Exploring the Potential of RPKI Signed Checklists for Stronger Trust Models

Exploring the Potential of RPKI Signed Checklists for Stronger Trust Models

By Amreesh Phokeer – Internet Measurement and Data Expert, Internet Society

2024 ARIN Community Grant Program Recipient Report

In 2024, the Internet Society received support from the ARIN Community Grant Program to explore new tools that strengthen the resilience and trustworthiness of the Internet’s routing system. This project focused on a newly adopted Internet standard called the RPKI Signed Checklist (RSC) — a standard designed to allow an Internet resource holder to create a verifiable declaration of control over the signed digital objects.

Why does this matter? At the heart of the Internet lies a critical question: Who is allowed to announce which parts of the Internet’s address space and on what basis? For decades, the answer rested on trust-based documents and outdated registries — systems that are increasingly insecure and prone to abuse. We show that the RSC can provide a more reliable and verifiable foundation for Internet operations, replacing fragile “paper trails” with cryptographic certainty.

Why the Traditional Paper-based System No Longer Works

Traditionally, proving that you control a block of IP addresses or an Autonomous System Number (ASN) required little more than a Letter of Authority (LOA) — essentially a signed PDF or even an email. While convenient, LOAs are easy to forge, difficult to verify, and prone to manipulation. One infamous incident in 2015 saw attackers forge an LOA to hijack a large block of IPv4 addresses from a Japanese operator, causing Internet-wide disruption for days.

Alongside LOAs, many operators used the Internet Routing Registry (IRR) to publish routing information. But IRRs are fragmented, inconsistent, and often filled with stale or incorrect data. Worse, they provide no cryptographic assurance — meaning anyone could enter false information without being challenged.

In short, the legacy system of LOAs and IRRs exposes the Internet to fraud, misconfiguration, and potentially to costly downtime.

The Rise of RPKI: A Stronger Foundation

The Resource Public Key Infrastructure (RPKI) was developed to give Internet resource holders cryptographic certificates that prove ownership of their IP addresses and ASNs. The most common use of RPKI today is Route Origin Authorization (ROA), which helps prevent accidental or malicious hijacking of Internet routes.

But while ROAs strengthen one piece of the puzzle — verifying who can announce which addresses — they don’t cover other critical needs. Networks still rely on fragile LOAs for day-to-day tasks like:

  • Authorizing upstream providers or peers
  • Proving IP ownership when bringing addresses into a cloud environment
  • Validating information in third-party databases like PeeringDB or geolocation services

This gap is where the RSC comes in.

What is an RPKI Signed Checklist?

Think of an RSC as a digitally signed checklist of files or data, tied directly to the Internet resources a network holds. It uses the same trusted RPKI certificates already in place but extends their use beyond just routing.

For example:

  • Instead of emailing a static LOA, a network can issue an RSC that cryptographically proves it controls the IP block in question.
  • A cloud customer bringing their IP addresses (BYOIP) can use an RSC to streamline onboarding.
  • Geolocation providers (like Google or MaxMind) can verify that location data updates truly come from the rightful owner of the IP block.

The beauty of the RSC is its simplicity. Unlike earlier experimental models, it requires only one signer, no complicated formatting, and no global repository. It can be distributed via email, APIs, or even attached to documents — just like an LOA but with much stronger guarantees.

Why This Matters for Internet Resilience

From a public and policy perspective, the importance of RSCs boils down to trust, efficiency, and security.

  • Trust: With an RSC, organizations can be confident that the information they’re receiving comes from the legitimate resource holder — not a forged document or unverifiable database.
  • Efficiency: Automated validation reduces the time and human error involved in checking LOAs or IRR records, helping businesses move faster without sacrificing security.
  • Security: By closing gaps that attackers have exploited in the past, RSCs help protect against route hijacks, fraud, and costly downtime.

Ultimately, widespread adoption of RSCs can make the global Internet infrastructure more resilient, reducing risks that affect not just operators but also businesses, governments, and everyday users who rely on a stable Internet.

