Secure BGP Routing with RPKI-Registered IP Addresses
Routers reject or down-rank invalid IP address routes to enhance BGP security.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Feb 2025
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
Routes for RPKI-registered IP addresses that are advertised from invalid Autonomous Systems, or that are longer than allowed, are rejected or deprioritised by routers that exchange routes via BGP.
Source: ASD Information Security Manual (ISM)
Plain language
This control is about making sure that the internet routes used to send and receive data are secure and accurate. If this isn't done, your data could be sent through the wrong paths, posing risks like loss of sensitive information or even your website or services being inaccessible. It's like ensuring your mail gets delivered to the right address and not everyone else's mailbox.
Why it matters
Without rejecting/deprioritising RPKI-invalid BGP routes (wrong origin AS or too-long prefix), traffic can be hijacked, intercepted or blackholed, causing outages and misrouting.
Operational notes
Maintain ROA-based BGP policy: regularly refresh RPKI cache/ROAs, set routers to reject or deprioritise RPKI-invalid (and max-length exceeded) routes, and alert on validation state changes.
Implementation tips
- Internet Service Providers (ISPs) should work with network engineers to register their IP addresses with the Resource Public Key Infrastructure (RPKI). This involves verifying every IP address and linking them to a specific network to prevent unauthorized use.
- Network administrators must configure routers to automatically reject or down-rank any incorrect routes. This can be done by setting up rules that specify which paths are valid and should be preferred according to RPKI data.
- The IT team should routinely check RPKI data for any changes or updates. By regularly verifying RPKI records, you can ensure that only valid and authorised routes are advertised.
- Cybersecurity managers should train staff on the importance of RPKI and secure BGP routing. Provide workshops or simple guides to explain how correct routing protects our online activities from being hijacked.
- Business owners should liaise with their network provider to ensure compliance with RPKI guidelines. This means confirming with your service provider whether they are implementing secure routing practices, as recommended by government agencies like the Australian Cyber Security Centre (ACSC).
Audit / evidence tips
-
Ask: the network's RPKI validation status report: Request to see records that show the validation outcomes of your current IP address routes
Good: shows all routes as valid and lists recent validation dates
-
Ask: to see how routers are set up to handle routing decisions
Good: is clear, documented settings that specifically enforce these rules
-
Good: includes up-to-date training content and attendance records
-
Ask: the communication log with the network provider: Request evidence of discussions between the organisation and their ISP regarding secure routing practices
Good: includes recent, documented interactions affirming compliance with RPKI practices
-
Good: is a verified log indicating consistency and up-to-date information
Cross-framework mappings
How ISM-2018 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | ||
| Annex A 8.20 | ISM-2018 requires routers to validate BGP route announcements for RPKI-registered IP prefixes and to reject or deprioritise invalid-origi... | |