This is an Experimental Service

RPKI-ROA Visualizer

Understand RPKI Validation Logic Step-by-Step

Development supported in part by the National Science Foundation (OAC-2530871).

Configuration

RPKI-ROA

BGP Route

Tip: Try changing the Route Prefix to a longer subnet (e.g. /25) to trigger an Invalid MaxLength, or change the ASN to trigger an Origin Mismatch.
Step 1: Coverage Check (Does the ROA apply to the Route)
PENDING

Why do we check this?

The ROA must be a "supernet" (or exact match) of the Route. We compare the binary bits of the Route against the ROA's prefix. If the Route is not contained within the ROA's IP block, the ROA simply doesn't apply (Status: Not Found).

Checking if ROA prefix bits match Route bits...
Step 2: Length Check (Is the route shorter or equal to the MaxLength)
PENDING

Why do we check this?

The ROA specifies a maxLength. If the ROA covers the route (see Step 1), maxLength controls how specific the announcement can be. If the Route's prefix length (CIDR mask) is longer than the ROA's MaxLength, the route is INVALID.

Checking if Route Length ≤ ROA MaxLength...
Show all valid prefixes allowed by this ROA
Step 3: Origin ASN Check (Is the route's origin the same as the ROA's)
PENDING

Why do we check this?

Finally, if the ROA covers the route (Step 1) and the route is not longer than MaxLength (Step 2) we verify that the Autonomous System (AS) originating the route is the one authorized in the ROA. If the ASN doesn't match, the route is INVALID (Origin Mismatch).

Checking if Route ASN matches ROA ASN...
Waiting...