RPKI (FAQ)

How can I access LACNIC's RPKI system?

You can access it through the following link: http://rpki.lacnic.net

What is an ROA?

How does RPKI improve Internet routing security?

RPKI is a public key infrastructure which offers providers additional tools to verify a client's right to use Internet resources. For example, if a client requests that a certain address block be routed from a certain ASN, the provider may request the corresponding cryptographic material and verify it by following the RPKI hierarchy.

How are Internet prefix filters currently generated?

Each provider chooses which information is appropriate for building their filters. In some cases, the information that exists in Internet Routing Registries is used; in others, providers have web interfaces where clients choose the prefixes they wish to announce. Today, generating Internet filters quickly and efficiently is an essential tool to ensure proper Internet operation, combat resource hijacking and, at the same time, maintain the dynamism required to allow topology modifications.

Does RPKI replace Internet Routing Registries?

No, RPKI is a public key infrastructure which may be used to generate router filters. RPKI will not replace IRRs, as it does not implement several of the latter's functionalities, such as policy registry by ASN.

However, the IRR section of the MiLacnic platform uses the ROAs that are generated as its source of information.

What is resource hijacking?

Resource hijacking can occur when an ASN announces our prefix “as is” or with a longer prefix, whether due to an error or maliciously. The most well-known case of route hijacking is that of Pakistan Telecom. For more information, check out the following video: https://youtu.be/IzLPKuAOe50

What does an RPKI certificate look like?

The two major peculiarities of an RPKI certificate are the lack of identifying information regarding the object of the certificate and the use of extensions to include both IPv4 and IPv6 addresses, as well as ASNs. These extensions were defined in RFC 3779.

Must my routers support RPKI?

It is not necessary that your routers support RPKI in order to generate certificates and ROAs. However, routing software that supports RPKI is required for routers to be able to make routing decisions taking into account the authenticity of routes based on RPKI.

When using RPKI, will each organization have to maintain a Certificate Authority (CA)?

The RPKI project LACNIC is working on allows two options: "delegated" and "hosted" mode, where member organizations can perform all tasks relating to the RPKI architecture through a user-friendly website without the need to implement a Certificate Authority (CA).

Where can I find software to validate RPKI repositories?

Some validation software packages are:

Which routers support RPKI origin validation?

Most equipment providers already support origin validation, among them Cisco Systems, Juniper Networks, Quagga and Huawei.

How can I check if my routes are signed correctly?

To verify that your prefixes have been properly signed and that there are no errors marking the routes as invalid, you can use LACNIC's origin validation tool: https://milacnic.lacnic.net/lacnic/rpki/state
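
How a route ends up marked valid, invalid or not found can be sketched with the origin validation procedure of RFC 6811. This is an added example, not LACNIC's code: the ROA data, prefixes and ASNs are constructed from documentation ranges, and the function name is hypothetical. It covers both hijacking cases described above (same prefix, longer prefix) and the operator error of announcing a more-specific route than the ROA's maximum length allows.

```python
import ipaddress

# Constructed validated ROA payloads (VRPs): (prefix, maxLength, origin ASN).
# Documentation prefixes and ASNs only; not real registry data.
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 25, 64501),
    ("2001:db8::/32", 48, 64500),
]

def validate_origin(prefix, origin_asn, vrps=VRPS):
    """Classify a route as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_length, vrp_asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if route.version != vrp_net.version:
            continue  # subnet_of() raises TypeError across address families
        # A VRP covers the route when the route equals the VRP prefix
        # or is a more-specific prefix inside it.
        if not route.subnet_of(vrp_net):
            continue
        covered = True
        # The route matches when the origin ASN is the authorised one and
        # the route is no longer than maxLength. AS 0 never matches.
        if vrp_asn != 0 and vrp_asn == origin_asn and route.prefixlen <= max_length:
            return "valid"
    # Covered by some ROA but matched by none: invalid. No covering ROA: not-found.
    return "invalid" if covered else "not-found"

if __name__ == "__main__":
    # Constructed announcements: (prefix, origin ASN, what the case represents).
    samples = [
        ("192.0.2.0/24", 64500, "holder's own announcement"),
        ("192.0.2.0/24", 64511, "same prefix, unauthorised origin"),
        ("192.0.2.128/25", 64511, "longer prefix, unauthorised origin"),
        ("192.0.2.128/25", 64500, "holder's more-specific beyond maxLength"),
        ("198.51.100.128/25", 64501, "more-specific within maxLength"),
        ("203.0.113.0/24", 64502, "no ROA covers this prefix"),
        ("2001:db8:1::/48", 64500, "IPv6 more-specific within maxLength"),
    ]
    for prefix, asn, note in samples:
        print(f"{prefix:<20} AS{asn:<6} {validate_origin(prefix, asn):<10} {note}")
```

The fourth sample is the case to look for when your own routes show as invalid: the origin ASN is correct, but the announced prefix is longer than the maximum length stated in the ROA.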
