US Government Orders RPKI Deployment

January 20, 2025

The internet has grown organically from a cooperative lab experiment into economic infrastructure. In the early days, configuration mistakes were an annoyance, but not much more. Today a mistake can cost organizations money, enable security threats, and degrade reputations.

A crucial configuration problem occurs when a network claims to be the right destination for someone else’s IP addresses. When this happens, the legitimate network can lose traffic and the mistaken – or, worse, miscreant – network can be overwhelmed. That’s what happened when Pakistan Telecom claimed to be the right destination for YouTube’s IP addresses in 2008.

Working Towards Routing Security

To address such issues, internet engineers created databases where networks publish machine-readable policies describing the addresses they announce. These records describe where addresses are announced and to which other networks. This information can be used to create filters that minimize outages arising from misconfigurations.

RPKI is the Resource Public Key Infrastructure. It’s an X.509 digital certificate hierarchy for IP addresses and AS Numbers (ASNs) run by the five RIRs. In other words, networks can publish a link between the identifier for their network – an ASN – and their IP addresses. They do this with RPKI Route Origin Authorizations (ROAs) – a digital object linking the two. Other networks can then validate that claim with software and build filters that protect against accidental claims.
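The validation step described above, as an added example that is not code from the article: a small Python implementation of RFC 6811 Route Origin Validation over a constructed set of ROAs (documentation prefixes and ASNs, not real registry data), plus the filter a network would build from its results.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: the holder of `prefix` authorises `asn` to originate it."""
    prefix: str       # the covered address block
    max_length: int   # longest prefix length the holder permits in announcements
    asn: int          # authorised origin AS; 0 means "nobody may announce this"


# Constructed sample ROAs using documentation prefixes (RFC 5737) and
# documentation ASNs (RFC 5398); not data from any RIR.
SAMPLE_ROAS = [
    ROA("203.0.113.0/24", 24, 64496),   # exact prefix only
    ROA("198.51.100.0/22", 24, 64500),  # sub-prefixes down to /24 allowed
    ROA("192.0.2.0/24", 24, 0),         # AS0 ROA: block must never appear in BGP
]


def validate(prefix, origin_asn, roas=SAMPLE_ROAS):
    """RFC 6811 origin validation: return 'valid', 'invalid' or 'notfound'."""
    route = ip_network(prefix)
    # A ROA covers the route if the ROA prefix contains the announced prefix.
    covering = [r for r in roas
                if ip_network(r.prefix).version == route.version
                and route.subnet_of(ip_network(r.prefix))]
    if not covering:
        return "notfound"           # no ROA says anything about this space
    for r in covering:
        # Valid only if the origin AS matches (AS0 never matches a real origin)
        # and the announcement is not more specific than maxLength allows.
        if r.asn == origin_asn and r.asn != 0 and route.prefixlen <= r.max_length:
            return "valid"
    return "invalid"                # covered by a ROA, but no ROA authorises it


def filter_announcements(announcements, roas=SAMPLE_ROAS):
    """Drop 'invalid' routes; keep 'valid' and 'notfound' ones, because much
    address space has no ROA yet and rejecting it would cause outages."""
    return [(p, asn) for p, asn in announcements
            if validate(p, asn, roas) != "invalid"]


if __name__ == "__main__":
    # Constructed announcements: legitimate, wrong-origin, too-specific, uncovered.
    for p, asn in [("203.0.113.0/24", 64496), ("203.0.113.0/24", 64511),
                   ("198.51.100.0/25", 64500), ("10.0.0.0/8", 64499)]:
        print(p, asn, validate(p, asn))
```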

The Executive Order

In January 2025 the US government ordered its civilian agencies to deploy RPKI. And it has ordered them to buy services from network operators that use RPKI data to filter out bogus claims to IP addresses. The key requirements in the order are:

  • All civilian agency IP addresses must be registered with ARIN or another Regional Internet Registry.
  • RPKI ROAs must be published for those IP addresses.
  • Agencies will be encouraged to use new contract language requiring internet service providers to both publish ROAs and perform Route Origin Validation filtering based on RPKI data.

Not all IP address assignments are registered at the RIRs. Some older networks have large blocks of address space from the early days of the internet. But their customers won’t have access to RPKI services with IP addresses from these networks.

Agencies using addresses from them will need to get addresses from the market.

And some US government agencies have offices overseas because their missions are international. They will need to make sure their addresses are registered with the RIR for that region.

Improving on Past Experience

This is not the first time the US government has used policy to promote an internet security technology. In 2008 it ordered its agencies to deploy DNSSEC. Two years later, just over a third had done so and the latest measurements show that about 20 percent of .gov domains still aren’t signed with DNSSEC.

There were two key problems with getting agencies to implement DNSSEC and this new order attempts to resolve them.

Signing DNS records with a digital certificate – and that’s what DNSSEC does – doesn’t add any security if no one checks those signatures. And if anyone makes a mistake generating those signatures, then users of validating DNS resolvers cannot access the service using the DNS name. That’s exactly what happened when Comcast checked NASA’s DNSSEC signatures, found that they didn’t validate, and so denied its users access to their website.

Comcast had done the right thing. NASA had made a mistake. But Comcast’s customers were angry. Comcast took on risk by being an early adopter of DNSSEC validation. And it is still an outlier with only about 30 percent of users protected.

By urging its agencies to use their purchasing power to push for RPKI Route Origin Validation, this order has more chance of success. That is because the risk of being an early adopter is balanced by government spending and the knowledge that other providers will also be making the same changes.

It also comes at a time when internet security improvements are taken more seriously. The last quarter has seen unencrypted telephone communications hacked and claims of interference with subsea cables. So, while this executive order does a better job of creating incentives, the executives it is aimed at are also more likely to see the benefit than the people holding those offices 15 years ago.