Should I run my own RPKI Certificate Authority?
| Field | Value |
|---|---|
| Talk Title | Should I run my own RPKI Certificate Authority? |
| Speakers | Alex Band, NLnet Labs, Martin Hoffmann |
| Conference | NANOG75 |
| Conf Tag | |
| Location | San Francisco, CA |
| Date | Feb 18 2019 - Feb 20 2019 |
| URL | Talk Page |
| Slides | Talk Slides |
| Video | Talk Video |
Since 2011, the five RIRs have been offering Resource Public Key Infrastructure (RPKI) systems, aimed at making Internet routing more secure and reducing the risk of BGP hijacking. These systems allow members to log into web-based portals to request an RPKI certificate and use it to publish Route Origin Authorizations (ROAs). In the hosted setup, certificates, keys and signed products are all kept and published in the RIR infrastructure. However, four out of five RIRs also allow members to run their own RPKI infrastructure as a so-called Delegated RPKI Certificate Authority. LACNIC, the last RIR not yet to provide this option, is committed to having this functionality available by the end of 2019. While a hosted setup serves many small ISPs well, there may be good reasons to run your own infrastructure instead. Possible use cases exist for:
- Operators who require easier RPKI management that is integrated with their own systems in a more streamlined way
- Operators who are security conscious and require that they are the only ones in possession of the private key of a system they use
- Operators who want to be operationally independent from the parent RIR, such as National Internet Registries (NIRs) or Enterprises
- Operators of global networks who wish to operate a single system, rather than maintain ROAs in up to five web interfaces

However, running your own CA comes at a cost. The talk will discuss these costs as well as possible mitigation strategies. For instance, the necessary availability can be provided by outsourcing publication to a cloud service provider. Finally, the talk will look into existing and upcoming options for deploying a CA. At the end of the talk, interested users will have a better understanding of which choice is best for their organization.