Resource Public Key Infrastructure
Resource Public Key Infrastructure (RPKI) is a hierarchical public key infrastructure framework that enables the secure binding of Internet number resources—such as IP address blocks and Autonomous System (AS) numbers—to their legitimate holders through X.509 digital certificates, thereby supporting the validation of route origin authorizations in the Border Gateway Protocol (BGP).[1] Developed to address vulnerabilities in global Internet routing, RPKI allows resource allocation holders, including the Internet Assigned Numbers Authority (IANA) and Regional Internet Registries (RIRs), to issue certificates that cryptographically attest to resource ownership and authorize specific ASes to originate routes for those resources.[1] This system operates as an opt-in mechanism, with components including resource certificates, Certificate Authorities (CAs), and signed objects like Route Origin Authorizations (ROAs), all stored in a distributed repository for retrieval by network operators and routers.[2] At its core, RPKI functions by establishing a chain of trust anchored in root certificates issued by entities like IANA or RIRs, which delegate authority down to Local Internet Registries (LIRs) and end users via sub-certificates.[1] Resource holders use these certificates to sign ROAs, which explicitly list authorized ASes and prefix ranges, preventing unauthorized route advertisements that could lead to hijacks or leaks.[3] Routers equipped with RPKI validation capabilities query repositories using protocols such as the RPKI-to-Router Server (RTR) protocol to obtain and validate these objects in real-time, classifying routes as valid, invalid, or not found during BGP decision-making.[4] This validation process, known as BGP Origin Validation, integrates with existing routing infrastructure without requiring changes to the BGP protocol itself, leveraging standards like RFC 3779 for resource extensions in certificates.[1] The development of RPKI emerged in response to high-profile BGP security incidents in the 2000s, with initial standardization efforts by the IETF's Secure Interdomain Routing (SIDR) working group culminating in RFC 6480 in February 2012, which outlines the overall architecture.[1] Early deployments began in 2011 through RIR-hosted services, such as those provided by the RIPE NCC, ARIN, and APNIC, enabling LIRs to either host their own CAs or use delegated services for ROA issuance.[2] Adoption has accelerated in recent years, driven by incidents like the 2020 Twitter BGP hijack and collaborative initiatives such as the Mutually Agreed Norms for Routing Security (MANRS); as of November 2025, over 60% of IPv4 routes and over 55% of IPv6 routes in the global routing table are covered by ROAs, with IPv6 first achieving over 50% coverage in late 2023.[5] This progress has reduced the propagation of invalid routes by approximately 24% since 2022, with further declines continuing, enhancing overall Internet resilience, though full global deployment remains ongoing due to operational and policy challenges.[6]Core Concepts
Definition and Purpose
Resource Public Key Infrastructure (RPKI) is a hierarchical public key infrastructure designed to bind Internet number resources, such as IP address prefixes and Autonomous System (AS) numbers, to cryptographic certificates, thereby supporting secure Border Gateway Protocol (BGP) routing.[1] This framework mirrors the hierarchical allocation of resources from the Internet Assigned Numbers Authority (IANA) to Regional Internet Registries (RIRs) and subsequently to Local Internet Registries (LIRs) and end entities, using X.509-based certificates to embed resource holdings directly into the certificate structure.[1] The primary purpose of RPKI is to enable cryptographically verifiable authorizations for route announcements in BGP, allowing network operators to confirm that an AS is legitimately authorized to originate routes for specific IP prefixes and thus mitigate vulnerabilities such as prefix hijacking and unintended route leaks.[1] By providing a mechanism for explicit, signed attestations of resource allocation and route origination rights, RPKI addresses the inherent trust model in BGP where updates are accepted without validation of the sender's authority over the advertised prefixes.[1] RPKI establishes a chain of trust starting from root certification authorities, such as those operated by IANA and the RIRs, which serve as trust anchors for relying parties like BGP routers and validators.[1] Certificates form a delegation chain down to resource holders, where each level signs the subordinate's certificate, ensuring that resource bindings can be validated back to a trusted root through cryptographic verification.[1] This structure allows for scalable validation while maintaining the integrity of the resource allocation hierarchy. Standard BGP lacks built-in origin validation, making it susceptible to attacks where malicious or erroneous announcements inject false routes, leading to traffic blackholing, interception, or misdirection.[1] RPKI counters these insecurities by enabling routers to cryptographically verify the legitimacy of route origins before propagation, thereby enhancing the overall security and reliability of global Internet routing.[1]Historical Development
