Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Use Case Overview


BGP in the Internet core relies on a transitive trust model. In a transitive trust, a certain level of trust is inherited by an entity through an intermediary, rather than directly from the source. In a data center, a new process might inherit access rights not only from a parent process but also from the parent process’s parent. Transitive trusts are not the only trust model. For example, a bank might trust checks drawn on an account in a different branch, but not on an account from a bank that does not exist. There are also hierarchical trust models where trust passes from a top authority down to others.

On the Internet, the transitive trust nature of BGP routing information can lead to outages when a device incorrectly announces routes it does not own. By design, routers choose a more specific route in favor of a less specific route. An incorrect route announcement that has a longer and more specific network mask can result in the-hijacking-of a prefix throughout the Internet. This is a common event on the Internet and it usually occurs because of an accidental misconfiguration.

In response to this, the IETF has defined solutions that help to reduce the impact of this inherent vulnerability; Origin Validation.

RPKI is a specialized PKI framework designed to secure the Internet’s routing infrastructure. RPKI performs the following:

  • Provides a way to validate whether a rightful resource holder authorizes the originating AS number and announces the IPv4 and IPv6 prefixes.

  • Makes sure that the prefix lengths for the routes are within the limits defined by their owners.

  • Links the route information (a resource) to a trust anchor (a root certificate authority). This linking allows legitimate holders of these route resources to control the operation of routing protocols, in BGP, regarding their route information.

  • Uses X.509 certificates, which allow local Internet registries (LIRs) to obtain a resource certificate listing the AS numbers and IP address resources they hold.