FAQ: Certification

What is certification?

A "resource certificate" issued by the RIPE NCC states that a particular Internet number resource (that is, a block of IPv4 or IPv6 addresses, or an Autonomous System (AS) Number) has been registered by the RIPE NCC.

Resource certification is a system based on globally accepted and well-known Public Key Infrastructure (PKI) principles. The standards used in resource certification are open, and have come out of the Secure Inter-Domain Routing (SIDR) Working Group in the IETF.

All of the Regional Internet Registries (RIRs) have committed to deploying certification on 1 January 2011. Certification will run alongside the Internet Routing Registry (IRR) system and should eventually replace it.

Why is certification needed?

Routing on the Internet is a fragile system. It depends on every network operator working together, and in most cases working around other people's mistakes by routing differently until the source problem is fixed. Today, the vast majority of mis-announcements are accidental originations of somebody else's prefix. Routing errors have a high customer impact because entire networks can become unreachable.

There is an urgent need to make this system more robust before a routing event occurs that causes major, widespread problems.

As the unallocated pool of IPv4 addresses runs out, two issues will likely emerge:

  • The number of people hijacking address space will grow.

  • The incentive for people to sell any unused or under-utilised blocks of IPv4 address space they hold will increase. However, potential buyers have no way of knowing if the seller is actually the legitimate holder of the resources.

Both of these issues can be solved by the resource certification system. By digitally verifying that a resource has been allocated or assigned to a specific certificate holder, resource certification facilitates the following benefits:

  1. Resource certification will allow for prefix holder checking to be automated in a dependable, transparent and standardised way, using Route Origin Authorisation (ROA) objects. This is often referred to as "automated provisioning", and can play an important role in securing the routing system.

  2. When Internet resources are transferred between two parties, certification will make this transaction reliable and secure, because the recipient can be sure that the resources have been legitimately allocated or assigned by an RIR.
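The automated prefix holder check that ROA objects make possible can be sketched as follows. This is an added example, not RIPE NCC code: it goes slightly beyond the text by using the three outcomes defined for BGP prefix origin validation (RFC 6811), and the ROA entries, AS numbers and the `validate_origin` name are constructed for illustration.

```python
import ipaddress

# Constructed ROAs (documentation prefixes and private-use ASNs, not real data):
# (authorised prefix, maximum announced prefix length, authorised origin AS)
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 25, 64501),
    ("2001:db8::/32", 48, 64500),
]

def validate_origin(prefix, origin_as, roas=ROAS):
    """Classify a route announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # Only ROAs whose prefix covers the announced route are relevant.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA speaks for this address space
        if route.prefixlen <= max_len and origin_as == roa_as:
            return "valid"
    # Covered but unmatched: wrong origin AS, or a more specific prefix than
    # the holder authorised. No covering ROA: nothing is known about the
    # route, which is not a negative statement.
    return "invalid" if covered else "not-found"

if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/24", 64511),
                     ("198.51.100.192/26", 64501), ("203.0.113.0/24", 64500)]:
        print(pfx, asn, validate_origin(pfx, asn))
```

A router or route server would typically use the result as one input to routing preference rather than as a hard filter, which matches the role the FAQ gives certificates.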

What will certification achieve?

Resource certification will help to ensure the long-term stability of Internet routing by preventing route hijacking and leaking. This provides a safer online environment for Internet users.

As with DNSSEC, certification represents the continuing evolution and strengthening of the Internet's infrastructure. The RIPE NCC is taking a responsible role in its development, working closely with Internet stakeholders to ensure that it is implemented in a safe, stable and effective manner.

Certification is based on open standards – why is this beneficial to Internet users?

The use of open standards encourages widespread adoption of the technology and facilitates future innovation.

Why are the Regional Internet Registries (RIRs) responsible for operating a certification system?

The RIPE NCC is the authority on address space registration information in our service region, and ensuring that this data is of the highest possible quality is one of our main priorities. The RIPE NCC also operates the second largest Internet routing registry (IRR) in the world. A resource certification system is a natural evolution of the services already provided by the RIPE NCC and other RIRs.

It is also vitally important that the organisations responsible for certification be open, accountable and trusted, both by those whose resources they are certifying and by the rest of the Internet community. Over nearly two decades of operation, the RIPE NCC has established relationships of trust and respect with its members, the Internet technical community, governments, law enforcement agencies and civil society.

Resource certification will only provide origin validation, yet path validation would be a far more significant step toward securing the routing system. Why don't you do that?

Path validation is extremely difficult to achieve. If it can be done at all, the first step will be to implement origin validation. The current system is one step in the evolutionary process of making the routing system more secure and robust.

What can I get certified?

As of 1 January 2011, it will be possible for RIPE NCC members to certify their Provider Aggregatable (PA) IP address allocations. This includes both IPv4 and IPv6 PA allocations.

As the system is deployed over time, it will eventually be possible to certify Provider Independent (PI) address assignments and allocations, and Autonomous System Number (ASN) assignments. For End Users who have PI address assignments from sponsoring LIRs, the sponsoring LIR will need to create a Route Origin Authorisation (ROA) object for the End User. The RIPE NCC will do this for Direct Assignment Users who have received PI address space directly from the RIPE NCC.

How do I certify my resources?

As of 1 January 2010, LIRs can obtain certificates over new and existing PA address allocations through the LIR Portal. Please follow these steps to enable the service. Registering for certification will create a single certificate detailing all of your current resource holdings. This certificate will be automatically updated with any new allocations or assignments that the LIR receives from the RIPE NCC.

Does certification give the RIPE NCC the ability to revoke my resources?

No. Certification simply says something additional about a resource. Other network users can then utilise this statement to define their routing preferences.

If a certificate needs to be revoked, this will not cause the resources covered by that certificate to be removed from Internet routing tables.

Why must I have a business relationship with the RIPE NCC to be certified?

Since certification is simply a different representation of the RIR allocation data, it must follow the same process. When an organisation wants to become an LIR and obtain an address allocation, the RIPE NCC first checks its identity and company registration papers. This forms the foundation of the business relationship that is necessary for all services offered by the RIPE NCC.

When an LIR closes, the business relationship with the RIPE NCC ends. Under existing operating procedures, the RIPE NCC will reclaim the LIR's Internet resources, remove the relevant RIPE Database entries and stop the corresponding reverse DNS delegation. Following a quarantine period, the reclaimed resources will be reissued to another LIR.

If the business relationship between an LIR and the RIPE NCC is discontinued, the existence of certificates that do not reflect this will reduce the value of the system. Therefore, when the RIPE NCC reclaims the resources of a closed LIR, it will also revoke any certificates associated with those resources.

Will certification mean that someone else controls my network?

No – certification does not impose any restrictions on network operators. LIRs using the system will retain complete control over their own networks and routing policies.

How is certification related to the transfer of address space?

When transferring resources between parties, it is vital that all parties have confidence in the status of the resources concerned. By verifying the legitimate registration of a resource, certification can make any resource transferral more reliable and secure.

Please note, however, that the standards for resource certification developed in the SIDR Working Group deal solely with making the routing system more secure. There are no standards for the facilitation of Internet resource trading. Should widespread trading of Internet resources occur, the RIPE NCC will work with the RIPE community to define the standards and build an appropriate system.

Will resource certification mean additional fees for RIPE NCC members?

No. Resource certification will add some additional overhead to RIPE NCC operations. However, normal RIPE NCC membership fees will cover this.

Does certification allow ISPs and governments to filter the Internet?

No. A certificate does not contain any information about the identity of its holder. The RIPE Database will remain the source for registration information and related contact details.

Could law enforcement use certification to force the RIPE NCC to revoke certificates and Internet number resources?

No. Resource certificates can allow holders to demonstrate to law enforcement that they are the certified holders of address space. However, under Dutch law, resource certificates do not qualify as goods that are capable of being confiscated.

Resource certificates exist only to drive a routing preference. The existence of a certificate and ROA is a positive message; the absence of a certificate is not a negative one.

If revocation of certificates has no effect, what's the point of having them at all?

A certificate is simply a message about the status of a resource, and this is information that network operators can use to make decisions regarding routing. With widespread adoption, the use of certificates to drive routing preferences will improve the stability of the Internet.

Does the RIPE NCC have the support of its members and the Internet community in developing and deploying this system?

Yes. The certification system relies on the support and assistance of both the RIPE NCC membership and the Internet community at large. Policies regarding certification must pass through the RIPE Policy Development Process (PDP), and the RIPE NCC cannot carry out any activities without the approval of the RIPE community and the RIPE NCC membership.

I don't see one of my address blocks on my certificate. Why is that?

Only address blocks with the following statuses are eligible for resource certification:

  • IPv4 Provider Aggregated
  • IPv4 Allocated Unspecified
  • IPv4 PI marked as INFRA in your LIR Portal account
  • IPv4 Anycast marked as INFRA in your LIR Portal account
  • IPv6 Aggregated by RIR
  • IPv6 PI marked as INFRA in your LIR Portal account
  • IPv6 Anycast marked as INFRA in your LIR Portal account


In addition, only address blocks in the following ranges will appear on the resource certificate:

2.0.0.0/8
5.0.0.0/8
31.0.0.0/8
37.0.0.0/8
46.0.0.0/8
62.0.0.0/8
77.0.0.0-95.255.255.255
109.0.0.0/8
141.0.0.0/8
145.0.0.0/8
151.0.0.0/8
176.0.0.0/8
178.0.0.0/8
185.0.0.0/8
188.0.0.0/8
193.0.0.0-195.255.255.255
212.0.0.0/7
217.0.0.0/8
2001:600::-2001:bff:ffff:ffff:ffff:ffff:ffff:ffff
2001:1400::/22
2001:1a00::-2001:3bff:ffff:ffff:ffff:ffff:ffff:ffff
2001:4000::/23
2001:4600::/23
2001:4a00::-2001:4dff:ffff:ffff:ffff:ffff:ffff:ffff
2001:5000::/20
2003::/18
2a00::/12

In 2012, the RIPE NCC will gradually make other types and ranges eligible for resource certification. We will announce changes as they become available.
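To check whether a block falls inside the ranges listed above, the list's two notations (CIDR and first-last) can be normalised to CIDR networks and tested for containment. This is an added example, not a RIPE NCC tool: the function names and the test blocks are constructed, and it checks only the range condition, not the status condition from the first list.

```python
import ipaddress

# Ranges copied from the list above, in the two notations the list uses.
ELIGIBLE = """
2.0.0.0/8 5.0.0.0/8 31.0.0.0/8 37.0.0.0/8 46.0.0.0/8 62.0.0.0/8
77.0.0.0-95.255.255.255 109.0.0.0/8 141.0.0.0/8 145.0.0.0/8
151.0.0.0/8 176.0.0.0/8 178.0.0.0/8 185.0.0.0/8 188.0.0.0/8
193.0.0.0-195.255.255.255 212.0.0.0/7 217.0.0.0/8
2001:600::-2001:bff:ffff:ffff:ffff:ffff:ffff:ffff 2001:1400::/22
2001:1a00::-2001:3bff:ffff:ffff:ffff:ffff:ffff:ffff 2001:4000::/23
2001:4600::/23 2001:4a00::-2001:4dff:ffff:ffff:ffff:ffff:ffff:ffff
2001:5000::/20 2003::/18 2a00::/12
""".split()

def parse_range(text):
    """Turn 'prefix/len' or 'first-last' into a list of CIDR networks."""
    if "-" in text:
        first, last = (ipaddress.ip_address(p) for p in text.split("-"))
        # A first-last range may need several CIDR blocks to cover it exactly.
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(text)]

ELIGIBLE_NETS = [net for item in ELIGIBLE for net in parse_range(item)]

def in_eligible_range(block):
    """True if the whole block lies inside one of the listed ranges."""
    net = ipaddress.ip_network(block)  # raises ValueError on host bits set
    return any(net.version == e.version and net.subnet_of(e)
               for e in ELIGIBLE_NETS)

if __name__ == "__main__":
    # Constructed test blocks, chosen to hit both notations and both families.
    for block in ["193.0.0.0/21", "80.1.0.0/16", "8.8.8.0/24",
                  "2a00:1450::/32", "2001:db8::/32"]:
        print(block, in_eligible_range(block))
```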