Resource Certification System (RPKI)

LACNIC's resource certification system has two modes: delegated and hosted. In delegated mode, an organization can implement its own certificate authority and thus maintain its own private key for signing cryptographic material.

Delegated RPKI Service

The delegated service has been in operation since December 18th, 2019. This service is available to all LACNIC members. Those interested in accessing RPKI in delegated mode should send an email to hostmaster [at] lacnic [.] net with the following information:

Brazil: Organizations that received their address space from registro.br can access the service at https://registro.br/tecnologia/numeracao/rpki/

Hosted RPKI Service

The hosted service has been in operation since January 1st, 2011. In this mode, member organizations can perform all RPKI architecture related tasks simply through the website available at the following.

Organizations that received their resources from IAR.MX should access the service using the following link http://rpki.lacnic.net

System User Manual

Click here to open the System User Manual and read complete information on how to manage certificates and ROAs.

For more information, read our FAQ section.

Standardization Activities

The standardization work for RPKI infrastructure is carried out by the Internet Engineering Task Force (IETF). In RFC 4593, the Routing Protocol Security Requirements (RPSEC) working group analyzed security threats to IP routing protocols. In particular, this document mentions the falsification of routing information.

In 2007, the IETF established the Secure Inter-domain Routing (SIDR) working group to create an architecture that would allow eliminating the threats to inter-domain (or external) routing identified in RFC 4593. The technology to be developed would have to allow incremental deployment.

Specifically, the SIDR working group documented the use of certificates for the delegation of the right to use Internet resources. Its work includes, among others, the specification of the RPKI architecture, certification policies, the profile of the certificates that will be issued, and various useful cryptographic materials. Before RPKI certificates could be issued, it was necessary to define extensions to X.509 certificates to represent IPv4 and IPv6 addresses and ASNs. The following RFCs are already part of the RPKI specification: RFC 6480 to RFC 6493, RFC 6810 and RFC 6811.

Further information on the work of the SIDR and SIDROPS working groups is available at the following links:
https://datatracker.ietf.org/wg/sidr/about/
https://datatracker.ietf.org/wg/sidrops/about/

Additional References

https://datatracker.ietf.org/group/sidrops/about/
https://datatracker.ietf.org/wg/sidr/charter/
https://www.fortproject.net/

RPKI Trust Anchor

In the context of the RPKI architecture, a Trust Anchor Locator (TAL) is a file that contains information needed for an RPKI validation tool to access the repository location and begin the validation process.

LACNIC's TAL contains two elements: the rsync URI of LACNIC's trust anchor certificate, and the trust anchor's public key (base64 encoded):

LACNIC's TAL:

rsync://repository.lacnic.net/rpki/lacnic/rta-lacnic-rpki.cer
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqZEzhYK0+PtDOPfub/KR
c3MeWx3neXx4/wbnJWGbNAtbYqXg3uU5J4HFzPgk/VIppgSKAhlO0H60DRP48by9
gr5/yDHu2KXhOmnMg46sYsUIpfgtBS9+VtrqWziJfb+pkGtuOWeTnj6zBmBNZKK+
5AlMCW1WPhrylIcB+XSZx8tk9GS/3SMQ+YfMVwwAyYjsex14Uzto4GjONALE5oh1
M3+glRQduD6vzSwOD+WahMbc9vCOTED+2McLHRKgNaQf0YJ9a1jG9oJIvDkKXEqd
fqDRktwyoD74cV57bW3tBAexB7GglITbInyQAsmdngtfg2LUMrcROHHP86QPZINj
DQIDAQAB

While most validation tools already include the necessary TAL files, in certain cases it may be useful to have the TAL file separately.

This file can be downloaded from this link:

https://www.lacnic.net/rpki/lacnic.tal
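As an added example (not LACNIC's own tooling or code from the original page), the following Python script parses a TAL in the format the IETF specifies in RFC 8630 (URI section, optionally preceded by comment lines, followed by the base64-encoded SubjectPublicKeyInfo) and inspects the trust anchor key with a minimal DER walker: it checks that the key is an RSA key, reports modulus size and exponent, and derives a SHA-256 fingerprint of the SPKI that can be compared against an out-of-band copy before the TAL is installed in a validator. The sample input is the LACNIC TAL reproduced on this page; the function and class names are the example's own.

```python
"""Parse an RPKI Trust Anchor Locator (TAL) and inspect the trust anchor key.

Added example, not LACNIC's tooling. The TAL layout follows RFC 8630: optional
'#' comment lines, one or more rsync:// or https:// URIs pointing at the
trust anchor certificate, then the base64 SubjectPublicKeyInfo. The DER
parser is deliberately minimal and understands only what an RSA SPKI needs.
"""
import base64
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

# LACNIC's TAL exactly as published on the page above (URI, then public key).
LACNIC_TAL = """\
rsync://repository.lacnic.net/rpki/lacnic/rta-lacnic-rpki.cer

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqZEzhYK0+PtDOPfub/KR
c3MeWx3neXx4/wbnJWGbNAtbYqXg3uU5J4HFzPgk/VIppgSKAhlO0H60DRP48by9
gr5/yDHu2KXhOmnMg46sYsUIpfgtBS9+VtrqWziJfb+pkGtuOWeTnj6zBmBNZKK+
5AlMCW1WPhrylIcB+XSZx8tk9GS/3SMQ+YfMVwwAyYjsex14Uzto4GjONALE5oh1
M3+glRQduD6vzSwOD+WahMbc9vCOTED+2McLHRKgNaQf0YJ9a1jG9oJIvDkKXEqd
fqDRktwyoD74cV57bW3tBAexB7GglITbInyQAsmdngtfg2LUMrcROHHP86QPZINj
DQIDAQAB
"""


@dataclass
class TrustAnchorLocator:
    uris: List[str]
    spki_der: bytes
    modulus_bits: int
    exponent: int

    def fingerprint(self) -> str:
        """SHA-256 over the DER SubjectPublicKeyInfo, for out-of-band comparison."""
        return hashlib.sha256(self.spki_der).hexdigest()


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def _rsa_public_numbers(spki: bytes) -> Tuple[int, int]:
    """Return (modulus, exponent) from an RSA SubjectPublicKeyInfo, checking its structure."""
    tag, body, end = _read_tlv(spki, 0)
    if tag != 0x30 or end != len(spki):
        raise ValueError("SPKI is not a single SEQUENCE")
    tag, alg, pos = _read_tlv(body, 0)  # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("trust anchor key is not rsaEncryption")
    tag, bitstr, _ = _read_tlv(body, pos)  # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    tag, rsakey, _ = _read_tlv(bitstr, 1)
    if tag != 0x30:
        raise ValueError("RSAPublicKey is not a SEQUENCE")
    n_tag, n, pos = _read_tlv(rsakey, 0)
    e_tag, e, _ = _read_tlv(rsakey, pos)
    if n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("RSAPublicKey integers missing")
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")


def parse_tal(text: str) -> TrustAnchorLocator:
    """Split a TAL into its URI section and key, rejecting malformed layouts."""
    uris: List[str] = []
    b64_parts: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank separator or RFC 8630 comment line
            continue
        if line.startswith(("rsync://", "https://")):
            if b64_parts:
                raise ValueError("URI found after key material")
            uris.append(line)
        else:
            b64_parts.append(line)
    if not uris:
        raise ValueError("TAL has no URI section")
    if not all(u.endswith(".cer") for u in uris):
        raise ValueError("TAL URIs must point to the trust anchor .cer file")
    spki = base64.b64decode("".join(b64_parts), validate=True)
    n, e = _rsa_public_numbers(spki)
    return TrustAnchorLocator(uris, spki, n.bit_length(), e)


if __name__ == "__main__":
    tal = parse_tal(LACNIC_TAL)
    print("URIs:       ", tal.uris)
    print("Key:         RSA-%d, e=%d" % (tal.modulus_bits, tal.exponent))
    print("SPKI SHA-256:", tal.fingerprint())
```

Run it as-is to print the key size and SPKI fingerprint of the TAL above; a validator operator would compare that fingerprint with the value obtained from the downloaded lacnic.tal file before trusting it, since whoever controls the TAL controls the root of the validator's entire RPKI view.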

The TAL file format is specified in documents prepared by the Internet Engineering Task Force (IETF):
