Resource Certification (RPKI)

What is Resource Certification?

Resource certification is a security framework that proves the association between specific IP address blocks or AS numbers (Internet number resources) and the holders of those Internet number resources. The certificates are proof of the resource holder’s right of use of their Internet number resources and can be validated cryptographically. Resource certification uses a framework called Resource Public Key Infrastructure (RPKI), which is based on an X.509 certificate profile defined in RFC3779.


This initiative was developed within the IETF’s SIDR Working Group with the aim to help secure global routing. The NRO acts as a coordination point for the five ‘ (RIRs) Engineering teams to collaborate on this important cross-RIR project.

What Is a Resource Certificate?

An RIR creates a resource certificate, which is a verifiable digital statement that an Internet number resource (a block of IPv4 or IPv6 addresses, or an Autonomous System Number – ASN) has been registered by that RIR. In technical terms, it is an X.509 certificate with “Extensions for IP Addresses and AS Identifiers”, as described in RFC3779.

How Will This Secure Routing?

Once a certificate is created, the holder can use it to create a Route Origin Authorization (ROA). This is a digital document stating that, as the holders of a given range of IP addresses, you allow those addresses to be routed by specific Autonomous Systems (AS). By using an automated system to check actual routes against those described in the repository of ROAs maintained by the RIR, network operators can work with a new level of certainty that the traffic they are receiving is coming from a legitimately registered network.

Are There Privacy Concerns About Certification?

Resource certification is intended to improve technical reliability and therefore it does not serve to verify a user’s identity. This means that a certificate does not contain any personal information or organization’s name.

Trust Anchor Locator

The single trust anchor is represented by a file called a ‘Trust Anchor Locator’ or TAL. It is very important that relying parties, who consume the products of the RIR RPKI system have this TAL configured into their validator.

The TAL file contains both the location of the RIR RPKI repository and the RIR public key, which is used to cryptographically verify that the RIR has signed the artifacts within the RIR repository. The TAL is used with an RPKI Validator to verify the certificates and ROAs within the RIR RPKI repository. This validated information can then be used to make routing decisions in your network. You can find each RIR TAL file at AFRINIC | APNIC | ARIN | LACNIC | RIPE NCC

Where can I find out more about RPKI?

While RPKI is a cross-RIR project, each RIR provides specific information for resource holders in its region. Find out more:  AFRINIC | APNIC | ARIN | LACNIC | RIPE NCC

The NRO RPKI Program

What’s the NRO RPKI Program?

As a result of the NRO Strategic Review Process, the NRO agreed to work toward providing a robust, coordinated and secure RPKI service. To achieve this strategic goal, the NRO RPKI Program was created, with a more specific purpose of providing a more consistent and uniformly secure, resilient and reliable RPKI service, removing barriers for RPKI adoption currently experienced by network operators who create RPKI objects through multiple RIRs.

Who are we?

The RPKI Program Team consists of:

  • The NRO EC, as the executive sponsor of the program, with a role of strategic goal prioritisation, approval and funding
  • The NRO RPKI Program Manager, with a role of operational direction, oversight and support
  • The RPKI Steering Group, which includes RPKI experts from the five RIRs and has a role of specific direction and advise related to agreed objectives
  • Other RIR RPKI Subject Matter Experts (SMEs) and consultative groups, with a role of goal delivery and execution

Get in touch

Do you have any questions, ideas or input that you would like to share?
Email us at rpki_program [at]

More Information:

Last modified on 29/02/2024