RPKI ROA Validator (Educational)
Enter a prefix and origin ASN to validate against a sample ROA database. This tool is for learning the validation algorithm — use live validators for production decisions.
Sample ROA Database
This database contains a small set of well-known public ROAs for demonstration purposes. For live validation, use Cloudflare RPKI, RIPE RPKI Validator, or NIST RPKI Monitor.
| Prefix | maxLength | Origin ASN | Note |
|---|---|---|---|
How Validation Works (RFC 6811)
The validation algorithm (see RFC 6811) for an announced prefix P/len with origin ASN A:
- Find all ROAs in the VRP table where P/len is covered by the ROA prefix — that is, P is a subnet of (or equal to) the ROA prefix AND len ≤ ROA maxLength. Call this the covering set.
- If the covering set is empty → NotFound. No ROA asserts anything about this prefix.
- If the covering set is non-empty, check whether any ROA in the set also has origin ASN == A. If yes → Valid. If no → Invalid.
Key insight: Invalid is a stronger signal than NotFound. NotFound simply means no ROA exists yet; the prefix owner hasn't registered one. Invalid means a ROA does cover the prefix and no covering ROA authorizes this origin ASN.
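The validation steps as a runnable Python sketch. This is an added example, not the code behind this tool; the names `VRP`, `covers`, `validate` and `SAMPLE_VRPS` are hypothetical and the entries are constructed from documentation prefixes and ASNs. It follows RFC 6811's own definitions, where a VRP covers a route on address bits and prefix length alone and maxLength is tested together with the origin ASN in the match step, so an announcement more specific than maxLength under an existing ROA returns Invalid.

```python
import ipaddress
from typing import NamedTuple, Optional


class VRP(NamedTuple):
    prefix: str      # ROA prefix, e.g. "192.0.2.0/24"
    max_length: int  # longest announced prefix length the ROA authorizes
    asn: int         # authorized origin ASN


# Constructed sample VRPs (documentation prefixes and ASNs, not real ROAs).
SAMPLE_VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("203.0.113.0/24", 26, 64497),
    VRP("203.0.113.0/24", 24, 64498),
    VRP("2001:db8::/32", 48, 64499),
]


def covers(vrp: VRP, route) -> bool:
    """RFC 6811 'Covered': same address family and the route lies inside
    (or equals) the VRP prefix. maxLength is not part of this test."""
    roa_net = ipaddress.ip_network(vrp.prefix)
    # subnet_of() raises TypeError across IPv4/IPv6, so compare versions first.
    return roa_net.version == route.version and route.subnet_of(roa_net)


def validate(prefix: str, origin_asn: Optional[int], vrps=SAMPLE_VRPS) -> str:
    """Return 'Valid', 'Invalid' or 'NotFound' for an announced prefix.
    origin_asn=None models an origin that cannot be determined (AS_SET)."""
    route = ipaddress.ip_network(prefix)  # ValueError if host bits are set
    covering = [v for v in vrps if covers(v, route)]
    if not covering:
        return "NotFound"
    # RFC 6811 'Matched': covered, length within maxLength, same origin ASN.
    for v in covering:
        if route.prefixlen <= v.max_length and v.asn == origin_asn:
            return "Valid"
    return "Invalid"


if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                     ("203.0.113.64/26", 64498), ("198.51.100.0/24", 64496)]:
        print(f"{pfx} AS{asn}: {validate(pfx, asn)}")
```

The `192.0.2.0/25` case is the one to watch: the origin is the authorized ASN, but the announcement is longer than maxLength, which is the shape of a forged-origin sub-prefix announcement.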
References: RFC 6480 (RPKI infrastructure), RFC 6482 (ROA profile), RFC 6811 (BGP prefix origin validation), RFC 8210 (RTR protocol).