The development of Resource Public Key Infrastructure (RPKI) was driven by growing concerns over Border Gateway Protocol (BGP) vulnerabilities in the early 2000s, exemplified by high-profile routing incidents that exposed the risks of route hijacking and unintended traffic diversion.[7] A notable catalyst was the February 24, 2008, incident where Pakistan Telecom (AS 17557) erroneously announced the YouTube prefix (208.65.153.0/24), effectively hijacking global traffic to the site and rendering it inaccessible worldwide for several hours due to BGP's lack of origin validation mechanisms.[8] This event, among others, underscored the urgent need for cryptographic assurances in inter-domain routing, prompting the Internet Engineering Task Force (IETF) to prioritize secure routing solutions.[7] In response, the IETF chartered the Secure Inter-Domain Routing (SIDR) working group in 2007 to develop standards for validating BGP route origins and paths using public key infrastructure principles tailored to Internet number resources. The SIDR effort built on earlier conceptual work, including X.509 extensions for IP address allocation in RFC 3779 (2004), and focused on creating a hierarchical trust model involving Regional Internet Registries (RIRs). Initial prototypes emerged in the late 2000s, with the RIPE NCC launching a pilot resource certification system in early 2011 to issue digital certificates linking Autonomous System Numbers (ASNs) and IP prefixes.[2] Key milestones in RPKI's standardization occurred in the early 2010s, culminating in the publication of RFC 6480 in February 2012, which outlined the overall architecture for an infrastructure supporting secure Internet routing through resource certificates and signed objects.[1] Complementing this, RFC 6482, also published in February 2012, defined the profile for Route Origin Authorizations (ROAs), digitally signed objects enabling address holders to authorize specific ASes to originate their prefixes, thereby enabling route origin validation.[9] These RFCs marked the transition from prototypes to a deployable framework, with early implementations by RIRs like ARIN and APNIC establishing trust anchors—root certificates anchoring the global RPKI hierarchy.[3] RPKI evolved further in the late 2010s to address path validation limitations, with the introduction of Autonomous System Provider Authorizations (ASPAs) in RFC 8658, published in October 2019, allowing ASes to specify authorized customer-provider relationships for verifying BGP AS paths.[10] By the 2020s, global trust anchor expansions by all five RIRs facilitated broader adoption, integrating ROAs and ASPAs into operational BGP security practices.[11] Recent developments include governmental mandates, such as the Dutch government's April 2023 commitment to implement RPKI across all its networks by the end of 2024 to mitigate BGP hijacking risks.[12] In August 2025, the National Institute of Standards and Technology (NIST) released the BGP RPKI IO (BRIO) tool, an open-source platform for generating synthetic BGP and RPKI data to test and validate emerging routing security mechanisms.[13]Technical Components
Resource Certificates
Resource certificates form the foundational elements of the Resource Public Key Infrastructure (RPKI), serving as X.509v3 certificates that bind Internet number resources—such as IPv4 and IPv6 address prefixes and Autonomous System Numbers (ASNs)—to the entities authorized to use them.[14] These certificates enable a hierarchical trust model for validating resource allocations, distinct from traditional Public Key Infrastructure (PKI) systems that primarily focus on identity authentication.[14] In RPKI, the emphasis is on attesting to the "right-of-use" of routing resources rather than verifying personal or organizational identities, with resources explicitly embedded in the certificate structure to prevent unauthorized delegation.[14] The structure of resource certificates adheres to a specific profile defined in RFC 6487, which mandates the use of X.509v3 extensions to incorporate resource information.[14] Key extensions include the IP Address Delegation Extension (OID 1.3.6.1.5.5.7.1.7), which is critical and encodes sets of IPv4 or IPv6 prefixes that the subject is authorized to use, either explicitly listed or inherited from the issuer using the "inherit" keyword as specified in RFC 3779.[14] Similarly, the AS Identifier Extension (OID 1.3.6.1.5.5.7.1.14) is critical and lists ASNs or uses inheritance to delegate autonomous system resources.[14] These extensions ensure that resource sets are precisely defined, with IPv4 addresses represented in CIDR notation (e.g., 192.0.2.0/24) and IPv6 in hexadecimal with prefix lengths, while ASNs are denoted as integers or ranges.[15] The certificate also includes standard X.509 fields such as the subject public key, issuer, serial number, and signature algorithm, with the Basic Constraints extension marked as critical to indicate CA status where applicable.