Resource Public Key Infrastructure (RPKI)

Improve the security and resilience of the Internet’s global routing system


RPKI validation within Orange

Because we want to improve the security and resilience of the Internet's global routing system, we activate RPKI validation and filtering on every IP Transit service link and every Peering session with the AS 5511 network.

Important information for IP Transit customers

You will be contacted by our operational teams before we intervene on the BGP sessions between your network and Orange's AS 5511.

If you have already created ROAs for your network's IP space, do not hesitate to double-check their consistency with your BGP advertisements: an advertisement whose origin AS or prefix length does not match your ROAs is classified Invalid and will be discarded on our sessions. If you have not created ROAs yet, we encourage you to do so in order to better protect the Internet.

IP Transit Blackhole options (On Demand Blackhole or Remotely Triggered Blackhole) are not impacted by the RPKI deployment in our network.

What is Resource Public Key Infrastructure (RPKI)?

The Internet today has developed into a worldwide network. People and companies rely on it for their day-to-day communication, from shopping and entertainment to business-critical applications. As more services converge onto IP transport, the reliability and performance of IP transit have become extremely important objectives for Internet subscribers, Internet Service Providers (ISPs), and content and cloud service providers.


While IP carries the traffic, the Border Gateway Protocol (BGP), an essential component of IP Transit, determines the path that IP packets take. BGP is a standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems (AS) on the Internet. BGP builds and maintains the Internet routing table; however, by itself it cannot validate the routing information it receives.

RPKI is an IETF standard framework providing an out-of-band system to validate the origin of BGP routes advertised by the networks constituting the Internet. RPKI is one of the actions identified by the Mutually Agreed Norms for Routing Security (MANRS) global initiative in order to:

  • Improve the security and resilience of the Internet's global routing system.
  • Reduce the risk of accidental BGP routing incidents (for example a prefix mistakenly originated from the wrong AS).
  • Prevent malicious IP resource hijacks.

How does RPKI work?

RPKI relies on cryptographically signed public information. Holders of IP address space create digitally signed objects, called Route Origin Authorizations (ROAs), stating which autonomous system (AS) is authorized to originate a given BGP prefix. ROAs are published in the Regional Internet Registries' RPKI repositories, where anyone can fetch them and verify their signatures. Each ROA carries the following information: the authorized Autonomous System, the prefix, and the Maximum Length (the most specific prefix that AS may advertise under the ROA).

[Diagram: RIRs, RPKI and ROAs]

Routers then perform a task called Route Origin Validation (ROV). An RPKI validator fetches the ROAs from the repositories, checks their signatures, and passes the resulting validated ROA payloads (prefix, maximum length, origin AS) to the routers, typically over the RPKI-to-Router (RTR) protocol. Each router then compares every BGP prefix advertisement it receives against the covering ROA data (if any).

[Diagram: how RPKI works]

The ROV task yields one of three statuses, on which routers base their decision about the given BGP prefix:

  • Valid: the received BGP prefix is covered by at least one ROA, and at least one covering ROA matches the advertisement (same origin AS, and the advertised prefix is no longer than the ROA's Maximum Length).
  • Invalid: the received BGP prefix is covered by one or more ROAs, but none of them matches the advertisement. Routers discard BGP prefixes with an INVALID ROV status; such a prefix does not enter the Internet routing table. Two situations produce this status:

    Case 1: the AS that advertises the BGP prefix does not correspond to the AS authorized by the covering ROA. This could be a hijacking attempt.

    BGP prefix                             Covering ROA
    ASN: 65003; Prefix: 192.168.1.0/24     ASN: 65020; Prefix: 192.168.1.0/24; Max Length: /26

    Case 2: the BGP prefix is more specific (longer) than the Maximum Length allowed by a ROA that matches the prefix and the AS.

    BGP prefix                             Covering ROA
    ASN: 65003; Prefix: 192.168.1.0/24     ASN: 65003; Prefix: 192.168.0.0/22; Max Length: /22

  • Unknown: the received BGP prefix is not covered by any existing ROA (RFC 6811 calls this state NotFound). Such prefixes are neither confirmed nor contradicted by RPKI data.
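The ROV decision described above, reduced to code. This is an added example written for this page, not Orange's or any router vendor's implementation: it applies the RFC 6811 comparison to a constructed list of validated ROA payloads (VRPs) built from the two Invalid cases in the tables (with the names VRP, vrp, validate, audit and the sample prefixes as assumptions), and also covers the Valid and Unknown outcomes and an IPv6 announcement that no ROA covers.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Added example (not Orange's code): Route Origin Validation as specified in
# RFC 6811, run over a constructed set of validated ROA payloads (VRPs). A VRP
# is what a router receives from an RPKI validator: the ROA's prefix, its
# maximum length and the origin AS it authorizes.


@dataclass(frozen=True)
class VRP:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int


def vrp(prefix: str, max_length: int, asn: int) -> VRP:
    # strict=True rejects prefixes with host bits set (e.g. 192.168.1.0/22):
    # a ROA must name a proper network.
    return VRP(ipaddress.ip_network(prefix, strict=True), max_length, asn)


def validate(prefix: str, origin_asn: int, vrps: list[VRP]) -> str:
    """Classify one BGP announcement as 'Valid', 'Invalid' or 'Unknown'."""
    route = ipaddress.ip_network(prefix, strict=True)
    # A VRP covers the route when it is the same address family and the
    # announced prefix lies inside the ROA prefix (equal or more specific).
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return "Unknown"          # RFC 6811 calls this state NotFound
    # Valid as soon as one covering VRP authorizes this origin AS for a prefix
    # no longer than its maximum length; otherwise every covering VRP
    # contradicts the announcement and it is Invalid.
    for v in covering:
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "Valid"
    return "Invalid"


def audit(announcements: list[tuple[str, int]], vrps: list[VRP]) -> dict[str, str]:
    """Check a network's own advertisements (prefix, origin AS) against the
    published ROAs, as IP Transit customers are advised to do above."""
    return {p: validate(p, asn, vrps) for p, asn in announcements}


# Constructed VRPs reproducing the page's two Invalid cases.
ROAS_CASE1 = [vrp("192.168.1.0/24", 26, 65020)]   # wrong origin AS
ROAS_CASE2 = [vrp("192.168.0.0/22", 22, 65003)]   # max length exceeded

if __name__ == "__main__":
    for label, pfx, asn, roas in [
        ("case 1, unauthorized origin", "192.168.1.0/24", 65003, ROAS_CASE1),
        ("case 1, authorized origin", "192.168.1.0/24", 65020, ROAS_CASE1),
        ("case 1, /27 beyond max length /26", "192.168.1.0/27", 65020, ROAS_CASE1),
        ("case 2, /24 beyond max length /22", "192.168.1.0/24", 65003, ROAS_CASE2),
        ("case 2, aggregate /22", "192.168.0.0/22", 65003, ROAS_CASE2),
        ("no covering ROA", "10.0.0.0/8", 65003, ROAS_CASE1),
        ("no covering ROA (IPv6)", "2001:db8::/32", 65003, ROAS_CASE1),
    ]:
        print(f"{label:36} {pfx:18} AS{asn}: {validate(pfx, asn, roas)}")
```

Two points the tables do not spell out. First, the Case 1 ROA allows a Maximum Length of /26 for a /24: any announcement of a /25 or /26 from AS 65020 under it is Valid, so an attacker who can forge the origin AS in the AS path can announce a more specific that passes ROV. Unless you really advertise the more specifics, set the Maximum Length equal to the prefix you announce (the advice in RFC 9319). Second, an Unknown prefix is not rejected by ROV; only Invalid announcements are dropped, which is why creating ROAs is what turns the protection on for your own space.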

Further information on RPKI and the BGP routing protocol

Feel free to check the following documentation for further information about RPKI and BGP routing matters:

 

 

Our customers' testimonials

Jérôme Fleury
Director of Network Engineering at Cloudflare

“I'm very pleased to hear that RPKI origin validation is now fully deployed in your network, and that, thanks to you, the internet routing table is now even more secure. You are clearly demonstrating leadership among the international providers. We're very happy to be one of your Partners!”