Online Dev Tools

Developer & Security Tools for IT Professionals

Fuel The Infrastructure

RPKI / BGP Prefix Legitimacy Checker

Queries the public RIPEstat API No account or API key

Last reviewed: June 10, 2026 — validation verified end-to-end against live RPKI data (Valid, Invalid, and NotFound cases).

Check whether an IP prefix and its origin ASN are authorized by RPKI. Enter a prefix (or a bare IP), optionally an origin ASN, and get the RPKI validation state, the matching ROA, and a plain-English read on the route's legitimacy.

Quick examples — click to fill:

Result

Run a check to see the RPKI validation result, matching ROA, and risk level here.

What the result means

RPKI (Resource Public Key Infrastructure) lets the legitimate holder of an IP block publish a signed Route Origin Authorization (ROA) stating which Autonomous System (AS) is allowed to originate that prefix in BGP, and how specific the announcement may get (the max length). A validator compares a route — a prefix plus the AS announcing it — against the set of published ROAs and returns one of three states.

  • Valid — a covering ROA exists, the origin ASN matches, and the prefix length is within the ROA's max length. The origin is authorized.
  • Invalid — a covering ROA exists, but the announcement contradicts it: the origin ASN is wrong (invalid_asn), or the prefix is more specific than the allowed max length (invalid_length). RPKI-enforcing networks may drop the route. This can indicate a hijack, a leak, or simply a misconfigured/stale ROA.
  • NotFound — no ROA covers the prefix. RPKI neither authorizes nor contradicts it. This is extremely common and is not evidence of malice — the prefix's holder simply has not published an ROA for it.

RPKI secures the origin of a route only. It does not validate the full AS path, and a Valid result does not prove the traffic is safe — only that the announcing AS is authorized to originate the prefix.

About this tool

This checker queries the public RIPEstat Data API from RIPE NCC, which runs an RPKI validator (Routinator) against the live RPKI repositories. When you supply a prefix and origin ASN, it returns the validation state and the ROAs that cover the prefix. When you check a prefix without an ASN (or a bare IP), the tool first looks up the prefix's currently-announced origin AS from RIPEstat's BGP data, then validates against it. No API key is required and nothing you enter is stored by this site.

How it works

Your input is normalized in the browser: a CIDR is reduced to its canonical network address and prefix length, IPv4 and IPv6 are both supported, and an ASN written as 15169 or AS15169 is accepted either way. For a bare IP, the tool resolves the covering announced prefix. It then calls RIPEstat's rpki-validation endpoint with the prefix and origin ASN and maps the response — status, the validating ROAs, their authorized origin, and max length — into the result you see. The raw response is available under Advanced details.

Common use cases

  • Confirm your own ROAs are correct: after creating an ROA at your RIR, check that your prefix + AS validates as Valid and that the max length matches how specifically you actually announce.
  • Investigate a suspicious route: if you see an unexpected announcement for one of your prefixes, check whether it is RPKI Invalid — a strong signal of a hijack or leak.
  • Learn BGP security hands-on: compare Valid, Invalid (wrong ASN), and Invalid (too specific) outcomes with the built-in examples to build intuition for how Route Origin Validation behaves.
  • Pre-flight a new announcement: before originating a more-specific prefix, confirm it will not be rejected as invalid_length by your upstreams.

Limitations

  • RPKI validates route origin only, not the full AS path. Path-based attacks are out of scope.
  • Results reflect the RIPEstat validator's current view of the RPKI repositories; ROAs can take time to propagate after you publish them.
  • NotFound is not a verdict of legitimacy or malice — only that no ROA exists.
  • In "prefix only" mode the origin AS is discovered from current BGP data; a prefix not currently in the global table may have no discoverable origin.

FAQ

What does RPKI Valid mean?
A covering ROA exists, the origin ASN matches the authorized ASN, and the prefix length is within the ROA's max length — the origin is cryptographically authorized.

What does RPKI Invalid mean?
A covering ROA exists but the announcement conflicts with it — wrong origin ASN, or a prefix more specific than the allowed max length. RPKI-enforcing networks may drop the route.

What does RPKI NotFound mean?
No ROA covers the prefix. RPKI neither authorizes nor contradicts it. Common, and not evidence of malice.

Is my data sent anywhere?
The prefix and ASN are sent to the public RIPEstat API to perform validation. No account or key is needed, and this site stores nothing.

Related tools