RPKI (Resource Public Key Infrastructure) is a cryptographic technology used in networking to prevent BGP hijacking, a disruptive attack in which a malicious or misconfigured network advertises prefixes (routes) that belong to other networks and which it has no right to use.
RPKI allows regional internet registries (RIRs) to sign Route Origin Authorisations (ROAs) for their members (networks around the world such as ourselves) using asymmetric key cryptography (a public key plus a private key). The RIRs then publish these ROAs so that networks around the world can query them, and a network can verify that a published ROA hasn't been tampered with by checking its signature against the RIR's known signing certificate (public key).
RPKI signing (protecting the prefixes you advertise) can be set up within minutes, just by filling out 3 form fields on your RIR's RPKI portal for each prefix you want to enable RPKI for.
RPKI validation (filtering incoming prefixes which don't match RPKI) is a little more tricky, as it generally requires you to set up an RPKI validator such as Routinator 3000, configure your peer-facing BGP routers to use your local RPKI server as their validation source, and set up some route maps to tell your router how strictly you'd like to enforce RPKI.
To show you how easy it is to set up RPKI signing, below are some screenshots of RIPE's RPKI Dashboard and some basic instructions for setting up RPKI signing.
First, log into your RIR's LIR portal (e.g. RIPE/ARIN/AFRINIC). Locate the RPKI management page; for RIPE it's under Resources > RPKI Dashboard.
Look for a button / link which says something like "New ROA", "Add Route Origin Authorisation" etc.
Click on that button. Enter into the form the prefix (e.g. 188.8.131.52/24) which you're advertising (or soon will be) via BGP.
Go ahead and hit SAVE / SUBMIT. For RIPE, click the floppy disk in the same row as the form.
NOTE: For RIPE, once you've finished adding ROAs, you'll need to click "Review and publish changes" in the bottom right, as shown above, and then click "Publish".
The first thing to understand, before you can see why RPKI is important, is that BGP (Border Gateway Protocol) is a very old protocol. It was designed in the early days of the internet, when the only networks you'd peer with were large universities and government organisations who you could trust to be telling your router(s) the truth.
Here in 2020, the internet has grown massively, and large networks such as Google and Cloudflare peer with hundreds or even thousands of individual networks. With plain BGP, it's very easy for a network to lie to another network, or, most commonly, to simply trick it by advertising a "better" (more specific) prefix than the real ISP does.
As an example, let's say there's a network, AS65000 (ExampleNet), and they tell other networks via BGP "we are AS65000 and you should route 184.108.40.206/25 via our network!". Here 220.127.116.11/25 is a more specific prefix than the real AS15169 Google prefix 18.104.22.168/24, and thus many networks' routers will just trust that 22.214.171.124/25 from some small, barely known network (ExampleNet AS65000) is a better route than the real 126.96.36.199/24 (Google AS15169).
If the other networks had RPKI validation set up, and Google had set up ROAs restricting that prefix to AS15169 with a "most specific" prefix size of /24, then AS65000's hijacker prefixes would be rejected based on both their ASN and the fact that a /25 is more specific than the /24 maximum which Google had set.
An ROA generally contains 3 pieces of information:
For example, if the prefix is 10.1.0.0/16 but the most specific prefix size is /24, then the ASN mentioned in that ROA may advertise anything between a /16 and a /24 within that block.
For example, here is a small subset of Privex (AS210083)'s RPKI ROAs, extracted using the Routinator command (one ROA per line):
AS210083,188.8.131.52/24,24,ripe
AS210083,184.108.40.206/24,24,ripe
AS210083,2a07:e00::/48,48,ripe
AS210083,2a07:e00:a::/48,48,ripe
AS210083,2a07:e01::/32,32,ripe
Let's break down the first line to help you understand it.
"AS210083," declares that this ROA line authorises the AS number 210083 to advertise the prefix defined in the following data.
"220.127.116.11/24" declares the prefix in CIDR format (a /24 is 256 IPv4 addresses).
"24" is the most specific prefix size: AS210083 may only advertise this prefix block as a /24, nothing bigger or smaller.
"ripe" simply tells us that the ROA was declared at RIPE, the RIR for Europe, Russia, and certain other nearby regions.
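To tie the hijack example and the ROA breakdown together, here is an added example (not part of the original post, and not Routinator's or Privex's code) that parses ROA lines in the CSV layout shown above and applies the standard route origin validation rules: a route is "NotFound" if no ROA covers it, "Valid" if a covering ROA names the same origin AS and the route is no more specific than the ROA's max length, and otherwise "Invalid". The AS210083 lines are the ones quoted on the page; the AS15169 ROA on 198.51.100.0/24 is a constructed stand-in for the Google prefix in the hijack scenario, since the addresses in that scenario are shown inconsistently on the page. The prefixes are parsed with `strict=False` so that a prefix written with host bits set (as on the page) is normalised to its network address.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    asn: int
    prefix: Network
    max_length: int
    trust_anchor: str


# Constructed input: the Routinator CSV lines quoted on the page for AS210083, plus one
# hypothetical ROA for AS15169 on a documentation prefix (198.51.100.0/24) that stands in
# for the Google prefix of the hijack example. The last column is the trust anchor name.
SAMPLE_CSV = """\
AS210083,188.8.131.52/24,24,ripe
AS210083,184.108.40.206/24,24,ripe
AS210083,2a07:e00::/48,48,ripe
AS210083,2a07:e00:a::/48,48,ripe
AS210083,2a07:e01::/32,32,ripe
AS15169,198.51.100.0/24,24,constructed
"""


def parse_routinator_csv(text: str) -> List[ROA]:
    """Parse 'ASN,prefix,maxlen,trust-anchor' lines (the layout of `routinator vrps --format csv`)."""
    roas: List[ROA] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("asn,"):  # skip blank lines and a header row
            continue
        asn_s, prefix_s, maxlen_s, ta = (f.strip() for f in line.split(","))
        asn = int(asn_s[2:]) if asn_s.upper().startswith("AS") else int(asn_s)
        # strict=False tolerates host bits, e.g. 188.8.131.52/24 -> 188.8.131.0/24
        prefix = ipaddress.ip_network(prefix_s, strict=False)
        roas.append(ROA(asn, prefix, int(maxlen_s), ta))
    return roas


def validate_origin(roas: List[ROA], prefix_s: str, origin_asn: int) -> Tuple[str, str]:
    """Route origin validation: returns (state, reason) with state in Valid/Invalid/NotFound."""
    route = ipaddress.ip_network(prefix_s, strict=False)
    # Only ROAs of the same address family can cover the route.
    covering = [r for r in roas
                if r.prefix.version == route.version and route.subnet_of(r.prefix)]
    if not covering:
        return "NotFound", "no ROA covers this prefix"
    reasons = []
    for r in covering:
        asn_ok = r.asn == origin_asn
        len_ok = route.prefixlen <= r.max_length
        if asn_ok and len_ok:
            return "Valid", f"matches ROA AS{r.asn} {r.prefix} max /{r.max_length}"
        if not asn_ok:
            reasons.append(f"ROA authorises AS{r.asn}, not AS{origin_asn}")
        if not len_ok:
            reasons.append(f"/{route.prefixlen} is more specific than max /{r.max_length}")
    return "Invalid", "; ".join(reasons)


def policy_action(state: str) -> str:
    """The 'how strictly' choice from the route-map step: drop Invalid, accept Valid and NotFound."""
    return "reject" if state == "Invalid" else "accept"


if __name__ == "__main__":
    roas = parse_routinator_csv(SAMPLE_CSV)
    announcements = [
        ("198.51.100.0/25", 65000),   # the ExampleNet hijack: wrong AS and too specific
        ("198.51.100.0/24", 15169),   # the legitimate origin
        ("188.8.131.0/24", 210083),   # a Privex prefix from the page
        ("203.0.113.0/24", 64496),    # nothing signed for this prefix
    ]
    for prefix, asn in announcements:
        state, why = validate_origin(roas, prefix, asn)
        print(f"{prefix} from AS{asn}: {state} ({why}) -> {policy_action(state)}")
```

Running it shows the hijack announcement rejected for both reasons the text gives (wrong origin AS and a /25 exceeding the /24 max length), while a Privex /24 from AS210083 validates, and an unsigned prefix comes back as NotFound, which the lenient policy above still accepts.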