RPKI/ROA Validator

Checks ROA (Route Origin Authorization) validity for an origin ASN and prefix pair. Validation by RIPEstat.

What this RPKI/ROA validator does

RPKI (Resource Public Key Infrastructure) lets the holder of an IP prefix publish a signed statement — a ROA (Route Origin Authorization) — declaring which AS is allowed to originate that prefix in BGP. Networks that do Route Origin Validation then drop routes that conflict with the ROA, which stops many route hijacks and fat-finger leaks. This tool checks a given origin ASN + prefix pair against published ROAs using the RIPEstat validation API.

Reading the result

Valid — a ROA exists and the announcement matches the authorized AS and prefix length.
Invalid — a ROA covers the prefix but the origin AS or the prefix length does not match (invalid_asn / invalid_length). Such routes are rejected by validating networks.
Unknown — no ROA covers the prefix, so RPKI can neither confirm nor deny it.

Find the origin AS for an IP with the ASN lookup. Background: RPKI and ROA explained and BGP routing basics.

Frequently asked questions

My prefix is "Unknown" — is that bad?

It means you have not published a ROA yet, so the prefix is unprotected by RPKI. It will still route normally, but creating a ROA at your RIR upgrades it to Valid and protects it from hijack by networks doing origin validation.

What is the difference between invalid_asn and invalid_length?

invalid_asn means a ROA exists for the prefix but authorizes a different AS than the one announcing it. invalid_length means the announced prefix is more specific than the ROA's maxLength allows. Both are treated as Invalid and dropped.

Does RPKI secure the entire BGP path?

No. ROA-based origin validation only confirms the origin AS is authorized for the prefix. Securing the full AS path requires path validation (BGPsec / ASPA), which is far less widely deployed.