← Back to Security Information

RPKI (Resource Public Key Infrastructure)

Complete Guide to Routing Security - Preventing BGP Route Hijacking and Protecting IP Address Space

Why RPKI Matters: Preventing Route Hijacking

RPKI prevents attackers from hijacking your IP address space by announcing unauthorized BGP routes. Without RPKI, attackers can redirect all traffic intended for your domain to malicious servers, even if DNS and other security measures are in place.

For government agencies, RPKI is critical for infrastructure security. Route hijacking is a serious threat that can cause widespread service disruption and data interception.

What is RPKI?

RPKI (Resource Public Key Infrastructure) is a security framework that verifies the authenticity of BGP (Border Gateway Protocol) route announcements. It prevents route hijacking by cryptographically verifying that route announcements are authorized.

Think of RPKI as a "certificate system for IP addresses"—just as SSL certificates verify domain ownership, RPKI verifies IP address space ownership and authorizes route announcements.

RPKI works by:

  1. Route Origin Authorization (ROA): IP address owners create ROA records authorizing specific routes
  2. Cryptographic Verification: Route announcements are cryptographically verified against ROA records
  3. Route Validation: RPKI-validating networks reject unauthorized route announcements
  4. Route Hijacking Prevention: Attackers cannot announce unauthorized routes

How RPKI Works

When a network announces a BGP route:

  1. Route Announcement: Network announces an IP prefix route through BGP
  2. RPKI Lookup: RPKI-validating networks check for ROA records for that IP prefix
  3. Validation: Network verifies that the route announcement matches the ROA:
    • Valid: Route matches ROA, route is accepted
    • Invalid: Route doesn't match ROA, route is rejected
    • Not Found: No ROA exists, route handling depends on policy
  4. Route Propagation: Only valid routes are propagated by RPKI-validating networks

Route Origin Authorization (ROA)

ROA (Route Origin Authorization) records are cryptographic certificates that specify which ASNs (Autonomous System Numbers) are authorized to announce specific IP prefixes. ROA records are published in the RPKI repository and verified by RPKI-validating networks.

ROA records specify:

  • IP Prefix: The IP address range (e.g., 192.0.2.0/24)
  • ASN: The Autonomous System Number authorized to announce the prefix
  • Max Length: Maximum prefix length allowed (for more specific routes)

Example ROA

A ROA might authorize ASN 64512 to announce 192.0.2.0/24 with a max length of /24, meaning:

  • ASN 64512 can announce 192.0.2.0/24
  • ASN 64512 can announce more specific routes like 192.0.2.0/25
  • Other ASNs cannot announce 192.0.2.0/24
  • ASN 64512 cannot announce 192.0.2.0/23 (longer prefix than authorized)

Why RPKI is Critical for Government Agencies

For government agencies, RPKI is critical for infrastructure security:

1. Prevents Route Hijacking

RPKI prevents attackers from hijacking your IP address space by announcing unauthorized routes. Without RPKI, attackers can:

  • Announce your IP prefixes from unauthorized locations
  • Redirect all traffic to malicious servers
  • Intercept communications intended for your domain
  • Cause widespread service disruption

2. Protects Infrastructure

RPKI protects your network infrastructure by ensuring only authorized routes are accepted. This prevents attacks that could compromise your entire network infrastructure.

3. Provides Cryptographic Proof

RPKI provides cryptographic proof of IP address space ownership and route authorization. This is important for compliance, insurance, and legal protection.

4. Required for Modern Internet Security

RPKI is becoming increasingly important as route hijacking attacks become more common. Many major networks are adopting RPKI validation, making RPKI essential for reliable connectivity.

What Can Go Wrong Without RPKI?

The consequences of operating without RPKI are severe:

Route Hijacking

Without RPKI, attackers can hijack your IP address space by announcing unauthorized routes. This can:

  • Redirect all traffic to malicious servers
  • Intercept sensitive communications
  • Cause widespread service disruption
  • Compromise your entire network infrastructure

Service Disruption

Route hijacking can cause complete service disruption, making your website and services inaccessible to users.

Data Interception

Hijacked routes can redirect traffic to malicious servers, allowing attackers to intercept and steal sensitive data.

How to Implement RPKI

Implementing RPKI requires:

Step 1: Obtain IP Address Space

You must own or have authority over IP address space (from ARIN, RIPE, APNIC, etc.) to create ROA records.

Step 2: Create ROA Records

Create ROA records authorizing your ASN(s) to announce your IP prefixes. This is typically done through your Regional Internet Registry (RIR).

Step 3: Publish ROA Records

Publish ROA records in the RPKI repository. RPKI-validating networks will retrieve and use these records to validate route announcements.

Step 4: Configure Route Validation

Configure your network's BGP routers to perform RPKI validation (if you're validating routes from others) or ensure your upstream providers validate routes.

RPKI Validation States

RPKI validation can result in three states:

  • Valid: Route matches ROA, route is authorized
  • Invalid: Route doesn't match ROA, route should be rejected
  • Not Found: No ROA exists, route handling depends on policy

How YesGov Ensures RPKI is Properly Configured

YesGov handles RPKI implementation and management for government agencies:

  • ROA Creation: We create ROA records for your IP address space
  • RPKI Repository: We publish ROA records in the RPKI repository
  • Validation Testing: We test RPKI validation to ensure it works correctly
  • Ongoing Management: We manage ROA records and update them as needed
  • Documentation: All RPKI configuration is documented for compliance and insurance purposes

How YesGov Ensures Complete RPKI Protection

At YesGov, we don't just check if RPKI is configured—we perform comprehensive validation of your entire RPKI setup:

  • ROA Creation: We create ROA records for your IP address space
  • RPKI Repository: We publish ROA records in the RPKI repository
  • Validation Testing: We test RPKI validation to ensure it works correctly
  • Route Protection: We verify routes are properly authorized and protected
  • Ongoing Management: We manage ROA records and update them as needed
  • Ongoing Monitoring: We continuously monitor RPKI status and route validation
  • Documentation: All RPKI configuration is documented for compliance

When you host with YesGov, RPKI is properly configured, continuously monitored, and automatically maintained. We handle ROA creation, repository management, and route validation so you don't have to worry about BGP route hijacking. This is one of our comprehensive security checks that ensures your agency meets and exceeds federal, state, and industry standards.

Get Protected Today Check Your RPKI

Additional Resources