ISM-2018: ASD Information Security Manual (ISM)

Secure BGP Routing with RPKI-Registered IP Addresses

Routers reject or down-rank invalid IP address routes to enhance BGP security.


Plain language

This control is about making sure that the internet routes used to send and receive data are secure and accurate. If this isn't done, your data could be sent along the wrong paths, creating risks such as loss of sensitive information or your website or services becoming inaccessible. It's like making sure your mail is delivered to the right address and not to someone else's mailbox.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Routes for RPKI-registered IP addresses that are advertised from invalid Autonomous Systems, or that are longer than allowed, are rejected or deprioritised by routers that exchange routes via BGP.
ASD Information Security Manual (ISM), ISM-2018

Why it matters

Without rejecting/deprioritising RPKI-invalid BGP routes (wrong origin AS or too-long prefix), traffic can be hijacked, intercepted or blackholed, causing outages and misrouting.


Operational notes

Maintain ROA-based BGP policy: regularly refresh RPKI cache/ROAs, set routers to reject or deprioritise RPKI-invalid (and max-length exceeded) routes, and alert on validation state changes.
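
The validation decision described in the control statement, written out as an added example (it is not part of the ISM or of this page's source). It follows the RFC 6811 origin-validation states; the ROAs use documentation prefixes and documentation AS numbers and are constructed, and the names `validate` and `action` are assumptions.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str      # address block the holder registered
    max_length: int  # longest prefix length the holder allows
    asn: int         # AS authorised to originate the block

# Constructed ROAs: documentation prefixes and documentation AS numbers.
ROAS = [
    ROA("192.0.2.0/24", 24, 64500),
    ROA("203.0.113.0/24", 25, 64501),
    ROA("2001:db8::/32", 48, 64502),
]

def validate(prefix, origin_asn, roas=ROAS):
    """Classify a BGP route as (state, reason), following RFC 6811."""
    route = ipaddress.ip_network(prefix)
    # A ROA "covers" the route when the route is equal to or inside its prefix.
    covering = [
        r for r in roas
        if ipaddress.ip_network(r.prefix).version == route.version
        and route.subnet_of(ipaddress.ip_network(r.prefix))
    ]
    if not covering:
        return ("not-found", "no ROA covers this prefix")
    # A ROA for AS 0 never matches any route.
    same_as = [r for r in covering if r.asn == origin_asn and r.asn != 0]
    if any(route.prefixlen <= r.max_length for r in same_as):
        return ("valid", "origin AS and length match a ROA")
    if same_as:
        return ("invalid", "prefix longer than allowed")
    return ("invalid", "origin AS not authorised")

def action(state, on_invalid="reject"):
    """Router policy: on_invalid is 'reject' or 'deprioritise'."""
    return on_invalid if state == "invalid" else "accept"

if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64500), ("192.0.2.128/25", 64500),
                     ("192.0.2.0/24", 64511), ("198.51.100.0/24", 64500)]:
        state, why = validate(pfx, asn)
        print(pfx, asn, state, why, action(state))
```

Routes with no covering ROA come back as `not-found` and are accepted here, because the control statement applies only to RPKI-registered addresses.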


Implementation tips

  • Internet Service Providers (ISPs) should work with network engineers to register their IP addresses with the Resource Public Key Infrastructure (RPKI). This involves verifying every IP address and linking them to a specific network to prevent unauthorized use.
  • Network administrators must configure routers to automatically reject or down-rank any incorrect routes. This can be done by setting up rules that specify which paths are valid and should be preferred according to RPKI data.
  • The IT team should routinely check RPKI data for any changes or updates. By regularly verifying RPKI records, you can ensure that only valid and authorised routes are advertised.
  • Cybersecurity managers should train staff on the importance of RPKI and secure BGP routing. Provide workshops or simple guides to explain how correct routing protects our online activities from being hijacked.
  • Business owners should liaise with their network provider to ensure compliance with RPKI guidelines. This means confirming with your service provider whether they are implementing secure routing practices, as recommended by government agencies like the Australian Cyber Security Centre (ACSC).

Audit / evidence tips

  • Ask: The network's RPKI validation status report: Request to see records that show the validation outcomes of your current IP address routes. Good: Shows all routes as valid and lists recent validation dates.
  • Ask: To see how routers are set up to handle routing decisions. Good: Is clear, documented settings that specifically enforce these rules.
  • Good: Includes up-to-date training content and attendance records.
  • Ask: The communication log with the network provider: Request evidence of discussions between the organisation and their ISP regarding secure routing practices. Good: Includes recent, documented interactions affirming compliance with RPKI practices.
  • Good: Is a verified log indicating consistency and up-to-date information.

Cross-framework mappings

How ISM-2018 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Related (1)

Control: Annex A 8.20
Notes: Annex A 8.20 requires secure management and control of networks to protect information and maintain trusted connectivity

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
