Resource certification

Resource Certification is a robust security framework for verifying the association between resource holders and their Internet resources. In this context, ‘resource holders’ are organizations such as Regional Internet Registries (RIRs), Local Internet Registries (LIRs), Internet Service Providers (ISPs), or end-user organizations, while ‘Internet resources’ are IPv4 and IPv6 address blocks and Autonomous System (AS) numbers.

Resource Certification is an initiative from APNIC aimed at improving the security of inter-domain routing and augmenting the information published in the APNIC Whois Database service with a verifiable form of a holder’s current right-of-use over an Internet resource. Other RIRs are working on similar certification projects.

A more secure Internet

Routing security is essential to the integrity of the Internet. To maintain its viability as a trustworthy platform for interactions and transactions, we need to build security into the Internet as a whole, not just our own computers and networks.

Most network relationships on the Internet are based on a system of mutual trust. Each party trusts that the route used to transmit information is safe and accurate, and that it will not be maliciously altered. This trust model proved adequate in the early stages of Internet development, but it is increasingly open to abuse and attack as the network encompasses a markedly larger and far more diverse population.

Such an attack might involve the injection of fraudulent or erroneous information into the routing system. The potential outcomes of this kind of exploitation of routing vulnerabilities might include traffic black-holing, impersonation of identity at an application level, inspection and alteration of traffic, denial of service against entire sites, and network destabilization.

The operational practice of deploying bogon filters and the piecemeal use of routing policy databases are not entirely reliable or robust forms of defence against these vulnerabilities. Resource Certification is a highly robust means of preventing the injection of false information into the Internet’s routing system.

The overall aim is a secure routing infrastructure in which any party can validate routing advertisements and be confident that the information passed through the Internet’s routing system is correct and corresponds to the intentions of the address holder. This confidence comes from combining the certification of resource holdings, via Resource Certificates, with a validation structure for that certification in the form of a Resource Public Key Infrastructure (RPKI).
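The containment rule behind such a validation structure, as an added example that is not taken from APNIC's page or software: a certificate is accepted only if the address blocks and AS numbers it lists fall inside those of its issuer, all the way up to a trust anchor. The `Cert` model, the holder names and the documentation-range resources are constructed for illustration, and signature checking is assumed to be done separately.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

@dataclass(frozen=True)
class Cert:
    """Simplified resource certificate (hypothetical model, no signatures)."""
    holder: str
    issuer: Optional[str]     # None marks the trust anchor
    prefixes: tuple           # IPv4/IPv6 address blocks as strings
    asns: tuple               # inclusive (low, high) AS number ranges

def covers(parent, child):
    """True if every resource in `child` lies inside a resource of `parent`."""
    p_nets = [ip_network(p) for p in parent.prefixes]
    for c in map(ip_network, child.prefixes):
        if not any(c.version == p.version and c.subnet_of(p) for p in p_nets):
            return False
    return all(any(lo <= c_lo and c_hi <= hi for lo, hi in parent.asns)
               for c_lo, c_hi in child.asns)

def validate_chain(holder, certs):
    """Walk from `holder` up to the trust anchor; return (ok, reason)."""
    by_holder = {c.holder: c for c in certs}
    cert, seen = by_holder.get(holder), set()
    if cert is None:
        return False, f"no certificate for {holder}"
    while cert.issuer is not None:
        if cert.holder in seen:
            return False, "issuer loop"
        seen.add(cert.holder)
        parent = by_holder.get(cert.issuer)
        if parent is None:
            return False, f"missing issuer {cert.issuer}"
        if not covers(parent, cert):
            return False, f"{cert.holder} claims resources not held by {parent.holder}"
        cert = parent
    return True, "chain reaches trust anchor"

# Constructed sample hierarchy using documentation prefixes and AS numbers.
CERTS = [
    Cert("RIR", None, ("192.0.2.0/24", "2001:db8::/32"), ((64496, 64511),)),
    Cert("LIR", "RIR", ("192.0.2.0/25", "2001:db8:100::/40"), ((64500, 64503),)),
    Cert("ISP-A", "LIR", ("192.0.2.0/26",), ((64501, 64501),)),
    Cert("ISP-B", "LIR", ("192.0.2.128/26",), ((64502, 64502),)),  # outside LIR's /25
]

if __name__ == "__main__":
    for h in ("ISP-A", "ISP-B"): print(h, validate_chain(h, CERTS))
```

ISP-B is rejected even though its block sits inside the RIR's /24, because the check is made against the immediate issuer at every step of the chain.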
