RPKI (Resource Public Key Infrastructure) or more commonly referred as Resource Certification, is a framework based on Public Key Infrastructure that allows Internet resources such as IP addresses and Autonomous System Numbers to be securely associated to a trust anchor.

RPKI can be used to secure the Internet Routing, by validating the Route Origination Authorization or ROAs. A ROA will contain which Autonomous Systems (AS) are authorized to announce IP prefixes. A network operator in charge of Internet routers can use the RPKI to Router Protocol (RTR) to make routing decisions based on the validity of ROA covering BGP announcements. A BGP announcement is VALID if it’s covered by one or more ROAs, INVALID if there is a mismatch between the expected origin AS and announcement origin AS, or UNKNOWN if the announcement is partially covered by a ROA.

Cryptographic validation of ROAs happen at a RPKI Validator, to avoid burdening Internet routers with the process. The RTR protocol defines the communication between the router and a validator, to verify if a BGP announcement is covered by a validated ROA.

NZRS provides a free and openly available RPKI Validator for Internet operators to use. validator.rpki.net.nz contains all the RIR trust anchors and provides an interface to discover the status of ROAs. It uses open source software written by RIPE NCC

RPKI is an effective measure against BGP prefix hijacking, such as the incident affecting YouTube back in 2008.