APNIC to Upgrade to Split Trust Anchor RPKI

On 25 October 2012 APNIC will make some important changes to its Resource Public Key Infrastructure (RPKI) system.

Important step to further secure the worldwide Internet

On 25 October 2012, APNIC will make some important changes to its Resource Public Key Infrastructure (RPKI) system. These changes, which involve APNIC issuing up to five new “trust anchor” certificates, will align APNIC's RPKI model with the overall administrative and associated registry structure of number resources in the Internet.

Only those organizations testing routing software for RPKI will be affected by this change as their systems will need to be reconfigured to reflect this modified trust anchor material. The rest of the APNIC membership and others worldwide will not be affected in any way.

The RPKI is the resource public key infrastructure framework designed to secure the Internet's global routing infrastructure. By connecting IP addresses to a trust anchor, routers can validate the origins of any routing announcements. This RPKI validation allows the legitimate owners of those IP addresses to control the Internet routing protocols, to prevent route hijacking and other attacks.

The RPKI system has been in place since 2009, with each participating RIR, including APNIC, publishing its own trust anchor to certify all the number resources in its registry. These resources include the IP blocks allocated by IANA, as well as IP addresses that Members have transferred from other regions or that came to be managed by each registry through historical resource transfer processes.

With the recent increase in inter-RIR resource transfers, a more efficient way to reflect changes to an RIR’s resource holding, without revoking and reissuing the affected RIR trust anchor, is needed. The split model allows more granular updates, affecting only the certification path that covers the transferred resources.

What will change?

To migrate to the split trust anchor model, APNIC has published five new self-signed certificates – one for those resources that IANA has recorded as being administered by APNIC, and four other self-signed certificates for resources acquired from each of the other RIRs.

As a result, those organizations that run automatic configuration software for RPKI routing will need to make updates to their routing, replacing the old APNIC trust anchor with the new set of APNIC trust anchors.

For more information on APNIC’s migration to a global trust anchor RPKI system, read the FAQ.