Child pages
  • RPKI Validation

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

Attacks against the routing system are increasing, and it's not uncommon in today's Internet world to experience prefix hijacking.  The IETF has for a while, been woking on an Internet Resource Public Key Infrastructure, to help validate routing (BGP) announcements.  

Details on RPKI and how this works is best followed up through the your RIR.  The RIPE-NCC in particular have excellent resources for you to peruse, and another excellent set of guidelines is available at


At INX-ZA, we operate three (3) a few RPKI validators that are made we use in production, and which we make available to the general public for use.  These are spread across the country, and are available at: 


(or will be) available for you to use to validate your prefixes.  We stongly  recommend that each network implements their own set of validators, and provide these for use as backup and/or failover validators primarily for peers, who are typically one network hop away;  although we place no restriction on reasonable use.

  • https://vc2 (Routinator 3000)
  • https://vc3 (Cloudflare GoRTR)

for you to use manually, or, through the built-in API, to validate your prefixes.  

  •  (Routinator 3000)
  • (Cloudflare GoRTR)

  •  (coming soon)
  •  (coming soon)

Of course the point of RPKI validation is for your network equipment to do this automatically, so we suggest the following configuration: 


Code Block
titleRPKI Config
router bgp 65001
 bgp rpki server tcp 2001:43F8:1F4:100::40<<host>> port 82823323 refresh 600
 bgp rpki server tcp 2001:43F8:1F5:100::40 port 8282 refresh 600
 bgp rpki server tcp 2001:43F8:1F3:100::40 port 8282 refresh 600
 bgp rpki server tcp port 8282 refresh 600
 bgp rpki server tcp port 8282 refresh 600
 bgp rpki server tcp port 8282 refresh 600

All of the hosts are dual-stacked;  please remember to use the v6 addresses, if your router supports IPv6.


From June 2019, INX drops RPKI invalids on our BGP Route server service.  Details for these, and other filtered routes, can be seen via the looking glass facilities that are provided into the INX BGP-RS service.  


We recommend that you

  • assign a higher local-pref to prefixes that have a Valid ROA
  • leave prefixes with Not-Found ROAs untouched
  • drop prefix with Invalid ROA

titleDealing with Invalids

Most operators may be tempted to choose an approach where they set the local-pref of Invalids to something really low (ie. least preferred).  The simple problem you're still likely to see is that a more-specific (ie. longer match) route for this, will still win in the BGP route selection process, and therefore still leave you to attack.  

Should you need assistance with this, please feel free to send a mail to ops [at]

Table of Contents