BGP Resource Public Key Infrastructure (RPKI)

Introduction

Resource Public Key Infrastructure (RPKI) is a cryptographic method of signing records that associate routes with their originating AS number. RPKI allows holders of Internet number resources, such as IP address blocks, to make verifiable statements about how they plan to use those resources. RPKI uses a public key infrastructure that creates a verifiable chain of trust, letting the legitimate holder of an Internet number resource (such as a block of IP addresses) make an authoritative statement about which Autonomous System (AS) is authorized to originate that prefix in BGP.

Other network operators then download and validate these statements and use them to make routing decisions within their own networks.

The root of this trust chain is with the five (5) Regional Internet Registries (ARIN, RIPE NCC, APNIC, LACNIC, and AFRINIC). The primary role of these RIRs is to assign IP address blocks to NIRs (National Internet Registries) and other entities that require IP address blocks. The holders of the assigned IP address blocks then assert the origination AS number (ASN) and generate a Route Origin Authentication (ROA) for that particular combination of route and origination ASN. The RIR then publishes this ROA for general consumption.

Any entity can then use the published ROA to instruct its routers to take action based on it. A ROA is a signed statement that contains a prefix, a maximum prefix length, and the originating ASN.

Since the RIRs are the allocation authorities of the IP address blocks, the RPKI resource certificates mimic the structure of the hierarchy used to allocate IP address blocks. The five (5) RIRs each run a root CA with a trust anchor that is the base of the chain of trust for the resources managed by them.

The digital certificates used for RPKI are based on X.509. Certificates in this PKI are called resource certificates and do not contain identity information. Their only purpose is to confer the right to use the Internet number resources and to assert their ownership.