Summary
- RPKI improves routing confidence by letting resource holders make cryptographic statements about authorized route origins, but its value depends on governance as much as engineering.
- Hosted RPKI, certificate revocation, ROA correction, account authority, transfer timing, and appeal routes can become control points if registry discretion is not transparent and limited.
- The risk is not that LACNIC should avoid RPKI; the risk is that a security layer may be treated as neutral machinery while it quietly decides who can keep routes valid during disputes, mistakes, corporate changes, or policy actions.
- Latin America and the Caribbean need RPKI as resilient public infrastructure, with continuity, notice, review, and separation of routine maintenance from exceptional intervention built into the way certification authority is exercised.
Routing Trust Has A Governance Layer
RPKI is often described in the language of cryptography and routing hygiene. That is understandable. The technology lets a holder of IP address resources publish Route Origin Authorizations, which state which autonomous system is authorized to originate a prefix. Networks that perform route-origin validation can then treat routes as valid, invalid, or not found. The practical aim is to make accidental route leaks and malicious hijacks easier to detect and filter.
That technical description is accurate, but incomplete. RPKI is also a governance arrangement. It links routing confidence to the administrative recognition of number resources. It depends on certificate authorities, repositories, revocation, account control, policy, customer support, and operational continuity. In the hosted model, which many resource holders use because it is simpler than running delegated infrastructure, the registry is not merely a source of public data. It is a custodian of the mechanism by which the holder's routing assertions remain valid.
For LACNIC, this matters because the region has real routing-security needs and uneven administrative capacity. Some operators have mature security teams. Others are small access providers, public institutions, enterprises, universities, or local networks with limited resources. Hosted RPKI can make adoption easier, which is a public good. But the same convenience also creates dependence. If the registry account is locked, if a correction is delayed, if a ROA is removed after a transfer dispute, if a certificate is revoked, or if an appeal path is slow, the holder's routing posture can change before the commercial or legal dispute is resolved.
The issue is not whether RPKI is good or bad. It is good in the specific sense that it reduces certain routing risks. The issue is whether the control points around it are governed with enough restraint. A security mechanism becomes more powerful as more networks rely on it. When route-origin validation is rare, a mistaken or contested ROA decision has limited effect. When validation is widespread, the same decision can affect reachability, procurement confidence, customer continuity, and the value of scarce IPv4 resources.
This is why RPKI must be understood as critical market infrastructure. It is part of routing security, but also part of address economics. A block whose routes are reliably validated is easier to operate, easier to sell, easier to finance, and easier to defend. A block whose certification status can be interrupted by administrative uncertainty is less liquid. The trust layer that makes the market safer can also become a point of leverage.
The Promise And The Bargain
RPKI offers a useful bargain. In exchange for some additional administrative work, a resource holder can publish machine-readable evidence that a given origin ASN is authorized for a prefix. Other networks can use that evidence to filter obvious mistakes and attacks. The Internet does not become perfectly secure, because BGP has many other risks, but one important class of origin problem becomes easier to manage.
The bargain is strongest when the statements are accurate, timely, and under the practical control of the resource holder. A provider changing transit arrangements can update ROAs before a routing change. A network acquiring address space can create new authorizations as recognition changes. A holder discovering an error can fix it quickly. A small ISP can use a hosted portal rather than operating its own certificate authority. Validators can consume repositories and make consistent decisions. Each step reduces uncertainty.
But the bargain includes a hidden governance premise: the holder's ability to make and maintain ROAs depends on institutional access. In delegated RPKI, the holder assumes more responsibility for its own certificate authority and repository. In hosted RPKI, the registry handles much of that complexity. Hosted service is attractive precisely because it reduces technical burden. It also means that account authority, registry recognition, and support decisions sit closer to the path by which routes remain valid.
