RPKI and ROA: Securing Your IPv4 Routes
Everything you need to know about Resource Public Key Infrastructure (RPKI) and Route Origin Authorization (ROA), from the concepts to practical implementation.
What is RPKI?
Resource Public Key Infrastructure (RPKI) is a cryptographic framework designed to secure the internet's routing infrastructure. It provides a way to verify that the holder of an IP address block has authorized a specific Autonomous System (AS) to originate routes for that prefix.
Without RPKI, BGP — the protocol that routes traffic across the internet — operates largely on trust. Any AS can announce any IP prefix, potentially redirecting traffic through unauthorized networks. RPKI adds a layer of cryptographic verification to prevent such hijacks.
RPKI was developed by the IETF and is managed by the five Regional Internet Registries (RIRs): RIPE NCC, ARIN, APNIC, LACNIC, and AFRINIC. Each RIR operates as a Certificate Authority (CA) within the RPKI framework.
What is ROA?
A Route Origin Authorization (ROA) is a digitally signed object within the RPKI framework. It specifies which AS number is authorized to announce a particular IP prefix and the maximum prefix length that can be announced.
For example, a ROA might state: "AS64500 is authorized to announce 192.0.2.0/24 with a maximum length of /24." This means only AS64500 can legitimately originate this prefix, and it cannot be announced as more specific prefixes like /25.
ROAs are created by the IP address holder through their RIR's portal and are stored in the RIR's RPKI repository. Network operators then use RPKI validators to check incoming BGP announcements against published ROAs.
How RPKI Works
RPKI operates through a chain of trust anchored at the RIRs. When you receive an IP address allocation or transfer, the RIR issues a resource certificate linking your organization to those IP resources. You can then create ROA objects under this certificate.
Network operators run RPKI validators (such as Routinator, FORT, or rpki-client) that download and verify all ROAs from the RIR repositories. These validators feed the validation results to routers via the RPKI-to-Router (RTR) protocol.
When a BGP route announcement arrives, the router checks it against RPKI validation data. Routes are classified as Valid (matching a ROA), Invalid (conflicting with a ROA), or NotFound (no ROA exists). Operators can then configure policies — commonly accepting Valid routes, rejecting Invalid ones, and allowing NotFound routes.
Valid
The BGP announcement matches a published ROA — correct AS and prefix length. The route is accepted.
Invalid
The announcement conflicts with a ROA — wrong AS or exceeds maximum prefix length. The route should be rejected.
NotFound
No ROA exists for this prefix. The route is accepted by default but lacks cryptographic verification.
Unknown
The validator cannot determine the status, typically due to connectivity issues with RPKI repositories.
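The Valid / Invalid / NotFound classification above is the Route Origin Validation procedure of RFC 6811. The following added example (written for this page, not ipv4.center's or any validator's code) implements it over a constructed ROA set that includes the article's AS64500 / 192.0.2.0/24 ROA, an AS0 ROA, and a maxLength larger than the ROA prefix; "Unknown" is a validator connectivity condition and is not an output of this logic.

```python
# Added example: Route Origin Validation (RFC 6811) over a constructed ROA set.
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: prefix, maxLength, authorized ASN."""
    prefix: str
    max_length: int
    asn: int  # ASN 0 means no AS may originate this prefix (RFC 6483)

    def __post_init__(self):
        net = ip_network(self.prefix, strict=True)
        if not net.prefixlen <= self.max_length <= net.max_prefixlen:
            raise ValueError(f"maxLength {self.max_length} out of range for {self.prefix}")


def validate_origin(route_prefix: str, origin_asn: int, roas) -> str:
    """Classify a BGP announcement as 'Valid', 'Invalid' or 'NotFound'."""
    route = ip_network(route_prefix, strict=True)
    covered = False
    for roa in roas:
        roa_net = ip_network(roa.prefix, strict=True)
        # A ROA covers the route only if the route lies inside the ROA prefix.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Valid requires the authorized origin AS and a length within maxLength.
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid" if covered else "NotFound"


def policy_action(state: str) -> str:
    """Common operator policy from the text: accept Valid and NotFound, reject Invalid."""
    return "reject" if state == "Invalid" else "accept"


# Constructed ROA set (documentation prefixes and ASNs, not real allocations).
SAMPLE_ROAS = (
    ROA("192.0.2.0/24", 24, 64500),     # the ROA used as the article's example
    ROA("198.51.100.0/22", 24, 64496),  # permits /22 through /24 from AS64496
    ROA("203.0.113.0/24", 24, 0),       # AS0 ROA: nobody may originate this
)

if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/25", 64500),
                        ("192.0.2.0/24", 64496), ("198.51.100.0/23", 64496),
                        ("203.0.113.0/24", 64500), ("2001:db8::/32", 64500)]:
        state = validate_origin(prefix, asn, SAMPLE_ROAS)
        print(f"{prefix:18} AS{asn:<6} {state:8} -> {policy_action(state)}")
```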
Creating ROA Records
Creating ROA records is straightforward and can be done through your RIR's member portal. The process varies slightly between RIRs but follows the same general steps.
For RIPE NCC, log into the LIR Portal, navigate to the "RPKI" section, select the prefix you want to protect, specify the authorized AS number and maximum prefix length, and publish the ROA. RIPE also offers a "one-click RPKI" feature that automatically creates ROAs based on existing route objects.
For ARIN, use the ARIN Online portal to access the RPKI section. You can create ROAs for your resources and manage your RPKI certificates. ARIN provides both hosted and delegated RPKI options.
For APNIC, the MyAPNIC portal includes RPKI management tools. You can create ROAs for your IP resources and monitor their status through the dashboard.
RIPE NCC
LIR Portal → RPKI → Create ROA. Supports one-click ROA creation from existing route objects. Instant publication.
ARIN
ARIN Online → RPKI → Create ROA. Offers both hosted and delegated RPKI. Publication within minutes.
APNIC
MyAPNIC → RPKI → Create ROA. Integrated dashboard for monitoring ROA status and coverage.
LACNIC / AFRINIC
Similar portal-based ROA creation. Check respective RIR documentation for specific steps and features.
RPKI Validation
RPKI validation is performed by dedicated software called validators. These tools download the complete set of RPKI data from all five RIR repositories, verify the cryptographic signatures, and build a validated cache of Route Origin Authorizations.
Popular open-source validators include Routinator (by NLnet Labs), FORT Validator, rpki-client (by OpenBSD), and OctoRPKI (by Cloudflare). These validators serve validated data to routers via the RTR protocol.
Major network operators and cloud providers — including Cloudflare, Google, Amazon AWS, and Microsoft Azure — have deployed RPKI validation and reject Invalid routes. As adoption grows, having proper ROA records becomes increasingly important to ensure your prefixes are reachable globally.
Why RPKI Matters for IPv4 Transfers
When you purchase or lease IPv4 addresses, setting up RPKI and ROA records is one of the first things you should do. Without ROA records, your newly acquired prefixes lack cryptographic origin validation, making them more susceptible to accidental or intentional hijacking.
Additionally, as more networks adopt RPKI-based route filtering, prefixes without valid ROA records may experience reduced reachability. Some networks already prefer or require RPKI-valid routes, and this trend is accelerating.
At ipv4.center, we assist our clients with RPKI setup after every IPv4 transfer. Whether you're buying or leasing IPv4 space, our team helps you create the appropriate ROA records and verify that your prefixes are properly protected.
Route Protection
ROA records prevent unauthorized parties from hijacking your IPv4 prefixes via BGP, protecting your traffic and reputation.
Global Reachability
As RPKI adoption grows, valid ROA records ensure your prefixes remain reachable across all major networks worldwide.
Compliance
Many enterprise customers and government networks require RPKI-valid routes. ROA records help meet these compliance requirements.
Transfer Readiness
After an IPv4 transfer, creating ROA records is essential before announcing the prefix. ipv4.center helps with this process.
Frequently Asked Questions
Common questions about RPKI and ROA for IPv4 address holders.
Without ROA records, your prefix has an RPKI status of "NotFound". While most networks still accept NotFound routes, your prefix is not protected against BGP hijacking. As RPKI adoption grows, some networks may deprioritize or filter NotFound routes.
ROA records typically propagate within 15 to 30 minutes of their creation. RPKI validators refresh their caches periodically (usually every 10 to 20 minutes), so global visibility is reached quickly.
It depends on the lease agreement. In most cases, the IP holder (lessor) creates the ROA on your behalf, authorizing your AS number. At ipv4.center, we handle ROA creation for all leased prefixes as part of our service.
RPKI secures BGP routing by validating which AS may announce an IP prefix. DNSSEC secures DNS by ensuring that DNS responses have not been tampered with. They protect different layers of the Internet infrastructure, but both rely on cryptographic signatures.
RPKI with ROA prevents origin hijacking (an unauthorized AS announcing your prefix). However, it does not prevent path manipulation attacks. BGPsec, an extension of RPKI, addresses path security, but its deployment is limited.
RPKI is not mandatory at any RIR, but its adoption is strongly encouraged. Large networks such as Cloudflare, Google and AWS already reject RPKI-invalid routes. The industry is moving toward universal RPKI deployment for a safer Internet.