The Challenge of Expanding Resource Certification in the LACNIC Region
14/07/2022

By Carlos Martinez, Chief Technology Officer at LACNIC
For the past 13 years, LACNIC has been actively working to promote the adoption of RPKI (Resource Public Key Infrastructure), a public key infrastructure whose digital certificates allow legitimate holders of number resources to prove that they are actually authorized to announce their prefixes.
Within the framework of the Internet Society’s RPKI Week, we participated in the panel on RPKI adoption, where we shared some of the actions developed by LACNIC that have made it possible for 40 % of the resources in the Latin American and Caribbean region to be certified. However, we must advance further in the use of RPKI to ensure that the routing system is fully protected. To achieve this, it is necessary to get as close as possible to 100 % coverage.
Two different objectives of RPKI deployment in our region are often confused and need to be distinguished: on the one hand, certification and the creation of ROAs within the PKI by all network operators and LACNIC’s partners; on the other hand, the implementation of Route Origin Validation (ROV) in infrastructure equipment by large operators or carriers.
ROV uses the data entered in the RPKI to validate that the announcements received via BGP actually represent what the resource holders intend. Those that do not pass this test are discarded.
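The check that ROV performs can be sketched as follows, using the three outcomes defined in RFC 6811 (valid, invalid, not-found); note that a prefix with no ROA comes out as not-found, so ROV cannot reject a bogus announcement of it. This is an added example, not LACNIC's or any router vendor's code: the VRP list, prefixes and AS numbers are constructed, and `validate` and `accept` are hypothetical names.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA Payload: the tuple a validator extracts from a signed ROA."""
    prefix: str
    max_length: int
    asn: int

# Constructed sample data (documentation prefixes, documentation ASNs).
VRPS = [
    VRP("192.0.2.0/24", 24, 64500),
    VRP("2001:db8::/32", 48, 64501),
]

def validate(prefix: str, origin_asn: int, vrps=VRPS) -> str:
    """Classify one BGP announcement against the VRP set (RFC 6811 logic)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        # A VRP "covers" the route if the route is equal to or inside its prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # It "matches" if the origin AS agrees and the route is not more
        # specific than the holder allowed via maxLength.
        if vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"
    # Covered by some ROA but matched by none: the holder did not authorize it.
    return "invalid" if covered else "not-found"

def accept(announcements, vrps=VRPS):
    """Typical ROV policy: discard invalid routes, keep valid and not-found."""
    return [(p, a) for p, a in announcements if validate(p, a, vrps) != "invalid"]

if __name__ == "__main__":
    sample = [
        ("192.0.2.0/24", 64500),       # authorized origin
        ("192.0.2.0/24", 64511),       # wrong origin AS
        ("192.0.2.0/25", 64500),       # more specific than maxLength
        ("2001:db8:1::/48", 64501),    # within maxLength
        ("203.0.113.0/24", 64502),     # no ROA exists for this prefix
    ]
    for prefix, asn in sample:
        print(f"{prefix:<18} AS{asn}  {validate(prefix, asn)}")
```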
This distinction is important because there is a large asymmetry in size among LACNIC’s members. In many cases, organizations were reluctant to start creating objects in the RPKI because they thought it would be useless if large operators did not implement origin validation themselves.
Therefore, we started to work with colleagues in the region. In 2012, we had the case of NAP Ecuador, which was very interested in using RPKI, not only to improve its security posture, but also to solve an operational problem: how to accept new prefixes in the IXP matrix with as little manual intervention as possible.
Finally, together with the NAP.ec team, the LACNIC team, and the collaboration of Cisco Systems, we managed to implement origin validation in NAP.ec. We organized a face-to-face activity to help NAP.ec members create their objects in LACNIC’s RPKI. I believe that was the first major milestone in RPKI’s development in our region.
Gradually, resource certification became a trend in the region.

Then, we followed with another very enriching and successful experience in Costa Rica, which later led to many other positive experiences.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of LACNIC.