Resource Public Key Infrastructure
The Resource Public Key Infrastructure (RPKI) enables users of public networks, such as the Internet, to verify the authenticity of data that has been digitally signed by the originator of the data.
When a block of data is signed using a resource holder's private key, the data can be verified by the recipient using the signer's public key. This verification process can detect attempts to tamper with the data in any way.
The sender's public key needs to be verified as well, and this is achieved through the identification of a chain of interlocking certificates that connect a Trust Anchor to the signer's public key certificate. In this case, the trusted certificate authority is APNIC. This structure of interlocking resource certificates is referred to as the RPKI.
Using the RPKI, information can be either encrypted or signed with one key of a key pair, and it can only be decrypted or have its signature verified using the matching key: data signed with a private key is verified with the corresponding public key.
For example, by digitally signing routing authority documents, the routing advertisements that are passed into the Internet's routing system may be verified by other network operators. If there is a match between the routing object and the routing authority, and the authority's digital signature can be verified, then there is a strong assurance that the routing information is authentic.
To ensure the authenticity of the public key purported to be yours, APNIC publishes your public key, together with a list of your current holdings of Internet resources in a resource certificate and attests that the public key in the certificate belongs to you. APNIC signs this digital attestation with its private key. In this manner, APNIC publicly confirms that the holder of the corresponding private key is the current right-of-use holder for a specific set of address or AS number resources.
X.509 extensions
Resource Certificates are based on the X.509 certificate format (RFC 5280). The format has been extended by another IETF standard (RFC 3779) to include IP addresses and AS numbers in a critical certificate extension. The extension binds a list of IP address blocks and AS numbers to the subject of a certificate.
The extension is defined as a 'critical' extension, meaning that validation must include the check that the issuer's certificate carries the same extension, and that the parent certificate must encompass the resource block described in the extension of the certificate being validated. Because of this critical extension, these resource certificates cannot be used in a conventional manner for identity verification or web-server assurance. Resource certificates can only be used by specialized applications and services that are related to verification of an entity's right to use an IP address or AS number.
Route Origin Attestations (ROAs)
In an effort to support the addition of more security to inter-domain routing, mechanisms are available that allow entities to verify that an autonomous system (AS) has been given permission by an IP address block holder to advertise routes to one or more prefixes within that block. We call this mechanism a Route Origin Attestation (ROA). The certificate holder uses their private key to sign a ROA for specific IP address blocks to be routed by a specific AS, and this can be verified using the public key and the certificate hierarchy.
For example, the ROA might state the following: "ISP 4 permits AS 65000 to originate a route for the prefix 192.2.200.0/24"
The content of an ROA identifies a single AS that has been authorized by the address space holder to originate routes and a list of one or more IP address prefixes that will be advertised.
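The following is an added example, not APNIC's code, showing how a relying party applies validated ROA payloads to a BGP announcement: each announcement is classified as VALID, INVALID or NOTFOUND in the manner of RFC 6811 route origin validation. It assumes the signature and certificate-chain checks described above have already succeeded, and uses the standard ROA maxLength field (RFC 6482), which the text above does not mention; the ROAs themselves are constructed sample data.

```python
# Route origin validation against ROA payloads (added example, not APNIC's code).
# Signature and certificate-chain verification are assumed to be done already;
# SAMPLE_ROAS below are constructed, not real registry content.
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import Optional, Union

Net = Union[IPv4Network, IPv6Network]

@dataclass(frozen=True)
class Roa:
    asn: int          # the single AS authorised to originate routes
    prefix: Net       # one address block named in the ROA
    max_length: int   # most specific length the AS may announce (RFC 6482 maxLength)

def parse_roa(asn: int, prefix: str, max_length: Optional[int] = None) -> Roa:
    net = ip_network(prefix)
    if max_length is None:
        max_length = net.prefixlen          # no maxLength: only the exact prefix
    if not (net.prefixlen <= max_length <= net.max_prefixlen):
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    return Roa(asn, net, max_length)

def covers(roa: Roa, announced: Net) -> bool:
    """A ROA covers an announcement when the announced prefix lies inside the
    ROA prefix (same address family), regardless of origin AS or length."""
    return announced.version == roa.prefix.version and announced.subnet_of(roa.prefix)

def matches(roa: Roa, announced: Net, origin_as: int) -> bool:
    """Covered, same AS, and not more specific than maxLength allows."""
    return (covers(roa, announced) and roa.asn == origin_as
            and announced.prefixlen <= roa.max_length)

def validate_origin(roas, prefix: str, origin_as: int) -> str:
    announced = ip_network(prefix)
    covering = [r for r in roas if covers(r, announced)]
    if not covering:
        return "NOTFOUND"   # no ROA says anything about this address space
    if any(matches(r, announced, origin_as) for r in covering):
        return "VALID"
    return "INVALID"        # covered by a ROA, but AS or length disagrees

# Constructed sample: the ROA from the text ("AS 65000 may originate
# 192.2.200.0/24") plus an IPv6 ROA that permits announcements down to /48.
SAMPLE_ROAS = [
    parse_roa(65000, "192.2.200.0/24"),
    parse_roa(65001, "2001:db8::/32", max_length=48),
]

if __name__ == "__main__":
    for pfx, asn in [("192.2.200.0/24", 65000), ("192.2.200.0/24", 65002),
                     ("192.2.200.0/25", 65000), ("10.9.0.0/16", 65000)]:
        print(pfx, asn, validate_origin(SAMPLE_ROAS, pfx, asn))
```

An INVALID result means a covering ROA exists but the announcement's origin AS or prefix length disagrees with it; NOTFOUND means the address space simply has no ROA yet, which is why operators usually drop only INVALID routes.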
Resource certification offers a means to make inter-domain routing more secure
