RPKI Optimization and Security: The LACNIC Checklist

07/01/2025


By Jorge Cano, Senior Software Architect at LACNIC

Earlier this year, we implemented a new system to manage the cryptographic objects associated with LACNIC’s Resource Public Key Infrastructure (RPKI) system. This system adds significant improvements to the security of the process, including management of the master key, used as a point of trust for validating the information.

This key is maintained offline and is only activated for short periods of time for the sole purpose of re-signing the master certificate on which all cryptographic objects in our section of the RPKI tree rely. This measure not only strengthens protection against potential unauthorized access, but also guarantees greater resilience and trust in the system.

The periods during which the master key is activated are known as “RPKI Signing Ceremonies.” During these ceremonies, part of the LACNIC staff obtains temporary access to the master key to conduct critical operations, which must be auditable, repeatable, and free of errors due to omission or carelessness. To ensure these activities are executed properly, we use a checklist or script that ensures each step is carried out accurately, provides transparency, and allows the internal LACNIC team to audit the process.


To date, we have completed three signing ceremonies with the participation of members of different LACNIC departments. These ceremonies take place in a controlled environment like our offices at Casa de Internet in Uruguay, under strict security measures and with the presence of witnesses who certify the process.

Seeking to optimize the creation and management of these checklists, we are developing an open-source application, CheckList, which is available to the community. This tool allows developers to define steps in a YAML text file, plain text, or using Markdown. It also allows including commands to be executed directly on the command line and display the expected results.

Once created, the list can be published on any web server. The application allows monitoring progress, checking off steps as they are completed, and recording any incidents or exceptions that occur during execution. After the process is complete, an official document is generated that can be printed or stored digitally to facilitate auditing and ensure a transparent record.
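To make the idea of a command-driven, auditable ceremony checklist concrete, here is a small runner written for this post; it is not code from the CheckList project, and the step layout and field names (`id`, `title`, `command`, `expected`) are my own assumptions, since the project's YAML schema is not shown here. Each step runs a command, compares its output with the expected result, records a mismatch as an incident instead of aborting, and the finished record is serialized with a SHA-256 so a printed or stored copy can be checked later.

```python
"""Minimal ceremony-checklist runner (illustration only, not LACNIC's CheckList)."""
import hashlib
import json
import subprocess
from datetime import datetime, timezone

# Constructed sample steps; the real project's YAML layout is not on the page.
# Step 3 deliberately expects a different version than the command prints,
# so the run produces one incident for the operator to acknowledge.
CEREMONY_STEPS = [
    {"id": 1, "title": "Confirm we are on the offline signer", "command": "echo signer-offline", "expected": "signer-offline"},
    {"id": 2, "title": "Confirm master certificate is present", "command": "echo present", "expected": "present"},
    {"id": 3, "title": "Check signing tool version", "command": "echo 1.4.2", "expected": "1.4.0"},
]

def run_step(step, timeout=30):
    """Run one step's command and compare its stdout with the expected value.
    A non-zero exit or a mismatch is recorded as an 'incident', never silently passed."""
    proc = subprocess.run(step["command"], shell=True, capture_output=True, text=True, timeout=timeout)
    actual = proc.stdout.strip()
    ok = proc.returncode == 0 and actual == step["expected"]
    return {"id": step["id"], "title": step["title"], "command": step["command"],
            "expected": step["expected"], "actual": actual,
            "returncode": proc.returncode, "status": "ok" if ok else "incident"}

def run_checklist(steps, witnesses):
    """Execute every step in order (the ceremony must be repeatable, so nothing is skipped)
    and return the full record including the list of steps that raised incidents."""
    started = datetime.now(timezone.utc).isoformat()
    results = [run_step(s) for s in steps]
    return {"started_at": started, "finished_at": datetime.now(timezone.utc).isoformat(),
            "witnesses": list(witnesses), "steps": results,
            "incidents": [r["id"] for r in results if r["status"] != "ok"]}

def audit_document(record):
    """Serialize the record deterministically and append its SHA-256 as the last line."""
    body = json.dumps(record, indent=2, sort_keys=True)
    return body + "\nsha256: " + hashlib.sha256(body.encode()).hexdigest() + "\n"

def verify_audit_document(doc):
    """Recompute the digest of a stored document; False means the body was altered."""
    body, _, tail = doc.rstrip("\n").rpartition("\n")
    if not tail.startswith("sha256: "):
        return False
    return hashlib.sha256(body.encode()).hexdigest() == tail[len("sha256: "):]

if __name__ == "__main__":
    rec = run_checklist(CEREMONY_STEPS, ["witness-a", "witness-b"])
    print(audit_document(rec))
```

Running it prints the record with step 3 marked as an incident, and tampering with any field of the stored document makes `verify_audit_document` return False.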

We invite you to click here to visit the project webpage or take a look at an example of a checklist.

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of LACNIC.
