
RPKI management

Resource Public Key Infrastructure (RPKI) is a framework used to secure the Border Gateway Protocol (BGP), which is responsible for routing internet traffic between autonomous systems (ASes). RPKI helps prevent route hijacking and other BGP-related security issues by allowing network operators to cryptographically verify the legitimacy of routing announcements. This is achieved by using digital certificates to associate IP address prefixes with specific ASes, thereby enhancing the trustworthiness of BGP route advertisements.

RPKI management involves several key aspects:

Route Origin Validation (ROV)

RPKI provides a mechanism to verify whether a BGP route announcement is authorized by the legitimate owner of the IP address space. This is done by using signed Route Origin Authorizations (ROAs) that specify which AS is allowed to announce routes for a given IP prefix.

Certificate Authority (CA) Infrastructure

RPKI relies on a hierarchical structure of Certificate Authorities. These CAs issue certificates and sign ROAs. The CA hierarchy starts with a root CA, which signs subordinate CA certificates. These subordinate CAs, in turn, issue certificates and ROAs to individual ASes or networks.

Repository System

RPKI uses a repository system to store and distribute the cryptographic material, including certificates and signed ROAs. Network operators can query these repositories to retrieve the necessary data for ROV.

RPKI Validator

Network operators deploy RPKI validators that use the cryptographic information from the repositories to validate BGP route announcements. The validator checks whether the origin AS matches a valid ROA covering the announced prefix (and that the announced prefix is no longer than the ROA's maxLength). If a covering ROA authorizes that origin, the route is considered legitimate; if covering ROAs exist but none matches, it is flagged as invalid and potentially unauthorized. A prefix with no covering ROA at all is simply "not found" rather than invalid, which is why operators usually still accept such routes.
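The origin check described in the ROV and RPKI Validator sections, as an added example (not code from any real validator): a small Python implementation of the RFC 6811 decision over a constructed ROA set using documentation prefixes and private-use ASNs, which also shows the AS 0 case and the valid/invalid/notfound distinction.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: prefix, maxLength and authorized ASN."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample ROA set (documentation prefixes, not real registry data).
# AS 0 is the RPKI convention for "no AS may originate this prefix".
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),
    ROA("2001:db8::/32", 48, 64496),
    ROA("203.0.113.0/24", 24, 0),
]


def validate_origin(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Classify one BGP announcement as 'valid', 'invalid' or 'notfound'.

    A ROA covers the announcement when the ROA prefix contains the announced
    prefix. The announcement is valid if some covering ROA names the origin AS
    and the announced prefix length does not exceed that ROA's maxLength.
    Covering ROAs that all fail to match make it invalid; no covering ROA at
    all yields notfound, which operators normally still accept.
    """
    announced = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=True)
        if roa_net.version != announced.version or not announced.subnet_of(roa_net):
            continue
        covered = True
        # An AS 0 ROA can never match a real origin, so it only ever invalidates.
        if roa.asn == origin_asn and roa.asn != 0 and announced.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "notfound"


if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                     ("198.51.100.0/23", 64497), ("203.0.113.0/24", 64500),
                     ("100.64.0.0/10", 64496)]:
        print(f"{pfx} from AS{asn}: {validate_origin(pfx, asn)}")
```

A production validator applies the same decision, but obtains its ROA set from the repositories and pushes the results to routers rather than evaluating announcements itself.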

ROA Management

Network operators need to create and manage ROAs to specify which ASes are allowed to originate routes for their IP prefixes. They also need to periodically update and revoke ROAs as network configurations change.

Key Rollover

Just like any cryptographic system, RPKI requires key rollover to maintain security. This involves replacing old keys and certificates with new ones while ensuring the continuity of secure operations.

Deployment and Configuration

Implementing RPKI involves configuring the RPKI validators, connecting to the appropriate repositories, and integrating RPKI data into the BGP routing process.

Monitoring and Reporting

Network operators should regularly monitor the status of RPKI validation and receive notifications about invalid or potentially hijacked routes.
