Skip to main content


Technical & Additional Services

What is RPKI?

Resource Public Key Infrastructure (RPKI) is a public key infrastructure framework designed to secure the Internet’s routing infrastructure, specifically the Border Gateway Protocol.
RPKI provides a way to connect Internet number resource information to a trust anchor, and lets the legitimate holder of a block of IP addresses make an authoritative statement about which AS is authorised to originate their prefix in the BGP. In turn, other network operators can download and validate these statements and make routing decisions based on them. This process is referred to as route origin validation (ROV). This provides a stepping stone to provide path validation in the future.

Route Origin Validation

With route origin validation (ROV), the RPKI system tries to closely mimic what route objects in the IRR intend to do, but then in a more trustworthy manner. It also adds a couple of useful features.
Origin validation is currently the only functionality that is operationally used. The five RIRs provide functionality for it, there is open source software available for creation and publication of data, and many major router vendors have implemented ROV in their platforms. Various router software implementations offer support for it, as well.

Route Origin Authorisations

Using the RPKI system, the legitimate holder of a block of IP addresses can use their resource certificate to make an authoritative, signed statement about which autonomous system is authorised to originate their prefix in BGP. These statements are called Route Origin Authorisations (ROAs).
The creation of a ROA is solely tied to the IP address space that is listed on the certificate and not to the AS numbers. This means the holder of the certificate can authorise any AS to originate their prefix, not just their own autonomous systems.

Route Announcement Validity

When a network operator creates a ROA for a certain combination of origin AS and prefix, this will have an effect on the RPKI validity of one or more route announcements. Once a ROA is validated, the resulting object contains an IP prefix, a maximum length, and an origin AS number. This object is referred to as validated ROA payload (VRP).
When comparing VRPs to route announcements seen in BGP, RFC 6811 describes their possible statuses:


The route announcement is covered by at least one VRP. The term covered means that the prefix in the route announcement is equal, or more specific than the prefix in the VRP.


The prefix is announced from an unauthorised AS, or the announcement is more specific than is allowed by the maxLength set in a VRP that matches the prefix and AS.


The prefix in this announcement is not, or only partially covered by a VRP.

RPKI at NAPAfrica

Currently, NAPAfrica operates 3 pairs of validators, available to peering members in each region.

NAPAfrica route servers perform filtering and validation in the following sequence:

  • Drop prefixes that are too long (/25-/32 for v4 and /49-/128 for v6)
  • Drop prefixes considered as martians/bogons
  • Drop prefixes where the AS path length is too short
  • Drop prefixes where the first AS in the path is not the peer AS
  • Drop prefixes with well known transit AS numbers in the path
  • Drop prefixes where the AS path is too long
  • RPKI Route Origin Validation – Drop invalid prefixes, Accept valid prefixes. RPKI unknowns will be subject to IRR filtering

Teraco is Africa's Data Centre

Connect to Africa’s Largest Peering Community


National Contact

How can we help? We’re available

Monday to Friday from 08h00 until 17h00.