
Securing BGP with RPKI: Stopping Route Hijacks Before They Happen

The BGP Problem

BGP is the protocol that glues the internet together — but it was designed in an era of trust. Any Autonomous System (AS) can announce any prefix, and by default, routers will accept it.

This is how route hijacks happen. A rogue or misconfigured AS announces your IP space, traffic reroutes toward them, and suddenly your users are hitting someone else’s servers — or nowhere at all.

Notable incidents:

  • 2018: MyEtherWallet hijacked via BGP, users’ crypto stolen
  • 2022: Multiple financial institutions impacted by route leaks
  • 2023: Large CDN briefly unreachable due to prefix hijack

What RPKI Does

Resource Public Key Infrastructure (RPKI) introduces cryptographic proof of prefix ownership. Network operators create Route Origin Authorizations (ROAs) — signed records that say:

“AS64500 is authorized to announce 203.0.113.0/24”

Routers performing Route Origin Validation (ROV) then compare each incoming BGP announcement (prefix plus origin AS) against the ROAs covering that prefix and mark it as:

  • Valid — a covering ROA lists the same origin AS and its max length allows the announced prefix length
  • Invalid — one or more ROAs cover the prefix, but none match the origin AS and length (drop it)
  • NotFound — no ROA covers the prefix at all (accept with caution; this is still the common case)

Creating a ROA

Log into your RIR portal (ARIN, RIPE, APNIC, etc.) and create a ROA for each prefix you originate:

Field        Value
Prefix       203.0.113.0/24
Max Length   /24
Origin ASN   AS64500

Set max length carefully. ROV checks only the origin AS, not the AS path, so a ROA with a permissive max length (e.g. /32) means a more-specific announcement that forges AS64500 as its origin will validate as RPKI-valid and win the longest-match lookup. Keep max length equal to the prefix length you actually announce.

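To make the three validation states and the max-length trade-off concrete, here is a small origin-validation checker in the RFC 6811 style. It is an added example written for this post, not code from any vendor or validator; the ROAs and announcements are constructed sample data using the documentation prefixes and ASNs from the text.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Roa:
    """One Route Origin Authorization: prefix, maxLength, authorized origin AS."""
    prefix: str
    max_length: int
    origin_as: int


def rov_state(announced_prefix: str, origin_as: int, roas) -> str:
    """Classify one announcement as Valid, Invalid or NotFound.

    A ROA 'covers' the announcement when the announced prefix lies inside the
    ROA prefix. If any covering ROA has the same origin AS and a maxLength that
    allows the announced length, the result is Valid. If ROAs cover the prefix
    but none match, it is Invalid. If nothing covers it, it is NotFound.
    """
    net = ip_network(announced_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ip_network(roa.prefix, strict=False)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid" if covered else "NotFound"


def route_map_action(announced_prefix: str, origin_as: int, roas) -> str:
    """Mirror the inbound route-maps in this post: deny Invalid, permit the rest."""
    return "deny" if rov_state(announced_prefix, origin_as, roas) == "Invalid" else "permit"


# Constructed ROAs: the tight /24 maxLength from the table vs. the permissive /32.
ROAS_TIGHT = [Roa("203.0.113.0/24", 24, 64500)]
ROAS_LOOSE = [Roa("203.0.113.0/24", 32, 64500)]

if __name__ == "__main__":
    for prefix, asn, roas in [("203.0.113.0/24", 64500, ROAS_TIGHT),   # legitimate
                              ("203.0.113.0/24", 64666, ROAS_TIGHT),   # wrong origin
                              ("203.0.113.0/25", 64500, ROAS_TIGHT),   # more-specific, tight maxLength
                              ("203.0.113.0/25", 64500, ROAS_LOOSE),   # more-specific, loose maxLength
                              ("198.51.100.0/24", 64500, ROAS_TIGHT)]: # no ROA
        print(prefix, asn, rov_state(prefix, asn, roas), route_map_action(prefix, asn, roas))
```

The fourth case is the one the max-length warning is about: with a /32 max length, a forged-origin /25 is Valid and is permitted, whereas with the tight /24 it is Invalid and dropped.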
Cisco IOS-XE Configuration

IOS-XE does not fetch or cryptographically validate ROAs itself. It relies on an external RPKI cache server (validator) that does that work and feeds the router the resulting validated prefix-to-origin-AS records over the RTR protocol (RFC 8210).

Step 1 — Connect to an RPKI Validator

! Point to Cloudflare's free RPKI validator
router bgp 64500
 bgp rpki server tcp rpki.cloudflare.com port 8282 refresh 600

You can also use your own validator (Routinator, OctoRPKI, etc.):

router bgp 64500
 bgp rpki server tcp 192.0.2.10 port 3323 refresh 300

Step 2 — Verify the RPKI Session

show bgp rpki server
show bgp rpki table
show bgp rpki prefix 203.0.113.0/24

Step 3 — Create a Route Map to Drop Invalid Routes

route-map RPKI-FILTER deny 10
 match rpki invalid
!
route-map RPKI-FILTER permit 20
!
router bgp 64500
 neighbor 198.51.100.1 route-map RPKI-FILTER in
 neighbor 198.51.100.2 route-map RPKI-FILTER in

Cisco IOS-XR Configuration

IOS-XR (used on ASR 9000, NCS series) also talks to an external validator over RTR, but the cache and the validation behaviour are configured directly under the BGP process, and the validation state can be carried to iBGP peers.

Step 1 — Configure the RPKI Server

router bgp 64500
 rpki server 192.0.2.10
  transport tcp port 3323
  refresh-time 300
  response-time 60

Step 2 — Verify

show bgp rpki summary
show bgp rpki database
show bgp rpki prefix 203.0.113.0/24 detail

Step 3 — Drop Invalid Routes via Policy

route-policy RPKI-VALIDATE
  if validation-state is invalid then
    drop
  endif
  pass
end-policy
!
router bgp 64500
 neighbor 198.51.100.1
  address-family ipv4 unicast
   route-policy RPKI-VALIDATE in

Step 4 — Signal Validation State to iBGP Peers

router bgp 64500
 bgp origin-as validation signal ibgp
 address-family ipv4 unicast
  bgp origin-as validation enable

Cisco NX-OS Configuration (Nexus)

NX-OS RPKI support requires NX-OS 9.3(5) or later.

Step 1 — Enable BGP and Configure Validator

feature bgp

router bgp 64500
  address-family ipv4 unicast
    rpki cache 192.0.2.10
      transport tcp port 3323
      refresh-time 300

Step 2 — Verify

show bgp rpki cache-server
show bgp rpki prefix-table

Step 3 — Drop Invalids with Route Map

route-map RPKI-INBOUND deny 10
  match rpki-origin-validation-status invalid
!
route-map RPKI-INBOUND permit 20
!
router bgp 64500
  neighbor 198.51.100.1
    address-family ipv4 unicast
      route-map RPKI-INBOUND in

Verifying Your ROAs Are Published

whois -h whois.radb.net -- '-i origin AS64500'

Note that RADB is an IRR database: this query lists the route objects registered for AS64500, which are separate from ROAs and are not used by ROV. It is still worth keeping IRR and ROA data consistent, but to confirm that the ROAs themselves are published and validating, use one of the tools below or query your own validator.

Online tools:

  • Cloudflare RPKI Validator: rpki.cloudflare.com
  • RIPE Stat: stat.ripe.net
  • RoVista: rovista.net

The Adoption Gap

As of 2025, roughly 45% of the internet’s prefixes have ROAs, but only ~35% of ASes actively drop RPKI-invalid routes. RPKI only works when networks both publish ROAs and enforce ROV.

Your action items:

  1. Create ROAs for all prefixes you originate at your RIR
  2. Enable ROV on your border routers using the configs above
  3. Start with logging only before enforcing drops — validate for a week first
  4. Encourage your upstreams and peers to enforce ROV