CRYPTOGRAPHIC_ROUTE_SECURITY

RPKI &
Origin Validation

Eliminate BGP hijacks and accidental route leaks. We provide a fully managed, Delegated RPKI Certificate Authority (CA) integrated directly into the IP provisioning workflow.

Route Validator

Origin ASN

Prefix

READY_FOR_INPUT

Validation States

Valid

The route announcement matches a signed ROA (Route Origin Authorization) for both the ASN and prefix length. Traffic flows normally.

Invalid

The announcement contradicts an existing ROA. This indicates a hijack or misconfiguration. We drop these packets at the edge.

Not Found

No ROA exists for this prefix. Traffic is accepted, but unprotected. We recommend signing ROAs for 100% of your resources.

Automated Signing

Forget managing Krill instances or manual RIR portals. Define your ROAs in Terraform or via API, and we handle the cryptographic heavy lifting with the RIRs (ARIN/RIPE/APNIC).

15-minute Global Propagation
Automated Renewal
HSM-backed Key Storage

roa_config.tf

resource "netnounce_roa" "primary_block" {

prefix = "203.0.113.0/24"

asn = 133711

max_length = 24

# Auto-publish to RIRs

publish = true

}

Global Trust Anchors

ARIN

North America

SYNCED

12ms

RIPE NCC

Europe/Middle East

SYNCED

88ms

APNIC

Asia Pacific

SYNCED

140ms

LACNIC

Latin America

SYNCED

110ms

AFRINIC

Africa

SYNCED

180ms

Security Notice

Netnounce enforces Strict RPKI Validation on all eBGP sessions.

Warning

If your upstream announcement is RPKI Invalid, it will be silently dropped by our edge routers. Ensure your ROAs are current before peering.

Validation Tools

RIPE NCC RPKI Validator →Cloudflare IsBGPSafeYet? →RPKI Portal →

RPKI & Origin Validation

Route Validator

Validation States

Automated Signing

Global Trust Anchors

Security Notice

Validation Tools

RPKI &
Origin Validation