RPKI and ROA Explained
BGP trusts whatever a network announces, which is how route hijacks happen. RPKI (Resource Public Key Infrastructure) adds cryptographic proof of who owns which address space, and ROAs (Route Origin Authorizations) use it to say which AS may originate which prefix.
What a ROA contains
A ROA is a signed object stating three things:
| Field | Example | Meaning |
|---|---|---|
| Origin AS | AS3333 | the AS allowed to announce |
| Prefix | 193.0.0.0/21 | the address block |
| Max length | /24 | most specific sub-prefix allowed |
The holder of the address space creates the ROA at their RIR; it is signed with a resource certificate that chains up to the RIR's trust anchor, so anyone can verify that the holder really authorized that origin AS.
Route Origin Validation
Networks that deploy ROV compare each BGP announcement against published ROAs and label it:
- Valid — a ROA authorizes this origin and prefix length.
- Invalid — a ROA exists but the origin AS or length doesn't match; the route is dropped.
- Unknown — no ROA covers the prefix; the route is accepted as before.
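The three outcomes above follow a fixed rule (RFC 6811): collect every ROA whose prefix covers the announced prefix; if none does, the route is Unknown; if any covering ROA names the announced origin AS and the announced prefix is no longer than that ROA's max length, the route is Valid; otherwise it is Invalid. The following is an added worked example of that rule, not code from the original page or from any validator project. The ROA set is constructed for the example: the AS3333 / 193.0.0.0/21 / /24 entry mirrors the page's table, and the rest use documentation address space and private AS numbers; a real router would instead receive ROAs from a validator cache that has already checked the signatures.

```python
"""Route Origin Validation (RFC 6811) over a constructed ROA set.

Added example, not part of the original page. Only the AS3333 / 193.0.0.0/21
entry comes from the page's table; every other ROA and announcement below is
constructed from documentation address space and private AS numbers.
"""
import ipaddress

# Constructed ROA set. In a real deployment these come from a validator
# (RTR cache) that has verified the signatures up to each RIR's trust anchor.
ROAS = [
    {"prefix": "193.0.0.0/21",    "max_length": 24, "origin_as": 3333},
    {"prefix": "198.51.100.0/24", "max_length": 24, "origin_as": 64496},
    {"prefix": "198.51.100.0/24", "max_length": 24, "origin_as": 64497},  # second authorized origin
    {"prefix": "2001:db8::/32",   "max_length": 48, "origin_as": 64496},
    {"prefix": "192.0.2.0/24",    "max_length": 24, "origin_as": 0},      # AS0 ROA: nobody may originate this
]

VALID, INVALID, UNKNOWN = "Valid", "Invalid", "Unknown"


def _covers(roa_prefix, route_prefix):
    """True when the announced prefix lies inside the ROA prefix (same IP version).

    The version check comes first: ipaddress raises TypeError when comparing
    an IPv4 network with an IPv6 one.
    """
    return (roa_prefix.version == route_prefix.version
            and route_prefix.subnet_of(roa_prefix))


def validate(route_prefix, origin_as, roas=ROAS):
    """Classify one announcement per RFC 6811 section 2.

    - no ROA covers the prefix                           -> Unknown (RFC: NotFound)
    - a covering ROA names this origin AS and the prefix
      is no longer than that ROA's maxLength             -> Valid
    - ROAs cover the prefix but none of them matches     -> Invalid
    """
    route = ipaddress.ip_network(route_prefix)
    covering = [r for r in roas
                if _covers(ipaddress.ip_network(r["prefix"]), route)]
    if not covering:
        return UNKNOWN
    for r in covering:
        if r["origin_as"] == origin_as and route.prefixlen <= r["max_length"]:
            return VALID
    return INVALID


def apply_rov_policy(announcements, roas=ROAS):
    """Policy of a network that drops Invalids and accepts Valid and Unknown.

    Returns (accepted, rejected); each entry is (prefix, origin_as, state).
    """
    accepted, rejected = [], []
    for prefix, origin_as in announcements:
        state = validate(prefix, origin_as, roas)
        (rejected if state == INVALID else accepted).append((prefix, origin_as, state))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed announcements exercising each outcome.
    sample = [
        ("193.0.0.0/21", 3333),      # exact ROA match                 -> Valid
        ("193.0.4.0/24", 3333),      # within maxLength /24             -> Valid
        ("193.0.4.0/25", 3333),      # more specific than /24           -> Invalid
        ("193.0.0.0/21", 64500),     # wrong origin AS (the hijack case) -> Invalid
        ("198.51.100.0/24", 64497),  # matches the second of two ROAs   -> Valid
        ("192.0.2.0/24", 64496),     # covered only by an AS0 ROA       -> Invalid
        ("2001:db8:1::/48", 64496),  # IPv6, within maxLength /48       -> Valid
        ("203.0.113.0/24", 64500),   # no ROA at all                    -> Unknown
    ]
    accepted, rejected = apply_rov_policy(sample)
    for entry in accepted + rejected:
        print(*entry)
```

Two details matter in practice and are exercised above: a prefix covered by several ROAs is Valid as soon as one of them matches, and a /25 announced under a ROA with max length /24 is Invalid even when the origin AS is right, which is what stops a more-specific hijack from a legitimate-looking origin.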
As more networks reject Invalid routes, a hijacker's bogus announcement simply doesn't propagate. Major IXPs and transit providers now drop Invalids by default.
Check it
Validate an origin AS + prefix pair with our RPKI/ROA checker, find an IP's origin AS with the ASN lookup, and read how routes flow in BGP routing basics.
Note: RPKI/ROA secures only the origin of a route, not the whole AS path. Path security (BGPsec, ASPA) is a separate, less-deployed effort. Still, publishing a ROA is a high-value, low-effort step every prefix holder should take.