General Information: Resource Certification System (RPKI)


LACNIC, the Latin American and Caribbean Internet Addresses Registry, operates a Resource Certification System (RPKI) for the Internet number resources it administers.

Resource Certification (RPKI)

The goal of this project is to issue cryptographic material that allows LACNIC members to prove digitally that they hold the right to use their IPv4 addresses, IPv6 addresses and autonomous system numbers (ASNs).

The resource certification project establishes a public key infrastructure (PKI) known as the RPKI (Resource Public Key Infrastructure). It mirrors the hierarchy of the Internet resource allocation model, in which resources flow through Regional or National Internet Registries to their members, with a chain of digital certificates based on the X.509 standard. X.509 certificates are usually used to authenticate an individual or, for example, a website. RPKI certificates carry no identity information: the subject name is not meant to identify anyone, and the certificate's only purpose is to attest that its holder has the right to use the address blocks and ASNs listed in it. Any relying party can check that attestation by validating the certificate chain up to the registry's trust anchor.

LACNIC has participated in defining the standards behind this tool since 2007. In May 2010, LACNIC launched a beta version of its RPKI Certification Authority (CA) for the resources it administers, and the LACNIC Resource Certification Service has been in production since January 2011.

RPKI System

The LACNIC RPKI system can be accessed here.

The system has two modes: "delegated" and "hosted".

Under the "delegated" mode, an organization runs its own certification authority, certified by LACNIC's CA, and so keeps its own private key and signs its own cryptographic material. This mode is not yet in operation; it is expected to become available at the end of the first half of 2011.

The "hosted" mode has been in operation since 1 January 2011. Under it, LACNIC operates the member's CA and holds the corresponding private keys, and member organizations perform all RPKI-related tasks through a simple website.

System User's Manual

Here you will find the LACNIC RPKI System User's Manual, as well as additional reference information.

Standardization Activities

RPKI standardization work is carried out at the IETF (Internet Engineering Task Force). In RFC 4593, the RPSEC (Routing Protocol Security Requirements) working group analyzed the security threats to IP routing protocols; that document specifically covers the falsification of routing information.

In 2007, the IETF created the SIDR (Secure Inter-Domain Routing) working group to design an architecture that mitigates the threats identified in RFC 4593 for inter-domain (external) routing. The technology to be developed had to allow incremental deployment.

In particular, the SIDR group is documenting the use of certificates to delegate the right to use Internet resources. Its work includes specifying the RPKI architecture, certification policies, the profile of the certificates to be issued, and the signed objects built on them. Before RPKI certificates could be issued, X.509 had to be extended to carry IPv4 and IPv6 address blocks and ASNs; these extensions are defined in RFC 3779, and the resources held by every RPKI certificate are expressed through them.
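To make the RFC 3779 representation concrete, the following is an added example (it is not LACNIC's code and not part of this page) that encodes prefixes as the addressPrefix BIT STRING of RFC 3779 and assembles a complete IPAddrBlocks extension value. The prefixes are constructed for illustration; the addressRange form and the rule that adjacent prefixes expressible as a single range must be merged are left out.

```python
"""RFC 3779 IP address block encoding as used in RPKI resource certificates.

Added example, not LACNIC's code and not part of this page. A prefix is carried
as a BIT STRING holding only its prefix-length bits; a family's prefixes are
wrapped in the IPAddrBlocks structure below. The sample prefixes are
constructed. Not covered: the addressRange form and the rule that adjacent
prefixes expressible as one range must be merged.
"""
import ipaddress

AFI_IPV4 = b"\x00\x01"   # addressFamily OCTET STRING: 2-octet AFI, no SAFI
AFI_IPV6 = b"\x00\x02"

TAG_BIT_STRING, TAG_OCTET_STRING, TAG_NULL, TAG_SEQUENCE = 0x03, 0x04, 0x05, 0x30


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def prefix_to_bitstring(prefix: str) -> bytes:
    """Encode a prefix as the addressPrefix BIT STRING (RFC 3779 s. 2.2.3.8).

    The bit string is exactly prefixlen bits long; DER stores it as one octet
    giving the number of unused bits in the last octet, then the octets, with
    unused bits zero. 10.0.0.0/8 therefore becomes 03 02 00 0a.
    """
    net = ipaddress.ip_network(prefix, strict=True)  # host bits must be zero
    nbytes = (net.prefixlen + 7) // 8
    unused = nbytes * 8 - net.prefixlen
    return der_tlv(TAG_BIT_STRING, bytes([unused]) + net.network_address.packed[:nbytes])


def bitstring_to_prefix(der: bytes, version: int) -> str:
    """Inverse of prefix_to_bitstring for one BIT STRING TLV with a short length."""
    if len(der) < 3 or der[0] != TAG_BIT_STRING or der[1] >= 0x80 or len(der) != 2 + der[1]:
        raise ValueError("not a well-formed short BIT STRING")
    unused, octets = der[2], der[3:]
    if unused > 7 or (unused and not octets):
        raise ValueError("bad unused-bits count")
    if unused and octets[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero")
    plen = len(octets) * 8 - unused
    addr_len = 4 if version == 4 else 16
    cls = ipaddress.IPv4Network if version == 4 else ipaddress.IPv6Network
    # Pad the truncated address back to full width; the prefix length is kept.
    return str(cls((octets + bytes(addr_len - len(octets)), plen)))


def ip_addr_blocks(prefixes_v4, prefixes_v6) -> bytes:
    """Build the DER IPAddrBlocks extension value (RFC 3779 section 2.2.3).

    IPAddrBlocks ::= SEQUENCE OF IPAddressFamily
    IPAddressFamily ::= SEQUENCE { addressFamily OCTET STRING, ipAddressChoice }
    ipAddressChoice is NULL ("inherit" from the issuer) or a SEQUENCE OF
    prefixes that must be in ascending order and must not overlap.
    Pass None to omit a family, "inherit" for the NULL choice, or a list.
    """
    families = []
    for afi, prefixes in ((AFI_IPV4, prefixes_v4), (AFI_IPV6, prefixes_v6)):
        if prefixes is None:
            continue
        if prefixes == "inherit":
            choice = der_tlv(TAG_NULL, b"")
        else:
            nets = sorted(ipaddress.ip_network(p) for p in prefixes)
            for a, b in zip(nets, nets[1:]):   # sorted, so overlaps are adjacent
                if a.overlaps(b):
                    raise ValueError(f"overlapping prefixes {a} and {b}")
            choice = der_tlv(TAG_SEQUENCE, b"".join(prefix_to_bitstring(str(n)) for n in nets))
        families.append(der_tlv(TAG_SEQUENCE, der_tlv(TAG_OCTET_STRING, afi) + choice))
    return der_tlv(TAG_SEQUENCE, b"".join(families))


if __name__ == "__main__":
    # Constructed holder: one IPv4 block of its own, IPv6 inherited from issuer.
    print(ip_addr_blocks(["10.0.0.0/8"], "inherit").hex())
```

The bit-string form is why a resource certificate can list a /23 or a /30 without padding to a full address: only the prefix bits are signed, and the decoder recovers the prefix from the octet count and the unused-bits byte. The sort and overlap check reflect the canonical-ordering requirement that lets a relying party compare a child's resources against its issuer's by a single pass.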

More information on the IETF SIDR working group and the standardization documents that are being developed can be found here.

Resource Certification (RPKI) Function

An Internet resource PKI allows any relying party to validate an organization's right to use a given resource. The main goal of this infrastructure is to provide a basis for improving the security of IP packet routing. Some proposed applications of the infrastructure are:

  • Building BGP (Border Gateway Protocol) announcement filters.
  • Creating routing policy based on the cryptographic validity of announced prefixes, i.e. dropping or de-preferring announcements whose origin AS is not authorized for the prefix.
  • Security extensions to BGP through the S-BGP or soBGP proposals.
  • Security extensions to interior routing protocols such as OSPF or IS-IS.
  • Authentication of routers on local area networks (LANs) for the Secure Neighbor Discovery (SEND) protocol.
  • Digital signatures on Whois data or on RPSL (Routing Policy Specification Language) objects.
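The first two applications above are what became RPKI route origin validation. As an added example (not code from LACNIC, this page, or any router vendor), the block below applies the validation outcome later standardised in RFC 6811 (valid, invalid or notfound) to BGP announcements, using a constructed set of ROAs (Route Origin Authorizations, the signed RPKI object that binds a prefix and maximum length to the AS allowed to originate it), and turns the outcome into an accept/reject filter. The certificate-chain validation that produces the ROA set is assumed to have already happened; all prefixes and AS numbers are documentation or private-use values.

```python
"""Route origin validation against RPKI ROAs: an added example, not LACNIC's code.

A relying party fetches the RPKI repository, validates each ROA through the
certificate chain and ends up with (prefix, maxLength, origin AS) triples.
This block takes such triples as given and applies the RFC 6811 outcome
(valid / invalid / notfound) to BGP announcements, then derives a filter
decision. All ROAs, prefixes and AS numbers below are constructed
(documentation prefixes and private-use ASNs).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str      # prefix the holder has authorised
    max_length: int  # longest more-specific that may be announced
    origin_as: int   # AS allowed to originate it (0 = nobody, RFC 6483)


# Constructed ROA set, as a validating cache would hand it to a router.
ROAS = (
    Roa("192.0.2.0/24", 24, 64496),
    Roa("198.51.100.0/22", 24, 64497),
    Roa("2001:db8::/32", 48, 64496),
    Roa("203.0.113.0/24", 24, 0),      # AS0 ROA: prefix must not appear in BGP
)


def validate_origin(announced: str, origin_as: int, roas=ROAS) -> str:
    """RFC 6811 section 2: return 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(announced, strict=False)
    # A ROA "covers" the route when the announced prefix lies within it.
    covering = [
        r for r in roas
        if ipaddress.ip_network(r.prefix).version == net.version
        and net.subnet_of(ipaddress.ip_network(r.prefix))
    ]
    if not covering:
        return "notfound"
    # It "matches" when, in addition, the origin AS and length limit agree.
    for r in covering:
        if r.origin_as == origin_as and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def filter_announcements(announcements, roas=ROAS, reject_notfound=False):
    """Turn validation states into accept/reject decisions.

    The usual deployment drops 'invalid' and keeps 'notfound', because most of
    the table still has no ROA; rejecting 'notfound' is only safe once the
    prefixes a network depends on are fully covered, so it is a flag here.
    """
    decisions = []
    for prefix, origin in announcements:
        state = validate_origin(prefix, origin, roas)
        reject = state == "invalid" or (reject_notfound and state == "notfound")
        decisions.append((prefix, origin, state, "reject" if reject else "accept"))
    return decisions


# Constructed announcements, one per interesting case.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),      # exact match -> valid
    ("192.0.2.128/25", 64496),    # right AS, too specific -> invalid
    ("192.0.2.0/24", 64511),      # wrong origin (hijack) -> invalid
    ("198.51.100.0/24", 64497),   # within maxLength -> valid
    ("2001:db8:1::/48", 64496),   # IPv6 more-specific within maxLength -> valid
    ("203.0.113.0/24", 64498),    # AS0 ROA -> invalid for any origin
    ("10.0.0.0/8", 64496),        # no covering ROA -> notfound
]

if __name__ == "__main__":
    for row in filter_announcements(SAMPLE_ANNOUNCEMENTS):
        print("%-18s AS%-6d %-8s %s" % row)
```

Two details matter in practice. The maxLength field is what lets a holder announce more-specifics without a ROA per prefix, but a loose maxLength also lets an attacker who can forge the origin AS announce a more-specific that wins on longest match, so ROAs should be as tight as the announcements actually made. And an AS0 ROA is the way to state that a block is held but must not be routed at all: it covers every announcement for the prefix and matches none, so all of them come out invalid.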

References and Resources