RPKI

General

  • Introduction
    • About this Documentation
    • About Resource Public Key Infrastructure
    • Organisation of this Documentation
  • FAQ
    • RPKI Mechanism
      • What is RPKI and why was it developed?
      • I thought we were all using the IRR to check route origin, why do we need RPKI now?
      • Why are we investing in RPKI, isn’t it easier to just fix the Internet Routing Registry (IRR) system?
      • Is it true that BGP4 is just not up to the task any longer?
      • As RPKI relies on X.509 PKI, isn’t this the same problem with untrustworthy SSL/TLS Certificate Authorities all over again?
      • What is the value of RPKI based BGP Origin Validation without Path Validation?
      • When comparing the ROA data set to the announcements my router sees, what are possible outcomes?
      • I’ve heard the term “route leak” and “route hijack”. What’s the difference?
      • If a ROA is cryptographically invalid, will it make my route invalid?
    • Operations and Impact
      • Will my router have a problem with all of this cryptographic validation?
      • Does RPKI reduce the BGP convergence speed of my routers?
      • Why do I need rsync on my system to use a validator?
      • The five RIRs provide a Hosted RPKI system, so why would I want to run a Delegated RPKI system myself instead?
      • Should I run a validator myself, when I can use an external data source I found on the Internet?
      • How often should I fetch new data from the RPKI repositories?
      • What if the RPKI system becomes unavailable or some other catastrophe occurs, will my (signed) prefixes become unreachable to others? Will other prefixes my routers learned over BGP become unreachable for me?
      • What if the Validator I use crashes and my router stops getting a feed. What will happen to the prefixes I learn over BGP?
      • I don’t want to rely on the RPKI data set in all cases, but I want to have my own preferences for some routes. What can I do?
      • Is there any point in signing my routes with ROAs if I don’t validate and filter myself?
    • Miscellaneous
      • Why isn’t the ARIN RPKI TAL like other public key files?
      • What is the global adoption and data quality of RPKI like?
      • I want to use the RPKI services from a specific RIR that I’m not currently a member of. Can I transfer my resources?
      • Will RPKI be used as a censorship mechanism allowing governments to make arbitrary prefixes unroutable on a whim?
      • What are the long-term plans for RPKI?
  • Quick Help
    • What is RPKI or ROA?
    • What do they do?
    • How does it work?
    • What is in a ROA?
    • What happens next?
    • What can I do about my route having an Invalid state?

RPKI Technology

  • Introduction
    • Internet Number Resource Allocation
    • Mapping the Resource Allocation Hierarchy into the RPKI
    • X.509 PKI Considerations
  • Internet Routing
    • BGP Best Path Selection
      • Preference for Shortest Path
      • Preference for Most Specific Prefix
    • Routing Errors
    • Mitigation of Routing Errors
    • The Internet Routing Registry
  • Securing BGP
    • Route Origin Validation
      • Route Origin Authorisations
        • Maximum Prefix Length
      • Route Announcement Validity
    • Path Validation
  • Implementation Models
    • Hosted RPKI
      • Functional differences across RIRs
    • Delegated RPKI
  • Using RPKI Data
    • Connecting to the Trust Anchor
    • Fetching and Verifying
    • Validating Routes
    • Local Overrides
    • Feeding Routers

Operations

  • Software Projects
    • Relying Party Software
    • RTR Server Software
    • Certificate Authority Software
    • Supporting Tools
  • Router Support
    • Hardware Solutions
    • Software Solutions
  • Resources
    • Books
    • Insights and Statistics
    • Operational Experiences
    • Examples of BGP Hijacks
    • IETF Documents

© Copyright 2018-2024, NLnet Labs (CC-BY 3.0).