That dependence is not inherently improper. Banks custody securities. Domain registrars manage name records. Cloud providers hold keys for customers who choose managed services. The common question is not whether custody exists, but how it is bounded. Who can act? What events justify suspension or revocation? What notice is given? What happens during a dispute? How quickly can mistakes be corrected? What evidence is required? What review is available when the decision threatens continuity?
RPKI deserves these questions because routing is unforgiving. A delayed document review may be annoying in a transfer file. A delayed ROA correction can create invalid routes, reachability loss, customer complaints, or pressure to route in less secure ways. The consequence may not come from malice. It may come from ordinary administrative delay, account confusion, or overbroad caution. Governance risk often begins in routine operations.
The market bargain therefore has two sides. Networks should adopt RPKI because the routing system benefits from more accurate origin information. Registries should exercise the resulting control with transparency, predictability, and a bias toward continuity except where clear evidence requires intervention. Without that second side, adoption may create a new source of dependency that smaller networks cannot easily manage.
Hosted Custody Is Convenience With A Control Surface
Hosted RPKI lowers the barrier to entry. A holder logs in, creates ROAs, and relies on the registry's infrastructure to publish certification material. For many networks, this is the only realistic path to adoption. Running delegated RPKI requires technical competence, repository availability, key management, monitoring, and discipline. A small or mid-sized operator may reasonably prefer a hosted service from the registry.
The governance risk is that hosted custody turns ordinary account control into routing control. If the account is compromised, the attacker may be able to create harmful ROAs. If the account is frozen, the holder may be unable to correct a route change. If the registered authority is disputed after a merger, the party actually operating the network may depend on someone else to maintain attestations. If a transfer is pending, both seller and buyer may need continuity while recognition moves. If support staff remove, correct, or decline a ROA, the decision may affect reachability beyond the portal.
These risks can be managed, but only if they are acknowledged. A hosted RPKI system should not be treated as a mere settings page. It is a delegated control mechanism for a scarce resource. Strong account security, role separation, change history, multi-person authorization for sensitive changes, emergency recovery, and careful support handling are not luxuries. They are part of the continuity promise.
The control surface also includes silence. If a holder cannot tell whether a ROA change has propagated, whether a repository problem is temporary, whether validation failures are caused by its own error or by hosted publication, it may struggle to respond. Public status information, clear support escalation, and reliable publication matter because validators around the world make automated decisions. RPKI is global in effect even when the administrative conversation is regional.
Small operators face a particular dilemma. They may need hosted service most, but have the least bargaining power if a custody problem occurs. A large carrier can escalate through personal relationships, public pressure, or redundant engineering. A small ISP may only have a ticket and an outage. Governance design should protect the weaker user, because the legitimacy of a regional registry is tested most sharply where the user cannot self-insure.
The answer is not to push everyone into delegated RPKI. That would reduce adoption and burden networks that are not ready. The answer is to treat hosted custody as a fiduciary-like responsibility inside Internet coordination. The registry may not be a financial trustee in legal terms, but it holds an operational control point whose misuse or mishandling can harm the holder. That calls for restraint, records, and review.
ROAs Are Small Objects With Large Consequences
A ROA looks simple: prefix, maximum length, origin ASN, signature. The commercial consequences can be large. A wrong maximum length can make a legitimate more-specific route invalid. An old origin ASN can persist after a network migration. A missing authorization can leave a route without protection. An unauthorized ROA can validate an origin that should not be trusted. These are technical details, but they translate directly into service continuity and counterparty confidence.
The problem becomes sharper during transitions. In an acquisition, the buyer may change origin ASNs or operate parallel networks while customers migrate. In a sale of address space, the seller may need to maintain old ROAs until the buyer can create new ones. In a customer reassignment, a downstream network may need authorization for a subset. In a dispute, one party may claim operational need while another claims recognized holding. RPKI can either make these transitions safer or turn them into cliff edges.
