Resource Public Key Infrastructure (RPKI) is a system designed to enhance the security of Border Gateway Protocol (BGP) by preventing BGP hijacking. It uses cryptographic signatures to validate that an Autonomous System Number (ASN) is permitted to announce a particular IP subnet. This system secures the internet's routing infrastructure and prevents malicious actors from redirecting or intercepting traffic.
Route Origin Authorization (ROA) is the core component of RPKI. A ROA specifies the allowed ASNs, IP prefixes, and the maximum prefix length that can be advertised. These ROAs are cryptographically signed and publicly published, allowing routers to verify that a given ASN is permitted to announce a specific IP prefix.
In the following example of a ROA, AS20473 is permitted to announce the 192.0.2.0/24 network and all smaller subnets within it down to /29:
```json
{
  "asn" : "AS20473",
  "prefix" : "192.0.2.0/24",
  "maxLength" : 29,
  "ta" : "ARIN"
}
```
In the above example:
asn: This must be a public ASN. If you're using a private ASN, your ROA should list Vultr's public ASN AS20473, as RPKI requires a globally routable ASN to authorize prefix announcements.
prefix: This is the IP block being authorized. It defines the base prefix that the ASN is allowed to announce.
maxLength: This specifies the most specific subnet (smallest prefix) that can be announced from the base prefix. In this case, any subnet between /24 and /29 is allowed, such as /25, /26, /27, /28, or /29.
ta: This is the Trust Anchor or Regional Internet Registry that issued the prefix, such as ARIN, RIPE, or APNIC.
In the following example of a ROA, AS20473 is permitted to announce only the exact 192.0.2.0/24 prefix, with no smaller subnets allowed:
```json
{
  "asn" : "AS20473",
  "prefix" : "192.0.2.0/24",
  "maxLength" : 24,
  "ta" : "ARIN"
}
```
You can check individual ROAs using the RIPE Validator, a public service provided by RIPE.
Vultr performs nightly checks on the RPKI status of every customer subnet. You can view the RPKI status in the BGP section of your Vultr customer portal. You may encounter the following RPKI status states:
Valid: This means that an ROA exists for the ASN/prefix pair, and everything is in order. This is the state you want to see for your subnets.
Unknown: No ROA exists for the given prefix. This is common for many IP addresses and is typically not an issue, as most ISPs are not yet requiring RPKI validation. You will probably not encounter problems with this state.
Several types of invalid signatures can prevent your IP space from being advertised across the internet. These need to be fixed:
Invalid ASN: An ROA exists for this prefix, but none of the ASNs match what your account is configured for. If you're using a private ASN, your ROAs should list Vultr's public ASN AS20473.
Invalid Prefix Length: An ROA exists for this prefix/ASN, but the maximum allowed prefix length is not correct. Typically, you would need to issue a new ROA with the correct maximum prefix length, such as 24 for IPv4 or 48 for IPv6. You can also issue a new ROA for a smaller prefix if needed.
RPKI setup is managed through your Regional Internet Registry (RIR) (such as RIPE, ARIN, APNIC, etc.). Only the owner of IP space can manage RPKI ROAs.
If you are leasing IP space, contact your provider for help with configuring RPKI.