NAPAfrica IXP

Technical & Additional Services

What is RPKI?

Resource Public Key Infrastructure (RPKI) is a public key infrastructure framework designed to secure the Internet’s routing infrastructure, specifically the Border Gateway Protocol.
RPKI provides a way to connect Internet number resource information to a trust anchor, and lets the legitimate holder of a block of IP addresses make an authoritative statement about which AS is authorised to originate their prefix in the BGP. In turn, other network operators can download and validate these statements and make routing decisions based on them. This process is referred to as route origin validation (ROV). This provides a stepping stone to provide path validation in the future.

Route Origin Validation

With route origin validation (ROV), the RPKI system tries to closely mimic what route objects in the IRR intend to do, but then in a more trustworthy manner. It also adds a couple of useful features.
Origin validation is currently the only functionality that is operationally used. The five RIRs provide functionality for it, there is open source software available for creation and publication of data, and many major router vendors have implemented ROV in their platforms. Various router software implementations offer support for it, as well.

Route Origin Authorisations

Using the RPKI system, the legitimate holder of a block of IP addresses can use their resource certificate to make an authoritative, signed statement about which autonomous system is authorised to originate their prefix in BGP. These statements are called Route Origin Authorisations (ROAs).
The creation of a ROA is solely tied to the IP address space that is listed on the certificate and not to the AS numbers. This means the holder of the certificate can authorise any AS to originate their prefix, not just their own autonomous systems.

Route Announcement Validity

When a network operator creates a ROA for a certain combination of origin AS and prefix, this will have an effect on the RPKI validity of one or more route announcements. Once a ROA is validated, the resulting object contains an IP prefix, a maximum length, and an origin AS number. This object is referred to as validated ROA payload (VRP).
When comparing VRPs to route announcements seen in BGP, RFC 6811 describes their possible statuses:

Valid

The route announcement is covered by at least one VRP. The term covered means that the prefix in the route announcement is equal, or more specific than the prefix in the VRP.

Invalid

The prefix is announced from an unauthorised AS, or the announcement is more specific than is allowed by the maxLength set in a VRP that matches the prefix and AS.

NotFound

The prefix in this announcement is not, or only partially covered by a VRP.

RPKI at NAPAfrica

Currently, NAPAfrica operates 3 pairs of validators, available to peering members in each region.


rpki1.jb1.nap.africa
rpki2.jb1.nap.africa
rpki1.ct1.nap.africa
rpki2.ct1.nap.africa
rpki1.db1.nap.africa
rpki2.db1.nap.africa

NAPAfrica’s route servers perform origin validation, and the following actions are applied:

  • Prefixes with Valid status are allowed.
  • Prefixes with Invalid status are dropped.
  • Prefixes with Unknown status are subject to IRR validation, which will result in either allow or deny.

Teraco is Africa's Data Centre

Connect to Africa’s Largest Peering Community

360
Peering
800
Traffic
600
Ports
3
Locations

National Contact

How can we help? We’re available

Monday to Friday from 08h00 until 17h00.