Requirements for Monitoring RPKI-Related Processes on Routers Using BMP

Introduction The Resource Public Key Infrastructure (RPKI) enhances BGP security by enabling cryptographic validation of route origins and AS paths . Despite growing adoption of RPKI, standard implementations of the BGP Monitoring Protocol (BMP) do not natively support monitoring of RPKI-related data. This limitation hampers visibility into RPKI validation processes and their impact on network operations. While existing proposals aim to extend BMP for specific aspects of RPKI monitoring, such as reporting invalid routes or providing validation statistics , a comprehensive and end-to-end monitoring framework for the RPKI lifecycle on the router is still lacking. This document defines requirements and extensions for BMP to monitor four key stages:

Acquisition of RPKI data;
Configuration of RPKI policies;
Validation of routes using RPKI;
Impact of RPKI validation on routing decisions.

It is important to note that this document focuses on monitoring RPKI's effect on BGP routing decisions, not on replicating the operational monitoring of the RTR protocol itself. Operational aspects of RTR — such as session management, protocol version negotiation, cache server health, and synchronization sequence numbers — are better served by YANG modeling and streaming telemetry mechanisms. BMP and YANG/telemetry are complementary: YANG handles RTR protocol operations, while BMP (as extended by this document) handles the impact of RPKI data on BGP route validation and selection. discusses this scope boundary in more detail.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Requirements Overview The BMP extension for RPKI monitoring SHOULD:

Monitor extensible RPKI data from various sources on routers, including through RPKI-to-Router Protocol (RTR) , BGP , static configurations, or SLURM local exceptions ;
Enable real-time monitoring of the route validation process on the router ;
Facilitate the correlation between RPKI validation states and BGP routing decisions;
Scale efficiently across diverse validation types.

Consequently, this document identifies four key stages in the RPKI lifecycle on routers which necessitate detailed monitoring and reporting:

RPKI Data Acquisition To ensure accurate and timely acquisition of RPKI data, network administrators require BMP to provide real-time, consistent monitoring of the health and status of all RPKI data sources. These sources include RTR connections to RPKI caches, iBGP and eBGP peers, local static configurations, and SLURM local exceptions . This enables rapid detection and response to faults or outages in data provisioning. Accordingly, BMP SHOULD report a common set of source-type-agnostic status fields for each source, with source-type-specific parameters available as optional extensions.

RPKI Policy Configuration Routing policies on the router may change dynamically, therefore real-time monitoring is necessary to ensure correct implementation and prompt misconfiguration detection of RPKI-based policies. To achieve this, BMP SHOULD report global RPKI enforcement status, RPKI-related validation rules and policies for each peer, and any SLURM local exceptions that modify the effective validation dataset.

Route Validation with RPKI Routers from different vendors implement RPKI-based route validation — including origin validation and path validation — with varying approaches. To facilitate accurate troubleshooting against validation outcomes, BMP SHOULD report the RPKI validation state as well as the related rules that contribute to the state.

Impact of RPKI Validation on Routing A router may implement numerous routing policies, resulting in complex routing behavior that obscures the influence of RPKI validation on decision-making. To provide visibility into this impact, BMP should report both intended outcomes and unintended side effects that are caused by the RPKI validation process.

RPKI Configuration Monitoring This section describes the monitoring of RPKI configuration on routers, encompassing both RPKI data source status and RPKI-related policy settings. These two aspects are closely correlated — both describe how RPKI is set up on the monitored router — and are therefore consolidated into a single RPKI_CONFIG message type (Type = TBD1). This consolidation reduces the BMP namespace footprint and enables natural correlation between data source state and policy configuration.

RPKI Data Source Status BMP SHOULD enumerate all sources of RPKI data on the monitored router. These sources include RTR connections to RPKI cache servers, iBGP sessions, eBGP sessions, local static configurations, and SLURM local exceptions . For each source, BMP SHOULD report a common set of source-type-agnostic fields:

A source type identifier indicating the kind of source (RTR, iBGP, eBGP, static, SLURM);
The reachability or connection status of the source (e.g., active, idle, not applicable);
The total number of RPKI records received or configured, including ROAs and ASPAs;
The timestamp of the most recent synchronization or update;
The cumulative error count;
Optionally, a CCR hash when supported by the implementation, to enable verification of the RPKI dataset version being used for validation.

In addition, source-type-specific parameters MAY be reported as optional extensions within each source's TLV group: For RTR sources:

The RPKI cache's designation as primary or backup, including its priority in the selection order;
The version of the RTR protocol in use (e.g., version 0 , version 1 );
The type of TCP connection established (e.g., plain TCP, TLS, SSH);
The IP address and port number of the cache.

For iBGP sources:

The IP address of the iBGP peer providing the RPKI data.