[14] Issuance of resource certificates occurs in a strict hierarchy starting from trust anchors, which are root certificates maintained by Regional Internet Registries (RIRs) such as ARIN, RIPE NCC, APNIC, LACNIC, and AFRINIC.[3][2] These trust anchors hold the full set of global Internet resources delegated by the Internet Assigned Numbers Authority (IANA) and issue subordinate certificates to child entities, ensuring that the resources in a child's certificate are a valid subset of the parent's.[14] For example, the RIPE NCC trust anchor delegates IPv4/IPv6 prefixes and ASNs to Local Internet Registries (LIRs), which in turn issue end-entity certificates to their customers for specific resource subsets.[2] Similarly, ARIN's trust anchor supports issuance to member organizations via hosted or delegated models, maintaining the chain of delegation through public keys and resource inclusions.[3] This hierarchical model enforces inheritance and subset validation, preventing over-delegation of resources not held by the issuer.[14] Each resource certificate incorporates validity periods defined by the notBefore and notAfter fields, which can extend beyond the issuer's validity but must align with the overall trust chain's constraints, typically lasting one to five years for stability.[14] Key pairs consist of a public key in the certificate subject and a corresponding private key held by the certificate authority (CA) or end-entity for signing operations, with subject names often using distinguished names tied to the resource holder's registration details.[14] Resource sets are encoded directly in the extensions, allowing precise control over delegable prefixes and ASNs, such as a certificate granting 203.0.113.0/24 for IPv4 and AS 64496 for ASN usage.[15] In contrast to standard PKI certificates, which rely on name constraints and identity bindings for access control, RPKI resource certificates prioritize resource validation through mandatory critical extensions that fail validation if resources are absent or invalid.[14] This design eliminates optional fields common in general-purpose PKI, enforces stricter scoping for revocation lists, and focuses solely on INR (Internet Number Resource) attestations, making them unsuitable for non-resource applications.[14] Resource certificates thus provide the cryptographic foundation for authorizing subsequent objects like Route Origin Authorizations (ROAs) and Autonomous System Provider Authorizations (ASPAs).[14]Route Origin Authorizations
Route Origin Authorizations (ROAs) are digitally signed data structures in the Resource Public Key Infrastructure (RPKI) that enable the holder of an IP address allocation to specify which Autonomous System Numbers (ASNs) are authorized to originate routes for particular IP prefixes.[16] These authorizations help prevent unauthorized route announcements by providing a verifiable record of legitimate origin ASNs for given prefixes. ROAs are issued by the resource holder using an end-entity certificate from the RPKI, ensuring the signer's control over the relevant address space.[16] The structure of a ROA follows the Cryptographic Message Syntax (CMS) signed data format as defined in RFC 6488, with a specific content type identified by the object identifier 1.2.840.113549.1.9.16.1.24.[16] Key fields include theasID, an INTEGER representing the authorized ASN; and ipAddrBlocks, a sequence of ROAIPAddressFamily elements, each containing one or more IP prefixes along with an optional maxLength INTEGER that specifies the longest prefix length authorized for origination.[16] The ROA is encoded in Distinguished Encoding Rules (DER) format and signed with the private key corresponding to the issuing end-entity certificate, which must itself be validated against the RPKI trust anchor.[16]
The maximum prefix length (maxLength) field allows resource holders to delegate authority for sub-prefixes while constraining the scope to prevent overclaiming of more specific routes. For instance, if a holder of a /16 allocation issues a ROA for a /24 sub-prefix with maxLength set to 26, it authorizes the specified ASN to originate routes for that /24 or any sub-prefix up to /26, but not longer ones that could hijack the space.[16] This mechanism supports hierarchical delegation without fully exposing the entire allocation to unauthorized longer prefixes.
In practice, a ROA might authorize ASN 64496 to originate the prefix 192.0.2.0/24 with a maximum length of /25, meaning the ASN can advertise 192.0.2.0/24 or 192.0.2.128/25, but any advertisement of a /26 or longer would not be covered by this ROA.[16] Such examples demonstrate how ROAs provide granular control over route origins within allocated address blocks.
When evaluating a BGP route announcement against available ROAs, three validity states are possible as per the origin validation process: Valid, where the route's prefix and originating ASN match a ROA (including length constraints); Invalid, where a ROA exists for the prefix but the originating ASN or prefix length does not match; and Not Found, where no applicable ROA covers the prefix and ASN. These states enable routers to assess the authenticity of route origins based on the signed authorizations.
