Thursday 23 February 2012
 
 
Resource Public Key Infrastructure (RPKI)

 

AfriNIC's Resource Certification

Resource Certification is a security framework for verifying the association between Internet number resources (Internet addresses and/or Autonomous System Numbers) and their rightful holders. It aims to provide a verifiable form of a holder's current right to use those resources over the Internet.

Since 2006, AfriNIC has been working with other RIRs on the resource certification activity, while also following the development of the standards in the Secure Inter-Domain Routing (SIDR) Working Group at the IETF (http://tools.ietf.org/wg/sidr/).

As of the first of January 2011, AfriNIC will offer a system with a basic set of features, to be expanded over time in a phased deployment plan. Certification will be offered through a hosted environment via the MyAfriNIC portal. Members will be able to manage ROA and AAO specifications and view their certificates. The system takes care of all the cryptographic operations, such as certificate requests and renewals, re-keys, and publication of objects in the repository (rsync://rpki.afrinic.net). Access to the resource certification sub-section requires a Business Public Key Infrastructure (BPKI) certificate.

 

Reasons behind deploying RPKI

Resource certificates can be used for various purposes:

  • Sign Route Origin Authorizations
  • Sign Internet Routing Objects
  • Prove ownership of Internet number resources in the context of IPv4 transfer after the exhaustion of the IPv4 pool of the RIR
  • Help to secure the inter-domain routing protocol by conveying the right-to-use of the resources and to validate routing information exchanged.

 

Technically speaking

Resource Certificates are based on the X.509 certificate format (RFC 5280). The format has been extended by an IETF standard (RFC 3779) to include IP addresses and AS numbers in a critical certificate extension. These certificates are then published and bound together in a verifiable way. The resource certificates can only be used by specialized applications and services that are related to verification of an entity's rights to use an IP address or AS number.
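The sketch below is an added example, not AfriNIC's or APNIC's code. It decodes the DER BIT STRING form that RFC 3779 uses for an address prefix and applies the "encompass" rule that binds certificates together: a certificate's resources must fall inside its issuer's. The function names and sample prefixes are assumptions made for illustration; only the prefix form is handled.

```python
import ipaddress

# RFC 3779 address family identifiers: 1 = IPv4, 2 = IPv6.
AFI = {1: (32, ipaddress.IPv4Network), 2: (128, ipaddress.IPv6Network)}

def decode_prefix(afi, der):
    """Decode one RFC 3779 IPAddress (a DER BIT STRING) into a network object."""
    width, net_cls = AFI[afi]
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER BIT STRING")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bit count")
    if body and body[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    plen = 8 * len(body) - unused          # significant bits = prefix length
    if plen > width:
        raise ValueError("prefix longer than the address family allows")
    addr = int.from_bytes(body.ljust(width // 8, b"\x00"), "big")
    return net_cls((addr, plen))

def encompassed(child, parent):
    """True if every child prefix lies inside a parent prefix of the same family.

    Assumes the parent list is in RFC 3779 canonical form (adjacent prefixes
    already merged); IPAddressRange entries are not handled here.
    """
    return all(any(c.version == p.version and c.subnet_of(p) for p in parent)
               for c in child)

# Constructed sample data using documentation prefixes, not real allocations.
ISSUER = [decode_prefix(1, bytes.fromhex("030400c00002")),        # 192.0.2.0/24
          decode_prefix(2, bytes.fromhex("03050020010db8"))]      # 2001:db8::/32
HOLDER_OK = [decode_prefix(1, bytes.fromhex("030507c0000280"))]   # 192.0.2.128/25
HOLDER_OVERCLAIM = [decode_prefix(1, bytes.fromhex("030402c00000"))]  # 192.0.0.0/22

if __name__ == "__main__":
    for name, res in (("ok", HOLDER_OK), ("over-claim", HOLDER_OVERCLAIM)):
        print(name, [str(n) for n in res], "encompassed:", encompassed(res, ISSUER))
```

A validator that finds an over-claiming certificate treats it as invalid, so any ROA signed under it cannot be used to authorize a route origin.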

AfriNIC has invested significant resources in the development of its own in-house system based on the APNIC RPKI code. A basic version of the system will be launched on the 1st of January 2011 and will evolve during the year in phases. These phases include the extension of the "up/down" protocol, sub-certification, and the migration to a single Trust Anchor (TA).

 

To use the system

  1. Activate your account on MyAfriNIC if you have not done so before.
  2. Navigate to Resources Certification under Resources.
  3. Enjoy !!!

If you have any questions, please send a mail to rpki-help[at]afrinic.net.

A mailing list, rpki-discuss[at]afrinic.net, has been created for discussion of the RPKI services.

 

Resource certification at other RIRs

 

Copyright © 2005-2010 AfriNIC. All rights reserved.