Which mechanism best complements BGP security by validating route origins?

Validating where a BGP route comes from is about ensuring the origin AS is authorized to announce that prefix. RPKI-based validation uses Route Origin Authorizations and a cryptographic trust framework to confirm that a given AS is permitted to originate a specific prefix. Routers check announcements against these ROAs and label them as valid, invalid, or unknown, which helps prevent origin hijacks and misoriginations. The other options don’t provide cryptographic origin proof: MD5 protects the BGP session but not the legitimacy of the route origin; Unicast RPF guards against spoofed packets on the data plane rather than validating BGP origin; prefix filtering is a configuration-based safeguard without cryptographic validation.