FAQ: Certification

What is Resource Certification (RPKI)?

Resource Certification (RPKI) is a free opt-in member service that allows LIRs to obtain a resource certificate listing the Internet number resources they hold. The certificate is cryptographically verifiable proof that the Internet number resources have been registered to a member by the RIR.

The system is based on globally accepted and well-known X.509 Public Key Infrastructure (PKI) principles. The standards used in Resource Certification are open and have come out of the Secure Inter-Domain Routing (SIDR) Working Group in the IETF.

Why should I request a resource certificate?

The practical application offered today is the ability to use resource certificates to help secure Internet routing by providing BGP origin validation.

Using the certificate, an LIR can state which Autonomous Systems are authorised to originate the IP prefixes that the LIR holds. Other network operators can base routing decisions on this information.

Why must I have a business relationship with the RIPE NCC to be certified?

When an organisation wants to become an LIR and obtain a resource allocation, the RIPE NCC first checks its identity and company registration papers. This forms the foundation of the business relationship that is necessary for all services offered by the RIPE NCC, including Resource Certification.

How are you operating this system exactly? Is it secure?

The way the RIPE NCC operates the Certificate Authority is described in detail in the RPKI Certification Practice Statement (CPS).

I don't see one of my address blocks on my certificate. Why is that?

Currently, only address blocks with the following statuses are eligible for resource certification:

  • IPv4 Provider Aggregated
  • IPv4 Allocated Unspecified
  • IPv4 PI marked as INFRA in your LIR Portal account
  • IPv4 Anycast marked as INFRA in your LIR Portal account
  • IPv6 Aggregated by RIR
  • IPv6 PI marked as INFRA in your LIR Portal account
  • IPv6 Anycast marked as INFRA in your LIR Portal account


The RIPE NCC will gradually make other types of address space eligible. We will announce changes as they become available.

I am a legacy address space holder and not a RIPE NCC member. Can I still get a certificate?

The recently accepted policy proposal 2013-04, “Resource Certification for non-RIPE NCC Members” allows for the certification of non-members' address space. We are currently working on the implementation of this proposal, which will be completed soon. 

I'm a PI End User and got my space through a sponsoring LIR. Can I still get a certificate?

Yes, a PI End User or the Sponsoring LIR can request a certificate for PI End User resources.

How does RPKI protect me from BGP hijacking?

Resource Certification (RPKI) allows LIRs to make a cryptographically verifiable statement, known as a Route Origin Authorisation (ROA), indicating which Autonomous Systems are authorised to originate the IP prefixes that the LIR holds. This marks the associated BGP announcements as RPKI Valid. At the same time, any origination of the prefix by an unauthorised AS, i.e. a BGP hijack, is marked as RPKI Invalid.

Any network operator can base routing decisions on the information that the RPKI data set provides. In order to do this, there are several validation toolsets available that can integrate into existing workflows.

Please note that in the current implementation, RPKI only provides origin validation, not path validation.

You are only providing BGP origin validation and not path validation. Does that make the system less valuable?

BGP origin validation will already cover the bulk of the problems we see today. Many of the BGP hijacks that occur are accidental mis-originations, and the current implementation has the ability to protect against them.

Standards for BGP path validation are currently being developed in the IETF. They build on the foundation that has been laid by the current BGP origin validation implementation.

What is a Route Origin Authorisation (ROA)?

A ROA is a cryptographically signed object that states which Autonomous System (AS) is authorised to originate a certain prefix. Because a ROA is a child object of a resource certificate, only the legitimate holder of a certain IP address block can create a valid ROA for one of the prefixes that the LIR holds.

In addition, a ROA can specify a maximum prefix length. When present, this specifies the length of the most specific IP prefix that the AS is authorised to advertise. When it is not present, the AS is only authorised to advertise exactly the prefix specified. Any more specific announcement of the prefix will be considered RPKI Invalid. This is a way to enforce aggregation and prevent hijacking through the announcement of a more specific prefix.

More information on ROAs, including several examples, is available.

There is a Maximum Length option in the ROA. What is this and how do I use it?

The Maximum Length field specifies the length of the most specific IP prefix that an Autonomous System is authorised to advertise. This means that you, the holder of the prefix, have control over the level of deaggregation that an AS can do. We have created a short video explaining how to use this option properly.

I thought the RIRs were not involved in BGP routing. Why are you doing this?

The RIPE NCC is not directly involved in BGP routing. The RPKI service allows the LIR to make statements about their routing, much like creating a route object in the Internet Routing Registry (IRR) that the RIPE NCC operates. Any operator is free to base any routing decision on the information that is provided.

Do I have to buy a new router in order to use RPKI?

No. Several router vendors are committed to offering the ability to use RPKI data in router hardware as a free update. This consists of two parts:

  1. The validation software that runs on a separate system can feed the processed RPKI data directly into an RPKI-capable router.
  2. You can create policies such as route-maps based on the three RPKI validity states: Valid, Invalid and Unknown.

For more information on supported platforms and configuration details, please refer to the Router Configuration page.

How do I retrieve all the data in the different RPKI repositories? Are there any tools to use the data set?

There are several RPKI validation toolsets available, including one offered by the RIPE NCC. The toolsets run a service on your local system and periodically retrieve all RPKI information from the global repositories. Cryptographic validation of objects will be performed by the application. Operators can use the processed data to make routing decisions. In addition, the validated data set can be fed directly into an RPKI-capable router.

The validation of certificates and ROAs probably takes a lot of processing power and memory. How will my router cope?

An RPKI-capable router does not perform any of the cryptographic operations involved in BGP origin validation. All cryptography is performed by a separate software toolset running on the operator's local network. The processed data can be fed into an RPKI-capable router, where you can apply policies such as route-maps.

For more information and examples, please refer to the Router Configuration page.

I created a ROA to authorise an AS to originate one of my prefixes, but the announcement is still "Invalid". Why is that?

A ROA contains three informational elements:

  1. An Autonomous System Number
  2. An IP prefix
  3. The maximum prefix length

An Invalid BGP route announcement that is covered by a matching ROA is usually caused by an incorrect maximum prefix length. That is, the actual announcement is more specific than is allowed by the maximum length set in the ROA.

When present, the maximum length specifies the most specific IP prefix that the AS is authorised to advertise. When it is not present, the AS is only authorised to advertise exactly the prefix specified. Any more specific announcement of the prefix will be considered RPKI Invalid.

You can find more information on ROAs, including several examples, on the Route Origin Authorisation (ROA) page.

I created a ROA to authorise an AS to originate one of my prefixes, but now another announcement of this prefix, from a different AS, is "Invalid". Why is that?

When you create a ROA to authorise a certain AS to originate one of your prefixes, any other AS that also originates it is automatically marked as unauthorised, i.e. a hijack. So when you are multi-homed and originate your prefixes from several ASs, you have to make sure you have a ROA in place for all of them. This also applies to more specific prefixes that are announced by your customer’s AS.

In short, when you create ROAs, you have to make sure you authorise all of the Autonomous Systems from which your prefixes will be originated.

You can find more information on ROAs, including several examples, on the Route Origin Authorisation (ROA) page.
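The three "Invalid" cases described in the ROA questions above (wrong origin AS, an announcement more specific than the maximum length, and a missing maximum length meaning "exact prefix only") all fall out of the same origin-validation rule. The following is an added example, not RIPE NCC code or data, that applies that rule to a constructed set of ROAs and returns the three validity states the page names; the ROA table, prefixes and AS numbers are made up for illustration.

```python
from ipaddress import ip_network

# Constructed sample ROAs (not real registry data): (prefix, max_length, origin_as).
# max_length None means the field was left out, so only the exact prefix is authorised.
ROAS = [
    ("192.0.2.0/24", None, 64496),    # exact prefix only, no deaggregation allowed
    ("198.51.100.0/22", 24, 64496),   # AS64496 may announce the /22 and anything down to /24
    ("198.51.100.0/22", 24, 64497),   # second ROA for a multi-homed prefix: AS64497 also authorised
]


def validate_origin(prefix, origin_as, roas=ROAS):
    """Return 'Valid', 'Invalid' or 'Unknown' for one BGP announcement.

    A ROA covers a route when the route is the ROA prefix or a more specific of it.
    The route is Valid if any covering ROA names the origin AS and the route is not
    more specific than that ROA's maximum length; Invalid if covering ROAs exist but
    none match; Unknown if no ROA covers the route at all.
    """
    route = ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ip_network(roa_prefix)
        # subnet_of() raises on mixed IPv4/IPv6, so check the address family first
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Absent maximum length: only the ROA prefix itself is authorised
        allowed = max_len if max_len is not None else roa_net.prefixlen
        if roa_as == origin_as and route.prefixlen <= allowed:
            return "Valid"
    return "Invalid" if covered else "Unknown"


if __name__ == "__main__":
    checks = [
        ("192.0.2.0/24", 64496),     # Valid: exact prefix, authorised AS
        ("192.0.2.0/25", 64496),     # Invalid: more specific, no maximum length set
        ("192.0.2.0/24", 64500),     # Invalid: unauthorised origin AS (a mis-origination)
        ("198.51.100.0/24", 64497),  # Valid: second ROA covers the multi-homed origin
        ("198.51.100.0/25", 64496),  # Invalid: /25 exceeds maximum length /24
        ("203.0.113.0/24", 64496),   # Unknown: no ROA covers this prefix
    ]
    for pfx, asn in checks:
        print(f"{pfx:18} AS{asn}: {validate_origin(pfx, asn)}")
```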

Where can I get training on Resource Certification (RPKI)?

The RIPE NCC Training Department offers a full day Routing Security Training Course. In addition, dedicated Resource Certification (RPKI) online webinars are scheduled regularly. For more information, please see the RIPE NCC’s Training pages.

I want to set up RPKI for PI resources using the wizard, but I don't have an MD5 password, only PGP.

The wizard to set up Resource Certification (RPKI) for Provider Independent resources only supports entering MD5 passwords to associate the maintainer object with your RIPE NCC Access account. If you solely use PGP keys to authenticate, please edit your maintainer object manually and add the following attribute:

auth: SSO <your-access-sso-email _at_ example _dot_ net>

If you run the wizard again, it will say that your SSO account has already been associated, allowing you to continue with the process. You can find more information on using your RIPE NCC Access account in the RIPE Database in this Labs article.