RPKI Overview Tutorial
The following tutorial shows how routes are published from the left side of the diagram and either accepted or rejected by a receiver on the right.
Interactive Demonstration
Allocate A New IP Allocation / Resource
Create A New ROA
Add A New Route
Introduction
Welcome to the RPKI Simulator
On this screen, you'll find a simple network diagram. You can use it to simulate the basics of how the RPKI system works. Try these steps to get started:
- Create a new Route Origin Authorization (a ROA) for a given network block (say "10.0.0.0") with a minimum and maximum route length you want your ISP to be able to advertise. Try, for example, using a minimum length of 12 and a maximum of 16.
- Create a new route for your network, such as "10.0.0.0/14", and watch it propagate and become valid at the distant ISP.
- Create a route that doesn't match the ROA properties, such as a length which is too long (try "10.0.0.0/24"). Note how it becomes invalid.
- Add more ROAs and routes and notice their effects.
Have fun!
How do we secure routes with RPKI?
RPKI Pieces
Let's talk about the basics of the RPKI:
- Border Gateway Protocol (BGP): The internet protocol that lets ASes advertise routes.
- Autonomous System (AS): A unique numeric identifier given to ISPs.
- Route Origin Authorization (a ROA): A cryptographically signed object that authorizes a given Autonomous System (AS) to advertise a network prefix.
Anyone can send routes for any address block to the internet. ROAs let organizations authorize who is allowed to send routes.
Route Validation States
When an ISP validates a route against its cache of ROAs, it will put the route into one of three categories:
- Unknown: There were no ROAs that covered the address space in the route. In our tutorial screens, Unknown routes will be shown in orange.
- Valid: A ROA was found covering the address space, and the route met the requirements. In our tutorial screens, Valid routes will be shown in green.
- Invalid: A ROA was found covering the address space, but the received route did not match it. In our tutorial screens, Invalid routes will be shown in red.
ISPs can use these three states to make decisions, such as whether to accept a route or not.
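The three states can be reproduced in a few lines of code. The following is an added example, not the simulator's own code: it follows the route origin validation procedure of RFC 6811, which goes beyond the tutorial steps by also checking the origin AS. It assumes the simulator's "minimum length" is the length of the ROA prefix itself, and the AS numbers (64500, 64501) and the ROA list are constructed sample values.

```python
import ipaddress
from typing import NamedTuple, Sequence


class ROA(NamedTuple):
    prefix: str      # authorized block; its length acts as the minimum route length
    max_length: int  # longest prefix length the origin may advertise
    asn: int         # AS authorized to originate routes inside the block


def validate(route: str, origin_asn: int, roas: Sequence[ROA]) -> str:
    """Classify one received route as 'valid', 'invalid' or 'unknown'."""
    net = ipaddress.ip_network(route, strict=True)
    covered = False
    for roa in roas:
        block = ipaddress.ip_network(roa.prefix, strict=True)
        # A ROA covers the route only if the route lies inside the ROA prefix.
        if net.version != block.version or not net.subnet_of(block):
            continue
        covered = True
        # Covered routes must also respect max_length and the authorized origin.
        if net.prefixlen <= roa.max_length and origin_asn == roa.asn:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    # Covered by no ROA at all: unknown.
    return "invalid" if covered else "unknown"


# Constructed sample cache: the tutorial's ROA (lengths 12 to 16) for AS 64500.
ROAS = [ROA("10.0.0.0/12", 16, 64500)]

if __name__ == "__main__":
    samples = [
        ("10.0.0.0/14", 64500),   # inside the ROA, length within 12..16
        ("10.0.0.0/24", 64500),   # inside the ROA, but longer than max_length
        ("10.0.0.0/14", 64501),   # right prefix, unauthorized origin AS
        ("192.0.2.0/24", 64500),  # no ROA covers this address space
        ("10.0.0.0/8", 64500),    # shorter than the ROA prefix, so not covered
    ]
    for prefix, asn in samples:
        print(f"{prefix:<15} AS{asn}  {validate(prefix, asn, ROAS)}")
```

A route that is less specific than the ROA prefix (the /8 above) is not covered by that ROA under RFC 6811, so it is classified as unknown rather than invalid.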