RPKI chain of trust

Fabiano_D_Agostino · August 26, 2020, 8:25am

Good morning everyone,
I have a doubt about RPKI chain of trust. The 5 RIRs hold a self-signed root certificate for all the resources they have in the registry. The root certificate is used to sign the LIR’s certificates that lists LIR’s resources. LIRs use their private key to sign ROAs. LIR’s public key is used to verify ROAs signatures and RIRs public key is used to verify LIR’s signatures.

Is this correct?

Thanks in advance,

Fabiano

Alex_Band · August 26, 2020, 8:39am

Perhaps this clarifies things:

https://rpki.readthedocs.io/en/latest/rpki/introduction.html#mapping-the-resource-allocation-hierarchy-into-the-rpki

As well as this section:

https://rpki.readthedocs.io/en/latest/rpki/securing-bgp.html

Cheers,

Alex

Fabiano_D_Agostino · August 26, 2020, 9:03am

Hi Alex,
thank you. I read that documentation and I was reading this one from page 201:
https://www.ripe.net/support/training/material/bgp-operations-and-security-training-course/BGP-Slides-Single.pdf

It seems that RIRs have a self-signed root certificate. They use this certificate to sign LIR’s certificates and LIR’s private key is used to sign ROAs. I am not very sure about the use of public keys.

Fabiano

Alex_Band · August 26, 2020, 11:01am

Hi Fabiano,