RPKI Validator
Check if a BGP route is authorized via Resource Public Key Infrastructure (RPKI). Verify ROA validity for any ASN and prefix pair.
RPKI (Resource Public Key Infrastructure) is a cryptographic security layer for BGP that allows IP address holders to create digitally signed Route Origin Authorizations (ROAs). A ROA specifies which ASN is authorized to announce a given IP prefix, preventing BGP route hijacking.
Validation States
- Valid: A ROA exists that matches the announcement — the origin ASN is authorized and the prefix length is within the allowed range. Routers should accept and prefer these routes.
- Invalid: A ROA exists but the announcement violates it — either the wrong ASN is originating, or the prefix is more specific than the ROA's max-length allows. Routers should drop these routes (Route Origin Validation, ROV).
- Not Found (Unknown): No ROA covers this prefix at all. Most networks pass these routes currently, but filtering "not found" is increasing as RPKI adoption grows.
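The three states above as a small origin-validation routine, added here as an illustration and not the validator's own code. The ROA entries are constructed from documentation prefixes and documentation ASNs, and the names VRP and validate are hypothetical. An announcement is Invalid only when at least one ROA covers it and none of the covering ROAs matches, so a second ROA for the same prefix can authorize a second origin.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """One validated ROA entry (hypothetical name for this example)."""
    prefix: str       # prefix the ROA covers
    max_length: int   # longest prefix length the ROA allows
    asn: int          # origin ASN the ROA authorizes

# Constructed sample data: documentation prefixes and documentation ASNs.
VRPS = [
    VRP("192.0.2.0/24", 24, 64500),
    VRP("192.0.2.0/24", 24, 64510),   # second ROA, same prefix, other origin
    VRP("198.51.100.0/24", 26, 64501),
    VRP("2001:db8::/32", 48, 64502),
]

def validate(prefix, origin_asn, vrps=VRPS):
    """Return (state, reason) for one announced prefix and origin ASN."""
    route = ipaddress.ip_network(prefix)
    covering = []
    for v in vrps:
        roa_net = ipaddress.ip_network(v.prefix)
        # A ROA covers the route when the route is equal to or inside its prefix.
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(v)
    if not covering:
        return ("not-found", "no ROA covers this prefix")
    for v in covering:
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return ("valid", f"ROA {v.prefix} max-length {v.max_length} AS{v.asn}")
    # Covered but unmatched: report which condition failed.
    if any(v.asn == origin_asn for v in covering):
        return ("invalid", "prefix is more specific than max-length allows")
    return ("invalid", "origin ASN is not authorized by a covering ROA")

if __name__ == "__main__":
    samples = [
        ("198.51.100.0/25", 64501),   # inside max-length
        ("198.51.100.0/27", 64501),   # right origin, too specific
        ("192.0.2.0/24", 64999),      # covered, wrong origin
        ("203.0.113.0/24", 64500),    # no ROA at all
    ]
    for prefix, asn in samples:
        state, reason = validate(prefix, asn)
        print(f"{prefix} AS{asn}: {state} ({reason})")
```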
Why RPKI Matters
BGP route hijacks — where an AS maliciously or accidentally announces IP prefixes it doesn't own — have caused major internet outages and security incidents. RPKI's Route Origin Validation (ROV) allows routers to automatically reject invalid announcements, making the internet's routing infrastructure significantly more secure. Major networks like Comcast, AT&T, and most Tier-1 providers now enforce RPKI-invalid route rejection.