Exploring the Potential of RPKI Signed Checklists: The Results Are In

In 2024, the Internet Society received support from the ARIN Community Grant Program to explore new tools that strengthen the resilience and trustworthiness of the Internet’s routing system. This project focused on a newly adopted Internet standard called the RPKI Signed Checklist (RSC), which is designed to allow an Internet resource holder to create a verifiable declaration of control over the signed digital objects.

Read the report: Exploring the Potential of RPKI Signed Checklists

Why does this matter? At the heart of the Internet lies a critical question: Who can announce which part of the Internet’s address space and on what basis?

For decades, the answer rested on trust-based documents and outdated registries—systems that are increasingly insecure and prone to abuse. We show that the RSC can provide a more reliable and verifiable foundation for Internet operations, replacing fragile “paper trails” with cryptographic certainty.

Why the Traditional Paper-based System no Longer Works 

Traditionally, proving that you control a block of IP addresses or an Autonomous System Number (ASN) required little more than a Letter of Authority (LOA)—essentially a signed PDF or email.

While convenient, LOAs are easy to forge, difficult to verify, and prone to manipulation. One infamous incident in 2015 saw attackers forge an LOA to hijack a large block of IPv4 addresses from a Japanese operator, causing Internet-wide disruption for days.

Alongside LOAs, many operators publish routing information using the Internet Routing Registry (IRR). However, IRRs are fragmented, inconsistent, and often filled with stale or incorrect data. Worse, they provide no cryptographic assurance, meaning anyone could enter false information without being challenged.

In short, the legacy system of LOAs and IRRs exposes the Internet to fraud, misconfiguration, and potentially to costly downtime. 

The Rise of RPKI: A Stronger Foundation 

The Resource Public Key Infrastructure (RPKI) was developed to give Internet resource holders cryptographic certificates that prove ownership of their IP addresses and ASNs. Today, the most common use of RPKI is Route Origin Authorization (ROA), which helps prevent accidental or malicious hijacking of Internet routes.

However, while ROAs strengthened one piece of the puzzle—verifying who can announce which addresses—they didn’t cover other critical needs. Networks still had to rely on fragile LOAs for day-to-day tasks like:

• Authorizing upstream providers or peers.
• Proving IP ownership when bringing addresses into a cloud environment.
• Validating information in third-party databases like PeeringDB or geolocation services.

This gap is where the RPKI Signed Checklist (RSC) comes in.

What Is an RPKI Signed Checklist (RSC)? 

Think of an RSC as a digitally signed checklist of files or data tied directly to the network’s Internet resources. It uses the same trusted RPKI certificates already in place, but extends their use beyond just routing. For example: 

• Instead of emailing a static LOA, a network can issue an RSC that cryptographically proves it controls the IP block in question. 
• A cloud customer bringing their own IP addresses (BYOIP) can use an RSC to streamline the onboarding process. 
• Geolocation providers (such as Google or MaxMind) can verify that location data updates truly originate from the IP block’s rightful owner. 

The beauty of RSC is its simplicity. Unlike earlier experimental models, it requires only one signer, no complicated formatting, and no global repository. It can be distributed via email, APIs, or even attached to documents—just like an LOA today, but with much stronger guarantees. 

Why This Matters for Internet Resilience 

From a public and policy perspective, RSC’s importance is related to trust, efficiency, and security. 

• Trust: With RSC, organizations can be confident that the information they receive comes from the legitimate resource holder—not a forged document or an unverifiable database. 
• Efficiency: Automated validation reduces the time and human error associated with checking LOAs or IRR records, enabling businesses to move faster without compromising security. 
• Security: By closing gaps that attackers have previously exploited, RSC helps protect against route hijacks, fraud, and costly downtime. 

Ultimately, widespread adoption of RSC can make the global Internet infrastructure more resilient, reducing risks that affect not just operators but also businesses, governments, and everyday users who rely on a stable Internet.

Real-World Applications 

Our research identified several key use cases where RSCs can bring immediate value: 

1. Replacing LOAs for Routing Authorization: Instead of manually verifying emailed PDFs, operators can validate RSCs automatically using standard RPKI tools. This enables peering and upstream onboarding to be faster, safer, and less error-prone.
2. Bring Your Own IP (BYOIP) in Cloud Environments: Cloud providers require customers to prove ownership of IPs. RSC automates this process, enabling faster deployments and reducing disputes.
3. Third-Party Database Verification: Services like PeeringDB or custom automation systems often rely on self-reported data. RSC allows proof of legitimacy, reducing fraud and inconsistency.
4. Geolocation Accuracy: By signing geolocation feeds with RSCs, resource holders ensure that updates originate from the rightful owner, helping to align databases and improve the user experience.
5. Internal Asset Management: Large operators can use RSCs to manage and audit internal delegations, reducing errors and strengthening governance.

What We Heard from the Community

The Internet Society surveyed operators at regional network events as part of this project. The results highlighted both excitement and hesitation around RSC: 

• 60% of respondents were unfamiliar with RSC, indicating the need for greater awareness.
• 40% cited integration challenges with their existing systems.
• 30% questioned the immediate business value.
• About 50% were open to testing RSC in a pilot environment, while the other half preferred to wait for more apparent benefits.

These findings reflect the classic adoption curve: some are ready to experiment, while others will follow once early successes demonstrate value.

The Path Forward 

For RSC to succeed, several steps are needed: 

• Education: Clearer resources and case studies help technical and non-technical audiences understand RSC’s benefits.
• Tooling: Simple, user-friendly software and APIs to generate and validate RSCs.
• Pilots: Demonstrations with cloud providers, IXPs, and other early adopters to show real-world impact.
• Policy Engagement: RIRs and technical communities should provide frameworks that facilitate the easy and safe use of RSCs by their members.

One promising strategy is to start with cloud providers, already leaders in RPKI adoption. Once they integrate RSC into their workflows, momentum can spread to telecom operators and enterprises.

Building a More Trustworthy Internet

The Internet’s resilience depends not only on technology but also on trust. For too long, that trust has rested on fragile systems like LOAs and outdated registries. The RPKI Signed Checklist (RSC) offers a modern alternative—one that is secure, verifiable, and easy to automate.

With support from the ARIN Community Grant Program, the Internet Society hopes that the outcome of this study will help advance the conversation on how RSCs can strengthen Internet infrastructure. However, broader adoption will require collaboration across operators, cloud providers, policy stakeholders, and standards bodies.

Track the adoption of ROA coverage and Route Validation via the Pulse Technologies page.