BGP, the protocol that holds the internet together, was designed in an era where every network operator was assumed to be trustworthy. That assumption no longer holds. Route hijacks — accidental or malicious — happen regularly, and they can redirect, intercept, or black-hole traffic for entire countries. RPKI (Resource Public Key Infrastructure) is the cryptographic foundation that fixes this. This guide explains what RPKI is, how ROAs and ROV work, and how to deploy them in 2026.
At Noded, we deploy RPKI on every network we operate, so we know what works in real-world deployments.
The Problem RPKI Solves
BGP announcements aren't authenticated by default. Anyone with a BGP-speaking router and an upstream peer can announce a prefix they don't own. When they do, traffic to that prefix may follow the bogus announcement, causing outages or enabling traffic interception.
Some famous examples include the 2008 Pakistan Telecom incident that took YouTube globally offline and several large-scale route leaks affecting major cloud providers in subsequent years. RPKI addresses this by cryptographically binding IP prefixes to the AS numbers authorized to originate them.
What Is RPKI?
RPKI is a public key infrastructure where the Regional Internet Registries (ARIN, RIPE, APNIC, LACNIC, AFRINIC) act as trust anchors. Resource holders (organizations that own IP space) sign cryptographic objects called Route Origin Authorizations (ROAs).
A ROA states: "AS X is authorized to originate prefix P (with a maximum length of N)." Network operators can then verify any BGP announcement against the published ROAs and reject invalid ones.
ROAs in Detail
A Route Origin Authorization contains three key fields:
- Prefix: The IP block being authorized (e.g., 203.0.113.0/24).
- ASN: The autonomous system number authorized to originate it.
- Max Length: The longest prefix length allowed for sub-announcements (e.g., /24).
Set max length too loose and you allow more-specifics that hijackers could exploit. Set it too tight and you can't announce sub-allocations later. Best practice is to match max length to the actual prefix length unless you specifically need to announce more-specifics.
Route Origin Validation (ROV)
ROAs alone don't help unless networks check them. Route Origin Validation is the process where a router classifies each received BGP route as:
- Valid: The announcement matches a published ROA.
- Invalid: A ROA exists, but the origin AS or prefix length doesn't match.
- Not Found: No ROA covers this prefix.
Most operators reject Invalid routes, accept Valid routes, and accept Not Found routes (because RPKI coverage isn't 100% yet). This policy is sometimes called "drop invalids."
The RPKI Toolchain
A typical RPKI deployment has three layers:
1. Publication (you publish your ROAs)
Most network operators sign ROAs through their RIR's hosted portal or via a delegated CA. ARIN, RIPE, and APNIC all offer hosted ROA management with a web interface or API.
2. Validation (a Relying Party fetches and verifies)
You run software that downloads all published ROAs and validates them. Common open-source validators include Routinator, FORT, and rpki-client. These programs build a Validated ROA Payload (VRP) cache.
3. Router consumption (RTR protocol)
Routers connect to the validator over the RPKI-to-Router protocol (RFC 8210) to receive VRPs. They then apply ROV policy to incoming BGP updates.
Deploying RPKI: Step by Step
Step 1: Audit Your Prefixes
List every prefix your AS announces. Note the originating AS and the appropriate max length.
Step 2: Create ROAs
Log into your RIR portal and create ROAs for each prefix. Double-check max length values to avoid creating invalids for your own announcements.
Step 3: Verify Your Announcements
Use public tools like the RIPE NCC RPKI Validator or RouteViews to confirm your prefixes show as Valid.
Step 4: Deploy a Validator
Stand up at least two Routinator (or equivalent) instances for redundancy. They should fetch from all five RIRs.
Step 5: Configure RTR on Your Routers
Connect your routers to your validators. On Cisco IOS XR, Juniper, Arista, and Nokia, RTR is well-supported.
Step 6: Apply Drop-Invalid Policy
Start by tagging Invalid routes for monitoring, then move to dropping them once you're confident your own ROAs are correct.
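The ROV classification described above (Valid / Invalid / Not Found) and the Step 2 self-check against your own ROAs, as an added Python example that is not part of the original guide or any validator's code. It implements the RFC 6811 matching rule over a constructed VRP set using documentation prefixes and private ASNs, and shows how a too-tight max length turns your own more-specific into an Invalid.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: the (prefix, max length, origin ASN) triple a validator serves over RTR."""
    prefix: str
    max_length: int
    asn: int


def classify(prefix: str, origin_asn: int, vrps) -> str:
    """Classify one BGP announcement per RFC 6811: Valid, Invalid or NotFound."""
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix, strict=False)
        # A VRP covers the route only if it is the same address family and the
        # announced prefix is equal to or more specific than the ROA prefix.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Valid requires both the origin ASN and the length (<= max length) to match.
        # A ROA for AS 0 never matches a real origin, so it only ever yields Invalid.
        if vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "Valid"
    return "Invalid" if covered else "NotFound"


def audit(announcements, vrps):
    """Self-check every (prefix, origin ASN) pair we announce against the VRP set."""
    return {(p, asn): classify(p, asn, vrps) for p, asn in announcements}


# Constructed sample data: documentation ranges (RFC 5737 / RFC 3849) and private ASNs.
SAMPLE_VRPS = [
    VRP("203.0.113.0/24", 24, 64500),   # max length equals prefix length
    VRP("198.51.100.0/22", 22, 64500),  # no more-specifics authorised
    VRP("2001:db8::/32", 48, 64500),    # /33 .. /48 sub-announcements allowed
]

SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),    # Valid
    ("203.0.113.0/24", 64501),    # Invalid: wrong origin AS (the hijack case)
    ("198.51.100.0/24", 64500),   # Invalid: our own more-specific exceeds max length
    ("2001:db8:1::/48", 64500),   # Valid: within max length
    ("192.0.2.0/24", 64500),      # NotFound: no covering ROA
]

if __name__ == "__main__":
    for (prefix, asn), state in audit(SAMPLE_ANNOUNCEMENTS, SAMPLE_VRPS).items():
        print(f"{prefix:<20} AS{asn}  {state}")
```

Feeding the output of a real validator (for example Routinator's JSON VRP export) into `SAMPLE_VRPS` turns this into the pre-flight check for Step 6: nothing you originate should come back Invalid before you switch from tagging to dropping.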
Common RPKI Mistakes
- Mismatched max length: Creates invalids for your own legitimate more-specifics.
- Forgetting to update ROAs: When you re-allocate prefixes, ROAs need updating too.
- Single validator instance: If it dies, your routers fall back to no RPKI data, bypassing protection.
- Trusting only one RIR: Validators should fetch from all RIRs.
RPKI Adoption in 2026
RPKI coverage has grown steadily. Major networks including Cloudflare, Google, Amazon, and most Tier-1 transit providers drop invalids. In Europe and parts of Asia, ROA coverage exceeds 50%. In North America, adoption is rising thanks to ARIN's improved tooling.
That said, RPKI only protects against origin hijacks. Path hijacks (where a malicious AS prepends itself into the AS path) require additional mechanisms like ASPA (AS Provider Authorization), which is gaining traction in 2026.
RPKI at Noded
At Noded, every prefix we announce has a valid ROA, and every router we operate runs ROV with drop-invalid policy. We pair this with strong multi-homed BGP and DDoS protection for end-to-end network integrity. If you lease IP space from us (see IPv4 Leasing), we handle the ROA work for you.
FAQ
Does RPKI prevent all BGP hijacks?
No. RPKI prevents origin hijacks but not path hijacks. ASPA and BGPsec address those, but their adoption is still nascent.
Can I deploy RPKI without dropping invalids?
Yes. Many operators start in monitor-only mode, tagging invalids while continuing to accept them. Once they're confident, they switch to drop-invalid.
What happens if my validator goes down?
Routers fall back to treating all routes as "not found," which means RPKI protection is effectively off until the validator returns.
How long does it take a ROA to take effect?
Typically minutes to a few hours, depending on RIR publication intervals and validator refresh cycles.
Is RPKI free?
Yes. Creating ROAs through your RIR is included with your IP resource membership, and validator software is open source.