Autonomous System Provider Authorizations
Autonomous System Provider Authorizations (ASPAs) are cryptographically signed objects within the Resource Public Key Infrastructure (RPKI) that enable an Autonomous System (AS) to authorize specific upstream provider ASes to announce and propagate its routes via the Border Gateway Protocol (BGP).[17] These authorizations help validate customer-provider relationships in BGP AS_PATH segments, allowing relying parties to detect and mitigate route leaks where an unauthorized AS transits traffic without proper permission.[18] By focusing on inter-AS trust rather than individual prefix origins, ASPAs complement Route Origin Authorizations (ROAs) to enhance overall BGP security without requiring end-to-end path signing.[17] The structure of an ASPA follows a Cryptographic Message Syntax (CMS) profile, using the object identifier 1.2.840.113549.1.9.16.1.49 to denote its content type, and is protected by a digital signature from the customer AS's End-Entity (EE) certificate.[17] The core payload, known as ASProviderAttestation, is a SEQUENCE that includes a version field (explicitly set to 1), the customerASID (an INTEGER representing the authorizing customer AS number, ranging from 0 to 4294967295 as defined in RFC 3779), and a providers field (a SEQUENCE OF ASID listing the authorized provider AS numbers in ascending, unique order).[17] The validity period of an ASPA is derived from the notBefore and notAfter fields in the issuing EE certificate, ensuring temporal constraints align with the certificate's lifetime, typically up to one year.[17] Additional CMS signed attributes include the signing time and a message digest for integrity, with validation procedures outlined in RFC 6488 requiring chain-of-trust verification back to a trusted RPKI anchor.[17] In operation, ASPAs prevent certain BGP hijacks and leaks by attesting to valid customer-provider links, where a customer AS explicitly lists its upstream providers to restrict unauthorized transit.[18] During BGP route processing, a relying party retrieves and validates relevant ASPAs from RPKI repositories to check if consecutive AS_PATH segments conform to declared authorizations, flagging invalid paths (e.g., those traversing unlisted providers) as ineligible for the Loc-RIB while retaining them for diagnostics.[18] This mechanism targets violations of the "valley-free" routing model, such as peer-to-peer leaks or unauthorized upstream announcements, without needing to sign every BGP update.[18] Unlike ROAs, which bind specific IP prefixes to an originating AS to validate route origins, ASPAs emphasize AS-level relationships by authorizing providers for route propagation, enabling partial path validation independent of prefix details.[17] This distinction allows ASPAs to address inter-domain trust gaps that ROAs alone cannot cover, such as ensuring proper hierarchy in multi-hop AS paths.[18]Supporting Repository Objects
In the Resource Public Key Infrastructure (RPKI), supporting repository objects provide mechanisms to maintain the integrity, completeness, and security of published data, enabling relying parties to verify the contents of certification authority (CA) repositories without risking undetected tampering or omissions. These objects include manifests, certificate revocation lists (CRLs), and auxiliary records such as Ghostbusters entries, each serving distinct but complementary roles in repository management.[19] Manifests, formally known as Manifests for the Resource Public Key Infrastructure (MFTs), are signed objects that enumerate all non-expired and non-revoked signed objects within a specific RPKI repository publication point associated with a CA. Defined in RFC 9286, a manifest contains a version number (set to 0), an incrementing manifest number for sequencing updates, timestamps for thisUpdate and nextUpdate indicating the validity period, a hash algorithm identifier, and a file list comprising each object's filename paired with its cryptographic hash. This structure ensures that the manifest itself is signed using a one-time-use end-entity certificate whose validity aligns precisely with the manifest's update period, preventing reuse in replay attacks.[20] By including hashes computed over the full content of each listed file (using algorithms specified in RFC 7935), manifests allow relying parties to confirm that retrieved objects match the expected contents exactly, thereby detecting unauthorized additions, deletions, or modifications.[20] Certificate Revocation Lists (CRLs) in RPKI adapt the standard X.509 CRL profile from RFC 5280 to handle revocations of resource certificates issued by a CA. As profiled in RFC 6487, RPKI CRLs must use version 2, include mandatory extensions such as Authority Key Identifier and CRL Number, and list only the serial numbers and revocation dates of revoked certificates without support for indirect or delta CRLs. Each CA issues a single CRL covering all its certificates, signed with an algorithm compliant with RFC 6485, and includes a nextUpdate field to indicate when the next list will be available, ensuring timely awareness of revocations.[21][22][23] In practice, these CRLs are updated periodically—often every 24 hours—to balance security and operational efficiency, with revocation reasons limited to standard codes like key compromise or cessation of operation, though the profile emphasizes revocation status over detailed causation.[22] Recent updates in RFC 9829 refine the handling of CRL Number extensions to mitigate issues with overflow and ensure consistent incrementing for reliable sequencing. These supporting objects play a critical role in repository synchronization by allowing relying parties to fetch and validate the full set of repository contents systematically. During synchronization, a relying party retrieves the latest manifest to obtain the authoritative list and hashes of expected objects, then downloads and verifies each against the manifest; any mismatch or unlisted object signals potential compromise, prompting fallback to cached data or alerts.[20] Similarly, CRLs ensure that revoked certificates are excluded from validation chains, with their nextUpdate aligning closely with manifest updates to maintain a coherent view of repository state over time. This process collectively prevents incomplete or tampered repositories, enhancing the overall trustworthiness of RPKI data distribution.[22][20] Among other supporting objects, the RPKI Ghostbusters Record provides verified contact information for CA maintainers, facilitating issue resolution such as certificate expirations or operational disputes. Specified in RFC 6493, this signed object uses a profiled vCard format (per RFC 6350) containing essential details like organization name, address, telephone, and email, packaged as a CMS signed-data structure and published via the CA's Subject Information Access pointer. It serves as an attestation from the CA, not an identity certificate, to direct inquiries to responsible parties without relying on external directories.[24][25]Operational Processes
