Resource Public Key Infrastructure (RPKI) FAQ

How can I access LACNIC's RPKI system?

You can access the system via the following link

What is an ROA?

A Route Origination Authorization (ROA) is a digitally signed object that explicitly authorizes a specific Autonomous System (AS) to originate a group of addresses.

How does RPKI improve Internet routing security?

RPKI is a public key infrastructure which offers providers additional tools to verify a client's right to use Internet resources. For example, if a client requests routing an address block from a specific ASN, the provider may request the corresponding cryptographic material and conduct its verification following the RPKI hierarchy.

How are Internet prefix filters currently generated?

Each provider chooses which information is appropriate to build their filters. In some cases, the information that exists in Internet Routing Registries is used. In other cases, providers have web interfaces where clients choose the prefixes they wish to announce. Today, generating Internet filters quickly and efficiently is essential to ensure proper Internet operation and combat resource hijacking, while maintaining the dynamism required to allow topology modifications.

Does RPKI replace Internet Routing Registries?

No, RPKI is a public key infrastructure which may be used to generate router filters. RPKI will not replace IRRs since it does not implement several of the latter's functionalities, such as policy registry by ASN.

However, the IRR section of the MiLACNIC platform uses the ROAs that are generated as its source of information.

What is resource hijacking?

Resource hijacking can occur when an ASN announces our prefix “as is” or with a longer prefix, whether due to an error or maliciously. The FORT project explains route hijacking and uses FORT Monitor to measure route hijacks in the region. The most well-known case of route hijacking is that of Pakistan Telecom. For more information, check out the following video

What does an RPKI certificate look like?

The two major peculiarities of an RPKI certificate are the lack of identifying information regarding the object of the certificate and the use of extensions to include both IPv4 and IPv6 addresses, as well as ASNs. These extensions were defined in RFC 3779.

Must my routers support RPKI?

It is not necessary that your routers support RPKI to generate certificates and ROAs. However, routing software that supports RPKI is required for routers to be able to make routing decisions that take into account the authenticity of routes based on RPKI.

When using RPKI will each organization have to maintain a Certificate Authority (CA)?

The RPKI Project LACNIC is working on allows two options: delegated and hosted mode. Member organizations can perform all tasks related to RPKI architecture through a user-friendly website without the need to implement a Certificate Authority (CA).

Which routers support RPKI origin validation?

Most equipment providers already support origin validation, including Cisco Systems, Juniper Networks, Quagga, and Huawei.

How can I check if my routes are signed correctly?

To verify that your prefixes have been properly signed, and that there are no errors marking the routes as invalid, you can use LACNIC’s origin validation tool: