Resource Certification (RPKI)
What is Resource Certification?
Resource certification is a security framework that proves the association between specific IP address blocks or AS numbers (Internet number resources) and the holders of those Internet number resources. The certificates are proof of the resource holder’s right of use of their Internet number resources and can be validated cryptographically. Resource certification uses a framework called Resource Public Key Infrastructure (RPKI), which is based on an X.509 certificate profile defined in RFC3779.
Background
This initiative was developed within the IETF’s SIDR Working Group with the aim of helping to secure global routing. The NRO acts as a coordination point for the five Regional Internet Registries’ (RIRs) engineering teams to collaborate on this important cross-RIR project.
What Is a Resource Certificate?
An RIR creates a resource certificate, which is a verifiable digital statement that an Internet number resource (a block of IPv4 or IPv6 addresses, or an Autonomous System Number – ASN) has been registered by that RIR. In technical terms, it is an X.509 certificate with “Extensions for IP Addresses and AS Identifiers”, as described in RFC3779.
How Will This Secure Routing?
Once a certificate is created, the holder can use it to create a Route Origin Authorization (ROA). This is a digital document stating that, as the holders of a given range of IP addresses, you allow those addresses to be routed by specific Autonomous Systems (AS). By using an automated system to check actual routes against those described in the repository of ROAs maintained by the RIR, network operators can work with a new level of certainty that the traffic they are receiving is coming from a legitimately registered network.
Are There Privacy Concerns About Certification?
Resource certification is intended to improve technical reliability and therefore does not serve to verify a user’s identity. This means that a certificate does not contain any personal information or organization name.
Trust Anchor Locator
The single trust anchor is represented by a file called a ‘Trust Anchor Locator’ or TAL. It is very important that relying parties, who consume the products of the RIR RPKI system, have this TAL configured in their validator.
The TAL file contains both the location of the RIR RPKI repository and the RIR public key, which is used to cryptographically verify that the RIR has signed the artifacts within the RIR repository. The TAL is used with an RPKI Validator to verify the certificates and ROAs within the RIR RPKI repository. This validated information can then be used to make routing decisions in your network. You can find each RIR TAL file at AFRINIC | APNIC | ARIN | LACNIC | RIPE NCC
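A structural check on a TAL file before it is configured in a validator, as an added example (not code from the NRO or any RIR). It assumes the RFC 8630 layout of optional `#` comments, one or more URIs, a blank line, then the base64-encoded public key, and compares the key against a SHA-256 digest the operator obtained from the RIR separately. The sample TAL, key bytes, host name and function names are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed placeholder bytes shaped like a DER SEQUENCE; not a real RIR key.
CONSTRUCTED_SPKI = bytes([0x30, 14]) + b"not-a-real-key"
SAMPLE_PIN = hashlib.sha256(CONSTRUCTED_SPKI).hexdigest()
# Constructed TAL: comment, repository URIs, blank line, base64 key.
SAMPLE_TAL = (
    "# constructed example TAL\n"
    "https://rpki.example.net/ta/root.cer\n"
    "rsync://rpki.example.net/ta/root.cer\n"
    "\n" + base64.b64encode(CONSTRUCTED_SPKI).decode() + "\n"
)


def parse_tal(text: str):
    """Return (uris, der_key) or raise ValueError if the layout is wrong."""
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines) and lines[i].startswith("#"):
        i += 1                      # skip the leading comment section
    uris = []
    while i < len(lines) and lines[i]:
        uris.append(lines[i])       # URI section ends at the first blank line
        i += 1
    if not uris:
        raise ValueError("TAL has no repository URI")
    for uri in uris:
        if urlparse(uri).scheme not in ("rsync", "https"):
            raise ValueError(f"unexpected URI in TAL: {uri!r}")
    # The rest is the key, possibly wrapped; bad base64 raises ValueError.
    der = base64.b64decode("".join(lines[i:]), validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("public key is not a DER SEQUENCE")
    return uris, der


def key_matches_pin(der: bytes, pinned_sha256_hex: str) -> bool:
    """Compare the TAL key's SHA-256 digest with a separately obtained one."""
    digest = hashlib.sha256(der).hexdigest()
    return hmac.compare_digest(digest, pinned_sha256_hex.lower())


if __name__ == "__main__":
    uris, der = parse_tal(SAMPLE_TAL)
    print(uris, key_matches_pin(der, SAMPLE_PIN))
```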
Where can I find out more about RPKI?
While RPKI is a cross-RIR project, each RIR provides specific information for resource holders in its region. Find out more: AFRINIC | APNIC | ARIN | LACNIC | RIPE NCC
The NRO RPKI Program
What’s the NRO RPKI Program?
As a result of the NRO Strategic Review Process, the NRO agreed to work toward providing a robust, coordinated and secure RPKI service. To achieve this strategic goal, the NRO RPKI Program was created, with a more specific purpose of providing a more consistent and uniformly secure, resilient and reliable RPKI service, removing barriers for RPKI adoption currently experienced by network operators who create RPKI objects through multiple RIRs.
Who are we?
The RPKI Program Team consists of:
- The NRO EC, as the executive sponsor of the program, with a role of strategic goal prioritisation, approval and funding
- The NRO RPKI Program Manager, with a role of operational direction, oversight and support
- The RPKI Steering Group, which includes RPKI experts from the five RIRs and has a role of specific direction and advice related to agreed objectives
- Other RIR RPKI Subject Matter Experts (SMEs) and consultative groups, with a role of goal delivery and execution
What are we aiming to achieve?
Firstly, we want to gain a better understanding of what a single, global RPKI system would look like. We would like to know more about the expectations from the community in terms of consistency across the Regional Internet Registries (RIRs) in their RPKI implementations.
While we work with the community to clearly define what a single, global RPKI system would look like, we will start working on improving some other aspects of the RPKI system — namely robustness and security.
We plan to focus on better measuring the robustness of the RPKI system as a whole by agreeing on the aspects of robustness that should be measured, and clearly documenting the current status and any relevant planned development initiatives for each RIR regarding those aspects, so that in the future we can make this information public in a uniform way.
We also want to enhance the security consistency of the RPKI system across the different RIRs by establishing a baseline, working with the guidance of security experts on setting the minimum security requirements, and identifying the gaps per RIR, so we can then prioritise those gaps and work towards closing them.
Finally, we will work to keep the technical community informed and engaged throughout the program and to address RPKI-related concerns in a coordinated way.
Get in touch
Do you have any questions, ideas or input that you would like to share?
Email us at rpki_program [at] nro.net
Your feedback is a valuable component of efforts to improve RPKI implementation across the registry system. Input received from RPKI users, through direct email or in response to periodic surveys, provides data that informs discussion and helps shape future improvements in alignment with the strategic goals of the RPKI Program.
We appreciate the insights and experiences that community members share to make RPKI better for everyone.
More Information:
- Are differences in RIR RPKI implementations hindering RPKI adoption? (August 2024) (Read the article on the Afrinic blog, APNIC blog, ARIN blog, LACNIC blog, RIPE Labs)
- Working towards a coordinated RPKI system (May 2024) (Read the article on the Afrinic blog, APNIC blog, ARIN blog, LACNIC blog, RIPE Labs)
- Improving Regional Internet Registry Alignment in the RPKI Space (March 2024) (Read the article on the Afrinic blog, APNIC blog, ARIN blog, LACNIC blog, RIPE Labs)
- RIRs prepare to deploy “All Resources” RPKI Service (2017)
- NRO Communication to ICANN on RPKI Global Trust Anchor (2011)
- NRO Response to ICANN regarding Secure Routing & RPKI (2010)
- NRO Declaration on RPKI (2009)
Last modified on 19/09/2024