LACNIC's role, like that of any RIR, is not to adjudicate every commercial disagreement hidden behind a routing change. But the design of RPKI service can reduce harm. The routine creation and correction of ROAs should be fast, auditable, and clearly tied to holder authority. Exceptional interventions should be narrow. Where an administrative dispute exists, the default should avoid unnecessary reachability disruption unless there is a clear security or policy reason to act. Where action is necessary, affected parties should know what happened and what evidence can reverse it.
Market participants should also avoid treating ROAs as permanent title signals. RPKI shows an authorization for route origin, not complete ownership, financial encumbrance, or commercial entitlement. A buyer that sees a valid ROA still needs transfer evidence, corporate authority, clean history, and contractual rights. A lender that sees good RPKI hygiene still needs diligence. A procurement team that sees validated routes still needs vendor accountability. RPKI is powerful because it answers one routing question well. It becomes dangerous when people ask it to answer everything.
The governance challenge is therefore two-sided. Registry discretion must be constrained so ROA control is not misused. Market interpretation must also be disciplined so validation status is not mistaken for a full legal conclusion. The healthiest market treats RPKI as a high-quality routing signal inside a broader evidence set.
Revocation, Suspension, And The Continuity Problem
Revocation is necessary. Certificates may need to be revoked when resources are no longer held, when keys are compromised, when administrative recognition changes, or when policy requires removal. A system without revocation would be insecure. But revocation is also the sharpest control in the RPKI environment because it can invalidate dependent attestations and alter how validators treat routes.
The governance question is not whether revocation should exist. It is what limits apply when revocation affects live routing. If a resource holder loses recognition after a completed transfer, revocation may be appropriate. If the holder is in a billing dispute, corporate dispute, administrative correction, or appeal, immediate revocation may be disproportionate unless there is a clear security reason. If the problem is an account-compromise concern, temporary protective action may be justified, but it should be paired with rapid recovery.
Continuity matters because routing decisions are automated and distributed. A revocation decision in the registry layer can be consumed by validators far from the region. The affected network may discover the issue through customers, monitoring alerts, or transit-provider filters. Even if the mistake is later corrected, the reputational and commercial damage may already have occurred. In a scarce IPv4 market, a block associated with certification instability may be treated as riskier.
The right standard is not paralysis. A registry must protect the integrity of the system. It cannot allow stale or fraudulent attestations to persist indefinitely. But it should distinguish between clear loss of authority and contested or curable defects. It should also preserve evidence. Who requested revocation? What resource set was affected? What notice was given? What appeal or correction path existed? What temporary continuity measures were considered? These questions matter after the fact, and knowing they will be asked improves behaviour before the fact.
Suspension creates similar problems. Account suspension may be administratively easier than targeted action, but it can block legitimate ROA maintenance. If the suspension is unrelated to routing risk, its effect on certification should be carefully limited. The principle is proportionality: the control used should match the risk being addressed. A billing issue, an incomplete contact update, and a suspected hijack are not the same event.
This proportionality is especially important for smaller networks. They may lack redundant address holdings, multiple upstreams, or legal staff. A certification interruption that a large carrier can absorb may be existential for a local provider. Regional governance should not let operational dependence become administrative leverage.
Transfers, Legacy Resources, And Timing Risk
IPv4 transfer markets and RPKI governance intersect in uncomfortable ways. A transfer changes recognized control. RPKI expresses routing authorization based on recognized resources. The interval between commercial agreement, registry recognition, routing migration, and customer transition can create timing risk. If ROAs are removed too soon, routes may become invalid. If old ROAs remain too long, a seller or prior operator may retain apparent routing authority. If buyer and seller both need authorization during transition, the system must support controlled overlap.
The clean case is easy. Seller and buyer agree, the registry recognizes the transfer, ROAs are updated in sequence, and routing changes follow. The hard cases are partial transfers, mergers, reorganizations, distress sales, disputed authority, legacy-resource confirmations, and customer suballocations. These are not rare edge cases in a scarce market. They are part of the ordinary commercial life of IPv4.