Management of Certificates and Authorizations
Resource holders, such as Internet Service Providers (ISPs) and other organizations allocated Internet number resources, manage RPKI certificates and authorizations through a structured administrative process that ensures secure control over routing announcements. This involves obtaining subresource certificates from parent Certification Authorities (CAs), typically regional Internet registries like ARIN or the RIPE NCC, and then generating authorization objects such as Route Origin Authorizations (ROAs) and Autonomous System Provider Authorizations (ASPAs).[3][26] To obtain a resource certificate, holders initiate a request via the registry's portal, linking it to their registered resources in the relevant database. For example, in ARIN's hosted model, users log into ARIN Online, select the hosted option, and request a certificate that cryptographically attests to their IPv4, IPv6, and ASN allocations without disclosing holder identity. Similarly, RIPE NCC members receive automated certificates tied to their organization object, valid for up to 18 months with auto-renewal every 12 months, and updates for resource changes like additions or returns. These certificates serve as the foundation for signing authorization objects.[27][26] Once certified, holders generate ROAs and ASPAs using provided tools to specify authorized routing origins and provider relationships. In RIPE NCC's hosted system, this is done through a web interface or API, where users define ROA parameters like prefixes and maximum lengths, with changes propagating quickly without manual key handling. ARIN offers comparable functionality in ARIN Online for creating ROAs by entering ASN and prefix details, and for ASPAs by specifying customer-provider ASN pairs, though ASPA support is currently in testing. For self-managed setups, holders deploy CA software like Krill to generate these objects locally before submission. ROAs and ASPAs are signed with the holder's private key to attest, for instance, that a specific ASN may originate certain IP prefixes.[26][27][28] Key rollover is a critical management task to maintain security and continuity, following a planned process outlined in RFC 6489. A CA generates a new key pair, obtains a new certificate from its parent while retaining the same Subject Information Access (SIA) extension, and enters a minimum 24-hour staging period to allow relying parties to cache the new certificate before publishing reissued subordinate objects. After staging, the old key pair is revoked, ensuring no service disruption. In hosted services, registries like RIPE NCC handle rollovers automatically, while delegated operators must implement this manually using compliant software. Best practices emphasize using hardware security modules (HSMs) for key generation and storage, certified to appropriate FIPS 140-2 levels (such as Level 3 or higher) as specified in regional Certification Practice Statements (CPS).[29][30][31] Revocation processes address compromises or resource changes, primarily through Certificate Revocation Lists (CRLs) issued by the CA. For standard revocations, such as key compromise or resource reallocation, the CA adds the affected certificate to a CRL, which is published periodically—every 24 hours for online CAs or quarterly for offline ones—and signed to prevent tampering. Emergency revocations prioritize rapid response, balancing security with controls like multi-operator approval; for instance, RIPE NCC processes validated requests within eight hours, publishing updates in CRLs. In cases of persistent CA issues, registries may intervene after 90 days of non-responsiveness, revoking delegations to mitigate risks. ROAs tied to revoked resources are automatically invalidated in hosted systems.[32][33][30] Resource holders choose between hosted and self-managed services based on operational needs. Hosted options, like ARIN's where the registry manages the CA and keys, simplify administration for smaller entities by offloading cryptographic operations, while delegated models allow full control via tools like open-source software for larger operators. Best practices include regular backups, monitoring for expiration, and secure key rotation to prevent outages.[27][26][33] All management aligns with regional Certification Practice Statements (CPS), which define policies for issuance, validity periods, and security controls. For example, ARIN's CPS mandates compliance with RFC 6484 for certificate profiles and revocation handling, while RIPE NCC's RIPE-751 specifies automated processes for members and strict timelines for revocations to ensure trustworthiness. These statements ensure interoperability and adherence to IETF standards across registries.[30][32][34]Publication Mechanisms
