Resource Public Key Infrastructure

Resource Public Key Infrastructure (RPKI), also known as Resource Certification, is a specialized public key infrastructure (PKI) framework to support improved security for the Internet's BGP routing infrastructure.

RPKI provides a way to connect Internet number resource information (such as Autonomous System numbers and IP addresses) to a trust anchor. The certificate structure mirrors the way in which Internet number resources are distributed. That is, resources are initially distributed by the IANA to the regional Internet registries (RIRs), who in turn distribute them to local Internet registries (LIRs), who then distribute the resources to their customers. RPKI can be used by the legitimate holders of the resources to control the operation of Internet routing protocols to prevent route hijacking and other attacks. In particular, RPKI is used to secure the Border Gateway Protocol (BGP) through BGP Route Origin Validation (ROV), as well as Neighbor Discovery Protocol (ND) for IPv6 through the Secure Neighbor Discovery protocol (SEND).

The RPKI architecture is documented in RFC 6480. The RPKI specification is documented in a spread out series of RFCs: RFC 6481, RFC 6482, RFC 6483, RFC 6484, RFC 6485, RFC 6486, RFC 6487, RFC 6488, RFC 6489, RFC 6490, RFC 6491, RFC 6492, and RFC 6493. SEND is documented in RFC 6494 and RFC 6495. These RFCs are a product of the IETF's sidr working group,[1] and are based on a threat analysis which was documented in RFC 4593. These standards cover BGP origin validation, while path validation is provided by BGPsec, which has been standardized separately in RFC 8205. Several implementations for prefix origin validation already exist.[2]

Leave a Comment