Real-World Applications

Our research identified several key use cases where RSCs can bring immediate value:

  1. Replacing LOAs for Routing Authorization: Instead of manually verifying emailed PDFs, operators can validate RSCs automatically using standard RPKI tools. This makes peering and upstream onboarding faster, safer, and less error-prone.
  2. Bring Your Own IP (BYOIP) in Cloud Environments: Cloud providers require customers to prove ownership of IPs. An RSC automates this, enabling faster deployments and fewer disputes.
  3. Third-Party Database Verification: Services like PeeringDB or custom automation systems often rely on self-reported data. RSCs provide proof of legitimacy, reducing fraud and inconsistency.
  4. Geolocation Accuracy: By signing geolocation feeds with RSCs, resource holders ensure that updates come from the rightful owner, helping align databases and improve user experience.
  5. Internal Asset Management: Large operators can use RSCs to manage and audit internal delegations, reducing errors and strengthening governance.

What We Heard from the Community

The Internet Society surveyed operators at regional network events as part of this project. The results highlighted both excitement and hesitation around RSCs:

  • 60 percent of respondents were unfamiliar with RSCs, showing the need for greater awareness.
  • 40 percent cited integration challenges with their existing systems.
  • 30 percent questioned the immediate business value.
  • About 50 percent were open to testing RSCs in a pilot environment, while the other half preferred to wait for clearer benefits.

These findings reflect the classic adoption curve: Some are ready to experiment, while others will follow once early successes demonstrate value.

The Path Forward

For RSCs to succeed, several steps are needed:

  • Education: Clearer resources and case studies to help technical and non-technical audiences understand benefits.
  • Tooling: Simple, user-friendly software and APIs to generate and validate RSCs.
  • Pilots: Demonstrations with cloud providers, Internet exchange points, and other early adopters to show real-world impact.
  • Policy Engagement: Regional Internet Registries and technical communities should provide frameworks that make it easy and safe for members to use RSCs.

One promising strategy is to start with cloud providers, who are already leaders in RPKI adoption. Once they integrate RSCs into their workflows, momentum can spread to telecom operators and enterprises.

Conclusion: Building a More Trustworthy Internet

The Internet’s resilience depends not only on technology but also on trust. For too long, that trust has rested on fragile systems like LOAs and outdated registries. The RPKI Signed Checklist standard offers a modern alternative — one that is secure, verifiable, and easy to automate.

The Internet Society hopes that the outcome of this study, conducted with support from the ARIN Community Grant Program, will help advance the conversation on how RSCs can strengthen Internet infrastructure. But broader adoption will require collaboration across operators, cloud providers, policy stakeholders, and standards bodies.

About the ARIN Community Grant Program

ARIN provides financial grants in support of initiatives that improve the overall Internet industry and Internet user environment. Are you working on a project that advances ARIN’s mission and broadly benefits the Internet community within the ARIN region through informational outreach, research, Internet technical improvements, or Registry processes and technology improvements? Visit the ARIN Community Grant Program page for more information and to find out how your organization can apply in 2026. For application tips and support, read this post on our blog.

Post written by:

Amreesh Phokeer
Internet Measurement and Data Expert, Internet Society

Dr. Amreesh Phokeer is an Internet Measurement and Data Expert at the Internet Society. His broad areas of research are in computer networking, security, and telecommunication policy, with an emphasis on Internet measurements. Currently, he is focused on efforts around designing new tools and techniques to study the global health of the Internet, including Internet resilience, routing security issues, Internet shutdowns, and other market trends that impact the growth of the Internet.

Any views, positions, statements, or opinions of a guest blog post are those of the author alone and do not represent those of ARIN. ARIN does not guarantee the accuracy, completeness, or validity of any claims or statements, nor shall ARIN be liable for any representations, omissions, or errors contained in a guest blog post.

Recent blogs categorized under: Grant Program

GET THE LATEST!  

Sign up to receive the latest news about ARIN and the most pressing issues facing the Internet community.

SIGN ME UP →

Blog Categories

Grant Program •  Tips •  RPKI •  IRR •  IPv6 •  Public Policy •  Caribbean •  Outreach •  Elections •  ARIN Bits •  Fellowship Program •  Training •  Security •  Updates •  Guest Post •  Data Accuracy •  Business Case for IPv6 •  Internet Governance •  IPv4 •  Customer Feedback

 

Connect with us on LinkedIn!