Resource Public Key Infrastructure (RPKI) FAQ
You can access the system via the following link: http://rpki.lacnic.net.
A Route Origin Authorization (ROA) is a digitally signed object in which the holder of an address block explicitly authorizes a specific Autonomous System (AS) to originate BGP routes for a set of IP prefixes. Each prefix in a ROA may carry a maximum length, which bounds how specific an announcement from that AS may be; an announcement longer than the maximum length is not authorized even if it comes from the right AS.
RPKI is a public key infrastructure that gives providers additional tools to verify a client's right to use Internet number resources. For example, if a client asks a provider to route an address block originated from a specific ASN, the provider can retrieve the corresponding cryptographic objects (certificates and ROAs) and verify them along the RPKI hierarchy, from the RIR's trust anchor down to the ROA covering the block.
Each provider chooses which information it considers appropriate for building its filters. In some cases the information registered in Internet Routing Registries (IRRs) is used; in other cases providers offer web interfaces where clients choose the prefixes they wish to announce. Today, generating routing filters quickly and efficiently is essential to ensure proper Internet operation and to combat resource hijacking, while preserving the flexibility required to accommodate topology changes.
No. RPKI is a public key infrastructure whose objects can be used to generate router filters, but it will not replace IRRs, since it does not implement several of their functions, such as registering routing policy per ASN.
However, the IRR section of the MiLACNIC platform uses the ROAs that are generated as its source of information.
Resource hijacking occurs when an ASN other than the legitimate one announces our prefix, either exactly "as is" or as a more-specific prefix (a longer prefix length, which routers prefer by longest match), whether by mistake or maliciously. The FORT project explains route hijacking and uses FORT Monitor to measure route hijacks in the region. The best-known case of route hijacking is that of Pakistan Telecom (the 2008 YouTube outage, caused by a more-specific announcement of a YouTube prefix that leaked to the global routing table). For more information, check out the following video: https://youtu.be/IzLPKuAOe50
The two main peculiarities of an RPKI certificate are that it carries no identifying information about its subject (subject names are meaningless; the certificate attests holdership of resources, not identity) and that it uses X.509 extensions to carry IPv4 and IPv6 address blocks as well as ASNs. These extensions are defined in RFC 3779.
Your routers do not need to support RPKI for you to generate certificates and ROAs. However, for routers to make routing decisions that take into account the validity of a route's origin, they need routing software that supports RPKI origin validation, typically by receiving the validated ROA payloads (prefix, maximum length, origin ASN) from a validator over the RPKI-to-Router (RTR) protocol.
The RPKI service LACNIC is working on offers two options: hosted and delegated mode. In hosted mode, member organizations perform all RPKI tasks through a user-friendly website, without having to operate their own Certificate Authority (CA); in delegated mode, the organization runs its own CA under LACNIC's.
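The following is an added example, not code from LACNIC or from any of the validators listed on this page. It implements the RFC 6811 origin-validation decision that a router (or a monitor such as FORT Monitor) applies once it has the validated ROA payloads: a route is "not-found" if no ROA covers it, "valid" if some ROA matches its prefix, length and origin ASN, and "invalid" otherwise. It also shows the two hijack shapes described above (the prefix announced "as is" from the wrong AS, and a more-specific announcement) and the common misconfiguration of announcing a more-specific beyond the ROA's maximum length. The ROAs and announcements are constructed sample data using documentation prefixes and private ASNs; the function and variable names are this example's own.

```python
"""RFC 6811 BGP origin validation against a set of validated ROA payloads (VRPs)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: one (prefix, maxLength, origin ASN) triple,
    as a validator (FORT, Routinator, rpki-client, ...) hands it to a router."""
    prefix: Network
    max_length: int
    asn: int


def vrp(prefix: str, asn: int, max_length: Optional[int] = None) -> VRP:
    """Build a VRP. Without an explicit maxLength only the exact prefix is authorized."""
    net = ipaddress.ip_network(prefix, strict=True)
    ml = net.prefixlen if max_length is None else max_length
    if not net.prefixlen <= ml <= net.max_prefixlen:
        raise ValueError(f"maxLength {ml} out of range for {net}")
    return VRP(net, ml, asn)


def covered(route: Network, v: VRP) -> bool:
    """RFC 6811 'Covered': the route equals the VRP prefix or is more specific."""
    return route.version == v.prefix.version and route.subnet_of(v.prefix)


def matched(route: Network, origin_asn: int, v: VRP) -> bool:
    """RFC 6811 'Matched': covered, no longer than maxLength, same origin ASN."""
    return (covered(route, v)
            and route.prefixlen <= v.max_length
            and origin_asn == v.asn)


def validate(route: str, origin_asn: int, vrps: List[VRP]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for a route whose origin
    (rightmost element of the AS_PATH) is origin_asn."""
    net = ipaddress.ip_network(route, strict=True)
    covering = [v for v in vrps if covered(net, v)]
    if not covering:
        return "not-found"   # no ROA says anything about this address space
    if any(matched(net, origin_asn, v) for v in covering):
        return "valid"
    return "invalid"         # covered, but no ROA authorizes this announcement


# Constructed sample ROA data (hypothetical): documentation prefixes, private ASNs.
SAMPLE_VRPS = [
    vrp("192.0.2.0/24", 64500),                  # exact /24 only
    vrp("2001:db8::/32", 64500, max_length=48),  # /32 through /48 allowed
]

# Constructed sample BGP announcements as (prefix, origin ASN).
SAMPLE_ROUTES = [
    ("192.0.2.0/24", 64500),     # legitimate announcement
    ("192.0.2.0/24", 64496),     # hijack "as is": wrong origin AS
    ("192.0.2.0/25", 64500),     # more-specific beyond maxLength: invalid even from the right AS
    ("192.0.2.0/25", 64496),     # classic more-specific hijack
    ("198.51.100.0/24", 64500),  # no ROA covers it
    ("2001:db8:1::/48", 64500),  # within maxLength
    ("2001:db8:1::/49", 64500),  # one bit too long
]


def validate_table(routes, vrps) -> dict:
    """Validate every (prefix, origin) pair; keys look like '192.0.2.0/24 AS64500'."""
    return {f"{p} AS{a}": validate(p, a, vrps) for p, a in routes}


if __name__ == "__main__":
    for key, state in validate_table(SAMPLE_ROUTES, SAMPLE_VRPS).items():
        print(f"{key:28} {state}")
```

Note that "invalid" is returned for the /25 announced by AS64500 itself: the ROA covers the /25 but its maximum length of 24 does not authorize it. This is exactly the kind of error the origin-validation tool mentioned below is meant to catch before a provider that drops invalids stops accepting your routes.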
Check out the following validation software:
- FORT project by LACNIC and NIC.MX:
- Routinator: https://nlnetlabs.nl/projects/rpki/routinator/
- rpki-client (OpenBSD): https://www.rpki-client.org
- OctoRPKI: https://github.com/cloudflare/cfrpki#octorpki
- RIPE NCC: http://www.ripe.net/lir-services/resource-management/certification/tools-and-resources
Most router vendors already support origin validation, including Cisco Systems, Juniper Networks and Huawei, as does open-source routing software such as Quagga.
To verify that your prefixes have been properly signed, and that no ROA mistakenly marks your own routes as invalid (for example, a more-specific announcement that exceeds the ROA's maximum length, or an origin ASN that does not match the ROA), you can use LACNIC's origin validation tool: https://milacnic.lacnic.net/lacnic/rpki/state.