11 July 2017

Regional Internet Registries are preparing to deploy “All Resources” RPKI Service

By 30 September 2017, each RIR will have moved from an RPKI Trust Anchor that reflects their current holdings to one that reflects all holdings (0/0), as further detailed in the “All Resources Applicability Statement” dated 21 January 2017:

https://www.ietf.org/archive/id/draft-rir-rpki-allres-ta-app-statement-01.txt

“This document provides an applicability statement for the use of multiple, over-claiming ‘all resources’ (0/0) RPKI certificate authorities (CA) certificates used as trust anchors (TAs) operated by the Regional Internet Registry community to help mitigate the risk of massive downstream invalidation in the case of transient registry inconsistencies.”

To mitigate this risk, the RIRs have agreed to move from a Trust Anchor that reflects only their current holdings to one that reflects all holdings. This improvement will provide a more robust way of allowing resources that are covered under RPKI to be transferred from one RIR to another. Prior to this change, each RIR will be working with its RPKI user community to prepare for the transition.

The NRO encourages members of the Internet community to certify their resources through RPKI. Internet routing today is vulnerable to hijacking, and the provisioning and use of certificates is one of the first steps required to make routing more secure. Widespread RPKI adoption will help simplify IP address holder verification and routing decision-making around the world.
