What is Route Origin Authorization (ROA)

Author: LARUS Editorial Team

A Route Origin Authorization (ROA) is a signed object in the Resource Public Key Infrastructure (RPKI) in which the holder of an IP prefix states which Autonomous System (AS) is authorized to originate that prefix in BGP, and down to which prefix length. ROAs let network operators check that the origin AS of a received route is one the prefix holder actually authorized; this check is called Route Origin Validation (ROV). ROV is aimed at IP prefix hijacking, where an AS originates address space it has no right to announce. It does not address route leaks, where a route is propagated beyond its intended scope (for example a customer re-announcing one provider's routes to another provider): a leaked route normally still carries the legitimate origin AS and therefore passes origin validation. Both hijacks and leaks can misdirect traffic and destabilize networks, but only the first is caught by ROAs.


Why is ROA Important?

The Border Gateway Protocol (BGP) is tasked with the exchange of routing information across networks; however, it does not include built-in security features to verify that a route is being announced by a legitimate source. This vulnerability renders BGP open to hijacking and route leaks, whether deliberate or unintentional. Such occurrences can lead to significant disruptions in internet connectivity, potential data interception, and even denial-of-service attacks.

ROA acts as an extra verification mechanism, enabling network operators to confirm if a particular Autonomous System (AS) is permitted to announce a route for a specific IP prefix. This contributes to:

  • Prevent IP hijacking: only an origin AS listed in a covering ROA produces a "Valid" result; an announcement of the same prefix, or a more-specific of it, from any other origin AS is "Invalid" and can be rejected by operators that validate.
  • Catch accidental mis-originations: a typo in an origin ASN or a stale prefix-list on a router shows up as "Invalid" instead of being accepted everywhere. Note that ROV examines only the origin AS, so a route leak proper (RFC 7908), which keeps the legitimate origin, is not detected; that requires path-level mechanisms such as ASPA, which are outside the scope of ROAs.
  • Enhance routing security: the more operators publish ROAs for their prefixes and drop "Invalid" routes on their borders, the smaller the footprint a hijack can reach, which strengthens the overall resilience of the routing system.

The implementation of ROA is a crucial measure for enhancing the security of global routing, enabling network operators to differentiate between authentic route announcements and those that may be harmful or incorrect.


How Does ROA Work?

The process of creating, validating, and maintaining ROAs involves several steps:

  1. Creation of a ROA Record: The holder of an IP prefix obtains RPKI resource certificates through their Regional Internet Registry (RIR), such as ARIN, RIPE NCC, APNIC, LACNIC, or AFRINIC, either in the RIR's hosted RPKI portal or by running a delegated CA. A ROA specifies the following:
    • IP Prefix: The prefix for which the authorization holds. One ROA may list several prefixes, all for the same origin AS.
    • Origin AS Number: The single AS number authorized to originate those prefixes. To authorize a second AS (for example for multi-homing), the holder creates a second ROA.
    • Maximum Length: Optional; the longest prefix length the AS may originate from within the listed prefix, so that subnets need not each get their own ROA. This flexibility has a cost: any AS that forges the authorized origin AS at the end of its AS_PATH can announce more-specifics that the holder never announces, and they will validate as "Valid" up to the maximum length. RFC 9319 therefore recommends setting the maximum length equal to the prefix length actually announced and creating a ROA per announced prefix.

After creation, the ROA is signed under the holder's RPKI certificate and published in an RPKI repository.

  2. Publication and Distribution: The signed ROA is published in a public RPKI repository, either one hosted by the RIR or one run by the holder. The repository itself is not a trust anchor: each RIR operates a trust anchor (TA) whose certificate relying parties fetch through a Trust Anchor Locator (TAL), and every ROA is only accepted if its certificate chain validates up to that TA. Relying-party validator software (for example Routinator, rpki-client or FORT) periodically fetches all repositories over rsync or RRDP, performs that cryptographic validation, and outputs the resulting set of Validated ROA Payloads (VRPs), each being a prefix, a maximum length and an origin AS.
  3. Validation of ROAs in Routing Decisions: Routers do not query repositories directly. They receive the VRP set from a validator over the RPKI-to-Router protocol (RTR, RFC 8210) and compare each BGP route against it. For every received route, the router checks (RFC 6811):
    • Whether any VRP covers the announced prefix, that is, whether the prefix is equal to or a subnet of the VRP prefix.
    • Whether one of those covering VRPs lists the route's origin AS, the last AS in the AS_PATH.
    • Whether the announced prefix length is no longer than that VRP's maximum length.

The route announcement is assessed according to these criteria. If at least one covering VRP matches both the origin AS and the prefix length, the route is "Valid". If VRPs cover the prefix but none of them matches, the route is "Invalid". If no VRP covers the prefix at all, the route is "NotFound" (displayed as "unknown" on some platforms). Network operators use this state in their routing policy: the common practice is to reject "Invalid" routes at the border and to accept "Valid" and "NotFound" routes, since a large share of prefixes still have no ROA, optionally giving "Valid" routes a higher local preference. Because only the origin AS is examined, ROV says nothing about the rest of the path.
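The creation step and the three validation checks above, carried through end to end as an added example (this is illustrative code, not code from LARUS, an RIR or any validator). It builds a small set of ROAs the way a prefix holder would enter them in an RIR portal, then applies the RFC 6811 decision to constructed announcements, including a forged-origin more-specific that slips through because of a liberal maximum length. All AS numbers (AS64496 to AS64511) and prefixes (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 2001:db8::/32) are documentation ranges and the announcements are constructed.

```python
"""Route Origin Validation (RFC 6811) against a constructed set of ROAs.

Added illustrative example, not code from LARUS or any RIR or validator.
All ROAs, AS numbers and announcements are constructed from documentation
ranges (AS64496-64511, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24,
2001:db8::/32).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Dict, List, Optional, Sequence, Union

Net = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ROA:
    """A validated ROA payload (VRP): prefix, maxLength and the authorized origin AS."""
    prefix: Net
    max_length: int
    origin_as: int

    def __post_init__(self) -> None:
        # maxLength must lie between the ROA prefix length and the family maximum (32 or 128).
        if not self.prefix.prefixlen <= self.max_length <= self.prefix.max_prefixlen:
            raise ValueError(f"bad maxLength {self.max_length} for {self.prefix}")


def make_roa(prefix: str, origin_as: int, max_length: Optional[int] = None) -> ROA:
    """Build a ROA. Without maxLength the holder authorizes only the exact prefix."""
    net = ip_network(prefix, strict=True)
    return ROA(net, net.prefixlen if max_length is None else max_length, origin_as)


def covers(roa: ROA, route: Net) -> bool:
    """A VRP covers a route when the route sits inside the VRP prefix (same address family)."""
    return route.version == roa.prefix.version and route.subnet_of(roa.prefix)


def matches(roa: ROA, route: Net, origin_as: int) -> bool:
    """RFC 6811 match: covering VRP, route length <= maxLength, and equal origin AS."""
    return covers(roa, route) and route.prefixlen <= roa.max_length and origin_as == roa.origin_as


def validate(roas: Sequence[ROA], prefix: str, as_path: List[int]) -> str:
    """Return the ROV state ('Valid', 'Invalid' or 'NotFound') of one BGP route.

    Only the origin AS (last element of AS_PATH) is examined; the rest of the
    path is ignored, which is why ROV cannot detect route leaks or forged origins.
    """
    route = ip_network(prefix, strict=True)
    origin = as_path[-1]
    covering = [r for r in roas if covers(r, route)]
    if not covering:
        return "NotFound"  # RFC 6811 term; shown as 'unknown' on some platforms
    if any(matches(r, route, origin) for r in covering):
        return "Valid"
    return "Invalid"  # covered by ROAs, but none authorizes this origin/length


# Constructed ROA set, as a prefix holder might publish through an RIR portal.
ROAS = [
    make_roa("192.0.2.0/24", 64496),                    # exact /24 only, one origin
    make_roa("198.51.100.0/24", 64497, max_length=26),  # AS64497 may announce /24 to /26
    make_roa("198.51.100.0/24", 64498),                 # second origin (multi-homing), /24 only
    make_roa("2001:db8::/32", 64496, max_length=48),    # IPv6, /32 to /48
]


def demo() -> Dict[str, str]:
    """Evaluate constructed announcements; AS_PATH is [transit..., origin]."""
    return {
        "exact": validate(ROAS, "192.0.2.0/24", [64500, 64496]),                 # Valid
        "wrong_origin": validate(ROAS, "192.0.2.0/24", [64500, 64511]),          # Invalid
        "too_specific": validate(ROAS, "192.0.2.0/25", [64500, 64496]),          # Invalid
        "within_maxlen": validate(ROAS, "198.51.100.64/26", [64500, 64497]),     # Valid
        "second_origin": validate(ROAS, "198.51.100.0/24", [64500, 64498]),      # Valid
        "second_origin_sub": validate(ROAS, "198.51.100.0/25", [64500, 64498]),  # Invalid
        "no_roa": validate(ROAS, "203.0.113.0/24", [64500, 64511]),              # NotFound
        "v6_within": validate(ROAS, "2001:db8:1::/48", [64500, 64496]),          # Valid
        "v6_too_long": validate(ROAS, "2001:db8::/64", [64500, 64496]),          # Invalid
        # Forged origin: AS64511 appends the authorized AS64497 to its path and announces
        # a /26 the holder never announces; the liberal maxLength makes it Valid.
        "forged_origin": validate(ROAS, "198.51.100.0/26", [64511, 64497]),      # Valid
    }


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:18s} {state}")
```

The last case is the practical argument for RFC 9319: had the holder registered 198.51.100.0/24 with no maximum length, the forged /26 would have been "Invalid" and dropped by every validating network, while the holder's own /24 would still be "Valid".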


Conclusion

ROAs give BGP something it never had by itself: a cryptographically verifiable statement of which AS may originate a prefix. Publishing ROAs for every prefix you hold, keeping their maximum length tight, and rejecting "Invalid" routes on your own borders are the concrete steps that turn that statement into protection against hijacks. What ROAs do not do is validate the rest of the AS path, so route leaks remain a separate problem to address with other tools.

Contact LARUS

Get production IPv4 from a team that understands the risk layer.

Send your block size, deployment profile, ASN context, timing, or seller inquiry. LARUS will reply with a practical next step.

Same-working-day commercial response target.
