Route Origin Authorization (ROA):
RPKI stores Route Origin Authorizations (ROAs), records that bind an IP address block to the AS that is allowed to advertise it in BGP.
ROAs are signed by an organization holding a Resource Certificate (RC) for the IP address block. BGP routers can use them to perform Route-Origin Validation (ROV) [RFC7115], that is, to identify and discard "invalid" BGP route advertisements from unauthorized ASes, thus protecting against IP prefix hijacking.
The figure below shows that Deutsche Telekom used its RC to issue a ROA so as to protect its IP prefix against hijacking.



