Sandeep Bhanoori
GS-JTAC-400
• RPKI gives the holders of IP resources an authorized and reliable means of stating how those resources may appear in the global routing table.
• This infrastructure is used to make Internet routing more policy-driven, reliable and secure.
• The legitimate holder of a block of IP addresses can make an authoritative statement about which AS may originate their prefix, and network operators can download and validate these statements and make routing decisions based on them.
• Resource Public Key Infrastructure (RPKI) revolves around the right to use Internet number resources, such as IP addresses and autonomous system (AS) numbers.
- A ROA (Route Origin Authorization) is a signed statement that consists of a prefix, a maximum prefix length, and the originating ASN.
- Operationally, this functionality closely mimics what route objects in the IRR intend to do, but in a trustworthy (cryptographically verifiable) manner.
- Once the data has been downloaded, the validator verifies the signatures on all objects and outputs the valid route origins as a list. Each object in this list contains an IP prefix, a maximum length, and an origin AS number. This object is referred to as a validated ROA payload (VRP). The collection of VRPs is known as the validated cache.
• X.509 Digital Certificates
- Subject, validity period, public key and other fields.
- Standardised under RFC 5280.
• With extensions
- RFC 3779 defines extensions that allow Internet number resources to be carried as certificate fields.
• List of IPv4 and IPv6 prefixes and ASNs assigned to an organization.
[Figure: X.509 certificate structure: Serial Number, Signature Algorithm ID, Issuer Name, Validity Period (Not Before, Not After), Subject Name, Public Key Info (Public Key Algorithm, Subject Public Key), Certificate Algorithm]
VALID: This is the state when the ROA and the route announcement match. It is expected that all operators will allow these routes to be installed in their routers, and they may up-preference these routes.
INVALID: This is the state when the ROA and the route announcement differ: either the originating ASN is different, or the announced prefix is more specific than is allowed by the maximum prefix length set in the ROA.
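The VRP list and the VALID/INVALID states described above can be worked through in code. The following is an added example, not part of the original deck: it implements the RFC 6811 origin-validation check over a constructed validated cache, and also returns the NOTFOUND state (no covering ROA at all) that RFC 6811 defines alongside VALID and INVALID. The CSV layout `ASN,prefix,maxlen` used for the sample cache is an assumption, chosen to resemble common validator exports.

```python
# Added example (not from the original deck): RFC 6811 route origin validation
# against a validated cache of VRPs. Sample cache and routes are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    """Validated ROA payload: IP prefix, maximum length and origin ASN."""
    prefix: Network
    max_length: int
    origin_asn: int


def load_vrps(csv_lines: List[str]) -> List[VRP]:
    """Parse 'ASN,prefix,maxlen' lines (assumed export format) into VRPs.
    Blank lines and a header line starting with 'ASN' are skipped."""
    vrps = []
    for line in csv_lines:
        line = line.strip()
        if not line or line.upper().startswith("ASN"):
            continue
        asn, prefix, max_len = [f.strip() for f in line.split(",")[:3]]
        net = ipaddress.ip_network(prefix)
        # maxLength must lie between the prefix length and the family maximum.
        if not (net.prefixlen <= int(max_len) <= net.max_prefixlen):
            raise ValueError(f"bad maxLength in VRP: {line}")
        vrps.append(VRP(net, int(max_len), int(asn.lstrip("ASas"))))
    return vrps


def validate_origin(route: str, origin_asn: int, cache: List[VRP]) -> str:
    """Return VALID, INVALID or NOTFOUND for a (prefix, origin AS) announcement."""
    net = ipaddress.ip_network(route)
    # A VRP covers the route when the route lies inside the VRP prefix
    # (same address family; subnet_of raises on mixed families).
    covering = [v for v in cache
                if v.prefix.version == net.version and net.subnet_of(v.prefix)]
    if not covering:
        return "NOTFOUND"  # no ROA covers this prefix at all
    for v in covering:
        # Matching origin AS and prefix no longer than maxLength => VALID.
        if v.origin_asn == origin_asn and net.prefixlen <= v.max_length:
            return "VALID"
    return "INVALID"  # covered, but wrong origin AS or too specific


# Constructed sample cache (documentation prefixes and private ASNs).
SAMPLE_CACHE = load_vrps([
    "ASN,IP Prefix,Max Length",
    "AS64500,192.0.2.0/24,24",
    "AS64500,2001:db8::/32,48",
])
```

Note that a /25 announced by the correct AS is still INVALID here, because it exceeds the ROA's maximum length; this is the most common source of unintended INVALIDs when operators create ROAs.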
The only entity that can make changes to a ROA is the RIR-listed authorized holder of the IP resource.
If an existing or new authorized holder wants to add or update their resources, the links below are useful.
RIR Portal
AFRINIC https://my.afrinic.net
APNIC https://myapnic.net
ARIN https://account.arin.net
LACNIC https://milacnic.lacnic.net
RIPE NCC https://my.ripe.net
© 2021 Juniper Networks 12
Juniper Business Use Only
Routing Errors
Route Leak (RFC 7908): A route leak is the propagation of routing announcement(s) beyond their intended scope. That is, an announcement from an Autonomous System (AS) of a learned BGP route to another AS is in violation of the intended policies of the receiver, the sender, and/or one of the ASes along the preceding AS path.
Route Hijack: BGP route hijacking, also called prefix hijacking, route hijacking or IP hijacking, is the illegitimate takeover of groups of IP addresses by corrupting the Internet routing tables maintained using the Border Gateway Protocol (BGP).
refresh-time 1800;
hold-time 3600;
record-lifetime 7200;
port 8383;
Refresh-Time: The interval after which an incremental update is requested from the RPKI (RTR) server.
Hold-Time: The period of inactivity after which the RPKI-RTR session is considered down.
Record-Lifetime: The maximum age after which a record received from the server is considered expired.
Thank you