The Necessity of RPKI


March 16, 2026 by Cogent Solutions Engineering

A key aspect of internet security for ISPs and their customers is establishing systems that prevent the hijacking of BGP prefixes. At a high level, ISPs address this problem by verifying that their customers only announce prefixes they have been allocated by a Regional Internet Registry (RIR), are currently leasing, or that have been allocated to their end users.


Customers using BGP therefore need to work with each of their upstream providers to implement lists of allowed prefixes. In many cases this is a manual process, and policies for validating prefixes and updating prefix lists differ from one ISP to the next. Prior to the development of RPKI, ISPs took a more decentralized approach to prefix validation, typically relying on Internet Routing Registries (IRRs) such as RADB and its mirrors to validate which prefixes their customers could announce on their BGP sessions. The downside to using these IRRs is that their data may not always be accurate or up-to-date.

RPKI provides a centralized means of validating which ASNs are allowed to originate each prefix, which in turn can be used by ISPs as an authoritative source for policing their customers’ BGP prefix lists. With the advent of RPKI, holders of IP resources who have an agreement with their RIR can generate Route Origin Authorizations (ROAs), which are cryptographically signed objects that associate a given IP prefix with a specific originating ASN. ISPs can then verify the validity of prefix announcements by checking ROAs against the issuing RIR’s RPKI database, and drop routes deemed invalid.
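
The origin check described above, as an added example that is not Cogent's code: a sketch of route origin validation in the style of RFC 6811, run over constructed ROA data built from documentation prefixes and ASNs. It goes beyond the text by including the ROA maxLength field, and it assumes the ROA signatures have already been verified by an RPKI validator; the names `VRP`, `validate_origin` and `accepted_routes` are hypothetical.

```python
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """Validated ROA payload: what a signature-checked ROA asserts."""
    prefix: str
    max_length: int   # longest prefix length the holder authorizes
    origin_asn: int


# Constructed sample data (documentation prefixes and ASNs), not real ROAs.
VRPS = [
    VRP("192.0.2.0/24", 24, 64500),
    VRP("198.51.100.0/24", 24, 64501),
    VRP("2001:db8::/32", 48, 64500),
]


def validate_origin(prefix: str, origin_asn: int, vrps=VRPS) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        # A VRP covers the route when the route sits inside the ROA prefix.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Valid needs a matching origin AND a length within maxLength.
        # AS 0 in a ROA means "never originate", so it can never match.
        if (vrp.origin_asn == origin_asn and origin_asn != 0
                and route.prefixlen <= vrp.max_length):
            return "valid"
    # Covered but no match: wrong origin or too specific (possible hijack).
    return "invalid" if covered else "not-found"


def accepted_routes(announcements, vrps=VRPS):
    """Drop invalid routes; keep valid and not-found ones.

    Assumed policy: not-found is accepted because ROAs are not mandatory.
    """
    return [(p, asn) for p, asn in announcements
            if validate_origin(p, asn, vrps) != "invalid"]
```

An announcement of a covered prefix from the wrong ASN, or one more specific than maxLength allows, is classified as invalid and filtered out, while a prefix with no ROA at all still passes as not-found.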

Although RPKI ROAs aren’t currently mandatory, the industry is moving in that direction and one can imagine a future where all prefix announcements on BGP sessions will require ROAs, as a means of preventing prefix hijacking and route leaks.

As a leading global ISP, Cogent supports RPKI validation natively across its entire backbone, enabling customers to bring their own IP blocks and associated ROAs. Cogent can furthermore generate ROAs for customers who choose to lease IP space from our vast allotment of public IPv4 resources.

About the Author:
The Cogent Solutions Engineering team is a group of experienced, technically-versed and business-minded individuals who understand the challenges facing our global customer base, and how Cogent’s set of products and services can address these, from their daily involvement in customer conversations, review of individual customer requirements, solution design, and resulting product development initiatives.