In 2008, Pakistan Telecom, trying to block YouTube domestically, announced a more-specific route for one of YouTube's prefixes and its upstream propagated it, pulling YouTube traffic from much of the world into a black hole. In 2018, a route leak at a Nigerian ISP sent Google traffic through China Telecom and a Russian carrier. RPKI exists to stop the first kind of incident, a wrong origin for a prefix; it only partly helps with the second, because a leaked route usually still carries the legitimate origin AS.

The Trust Problem with BGP

BGP carries no authentication of the routing information itself. Session security (TCP-MD5, TCP-AO) protects the conversation between two routers, but nothing in the protocol proves that an AS announcing "I originate 8.8.8.0/24" is entitled to. Neighbouring routers simply believe it and pass it on. This enables:

  • Accidental Hijacking: A misconfiguration (a typo in a prefix, an internal or test route that escapes a filter) originates someone else's address space into the global table.
  • Malicious Hijacking: An attacker originates a victim's prefix, or a more-specific of it that wins on longest-prefix match, to intercept, modify or blackhole traffic.
  • Route Leaks: Routes learned from a customer or peer are re-announced to other peers or transit providers against the intended policy, so traffic flows through an AS that should never have carried it. The origin AS is usually unchanged, which is why origin validation alone does not catch leaks.

RPKI: Cryptographic Route Authorization

Resource Public Key Infrastructure (RPKI) is an X.509-based PKI, rooted at the Regional Internet Registries, in which IP address holders cryptographically sign statements about which AS numbers are authorized to originate their prefixes. Three pieces make it usable by routers:

  • ROA (Route Origin Authorization): A signed object stating "AS64496 is authorized to originate 192.0.2.0/24, and any more-specific prefix down to /24 (the maxLength)". Choosing a maxLength longer than the prefix you announce authorizes more-specifics nobody announces, which a forged-origin hijacker can use to win longest-prefix match with a route ROV calls Valid; set maxLength to the length you actually announce.
  • Validators (Routinator, rpki-client, FORT and others): Software that fetches certificates and ROAs over rsync or RRDP from the repositories rooted at the five Regional Internet Registries' trust anchors, verifies the signature chain, and builds a cache of Validated ROA Payloads (VRPs): (prefix, maxLength, origin AS) triples.
  • RTR Protocol (RPKI-to-Router, RFC 8210): Routers fetch the VRP set from a validator cache and keep it in sync, so the router itself does no cryptography; the validator does.

Route Origin Validation (ROV)

When a router receives a BGP announcement, it compares the prefix and the origin AS (the rightmost AS in the AS_PATH) against its VRP set and assigns one of three states (RFC 6811):

  • Valid: At least one VRP covers the prefix, its origin AS matches, and the announced prefix length does not exceed that VRP's maxLength. Accept; most operators leave its preference unchanged rather than raising it.
  • Invalid: One or more VRPs cover the prefix, but none matches both the origin AS and the length (wrong origin, or a more-specific beyond maxLength). Common practice is to drop the route; some networks only lower its preference.
  • Not Found: No VRP covers the prefix. Accept as before RPKI (backward compatibility), so a prefix without a ROA is no worse off than today, but also gains no protection.
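The three outcomes above, applied to the ROA/VRP triples from the previous section, as an added Python example (this is illustration code written for this page, not the page's own code or any validator's implementation). It builds a small constructed VRP cache and classifies announcements with the RFC 6811 rules, including the two edge cases operators trip over: a more-specific beyond maxLength is Invalid, while a less-specific that no VRP covers is Not Found. The prefixes and AS numbers are documentation ranges, and the VRP contents are an assumption for illustration; `validate_path` also shows the limitation that ROV only inspects the claimed origin.

```python
"""Route Origin Validation (RFC 6811) over a constructed VRP cache."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from enum import Enum


class RovState(Enum):
    VALID = "valid"
    INVALID = "invalid"
    NOT_FOUND = "not_found"


@dataclass(frozen=True)
class Vrp:
    """Validated ROA Payload: the (prefix, maxLength, origin AS) triple a
    validator hands a router over RTR after checking the ROA signature."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int


def vrp(prefix: str, max_length: int, asn: int) -> Vrp:
    return Vrp(ipaddress.ip_network(prefix), max_length, asn)


# Constructed VRP cache for this example (documentation prefixes and ASNs,
# not real routing data); the contents are an assumption for illustration.
VRPS = [
    vrp("192.0.2.0/24", 24, 64496),     # exact /24 only, AS64496
    vrp("198.51.100.0/24", 24, 64496),  # two ROAs for one prefix:
    vrp("198.51.100.0/24", 24, 64497),  # AS64497 is also authorized (multihoming)
    vrp("203.0.113.0/24", 26, 64498),   # maxLength 26: /24, /25 and /26 allowed
    vrp("2001:db8::/32", 48, 64499),    # IPv6 is handled the same way
]


def covers(v: Vrp, net) -> bool:
    """A VRP covers a route when the announced prefix is equal to or more
    specific than the VRP prefix, in the same address family."""
    return net.version == v.prefix.version and net.subnet_of(v.prefix)


def validate(prefix: str, origin_asn: int, vrps=VRPS) -> RovState:
    """Classify (prefix, origin AS) as Valid, Invalid or NotFound."""
    net = ipaddress.ip_network(prefix)          # strict: host bits must be zero
    covering = [v for v in vrps if covers(v, net)]
    if not covering:
        return RovState.NOT_FOUND               # no ROA at all: treated as pre-RPKI
    for v in covering:
        # AS0 ROAs (RFC 6483) mean "nobody may originate": they never match.
        if v.asn != 0 and v.asn == origin_asn and net.prefixlen <= v.max_length:
            return RovState.VALID               # one matching VRP is enough
    return RovState.INVALID                     # covered, but nothing matches


def validate_path(prefix: str, as_path: list[int], vrps=VRPS) -> RovState:
    """ROV looks only at the rightmost AS of the AS_PATH, the claimed origin.
    It does not authenticate the rest of the path, so an attacker who appends
    the legitimate origin to a path they announce still gets Valid."""
    return validate(prefix, as_path[-1], vrps)


def accept(state: RovState) -> bool:
    """Typical operator policy: drop Invalid, accept Valid and NotFound."""
    return state is not RovState.INVALID


if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                     ("192.0.2.0/24", 64500), ("203.0.113.0/27", 64498),
                     ("203.0.112.0/23", 64498), ("10.0.0.0/8", 64496)]:
        state = validate(pfx, asn)
        print(f"{pfx:18} AS{asn}: {state.value:9} accept={accept(state)}")
    # Forged-origin hijack: AS64666 announces the prefix with the real origin
    # appended to the path. ROV alone cannot tell this from the real route.
    print("forged path:", validate_path("192.0.2.0/24", [64666, 64496]).value)
```

The less-specific case (203.0.112.0/23 against a /24 VRP) matters in practice: a ROA for a more-specific does nothing for an aggregate, so each prefix you announce needs its own covering ROA.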

Adoption Status

As of 2024, roughly half of the prefixes in the global routing table are covered by ROAs, and major networks (AT&T, NTT, Cloudflare, Google, and many IXP route servers) drop RPKI-Invalid routes. This keeps a mis-originated prefix (wrong origin AS, or a more-specific beyond maxLength) from propagating through ROV-enforcing networks, which covers most accidental hijacks. It does not stop a route leak, or a deliberate hijack that keeps the legitimate origin AS at the end of a forged AS_PATH; catching those needs path validation (BGPsec) or ASPA, both still early in deployment.

Checking Your Prefix

You can check whether your prefixes have valid ROAs by running a validator such as Routinator or rpki-client, or through the RIPE NCC's RIPEstat routing widgets (the hosted rpki-validator.ripe.net service was retired in 2021). If you manage IP space, create ROAs through your RIR's portal, keep maxLength equal to the length you announce, and make sure every prefix you actually originate, including more-specifics used for traffic engineering, is covered: once a ROA exists for the aggregate, an uncovered more-specific becomes Invalid rather than Not Found and will be dropped by ROV-enforcing networks.