RPKI & ROAs – What You Need to Know and Do
by Leo Vegoda

The Network Structure
Independent networks identify themselves to one another with unique Autonomous System Numbers (ASNs). The IP addresses on a network identify the individual devices on it. These two types of number are what get data to the right place on the internet: an address says where a packet should go, and an ASN says which network is responsible for the addresses it announces. Every publicly reachable node is uniquely identified.
For packets to reach those nodes, networks must know the paths to other networks and the addresses they contain. So networks “announce” their addresses to neighbouring networks using BGP, and publish their intentions in public databases so that other networks can identify mistakes and protect against them. These databases are shared resources.
The Problem RPKI Solves
Sometimes people configure the wrong IP addresses on their network and tell other networks on the internet that they are a legitimate destination for those addresses. Traffic for those addresses is then sent to the wrong place. RPKI, the Resource Public Key Infrastructure, is a technology that associates digital certificates with IP addresses and AS Numbers. It helps reduce the impact of this kind of accidental misconfiguration, and it raises the bar for deliberate hijacks of the same shape, although it does not stop all of them. RPKI is the name for the whole set of services: a variety of digital objects are created, published, and validated within it.
One of these is a Route Origin Authorization (ROA). A ROA is an object, signed under a certificate in the RPKI hierarchy, in which the holder of a block of IP addresses states which ASN is authorised to originate announcements for it and, through a “maxLength” field, how specific those announcements may be. Other networks use ROAs when deciding which routing announcements to accept.
In a similar but distinct use case, cloud providers offering Bring Your Own IP (BYOIP) services often check the ROA to confirm that a customer bringing their own IP addresses is entitled to use them.
RPKI is both more and less than the Internet Routing Registry (IRR). The IRR is a collection of 18 databases where networks can publish policies of the addresses they use and where they use them. They can publish large, complex policies in the Routing Policy Specification Language (RPSL).
Most IRR databases validate user claims to some extent and remove outdated entries. But policies published in the IRR are claims or promises: for instance, a statement that your ASN announces a specific block of IP addresses in one place and not another. RPSL supports complex policies, and it is easy to make a mistake or miss a detail when changing one. In contrast, the claims made in a ROA can be cryptographically verified or rejected, because they sit under a hierarchy of digital certificates that follows the allocation of the addresses themselves. But ROAs are simple claims without the policy detail available in the IRR.
Creating an ROA
A ROA is a signed object that ties a block of IP addresses to an AS Number. AS Numbers identify networks in a similar way to how an IP address identifies a device. The ROA is the object confirming that a network may originate routes for some addresses.
If you have a contract with a Regional Internet Registry (RIR) for your IP addresses, you can use its RPKI service. All the RIRs have web portals (their “hosted” RPKI service) that let you create and publish ROAs. You can also have the RIRs delegate RPKI management to you. That means running your own Certification Authority, which is a significant commitment. This is useful if you have resources from more than one RIR. For instance, you might have an AS Number from RIPE NCC but IP addresses from RIPE NCC and ARIN.
If you don’t have a contract, or if you got your IP addresses from a network that received them before the RIRs were formed (so-called legacy resources), you might not have access to RPKI services.
Valid, Unknown, and Invalid
RPKI ROAs are not consulted directly by routers as announcements change. Instead, a network runs relying-party software (a validator) that fetches the ROAs from the RIR repositories on a schedule, checks their signatures against the certificate hierarchy, and reduces them to a simple list of prefix, maximum length and origin ASN. Networks then either feed that list to their routers, through the RPKI-to-Router protocol, so that each announcement’s origin is checked against it, or use it alongside other information to build prefix filters that are regenerated on a schedule, often once every day.
In the context of RPKI, an internet route can have only one of three statuses. If no ROA covers the route, its status is unknown (the RFC term is “NotFound”). This is not bad, and it is likely to be the status of newly created networks that are getting themselves up and running. Routes with an unknown status do not need to be rejected.
Routes whose prefix and origin ASN match a ROA are valid. Routes that are covered by a ROA but do not match it, for instance because the addresses are originated from the wrong ASN or because the announcement is more specific than the ROA’s maxLength allows, are invalid. Note that this check looks only at the origin: a valid status means the announced origin is authorised, not that the path the announcement arrived on is genuine.
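The three statuses above, as an added worked example that is not code from the article or from any RIR or validator: a small Python implementation of the origin-validation test a validator or router applies to each announcement, run against a constructed list of ROA payloads built from documentation prefixes and private-use ASNs. The function and variable names are this example’s own. It is the same check you can run against your own announcements before publishing a ROA, and the 198.51.100.0/22 entry shows the maxLength caveat: a ROA that permits more-specifics also validates a more-specific announced by anyone who forges the authorised origin AS.

```python
"""
Route Origin Validation over a list of Validated ROA Payloads (VRPs).

Added example, not code from the article. The VRPs and routes below are
constructed from documentation prefixes (192.0.2.0/24, 198.51.100.0/22,
203.0.113.0/24, 2001:db8::/32) and private-use ASNs (64496-64511); the
names validate_origin, VRP and VRPS are this example's own.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    """What a validator hands to a router: prefix, maxLength, origin ASN."""
    prefix: IPNetwork
    max_length: int
    asn: int


def vrp(prefix: str, asn: int, max_length: Optional[int] = None) -> VRP:
    """Build a VRP; maxLength defaults to the prefix length (the safe choice)."""
    net = ipaddress.ip_network(prefix, strict=True)
    return VRP(net, net.prefixlen if max_length is None else max_length, asn)


def covers(v: VRP, route: IPNetwork) -> bool:
    """A VRP covers a route when the route lies inside the VRP's prefix."""
    return route.version == v.prefix.version and route.subnet_of(v.prefix)


def matches(v: VRP, route: IPNetwork, origin_asn: int) -> bool:
    """A covering VRP matches when the route is no more specific than
    maxLength and the origin ASN is the authorised one. AS 0 in a ROA
    means 'nobody may originate this', so it can never match."""
    return (covers(v, route)
            and route.prefixlen <= v.max_length
            and origin_asn != 0
            and v.asn == origin_asn)


def validate_origin(prefix: str, origin_asn: int, vrps: Iterable[VRP]) -> str:
    """Return 'Valid', 'Invalid' or 'NotFound' (the article's 'unknown')."""
    route = ipaddress.ip_network(prefix, strict=True)
    covering = [v for v in vrps if covers(v, route)]
    if not covering:
        return "NotFound"
    if any(matches(v, route, origin_asn) for v in covering):
        return "Valid"
    return "Invalid"


# Constructed VRP list: what a validator might produce from four ROAs.
VRPS: List[VRP] = [
    vrp("192.0.2.0/24", 64496),                 # tight: maxLength == prefixlen
    vrp("198.51.100.0/22", 64497, max_length=24),  # loose: /23 and /24 allowed
    vrp("203.0.113.0/24", 0),                   # AS 0: do not route this at all
    vrp("2001:db8::/32", 64496, max_length=48),
]

# Constructed announcements: (prefix, origin ASN) as seen in BGP.
ROUTES = [
    ("192.0.2.0/24", 64496),    # exact match                 -> Valid
    ("192.0.2.0/25", 64496),    # too specific for maxLength   -> Invalid
    ("192.0.2.0/24", 64500),    # wrong origin ASN             -> Invalid
    ("198.51.100.0/24", 64497), # a more-specific the loose ROA permits; a
                                # forged-origin hijack looks exactly like this
    ("198.51.100.0/25", 64497), # beyond maxLength             -> Invalid
    ("203.0.113.0/24", 64496),  # covered only by an AS 0 ROA  -> Invalid
    ("10.0.0.0/8", 64496),      # no covering ROA              -> NotFound
    ("2001:db8:1::/48", 64496), # IPv6, within maxLength        -> Valid
]

if __name__ == "__main__":
    for prefix, asn in ROUTES:
        print(f"{prefix:>18}  AS{asn:<6} {validate_origin(prefix, asn, VRPS)}")
```

Run it with no arguments to see the status of each constructed announcement. The first VRP is the shape you want for your own ROAs: maxLength equal to the prefix length, so only the announcements you actually make are valid.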
NIST, the US government’s standardization agency, monitors RPKI deployment. It reports that over half of unique prefix (IP address block) and AS Number pairs have valid RPKI ROAs. Just under half of pairs have an unknown status.
Only half of one percent have an invalid status and a few of these are deliberately broken test networks used by organizations running internet measurement experiments.
The low proportion of invalid pairs is a tribute to the simplicity of creating RPKI objects in the RIR portals.
Validating ROAs
RPKI only makes a difference if network operators validate. Creating the signed objects but not checking them just adds cost; it does not improve security. But not every operator has to validate for those that do to make a difference. Industry consolidation means that if a few big networks validate, their outsized share of the traffic protects everyone behind them.
So, when global players validate RPKI ROAs, it pushes the industry to improve.
It is hard to measure the proportion of networks that are validating. But APNIC has measured the impact on users, which is a slightly different thing. Their measurements show that about one in five users is behind a network that discards RPKI invalid routes. In other words, four in five users are not protected.
Should you validate? Unless you connect other networks to the internet, it is probably not useful. And if you only connect a few networks to the internet, you might validate the routes they advertise to you in a different way, for instance with a prefix list agreed with each of them.
Meanwhile, European IXP operators are working on a proposal to achieve similar aims by reducing the number of IRR databases in use. Improvements to the IRR and RPKI are both approaches to achieving the same goal of a more reliable internet infrastructure.
Create an RPKI ROA
Whether you choose to validate or not, creating and publishing an RPKI ROA and an IRR entry is useful. The RIRs will help you do this. You can also use third-party tools, like NLNOG’s IRR Explorer, to check that you have everything configured properly. It checks that your IRR and RPKI records are consistent with each other and with what is seen in BGP, the routing protocol used to connect internet networks. When you create a ROA, keep the maxLength as tight as the announcements you actually make: a loose maxLength authorises more-specific announcements you never intended, and anyone who forges your ASN as the origin can use it.

Fig: NLNOG’s IRR Explorer report for the RIPE NCC’s network