Resource Public Key Infrastructure (RPKI) is a framework for verifying the authenticity of routing information announced on the Internet: specifically, that the Autonomous System originating a BGP prefix has been authorized to do so by the holder of that address space. Authorizations are expressed as digital certificates and signed objects based on the X.509 standard (extended to carry IP address and AS number resources), with the Regional Internet Registries acting as trust anchors for the resources they allocate. Any network on the Internet can therefore verify the validity of the routing information it receives from others.
It operates as a distributed database in which resource holders register their IP prefixes together with the Autonomous System Number (ASN) authorized to originate them. Each of these signed records is called a Route Origin Authorization (ROA); a ROA contains a prefix, the authorized origin ASN and, optionally, a maximum prefix length.
Once the ROAs are created, Internet players can implement RPKI-based validation and filtering policies that improve the security and resilience of global Internet routing, reducing the risk of accidental Border Gateway Protocol (BGP) mis-originations and preventing malicious IP prefix hijacks.
RPKI validation and filtering in the network are strongly recommended in order to build a more resilient and safer Internet. At Telxius we have implemented RPKI validation and filtering on every BGP session within our AS 12956 Tier-1 network.
RPKI is separate from the Internet Routing Registries (IRRs) and complements them: whereas IRR data is unsigned, ROAs are cryptographically signed objects published in RPKI repositories under the certificate hierarchy of the Regional Internet Registries, stating which autonomous system (AS) is authorized to originate a specific BGP prefix. That way, anyone on the Internet can verify that the information in a ROA is valid, meaning:
- It was generated by the rightful holder of the prefix.
- The relationship between that IP prefix and AS is correct.
There are three possible RPKI validity states for a BGP announcement:
- Unknown (also called NotFound): no ROA covers the prefix, so the announcement can be classified as neither Valid nor Invalid; such prefixes are transparent to RPKI.
In this case there is no impact on routing or traffic.
Recommended action. We recommend our customers register ROAs, but it is not mandatory.
- Invalid: one or more ROAs cover the prefix, but none of them matches the announcement, for either of two reasons:
  - The originating ASN of the BGP announcement does not match the ASN in any covering ROA.
  - The announced prefix is more specific than the maximum length allowed by the covering ROA.
In this scenario the BGP announcement is rejected; if no Valid or Unknown less-specific route covers the destination, traffic to it is discarded.
Recommended action. Invalid announcements should be corrected, either by fixing the ROA (ASN, prefix or maximum length) or by fixing the announcement, so that the two match.
- Valid: a combination of two facts:
  - There is a ROA covering your prefix published in the RPKI.
  - Your announcement matches that ROA (origin ASN and maximum prefix length).
In this case the BGP announcement is accepted and there is no impact on traffic.
Recommended action. All good, no action required.
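To make the three states concrete, the following Python implementation of the route origin validation check (RFC 6811) run against a constructed ROA set is an added example; it is not code from the original page or from Telxius. The ROAs, prefixes and AS numbers are made up from documentation address ranges and private AS numbers, and the `accept_announcement` policy simply mirrors the page's description (reject Invalid, accept Valid and Unknown).

```python
"""Route Origin Validation (ROV) as described in RFC 6811, applied to a
constructed set of ROAs. Illustrative code added to this page, not Telxius'
or any router vendor's implementation."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Iterable, Optional


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: prefix, authorized origin AS and an
    optional maximum length. If max_length is omitted it defaults to the
    prefix length, i.e. only the exact prefix may be announced."""
    prefix: str
    asn: int
    max_length: Optional[int] = None


def covers(roa: ROA, route) -> bool:
    """A ROA covers an announced route when the route is equal to or more
    specific than the ROA prefix (same address family)."""
    net = ip_network(roa.prefix, strict=False)
    return net.version == route.version and route.subnet_of(net)


def matches(roa: ROA, route, origin_asn: int) -> bool:
    """A covering ROA matches when the origin AS is the authorized AS and the
    announced prefix length does not exceed the ROA's maximum length."""
    net = ip_network(roa.prefix, strict=False)
    max_len = roa.max_length if roa.max_length is not None else net.prefixlen
    return roa.asn == origin_asn and route.prefixlen <= max_len


def origin_validation(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Return "Valid", "Invalid" or "NotFound" (the page's "Unknown") for one
    BGP announcement, following RFC 6811 section 2:
      - no covering ROA                        -> NotFound
      - at least one covering ROA matches      -> Valid
      - covering ROAs exist but none matches   -> Invalid
    An AS0 ROA (RFC 7607) never matches a real origin AS, so every
    announcement of a prefix it covers is Invalid unless another ROA
    authorizes it."""
    route = ip_network(prefix, strict=False)
    covering = [r for r in roas if covers(r, route)]
    if not covering:
        return "NotFound"
    if any(matches(r, route, origin_asn) for r in covering):
        return "Valid"
    return "Invalid"


def accept_announcement(state: str) -> bool:
    """Filtering policy described on the page: drop Invalid, accept the rest."""
    return state != "Invalid"


# Constructed ROA set using documentation ranges (RFC 5737 / RFC 3849) and
# private AS numbers (RFC 6996); these are not real registrations.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", asn=64496),                    # exact /24 only
    ROA("203.0.113.0/24", asn=64496, max_length=26),   # /24../26 from AS64496
    ROA("203.0.113.0/24", asn=64497),                  # a second AS may originate the /24
    ROA("198.51.100.0/24", asn=0),                     # AS0: nobody may originate this
    ROA("2001:db8::/32", asn=64496, max_length=48),
]

if __name__ == "__main__":
    announcements = [
        ("192.0.2.0/24", 64496),      # Valid: exact match
        ("192.0.2.0/25", 64496),      # Invalid: more specific than max length
        ("203.0.113.0/26", 64496),    # Valid: within max length 26
        ("203.0.113.0/24", 64497),    # Valid: second ROA authorizes AS64497
        ("203.0.113.0/25", 64497),    # Invalid: AS64497 may only announce the /24
        ("198.51.100.0/24", 64496),   # Invalid: covered only by an AS0 ROA
        ("10.10.0.0/16", 64496),      # NotFound: no covering ROA
        ("2001:db8:1::/48", 64496),   # Valid: IPv6 within max length 48
        ("2001:db8:1::/64", 64496),   # Invalid: exceeds max length 48
    ]
    for pfx, asn in announcements:
        state = origin_validation(pfx, asn, SAMPLE_ROAS)
        action = "accept" if accept_announcement(state) else "reject"
        print(f"{pfx:18} AS{asn:<6} {state:9} -> {action}")
```

In production the ROA list is not hand-written: a validator fetches and cryptographically verifies the RPKI repositories and feeds the resulting validated ROA payloads to routers over the RTR protocol (RFC 8210); the decision logic the router then applies to each announcement is the one shown above. The `203.0.113.0/25` case is worth noting when writing ROAs: the maximum length is per ROA, so authorizing a second AS for the /24 does not automatically let it announce the more specifics allowed to the first.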