Networking & Routing

What is RPKI?

Also known as: Resource Public Key Infrastructure

Definition

RPKI is a cryptographic framework that binds IP address blocks and AS numbers to their legitimate holders, enabling routers to verify BGP route origin claims and prevent hijacks.

The Resource Public Key Infrastructure (RPKI) is a specialized PKI designed for Internet number resources. It uses digital certificates to attest that a specific Autonomous System (AS) is authorized to originate a particular IP prefix or set of prefixes. RPKI does not directly modify BGP. Instead, it provides a separate validation layer that routers or route servers can query to check whether a received BGP update matches an authorized origin.

Operationally, each Regional Internet Registry (RIR) and some National Internet Registries (NIRs) act as Certificate Authorities (CAs) in the RPKI hierarchy. They issue certificates to resource holders, who can then create Route Origin Authorizations (ROAs). A ROA lists an AS number, a prefix, and the maximum prefix length the AS is allowed to announce. Routers that support RPKI (such as those running BGP with the RTR protocol, RFC 8210) fetch validated ROA payloads from a cache server and apply a per-prefix validation state: VALID, INVALID, or UNKNOWN. Operators can then configure local policy, for example dropping INVALID announcements.

RPKI was first standardized in RFC 6480 (2012) and later refined across multiple documents in the SIDR working group. It is now widely deployed, though coverage varies by region. RPKI alone prevents only origin hijacks, not path manipulation. To address path attacks, RPKI is being extended by BGPsec (RFC 8205), which cryptographically signs the full AS path. RPKI deployment increased sharply after 2020, driven by major CDNs and cloud providers mandating ROA creation for their customers.

Key facts

  • RPKI binds IP prefixes and AS numbers to their owners via X.509 certificates.
  • Route Origin Authorizations (ROAs) specify which AS may originate a prefix.
  • Routers use the RPKI-to-Router (RTR) protocol (RFC 8210) to fetch validated data.
  • Validation states are VALID, INVALID, and UNKNOWN; operators set policy on each.
  • RPKI only protects against origin hijacks; BGPsec extends it to AS path protection.

How it works in practice

A network holding prefix 203.0.113.0/24 creates a ROA for AS 64500 with max length /24. An attacker announces 203.0.113.0/24 from AS 65000. Routers with RPKI validation mark this route INVALID and, if configured to do so, discard it. The legitimate announcement from AS 64500 remains VALID. Without RPKI, the hijack would propagate normally.
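The following is an added example, not part of this glossary entry: a small Python model of the Route Origin Validation step described above, applied to the page's 203.0.113.0/24 scenario. It assumes the RFC 6811 matching rules (a route is VALID when at least one covering ROA has the same origin AS and a maxLength at or above the announced length, INVALID when covering ROAs exist but none match, and otherwise NotFound, which the page calls UNKNOWN) and uses a constructed set of ROAs built from documentation prefixes and private ASNs. It models only what a router does with Validated ROA Payloads it already trusts; fetching them over RTR and the certificate-chain checking done by the relying-party cache are outside the block.

```python
# Route Origin Validation (RFC 6811) over constructed ROAs and BGP
# announcements. Illustrative code written for this page, not a router or
# RPKI-software implementation. It models the per-route state a router
# derives from Validated ROA Payloads (VRPs) received via RTR; certificate
# and signature checking (done by the relying-party cache) is out of scope.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """One Validated ROA Payload: prefix, maximum length, authorised origin AS."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample ROAs (documentation prefixes and private ASNs).
SAMPLE_ROAS = [
    ROA("203.0.113.0/24", 24, 64500),   # the page's example: AS 64500, max /24
    ROA("2001:db8::/32", 48, 64500),    # IPv6 block that may be split down to /48
    ROA("192.0.2.0/24", 24, 0),         # AS0 ROA (RFC 7607): no AS may originate it
]


def covering_roas(roas, announced):
    """Return the ROAs whose prefix covers the announced prefix.

    A ROA covers a route when the route's prefix lies inside the ROA prefix
    (same address family, equal or longer prefix length).
    """
    net = ipaddress.ip_network(announced, strict=False)
    return [
        roa for roa in roas
        if ipaddress.ip_network(roa.prefix).version == net.version
        and net.subnet_of(ipaddress.ip_network(roa.prefix))
    ]


def validate(roas, announced, origin_asn):
    """Classify one (prefix, origin AS) pair as VALID, INVALID or UNKNOWN.

    RFC 6811: VALID if at least one covering ROA matches (same origin AS and
    prefix length <= maxLength); INVALID if covering ROAs exist but none
    match; otherwise NotFound, which this page calls UNKNOWN.
    """
    covering = covering_roas(roas, announced)
    if not covering:
        return "UNKNOWN"
    prefixlen = ipaddress.ip_network(announced, strict=False).prefixlen
    for roa in covering:
        if roa.asn == origin_asn and prefixlen <= roa.max_length:
            return "VALID"
    return "INVALID"


def apply_policy(roas, updates, drop_invalid=True):
    """Validate a batch of BGP updates and apply a simple operator policy.

    `updates` is a list of (prefix, origin_asn) pairs. Returns the routes kept
    in the table as (prefix, origin_asn, state). With drop_invalid=True,
    INVALID routes are discarded; UNKNOWN routes are kept, because dropping
    them would reject every prefix that has no ROA at all.
    """
    kept = []
    for prefix, asn in updates:
        state = validate(roas, prefix, asn)
        if drop_invalid and state == "INVALID":
            continue
        kept.append((prefix, asn, state))
    return kept


if __name__ == "__main__":
    # Constructed announcements: the legitimate origin, the same prefix from
    # the wrong AS, an over-specific announcement from the right AS, an IPv6
    # sub-allocation within maxLength, a prefix with no ROA, and an AS0 prefix.
    updates = [
        ("203.0.113.0/24", 64500),
        ("203.0.113.0/24", 65000),
        ("203.0.113.0/25", 64500),
        ("2001:db8:1::/48", 64500),
        ("198.51.100.0/24", 64500),
        ("192.0.2.0/24", 64501),
    ]
    for prefix, asn, state in apply_policy(SAMPLE_ROAS, updates, drop_invalid=False):
        print(f"{prefix:20} AS{asn:<6} {state}")
```

The /25 case is the one operators most often trip over: a ROA with maxLength /24 marks the holder's own more-specific announcements INVALID, so maxLength should reflect how the block is actually announced. Keeping UNKNOWN routes while dropping INVALID ones is the policy the page describes and matches common practice, since coverage is still incomplete.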

Related terms

  • BGP
  • Route Origin Authorization (ROA)
  • BGPsec
  • RTR (RPKI-to-Router) Protocol
  • Resource Certificate
