Describes how BGP RPKI-based origin validations for iBGP updates strengthen internal BGP route security and help prevent propagation of invalid prefixes within an autonomous system.
A BGP Resource Public Key Infrastructure (RPKI)-based origin validation on Inbound Internal Border Gateway Protocol (iBGP) prefixes is a BGP security feature that
-
enables RPKI origin-AS validation for inbound iBGP route updates,
-
provides the validation state to routing policies, allowing administrators to filter prefixes marked as invalid, and
-
integrates with Cisco IOS XR BGP configuration, supporting global, VRF, or neighbor-level deployment for flexible enforcement.
You enable validation by configuring bgp origin-as validation allow-inbound-ibgp command in your BGP context, which references RPKI ROA data to assess origin-AS authorization for each prefix within internal routes.
| Feature Name |
Release Information |
Feature Description |
|---|---|---|
| BGP RPKI-based origin validation on Inbound iBGP prefixes |
Release 26.2.1 | Introduced in this release on: Fixed Systems (8200 [ASIC: Q200,P100], 8700 [ASIC: P100, K100], 8010 [ASIC: A100]); Centralized Systems (8600 [ASIC:Q200]) ; Modular Systems (8800 [LC ASIC:Q100, Q200, P100]) You can now enhance internal routing security by validating iBGP-learned routes against RPKI origin-AS data. This provides validation states that can be used in routing policies to filter invalid routes, preventing the propagation of unauthorized prefixes within your network. |
Key options and limitations for BGP RPKI-based origin validations for iBGP updates
Describes configuration choices, and important distinctions relevant to RPKI-based iBGP origin validations in Cisco IOS XR.
Main configuration options include:
-
Activating validation globally, per VRF, or per iBGP neighbor to target specific iBGP sessions
-
Disabling validation on selected neighbors using
origin-as validation disablefor flexibility -
Using ROA databases and integrating with existing route policies
The following table compares iBGP and External Border Gateway Protocol (eBGP) origin validations:
Key limitations and requirements include:
-
Prefixes are validated against RPKI data, allowing administrators to configure routing policies that drop invalid prefixes while accepting those with a valid or not-found status.
-
Validation can be disabled per-neighbor for operational reasons
-
Not applied to outbound policies for eBGP neighbors
-
Requires Cisco IOS XR Release 26.2.1 or later
TIP: Keep RPKI ROA data up to date to ensure accurate internal validation and to prevent acceptance of invalid or hijacked prefixes.