kentik Kentik Product Updates logo
Back to Homepage Subscribe to Updates

Kentik Product Updates

Latest features, improvements, and product updates on the Kentik Network Intelligence Platform.

Labels

  • All Posts
  • Improvement
  • Hybrid Cloud
  • Core
  • Service Provider
  • UI/UX
  • Synthetics
  • Insights & Alerting
  • DDoS
  • New feature
  • BGP Monitoring
  • MyKentik Portal
  • Agents & Binaries
  • Kentik Map
  • API
  • BETA
  • Flow
  • SNMP
  • NMS
  • AI

Jump to Month

  • June 2025
  • May 2025
  • April 2025
  • March 2025
  • February 2025
  • January 2025
  • December 2024
  • November 2024
  • October 2024
  • August 2024
  • July 2024
  • June 2024
  • May 2024
  • April 2024
  • March 2024
  • February 2024
  • January 2024
  • December 2023
  • November 2023
  • October 2023
  • September 2023
  • August 2023
  • July 2023
  • June 2023
  • May 2023
  • April 2023
  • March 2023
  • February 2023
  • January 2023
  • December 2022
  • November 2022
  • October 2022
  • September 2022
  • August 2022
  • July 2022
  • June 2022
  • May 2022
  • April 2022
  • March 2022
  • February 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • July 2021
  • June 2021
  • May 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • October 2020
  • September 2020
  • June 2020
  • February 2020
  • August 2019
  • June 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • December 2018
  • November 2018
  • September 2018
  • August 2018
  • June 2018
  • May 2018
  • April 2018
  • March 2018
  • February 2018
  • January 2018
  • December 2017
  • November 2017
  • October 2017
  • July 2017
  • June 2017
  • May 2017
  • April 2017
  • March 2017
  • February 2017
  • January 2017
  • December 2016
  • November 2016
  • October 2016
  • April 2016
New featureBGP Monitoring
6 years ago

RPKI Dimension

BGP is the routing protocol that makes the internet work—it is the language spoken by routers on the Internet to determine how packets can be sent from one router to another to reach their final destination.

However, route leaks and hijacks happen semi-frequently and usually result in part of the internet being unreachable.

An improved routing security mechanism is needed to make the Internet routing world safer. Enter RPKI…


Resource Public Key Infrastructure (RPKI), defined by RFC6480, is a cryptographic method that was designed to sign BGP route prefix announcements with the originating AS number. One way to think about what RPKI: RPKI is to BGP is what DNSSEC is to DNS. It offers a way to validate the origination of BGP prefixes against an official, signed list of prefixes by origin ASN.

Kentik has now integrated RPKI support via new dimensions, to allow users to precisely determine what would happen to the existing network traffic if they were to turn on RPKI validation on their networking equipment.


More details about these dimensions:

RPKI Validation Status: Contains the full RPKI state for a given flow, including the values shown in the table below:

RPKI Validation StatusValue Description
RPKI UnknownNo Route Origin Authorization (ROA) has been found to associate with the routes being analyzed.
RPKI ValidThere is a valid Route Origin Authorization (ROA) found for that destination prefix, and the BGP announcements for it are announced by the correct, authorized ASN.
RPKI Invalid
  • Valid covering prefix
  • Unknown covering prefix
The validation state of the prefix is invalid, but there is a larger supernet or covering route that is RPKI Valid or RPKI Unknown that would be used to forward traffic to the destination prefix.
Prefix length out of boundsTraffic under this label will be dropped in case of strict route validation.
Incorrect Origin ASNThe preferred BGP route for a specific prefix isn’t originated by the ASN specified by the ROA.
Explicit ASN 0The RPKI standard allows statically defining prefixes that shouldn’t at all be trusted. A Route Origin Authorization (ROA) with ASN = 0 means that any traffic coming from that prefix and all the prefixes contained in it as per maxLength will be considered explicitly invalid.

RPKI Quick Status: Tells how traffic is going to behave globally by aggregating the RPKI validation Statuses. See the table below:

RPKI Quick StatusCorresponding RPKI Validation StatusRoute Validation Behavior
RPKI UnknownRPKI UnknownWill be forwarded
RPKI ValidRPKI ValidWill be forwarded
RPKI Invalid - Covering Valid/Unknown
  • RPKI Invalid - Valid Covering Prefix
  • RPKI Invalid - Unknown Covering Prefix
Will be forwarded
RPKI Invalid - Will be dropped
  • RPKI Invalid - Prefix Length Out of Bounds
  • RPKI Invalid - Incorrect Origin ASN
  • RPKI Invalid - Explicit ASN 0
Will be dropped
Empty valueEmpty valueUndetermined behavior:
  • The prefix may be in a static route
  • The prefix may be a /32 or /31
  • No AS_Path info available

Furthermore, using RPKI dimensions with multiple other dimensions can provide a very detailed picture of potentially invalid or malicious traffic, to help network operators make informed decisions about turning on/off RPKI Route Validation selectively. For example, you can cross check with connectivity types, such as PNIs, IX peerings, transit and so on; or cross check with Routers and Sites; or cross check with end customers’ IDs.

For more information, please see our blog post with an introduction to RPKI, our blog post with a technical walkthrough of how RPKI features can be used in Kentik, and the BGP Dimension Reference in our Knowledge Base and look for “RPKI”, or contact our Customer Success team.

Lastly, stay tuned for more news concerning chfAgent as it now embeds both an RPKI validator and an RTR-speaking server, that can be leveraged by routers to perform route validation based on the aggregated global list of ROAs.

Avatar of authorJoe Reves