How can I access LACNIC's RPKI system?

In order to generate certificates and ROAs, LACNIC's RPKI system can be accessed at: http://milacnic.lacnic.net

What is an ROA?

How does RPKI improve Internet routing security?

RPKI is a public key infrastructure that offers providers additional tools to verify a client's right to use Internet resources. For example, if a client requests routing of a certain address block from a certain ASN, the provider may request the corresponding cryptographic material and verify it by following the RPKI hierarchy.

How are Internet prefix filters currently generated?

Each provider chooses which information is appropriate for building their filters. In some cases, the information that exists in Internet Routing Registries is used; in others, providers have web interfaces where clients choose the prefixes they wish to announce. Today, generating Internet filters quickly and efficiently is an essential tool to ensure proper Internet operation, combat resource hijacking and, at the same time, maintain the dynamism required to allow topology modifications.

Does RPKI replace Internet Routing Registries?

No, RPKI is a public key infrastructure which may be used to generate router filters. RPKI will not replace IRRs, as it does not implement several of the latter's functionalities, such as policy registry by ASN. The IETF SIDR group is developing technologies to incorporate object signatures in the Routing Policy Specification Language (RPSL) using the keys generated in RPKI infrastructure.

What is resource hijacking?

Resource hijacking in action: The YouTube Case

From a network stability and security point of view, the most harmful resource hijacking attacks are those that occur on resources that are actively in use, especially when prefixes are announced in a more specific manner. A well-known case was the YouTube resource hijacking incident that occurred in February 2008.

Resource hijacking is the announcement of IPv4 addresses, IPv6 addresses or Autonomous System Numbers on the global Internet routing table by organizations that do not have the right to use those prefixes. Internet routing table announcements can be propagated because of a lack of proper controls on the part of those who provide connectivity to the hijacking organization. However, the causes behind resource hijacking are not always malicious, as oftentimes network operation and maintenance errors result in the apparent hijacking of resources. An example of Internet resource hijacking is the announcement of IP address blocks that have not yet been assigned by an RIR, which happens daily. Depending on which particular policies are implemented, resource hijacking may be limited to a specific region or group of providers, but resource hijacking may also have global consequences. Generally speaking, when faced with a resource hijacking incident, the only thing an Internet service provider (ISP) can do is contact the hijacker and request that they put an end to the situation.

  • List of resources suspected of being hijacked: IPv4 & IPv6

What does an RPKI certificate look like?

The two major peculiarities of an RPKI certificate are the lack of identifying information regarding the object of the certificate and the use of extensions to include both IPv4 and IPv6 addresses, as well as ASNs. These extensions were defined in RFC 3779.

Must my routers support RPKI?

It is not necessary that your routers support RPKI in order to generate certificates and ROAs. However, routing software that supports RPKI is required for routers to be able to make routing decisions taking into account the authenticity of routes based on RPKI.

When using RPKI, will each organization have to maintain a Certificate Authority (CA)?

The RPKI project LACNIC is working on allows two options: "delegated" and "hosted" mode, where member organizations can perform all tasks relating to RPKI architecture through a user-friendly website without the need to implement a Certificate Authority (CA).

Where can I find software to validate RPKI repositories?

Some validation software packages are:

Which routers support RPKI origin validation?

Most equipment providers already support origin validation, among them Cisco Systems, Juniper Networks, Quagga, Mikrotik and Huawei.

How can I check if my routes are signed correctly?

To verify that your prefixes have been signed correctly and that there are no errors marking routes as invalid, you can visit LACNIC's origin validation tool: https://milacnic.lacnic.net/lacnic/rpki/state
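
The check an origin-validating router applies to each announcement (RFC 6811) can be sketched as follows, including the common error where a ROA's maxLength is too short and the holder's own more-specific route becomes invalid. This is an added example, not LACNIC's tool or code; the prefixes, ASNs and the names VRP, validate_origin and classify_all are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA Payload: what one ROA authorizes (illustrative type)."""
    prefix: str
    max_length: int
    asn: int

def validate_origin(route_prefix, origin_asn, vrps):
    """Classify an announcement as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        # A VRP covers the route when the route lies inside the ROA prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # A covering VRP matches when the origin AS is equal (AS0 never
        # matches) and the route is no more specific than maxLength.
        if vrp.asn != 0 and vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"
    # Covered by at least one VRP but matched by none: invalid.
    return "invalid" if covered else "not-found"

# Constructed sample data (documentation prefixes and ASNs).
VRPS = [
    VRP("203.0.113.0/24", 24, 64496),
    VRP("2001:db8::/32", 48, 64496),
]
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64496),    # holder's route, as authorized by the ROA
    ("203.0.113.128/25", 64511),  # more-specific from a different origin AS
    ("203.0.113.0/25", 64496),    # holder's own route, longer than maxLength
    ("2001:db8:1::/48", 64496),   # within maxLength 48
    ("198.51.100.0/24", 64496),   # no ROA covers this prefix
]

def classify_all(announcements, vrps):
    """Return (prefix, origin ASN, validation state) for each announcement."""
    return [(p, a, validate_origin(p, a, vrps)) for p, a in announcements]

if __name__ == "__main__":
    for prefix, asn, state in classify_all(ANNOUNCEMENTS, VRPS):
        print(f"{prefix:20} AS{asn:<6} {state}")
```
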