In the Resource Public Key Infrastructure (RPKI), repositories serve as distributed publication points where issuers store and make available cryptographic objects such as certificates, route origin authorizations (ROAs), and revocation lists. These repositories follow a hierarchical structure aligned with the certification path, where each Resource Public Key Infrastructure (CA) maintains its own publication point (PP) containing objects relevant to its delegated resources. Access to these repositories is facilitated through uniform resource identifiers (URIs), primarily rsync URIs for full synchronization or HTTPS endpoints for delta updates via the RPKI Repository Delta Protocol (RRDP). All objects within repositories are formatted as Cryptographic Message Syntax (CMS) signed data structures, ensuring their integrity and authenticity during publication.[19][25] Distribution of RPKI objects relies on two primary protocols to enable efficient synchronization between publication points and relying parties (RPs). Rsync, a file transfer protocol, allows RP software to mirror entire repository contents by comparing file lists and transferring only differences, making it suitable for initial bootstrapping or infrequent updates. Complementing rsync, RRDP operates over HTTPS to provide snapshot and delta files, reducing bandwidth and processing overhead by transmitting only changes since the last fetch; this protocol supports session tokens for resuming interrupted transfers and is designed to scale with growing repository sizes. RP software, such as Routinator or rpki-client, periodically polls these repositories—typically every few hours—to retrieve updates, with rsync often used as a fallback when RRDP is unavailable. Manifests, signed listings of all objects in a publication point including their hashes and serial numbers, aid RPs in verifying completeness during fetches. To bootstrap access to the RPKI hierarchy, relying parties obtain Trust Anchor Locator (TAL) files from authoritative sources. A TAL is a simple XML document containing the URI of the root certificate for a trust anchor—either the IANA root for globally delegated resources or regional roots managed by Regional Internet Registries (RIRs) such as ARIN, APNIC, or RIPE NCC—and the corresponding public key for initial verification. These TAL files are statically distributed by IANA and the RIRs via their websites, enabling RPs to locate and download the top-level repository without prior configuration; updates to TALs, such as key rollovers, are announced through version attributes to prompt RPs to refresh them.[35] Scalability in RPKI publication is addressed through flexible repository partitioning and protocol optimizations to manage the increasing volume of objects as adoption grows. The repository profile permits issuers to operate multiple instances or sub-repositories, distributing load by partitioning content based on resource delegations (e.g., separate modules for IPv4, IPv6, or ASN subsets), which prevents single points of overload and supports parallel fetching by RPs. RRDP further enhances scalability by minimizing data transfer volumes—deltas can be orders of magnitude smaller than full rsync mirrors—while allowing publication servers to handle concurrent sessions without full repository scans; this has proven effective in deployments serving millions of objects across global hierarchies.[19]Validation Procedures
Validation procedures in the Resource Public Key Infrastructure (RPKI) ensure the authenticity and integrity of repository objects through a structured cryptographic verification process performed by relying parties (RPs). These procedures build a chain of trust from a designated trust anchor to end-entity objects, confirming that each element is properly signed, unexpired, and correctly inherits resources from its issuer. The process mitigates risks of unauthorized route announcements by validating resource allocations against the hierarchical structure of IP address and Autonomous System (AS) number delegations.[36] The validation chain begins with a trust anchor, typically a self-signed certificate or locator (TAL) that serves as the root of trust for a regional or global RPKI instance. RPs construct a path of certificates from the trust anchor to the end-entity certificate in question, where the subject of one certificate matches the issuer of the next. For each certificate in the chain (except the trust anchor), the RP verifies the signature using the public key from the issuing certificate. The current time must fall within the certificate's validity period (NotBefore to NotAfter), and the certificate must not appear on the issuer's Certificate Revocation List (CRL). Resources are inherited hierarchically: each certificate's Validated Resource Set (VRS) for IP prefixes (VRS-IP) and AS numbers (VRS-AS) is computed as the intersection of the issuer's VRS and the resources explicitly allocated in the subject certificate's extensions; if no resource extension is present, the VRS is set to empty. This ensures that end-entity objects can only authorize resources within the delegated scope from the trust anchor.[36][37] For Route Origin Authorizations (ROAs), validation extends the certificate chain process to the ROA object itself. The ROA's issuer certificate must first be validated as part of a complete chain to the trust anchor. The ROA's signature is then verified using the issuer's public key, and its listed IP prefixes must be contained within the issuer's VRS-IP, with matching AS numbers falling within the VRS-AS. The ROA must also be current (not expired) and listed in the issuer's Manifest (MFT), which is a signed inventory of repository objects; the MFT itself is validated similarly, with its CRL checked for revocations. If the ROA is absent from the MFT or the MFT is invalid, the ROA is considered unverified. These steps confirm that the ROA accurately reflects authorized route origins without overclaiming resources.[38][37] Error handling in RPKI validation classifies objects into states such as "valid," "invalid," or "not found" (sometimes termed "unknown" for unverified paths). An invalid chain—due to signature failure, expiration, revocation on a CRL, or mismatched issuer-subject pairs—renders the entire path and dependent objects invalid. Revoked objects, detected via CRL entries, are explicitly marked invalid and excluded from trust. Resource mismatches, such as overclaims where a certificate or ROA asserts more resources than inherited, trigger invalidation; newer implementations use specific Object Identifier (OID) extensions to flag such issues without fully rejecting the chain, but legacy systems reject outright. If an object cannot be fetched or verified (e.g., due to publication errors), it defaults to "not found," preventing reliance on potentially stale or tampered data. RPs must implement robust error recovery, such as retrying fetches, to maintain repository integrity.