RIPE NCC RPKI Trust Anchor Structure
On 28 September 2017, the RIPE NCC RPKI Trust Anchor configuration was updated following an agreement with the RIRs and announced by the NRO.
In this configuration, each RIR publishes an “all resources” Trust Anchor, under which its own regional resources (IP addresses and ASNs) will be certified.
In this structure, the RIPE NCC Offline Trust Anchor and the RIPE NCC Online Operational Certificate will each hold “all resources”. Using “all resources” on these certificates is in-line with operations by other RIRs. This allows the RIPE NCC to issue a more constrained “RIPE NCC Managed Resources” certificate dynamically, and reflects the actual set of resources registered by the RIPE NCC. As a result, resources transferred into the RIPE NCC service region can be certified immediately. Conversely, resources transferred out of the RIPE NCC service region can removed immediately. Using this certificate, the RIPE NCC can then issue a single resource certificate to each of its members, reflecting all the resources registered to them by RIPE NCC.
RIPE NCC’s Trust Anchor Locator (TAL) is a file that contains both the location of the RIPE NCC RPKI repository and the RIPE NCC public key, which is used to cryptographically verify that RIPE NCC has signed the artifacts within the RIPE NCC repository. The TAL is used with an RPKI Validator to verify the certificates and ROAs within the RIPE NCC RPKI repository. This validated information can then be used to make routing decisions in your network.
RIPE NCC’s Trust Anchor Locator (TAL) links:
- Preferred TAL file (https://tal.rpki.ripe.net/ripe-ncc.tal)
This is the latest TAL file published by the RIPE NCC. We recommend that you use this file.
- RFC8630 TAL file (https://tal.rpki.ripe.net/ripe-ncc-rfc8630.tal)
This TAL file is compatible with RFC8630.