The APNIC answer to Internet routing security
APNIC, in conjunction with other Regional Internet Registries (RIRs), is at the forefront of establishing this essential common infrastructure for the Internet. The system is based on digital (X.509) certificates with an extended format that incorporates Internet resources, such as IPv4 and IPv6 address blocks and Autonomous System (AS) numbers.
Huston continues, “APNIC sees Resources Certification as an important development to assist the Asia Pacific Internet industry to maintain the integrity of network transactions.”
The core of resource certification is establishing authority and trust in the peer network that is the Internet. The 8-year project has been incredibly complex, utilizing experts in IP addressing, networking and security from across the world to establish a solution that takes into account the dynamic evolution of the Internet.
Using public key certificates through Public Key Infrastructure (PKI), resource holders encrypt or sign routing instructions with a private key; the result can only be decrypted or unlocked with the corresponding public key.
The private key is kept private, but the public key is openly published for others to access. APNIC, acting as the Certificate Authority, publishes the public key in a certificate and attests that the key belongs to the resource holder identified in the certificate. APNIC signs this attestation with its own private key and makes the APNIC public key available.
In this way, Resource Certificates extend the public key certification model and affirm that the resource holder is the ‘right-of-use’ holder or controller of a specific set of IP address and AS number resources.
Included in this system of routing security is a mechanism that allows entities to verify that an AS has permission from an IP address block holder to advertise routes to one or more prefixes within that address block. The address block holder would sign a route origin attestation (ROA). Where an AS advertises routes with one or more Autonomous Systems (ASes), it would sign an adjacency attestation (AAO). This attests that there is an inter-domain adjacency or that the local AS is a routing peer with those ASes adjacent to it.
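The origin check that a ROA makes possible can be sketched as follows. This is an added example, not APNIC code: it assumes the ROAs have already passed certificate and signature validation, uses constructed documentation prefixes and AS numbers, and borrows the maximum-length field and the valid / invalid / not-found outcomes from the published origin validation standard (RFC 6811), which the article does not describe.

```python
# Added example: route origin validation against a set of ROAs.
# Assumes each ROA was already verified against its resource certificate.
from ipaddress import ip_network
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: str      # address block the holder signed for
    max_length: int  # longest prefix length the holder authorises
    asn: int         # AS permitted to originate routes in the block


# Constructed sample data (documentation prefixes and private-use ASNs).
ROAS = [
    ROA("192.0.2.0/24", 24, 64500),
    ROA("198.51.100.0/24", 25, 64501),
    ROA("2001:db8::/32", 48, 64502),
]


def validate_origin(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Classify an announced route as 'valid', 'invalid' or 'not-found'."""
    route = ip_network(prefix)
    covered = False
    for roa in roas:
        block = ip_network(roa.prefix)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if route.version != block.version or not route.subnet_of(block):
            continue
        covered = True  # some holder has made a statement about this space
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered but no ROA matched: wrong origin AS or too specific a prefix.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/24", 64511),
                     ("192.0.2.0/25", 64500), ("203.0.113.0/24", 64500)]:
        print(pfx, asn, validate_origin(pfx, asn))
```

A route for address space with no covering ROA comes back as not-found rather than invalid, so a network operator can treat unsigned space differently from space whose holder has authorised a different origin.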
APNIC members, the majority of ISPs, telecommunication operators and large network managers across the Asia Pacific, can access resource certification via the secure online portal, MyAPNIC. This is a one-stop-shop that allows members to manage resource certificates, route origin attestations, and other signed objects all within the resource management GUI. Users are able to create, manage, apply, and destroy certificates over all their resources and see them published in the worldwide resource certificate repository hierarchy at APNIC.
Copyright © CyberMedia India Online Ltd. All rights reserved. Usage of content from web site is subject to Terms and Conditions.