About the RPKI-ROA Visualizer
This experimental tool helps you understand and visualize how RPKI Route Origin Validation (ROV) works in BGP.
What is RPKI / ROV?
RPKI (Resource Public Key Infrastructure) is a security framework that helps prevent BGP route hijacks and mis-originations. The core building block is a Route Origin Authorization (ROA):
- A ROA is a cryptographically signed statement saying:
  “ASxxxx is allowed to announce this prefix (or more-specific prefixes up to a certain length).”
- Each ROA contains: ASN, prefix, and maxLength
When a router receives a BGP announcement, it can perform Route Origin Validation (ROV) and classify the route as one of three states:
| State | Meaning |
| --- | --- |
| VALID | The announcement is covered by ≥1 ROA and the ASN matches and the prefix length ≤ maxLength. |
| INVALID | A ROA covers the prefix, but either the ASN is wrong or the announced prefix is too specific (longer than maxLength). |
| NOT FOUND / UNKNOWN | No ROA covers the prefix at all (most conservative / safest treatment in many networks). |
What this tool shows
Paste one or more ROAs and a BGP route announcement, then click Evaluate Route Validation. The tool walks you through:
- Coverage Check — bit-by-bit binary comparison of the prefix in each ROA against the announced route prefix.
  → Green highlights = matching bits
  → Only ROAs that cover the route (the route's prefix length is longer than or equal to the ROA's, and all ROA prefix bits match) are considered further.
- Validation Evaluation — for each covering ROA, check:
  • Is the announced prefix length ≤ maxLength?
  • Does the Origin AS match?
  → If both are yes → contributes to VALID result
- Final Verdict — based on real ROV logic (RFC 6811 / RFC 6483):
  - VALID — at least one ROA fully matches
  - INVALID — at least one ROA covers the prefix, but no ROA fully matches
  - NOT FOUND — no ROA covers the prefix at all
Input format tips
- Multiple prefixes per ASN:
  65001 2001:db8::/32 48, 2001:db8:cafe::/48 64
- Max length is optional — defaults to prefix length if omitted
- Supports both IPv4 and IPv6 (but all ROAs + route must be same address family)
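The three evaluation steps and the input format above, written out as an added Python example (not the visualizer's own code). The function names `parse_roas`, `covers` and `validate` and the sample ROAs are assumptions made for illustration, and coverage is computed with `ipaddress` prefix containment rather than the tool's bit-by-bit display.

```python
import ipaddress

def parse_roas(text):
    """Parse lines of 'ASN prefix [maxLength], prefix [maxLength], ...'."""
    roas = []
    for line in text.strip().splitlines():
        asn, rest = line.split(None, 1)
        for entry in rest.split(","):
            fields = entry.split()
            net = ipaddress.ip_network(fields[0], strict=True)
            # maxLength is optional and defaults to the ROA prefix length.
            max_len = int(fields[1]) if len(fields) > 1 else net.prefixlen
            if not net.prefixlen <= max_len <= net.max_prefixlen:
                raise ValueError(f"maxLength out of range in {entry.strip()!r}")
            roas.append((int(asn), net, max_len))
    return roas

def covers(roa_net, route):
    """Coverage: same family, ROA prefix no longer than the route's, all ROA bits match."""
    return roa_net.version == route.version and route.subnet_of(roa_net)

def validate(roas, route_prefix, origin_asn):
    """Return VALID, INVALID or NOT FOUND for one announcement."""
    route = ipaddress.ip_network(route_prefix, strict=True)
    covering = [roa for roa in roas if covers(roa[1], route)]
    if not covering:
        return "NOT FOUND"
    for asn, _net, max_len in covering:
        # One fully matching ROA is enough for VALID.
        if asn == origin_asn and route.prefixlen <= max_len:
            return "VALID"
    # Covered, but every covering ROA failed on ASN or maxLength.
    return "INVALID"

# Constructed sample ROAs (documentation prefixes, private-use ASNs).
SAMPLE_ROAS = parse_roas("""
65001 2001:db8::/32 48, 2001:db8:cafe::/48 64
65002 2001:db8:beef::/48
""")

if __name__ == "__main__":
    for prefix, asn in [("2001:db8:1::/48", 65001), ("2001:db8:1:2::/64", 65001),
                        ("2001:db8:beef::/56", 65002), ("2001:db9::/32", 65001)]:
        print(prefix, asn, validate(SAMPLE_ROAS, prefix, asn))
```

The `2001:db8:beef::/56` case is INVALID for AS65002 because its ROA omits maxLength, so only the exact /48 is authorized.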
This is an educational visualization — it performs a simplified but standards-compliant simulation of origin validation. It does not fetch real-time ROAs from the global RPKI repositories.
Development supported in part by the National Science Foundation (OAC-2530871).

