Resource Certification System (RPKI)
LACNIC's resource certification system has two modes: delegated and hosted. In delegated mode an organization runs its own certificate authority, and therefore generates and keeps its own private key for signing RPKI objects. In hosted mode LACNIC operates the certificate authority on the member's behalf and holds the signing key, and the member manages its certificates and ROAs through LACNIC's web interface.
Delegated RPKI Service
The delegated Resource Public Key Infrastructure (RPKI) service has been in operation since 18 December 2019. This service is available to all LACNIC members. Those interested in accessing RPKI in delegated mode should send an email to email@example.com with the following information:
- Organization ID (OrgID)
- Full name of point of contact
- Email address of point of contact
Brazil: Organizations that received their address space from registro.br can access the service at https://registro.br/tecnologia/numeracao/rpki/
Hosted RPKI Service
The hosted service has been in operation since 1 January 2011. In this mode, member organizations can perform all RPKI architecture related tasks simply through the website available at the following link.
Organizations that received their resources from IAR.MX should access the service using the following link: http://rpki.lacnic.net.
System User Manual
The System User Manual provides complete information on how to manage certificates and ROAs.
For more information, read our FAQ section.
The standardization work for the RPKI infrastructure is carried out by the Internet Engineering Task Force (IETF). In RFC 4593 the Routing Protocol Security Requirements (RPSEC) working group analyzed the security threats to IP routing protocols. Among the threats it identifies is the falsification of routing information, which is the class of attack that RPKI-based origin validation is meant to counter.
In 2007, the IETF established the Secure Inter-Domain Routing (SIDR) working group to create an architecture that would mitigate the threats to inter-domain (external) routing identified in RFC 4593. The technology to be developed had to allow incremental deployment, since no operator could be expected to switch over at once.
Specifically, the SIDR working group documented the use of X.509 certificates to attest the right to use Internet number resources. Its work includes the specification of the RPKI architecture, the certification policy, the profile of the certificates that are issued, and the signed objects built on them (Route Origin Authorizations, manifests and related cryptographic material). Before RPKI certificates could be issued, X.509 extensions had to be defined to carry IPv4 and IPv6 address blocks and AS numbers in a certificate; these are specified in RFC 3779. The following RFCs are already part of the RPKI specification: RFC 6480 to RFC 6493, RFC 6810 and RFC 6811.
Further information on the work of the SIDR and SIDROPS working groups is available at the following links:
In the context of the RPKI architecture, a Trust Anchor Locator (TAL) is a small file that tells an RPKI validation tool where to fetch the trust anchor certificate and which public key that certificate must carry. The validator retrieves the certificate from the URI in the TAL, checks that its subjectPublicKeyInfo matches the key in the TAL (a certificate with any other key is rejected), and only then starts validating the repository reachable from that certificate.
LACNIC's TAL contains two elements:
- A URI pointing to LACNIC's trust anchor certificate (rta-lacnic-rpki.cer) in LACNIC's RPKI repository
- LACNIC's public key, as a Base64-encoded subjectPublicKeyInfo
rsync://repository.lacnic.net/rpki/lacnic/rta-lacnic-rpki.cer

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqZEzhYK0+PtDOPfub/KR
c3MeWx3neXx4/wbnJWGbNAtbYqXg3uU5J4HFzPgk/VIppgSKAhlO0H60DRP48by9
gr5/yDHu2KXhOmnMg46sYsUIpfgtBS9+VtrqWziJfb+pkGtuOWeTnj6zBmBNZKK+
5AlMCW1WPhrylIcB+XSZx8tk9GS/3SMQ+YfMVwwAyYjsex14Uzto4GjONALE5oh1
M3+glRQduD6vzSwOD+WahMbc9vCOTED+2McLHRKgNaQf0YJ9a1jG9oJIvDkKXEqd
fqDRktwyoD74cV57bW3tBAexB7GglITbInyQAsmdngtfg2LUMrcROHHP86QPZINj
DQIDAQAB
Most validation tools already ship with the TAL files of the five RIRs, but in certain cases (a new validator installation, a key rollover, or pinning the trust anchor in your own tooling) it is useful to obtain the TAL file separately and compare it with the copy bundled in the validator.
This file can be downloaded at: https://www.lacnic.net/rpki/lacnic.tal
The TAL file format is specified in documents prepared by the Internet Engineering Task Force (IETF): RFC 6490, which was later replaced by RFC 7730 and then by RFC 8630 (the latter also allows HTTPS URIs and a comment section at the top of the file).
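The following is an added example, not part of the LACNIC page or of any validator's code: a small parser that reads a TAL, accepts the layouts of RFC 6490 (key directly after the URIs) and RFC 7730/8630 (blank-line separator, '#' comments), rejects URI schemes other than rsync and https, decodes the Base64 subjectPublicKeyInfo and walks its DER by hand to confirm it is an RSA key and to report the modulus size and public exponent. The embedded TAL text is the LACNIC TAL quoted above; the function and variable names are this example's own.

```python
"""Parse and sanity-check an RPKI Trust Anchor Locator (TAL).

Added example: the TAL text below is the LACNIC TAL quoted on this page;
the parser, names and checks are illustrative and not LACNIC's own code.
"""
import base64
import hashlib
from urllib.parse import urlsplit

# LACNIC TAL as printed on the page, laid out in RFC 7730/8630 style
# (URI section, blank line, Base64 subjectPublicKeyInfo).
LACNIC_TAL = """\
rsync://repository.lacnic.net/rpki/lacnic/rta-lacnic-rpki.cer

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqZEzhYK0+PtDOPfub/KR
c3MeWx3neXx4/wbnJWGbNAtbYqXg3uU5J4HFzPgk/VIppgSKAhlO0H60DRP48by9
gr5/yDHu2KXhOmnMg46sYsUIpfgtBS9+VtrqWziJfb+pkGtuOWeTnj6zBmBNZKK+
5AlMCW1WPhrylIcB+XSZx8tk9GS/3SMQ+YfMVwwAyYjsex14Uzto4GjONALE5oh1
M3+glRQduD6vzSwOD+WahMbc9vCOTED+2McLHRKgNaQf0YJ9a1jG9oJIvDkKXEqd
fqDRktwyoD74cV57bW3tBAexB7GglITbInyQAsmdngtfg2LUMrcROHHP86QPZINj
DQIDAQAB
"""

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
ALLOWED_SCHEMES = {"rsync", "https"}           # RFC 8630 permits https beside rsync


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(der):
    """Return (modulus_bits, public_exponent) from an RSA subjectPublicKeyInfo."""
    tag, spki, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("subjectPublicKeyInfo is not a single DER SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)           # AlgorithmIdentifier
    oid_tag, oid, _ = _tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("trust anchor key is not rsaEncryption")
    tag, bitstr, _ = _tlv(spki, pos)        # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed BIT STRING around RSAPublicKey")
    _, rsa_key, _ = _tlv(bitstr[1:], 0)     # skip the unused-bits octet
    n_tag, n_bytes, pos = _tlv(rsa_key, 0)
    e_tag, e_bytes, _ = _tlv(rsa_key, pos)
    if n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("RSAPublicKey must be SEQUENCE { INTEGER n, INTEGER e }")
    n = int.from_bytes(n_bytes, "big")
    return n.bit_length(), int.from_bytes(e_bytes, "big")


def parse_tal(text):
    """Split a TAL into its URI section and key. Accepts the RFC 6490 layout
    (key right after the URIs) and RFC 7730/8630 (blank line, '#' comments)."""
    uris, key_lines, in_key = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_key = bool(uris)             # blank line after URIs ends the URI section
            continue
        if line.startswith("#") and not uris and not in_key:
            continue                        # RFC 8630 comment section
        if not in_key and "://" in line:
            uris.append(line)
            continue
        in_key = True
        key_lines.append(line)
    if not uris:
        raise ValueError("TAL has no URI section")
    for uri in uris:
        if urlsplit(uri).scheme not in ALLOWED_SCHEMES:
            raise ValueError(f"unsupported TAL URI scheme: {uri}")
    spki = base64.b64decode("".join(key_lines), validate=True)
    bits, exponent = parse_rsa_spki(spki)
    return {
        "uris": uris,
        "spki": spki,
        "modulus_bits": bits,
        "public_exponent": exponent,
        # Fingerprint worth logging or pinning: the certificate fetched from the
        # URI must contain exactly this subjectPublicKeyInfo, or it is rejected.
        "spki_sha256": hashlib.sha256(spki).hexdigest(),
    }


if __name__ == "__main__":
    ta = parse_tal(LACNIC_TAL)
    print(ta["uris"], ta["modulus_bits"], ta["public_exponent"], ta["spki_sha256"])
```

The DER walk is deliberately minimal: a TAL key is a single subjectPublicKeyInfo, so a full ASN.1 library is not needed to check the shape of what you are about to trust. In a real deployment the next step is to fetch the .cer from the URI, extract its subjectPublicKeyInfo and compare it byte for byte with the decoded key; a mismatch means the TAL or the fetched certificate has been altered and validation must not proceed.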