← All articles
Security 6 min

RPKI and routing security: putting an end to BGP hijacks

BGP, the protocol that holds the Internet together, has historically relied on trust: when a network announces a prefix, its neighbours take it at its word. That model has a major flaw — nothing prevents, by mistake or malice, announcing addresses that aren't yours. This is the root of the route leaks and hijacks that regularly make services unreachable or divert traffic.

The problem: announcements no one verifies

A BGP hijack happens when an AS announces a prefix it isn't authorised to announce. Traffic destined for those addresses can then be sucked toward the wrong network — sometimes on the other side of the world. A single typo in a configuration has already been enough to take down major services for hours.

RPKI and ROAs: signing your prefixes

RPKI (Resource Public Key Infrastructure) provides a cryptographic answer. The legitimate holder of a prefix publishes a ROA (Route Origin Authorization): a signed record stating "prefix X may be announced by AS Y". Operators doing Route Origin Validation (ROV) compare each received announcement against these ROAs and reject the ones marked "invalid".

In practice, if you hold your prefixes, creating your ROAs with your RIR (the RIPE NCC in Europe) is now a basic security step — it protects your addresses against accidental or malicious hijacks.

MANRS: collective best practices

The MANRS initiative (Mutually Agreed Norms for Routing Security) formalises what every responsible operator should do:

  • Filtering: only accept from customers and peers the prefixes they are legitimately authorised to announce.
  • Validation (RPKI): reject announcements that are invalid against ROAs.
  • Anti-spoofing: prevent traffic with spoofed source addresses from being sent.
  • Coordination: keep contact details up to date (PeeringDB, RIR objects) to react quickly.

What you should demand from your operator

Routing security isn't just an expert concern: it determines whether your services are reachable. Ask your operator whether it filters customer announcements, performs RPKI validation, and helps you publish your ROAs. At Connect-IX, routing security is part of operating our IP transit; you can inspect our announcements in real time via the Looking Glass and use our BGP communities to steer your prefixes.

A network project to bring to life?

Let's talk about your needs — a tailored quote within 24 h, no commitment.

Contact us