About Resource Public Key Infrastructure (RPKI) at Vultr

Updated on 24 June, 2025

Resource Public Key Infrastructure (RPKI) is a system designed to enhance the security of Border Gateway Protocol (BGP) by preventing a common form of BGP hijacking. It uses cryptographic signatures to attest that an Autonomous System Number (ASN) is permitted to originate a particular IP prefix. Networks that perform Route Origin Validation (ROV) can then reject announcements whose origin does not match a signed authorization, which stops malicious or misconfigured networks from redirecting or intercepting traffic for that prefix. RPKI validates only the origin of a route, not the full AS path, so it is one layer of routing security rather than a complete defense.

About Route Origin Authorization (ROA)

Route Origin Authorization (ROA) is the core component of RPKI. A ROA names a single ASN, one or more IP prefixes, and for each prefix the maximum prefix length that the ASN may advertise. ROAs are cryptographically signed and published in public repositories; RPKI validators fetch and verify them and pass the resulting (prefix, maximum length, ASN) records to routers, which use them to check whether a given ASN is permitted to originate a specific IP prefix.

Example ROA With Maximum Length of /29

In the following example of a ROA, AS20473 is permitted to announce the 192.0.2.0/24 network and any more-specific prefix within it down to /29:

{
    "asn" : "AS20473",
    "prefix" : "192.0.2.0/24",
    "maxLength" : 29,
    "ta" : "ARIN"
}

In the above example:

  • asn: This must be a public ASN. If you're using a private ASN, your ROA should list Vultr's public ASN AS20473. Private ASNs are not propagated to the global routing table; Vultr originates the route to the rest of the internet as AS20473, so that is the origin ASN validators see and the one the ROA must authorize.

  • prefix: This is the IP block being authorized. It defines the base prefix that the ASN is allowed to announce.

  • maxLength: This specifies the longest prefix length (the most specific, smallest subnet) that may be announced under this ROA. In this case, any prefix between /24 and /29 is allowed, such as /25, /26, /27, /28, or /29. Set maxLength no longer than the prefixes you actually announce: every length the ROA permits but you do not announce is one that an attacker can announce with a forged origin of your ASN and still pass origin validation, and the more specific route will win.

  • ta: This is the Trust Anchor, the Regional Internet Registry that allocated the prefix and whose certificate the ROA chains to, such as ARIN, RIPE NCC, or APNIC.

Example ROA With Exact Prefix Length

In the following example of a ROA, AS20473 is permitted to announce only the exact 192.0.2.0/24 prefix, with no more-specific prefixes allowed:

{
    "asn" : "AS20473",
    "prefix" : "192.0.2.0/24",
    "maxLength" : 24,
    "ta" : "ARIN"
}

You can check the validation status of a prefix and origin ASN pair using the RIPE Validator, a public service provided by RIPE NCC.

RPKI Status

Vultr performs nightly checks on the RPKI status of every customer subnet. You can view the RPKI status in the BGP section of your Vultr customer portal. You may encounter the following RPKI status states:

  • Valid: A ROA exists that covers the prefix and lists the origin ASN, with a maxLength that permits the announced prefix length. This is the state you want to see for your subnets.

  • Unknown: No ROA covers the given prefix. This is still common and does not affect reachability: routers treat a route with no matching ROA as acceptable rather than as invalid. It does mean the prefix gets no protection from origin validation, so creating a ROA is still recommended.

Invalid States

Several invalid states can stop your IP space from being reachable across the internet: networks that perform Route Origin Validation drop RPKI-invalid routes, and many large transit and content networks now do so. These need to be fixed:

  • Invalid ASN: A ROA exists for this prefix, but none of the ASNs in it match the ASN your account is configured to announce with. If you're using a private ASN, your ROAs should list Vultr's public ASN AS20473.

  • Invalid Prefix Length: A ROA exists for this prefix and ASN, but the prefix you announce is longer (more specific) than the ROA's maxLength allows. Typically, you would issue a new ROA whose maxLength covers what you announce, such as 24 for IPv4 or 48 for IPv6, the longest prefixes generally accepted in the global routing table. You can also issue a separate ROA for the more-specific prefix itself if you only need that one length.
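To make the status rules above concrete, here is an added example (not Vultr's code, and not the logic behind the portal's nightly check) that applies Route Origin Validation as specified in RFC 6811 to a constructed ROA list in the same JSON shape as the examples on this page. The two ROAs, the announced prefixes and the AS numbers are assumptions for illustration; a real validator takes its records from the RPKI repositories after verifying the signatures, and routers receive them over the RTR protocol.

```python
import ipaddress
import json

# Constructed ROA data in the same JSON shape this page uses (assumed values).
# In production these records come from an RPKI validator that has already
# verified the signatures, not from a hand-maintained list.
ROA_JSON = """
[
  {"asn": "AS20473", "prefix": "192.0.2.0/24",  "maxLength": 29, "ta": "ARIN"},
  {"asn": "AS20473", "prefix": "2001:db8::/32", "maxLength": 48, "ta": "ARIN"}
]
"""

VALID = "Valid"
UNKNOWN = "Unknown"
INVALID_ASN = "Invalid ASN"
INVALID_LENGTH = "Invalid Prefix Length"


def load_roas(text: str) -> list:
    """Parse ROA JSON into records with a parsed network and a numeric ASN."""
    roas = []
    for entry in json.loads(text):
        asn = entry["asn"]
        if isinstance(asn, str) and asn.upper().startswith("AS"):
            asn = asn[2:]          # accept "AS20473" as well as 20473
        roas.append({
            "asn": int(asn),
            "network": ipaddress.ip_network(entry["prefix"], strict=False),
            "max_length": int(entry["maxLength"]),
            "ta": entry.get("ta"),
        })
    return roas


ROAS = load_roas(ROA_JSON)


def validate_origin(prefix: str, origin_asn: int, roas=None) -> str:
    """Classify an announced (prefix, origin ASN) pair the way a router
    performing Route Origin Validation (RFC 6811) would.

    Returns VALID, UNKNOWN, INVALID_ASN or INVALID_LENGTH. A router only
    distinguishes Valid / NotFound / Invalid; the two Invalid variants
    mirror the status names on this page so the result points at the fix.
    """
    roas = ROAS if roas is None else roas
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    asn_matched = False
    for roa in roas:
        net = roa["network"]
        # A ROA covers the route only if the route lies inside the ROA prefix
        # (an exact match counts); different address families never match.
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True
        if roa["asn"] != origin_asn:
            continue
        asn_matched = True
        if route.prefixlen <= roa["max_length"]:
            return VALID           # covered, right ASN, length permitted
    if not covered:
        return UNKNOWN             # no ROA says anything about this prefix
    return INVALID_LENGTH if asn_matched else INVALID_ASN


if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 20473), ("192.0.2.0/30", 20473),
                        ("192.0.2.0/24", 64512), ("198.51.100.0/24", 20473)]:
        print(f"{prefix} from AS{asn}: {validate_origin(prefix, asn)}")
```

Two of the results are worth noticing. Announcing 192.0.2.0/24 from a private ASN such as AS64512 is "Invalid ASN", which is exactly why a customer on a private ASN must put AS20473 in the ROA. And 192.0.2.8/29 from AS20473 is "Valid" even though nothing on this page says that /29 is actually announced: origin validation cannot tell a genuine announcement from one that merely claims AS20473 as origin, so a maxLength longer than what you announce widens what an attacker can get accepted.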

Configuring RPKI

RPKI setup is managed through your Regional Internet Registry (RIR), such as RIPE NCC, ARIN, or APNIC. Only the holder of the IP space, the organization whose RIR account the allocation is registered to, can create or change its ROAs.

If you are leasing IP space, contact your provider for help with configuring RPKI.