nw nwtools

RPKI ROA Check

Validate whether a routed prefix is authorized to originate from an ASN.

Use RPKI ROA Check to compare a public IP or routed prefix with public route-origin authorization data so you can quickly see whether the visible origin looks valid, invalid, or uncovered before moving to deeper routing analysis.

Check route-origin authorization before assuming the live prefix and ASN are trustworthy.

When to use this tool

You need to verify whether a routed prefix is authorized to originate from a specific ASN.

A route leak, hijack, or wrong-origin event is suspected and you need a fast RPKI check first.

An IP address lands in an unexpected network and you want to confirm whether the visible origin is covered by a ROA.

You have a prefix and ASN from logs or routing data and need to validate the origin before going deeper.

You want to compare route-origin expectations with what public routing data currently shows.

You need a quick next step before moving to deeper BGP or RPKI tooling.

How to interpret results

Valid

The prefix and ASN combination matches a covering ROA.

Common causes: The origin ASN is authorized for the prefix length being announced.

Next action: This supports the route-origin expectation. Continue to routing-path or reachability checks if the issue remains.

Invalid ASN

A covering ROA exists, but for a different ASN.

Common causes: The wrong origin may be announcing the prefix, or the expected ROA may not match the live route.

Next action: Compare the visible origin with ASN Lookup and review the ROA configuration for the prefix.

Invalid length

The prefix is more specific than the ROA allows.

Common causes: The route may be announced with a prefix length that exceeds the ROA max length.

Next action: Review the ROA max length and the exact routed prefix size before changing anything else.

Unknown

No covering ROA was found for the prefix and ASN combination.

Common causes: The prefix may not be covered by RPKI, or the wrong prefix/origin may have been checked.

Next action: Confirm the routed prefix and origin ASN, then decide whether a ROA should exist.

No visible origin

The routing dataset did not return a usable public origin ASN for the resource.

Common causes: The resource may not be publicly visible, may be private, or may not have current route visibility.

Next action: Confirm that the IP or prefix is public and currently routed before assuming an RPKI issue.

Common issues this tool helps uncover

The visible origin ASN does not match the ROA-authorized ASN

The prefix length being announced is more specific than the ROA allows

A route looks correct operationally but has no visible ROA coverage

An IP was checked instead of the routed prefix, hiding the actual validation target

The routed prefix belongs to the expected network but the live origin has changed

The resource is not visible enough in public routing data to derive an origin cleanly

Next steps

Run ASN Lookup

Confirm the operator and ownership context for the origin ASN you are validating.

Run ASN Lookup

Run Traceroute

If routing still looks wrong, inspect the network path next.

Run Traceroute

Check IP Lookup

If you started from an IP address, compare the returned prefix and network metadata.

Check IP Lookup

Open DNS Lookup

If the routing issue started from a hostname or domain, compare it with the DNS layer next.

Open DNS Lookup

Related tools

ASN Lookup

Look up AS numbers, prefixes, and operator ownership details.

routing-asn
Open tool

Traceroute

Trace the network path between a client and destination host.

ip-network
Open tool

IP Lookup

Inspect basic ownership, reverse DNS, and network details for an IP.

ip-network
Open tool

Subnet Calculator

Calculate network ranges, masks, and host counts from CIDR blocks.

ip-network
Open tool

DNS Lookup

Query A, AAAA, CNAME, TXT, and other DNS records for a domain.

dns
Open tool

RPKI ROA Check FAQ

What does RPKI ROA Check do?

It checks whether a routed prefix is authorized to originate from a specific ASN according to public RPKI validation data.

What input should I enter?

Enter a public IP address or routed prefix. Optionally enter an origin ASN such as AS15169 if you want to validate a specific origin directly.

What happens if I do not enter an ASN?

The tool will try to derive one or more visible origin ASNs from public routing data for the entered IP or prefix and validate those automatically.

What does invalid ASN mean?

It means a covering ROA exists for the prefix, but the live or tested origin ASN does not match the authorized ASN in that ROA.

What should I check after this tool?

Usually ASN Lookup, Traceroute, IP Lookup, and the exact routed prefix or ROA configuration for the affected network.

Keep navigating

View all Routing & ASN tools Run ASN Lookup Run Traceroute Check IP Lookup Open DNS Lookup Browse all tools