RPKI & ROA Lookup

Check ASPA upstream provider authorization (IETF draft) and validate BGP route origins with RPKI ROAs. Enter an IP, prefix, or ASN to get started.

ROA Validation

Every BGP route checked against published Route Origin Authorizations

ASPA Records

Verify upstream provider authorization (IETF ASPA)

Hijack Detection

Identify RPKI-invalid routes that may indicate BGP hijacks

Real-Time Data

RPKI data updated regularly from all five RIR trust anchors

What You Get

RPKI validation status for any prefix (valid / invalid / not found)
ROA details: authorized ASN, max prefix length, trust anchor
ASPA upstream provider list per ASN
Downstream customer ASNs declaring an ASN as upstream
Cross-reference with BGP routes and IRR objects
Historical RPKI coverage trends on the stats page

Frequently Asked Questions

What is RPKI?

RPKI (Resource Public Key Infrastructure) is a cryptographic framework that lets IP address holders authorize specific ASNs to originate their prefixes in BGP. It prevents route hijacking by allowing networks to validate the origin of BGP announcements against signed ROA (Route Origin Authorization) objects.

What is ASPA?

ASPA (Autonomous System Provider Authorization) is a new RPKI object (draft-ietf-sidrops-aspa-profile) that lets an AS declare which other ASNs are its authorized upstream transit providers. This helps detect and prevent route leaks and path manipulation attacks in BGP.

What do RPKI statuses mean?

A 'valid' status means the BGP route's origin ASN and prefix length match a published ROA. 'Invalid' means there is a ROA covering the prefix, but the origin ASN or prefix length doesn't match - this may indicate a hijack. 'Not found' means no ROA exists for the prefix, so RPKI cannot validate it.
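
The three statuses can be reproduced offline with the origin validation procedure from RFC 6811. The sketch below is an added example, not ipctl's code or API; the function name is hypothetical, and the ROA entries are constructed from documentation prefixes and private-use ASNs rather than real RPKI data.

```python
import ipaddress

# Constructed sample ROAs: (prefix, maxLength, authorized origin ASN).
# Documentation prefixes and private-use ASNs, not real RPKI data.
SAMPLE_ROAS = [
    ("192.0.2.0/24", 25, 64500),
    ("2001:db8::/32", 48, 64502),
]

def validate_origin(route_prefix, origin_asn, roas=SAMPLE_ROAS):
    """Classify one BGP route as valid / invalid / not found.

    Returns (status, reasons); reasons lists why each covering ROA
    failed to match, which is what an operator triaging an
    'invalid' route needs to see.
    """
    route = ipaddress.ip_network(route_prefix)
    reasons = []
    for roa_prefix, max_length, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA covers the route if the route equals the ROA prefix
        # or is a more specific prefix inside it.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        if roa_asn != origin_asn:
            reasons.append(f"{roa_prefix}: origin AS{origin_asn} != AS{roa_asn}")
        elif route.prefixlen > max_length:
            reasons.append(
                f"{roa_prefix}: /{route.prefixlen} exceeds maxLength {max_length}")
        else:
            return "valid", []  # one matching ROA is enough
    # Covered by at least one ROA but matched none: invalid.
    # Covered by no ROA at all: not found.
    return ("invalid", reasons) if reasons else ("not found", [])

if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/25", 64500), ("192.0.2.0/26", 64500),
                        ("192.0.2.0/24", 64511), ("203.0.113.0/24", 64500)]:
        print(prefix, f"AS{asn}", *validate_origin(prefix, asn))
```

A more-specific announcement from the authorized ASN is still invalid once it is longer than the ROA's max prefix length, which is why the reason string separates that case from an origin mismatch.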

How is ASPA different from ROA?

ROAs validate which ASN can originate a prefix (the first hop). ASPA validates the provider-customer relationships along the AS path (intermediate hops). Together, they provide comprehensive BGP path security - ROA secures the origin, ASPA secures the path.

Can I query RPKI data via API?

Yes. The GET /v1/prefix/{prefix} endpoint returns RPKI validation status for any prefix. The GET /v1/asn/{asn} endpoint includes ASPA data showing upstream providers and downstream customers. Free tier includes 1,000 requests/day.

Programmatic Access

Query RPKI and ASPA data via the REST API. Get ROA validation for prefixes and ASPA provider relationships for any ASN.

curl "https://api.ipctl.io/v1/prefix/1.1.1.0/24"
curl "https://api.ipctl.io/v1/asn/6939"
API Documentation

Related tools

  • ASPA Lookup — dedicated tool for checking BGP provider authorization records.
  • BGP Route Lookup — check how a prefix is routed across the internet.
View RPKI & BGP Statistics

Track RPKI deployment, ASPA adoption, and routing table growth over time.