Resource Certification (RPKI)


What is Resource Certification?

Resource certification is a security framework that proves the association between specific IP address blocks or AS numbers (Internet number resources) and the holders of those Internet number resources. The certificates are proof of the resource holder’s right of use of their Internet number resources and can be validated cryptographically. Resource certification uses a framework called Resource Public Key Infrastructure (RPKI), which is based on an X.509 certificate profile defined in RFC3779.

Background

This initiative was developed within the IETF’s SIDR Working Group with the aim of helping to secure global routing. The NRO acts as a coordination point for the five Regional Internet Registries’ (RIRs) engineering teams to collaborate on this important cross-RIR project.

What Is a Resource Certificate?

An RIR creates a resource certificate, which is a verifiable digital statement that an Internet number resource (a block of IPv4 or IPv6 addresses, or an Autonomous System Number – ASN) has been registered by that RIR. In technical terms, it is an X.509 certificate with “Extensions for IP Addresses and AS Identifiers”, as described in RFC3779.

How Will This Secure Routing?

Once a certificate is created, the holder can use it to create a Route Origin Authorization (ROA). This is a digital document stating that, as the holder of a given range of IP addresses, you allow those addresses to be routed by specific Autonomous Systems (AS). By using an automated system to check actual routes against those described in the repository of ROAs maintained by the RIR, network operators can work with a new level of certainty that the traffic they are receiving is coming from a legitimately registered network.
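The check described above, written out as route origin validation following RFC 6811 (an added example, not code from the NRO or from any RIR validator). It goes beyond the text by including the ROA maximum prefix length and the three outcome states; the prefixes and AS numbers are constructed documentation values.

```python
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """One validated ROA entry: prefix, longest allowed length, origin AS."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample data using documentation prefixes and ASNs, not real ROAs.
VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("2001:db8::/32", 48, 64497),
]

ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),      # matches the ROA exactly
    ("192.0.2.0/24", 64511),      # covered, but wrong origin AS
    ("192.0.2.128/25", 64496),    # right AS, longer than max_length
    ("2001:db8:1::/48", 64497),   # within max_length of the covering ROA
    ("203.0.113.0/24", 64496),    # no ROA covers this prefix
]


def validate_origin(route_prefix, origin_asn, vrps):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA speaks for this address space
        if route.prefixlen <= vrp.max_length and origin_asn == vrp.asn:
            return "valid"
    # Covered but never matched means the origin is not authorized.
    return "invalid" if covered else "not-found"


def classify(announcements, vrps):
    return [validate_origin(p, a, vrps) for p, a in announcements]


if __name__ == "__main__":
    for (prefix, asn), state in zip(ANNOUNCEMENTS, classify(ANNOUNCEMENTS, VRPS)):
        print(f"{prefix:<18} AS{asn:<6} {state}")
```

A route with no covering ROA is "not-found" rather than "invalid", so creating a ROA changes how more-specific and wrong-origin announcements of that space are classified.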

Are There Privacy Concerns About Certification?

Resource certification is intended to improve technical reliability and therefore it does not serve to verify a user’s identity. This means that a certificate does not contain any personal information or an organization’s name.

Trust Anchor Locator

The single trust anchor is represented by a file called a ‘Trust Anchor Locator’ or TAL. It is very important that relying parties, who consume the products of the RIR RPKI system, have this TAL configured in their validator.

The TAL file contains both the location of the RIR RPKI repository and the RIR public key, which is used to cryptographically verify that the RIR has signed the artifacts within the RIR repository. The TAL is used with an RPKI Validator to verify the certificates and ROAs within the RIR RPKI repository. This validated information can then be used to make routing decisions in your network. You can find each RIR TAL file at AFRINIC | APNIC | ARIN | LACNIC | RIPE NCC
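The two parts of a TAL named above can be read and compared with a short script; this is an added example, not code from the NRO or an RIR, and it assumes the file layout of RFC 8630. The host rpki.example.net, the key bytes and the function names are constructed for illustration.

```python
import base64
import hashlib
from urllib.parse import urlparse

# Constructed stand-in for a DER subjectPublicKeyInfo, not a real RIR key.
SAMPLE_KEY = b"\x30\x0d" + bytes(range(13))
SAMPLE_TAL = (
    "# constructed example TAL\n"
    "https://rpki.example.net/ta/root.cer\n"
    "rsync://rpki.example.net/ta/root.cer\n"
    "\n" + base64.encodebytes(SAMPLE_KEY).decode()
)


def parse_tal(text):
    """Return (uris, spki_der) from a TAL laid out as in RFC 8630:
    optional '#' comment lines, one or more URIs, a blank line, base64 key."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if not ln.startswith("#")]
    if "" not in lines:
        raise ValueError("no blank line between URI section and key")
    split = lines.index("")
    uris, key_b64 = lines[:split], "".join(lines[split + 1:])
    if not uris:
        raise ValueError("TAL has no trust anchor URI")
    for uri in uris:
        if urlparse(uri).scheme not in ("rsync", "https"):
            raise ValueError(f"unexpected URI scheme: {uri}")
    der = base64.b64decode(key_b64, validate=True)
    if not der or der[0] != 0x30:  # DER SEQUENCE tag opens a public key info
        raise ValueError("key section is not DER-encoded")
    return uris, der


def key_fingerprint(text):
    """SHA-256 of the public key, for comparing two copies of a TAL."""
    return hashlib.sha256(parse_tal(text)[1]).hexdigest()


def same_trust_anchor(configured_tal, published_tal):
    """True when both TAL copies pin the same public key."""
    return key_fingerprint(configured_tal) == key_fingerprint(published_tal)
```

Comparing the key of the TAL loaded in a validator against the copy published by the RIR shows whether the validator is anchored to the intended key, independent of comment or URI differences.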

What is the status of the RIRs’ RPKI systems?

Where can I find out more about RPKI?

While RPKI is a cross-RIR project, each RIR provides specific information for resource holders in its region. Find out more:  AFRINIC | APNIC | ARIN | LACNIC | RIPE NCC
 

The NRO RPKI Program

What’s the NRO RPKI Program?

As a result of the NRO Strategic Review Process, the NRO agreed to work toward providing a robust, coordinated and secure RPKI service. To achieve this strategic goal, the NRO RPKI Program was created, with a more specific purpose of providing a more consistent and uniformly secure, resilient and reliable RPKI service, removing barriers for RPKI adoption currently experienced by network operators who create RPKI objects through multiple RIRs.

Who are we?

The RPKI Program Team consists of:

  • The NRO EC, as the executive sponsor of the program, with a role of strategic goal prioritisation, approval and funding
  • The NRO RPKI Program Manager, with a role of operational direction, oversight and support
  • The RPKI Steering Group, which includes RPKI experts from the five RIRs and has a role of specific direction and advice related to agreed objectives
  • Other RIR RPKI Subject Matter Experts (SMEs) and consultative groups, with a role of goal delivery and execution

What are we aiming to achieve?

2024 Objectives

In 2024, the first year of the NRO RPKI Program, we agreed to work toward gaining a better understanding of what a single, global RPKI system would look like; better measuring the robustness of the RPKI system as a whole and enhancing the security consistency of the RPKI system across the different RIRs, while keeping the technical community informed and engaged throughout the program and addressing RPKI-related concerns in a coordinated way.

2025 Objectives

For 2025, we have streamlined our objectives into two primary areas:

1) Enhancing the transparency, robustness and security of the RPKI system.

Our first objective is to gain a better understanding and make progress toward improved transparency, robustness, and security of the RPKI system. A key focus will be to publish a solution for consultation with the technical community that addresses current concerns regarding the RPKI trust anchor configuration.

2) Increasing the consistency of the RPKI system user experience across RIRs.

Additionally, we hope to increase the consistency of the RPKI system user experience. This will involve consolidating RPKI-related documentation, standardizing terminology, and aligning on recommended best practices. We are also planning to complete a comprehensive gap analysis of the RPKI user interfaces across all RIRs and produce a roadmap for implementation of an agreed set of core RPKI features.

This work will be performed while keeping the technical community informed and engaged throughout the program by sharing updates and publishing relevant documents.

Get in touch

Do you have any questions, ideas or input that you would like to share?
Email us at rpki_program [at] nro.net

Your feedback is a valuable component of efforts to improve RPKI implementation across the registry system. Input received from RPKI users, through direct email or in response to periodic surveys, provides data that informs discussion and helps shape future improvements in alignment with the strategic goals of the RPKI Program.

We appreciate the insights and experiences that community members share to make RPKI better for everyone.


Last modified on 12/03/2025