Resource Certification (RPKI)
Resource certification is a security framework that proves the association between specific IP address blocks or AS numbers (Internet number resources) and the holders of those Internet number resources. The certificates are proof of the resource holder’s right of use of their Internet number resources and can be validated cryptographically. Resource certification uses a framework called Resource Public Key Infrastructure (RPKI), which is based on an X.509 certificate profile defined in RFC3779.
Background
This initiative was developed within the IETF’s SIDR Working Group with the aim to help secure global routing. The NRO acts as a coordination point for the five ‘ (RIRs) Engineering teams to collaborate on this important cross-RIR project.
What Is a Resource Certificate?
An RIR creates a resource certificate, which is a verifiable digital statement that an Internet number resource (a block of IPv4 or IPv6 addresses, or an Autonomous System Number – ASN) has been registered by that RIR. In technical terms, it is an X.509 certificate with “Extensions for IP Addresses and AS Identifiers”, as described in RFC3779.
How Will This Secure Routing?
Once a certificate is created, the holder can use it to create a Route Origin Authorization (ROA). This is a digital document stating that, as the holders of a given range of IP addresses, you allow those addresses to be routed by specific Autonomous Systems (AS). By using an automated system to check actual routes against those described in the repository of ROAs maintained by the RIR, network operators can work with a new level of certainty that the traffic they are receiving is coming from a legitimately registered network.
Are There Privacy Concerns About Certification?
Resource certification is intended to improve technical reliability and therefore it does not serve to verify a user’s identity. This means that a certificate does not contain any personal information or organization’s name.
Trust Anchor Locator
The single trust anchor is represented by a file called a ‘Trust Anchor Locator’ or TAL. It is very important that relying parties, who consume the products of the RIR RPKI system have this TAL configured into their validator.
The TAL file contains both the location of the RIR RPKI repository and the RIR public key, which is used to cryptographically verify that the RIR has signed the artifacts within the RIR repository. The TAL is used with an RPKI Validator to verify the certificates and ROAs within the RIR RPKI repository. This validated information can then be used to make routing decisions in your network. You can find each RIR TAL file at AFRINIC | APNIC | ARIN | LACNIC | RIPE NCC
Where can I find out more about RPKI?
While RPKI is a cross-RIR project, each RIR provides specific information for resource holders in its region. Find out more: AFRINIC | APNIC | ARIN | LACNIC | RIPE NCC
More Information:
- RIRs prepare to deploy “All Resources” RPKI Service (2017)
- NRO Communication to ICANN on RPKI Global Trust Anchor (2011)
- NRO Response to ICANN regarding Secure Routing & RPKI (2010)
- NRO Declaration on RPKI (2009)
Last modified on 24/09/2021