Resource Public Key Infrastructure
The Resource Public Key Infrastructure (RPKI) enables users of public networks, such as the Internet, to verify the authenticity of data that has been digitally signed by the originator of the data.
When a block of data is signed using a resource holder’s private key, the data can be verified by the recipient using the signer’s public key. This verification process can detect attempts to tamper with the data in any way.
The sender’s public key needs to be verified as well, and this is achieved though the identification of a chain of interlocking certificates that connect a Trust Anchor to the signer’s public key certificate. In this case, the trusted certificate authority is APNIC. This structure of interlocking resource certificates is referred to as the RPKI.
Using the RPKI, information can be either encrypted or signed with a private key and can only be decrypted or have its signature verified using the matching public key.
For example, by digitally signing routing authority documents, the routing advertisements that are passed into the Internet’s routing system may be verified by other network operators. If there is a match between the routing object and the routing authority, and the authority’s digital signature can be verified, then there is a strong assurance that the routing information is authentic.
To ensure the authenticity of the public key purported to be yours, APNIC publishes your public key, together with a list of your current holdings of Internet resources in a resource certificate and attests that the public key in the certificate belongs to you. APNIC signs this digital attestation with its private key. In this manner, APNIC publicly confirms that the holder of the corresponding private key is the current right-of-use holder for a specific set of address or AS number resources.
X.509 extensions
Resource Certificates are based on the X.509 certificate format (RFC 5280). The format has been extended by another IETF standard, (RFC 3779) to include IP address and AS numbers in a critical certificate extension. The extension binds a list of IP address blocks and AS numbers to the subject of a certificate.
The extension is defined as a ‘critical’ extension, meaning that validation must include the check that the issuers certificate extension exists, and that the parent certificate must encompass the resource block described in the extension of the certificate being validated. Due to this critical extension, these resource certificates cannot be used in a conventional manner for identity verification or web-server assurance. Resource certificates can only be used by specialized applications and services that are related to verification of an entity’s rights to use an IP address or AS number.
Changes to APNIC’s RPKI
APNIC will issue five new certificates as self-signed certificates. This change will:
- Align APNIC’s RPKI model with the overall administrative and associated registry structure of number resources in the Internet
- Provide a stable set of trust anchors for all APNIC-certified Internet number resources in the future
Changes to the existing system
This change to APNIC’s published trust material will alter the repository synchronization and validation processing by those organizations with active RPKI validation systems. Those organizations will need to alter their trust configuration and repository root configurations accordingly.
APNIC commits to maintain its set of published trust anchor material as a resource for relying parties to use if they so choose.
More choice for the relying party
The new system will allow relying parties to adopt trust anchors of their choosing, and continue to validate APNIC-managed Internet number resources.
- If a Relying Party uses a trust anchor model that directly reflects the contents of the IANA-administered number resource registries, then the APNIC RPKI structure will precisely align into this model, and all validly signed attestations relating to resources described in APNIC’s registry will validate against such trust anchor material.
- If a Relying Party chooses to use trust anchor material that is published by APNIC, then all validly signed attestations relating to resources described in APNIC’s registry will validate against this APNIC published trust anchor material.
Changes to APNIC repository
APNIC’s repository will be changed to include four new publication points, making a total of five APNIC RPKI publication repositories. APNIC has aligned the five repositories to reflect five distinct subsets of the Internet number resources it manages. This reflects those resources for which administrative responsibility has been assigned to APNIC by IANA, as described in the IANA registries, and those resources whose administrative role has been transferred to APNIC from each of the other four RIRs.
Route Origin Authorization (ROAs)
In an effort to support the addition of more security to inter-domain routing, mechanisms are available that allow entities to verify that an autonomous system (AS) has been given permission by an IP address block holder to advertise routes to one or more prefixes within that block. We call this mechanism a Route Origin Authorization (ROA). The certificate holder uses their private key to sign an ROA for specific IP address blocks to be routed by a specific AS, and this can be tested and verified by the public key, and the certificate hierarchy.
The content of an ROA identifies a single AS that has been authorized by the address space holder to originate routes and a list of one or more IP address prefixes that will be advertised.