Resource Public Key Infrastructure (RPKI) is a security framework that is used to match internet resources (such as IP address blocks) to their rightful owners.

In the early days of the internet, the honour system was used. After all, why would anyone want to advertise an IP block that they don’t own?

Unfortunately, there have been several cases of abuse, malicious intent, and even accidental misconfiguration that have caused routing problems on the internet. These cases involved using BGP to redirect traffic to the wrong place.

To address this, RPKI is used to verify that an update is really being advertised by its true owner. It does this in a very similar way to a regular PKI framework.

RPKI makes use of x509 certificates, with RFC 3779 extensions to include IP addresses and AS numbers. The private key is used to sign a block of data (such as an IP block being advertised in BGP), and the public key can then be used to validate the sender.

Of course, if certificates are involved, a CA (Certificate Authority) must be used. The CA can be provided by the AS owner, or they can use their RIR’s CA.

Route Origin Authorization (ROA) is used along with RPKI. It is essentially a statement by the owner of an IP block, stating which AS number is allowed to advertise it, and the most specific network (maximum subnet mask length) that the AS may advertise.

This information is lodged with the owner’s RIR, and signed with the owners private key, allowing RPKI verification.

RPKI and ROA is a more recent initiative to prevent malicious route hijacking, and errors due to human misconfiguration.

Attacks involving the injection of incorrect routes into the internet for the purposes of DDOS (black holing), Spam or Man-In-The-Middle a re partially addressed by Bogon Route Filtering and Routing Policy Databases, but these are not totally effective on their own.

RPKI helps to cover the difference, by making sure that only the righful owner of internet resources are able to control where they are advertised.