[37][39] Relying party software must adhere to standardized requirements to perform these validations reliably, as outlined in RFC 8897. Such software fetches and caches objects using protocols like rsync or RRDP, processes TALs to initialize trust anchors, and validates certificate paths, CRLs, manifests, and signed objects like ROAs per the specified algorithms. Open-source validators implementing these procedures include Routinator, developed by NLnet Labs in Rust for secure, high-performance validation and RTR protocol support, and FORT, an open-source RP from the FORT Project that validates the full RPKI repository and serves ROA data. These tools enable network operators to integrate RPKI validation into routing decisions while meeting interoperability standards.[40][41][42]Applications in Routing
Route Origin Validation
Route Origin Validation (ROV) is a security mechanism within the Resource Public Key Infrastructure (RPKI) that enables routers to verify the legitimacy of the originating Autonomous System (AS) for BGP route announcements using validated Route Origin Authorizations (ROAs).[43] In this process, a router receiving a BGP announcement for a specific IP prefix queries its local cache of Validated ROA Payloads (VRPs), which are cryptographically verified ROAs, to determine if the announced origin AS is authorized by the prefix holder.[43] The validation checks whether the prefix in the announcement matches or is covered by any VRP associated with the origin AS.[43] The ROV classification categorizes each BGP route announcement into one of three states based on the local cache query: "Valid," "Invalid," or "Not Found."[43] A route is deemed Valid if at least one VRP exactly matches the announced prefix and its origin AS, confirming authorization.[43] It is Invalid if at least one VRP covers the announced prefix (meaning the prefix falls within the authorized range) but no VRP matches the origin AS exactly, indicating an unauthorized origination.[43] Otherwise, the route is Not Found if no relevant VRP covers the prefix, leaving it unauthenticated but not explicitly disallowed.[43] This classification relies on ROAs, which specify authorized prefixes and maximum lengths for an AS, ensuring precise matching without broader path analysis.[43] In routing decisions, ROV influences BGP path selection and filtering policies to mitigate route hijacks and leaks.[43] Routers can be configured to drop Invalid routes entirely, preventing their propagation, or to de-preference them in favor of Valid alternatives during best-path computation.[43] For instance, if a BGP announcement claims AS 65001 as the origin for prefix 192.0.2.0/24 but no matching ROA exists in the cache, the router classifies it as Invalid and rejects it, blocking potential unauthorized traffic diversion.[43] This approach enhances global routing integrity by isolating invalid announcements at the edge.[43] To maintain an up-to-date local cache, routers use the RPKI-Router Protocol (RTR), which facilitates real-time synchronization of validated ROA data from trusted caches or validators.[4] Under RTR version 1, routers periodically issue Serial Queries to the cache, requesting updates since the last known serial number; the cache responds with relevant prefix payloads (e.g., IPv4 or IPv6) and a new serial number, ensuring only active VRPs are delivered.[4] Caches also send Serial Notify messages to trigger immediate queries upon new data availability, supporting efficient, low-overhead updates critical for timely ROV.[4] Deployment of ROV for filtering Invalid routes has grown in production networks, demonstrating practical impact on BGP security.[44] For example, major providers like AT&T (AS 7018) implement ROV to discard Invalid prefixes at peering interfaces, reducing the propagation of hijacked routes while preserving customer traffic.[45] Similarly, networks such as those monitored by Cloudflare apply ROV filters to block Invalid announcements. As of November 2025, approximately 59% of IPv4 prefix-origin pairs in the global BGP table are classified as valid per the NIST RPKI Monitor, with ROV enforcement (filtering of invalid routes) implemented by about 27% of autonomous systems, though full Invalid filtering remains selective to avoid disruptions.[5][46] These implementations highlight ROV's role in preventing incidents like route leaks, as seen in increased adoption post-2017 policy shifts by transit providers.[44]BGP Path Validation
BGP path validation in the Resource Public Key Infrastructure (RPKI) utilizes Autonomous System Provider Authorizations (ASPAs) to verify the legitimacy of transit relationships between Autonomous Systems (ASes) in Border Gateway Protocol (BGP) announcements, thereby detecting unauthorized route leaks and hijacks that involve invalid AS paths.[18] This process builds on ASPA objects, which are digitally signed attestations issued by a customer AS to authorize specific provider ASes for advertising its prefixes, enabling routers to assess path integrity without requiring end-to-end cryptographic signing. The validation process involves examining the AS_PATH attribute in a BGP update by checking consecutive AS pairs against available ASPA attestations. For each pair in the path, a receiving AS applies provider authorization functions to confirm whether the upstream AS is authorized as a provider by the downstream AS (or vice versa in peering scenarios), using algorithms for upstream and downstream validation that account for customer-provider hierarchies.[18] Unauthorized transits are detected when an AS in the path lacks the necessary ASPA-based authorization for the transit, resulting in an "Invalid" state for the announcement; this includes scenarios where the path length exceeds the maximum allowed ramps (up-ramp for customer-to-provider ascent and down-ramp for provider-to-customer descent) without corresponding attestations.