<h1>A solution to the concerns on the current RPKI Trust Anchor configuration</h1>

<p>By <a href="https://blog.lacnic.net/en/author/sofia-silva-berenguer/">Sofia Silva Berenguer</a>, LACNIC Blog, published 2025-10-29 (<a href="https://blog.lacnic.net/en/anchor-rpki/">https://blog.lacnic.net/en/anchor-rpki/</a>)</p>

<p>In the context of the Resource Public Key Infrastructure (RPKI), validation is performed by Relying Party (RP) software. RPs are commonly configured with five Trust Anchors (TAs), one for each of the Regional Internet Registries (RIRs). Each TA operator is able to make arbitrary RPKI statements about Internet Number Resources (INRs) independently of the other TA operators: for example, one TA could issue a Route Origin Authorisation (ROA) for resources that have actually been assigned to another TA. The fact that TAs can claim resources for which they are not authoritative has created concerns among the technical community.</p>

<p>As part of the <a href="https://www.nro.net/technical-coordination/nro-rpki-program/">NRO RPKI Program</a>, representatives of the five RIRs have been working on a draft specification to address these concerns. This specification has now been <a href="https://www.ietf.org/archive/id/draft-nro-sidrops-ta-constraints-00.txt">posted</a> to the <a href="https://datatracker.ietf.org/wg/sidrops/about/">SIDR Operations working group (sidrops WG)</a> in the IETF and will be discussed during the <a href="https://datatracker.ietf.org/meeting/124/session/sidrops">sidrops WG session on Nov 3rd in Montreal</a>.</p>

<h2 class="wp-block-heading">How this solution works</h2>

<p>The document defines a protocol that a group of RPKI TAs can use to make statements about which TA is authoritative for which INRs. The aim of this work is to protect RPKI clients from TAs claiming resources that they do not actually hold.</p>

<p>The protocol involves each TA agreeing to an initial distribution of resources, and then signing an object to that effect. After that object has been issued, TAs can issue additional objects in order to perform transfers. For transfers, only the source and the recipient TAs are involved in signing the relevant objects. TAs can also assert on their own initiative that they have received resources from IANA, or have returned resources to IANA, by way of other signed objects.</p>

<p>Periodically, the TAs will each issue a new "distribution of resources" object at an agreed time, which then functions as the new initial state for clients. This new state follows logically from the previous state and all changes that occurred since. Furthermore, this acts as a check on mistakes or errors that occur in transfers or IANA-related operations.</p>

<p>One of the requirements of the protocol is that a single TA cannot cause constraint validation to fail. This limits the risk that a mistake or error at one RIR will have an operational impact on clients.</p>

<p>This document is intended to align with the emerging consensus in the <a href="https://www.nro.net/policy/internet-coordination-policy-2/">RIR Governance Requirements document</a> that arises from the ICP-2 update process. While the TA constraints functionality is intended to be usable by any group of RPKI TAs, the final specification will be such that the RIRs will be able to implement the TA constraints functionality as well as fulfilling all of the requirements from the governance requirements document.</p>

<p><em>Note that in the scenario with TA Constraints there may be temporary INR overlaps to allow for make-before-break when INRs are being transferred across RIRs.</em></p>

<h2 class="wp-block-heading">What now</h2>

<p>We would like to invite the broader technical community to join the discussion about this proposed specification, so that it can be iterated on and improved based on the feedback received. Read the <a href="https://www.ietf.org/archive/id/draft-nro-sidrops-ta-constraints-00.txt">draft</a>, join the discussion on the <a href="https://mailman3.ietf.org/mailman3/lists/sidrops@ietf.org/">sidrops mailing list</a>, join the discussion at the <a href="https://datatracker.ietf.org/meeting/124/session/sidrops">sidrops working group session</a>, and please share your feedback.</p>