Resource Certification (RPKI) is a community-driven system in which all Regional Internet Registries, open source software developers and several major router vendors participate. It uses open standards that were developed in the Secure Inter-Domain Routing (sidr) Working Group in the IETF.
A resource certificate offers validatable proof of holdership of a resource's allocation or assignment by an RIR. Using their resource certificate, network operators can create cryptographically validatable statements about the route announcements they authorise to be made with the prefixes they hold. This is known as BGP Origin Validation.
There are about 550,000 route announcements on the Internet today. The most common routing error we see is the accidental mis-origination of a prefix, meaning someone unintentionally announces an IP prefix that they are not the holder of. RPKI offers BGP origin validation, so the question it tries to answer is:
“Is this particular route announcement authorised by the legitimate holder of the address space?”
RPKI allows network operators to create cryptographically validatable statements about the route announcements they authorise to be made with the prefixes they hold. These statements are called Route Origin Authorisations (ROAs).
A ROA states which Autonomous System (AS) is authorised to originate a certain IP address prefix. In addition, it can determine the maximum length of the prefix that the AS is authorised to advertise.
Based on this information, other network operators can make routing decisions.
When a network operator creates a ROA for a certain combination of origin AS and prefix, this will have an effect on the RPKI validity of one or more route announcements. They can be:
The Resource Certification (RPKI) system consists of two parts:
Please note that the current RPKI functionality solely offers origin validation. However, it lays the foundation to offering true Secure BGP, including path validation. Work on creating the standards for this are currently being developed in the IETF.
IETF Secure Inter-Domain Routing (sidr) Working Group