Resource Public Key Infrastructure (RPKI) FAQ

How does RPKI improve Internet routing security?

RPKI is a public key infrastructure framework designed to offer providers additional tools to check a client's right to use specific Internet resources. For example, if a client asks to route a certain address block from a certain ASN, the provider may request and check the corresponding cryptographic material, following the RPKI hierarchy.

Does RPKI replace Internet Routing Registries?

No. RPKI is a public key infrastructure that may be used to generate router filters. RPKI will not replace IRRs, as it does not provide several of the functionalities provided by the latter (for example, policy registry by ASN). However, the IRR section of the MiLACNIC platform uses the ROAs that are generated as its source of information.

What is resource hijacking?

Resource hijacking can occur when an ASN announces a prefix for which it is not the legitimate holder, whether maliciously or by mistake. The FORT Project explains route hijacking and uses FORT Monitor to measure route hijacks in the region. The most widely known case of route hijacking was the one in which Pakistan Telecom was involved. For more information, check out the following video.

What does an RPKI certificate look like?

RPKI certificates have two distinctive features:

  • The absence of identifying information regarding the object of the certificate
  • The use of extensions to include both IPv4 and IPv6 addresses, as well as ASNs (these extensions were defined in RFC 3779).

Should my routers support RPKI?

It is not necessary for your routers to support RPKI in order to generate certificates and ROAs. However, routing software that supports RPKI is required for routers to be able to make routing decisions that take into account the authenticity of routes as established by RPKI.

When using RPKI, does each organization need to maintain a Certificate Authority (CA)?

LACNIC's RPKI project supports two formats: “delegated” and “hosted” RPKI. LACNIC provides a hosted service, where member organizations can perform all the tasks related to RPKI architecture simply by accessing a website, without the need to implement a Certificate Authority.

Which routers support RPKI origin validation?

Most router vendors and routing software packages already support origin validation, including Cisco Systems, Juniper Networks, Quagga, and Huawei.
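As an added example (not code from LACNIC, FORT, or any router vendor), the following Python implements the RFC 6811 origin-validation decision that such routers apply to each BGP announcement: a route is Valid when a ROA covers its prefix with a matching origin ASN and a maxLength no shorter than the announced prefix, Invalid when the prefix is covered only by non-matching ROAs (the hijack case from the earlier question), and NotFound when no ROA covers it at all. The ROA payloads and announcements are constructed sample values from documentation ranges, not real registry data.

```python
import ipaddress

# Constructed VRPs (Validated ROA Payloads): (prefix, maxLength, origin ASN).
# Sample values only; they do not correspond to any real ROA.
VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("2001:db8::/32", 48, 64496),
    ("198.51.100.0/22", 24, 64497),
]


def covering_vrps(prefix, vrps):
    """Return the VRPs whose prefix covers `prefix` (RFC 6811 'covered')."""
    p = ipaddress.ip_network(prefix)
    out = []
    for vrp_prefix, max_len, asn in vrps:
        v = ipaddress.ip_network(vrp_prefix)
        # subnet_of() only compares networks of the same address family.
        if v.version == p.version and p.subnet_of(v):
            out.append((v, max_len, asn))
    return out


def validate_origin(prefix, origin_asn, vrps=VRPS):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'notfound'."""
    p = ipaddress.ip_network(prefix)
    covering = covering_vrps(prefix, vrps)
    if not covering:
        return "notfound"  # no ROA covers this prefix at all
    for _v, max_len, asn in covering:
        # A ROA with AS 0 never matches a real origin, so it makes the
        # prefix Invalid for everyone (RFC 6483 style "do not announce").
        if asn == origin_asn and p.prefixlen <= max_len:
            return "valid"  # at least one ROA authorises this origin
    return "invalid"  # covered, but only by ROAs that do not match


def classify_announcements(announcements, vrps=VRPS):
    """Map each (prefix, origin ASN) announcement to its validation state."""
    return {(p, a): validate_origin(p, a, vrps) for p, a in announcements}


if __name__ == "__main__":
    # Constructed announcements: the legitimate origin, a more specific
    # than maxLength allows, a foreign ASN (hijack), and an uncovered prefix.
    sample = [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
              ("192.0.2.0/24", 64499), ("203.0.113.0/24", 64496)]
    for key, state in classify_announcements(sample).items():
        print(key, state)
```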

How can I check if my routes are properly signed?

To verify that your prefixes have been properly signed and that there are no errors due to invalid routes, you can use LACNIC's origin validation tool: