Resource Public Key Infrastructure (RPKI)

  1. What is RPKI?
  2. Why do we need RPKI?
  3. Why are we making changes to APNIC’s RPKI?
  4. How will this affect the repository?
  5. What does it mean for me?
  6. Are there likely to be any service disruptions while this is being implemented?
  7. Will there be any changes to the APNIC Member portal RPKI system?

What is RPKI?

Resource Public Key Infrastructure (RPKI) is a public key infrastructure framework designed to secure the Internet’s routing infrastructure, specifically the Border Gateway Protocol (BGP). RPKI provides a way to bind Internet number resource information (such as IP addresses) to a trust anchor. Using RPKI, the legitimate holders of number resources are able to control how those resources are used by Internet routing protocols, preventing route hijacking and other attacks.

Why do we need RPKI?

Routing protocols are potentially at risk of attacks that can harm individual users or network operations as a whole. RPKI was specified by the IETF to provide a secure means to certify the allocation of Internet number resources, as a step towards securing routing. The Internet Architecture Board considers “a properly designed and deployed RPKI an absolute prerequisite to having a secure global routing system, which is in turn a prerequisite to having a reliable worldwide Internet.”

Why are we making changes to APNIC’s RPKI?

The initial phase of RPKI was introduced by the RIRs in 2009/2010. In this phase, each RIR issues its own self-signed trust anchors, which are independent of one another and contain all resources managed by that RIR, irrespective of their source.

The planned APNIC changes are intended to:

  1. Align APNIC’s RPKI model with the overall administrative and associated registry structure of number resources in the Internet.
  2. Provide a stable set of trust anchors for all APNIC certified Internet number resources in the future.

The new system will allow relying parties to adopt trust anchors of their choosing, and continue to validate APNIC-managed Internet number resources.

  • If a Relying Party uses a trust anchor model that directly reflects the contents of the IANA-administered number resource registries, then the APNIC RPKI structure will align precisely with this model, and all validly signed attestations relating to resources described in APNIC’s registry will validate against such trust anchor material.
  • If a Relying Party chooses to use trust anchor material that is published by APNIC, then all validly signed attestations relating to resources described in APNIC’s registry will validate against this APNIC published trust anchor material.

How will this affect the repository?

As part of this internal change in the RPKI structure within APNIC, the APNIC RPKI repository has been changed to include four additional RPKI publication points, making a total of five APNIC RPKI publication repositories. APNIC has aligned the five repositories to reflect five distinct subsets of the Internet number resources it manages. This reflects those resources for which administrative responsibility has been assigned to APNIC by IANA, as described in the IANA registries, and those resources whose administrative role has been transferred to APNIC from each of the other four RIRs.

These changes are consistent with the RPKI standard specifications, and should not materially alter the function or validation outcomes of RPKI software or those systems that have integrated RPKI validation into their operation.
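As an added illustration (not APNIC's code) of why splitting one trust anchor into several per-origin anchors leaves the accept/reject outcome unchanged for an attestation whose resources all come from one origin, and what a reissuing step has to do for a certificate that mixes origins, the following simplified model applies the RFC 3779 containment rule only; signature checking is assumed to have already passed, and the prefixes and trust anchor names are constructed values, not APNIC's real publication points.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model (not APNIC's code). A trust anchor certifies a set of IP
# resources (RFC 3779); a subordinate certificate or attestation is accepted only
# when every prefix it claims lies inside its issuer's resources. Signature checks
# are assumed done; only resource containment is modelled. Prefixes and TA names
# are constructed documentation values, not real APNIC publication points.

@dataclass(frozen=True)
class TrustAnchor:
    name: str
    resources: tuple  # ip_network objects this TA is entitled to certify

def net(*cidrs):
    return tuple(ipaddress.ip_network(c) for c in cidrs)

def covered(prefix, holder):
    """True if prefix lies entirely within one of holder's resource blocks."""
    return any(prefix.version == r.version and prefix.subnet_of(r) for r in holder)

def validate(claimed, trust_anchors):
    """Name of the first TA covering every claimed prefix, or None (rejected)."""
    prefixes = [ipaddress.ip_network(p) for p in claimed]
    for ta in trust_anchors:
        if all(covered(p, ta.resources) for p in prefixes):
            return ta.name
    return None

def split_by_anchor(claimed, trust_anchors):
    """Partition claimed prefixes by the TA that covers each, as a reissuing
    step would; return None if any prefix is covered by no TA at all."""
    parts = {}
    for p in map(ipaddress.ip_network, claimed):
        owner = next((ta.name for ta in trust_anchors if covered(p, ta.resources)), None)
        if owner is None:
            return None
        parts.setdefault(owner, []).append(str(p))
    return parts

# Old model: one self-signed TA holding everything the RIR manages.
OLD_TA = [TrustAnchor("rir-all", net("198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32"))]
# New model: the same resources split by administrative origin (constructed names).
NEW_TAS = [
    TrustAnchor("from-iana", net("198.51.100.0/24", "2001:db8::/32")),
    TrustAnchor("transferred-from-rir-x", net("203.0.113.0/24")),
]
```

In this model an attestation covering only one origin validates under both the old single anchor and exactly one of the new anchors, an attestation for resources the RIR never held is rejected under both, and a certificate mixing two origins validates under the old anchor but must be split into one certificate per anchor before it validates under the new structure.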

What does it mean for me?

If you are responsible for router configuration, particularly if you run automatic configuration software, these changes will necessitate updates to relying parties’ out-of-band trust anchors. If you already have the APNIC trust anchor, you should replace it with the complete new set of five, and take note of any required configuration changes in your relying party software.

Are there likely to be any service disruptions while this is being implemented?

While the changes are being deployed, relying parties may see transitional periods where the APNIC repository is not available, or content is missing. APNIC will reissue all current valid certificates and products where possible.

A small set of data may not be re-created automatically, and APNIC will contact the affected Members directly to discuss how to convert these products into the new system.

Will there be any changes to the APNIC Member portal RPKI system?

APNIC is currently in the process of redesigning its Member portal RPKI system to align it with the RIPE NCC design. This is a product of the enhanced collaboration goals set by the two RIRs and will present a simplified and more consistent view of RPKI to APNIC Members, and to Members with resources in both RIPE and APNIC systems. Future changes are planned to bring the two RPKI portal systems into stronger alignment.

For further assistance, please contact the APNIC Helpdesk:

Email: helpdesk@apnic.net
Phone: +61 7 3858 3188
Multi-language phone support: Bahasa Indonesia, Bengali, Cantonese, English, Filipino (Tagalog), Hindi, and Mandarin.
VoIP: helpdesk@voip.apnic.net
Fax: +61 7 3858 3199