Route Origin Validation (ROV):
Organizations can enforce route-origin validation (ROV) [RFC6811, RFC7115] to identify and discard BGP route advertisements that violate ROAs: advertisements whose IP prefix is covered by a ROA but whose origin AS, or whose prefix length, is not authorized by any covering ROA. ROV classifies such a route as Invalid; a route whose prefix is covered by no ROA at all is NotFound and is normally still accepted, because ROA coverage of the address space is partial.
Relying-party software on a local cache machine at the AS periodically fetches resource certificates (RCs) and ROAs from the RPKI repositories and validates the certificate chain from the trust anchors at the root of the RPKI hierarchy down to the ROAs at its leaves.
The ROAs that pass validation yield a whitelist of validated ROA payloads, each a (prefix, maximum prefix length, origin AS) entry, which the BGP routers in that AS pull from the cache periodically using the RPKI-to-Router (RTR) protocol [RFC8210]. The figure below illustrates this typical deployment.
Because all cryptographic work is outsourced to the cache machine, routers can enforce ROV without changes to their hardware or to their BGP message-handling architecture: matching a received route's prefix and origin AS against a list is the kind of filter routers supported long before RPKI existed.
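The check a router applies against that whitelist is the RFC 6811 classification, shown here as an added worked example (not code from the original page). The ROA set and announcements are constructed for illustration from documentation prefixes and AS numbers; the function names `vrp`, `rov_state` and `drop_invalid` are this example's own.

```python
"""Route Origin Validation (RFC 6811) over a set of validated ROA payloads.

Added illustration; the VRPs and routes below are constructed, not data
from any real RPKI repository.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Iterable, List, Tuple, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: one (prefix, maxLength, origin AS) entry of the
    whitelist the cache serves to routers over RTR."""
    prefix: Network
    max_length: int
    asn: int  # AS 0 means "nobody may originate this prefix" (RFC 6483)


def vrp(prefix: str, max_length: int, asn: int) -> VRP:
    """Build a VRP, rejecting a maxLength outside [prefixlen, 32 or 128]."""
    net = ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} not allowed for {net}")
    return VRP(net, max_length, asn)


def covers(v: VRP, route: Network) -> bool:
    """A VRP covers a route if the route prefix lies inside the VRP prefix."""
    return route.version == v.prefix.version and route.subnet_of(v.prefix)


def rov_state(route_prefix: str, origin_asn: int, vrps: Iterable[VRP]) -> str:
    """Classify a route as 'valid', 'invalid' or 'not-found' (RFC 6811, s.2)."""
    route = ip_network(route_prefix, strict=True)
    covering = [v for v in vrps if covers(v, route)]
    if not covering:
        return "not-found"  # no ROA speaks for this prefix; ROV is silent
    for v in covering:
        # "Matched": an authorised origin AS and a prefix no longer than
        # maxLength. AS 0 never matches, so an AS 0 ROA invalidates every
        # announcement of its prefix (RFC 6483).
        if v.asn == origin_asn and v.asn != 0 and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid"  # covered, but no ROA authorises this (prefix, AS) pair


def drop_invalid(routes: Iterable[Tuple[str, int]],
                 vrps: Iterable[VRP]) -> List[Tuple[str, int]]:
    """The usual deployment policy: discard Invalid, keep Valid and NotFound."""
    vrps = list(vrps)
    return [(p, a) for p, a in routes if rov_state(p, a, vrps) != "invalid"]


# Constructed whitelist using documentation prefixes (RFC 5737, RFC 3849)
# and documentation AS numbers (RFC 5398).
EXAMPLE_VRPS = [
    vrp("192.0.2.0/24", 24, 64496),    # only the exact /24, from AS64496
    vrp("192.0.2.0/24", 24, 64499),    # second ROA for the same prefix (multihoming)
    vrp("203.0.113.0/24", 26, 64497),  # AS64497 may deaggregate down to /26
    vrp("2001:db8::/32", 48, 64498),
    vrp("198.51.100.0/24", 24, 0),     # AS 0: this space must not be routed
]

# Constructed announcements as (prefix, origin AS), including a
# more-specific hijack and an origin hijack of a covered prefix.
EXAMPLE_ROUTES = [
    ("192.0.2.0/24", 64496),     # legitimate origin                  -> valid
    ("192.0.2.0/24", 64499),     # second authorised origin           -> valid
    ("192.0.2.0/25", 64496),     # exceeds maxLength, even from 64496 -> invalid
    ("192.0.2.0/24", 64511),     # origin hijack                      -> invalid
    ("203.0.113.64/26", 64497),  # within maxLength                   -> valid
    ("203.0.113.64/27", 64497),  # one bit too long                   -> invalid
    ("2001:db8:1::/48", 64498),  # IPv6 is handled identically        -> valid
    ("198.51.100.0/24", 64511),  # covered by the AS 0 ROA            -> invalid
    ("10.0.0.0/8", 64511),       # no covering ROA                    -> not-found, kept
]

if __name__ == "__main__":
    for prefix, asn in EXAMPLE_ROUTES:
        print(f"{prefix:18} AS{asn:<6} {rov_state(prefix, asn, EXAMPLE_VRPS)}")
    print("accepted:", drop_invalid(EXAMPLE_ROUTES, EXAMPLE_VRPS))
```

Two details matter in practice: the maxLength check is what stops a more-specific hijack by an otherwise authorised origin, and NotFound routes are kept rather than dropped, so ROV protects only prefixes whose holders have actually issued ROAs.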