For eBGP sources:

The IP address and AS number of the eBGP peer providing the RPKI data;
The AS relationship between the eBGP peer and the current AS.

For static configuration sources:

The timestamp of the last modification to the static configuration.

For SLURM sources :

The number and type of local exceptions (prefix assertions and prefix filters);
The timestamp of the last modification to the SLURM file;
Read/write errors of the SLURM configuration.

Note that CCR hash values, when they become commonly implemented, can help a BMP consumer verify which version of the RPKI database is being used for validation. However, CCR will require time to mature and become commonly available. Implementations SHOULD include the CCR hash as an optional field that can be adopted when ready. In multi-source scenarios where RPKI data is acquired from multiple sources simultaneously, per-source CCR hashes (where available) provide pre-merge visibility, while the effective post-merge dataset used for validation may be influenced by SLURM local exceptions.

RPKI Policy Configuration BMP SHOULD report the RPKI-related policy configuration, which may be applied globally (uniformly applied across all peers) or on a per-peer basis (for example, only applied to the provider). The reported information SHOULD include:

The enablement status of RPKI validation;
The enabled set of validation rules derived from RPKI data, such as VRPs or ASPA entries;
If enabled, the configured actions for routes with Invalid or Not-Found states;
SLURM local exceptions : which RPKI validation rules are locally overridden, including prefix assertions (locally added VRPs) and prefix filters (locally removed VRPs). SLURM exceptions SHOULD be treated as a first-class monitoring item, as they directly shape the effective validation dataset used by the router.

Note that since the size of the total validation rule set could be really large, BMP could only convey the route features of enabled validation rules. These features could be logical combination (AND/OR) of a series of conditions (the origin ASes should be within a certain set, the origin ASes should be a certain role such as the customer, the rule source should only be static or iBGP, etc). The network administrator could combine the features and per-route specific information in the next section to obtain the total validation rules.

RPKI_CONFIG Message Format To convey the information described above, a new BMP message type RPKI_CONFIG (Type = TBD1) SHOULD be defined. This message consolidates what were previously separate RPKI_SOURCE and RPKI_POLICY message types. The RPKI_CONFIG message SHALL use the standard BMP common header followed by Type-Length-Value (TLV) elements per . Data source status and policy configuration are distinguished by Group TLV sub-types within the same message. For data source information, TLVs SHALL be grouped per RPKI data source, with each group using a Group TLV to index Stateless parsing TLVs containing the common and source-specific fields. A dedicated TLV within each group SHOULD specify the source type to ensure consistency and scalability. For global policy configurations, TLVs SHALL specify the validation rules and the actions associated with each non-valid state (i.e., Invalid and Not-Found), such as filtering, priority reduction, tagging, etc. For per-peer policy configurations, the message SHALL include an additional per-peer header, followed by TLVs that detail the RPKI rules and policies specific to each peer.

Route Validation with RPKI BMP SHOULD be extended to report both statistical summaries of validation results on a per-peer basis and detailed validation information for each route.

Validation Statistics For each peer, BMP messages SHOULD include counts of received routes categorized by their RPKI validation states. Rather than introducing a dedicated RPKI statistics message type, it is RECOMMENDED that RPKI-related statistics be reported using the existing BMP Statistics Report Message with new RPKI-specific Stat Type codes. This approach aligns with the existing BMP extension ecosystem, particularly the approach taken by . The new Stat Type codes SHOULD cover:

The number of routes in each validation state: Valid, Invalid, and Not-Found;
Optional statistics, such as the number of routes filtered as a result of RPKI validation.

This approach avoids the overhead of a new message type while providing a natural extension point for future RPKI-related statistics.

Per-Route Validation Report For any individual route, since it may go through multiple types of validations, and may hit multiple validation rules, BMP SHOULD report not only the overall validation state, but also every validation rule which is hit. Therefore, for per-route validation report, it is RECOMMENDED that a dedicated Validation Report Message RPKI_VALIDATION (Type = TBD2) be defined, by enhancing the original Route Monitoring Message with additional TLVs. These TLVs should describe:

The overall validation state, including Valid, Invalid or Unknown;
The types of validations the route goes through;
The information of all relevant validation rules, including the rule content (ROA entry for origin validation, ASPA entry for path validation, AS group set for region validation, etc), the data source, the expiration date, and the specific validation state for each rule.

Note that if the overall validation state is Valid, the specific validation state for every relevant validation rule should be valid; if the overall validation state is Unknown, there shouldn't be any relevant validation rule; if the overall validation state is Invalid, there should be at least one relevant validation rule whose specific validation state is Invalid.

Impact of RPKI Validation on Routing BMP SHOULD report the consequences of RPKI validation on route selection, with a particular focus on routes whose selection status is altered by RPKI validation:

Routes that are demoted due to RPKI validation (i.e., routes that would have been selected as the best path without RPKI but are not selected when RPKI is enabled);
Routes that are promoted due to RPKI validation (i.e., routes that would not have been selected as the best path without RPKI but are selected when RPKI is enabled).

