rir_check_rpki
Validate IP prefix and ASN pairs against RPKI to detect unauthorized route announcements and potential hijacks using Cloudflare's validator.
Instructions
Validate a prefix + ASN pair against the global RPKI using Cloudflare's validator.
RPKI (Resource Public Key Infrastructure) is the internet's route security framework. RIRs issue Route Origin Authorizations (ROAs) — digital certificates that cryptographically prove an ASN is authorized to announce a prefix.
Validity states:
- ✅ VALID — A matching ROA exists. Route is cryptographically authorized.
- 🚨 INVALID — A ROA exists but this ASN/prefix violates it. Possible hijack.
- ⚠️ NOT-FOUND — No ROA exists. Route is unverified (common, not inherently bad).
- ❓ UNKNOWN — Could not determine validity.
Combine with rir_check_bgp_status for full routing security assessment.
Results are cached for 15 minutes (ROAs can change, but not frequently).
Args:
params (RPKICheckInput):
- prefix (str): CIDR prefix, e.g. '1.1.1.0/24' or '2400:cb00::/32'
- asn (str): Originating ASN, e.g. 'AS13335' or '13335'

Returns:
str: RPKI validity state, description, and list of covering ROAs.

JSON schema:

```
{
  "prefix": str,
  "asn": str,
  "validity": "valid"|"invalid"|"not-found"|"unknown",
  "covering_roas": [{"asn": int, "prefix": str, "maxLength": int}],
  "description": str
}
```
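How the valid, invalid and not-found states follow from a set of ROAs, as an added example (not the tool's or Cloudflare's code): a local implementation of RFC 6811 route origin validation over entries shaped like `covering_roas`. The names `origin_validate`, `normalize_asn` and `SAMPLE_ROAS` are hypothetical, the ROAs are constructed from documentation prefixes and ASNs, and the unknown state (validity could not be determined) is outside this local logic.

```python
import ipaddress

# Constructed sample ROAs (documentation prefixes and ASNs), shaped like
# the covering_roas entries in the tool's JSON output.
SAMPLE_ROAS = [
    {"asn": 64496, "prefix": "192.0.2.0/24", "maxLength": 24},
    {"asn": 64497, "prefix": "2001:db8::/32", "maxLength": 48},
]

def normalize_asn(asn):
    """Accept 'AS13335', 'as13335' or '13335' and return the integer."""
    text = str(asn).strip().upper()
    return int(text[2:] if text.startswith("AS") else text)

def origin_validate(prefix, asn, roas):
    """Return (validity, covering_roas, reason) following RFC 6811."""
    route = ipaddress.ip_network(prefix, strict=True)
    origin = normalize_asn(asn)
    # A ROA covers the route when the address family matches and the route
    # is equal to, or more specific than, the ROA prefix.
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa["prefix"], strict=True)
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found", covering, "no ROA covers this prefix"
    for roa in covering:
        # AS0 ROAs mean "do not route" and can never make a route valid.
        asn_ok = origin != 0 and roa["asn"] == origin
        if asn_ok and route.prefixlen <= roa["maxLength"]:
            return "valid", covering, "origin and length match a ROA"
    if any(roa["asn"] == origin for roa in covering):
        return "invalid", covering, "prefix is longer than the ROA maxLength"
    return "invalid", covering, "covering ROAs authorize a different origin ASN"

if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", "AS64496"), ("192.0.2.0/25", "64496"),
                     ("192.0.2.0/24", "AS64511"), ("198.51.100.0/24", "AS64496")]:
        validity, _, reason = origin_validate(pfx, asn, SAMPLE_ROAS)
        print(pfx, asn, validity, "-", reason)
```

The second sample route shows why an INVALID result does not always mean a foreign origin: a more-specific announcement from the authorized ASN is also invalid when it exceeds `maxLength`.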
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| params | Yes | | |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| result | Yes | | |