[18] The outcome for a path is determined as "Valid" only if all verifiable segments pass these checks, "Invalid" if any segment fails, or "Unknown" if insufficient data exists to assess a segment.[18][47] Despite these capabilities, BGP path validation has notable limitations, including partial coverage where only segments with published ASPAs can be verified, leaving gaps in paths with incomplete attestations.[18] It does not provide full end-to-end validation, as it relies on pairwise authorizations rather than a complete chain, and unknown segments—such as those involving ASes without ASPAs—are treated conservatively as unverifiable, potentially allowing some invalid paths to propagate if not combined with other filters.[18][47] As of January 2025, ASPA adoption remains minimal, with approximately 0.001% of autonomous systems publishing ASPA records, though growth is observed in unique customer AS identifiers.[48] Enhancements to path validation include its integration with Route Origin Validation (ROV), which uses Route Origin Authorizations (ROAs) to verify prefix ownership at the origin AS, creating a combined security model that jointly assesses both endpoint legitimacy and intermediate transit authorizations for more robust BGP security.[18] For example, in a multi-hop path where AS 64496 (a customer) announces a prefix through its provider AS 1239 and then to a peering AS 3356, validation would check the ASPA from AS 64496 authorizing AS 1239 for the customer-provider link, and the relationship between AS 1239 and AS 3356; if AS 1239 attempts an unauthorized transit through an unlisted peer, the path would be marked Invalid several hops away.[18][47]Integration with Routing Protocols
The integration of Resource Public Key Infrastructure (RPKI) with routing protocols primarily occurs through the Border Gateway Protocol (BGP), where validation outputs from Route Origin Validation (ROV) and BGP Path Validation inform route selection and filtering decisions. Routers equipped with RPKI capabilities connect to validation servers via the RPKI-to-Router (RTR) protocol to obtain origin validation states—valid, invalid, or not found—for BGP announcements, enabling operators to enforce security policies without altering the core BGP exchange. This local enforcement allows networks to prioritize or discard routes based on cryptographic attestations, reducing the risk of prefix hijacks while maintaining routing stability.[49][50] In BGP, RPKI validation states can be signaled internally using BGP communities or extended communities to propagate information across an autonomous system (AS), allowing all routers in an iBGP mesh to apply consistent policies without individual RTR connections. For instance, extended communities defined in RFC 8097 enable the attachment of validation results to routes, facilitating coordinated decision-making. However, the IETF strongly advises against propagating these states via transitive path attributes to external BGP (eBGP) peers, as it can trigger widespread BGP update floods during RPKI changes, such as ROA revocations affecting over 500,000 routes and contributing to 8-10% of global BGP churn in observed incidents. Instead, validation should remain local to the AS, with states stripped before external announcements to prevent cascading instability.[51][52] Router configurations for ROV enforcement typically involve route maps that match on RPKI states and apply actions like setting local preference values or prepending AS paths. Major vendors support these via commands such as Cisco'smatch rpki in route maps, which can assign higher local preference (e.g., 200) to valid routes, intermediate (e.g., 100) to not-found routes, and lower (e.g., 50) to invalid ones, influencing the best-path algorithm without immediate drops. Policy options range from strict enforcement, where invalid routes are outright dropped from the routing information base (RIB) and not advertised, to softer de-preferencing, where invalids receive reduced priority but remain usable as last-resort paths. The default behavior on many platforms is to drop invalids, but configurable options like Cisco's bgp bestpath prefix-validate allow-invalid permit de-preferencing to avoid connectivity disruptions during partial RPKI deployment.[49][50]
As of 2025, global practices lean toward de-preferencing invalid routes to mitigate collateral damage from misconfigurations or incomplete adoption, with networks like those in APNIC and RIPE NCC regions often implementing gradual enforcement to prevent unintended blackholing of legitimate traffic. Strict drop policies are more common among large transit providers with mature RPKI setups, such as those achieving over 90% coverage of their prefixes, as they provide stronger protection against hijacks once ecosystems stabilize. Studies indicate that de-preferencing reduces invalid route propagation by 50-66% compared to no enforcement, balancing security with operational resilience. The Number Resource Organization (NRO) recommends starting with de-preference and transitioning to strict modes as validator redundancy and monitoring improve.[53][54][55]
In mixed environments with partial RPKI adoption, interoperability challenges arise as invalid routes can propagate through non-validating ASes, potentially creating longer but insecure paths. To handle this, operators configure inbound and outbound filters that de-preference invalids received from upstreams while accepting them as backups if no valid alternatives exist, ensuring gradual global effectiveness without isolating partially deployed networks. This approach aligns with IETF guidance on Drop Invalid If Shorter (DISR) policies, which drop invalids only when a valid or not-found route covers the same prefix, preserving reachability in transitional phases.[56][57][50]
Beyond BGP, RPKI's framework supports potential extensions to other inter-domain routing protocols under the IETF's IDR working group, where signed authorizations could enhance path validation in emerging mechanisms like source address validation networks (SAVNET). However, current deployments remain BGP-centric, with explorations into integrating RPKI data for broader inter-domain trust models still in draft stages.[58][59]