Resource Certification, also referred to as Resource Public Key Infrastructure (RPKI), is a robust security framework for verifying the association between resource holders and their Internet resources. In this context, ‘resource holders’ are organizations such as Regional Internet Registries (RIRs), Local Internet Registries (LIRs), ISPs, or end-user organizations, while ‘Internet resources’ are IPv4 and IPv6 address blocks and Autonomous System Numbers (ASNs). The framework was developed within the IETF’s SIDR Working Group and among the various RIRs. In 2011, the five RIRs will deploy a system of Internet resource certification. What is it and what does it mean for you?
What Is a Resource Certificate?
A resource certificate created by one of the five RIRs is a verifiable digital statement that an Internet number resource (a block of IPv4 or IPv6 addresses, or an Autonomous System Number) has been registered by that RIR.
In technical terms, it is an X.509 certificate with “Extensions for IP Addresses and AS Identifiers”, as described in RFC3779.
What Can Be Certified?
Any Internet number resource can be certified. In practice, however, the RIRs will roll out the system gradually, initially allowing their members to certify only a subset of resources. Speak to your RIR for more details of their deployment plan.
How Will This Secure Routing?
Once a certificate is created, the holder can use it to create a Route Origin Authorization (ROA). This is a digital document, signed with the certificate's key, in which the holder of a given range of IP addresses states which specific Autonomous Systems are allowed to originate routes for those addresses.
By using an automated system to check actual routes against those described in the repository of ROAs maintained by the RIR, network operators can determine with a new level of certainty that a route announcement they receive originates from the network legitimately registered to hold those addresses.
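The origin check described above, as an added example that is not part of the original page: a small Python implementation of route origin validation (the RFC 6811 Valid / Invalid / NotFound outcomes) over a constructed list of already-validated ROAs. It assumes that relying-party software has already verified the ROA signatures, and that each ROA carries a prefix, a maximum prefix length and an authorised ASN, as real ROAs do.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    """One validated ROA payload (signature checking assumed done elsewhere)."""
    prefix: str       # address block the holder is authorising, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the ASN may announce within that block
    asn: int          # Autonomous System authorised to originate the routes


# Constructed sample ROAs using documentation prefixes and private ASNs; not real registrations.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
    ROA("198.51.100.0/24", 24, 64497),
]


def covering_roas(roas, prefix):
    """Return every ROA whose prefix covers (equals or contains) the announced prefix."""
    net = ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    return covering


def validate_origin(roas, prefix, origin_asn):
    """Classify a BGP announcement as 'valid', 'invalid' or 'notfound'.

    notfound: no ROA covers the prefix, so RPKI says nothing about it.
    valid:    a covering ROA names the origin AS and the announced prefix
              is no more specific than that ROA's max_length allows.
    invalid:  ROAs cover the prefix but none authorises this origin AS at
              this prefix length (wrong AS, or announcement too specific).
    """
    net = ip_network(prefix, strict=False)
    covering = covering_roas(roas, prefix)
    if not covering:
        return "notfound"
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"
```

An operator's router or validator would apply a policy to these states, for example dropping or de-preferencing 'invalid' announcements while still accepting 'notfound' ones during deployment.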
Are There Privacy Concerns About Certification?
Resource certification is intended to improve technical reliability; it does not serve to verify a user’s identity. This means that a certificate does not contain any personal information or an organisation name.
Digital certificates have helped make business on the Internet more secure. Now we are using resource certificates to make the Internet itself more secure!
Internet number resource: A block of IPv4 or IPv6 addresses, or an Autonomous System Number
Internet resource certificate: A digital statement, based on Public Key Infrastructure (PKI) principles, stating that the holder of a specific private key has been assigned or allocated the particular resource.
Resource certification system: A system to manage the creation and storage of digital certificates and the associated Route Origin Authorization (ROA) documents.
- The NRO & Resource Certification (RPKI)
- Update on Global Deployment of Resource Certification (2 December 2010)