With global Route Origin Authorization (ROA) coverage surpassing 50% for both IPv4 and IPv6, implementing Route Origin Validation (ROV) has become increasingly critical for securing network operations. Network operators, developers, and even end users might wonder whether their networks are correctly configured for ROV or if they are truly safeguarded by ROV. To address these concerns and promote adoption, JPNIC developed the rov-check project — a straightforward tool designed to quickly verify the ROV deployment of your network.
The rov-check project is presented as an accessible, intuitive web application available globally, enabling users to instantly examine their network’s ROV protection status. This verification process requires only a simple action: Users accept the Terms of Use by clicking a single button to initiate the check.
How rov-check works
The rov-check backend system functions by advertising three distinct BGP prefixes, each representing different conditions related to their associated RPKI ROA configurations:
- Valid prefix: A correctly configured ROA that exactly matches the BGP origin Autonomous System (AS). Relying Party (RP) software recognizes this route as ‘Valid’ and routers implementing ROV forward packets to/from this prefix normally.
- Invalid prefix: An intentionally misconfigured ROA where the origin AS specified in the ROA differs from the one advertised in BGP. RP software determines this route as ‘Invalid’ and routers implementing ROV drop the related traffic.
- NotFound prefix: No ROA exists for this prefix. RP software classifies this route as ‘NotFound’ or ‘Unknown’ and routers implementing ROV forward the associated packets normally. Serving as a control, the NotFound prefix ensures that connectivity differences observed are genuinely due to RPKI validation effects and not influenced by other routing issues.
When users run a test on rov-check, JavaScript client code running in their web browser attempts to connect to specific endpoints hosted in each prefix. These endpoints simply return a JSON response indicating successful connectivity. The client then evaluates these responses according to the following logic:
- If the Invalid prefix endpoint is unreachable or times out, but successful responses are received from both Valid and NotFound endpoints, the user’s network is classified as ‘Protected by ROV’.
- If responses are successfully received from all three endpoints, the user’s network is considered ‘Not protected by ROV’.
- Any other pattern of responses results in the network’s status being classified as ‘Unknown’.
This evaluation is conducted independently over IPv4 and IPv6, clearly highlighting the ROV status separately for each protocol and ensuring comprehensive insight into network security.
After completing the test, the client automatically sends the results, timestamp, and IP address to the server, enabling rov-check to perform in-depth analysis.
Comparison with existing tools
Similar projects have preceded rov-check, such as Cloudflare’s Is BGP Safe Yet? and NLNetLabs’ rpkitest. While they share a common goal of evaluating ROV implementation in the user’s network, rov-check distinguishes itself in several important ways:
- Compared to Is BGP Safe Yet? rov-check explicitly tests both IPv4 and IPv6 independently. This approach allows rov-check to assess potential differences in ROV implementation or BGP path selection influenced by the IP version.
- Unlike rpkitest, rov-check does not verify ROA creation status directly. Rather, it focuses on the ROV implementation status. Additionally, rov-check uses a different method for advertising invalid routes.
Each tool operates with unique implementations and from different AS perspectives. The rov-check experimental AS is currently located in Japan under the JPNIC network, providing a specifically Japanese domestic routing perspective. Using multiple tools for cross-checking can give users comprehensive insights into their network’s ROV status.
You can also see how ROV measurement is done in APNIC Labs and RoVISTA.
Why rov-check is essential
Accurate implementation and widespread adoption of ROV significantly reduces the risk of route hijacking or mis-origination, whether intentional or accidental. RPKI provides cryptographic proof to validate route origins, building trust and reliability within the global routing system. Despite its clear benefits, deployment remains inconsistent across regions and varies greatly among network operators. The rov-check project addresses this challenge by offering an easy-to-use verification tool that empowers stakeholders — regardless of technical expertise — to assess their network’s protection level.
Moreover, rov-check offers educational value, giving users clear insights into routing security fundamentals by disclosing the backend system on the same web page. We believe this approach helps drive awareness and encourages active participation in securing domestic and global routing infrastructure.
JPNIC’s RPKI research focus
JPNIC’s series of RPKI research projects primarily focus on evaluating whether and how critical Internet environments used daily in Japan are effectively protected by RPKI. Complementary projects leverage rov-check’s invalid route advertisements to assess access to essential services, including government online platforms, online banking, social networking sites, and authoritative DNS servers via invalid routes. This approach helps determine whether major domestic networks and their routing paths correctly implement ROV.
Encouraging practical engagement
Although many outputs from JPNIC’s RPKI research projects are not yet publicly available, rov-check offers a uniquely accessible platform that allows end users to directly participate in the research. We encourage people to proactively use rov-check across various networks — whether at home, on mobile, or within corporate or school environments. This hands-on engagement helps users gain a clearer understanding of their network security status.
Those interested in rov-check or other network security research initiatives at JPNIC are welcome to reach out to us via arch-info@nic.ad.jp.
Collaborative efforts
Effective collaboration is vital for increasing ROV implementation globally. Recognizing this, JPNIC actively participates in international partnerships, exchanges insights, and aligns efforts with various stakeholders, including Regional Internet Registries (RIRs), network operators, Internet Service Providers (ISPs), and transit networks. Crucially, cooperation from our transit AS operators is essential since their ROV implementation could impact accurate testing using the Invalid route.
Future direction
Looking ahead, rov-check is expected to introduce new features aimed at delivering deeper analytical insights and improving usability. Furthermore, analysing rov-check results collected from clients — combined with integration into experiments from other projects — will provide more comprehensive insights into the measures needed to secure the Internet.
JPNIC also plans to strengthen international engagement through initiatives such as our annual event, Internet Week, as well as participation in RIR, IXP, and IETF meetings. These efforts will promote knowledge sharing and accelerate the global adoption of ROV best practices, contributing to a safer and more resilient internet infrastructure.
Wataru (Alt) Ohgai is a network engineer at JPNIC, working primarily in Internet Infrastructure Planning within the Internet Development department and in the Engineering department. He is involved in research, operations, and outreach activities related to Internet technologies and policies, both domestically and internationally.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.