Resource Public Key Infrastructure (RPKI) FAQ
RPKI is a public key infrastructure framework designed to give providers additional tools to verify a client's right to use specific Internet number resources. For example, if a client asks a provider to route a certain address block from a certain ASN, the provider can request and verify the corresponding cryptographic material by following the RPKI hierarchy.
No, RPKI does not replace the IRRs. RPKI is a public key infrastructure that may be used to generate router filters. It does not provide several of the functionalities the IRRs offer (for example, a policy registry by ASN). However, the IRR section of the MiLACNIC platform uses the ROAs that are generated as its source of information.
Resource hijacking occurs when an ASN announces a prefix of which it is not the legitimate holder, either maliciously or by mistake. The FORT Project explains route hijacking and uses FORT Monitor to measure route hijacks in the region. The most widely known case of route hijacking was the one involving Pakistan Telecom. For more information, see the following video.
RPKI certificates have two distinctive features:
- The absence of identifying information regarding the object of the certificate
- The use of extensions to carry IPv4 and IPv6 address blocks as well as ASNs (these extensions are defined in RFC 3779).
It is not necessary for your routers to support RPKI in order to generate certificates and ROAs. However, routing software that supports RPKI is required for routers to take the authenticity of routes, as established through RPKI, into account when making routing decisions.
LACNIC's RPKI project supports two models: “delegated” and “hosted” RPKI. LACNIC provides a hosted service in which member organizations can perform all RPKI-related tasks simply by accessing a website, without having to operate their own Certificate Authority.
RPKI validation software includes the following:
- FORT Validator by LACNIC and NIC.MX:
- Routinator https://nlnetlabs.nl/projects/rpki/routinator/
- rpki-client (OpenBSD) https://www.rpki-client.org
- OctoRPKI https://github.com/cloudflare/cfrpki#octorpki
- RIPE NCC http://www.ripe.net/lir-services/resource-management/certification/tools-and-resources
Most router vendors already support origin validation, including Cisco Systems, Juniper Networks, Quagga, and Huawei.
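To show what a router actually does with the ROAs once it performs origin validation, the following is an added example written for this FAQ (it is not LACNIC's, FORT's or any vendor's code). It applies the RFC 6811 rules (valid, invalid, not-found) to a constructed set of ROAs over documentation prefixes and goes slightly beyond the text by also handling IPv6 and AS 0 ROAs; the prefixes, ASNs and function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """One validated ROA payload: prefix, maximum length and authorised origin ASN."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample ROAs over documentation prefixes (not real registry data).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),       # exact prefix only, AS64496
    ROA("192.0.2.0/24", 24, 64497),       # second ROA for the same prefix (multi-homing)
    ROA("2001:db8::/32", 48, 64496),      # AS64496 may announce /32 .. /48 more-specifics
    ROA("198.51.100.0/24", 24, 0),        # AS 0 ROA: nobody is authorised to originate it
]


def roa_covers(roa: ROA, announced: ipaddress._BaseNetwork) -> bool:
    """True if the announced prefix is equal to or more specific than the ROA prefix."""
    roa_net = ipaddress.ip_network(roa.prefix)
    # Same address family first: subnet_of() raises TypeError on mixed versions.
    return roa_net.version == announced.version and announced.subnet_of(roa_net)


def validate_origin(roas, prefix: str, origin_asn: int) -> str:
    """Classify a BGP announcement (prefix, origin ASN) per RFC 6811 section 2."""
    announced = ipaddress.ip_network(prefix)
    covering = [r for r in roas if roa_covers(r, announced)]
    if not covering:
        return "not-found"           # no ROA says anything about this prefix
    # A route originated by AS 0 can never be valid (RFC 7607).
    if origin_asn == 0:
        return "invalid"
    for r in covering:
        # One matching ROA is enough: right ASN and the announcement is not
        # more specific than the ROA's maxLength allows.
        if r.asn == origin_asn and announced.prefixlen <= r.max_length:
            return "valid"
    return "invalid"                 # covered, but no ROA authorises this origin/length


if __name__ == "__main__":
    for p, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496), ("203.0.113.0/24", 64496)]:
        print(p, asn, validate_origin(SAMPLE_ROAS, p, asn))
```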