BGP Origin AS Validation


The BGP Origin AS Validation architecture is used to prevent IP address space from being hijacked. It relies on the Resource Public Key Infrastructure (RPKI) to cryptographically tie a resource, such as an IP address block, to the ASN that is authorized to originate it.


  • Validates that the origin ASN is authorized for the announced IP address space.
  • Does not validate the whole AS path, only the originating ASN.
  • Vendor Support
    • Cisco IOS - 15.2
    • Cisco IOS-XR - 4.3.2
    • Juniper - 12.2


  • ROA (Route Origin Authorization) - states which ASN is allowed to advertise an IP address space. It can also carry the prefix's maximum length (the most specific announcement the ASN may originate).
  • Validity States:
    • Valid - At least one ROA covers the prefix and matches the advertising ASN.
    • Invalid - A ROA covers the prefix, but the advertising ASN is not authorized for the BGP route, or the prefix length exceeds the maximum length the ROA allows for that ASN.
    • Unknown - No ROA has been created for the IP address space, or no ROA covers the prefix length of the advertised route.
  • Routers don't validate the ROAs themselves; they receive the already-validated prefix/origin data from the RPKI server over RTR.
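As an added example (not from the original page), the following Python models the Valid/Invalid/Unknown decision a router applies to an announced route against the ROA-derived data it holds. The ROA entries are constructed sample data using documentation prefixes and private ASNs; `validate` is an assumed helper name, not a vendor API.

```python
# Added example: origin-validation decision over a constructed ROA set.
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    prefix: str       # covering prefix from the ROA, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the ASN may originate
    asn: int          # authorized origin AS


# Constructed sample ROAs (documentation ranges, private ASNs; not real registry data).
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("192.0.2.0/24", 24, 64498),      # a second ASN authorized for the same block
    ROA("198.51.100.0/22", 24, 64497),   # /22 block, may be announced down to /24
    ROA("2001:db8::/32", 48, 64496),
]


def validate(route_prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Return "valid", "invalid" or "unknown" for a route against the ROA set."""
    route = ip_network(route_prefix)
    covered = False
    for roa in roas:
        covering = ip_network(roa.prefix)
        # A ROA covers the route when the route is equal to or more specific
        # than the ROA prefix. A less-specific route is not covered at all.
        if route.version != covering.version or not route.subnet_of(covering):
            continue
        covered = True
        # Match: the origin ASN is authorized AND the route is no longer
        # than the ROA's max length. Any single match makes the route valid.
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by some ROA but matched by none -> invalid (wrong ASN or too long).
    # Covered by no ROA at all -> unknown.
    return "invalid" if covered else "unknown"


if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                        ("192.0.2.0/24", 64500), ("203.0.113.0/24", 64496)]:
        print(f"{prefix} from AS{asn}: {validate(prefix, asn)}")
```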


  • Composed of a number of architectural parts:
    • BGP router
    • RPKI Server
    • RPKI-to-Router Protocol (RTR)
    • Trust Anchors - the RIR entities: RIPE, ARIN, LACNIC, APNIC and AFRINIC.

Additional Resources

RIPE RPKI Internet Usage Report RPKI Adaptation Report - Validity, adaptation and detail reports.
RPKI Monitoring - NIST Monitoring Statistics. - Toolset
Cisco IOS XE BGP AS Origin Validation - Cisco Configuration Guide.
Resource Certification - The Internet Journal
Internet Society RPKI

RFC6810 - The Resource Public Key Infrastructure (RPKI) to Router Protocol
RFC7115 - Origin Validation Based on the Resource Public Key Infrastructure (RPKI)


