How does BGPsec differ from RPKI in scope and requirements?


Multiple Choice

How does BGPsec differ from RPKI in scope and requirements?

Explanation:
The main idea this item tests is the difference in what each technology proves and what it requires to do so. RPKI focuses on origin validation: using a PKI and ROAs, it authorizes which autonomous systems are allowed to originate a given prefix. With this, a router can check that the route's origin AS matches the authorizations in the ROA. But this stops at the origin; it does not verify the rest of the AS path. So a route could originate correctly yet be tampered with along the path, and RPKI alone would not flag it.

BGPsec expands the security model to the path as a whole. It requires that each AS along the route signs its contribution to the path (the AS_PATH segment), so downstream routers can verify the entire path from origin to destination. This end-to-end path validation with per-hop signatures catches alterations such as path injections or deletions that RPKI alone would miss. Implementing it, however, brings stronger requirements: networks must operate BGPsec-capable routers, manage and distribute cryptographic keys for each AS, and handle the associated performance and management overhead.

So the correct statement reflects that RPKI provides origin validation, while BGPsec adds end-to-end path validation with per-hop signatures. The other options are inaccurate because BGPsec is not IPv6-only, RPKI is not deprecated, and BGPsec does not merely validate the next hop.
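The origin-only scope described above, as an added example that is not part of the original quiz item: a small RFC 6811-style route origin check over constructed ROA data, showing that two announcements with the same origin but different intermediate ASes get the same verdict. The function name, prefixes and AS numbers are assumptions (documentation ranges), the AS path is assumed to be a plain list of AS numbers, and BGPsec signatures are not modelled.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): (prefix, max length, authorized origin AS).
VRPS = [
    (ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    (ipaddress.ip_network("2001:db8::/32"), 48, 64497),
]


def origin_validation(prefix, as_path, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for a route, RFC 6811 style.

    Only the origin (rightmost AS in as_path) is examined; every other
    AS in the path is ignored, which is exactly the gap BGPsec addresses.
    """
    route = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        # Skip VRPs of the other address family or that do not cover the route.
        if route.version != vrp_prefix.version or not route.subnet_of(vrp_prefix):
            continue
        covered = True
        if route.prefixlen <= max_len and asn == origin:
            return "valid"
    # Covered by a ROA but no match means invalid; no covering ROA means not-found.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    routes = [
        ("192.0.2.0/24", [64500, 64499, 64496]),     # path as sent
        ("192.0.2.0/24", [64500, 64511, 64496]),     # intermediate AS altered
        ("192.0.2.0/24", [64500, 64499]),            # wrong origin AS
        ("192.0.2.0/25", [64500, 64499, 64496]),     # longer than maxLength
        ("198.51.100.0/24", [64500, 64496]),         # no covering ROA
    ]
    for prefix, path in routes:
        print(prefix, path, "->", origin_validation(prefix, path))
```

The first two routes both come back `valid` even though the middle of the path differs, while the wrong-origin and too-specific announcements are `invalid`.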
