Guide

RPKI & ROA: Securing Your IPv4 Routes

Everything you need to know about Resource Public Key Infrastructure (RPKI) and Route Origin Authorization (ROA), from the concepts to practical implementation.

What is RPKI?

Resource Public Key Infrastructure (RPKI) is a cryptographic framework designed to secure the internet's routing infrastructure. It provides a way to verify that the holder of an IP address block has authorized a specific Autonomous System (AS) to originate routes for that prefix.

Without RPKI, BGP — the protocol that routes traffic across the internet — operates largely on trust. Any AS can announce any IP prefix, potentially redirecting traffic through unauthorized networks. RPKI adds a layer of cryptographic verification to prevent such hijacks.

RPKI was developed by the IETF and is managed by the five Regional Internet Registries (RIRs): RIPE NCC, ARIN, APNIC, LACNIC, and AFRINIC. Each RIR operates as a Certificate Authority (CA) within the RPKI framework.

What is ROA?

A Route Origin Authorization (ROA) is a digitally signed object within the RPKI framework. It specifies which AS number is authorized to announce a particular IP prefix and the maximum prefix length that can be announced.

For example, a ROA might state: "AS64500 is authorized to announce 192.0.2.0/24 with a maximum length of /24." This means only AS64500 can legitimately originate this prefix, and it cannot be announced as more specific prefixes like /25.

ROAs are created by the IP address holder through their RIR's portal and are stored in the RIR's RPKI repository. Network operators then use RPKI validators to check incoming BGP announcements against published ROAs.

How RPKI Works

RPKI operates through a chain of trust anchored at the RIRs. When you receive an IP address allocation or transfer, the RIR issues a resource certificate linking your organization to those IP resources. You can then create ROA objects under this certificate.

Network operators run RPKI validators (such as Routinator, FORT, or rpki-client) that download and verify all ROAs from the RIR repositories. These validators feed the validation results to routers via the RPKI-to-Router (RTR) protocol.

When a BGP route announcement arrives, the router checks it against RPKI validation data. Routes are classified as Valid (matching a ROA), Invalid (conflicting with a ROA), or NotFound (no ROA exists). Operators can then configure policies — commonly accepting Valid routes, rejecting Invalid ones, and allowing NotFound routes.

Valid

The BGP announcement matches a published ROA — correct AS and prefix length. The route is accepted.

Invalid

The announcement conflicts with a ROA — wrong AS or exceeds maximum prefix length. The route should be rejected.

NotFound

No ROA exists for this prefix. The route is accepted by default but lacks cryptographic verification.

Unknown

The validator cannot determine the status, typically due to connectivity issues with RPKI repositories.
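The classification above is Route Origin Validation as defined in RFC 6811. The following is an added example, not code from ipv4.center or from any of the validators named on this page: it applies that logic to a constructed ROA set built around the page's own example (AS64500, 192.0.2.0/24, maximum length /24) plus a constructed AS0 ROA, and shows how the right AS with a too-specific prefix, a wrong origin AS, and an uncovered prefix each come out.

```python
"""Route Origin Validation (RFC 6811) against a small, constructed set of ROA entries."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: ipaddress.IPv4Network  # address block the ROA covers
    max_length: int                # longest prefix length that may be announced
    asn: int                       # authorized origin AS; 0 means "nobody may announce"


def validate(prefix: ipaddress.IPv4Network, origin_asn: int, roas: list[Roa]) -> str:
    """Return 'Valid', 'Invalid' or 'NotFound' for one BGP announcement."""
    # A ROA covers the route when the announced prefix lies inside the ROA prefix.
    covering = [r for r in roas if prefix.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"  # no ROA says anything about this address space
    for roa in covering:
        # AS0 ROAs match no origin, so space covered only by AS0 is always Invalid.
        if roa.asn != 0 and roa.asn == origin_asn and prefix.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"  # covered, but wrong origin AS or more specific than maxLength


def classify(prefix: str, origin_asn: int, roas: list[Roa]) -> str:
    """Convenience wrapper taking the prefix as a string."""
    return validate(ipaddress.ip_network(prefix), origin_asn, roas)


# Constructed ROA set: the page's example (AS64500 may announce 192.0.2.0/24, maxLength 24)
# plus an AS0 ROA stating that 203.0.113.0/24 must not be announced by anyone.
ROAS = [
    Roa(ipaddress.ip_network("192.0.2.0/24"), 24, 64500),
    Roa(ipaddress.ip_network("203.0.113.0/24"), 24, 0),
]

# Constructed announcements, as a router would evaluate them against RTR-fed data.
SAMPLE_ROUTES = [
    ("192.0.2.0/24", 64500),     # exactly what the ROA authorizes -> Valid
    ("192.0.2.0/25", 64500),     # right AS but exceeds maxLength -> Invalid
    ("192.0.2.0/24", 64501),     # wrong origin AS (hijack or typo) -> Invalid
    ("203.0.113.0/24", 64500),   # only an AS0 ROA covers it -> Invalid
    ("198.51.100.0/24", 64500),  # no ROA at all -> NotFound
]

if __name__ == "__main__":
    for prefix, asn in SAMPLE_ROUTES:
        print(f"{prefix} originated by AS{asn}: {classify(prefix, asn, ROAS)}")
```

The "Unknown" state listed above describes validator availability rather than an outcome of comparing a route with ROAs, so it is not modelled here.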

Creating ROA Records

Creating ROA records is straightforward and can be done through your RIR's member portal. The process varies slightly between RIRs but follows the same general steps.

For RIPE NCC, log into the LIR Portal, navigate to the "RPKI" section, select the prefix you want to protect, specify the authorized AS number and maximum prefix length, and publish the ROA. RIPE NCC also offers a "one-click RPKI" feature that automatically creates ROAs based on existing route objects.

For ARIN, use the ARIN Online portal to access the RPKI section. You can create ROAs for your resources and manage your RPKI certificates. ARIN provides both hosted and delegated RPKI options.

For APNIC, the MyAPNIC portal includes RPKI management tools. You can create ROAs for your IP resources and monitor their status through the dashboard.

RIPE NCC

LIR Portal → RPKI → Create ROA. Supports one-click ROA creation from existing route objects. Instant publication.

ARIN

ARIN Online → RPKI → Create ROA. Offers both hosted and delegated RPKI. Publication within minutes.

APNIC

MyAPNIC → RPKI → Create ROA. Integrated dashboard for monitoring ROA status and coverage.

LACNIC / AFRINIC

Similar portal-based ROA creation. Check respective RIR documentation for specific steps and features.

RPKI Validation

RPKI validation is performed by dedicated software called validators. These tools download the complete set of RPKI data from all five RIR repositories, verify the cryptographic signatures, and build a validated cache of Route Origin Authorizations.

Popular open-source validators include Routinator (by NLnet Labs), FORT Validator, rpki-client (by OpenBSD), and OctoRPKI (by Cloudflare). These validators serve validated data to routers via the RTR protocol.

Major network operators and cloud providers — including Cloudflare, Google, Amazon AWS, and Microsoft Azure — have deployed RPKI validation and reject Invalid routes. As adoption grows, having proper ROA records becomes increasingly important to ensure your prefixes are reachable globally.

Why RPKI Matters for IPv4 Transfers

When you purchase or lease IPv4 addresses, setting up RPKI and ROA records is one of the first things you should do. Without ROA records, your newly acquired prefixes lack cryptographic origin validation, making them more susceptible to accidental or intentional hijacking.

Additionally, as more networks adopt RPKI-based route filtering, prefixes without valid ROA records may experience reduced reachability. Some networks already prefer or require RPKI-valid routes, and this trend is accelerating.

At ipv4.center, we assist our clients with RPKI setup after every IPv4 transfer. Whether you're buying or leasing IPv4 space, our team helps you create the appropriate ROA records and verify that your prefixes are properly protected.

Route Protection

ROA records prevent unauthorized parties from hijacking your IPv4 prefixes via BGP, protecting your traffic and reputation.

Global Reachability

As RPKI adoption grows, valid ROA records ensure your prefixes remain reachable across all major networks worldwide.

Compliance

Many enterprise customers and government networks require RPKI-valid routes. ROA records help meet these compliance requirements.

Transfer Readiness

After an IPv4 transfer, creating ROA records is essential before announcing the prefix. ipv4.center helps with this process.

Frequently Asked Questions

Common questions about RPKI and ROA for IPv4 address holders.

Without ROA records, your prefix has the RPKI status "NotFound". Although most networks still accept NotFound routes, your prefix is not protected against BGP hijacking. As RPKI adoption increases, some networks may deprioritize or filter NotFound routes.

ROA records typically propagate within 15–30 minutes of creation. RPKI validators refresh their caches periodically (usually every 10–20 minutes), so global visibility is reached quickly.

That depends on the leasing agreement. In most cases, the IP holder (lessor) creates the ROA on your behalf and authorizes your AS number. At ipv4.center, we take care of ROA creation for all leased prefixes as part of our service.

RPKI secures BGP routing by validating which AS may announce an IP prefix. DNSSEC secures DNS by ensuring that DNS responses have not been tampered with. They protect different layers of the internet infrastructure, but both use cryptographic signatures.

RPKI with ROA prevents origin hijacking (an unauthorized AS announcing your prefix). It does not, however, prevent path manipulation attacks. BGPsec, an extension of RPKI, addresses path security but has only limited deployment.

RPKI is not mandatory at any RIR, but it is strongly recommended. Large networks such as Cloudflare, Google, and AWS already reject RPKI-invalid routes. The industry is moving toward universal RPKI deployment for a more secure internet.

Need help with RPKI setup?

Whether you buy or lease IPv4 addresses, our team helps you configure RPKI and ROA records to protect your address space from day one.