BGP Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Releases

PDF

BGP prefix origin validation mechanisms

Updated: February 28, 2026

Want to summarize with AI?

Log in

Overview

Outlines BGP prefix origin validation using mechanisms such as RPKI and provides procedures to configure an RPKI cache server for validating route origin authorship.

A BGP prefix origin validation mechanism is a route security feature that

  • uses the Resource Public Key Infrastructure (RPKI) to validate the Autonomous System (AS) originating a BGP prefix

  • prevents prefix mis-announcement by verifying that the origin AS claiming an address prefix is authorized, and

  • enhances routing security by ensuring that BGP routers accept only prefixes with verifiable, legitimate origin AS numbers.

Table 1. Feature history table

Feature Name

Release Information

Feature Description

BGP Prefix Origin Validation Based on RPKI

Release 25.4.1

Introduced in this release on: Fixed Systems (8010 [ASIC: A100], 8700 [ASIC: K100])(select variants only*)

*This feature is supported on:

  • 8711-48Z-M

  • 8011-32Y8L2H2FH

  • 8011-12G12X4Y-A

  • 8011-12G12X4Y-D

BGP Prefix Origin Validation Based on RPKI

 Release 25.1.1

Introduced in this release on: Fixed Systems (8010 [ASIC: A100])(select variants only*)

*This feature is supported on Cisco 8011-4G24Y4H-I routers.

BGP Prefix Origin Validation Based on RPKI

Release 24.4.1

Introduced in this release on: Fixed Systems (8200 [ASIC: P100], 8700 [ASIC: P100, K100])(select variants only); Modular Systems (8800 [LC ASIC: P100])(select variants only*)

This feature enhances BGP route security by using Resource Public Key Infrastructure (RPKI) to validate the origin Autonomous System (AS). It associates a route's address prefix with AS numbers, starting with the origin AS, and uses RPKI to verify the AS claiming the prefix. This helps prevent prefix mis-announcement, ensuring routes are secure and legitimate.

*This feature is supported on:

  • 8212-48FH-M

  • 8711-32FH-M

  • 8712-MOD-M

  • 88-LC1-36EH

  • 88-LC1-12TH24FH-E

  • 88-LC1-52Y8H-EM

Overview of RPKI

RPKI is a globally distributed cryptographic framework that creates a verifiable database of IP address blocks and Autonomous System (AS) numbers. RPKI enables network operators to securely certify which AS is authorized to advertise specific IP address prefixes.

BGP origin validation process

When a BGP router receives a route, it examines the AS_PATH attribute, which lists the sequence of ASes across which a prefix announcement has traveled. The router identifies the origin AS for the prefix and checks this against the authorization records in the RPKI database. If RPKI lists the prefix-origin pair as valid, the BGP router accepts the route. If not, the router considers the route invalid or suspicious. This process helps you prevent unauthorized or accidental route advertisements.

Security benefits

By leveraging RPKI-based BGP prefix origin validation, networks can defend against several well-known routing threats, such as prefix hijacking, mis-announcements, and monkey-in-the-middle attacks. Only routes authenticated through RPKI are trusted, reducing the risk of disrupted or maliciously re-routed Internet traffic.

Example of BGP prefix origin validation using RPKI

Suppose AS 64500 originates the prefix 192.0.2.0/24 and announces it into BGP. Another router receives this route and checks the RPKI database. If the database confirms that AS 64500 is authorized to originate 192.0.2.0/24, the route is considered valid. If not, the route is rejected or marked as suspicious, thus preventing a possible hijack or mis-announcement.

Configure an RPKI cache server

RPKI helps prevent route hijacking by verifying that BGP routes are correctly originated. Configuring a cache server allows the router to obtain validated prefix information for secure routing decisions.

Before you begin

  • Obtain the RPKI cache server’s IP address or hostname and transport requirements (SSH or TCP).

  • Have SSH credentials available if using SSH as the transport protocol.

Procedure

1.

Enter RPKI cache server configuration mode and configure the transport protocol (TCP or SSH) and port for the cache server.

Example:

Router(config)# router bgp 100
Router(config-bgp)# rpki server 10.2.3.4 
Router(config-bgp-rpki-server)# transport ssh port 22
Note

The default SSH port is 22. Both SSH and TCP support ports in the range 1–65535.

Tip

You can set the transport to either TCP or SSH. Changing the transport method causes the cache session to flap.

2.

(Optional, when using SSH) Set the username and password for the cache server.

Example:

Router(config-bgp-rpki-server)# username ssh_rpki_cache
Router(config-bgp-rpki-server)# password ssh_rpki_pass
3.

(Optional) Configure the preference for this cache server if multiple servers are used.

Example:

Router(config-bgp-rpki-server)# preference 1

Range for the preference value is 1 to 10. Lower values have higher priority.
4.

(Optional) Set the purge time for how long BGP retains route information after the cache session drops.

Example:

Router(config-bgp-rpki-server)# purge-time 30

Range for the purge time is 30 to 360 seconds.

5.

(Optional) Configure periodic refresh and response timers.

To set the refresh interval or disable it:

Router(config-bgp-rpki-server)# refresh-time 20

Or 

Router(config-bgp-rpki-server)# refresh-time off

To set the maximum response wait time or disable the timeout:

Router(config-bgp-rpki-server)# response-time 30

Or 

Router(config-bgp-rpki-server)# response-time off
6.

(Optional) Shut down the RPKI cache server.

Example:

Router(config-bgp-rpki-server)# shutdown