Deploy360 14 September 2016

RFC 7935: Algorithm & Key Size Specifications for RPKI

By Kevin Meynell, Senior Manager, Technical and Operational Engagement

Last week saw the publication of RFC 7935, which specifies the algorithms, algorithm parameters, asymmetric key formats, asymmetric key size, and signature format used by the Resource Public Key Infrastructure (RPKI). It should be read by RPKI subscribers generating digital signatures for certificates, Certificate Revocation Lists (CRLs), Cryptographic Message Syntax (CMS) signed objects and certification requests, as well as by Relying Parties (RPs) who need to verify those digital signatures.

This RFC updates the key sizes and signature and hash algorithms specified in RFC 6485 in order to maintain an acceptable level of cryptographic security. It also updates the Object Identifier (OID) specification to follow current operational practice instead of requiring compliance with the earlier RFC.
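To make the profile concrete, here is an added example (not code from the RFC or from this post) of the kind of conformance check a relying party could apply to a parsed certificate: RFC 7935 requires RSA keys with a 2048-bit modulus and public exponent 65537, and signatures made with SHA-256 (sha256WithRSAEncryption). The `SelfSigned` helper and its throw-away certificate are assumptions added so the check can be exercised offline; they are not RIR-issued resource certificates.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Profile fixed by RFC 7935: RSA, 2048-bit modulus, exponent 65537, SHA-256 signatures.
const rpkiKeyBits, rpkiExponent = 2048, 65537

// CheckRFC7935 returns nil if the key and signature algorithm meet the RFC 7935
// profile, otherwise an error naming the first violation found.
func CheckRFC7935(cert *x509.Certificate) error {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("subject key is %v, RFC 7935 requires RSA", cert.PublicKeyAlgorithm)
	}
	if bits := pub.N.BitLen(); bits != rpkiKeyBits {
		return fmt.Errorf("RSA modulus is %d bits, RFC 7935 requires %d", bits, rpkiKeyBits)
	}
	if pub.E != rpkiExponent {
		return fmt.Errorf("RSA exponent is %d, RFC 7935 requires %d", pub.E, rpkiExponent)
	}
	if cert.SignatureAlgorithm != x509.SHA256WithRSA {
		return fmt.Errorf("signature algorithm is %v, RFC 7935 requires SHA256-RSA", cert.SignatureAlgorithm)
	}
	return nil
}

// SelfSigned builds a constructed, throw-away self-signed certificate (not a real
// resource certificate) with the given key size and signature algorithm.
func SelfSigned(bits int, alg x509.SignatureAlgorithm) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits) // Go always uses exponent 65537
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-test-ca"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), SignatureAlgorithm: alg}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A 2048-bit key signed with SHA-256 passes, while a 1024-bit key or a SHA-512 signature is reported as non-conforming.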

RPKI is a specialised PKI that aims to improve the security of the Internet routing system, specifically the Border Gateway Protocol (BGP). It does this through the issuing of X.509-based resource certificates to holders of IP addresses and AS numbers in order to prove assignment of these resources. These certificates are issued to Local Internet Registries (LIRs) by one of the five Regional Internet Registries (RIRs) – AfriNIC, APNIC, ARIN, LACNIC and RIPE NCC – who have responsibility for allocation and assignment of these resources in their service regions.

Each RIR acts as a Certificate Authority (CA) and trust anchor for the resources assigned within its service region, and is responsible for issuing a CRL. CRLs are usually generated at defined intervals and list the X.509 resource certificates that have been revoked before their normal expiry date. RPKI signed objects use CMS as a standard encapsulation format, as specified in RFC 6488.

Normally we’d point you to our Start Here page for more information, but we’re actually looking for contributors who’d be interested in writing a good overview of RPKI for us. If you can help, please get in touch.

In the meantime, please follow the links above to the RPKI information on the RIR websites.


Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
