Resource Public Key Infrastructure (RPKI)
RPKI allows routing advertisements in BGP to be digitally encrypted and signed using a private and public key pair. Information encrypted and signed with a private key can only be decrypted, and its signature verified, using the matching public key. Digitally signing this information provides assurance that routing advertisements are verified and authentic, and it lets us verify whether an Autonomous System (AS) is authorized to announce a specific IP prefix. Routing protocols are potentially exposed to attacks that can harm individual users or network operations. RPKI was specified by the IETF to secure routing. The Internet Architecture Board considers “a properly designed and deployed RPKI an absolute prerequisite to having a secure global routing system, which is in turn a prerequisite to having a reliable worldwide Internet.”
Route Origin Authorizations (ROAs)
A Route Origin Authorization (ROA) is a cryptographically signed object that states which Autonomous System (AS) is authorized to originate a certain IP prefix. Network operators create cryptographically valid statements, or ROAs, about the route announcements they authorize to be made with the prefixes they hold.
A ROA contains the following information:
- The authorized AS number.
- The prefix that is being originated from the AS.
- The most specific prefix (maximum length) that the AS may announce.
ROA’s Benefits
- Verify whether an AS is authorized to announce a specific IP prefix.
- Minimize common routing errors.
- Prevent prefix hijacks.
You can also visit the Ready to ROA campaign page; keep an eye on it for the latest news and updates.
Create your ROA in MyAPNIC
It’s easy to create a ROA. Log in to your MyAPNIC account and follow the step-by-step guide. It will only take you about 5 minutes to complete.
How to Check ROA
Use one of the methods below to check a ROA.
Method-1: Go to https://bgp.he.net and search for your AS. Click on the Prefixes v4 tab and check whether the key icon to the right of each prefix is green, red, or absent. Green means the ROA is valid; red means the ROA is not valid; no key icon means no ROA has been configured yet.
Method-2: Log in to your Linux machine and run the command below. If the ROA for your AS is valid, the output shows its validity period.
whois -h whois.bgpmon.net " --roa YOUR_ASN YOUR_PREFIX"
whois -h whois.bgpmon.net " --roa 18369 203.119.95.0/24"
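The three ROA fields listed above and the valid / invalid / not-configured results of the checks are tied together by route origin validation (RFC 6811). The following added example (not part of the original post) implements that check over a constructed ROA set: the first ROA reuses the ASN and prefix from the whois command above, the others use documentation ASN/prefixes, and all three are made-up entries rather than data from a real RPKI repository.

```python
from ipaddress import ip_network
from typing import NamedTuple, Optional

# Validation states as a router (or the key icon on bgp.he.net) reports them.
VALID, INVALID, NOT_FOUND = "Valid", "Invalid", "NotFound"

class ROA(NamedTuple):
    asn: int          # AS authorized to originate the prefix (0 = nobody)
    prefix: str       # covering prefix, e.g. "203.119.95.0/24"
    max_length: int   # longest more-specific the AS may announce

def make_roa(asn: int, prefix: str, max_length: Optional[int] = None) -> ROA:
    """Build a ROA; maxLength defaults to the prefix length and must not be
    shorter than the prefix or longer than the address family allows."""
    net = ip_network(prefix, strict=True)
    if max_length is None:
        max_length = net.prefixlen
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"bad maxLength {max_length} for {net}")
    return ROA(asn, str(net), max_length)

def validate(roas, announced_prefix: str, origin_asn: int) -> str:
    """Classify one BGP announcement (prefix + origin AS) against the ROA set."""
    announced = ip_network(announced_prefix, strict=True)
    # A ROA covers the announcement only if it is the same address family
    # and the announced prefix lies inside the ROA prefix.
    covering = [r for r in roas
                if ip_network(r.prefix).version == announced.version
                and announced.subnet_of(ip_network(r.prefix))]
    if not covering:
        return NOT_FOUND   # no ROA at all: "not configured yet"
    # Valid needs a covering ROA with BOTH the right origin AS and an
    # announced length within its maxLength; otherwise it is Invalid.
    if any(r.asn == origin_asn and announced.prefixlen <= r.max_length
           for r in covering):
        return VALID
    return INVALID

# Constructed ROA set: the first entry reuses the ASN and prefix from the
# whois example above; the others use documentation ASN/prefixes.
ROAS = [
    make_roa(18369, "203.119.95.0/24"),     # exact /24 only
    make_roa(64496, "2001:db8::/32", 48),   # more-specifics down to /48 allowed
    make_roa(0, "192.0.2.0/24"),            # AS 0 ROA: nobody may originate
]

if __name__ == "__main__":
    for prefix, asn in [("203.119.95.0/24", 18369), ("203.119.95.0/25", 18369),
                        ("203.119.95.0/24", 64496), ("2001:db8:1::/48", 64496)]:
        print(f"{prefix:18} AS{asn:<6} -> {validate(ROAS, prefix, asn)}")
```

Note that an announcement longer than the ROA's maxLength is Invalid even from the authorized AS, and that a covered prefix with no matching ROA is Invalid rather than NotFound; both are common causes of a red key icon.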
CCNP (ENCOR & R), CCNA (R&S), JNCIA-Junos & SEC. Experienced Network & System Engineer.