ISM-1783 ASD Information Security Manual (ISM)

Secure BGP with Valid ROA for IP Addresses

Ensure public IP addresses are protected by valid Route Origin Authorisation records to enhance security.

Plain language

This control is about making sure that the routes your internet traffic takes are secure and correctly identified. Without this, there's a risk that hackers can misdirect or intercept your online communications, potentially leading to data theft or service disruptions.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Public IP addresses controlled by, or used by, an organisation are signed by valid ROA records.

Why it matters

If valid ROAs are not maintained for an organisation's public prefixes, BGP routes can be hijacked, redirecting traffic and causing outages or compromise.

Operational notes

Routinely validate ROAs for all public prefixes, monitor RPKI status, renew before expiry, and set maxLength to match announced prefixes and planned changes.

Implementation tips

  • The network administrator should identify all the public IP addresses used by the organisation. Make a list of these addresses so you know exactly what needs to be protected.
  • IT teams must ensure each public IP address has a Route Origin Authorisation (ROA) record. Use an online ROA service or contact your internet service provider to verify if records are in place.
  • The IT manager should create a routine check for the validity of all ROA records. Schedule a regular review, such as quarterly, to ensure records are still correct and up-to-date.
  • System administrators need to configure alerts for any changes in the routing of IP addresses. Utilise routing monitoring tools that notify the administrators if routes deviate from the expected path.
  • Management should establish a policy that all new IP addresses must have a ROA before deployment. This can be ensured by including this requirement in procurement or deployment standards.
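
One way to run the routine check from the tips above, as an added example that is not ASD or vendor code: it classifies each announced prefix against a ROA list using the RFC 6811 origin-validation states (valid, invalid, not-found) and reports ROAs whose maxLength is longer than anything actually announced. The prefixes, ASNs and function names are constructed for illustration; a real ROA list is assumed to come from an RPKI validator.

```python
import ipaddress

# Constructed sample data: documentation prefixes and private-use ASNs.
ROAS = [  # (ROA prefix, maxLength, authorised origin ASN)
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64500),
]
ANNOUNCED = [  # (prefix the organisation originates, origin ASN)
    ("192.0.2.0/24", 64500),     # matching ROA
    ("198.51.100.0/24", 64501),  # ROA exists but names a different origin
    ("203.0.113.0/24", 64500),   # no ROA at all
    ("2001:db8::/32", 64500),    # matching ROA, but its maxLength is /48
]

def covering(route, roas):
    """ROAs whose prefix contains the route (same address family)."""
    net = ipaddress.ip_network(route)
    parsed = [(ipaddress.ip_network(p), m, a) for p, m, a in roas]
    return [(r, m, a) for r, m, a in parsed
            if r.version == net.version and net.subnet_of(r)]

def origin_state(route, origin, roas):
    """RFC 6811 validation state: valid, invalid or not-found."""
    net = ipaddress.ip_network(route)
    cover = covering(route, roas)
    if not cover:
        return "not-found"
    ok = any(a == origin and net.prefixlen <= m for _, m, a in cover)
    return "valid" if ok else "invalid"

def loose_max_length(roas, announced):
    """ROAs whose maxLength exceeds the longest prefix announced under them."""
    findings = []
    for prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(prefix)
        nets = [ipaddress.ip_network(p) for p, o in announced if o == asn]
        lengths = [n.prefixlen for n in nets
                   if n.version == roa_net.version and n.subnet_of(roa_net)]
        longest = max(lengths, default=roa_net.prefixlen)
        if max_len > longest:
            findings.append((prefix, max_len, longest))
    return findings

if __name__ == "__main__":
    for prefix, origin in ANNOUNCED:
        print(prefix, origin_state(prefix, origin, ROAS))
    print(loose_max_length(ROAS, ANNOUNCED))
```

Prefixes reported as not-found or invalid need a ROA created or corrected; a maxLength finding means the ROA authorises more-specific routes than the organisation announces.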

Audit / evidence tips

  • Ask: A list of all public IP addresses. Verify that the organisation knows which IP addresses they're using. Good: List includes all currently active IPs.
  • Ask: To see the last routine check of ROA records.
  • Good: System reflects no unresolved or unexplained changes.
  • Ask: The policy documentation regarding new IP deployments. Verify it requires valid ROA records. Good: Policy document, dated and signed, clearly details the ROA requirement.
Cross-framework mappings

How ISM-1783 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Related (1)
Annex A 8.20 Annex A 8.20 requires networks to be secured and controlled, including the integrity of routing where it affects information delivery and...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
