Do I need to care about BGP if I am just an enterprise customer?

Yes. Even if you do not run BGP yourself, your provider does, and an upstream hijack reroutes your traffic. Subscribe to BGPMon alerts on prefixes you care about. If you operate critical services (banking, payments, healthcare under DPDP/SDF rules), you should also be tracking the routing posture of your CDN and DDoS-mitigation providers.

How do I publish ROAs?

Through your Regional Internet Registry — for India, APNIC. Log into MyAPNIC, navigate to Resources → RPKI, and create a ROA per prefix-origin pair. Free; takes minutes. Most large operators publish ROAs for prefixes they manage on behalf of customers; smaller ASNs publish their own.

Can RPKI prevent all hijacks?

No. RPKI Origin Validation prevents announcements with a wrong origin AS, but a sophisticated attacker can prepend a valid origin and still manipulate the path. ASPA and BGPsec address this; full coverage is a multi-year effort. Treat RPKI as essential but insufficient.

What is BCP38 and why does my ISP not implement it?

BCP38 (RFC 2827) is ingress filtering: the ISP drops outbound packets with source IPs not assigned to the originating customer. This prevents IP spoofing — the basis of every reflection-amplification DDoS. Many ISPs do not implement it because there is no business pressure; the cost of DDoS is borne by victims, not source-network operators. MANRS is changing this through peer pressure.

Should an Indian fintech run its own ASN?

Mostly no. The operational cost is high (24×7 NOC, BGP expertise, RPKI/MANRS conformance, peer maintenance). For most fintechs the right answer is anycast services from Cloudflare / Fastly / Akamai who run the AS for you. Run your own ASN only if you operate large-scale infrastructure where the routing policy gives you a meaningful business edge.

How quickly can I deploy RPKI in production?

On the signing side (publish ROAs through APNIC), one afternoon. On the validating side, expect 1-2 weeks: deploy RPKI relying-party software (Routinator, FORT, OctoRPKI), configure RPKI-RTR sessions to your routers, gradually enable validation policy from "log only" to "drop invalid". Most operators run "log only" for a month before enforcement.

What happens if my RPKI publication is wrong?

A wrong ROA (e.g., AS mismatch, max-length too short) marks legitimate announcements "invalid" — and validating peers drop them. The result is partial unreachability that looks like a routing problem. Use a staging environment + Routinator validator to test ROAs before publication; monitor the global view via RIPEstat.

BGP Security & RPKI | RingSafe Academy

Read as

Last updated: May 1, 2026

BGP is the routing protocol of the Internet — every ISP, hyperscaler, and large enterprise speaks it. It assumes good behaviour by every participant; that assumption fails several times a year, and we get prefix hijacks, route leaks, and accidental outages. RPKI cryptographically validates which AS may originate which prefix, BGPsec extends that to AS-PATH, and MANRS is the operator-collective best-practice baseline. This module is the working introduction to all four.

Border Gateway Protocol routes the Internet between Autonomous Systems (AS) — the ~100,000 distinct networks operated by ISPs, content providers, hyperscalers, and large enterprises. It works on a trust model: each AS announces “I have these prefixes, here is the path”, and every other AS believes it. When that trust breaks — by accident or on purpose — entire countries lose connectivity for hours. This module covers the architecture, the attack classes (hijack, leak, MITM), and the modern mitigations (RPKI, BGPsec, MANRS) that operators and enterprises must understand in 2026.

BGP in 90 seconds — the model you must hold in your head

Each AS has a unique number (ASN, 16 or 32 bit). ASNs maintain BGP sessions over TCP/179 with peers (their neighbours). A BGP session exchanges UPDATE messages: “I can reach prefix 203.0.113.0/24, AS-PATH is [AS65010 AS65020 AS65030]”. Each receiving AS prepends its own ASN before re-announcing. Path selection: from all received paths to the same prefix, choose the one with the highest local-preference, then the shortest AS-PATH, then more tie-breakers (origin, MED, eBGP-over-iBGP, lowest router-id). The principle: BGP routes by policy, not by physical optimality. Two ISPs may have a direct fibre between them but route via a third because of business agreements. Every BGP-related security incident is a misuse of one of these mechanisms — usually a more-specific prefix that wins longest-prefix match, or a falsely shorter AS-PATH.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.

Book team training call Replies in 4 working hrs · India-only · Senior consultants

BGP Security and RPKI — How the Internet Trusts Itself, and Why It Sometimes Should Not

BGP in 90 seconds — the model you must hold in your head

Custom team training + practitioner advisory

Other modules in this track

Networking Fundamentals — OSI, TCP/IP, and Why Layers Actually Matter

Packet Analysis with Wireshark — From “Open the PCAP” to Diagnosing Real Incidents

Network Protocols Deep Dive — ARP, DHCP, ICMP, DNS, HTTP and the Trust They Assume