RPKI at the BatamIX route servers in order to increase the security of the Internet routing system and support the adoption of RPKI. The adoption was essential to Internet security, and the benefits were visible from day one for all peers and their members.
What is RPKI?
RPKI means Resource Public Key Infrastructure. It can be used to support secure Internet routing, especially to prevent route hijacking and other attacks.
More information can be found in RFC 6480 or at APNIC. A community-driven FAQ about RPKI is available here.
Why must I use RPKI?
RPKI is useful to prove that a given IP prefix is really yours. For that, you get a certificate which is signed by the entity handing out that prefix to you. With this signed certificate, you can prove to a third party like BatamIX that a prefix is really yours and that you legitimately announce it to our route servers.
What is an ROA?
ROA means Route Origin Authorization. An ROA connects a prefix and an originating Autonomous System. It also states if the prefix must be announced as a whole or if sub-announcements are allowed.
How does the RPKI validation work?
RPKI validation means that a validator (software) checks existing ROAs. A router queries this validator, and as a result, three values are possible:
- Valid: The BGP announcement's originator AS, prefix, and prefix length are covered by an ROA. This is the best case.
- Invalid: There is an ROA for this prefix, but it is either for a different originator AS or the prefix length does not match. These prefixes will be filtered out by BatamIX route servers.
- NotFound/Unknown: There is no ROA for this prefix. BatamIX route servers will distribute them if they can be successfully verified against IRRDB data.
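The three outcomes above can be reproduced with a small origin-validation routine. This is an added example, not BatamIX's route-server code: the ROAs are constructed from documentation prefixes and ASNs, the names `ROA`, `validate_origin` and `route_server_action` are hypothetical, and the handling of Valid routes and of NotFound routes that fail the IRRDB check is an assumption.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str      # prefix authorised by the resource holder
    max_length: int  # longest prefix length that may be announced
    asn: int         # authorised originating AS

# Constructed sample ROAs (documentation prefixes and ASNs only).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64500),    # must be announced as a whole
    ROA("203.0.113.0/24", 26, 64501),  # sub-announcements down to /26 allowed
    ROA("2001:db8::/32", 48, 64502),
]

def validate_origin(route: str, origin_asn: int, roas=SAMPLE_ROAS) -> str:
    """Return 'Valid', 'Invalid' or 'NotFound' for one BGP announcement."""
    net = ipaddress.ip_network(route)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers the route only if the route lies inside the ROA prefix.
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        # An AS0 ROA never authorises any origin.
        if roa.asn != 0 and roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "Valid"
    # Covered by at least one ROA but matched by none: wrong AS or too specific.
    return "Invalid" if covered else "NotFound"

def route_server_action(state: str, irr_verified: bool) -> str:
    """Policy described on this page; the Valid and unverified-NotFound
    branches are assumptions, since the page does not spell them out."""
    if state == "Invalid":
        return "filter"
    if state == "NotFound":
        return "distribute" if irr_verified else "filter"
    return "distribute"

if __name__ == "__main__":
    for route, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/25", 64500),
                       ("203.0.113.64/26", 64999), ("198.51.100.0/24", 64500)]:
        state = validate_origin(route, asn)
        print(route, f"AS{asn}", state, route_server_action(state, irr_verified=True))
```

A single matching ROA is enough for Valid even when other covering ROAs name a different AS, which is why the loop returns on the first match and only falls back to Invalid after checking them all.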
How can I create ROAs for my prefix?
You can create ROAs through the registry where your prefix is registered, such as APNIC or IDNIC.