Deploy360 14 September 2016

RFC 7935: Algorithm & Key Size Specifications for RPKI

By Kevin Meynell, Former Senior Manager, Technical and Operational Engagement

Securing BGP

Last week saw the publication of RFC 7935, which specifies the algorithms, algorithm parameters, asymmetric key formats, asymmetric key size, and signature format used by the Resource Public Key Infrastructure (RPKI). It should be read by RPKI subscribers generating digital signatures for certificates, Certificate Revocation Lists (CRLs), Cryptographic Message Syntax (CMS) signed objects and certification requests, as well as by Relying Parties (RPs) who need to verify these digital signatures.

This RFC updates the key sizes and signature and hash algorithms specified in RFC 6485 in order to maintain an acceptable level of cryptographic security. It also updates the Object Identifier (OID) specification to follow current operational practice instead of requiring compliance with the earlier RFC.
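RFC 7935 keeps the RSA-based profile of RFC 6485: RSA key pairs with a 2048-bit modulus and public exponent 65537, signatures with sha256WithRSAEncryption, and SHA-256 as the hash. The following Go program is an added example, not code from this post or from any RIR's RPKI software; it checks a parsed X.509 certificate against exactly those parameters, which is the kind of sanity check a Relying Party or a CA operator might run before trusting or publishing a certificate. The self-signed certificate it builds is a constructed sample for the check and not a real RPKI resource certificate (it carries none of the RFC 3779 resource extensions); the function and constant names are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Parameters mandated by RFC 7935 for RPKI certificates: an RSA public key
// with a 2048-bit modulus and exponent 65537, signed with
// sha256WithRSAEncryption. Names are this example's own.
const (
	rpkiRSAModulusBits = 2048
	rpkiRSAExponent    = 65537
)

// CheckRFC7935 reports the first RFC 7935 parameter the certificate violates,
// or nil when the signature algorithm and subject public key both conform.
func CheckRFC7935(cert *x509.Certificate) error {
	if cert.SignatureAlgorithm != x509.SHA256WithRSA {
		return fmt.Errorf("signature algorithm %v is not sha256WithRSAEncryption", cert.SignatureAlgorithm)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("subject public key is not an RSA key")
	}
	if pub.N.BitLen() != rpkiRSAModulusBits {
		return fmt.Errorf("RSA modulus is %d bits, want %d", pub.N.BitLen(), rpkiRSAModulusBits)
	}
	if pub.E != rpkiRSAExponent {
		return fmt.Errorf("RSA public exponent is %d, want %d", pub.E, rpkiRSAExponent)
	}
	return nil
}

// SelfSignedCert builds a throwaway self-signed CA certificate with the given
// key and signature algorithm. Constructed sample only: it is not an RPKI
// resource certificate and carries no RFC 3779 resource extensions.
func SelfSignedCert(key *rsa.PrivateKey, sigAlg x509.SignatureAlgorithm) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-ca (constructed)"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		SignatureAlgorithm:    sigAlg,
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// A compliant key: Go's rsa.GenerateKey always uses exponent 65537.
	key, err := rsa.GenerateKey(rand.Reader, rpkiRSAModulusBits)
	if err != nil {
		panic(err)
	}
	for _, alg := range []x509.SignatureAlgorithm{x509.SHA256WithRSA, x509.SHA512WithRSA} {
		cert, err := SelfSignedCert(key, alg)
		if err != nil {
			panic(err)
		}
		if err := CheckRFC7935(cert); err != nil {
			fmt.Printf("%v: REJECT (%v)\n", alg, err)
		} else {
			fmt.Printf("%v: OK\n", alg)
		}
	}
}
```

The check deliberately rejects stronger-looking but non-conforming choices (a larger modulus, sha512WithRSAEncryption) as well as weaker ones, because RPKI interoperability depends on every party producing and accepting exactly the profile the RFC fixes, not merely "at least this strong".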

RPKI is a specialised PKI that aims to improve the security of the Internet routing system, specifically the Border Gateway Protocol (BGP). It does this through the issuing of X.509-based resource certificates to holders of IP addresses and AS numbers in order to prove assignment of these resources. These certificates are issued to Local Internet Registries (LIRs) by one of the five Regional Internet Registries (RIRs) – AfriNIC, APNIC, ARIN, LACNIC and RIPE NCC – who have responsibility for allocation and assignment of these resources in their service regions.

Each RIR acts as a Certificate Authority (CA) and trust anchor for the resources assigned within its service region, and is responsible for issuing a CRL. CRLs are usually generated at defined intervals, and publish a list of the X.509 resource certificates that have been revoked before their normal expiry date. RPKI signed objects use CMS as a standard encapsulation format, as specified in RFC 6488.

Normally we’d point you to our Start Here page for more information, but we’re actually looking for contributors who’d be interested in writing a good overview of RPKI for us. If you can help, please get in touch.

In the meantime, please follow the links above to the RPKI information on the RIR websites.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
