RPKI ROA Validator (Educational)

Enter a prefix and origin ASN to validate against a sample ROA database. This tool is for learning the validation algorithm — use live validators for production decisions.

Sample ROA Database
This database contains a small set of well-known public ROAs for demonstration purposes. For live validation, use: Cloudflare RPKI, RIPE RPKI Validator, or NIST RPKI Monitor.
Prefix | maxLength | Origin ASN | Note
How Validation Works (RFC 6811)

The validation algorithm (see RFC 6811) for an announced prefix P/len with origin ASN A:

  1. Find all ROAs in the VRP table where P/len is covered by the ROA prefix — that is, P is a subnet of (or equal to) the ROA prefix AND len ≤ ROA maxLength. Call this the covering set.
  2. If the covering set is empty → NotFound. No ROA asserts anything about this prefix.
  3. If the covering set is non-empty, check whether any ROA in the set also has origin ASN == A. If yes → Valid. If no → Invalid.

Key insight: Invalid is a stronger signal than NotFound. NotFound simply means no ROA exists yet — the prefix owner hasn't registered one. Invalid means a ROA exists explicitly saying this origin ASN is not authorized.
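
The three-state check as a runnable sketch (an added example, not this tool's own code). The VRP entries are constructed from documentation prefixes and reserved ASNs, and the names `VRP`, `SAMPLE_VRPS` and `validate` are illustrative. It follows RFC 6811's own definitions, in which a VRP covers a route on prefix bits alone and maxLength is tested together with the origin ASN in the match step, so a too-specific announcement under a covering ROA comes out Invalid.

```python
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """Validated ROA Payload: one (prefix, maxLength, origin ASN) tuple."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample data (documentation prefixes, reserved ASNs); not real ROAs.
SAMPLE_VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("203.0.113.0/24", 26, 64497),   # allows more-specifics down to /26
    VRP("203.0.113.0/24", 24, 64498),   # second ROA for the same prefix
    VRP("2001:db8::/32", 48, 64499),
]


def validate(route: str, origin_asn: int, vrps=SAMPLE_VRPS) -> str:
    """Return 'Valid', 'Invalid' or 'NotFound' for an announced route."""
    net = ipaddress.ip_network(route, strict=True)
    covered = False
    for vrp in vrps:
        vrp_net = ipaddress.ip_network(vrp.prefix)
        # IPv4 and IPv6 entries never cover each other.
        if vrp_net.version != net.version:
            continue
        # Covered: the route is equal to, or a subnet of, the VRP prefix.
        if not net.subnet_of(vrp_net):
            continue
        covered = True
        # Matched: covered, length within maxLength, and same origin ASN.
        # A VRP for AS 0 never matches any route.
        if (net.prefixlen <= vrp.max_length
                and vrp.asn == origin_asn
                and vrp.asn != 0):
            return "Valid"
    return "Invalid" if covered else "NotFound"


if __name__ == "__main__":
    for route, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                       ("203.0.113.64/26", 64498), ("198.51.100.0/24", 64496)]:
        print(f"{route} AS{asn}: {validate(route, asn)}")
```

A less-specific announcement such as 192.0.0.0/16 is NotFound here, because a ROA for a /24 says nothing about the larger block that contains it.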

References: RFC 6480 (RPKI infrastructure), RFC 6482 (ROA profile), RFC 6811 (BGP prefix origin validation), RFC 8210 (RTR protocol).