RPKI & ROA: Securing Your IPv4 Routes
Everything you need to know about Resource Public Key Infrastructure (RPKI) and Route Origin Authorization (ROA) — from concepts to practical implementation. A guide by IPv4Center.
What is RPKI?
Resource Public Key Infrastructure (RPKI) is a cryptographic framework designed to secure the internet's routing infrastructure. It provides a way to verify that the holder of an IP address block has authorized a specific Autonomous System (AS) to originate routes for that prefix.
Without RPKI, BGP — the protocol that routes traffic across the internet — operates largely on trust. Any AS can announce any IP prefix, potentially redirecting traffic through unauthorized networks. RPKI adds a layer of cryptographic verification to prevent such hijacks.
RPKI was developed by the IETF and is managed by the five Regional Internet Registries (RIRs): RIPE NCC, ARIN, APNIC, LACNIC, and AFRINIC. Each RIR operates as a Certificate Authority (CA) within the RPKI framework.
What is ROA?
A Route Origin Authorization (ROA) is a digitally signed object within the RPKI framework. It specifies which AS number is authorized to announce a particular IP prefix and the maximum prefix length that can be announced.
For example, a ROA might state: "AS64500 is authorized to announce 192.0.2.0/24 with a maximum length of /24." This means only AS64500 can legitimately originate this prefix, and it cannot be announced as more specific prefixes like /25.
ROAs are created by the IP address holder through their RIR's portal and are stored in the RIR's RPKI repository. Network operators then use RPKI validators to check incoming BGP announcements against published ROAs.
How RPKI Works
RPKI operates through a chain of trust anchored at the RIRs. When you receive an IP address allocation or transfer, the RIR issues a resource certificate linking your organization to those IP resources. You can then create ROA objects under this certificate.
Network operators run RPKI validators (such as Routinator, FORT, or rpki-client) that download and verify all ROAs from the RIR repositories. These validators feed the validation results to routers via the RPKI-to-Router (RTR) protocol.
When a BGP route announcement arrives, the router checks it against RPKI validation data. Routes are classified as Valid (matching a ROA), Invalid (conflicting with a ROA), or NotFound (no ROA exists). Operators can then configure policies — commonly accepting Valid routes, rejecting Invalid ones, and allowing NotFound routes.
Valid
The BGP announcement matches a published ROA — correct AS and prefix length. The route is accepted.
Invalid
The announcement conflicts with a ROA — wrong AS or exceeds maximum prefix length. The route should be rejected.
NotFound
No ROA exists for this prefix. The route is accepted by default but lacks cryptographic verification.
Unknown
The validator cannot determine the status, typically due to connectivity issues with RPKI repositories.
Creating ROA Records
Creating ROA records is straightforward and can be done through your RIR's member portal. The process varies slightly between RIRs but follows the same general steps.
For RIPE NCC, log into the LIR Portal, navigate to the "RPKI" section, select the prefix you want to protect, specify the authorized AS number and maximum prefix length, and publish the ROA. RIPE also offers a "one-click RPKI" feature that automatically creates ROAs based on existing route objects.
For ARIN, use the ARIN Online portal to access the RPKI section. You can create ROAs for your resources and manage your RPKI certificates. ARIN provides both hosted and delegated RPKI options.
For APNIC, the MyAPNIC portal includes RPKI management tools. You can create ROAs for your IP resources and monitor their status through the dashboard.
RIPE NCC
LIR Portal → RPKI → Create ROA. Supports one-click ROA creation from existing route objects. Instant publication.
ARIN
ARIN Online → RPKI → Create ROA. Offers both hosted and delegated RPKI. Publication within minutes.
APNIC
MyAPNIC → RPKI → Create ROA. Integrated dashboard for monitoring ROA status and coverage.
LACNIC / AFRINIC
Similar portal-based ROA creation. Check respective RIR documentation for specific steps and features.
RPKI Validation
RPKI validation is performed by dedicated software called validators. These tools download the complete set of RPKI data from all five RIR repositories, verify the cryptographic signatures, and build a validated cache of Route Origin Authorizations.
Popular open-source validators include Routinator (by NLnet Labs), FORT Validator, rpki-client (by OpenBSD), and OctoRPKI (by Cloudflare). These validators serve validated data to routers via the RTR protocol.
Major network operators and cloud providers — including Cloudflare, Google, Amazon AWS, and Microsoft Azure — have deployed RPKI validation and reject Invalid routes. As adoption grows, having proper ROA records becomes increasingly important to ensure your prefixes are reachable globally.
Why RPKI Matters for IPv4 Transfers
When you purchase or lease IPv4 addresses, setting up RPKI and ROA records is one of the first things you should do. Without ROA records, your newly acquired prefixes lack cryptographic origin validation, making them more susceptible to accidental or intentional hijacking.
Additionally, as more networks adopt RPKI-based route filtering, prefixes without valid ROA records may experience reduced reachability. Some networks already prefer or require RPKI-valid routes, and this trend is accelerating.
At IPv4Center.com, we assist our clients with RPKI setup after every IPv4 transfer. Whether you're buying or leasing IPv4 space, our team helps you create the appropriate ROA records and verify that your prefixes are properly protected.
Route Protection
ROA records prevent unauthorized parties from hijacking your IPv4 prefixes via BGP, protecting your traffic and reputation.
Global Reachability
As RPKI adoption grows, valid ROA records ensure your prefixes remain reachable across all major networks worldwide.
Compliance
Many enterprise customers and government networks require RPKI-valid routes. ROA records help meet these compliance requirements.
Transfer Readiness
After an IPv4 transfer, creating ROA records is essential before announcing the prefix. IPv4Center.com helps with this process.
ROA Coordination During a Transfer
An IPv4 transfer is the moment when RPKI mistakes are most common. If the seller's old ROA remains published while the buyer announces the prefix from a new ASN, the announcement is classified as RPKI-Invalid and will be rejected by major networks — effectively taking the prefix offline for a large part of the internet.
The correct sequence is: the seller removes existing ROAs shortly before the transfer is approved; the registry moves the resources to the buyer's account; the buyer immediately creates new ROAs for their own ASN; and only then is the prefix announced via BGP. During the transition window, both parties should coordinate timing to minimise the period without ROA coverage.
When you purchase or lease IPv4 addresses through IPv4Center, our team coordinates this handover as part of the transfer process, so the prefix is never announced in an Invalid state.
Step 1 — Seller Removes ROAs
Existing ROA records are deleted from the seller's RIR portal before the transfer completes.
Step 2 — Transfer Completes
The RIR moves the resources to the buyer's account and issues a new resource certificate.
Step 3 — Buyer Creates ROAs
The buyer publishes new ROAs authorising their ASN, with appropriate maximum prefix length.
Step 4 — Announce via BGP
Once validators have picked up the new ROAs (15–30 minutes), the prefix is announced safely as RPKI-Valid.
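The Valid / Invalid / NotFound classification described under "How RPKI Works" and the pre-announcement check implied by Step 4 above, as an added Python example (not code from IPv4Center or from any validator). It assumes a VRP cache exported as CSV in the ASN, IP Prefix, Max Length, Trust Anchor column layout that Routinator and rpki-client use; the sample rows, ASNs and prefixes are constructed for illustration.

```python
import csv
import ipaddress
from io import StringIO

# Constructed sample VRP cache (not real data). Columns follow the layout that
# Routinator and rpki-client use for CSV export: ASN, IP Prefix, Max Length, TA.
# AS64510 plays a hypothetical seller that has not yet removed its ROA.
SAMPLE_VRPS_CSV = """ASN,IP Prefix,Max Length,Trust Anchor
AS64500,192.0.2.0/24,24,ripe
AS64496,198.51.100.0/22,24,arin
AS64510,203.0.113.0/24,24,lacnic
"""

def load_vrps(text):
    """Parse VRP rows into (asn, network, max_length) tuples."""
    vrps = []
    for row in csv.DictReader(StringIO(text)):
        asn = int(row["ASN"].strip().upper().removeprefix("AS"))
        net = ipaddress.ip_network(row["IP Prefix"].strip(), strict=True)
        vrps.append((asn, net, int(row["Max Length"])))
    return vrps

def covering_vrps(net, vrps):
    """VRPs whose prefix contains the announced prefix (same address family)."""
    return [v for v in vrps if v[1].version == net.version and net.subnet_of(v[1])]

def validate(prefix, origin_asn, vrps):
    """RFC 6811 origin validation: returns Valid, Invalid or NotFound."""
    net = ipaddress.ip_network(prefix, strict=True)
    covering = covering_vrps(net, vrps)
    if not covering:
        return "NotFound"
    # A single matching VRP (right ASN, announced length within max length) suffices.
    for asn, _, maxlen in covering:
        if asn == origin_asn and net.prefixlen <= maxlen:
            return "Valid"
    return "Invalid"

def pre_announce_check(prefix, buyer_asn, vrps):
    """Handover check before Step 4: what status would the buyer's announcement
    get, and which other ASNs (for example the seller's) still have ROAs
    covering the prefix?"""
    net = ipaddress.ip_network(prefix, strict=True)
    others = sorted({asn for asn, _, _ in covering_vrps(net, vrps) if asn != buyer_asn})
    return {"status": validate(prefix, buyer_asn, vrps), "other_asns": others}

if __name__ == "__main__":
    vrps = load_vrps(SAMPLE_VRPS_CSV)
    print(validate("192.0.2.0/25", 64500, vrps))              # Invalid: exceeds max length
    print(pre_announce_check("203.0.113.0/24", 64511, vrps))  # Invalid, seller ROA still live
    vrps.append((64511, ipaddress.ip_network("203.0.113.0/24"), 24))  # buyer publishes ROA
    print(pre_announce_check("203.0.113.0/24", 64511, vrps))  # Valid, seller ROA still listed
```

Running the check against a fresh validator export before Step 4 confirms the buyer's ROA has actually propagated; a non-empty other_asns list means a stale ROA still authorises someone else to originate the prefix.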
Frequently Asked Questions
Common questions about RPKI and ROA for IPv4 address holders.
Without ROA records, your prefix has a "NotFound" RPKI status. While most networks still accept NotFound routes, your prefix is unprotected against BGP hijacking. As RPKI adoption increases, some networks may deprioritize or filter NotFound routes.
ROA records typically propagate within 15–30 minutes after creation. RPKI validators refresh their caches periodically (usually every 10–20 minutes), so global visibility is achieved quickly.
This depends on the leasing arrangement. In most cases, the IP holder (lessor) creates the ROA on your behalf, authorizing your ASN. At IPv4Center.com, we handle ROA creation for all leased prefixes as part of our service.
RPKI secures BGP routing by validating which AS can originate an IP prefix. DNSSEC secures DNS by ensuring DNS responses haven't been tampered with. They protect different layers of internet infrastructure but both use cryptographic signatures.
RPKI with ROA prevents origin hijacking (unauthorized AS announcing your prefix). However, it does not prevent path manipulation attacks. BGPsec, an extension of RPKI, addresses path security but has limited deployment.
RPKI is not mandatory by any RIR, but adoption is strongly encouraged. Major networks like Cloudflare, Google, and AWS already reject RPKI-invalid routes. The industry is moving toward universal RPKI deployment for a more secure internet.
Need Help Setting Up RPKI?
Whether you're buying or leasing IPv4 addresses, browse our marketplace, and our team will help you configure RPKI and ROA records to protect your address space from day one.