For each route affected by RPKI validation, the BMP extension SHOULD report:

The validation information, as detailed in the Route Validation stage;
The actions applied to the route following validation, such as degradation of preference, attribute tagging, or exclusion from the selection process.

Furthermore, the BMP message SHOULD include information about the alternate best route:

For routes demoted due to RPKI, the message SHOULD report the new best route selected with RPKI enabled;
For routes promoted due to RPKI, the message SHOULD report the best route that would have been selected without RPKI.

This facilitates a direct comparison of routing decisions with and without RPKI, thereby enhancing the understanding of RPKI's influence on BGP path selection. To enable per-route reporting of RPKI's impact on BGP routing, it is RECOMMENDED that a dedicated Validation Impact Message RPKI_IMPACT (Type = TBD3) be defined, by enhancing the original Route Monitoring Message with additional TLVs, to capture changes in route handling due to RPKI validation and policies. When a route is affected — such as being dropped, deprioritized, or superseded by another route — due to RPKI validation, such message could be triggered to report the incident. This message SHOULD include:

The prefix and attributes of the affected route;
The RPKI validation state of the affected route;
Details of all the relevant RPKI validation rules of the affected route;
The policy action enforced on the affected route (e.g., drop, reduce priority, tag);
Information of the alternate best route, including its prefix, attributes, and RPKI validation state.

Relationship with Other Monitoring Mechanisms The extensions defined in this document are designed to complement, not replace, existing monitoring mechanisms for RPKI-related protocol state. In particular, the operational state of the RPKI-to-Router (RTR) protocol — including session management, protocol version negotiation, cache server health, synchronization sequence numbers, and PDU-level exchanges — is better addressed by YANG modeling and streaming telemetry. The division of responsibility is as follows:

YANG / streaming telemetry: RTR session management, protocol operations, cache server certificate details, and other operational state of the RTR protocol itself;
BMP (this document): what RPKI data the router has acquired (from any source), what validation rules are in effect, how each route is validated, and how validation outcomes change route selection — i.e., the impact of RPKI on BGP routing.

The RPKI data source status reported by the RPKI_CONFIG message () is intentionally kept at a summary level — just enough for a BMP consumer to know whether the router's RPKI data is current and complete, without delving into RTR protocol internals. Source-type-specific details (such as RTR protocol version or cache priority) are provided as optional extensions for implementations that find them useful, but are not required.

Security Considerations

Transmission Security To ensure the integrity and authenticity of the transmitted monitoring data on RPKI, BMP MUST support the following requirements:

Protocol safety: BMP MUST employ either TCP Authentication Option (TCP-AO) or Transport Layer Security (TLS) to encrypt the monitoring sessions.
Data integrity: BMP should enforce mechanism like end-to-end signatures to ensure the integrity of critical data such as ROA validation result fields and AS_PATH change records, and validate the integrity of the received data prior to extracting the content of the data to prevent the propagation of tampered or corrupted information. The signing/verification keys could be dynamically derived from the RPKI certificate authority chain or managed through other secure mechanisms, and form a cross-verification mechanism with the source AS validation results of BGP UPDATE messages (where applicable) to prevent malicious rollback or tampering of the related monitoring data during transmission.

Operational Security To ensure the extended BMP aligns with router's original configuration, BMP MUST support the following requirements:

Protocol transparency: The monitoring data collection must strictly adhere to the "zero-intrusion" principle. For operations involving the RTR protocol , only read-only interfaces are permitted to retrieve certificate synchronization status, and any modification to the router's local RPKI cache tree structure is prohibited. The polling frequency of monitoring probes should be restricted, and appropriate memory access layer protections must be implemented to prevent cache reconstruction triggered by monitoring data extraction. Additionally, the acquisition of collected ROA validation records should not interfere with real-time traffic processing.
Forward compatibility: When the router does not enable the monitoring function recommended by this standard, or when the monitoring function fails, its native RPKI validation process and BGP decision logic must maintain full functional consistency to prevent unintended routing policy changes caused by the monitoring mechanism.

IANA Considerations This document requires IANA to assign values for the following new BMP message types and their associated TLVs:

TBD1: RPKI_CONFIG — for reporting RPKI data source status and policy configuration;
TBD2: RPKI_VALIDATION — for reporting per-route RPKI validation details;
TBD3: RPKI_IMPACT — for reporting the impact of RPKI validation on routing decisions.

Additionally, this document requires IANA to assign new Stat Type codes for use within the existing BMP Statistics Report Message, to report RPKI-related validation statistics. The registration procedures for these assignments SHALL follow the policy outlined in .