RPKI in Practice: Securing Your BGP Routes Against Hijacking in 2026

via Dev.to DevOps, Young Gao

BGP was designed in 1989 with an implicit assumption: every network operator is trustworthy. That assumption hasn't aged well. Route hijacking — where someone announces your prefixes as their own — remains one of the Internet's most persistent security problems. RPKI (Resource Public Key Infrastructure) fixes this by cryptographically binding IP prefixes to the ASNs authorized to originate them. If you operate your own AS, deploying RPKI is no longer optional — it's table stakes.

How RPKI Works

The chain of trust starts at the five Regional Internet Registries (RIRs): ARIN, RIPE NCC, APNIC, AFRINIC, and LACNIC. Each RIR operates a Certificate Authority (CA) that issues certificates to resource holders.

    RIR (Trust Anchor)
    └── LIR / Resource Holder (Certificate)
        └── ROA (Route Origin Authorization)
            └── "AS215000 is authorized to announce 2001:db8:abcd::/48"

When you create a ROA, you're signing a statement: "This ASN is allowed
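What a verified ROA lets a router decide, shown as an added example (not code from the original article): route origin validation following RFC 6811, which classifies an announcement as valid, invalid or not-found. The `VRP` type, the sample table and the max length of 48 are assumptions constructed here; only AS215000 and 2001:db8:abcd::/48 come from the excerpt.

```python
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """Validated ROA Payload: one (prefix, maxLength, origin ASN) tuple from a verified ROA."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample table. The first entry mirrors the ROA in the excerpt;
# its max length of 48 is an assumption, the excerpt does not state one.
VRPS = [
    VRP("2001:db8:abcd::/48", 48, 215000),
    VRP("192.0.2.0/24", 24, 64500),  # documentation prefix and ASN
]


def validate_origin(route_prefix: str, origin_asn: int, vrps=VRPS) -> str:
    """Classify a BGP announcement per RFC 6811: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        # A VRP covers the route when the route equals the ROA prefix or is a
        # more specific of it (same address family required).
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # A match also needs the same origin AS and a prefix length no longer
        # than maxLength. AS0 never matches any route.
        if vrp.asn != 0 and vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"
    # Covered by at least one VRP but matched by none: wrong origin or too specific.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    # Constructed announcements: legitimate origin, foreign origin, over-specific, unknown.
    for prefix, asn in [
        ("2001:db8:abcd::/48", 215000),
        ("2001:db8:abcd::/48", 64511),
        ("2001:db8:abcd:1::/64", 215000),
        ("2001:db8:ffff::/48", 215000),
    ]:
        print(f"{prefix} from AS{asn}: {validate_origin(prefix, asn)}")
```

An invalid result for a covered prefix announced by an unexpected origin is the hijack case described above; the function works on already-verified payloads and does not perform the certificate-chain validation itself.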
