The Border Gateway Protocol (BGP) is susceptible to route hijacking, i.e. unauthorized routers can advertise routes and thus redirect data traffic away from the actual destination to themselves. This situation can be caused by erroneous configurations as well as by deliberate attacks.
Resource Public Key Infrastructure (RPKI) is a cryptographic method for signing and validating routing data records, which consist of a prefix and an autonomous system (AS). This record is called the Route Origin Authorization (ROA). More information on RPKI can be found in RFC 6480.
LCOS supports the Resource Public Key Infrastructure (RPKI) to Router Protocol (RTR) as per RFC 8210, with which a validator or cache supplies the router with information about validated prefixes and the associated AS number. The BGP process uses this information to check whether a prefix or route was announced by the correct origin AS. It also checks whether the prefix length of the announced route is within the length permitted by the ROA record.
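The following is an added illustration of the check described above, not code from LCOS or from the RFCs: it builds a ROA table from constructed RTR-style announce/withdraw records and classifies routes as valid, invalid or not-found according to the origin AS and maximum-length rules of RFC 6811. All prefixes and AS numbers are made-up documentation values.

```python
import ipaddress

# Constructed ROA records of the kind an RTR cache (RFC 8210) delivers to the
# router: (announce, prefix, maxLength, origin ASN). announce=False models an
# RTR withdraw. Values are documentation ranges and ASNs, invented for this example.
RTR_UPDATES = [
    (True, "192.0.2.0/24", 24, 64496),
    (True, "198.51.100.0/24", 26, 64497),
    (True, "2001:db8::/32", 48, 64496),
    (True, "203.0.113.0/24", 24, 64499),
    (False, "203.0.113.0/24", 24, 64499),  # the cache later withdraws this ROA
]


def build_roa_table(updates):
    """Apply RTR-style announce/withdraw records to produce the router's ROA table."""
    table = set()
    for announce, prefix, max_len, asn in updates:
        record = (ipaddress.ip_network(prefix), max_len, asn)
        if announce:
            table.add(record)
        else:
            table.discard(record)
    return table


def roa_validate(prefix, origin_as, roas):
    """RFC 6811 route origin validation: returns 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa_net, max_len, asn in roas:
        # Skip ROAs of the other address family and those that do not cover the route
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Matching ROA: same origin AS and route no more specific than maxLength
        if asn == origin_as and route.prefixlen <= max_len:
            return "valid"
    # Covered by at least one ROA but matched by none: wrong origin or too specific
    return "invalid" if covered else "not-found"


def accept_route(prefix, origin_as, roas):
    """Common BGP import policy: drop RPKI-invalid routes, keep valid and not-found."""
    return roa_validate(prefix, origin_as, roas) != "invalid"


if __name__ == "__main__":
    roas = build_roa_table(RTR_UPDATES)
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496), ("203.0.113.0/24", 64499)]:
        print(pfx, asn, roa_validate(pfx, asn, roas))
```

The more-specific announcement 192.0.2.0/25 is rejected even from the correct origin AS, because it exceeds the ROA's maximum length; this is the case that catches more-specific hijacks.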
This cache is either operated on a server of your own (for example for your own prefixes), or a public validator is used.
Public RPKI caches contain a large number of ROA entries. The recommendation is to operate RPKI only on devices with sufficient main memory to meet requirements (i.e. more than 2 GB), meaning that central-site devices or the vRouter need a correspondingly large main memory.