RPKI and ROA: Securing Your IPv4 Address Space After Purchase
After purchasing IPv4 addresses, protecting them from hijacking should be your immediate priority. RPKI (Resource Public Key Infrastructure) and ROAs (Route Origin Authorizations) are the standard tools for securing BGP routing—and they’re straightforward to set up.
Understanding RPKI and ROAs
RPKI is a cryptographic framework that adds a layer of verification to BGP routing. At its core, it answers a simple question: “Is this network actually authorized to announce this IP prefix?”
A ROA is the mechanism that provides the answer. When you create a ROA, you’re cryptographically signing a statement that says “AS 12345 is authorized to announce 192.0.2.0/24.” Networks that validate RPKI will check incoming BGP announcements against published ROAs. If the announcement doesn’t match a valid ROA, it gets rejected or deprioritized.
This matters because BGP was designed in an era of implicit trust. Without RPKI, there’s nothing stopping someone from announcing your prefix and intercepting traffic destined for your network.
Why This Matters After Purchase
When you buy an IPv4 block and complete the RIR transfer, you become the new registry holder—but that doesn’t automatically protect your BGP announcements. The previous owner’s ROA (if they had one) will no longer be valid, and you need to establish your own.
RPKI adoption has grown substantially. Major networks including Google, Amazon, and most large ISPs now validate routes. If you announce a prefix without a valid ROA in 2023, validating networks classify the route as RPKI Unknown rather than Valid; some will still accept it, but your reach is already reduced compared to properly secured prefixes.
For buyers, setting up RPKI is part of taking full ownership. Our buying guide covers the acquisition process; RPKI setup is what comes immediately after.
Setting Up Your ROA
The process is straightforward and handled through your RIR:
1. Gather your details. You need the prefix you’re securing (e.g., 192.0.2.0/24) and the ASN that will announce it. If you’re using a hosting provider to announce on your behalf, use their ASN.
2. Access your RIR portal. Log in to ARIN, RIPE NCC, APNIC, LACNIC, or AFRINIC—whichever holds your registration.
3. Create the ROA. Navigate to the RPKI section and add a new ROA. Specify your prefix, the maximum prefix length you’ll announce, and the authorized ASN. Keep the maximum length equal to the length you actually announce; a looser maximum length authorizes more-specific announcements you do not make.
4. Verify publication. Use tools like RIPE’s RPKI Validator or Cloudflare’s RPKI Portal to confirm your ROA is visible and valid.
Coordinating During Transfer
RPKI handover should be part of your transfer checklist. Work with the seller to time the transition:
- The seller invalidates or removes their existing ROA
- You create your new ROA before announcing the prefix
- Both parties verify the new ROA is propagated before completing BGP changes
A gap between ROAs creates a window where your prefix has no RPKI coverage. While most networks will still accept RPKI Unknown routes, it’s better practice to maintain continuous coverage.
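The validation that networks perform (described under “Understanding RPKI and ROAs”) and the coverage gap during a transfer can be checked with the standard Route Origin Validation logic from RFC 6811. The following is an added example, not code from the original article or from any RIR tool; it uses the article’s prefix 192.0.2.0/24 and AS 12345, and the hijacker ASN 64496 and the second prefix 198.51.100.0/24 are constructed sample values.

```python
# Route Origin Validation (RFC 6811) over a set of Validated ROA Payloads (VRPs).
# A VRP is what a validator extracts from a published ROA: prefix, maxLength, ASN.
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class VRP:
    prefix: str       # ROA prefix, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the ROA authorizes
    asn: int          # origin AS authorized to announce it


def covers(vrp: VRP, announced) -> bool:
    """A VRP covers a route if the announced prefix is equal to or more
    specific than the ROA prefix. maxLength is NOT considered here."""
    roa = ip_network(vrp.prefix)
    return announced.version == roa.version and announced.subnet_of(roa)


def matches(vrp: VRP, announced, origin_asn: int) -> bool:
    """A VRP matches a route if it covers it, the origin AS is the authorized
    one, and the announced length does not exceed maxLength."""
    return (covers(vrp, announced)
            and vrp.asn == origin_asn
            and announced.prefixlen <= vrp.max_length)


def validate(vrps, prefix: str, origin_asn: int) -> str:
    """Return 'valid', 'invalid' or 'notfound' (RPKI Unknown) for a route."""
    announced = ip_network(prefix)
    covering = [v for v in vrps if covers(v, announced)]
    if not covering:
        return "notfound"   # no ROA says anything about this space
    if any(matches(v, announced, origin_asn) for v in covering):
        return "valid"
    return "invalid"        # covered by a ROA, but wrong origin or too specific


# Constructed VRP set: the ROA the buyer publishes after the transfer.
VRPS = [VRP("192.0.2.0/24", 24, 12345)]

if __name__ == "__main__":
    print(validate(VRPS, "192.0.2.0/24", 12345))      # valid: legitimate announcement
    print(validate(VRPS, "192.0.2.0/24", 64496))      # invalid: another AS announces the prefix
    print(validate(VRPS, "192.0.2.0/25", 12345))      # invalid: longer than maxLength 24
    print(validate(VRPS, "198.51.100.0/24", 12345))   # notfound: no ROA covers this prefix
    print(validate([], "192.0.2.0/24", 12345))        # notfound: the gap between seller and buyer ROAs
```

The last case is the transfer window the article warns about: with the seller’s ROA gone and yours not yet published, the route is merely Unknown, so nothing stops a competing announcement from also validating as Unknown.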
Next Steps
If you’ve recently acquired IPv4 addresses:
- Check current RPKI status. Use a validator to see if any ROAs exist for your prefix.
- Create your ROA. Log in to your RIR and set up the authorization.
- Document your setup. Record the ROA details alongside your other network documentation.
- Monitor continuously. Set up alerts for ROA expiration or unexpected validation changes.
RPKI and ROAs are the foundation of modern routing security. Setting them up takes minutes and provides ongoing protection against one of the internet’s oldest vulnerabilities.