Implementing BGP Security with RPKI

Overview

Resource Public Key Infrastructure (RPKI) provides cryptographic validation of BGP route origins to prevent route hijacking and accidental route leaks. RPKI enables network operators to create Route Origin Authorizations (ROAs) that declare which Autonomous Systems (ASes) are authorized to originate specific IP prefixes. BGP routers validate received route announcements against RPKI data through Route Origin Validation (ROV), rejecting routes with invalid origins. This skill covers creating ROAs through Regional Internet Registries (RIRs), deploying RPKI validator software, configuring ROV on Cisco IOS-XE and Juniper Junos routers, and implementing BGP filtering policies based on RPKI validation state.

When to Use

• When deploying or configuring implementing bgp security with rpki capabilities in your environment
• When establishing security controls aligned to compliance requirements
• When building or improving security architecture for this domain
• When conducting security assessments that require this implementation

Prerequisites

• IP address space allocated from an RIR (ARIN, RIPE, APNIC, AFRINIC, LACNIC)
• RIR member portal access for ROA creation
• BGP routers (Cisco IOS-XE 16.x+, Juniper Junos 12.2+, or similar)