What is Route Origin Authorisation?
Also known as: ROA
A Route Origin Authorisation (ROA) is a cryptographically signed RPKI object that specifies which autonomous system (AS) is authorised to originate a given IP prefix, enabling BGP origin validation.
A Route Origin Authorisation (ROA) is a digitally signed object in the Resource Public Key Infrastructure (RPKI). It binds one or more IP prefixes to a single autonomous system number (ASN) that is authorised to originate them in BGP; each prefix may carry a maximum length (maxLength) that additionally authorises more-specific announcements up to that length. The ROA is created by the prefix holder and signed under the resource certificate that covers those prefixes (in practice by a one-time end-entity certificate issued beneath it), then published in the holder's RPKI repository for relying parties to fetch.
When a network operator deploys RPKI-based route origin validation (ROV), the routers do not fetch or verify ROAs themselves. A relying-party validator (such as Routinator or rpki-client) fetches ROAs from the repositories, checks their signatures and certificate chains, and reduces each valid ROA to one or more Validated ROA Payloads (VRPs): a prefix, a maximum length and an origin ASN. Routers pull the VRP set from that validator over the RPKI-to-Router (RTR) protocol and compare each received BGP route against it. A VRP covers a route when the route's prefix is equal to or more specific than the VRP prefix; it matches when it covers the route, the route's prefix length does not exceed the maximum length, and the route's origin AS equals the VRP's ASN. The result is one of three states: valid (at least one matching VRP), invalid (one or more covering VRPs but none matching, i.e. the origin AS is wrong or the prefix is more specific than the maximum length allows), or not-found (no covering VRP at all). Routes marked invalid can be rejected or given lower preference, which blocks many prefix hijacks and accidental misannouncements.
ROAs are a foundational component of RPKI-based BGP security. They address only the origin of a route, not the full AS path: an attacker who forges a path ending in the legitimate origin AS still passes origin validation. Path validation is the job of BGPsec (RFC 8205), which extends RPKI certificates to sign each AS hop. ROAs were defined in RFC 6482 (since obsoleted by RFC 9582), and their use in BGP origin validation is specified in RFC 6811. Adoption has grown steadily since the regional Internet registries began offering RPKI services in the early 2010s, with major network operators and cloud providers publishing ROAs for their prefixes.
Key facts
- A ROA is a CMS signed object. Its signature is made with the private key of an end-entity certificate issued under the prefix holder's RPKI resource certificate, so the chain of trust runs from the ROA up to the RIR's trust anchor.
- Each ROA contains exactly one AS number and one or more prefixes, each with an optional maximum prefix length (maxLength). A maxLength longer than the prefix authorises more-specific announcements, but it also lets anyone who forges the origin AS announce those more-specifics as valid, so RFC 9319 advises keeping maxLength equal to the prefix length unless the more-specifics are actually announced.
- ROAs are published in RPKI repositories, fetched and cryptographically validated by relying-party software, and delivered to routers as validated ROA payloads (VRPs) via the RPKI-to-Router (RTR) protocol (RFC 8210).
- ROAs only validate the origin AS; they do not protect against AS path manipulation.
- A BGP route is Invalid when at least one VRP covers its prefix but none matches it, because the origin AS differs or the announced prefix is more specific than the ROA's maxLength permits. If no VRP covers the prefix at all, the state is NotFound, not Invalid.
How it works in practice
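The validation steps described above (covering, matching, and the Valid/Invalid/NotFound outcome from RFC 6811) as a worked example. This is added illustrative code, not code from the page or from any RPKI validator. The JSON shape is an assumption modelled on the VRP export that relying-party tools commonly produce, and every ASN and prefix is a constructed documentation value (RFC 5398, RFC 5737, RFC 3849), not a real ROA. The example also covers the maxLength edge case: a more-specific announcement from the right AS is still Invalid once it is longer than maxLength.

```python
import ipaddress
import json
from dataclasses import dataclass

# Constructed sample of Validated ROA Payloads (VRPs), in the JSON shape that
# relying-party validators commonly export (an assumption, not taken from the
# page). ASNs and prefixes are documentation values from RFC 5398, RFC 5737
# and RFC 3849; they are not real ROAs.
SAMPLE_VRPS_JSON = """
{"roas": [
  {"asn": "AS64496", "prefix": "192.0.2.0/24",    "maxLength": 24, "ta": "example"},
  {"asn": "AS64496", "prefix": "198.51.100.0/22", "maxLength": 24, "ta": "example"},
  {"asn": "AS64497", "prefix": "2001:db8::/32",   "maxLength": 48, "ta": "example"}
]}
"""

# Route validation states as named in RFC 6811.
VALID, INVALID, NOT_FOUND = "Valid", "Invalid", "NotFound"


@dataclass(frozen=True)
class VRP:
    """One validated ROA payload: prefix, longest permitted announcement, origin ASN."""
    prefix: object        # ipaddress.IPv4Network or ipaddress.IPv6Network
    max_length: int
    asn: int


def load_vrps(text):
    """Parse the VRP export and reject entries whose maxLength is out of range."""
    vrps = []
    for entry in json.loads(text)["roas"]:
        net = ipaddress.ip_network(entry["prefix"], strict=True)
        asn = int(str(entry["asn"]).upper().replace("AS", "", 1))
        # A missing maxLength means only the exact prefix is authorised.
        max_length = int(entry.get("maxLength", net.prefixlen))
        if not net.prefixlen <= max_length <= net.max_prefixlen:
            raise ValueError(f"bad maxLength {max_length} for {net}")
        vrps.append(VRP(net, max_length, asn))
    return vrps


def covers(vrp, route):
    """RFC 6811: a VRP covers a route whose prefix is equal to or more specific than its own."""
    return route.version == vrp.prefix.version and route.subnet_of(vrp.prefix)


def matches(vrp, route, origin_asn):
    """A covering VRP matches only if the route is no longer than maxLength and the origin AS agrees."""
    return (covers(vrp, route)
            and route.prefixlen <= vrp.max_length
            and vrp.asn == origin_asn)


def validate_origin(vrps, prefix, origin_asn):
    """Return Valid, Invalid or NotFound for one (prefix, origin ASN) announcement."""
    route = ipaddress.ip_network(prefix, strict=True)
    if any(matches(v, route, origin_asn) for v in vrps):
        return VALID
    if any(covers(v, route) for v in vrps):
        return INVALID     # covered by a ROA, but wrong origin AS or too specific
    return NOT_FOUND       # no ROA says anything about this prefix


if __name__ == "__main__":
    vrps = load_vrps(SAMPLE_VRPS_JSON)
    announcements = [
        ("192.0.2.0/24", 64496),      # exact prefix, right AS        -> Valid
        ("192.0.2.0/24", 64511),      # exact prefix, wrong AS        -> Invalid (hijack)
        ("192.0.2.0/25", 64496),      # right AS, longer than maxLength -> Invalid
        ("198.51.100.0/24", 64496),   # more-specific within maxLength -> Valid
        ("198.51.100.0/25", 64496),   # more-specific beyond maxLength -> Invalid
        ("2001:db8:1::/48", 64497),   # IPv6 within maxLength         -> Valid
        ("203.0.113.0/24", 64496),    # no covering ROA               -> NotFound
    ]
    for prefix, asn in announcements:
        print(f"{prefix:18} AS{asn}  {validate_origin(vrps, prefix, asn)}")
```

The third announcement is the case worth noticing: the correct AS announces 192.0.2.0/25, yet the result is Invalid because the ROA's maxLength is 24. That is the intended behaviour, and it is also why a liberal maxLength is dangerous in the other direction: with maxLength 32 on that ROA, a forged-origin /25 would have been Valid.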
More in Networking & Routing
Anycast
Anycast is a network addressing and routing method where a single IP address is assigned to multiple servers, and routers send traffic to the nearest server based on routing protocol metrics.
AS Path
A BGP path attribute that lists the sequence of autonomous system numbers a route has passed through, used for loop detection and path selection.
ASN
A globally unique 16-bit or 32-bit number assigned to an autonomous system for use in BGP routing between organisations on the Internet.
Autonomous System
An Autonomous System (AS) is a group of IP networks under a single administrative routing policy, identified by a unique ASN (Autonomous System Number) for exterior gateway routing.
BGP
BGP (Border Gateway Protocol) is the path vector routing protocol that networks use to exchange reachability information between autonomous systems on the public internet.
CIDR
CIDR (Classless Inter-Domain Routing) is a method for allocating IP addresses and routing packets using variable-length subnet masks (e.g., /24) instead of fixed classful boundaries.
Hop
A hop is one passage of a packet through a router or other layer-3 forwarding device as it travels from source to destination across an internetwork.
IPv4
IPv4 is the core Internet Protocol using 32-bit addresses, providing roughly 4.3 billion unique identifiers for network interfaces on the global internet.
IPv6
IPv6 is the most recent version of the Internet Protocol, using 128-bit addresses to provide 2^128 (about 3.4 × 10^38) unique identifiers for networked devices.
Latency
Latency is the time a packet takes to travel from source to destination; round-trip time (RTT) is the time for it to get there and back. Both are measured in milliseconds and are critical metrics in network performance.