Legacy resources deserve particular care. Historical assignments may not fit neatly into modern service relationships. LACNIC has encouraged legacy holders to regularize or confirm their records. That is sensible from a data-quality perspective. But when legacy status interacts with certification, the stakes rise. A holder that has routed a block for decades may experience a certification question as a threat to continuity. A registry may view the same question as necessary hygiene. Both concerns can be legitimate. Good governance provides a path that regularizes records without using routing instability as unnecessary pressure.
Transfer state should therefore be visible enough for operational planning. Parties need to know when old ROAs should be retained, when new ROAs can be created, and who is responsible for customer continuity. A transfer file should not be walled off from routing reality. Nor should routing convenience override transfer policy. The two must be coordinated, because the market experiences them as one sequence.
There is also a price effect. Buyers will discount blocks whose certification transition looks risky. Sellers with disciplined RPKI maintenance, clear account authority, and prepared transition plans can command more confidence. Brokers and advisers already ask about clean history, route origin, and transferability. As validation becomes more common, RPKI transition hygiene will become a normal part of IPv4 diligence.
This is one reason registry discretion over ROAs cannot be casual. It affects not only packet delivery but market value. A decision that interrupts certification during a transfer may alter bargaining power. A system that lacks transparent timing rules may invite suspicion even when staff act in good faith.
Appeals Must Be Faster Than The Harm
Every control system makes mistakes. The institutional question is whether mistakes can be corrected before they cause disproportionate harm. In RPKI, this question is urgent because routing consequences can be immediate. An appeal path that works over weeks may be too slow for a network whose routes are invalid today. A support response that merely acknowledges receipt may not be enough when customers are offline or transit providers are filtering.
Appeals in this context do not have to resemble a court. They need to be clear, rapid, documented, and independent enough to give affected holders confidence that the same person or unit that made the contested decision is not the only reviewer. For routine ROA mistakes, technical support may suffice. For revocation, account lockout, disputed holder authority, or transfer-related certification changes, a more formal route is needed.
Notice is equally important. A holder should not first learn of a consequential change from a customer. Where advance notice is possible, it should be given. Where emergency action is necessary, notice should follow quickly and explain the reason at a level that allows response. The registry must protect sensitive security details where appropriate, but secrecy should not become a habit. The more powerful the control, the stronger the explanation should be.
Evidence standards should also be predictable. If a holder must prove account authority, corporate change, transfer completion, or operational emergency, it should know what documents or attestations matter. Unclear evidence standards turn appeals into negotiation. Clear standards turn them into resolution. This is particularly valuable for smaller operators that cannot rely on private access or legal sophistication.
The test is practical: can a legitimate holder restore correct certification quickly enough to avoid lasting damage? If the answer is no, the system may be secure in form but fragile in operation. Security systems that cannot correct their own errors lose legitimacy. Operators then route around them, delay adoption, or treat validation status as optional. That would weaken the public good RPKI is meant to provide.
Appeals are not an obstacle to enforcement. They are a condition of credible enforcement. A registry that can explain and review its most consequential certification actions will command more trust than one that asks the community to rely on institutional goodwill alone.
Operational Failure Is Also Governance Risk
Not every RPKI governance risk comes from a contested decision. Some come from ordinary operational failure: repository outages, publication delays, expired manifests, inconsistent RRDP and rsync data, support delays, account-recovery failures, or monitoring gaps. These incidents may look technical, but they become governance issues because the registry has invited holders and validators to rely on its infrastructure.
In a delegated model, the holder bears more of this burden. In a hosted model, the registry bears more. That allocation should be reflected in service discipline. Publication infrastructure must be monitored. Incidents must be communicated. Recovery expectations must be realistic. Holders need to know whether the problem is theirs, the registry's, a validator's, or a broader Internet issue. Validators need stable repositories. The public needs enough transparency to maintain trust without turning every incident into panic.
RPKI has a peculiar failure mode: silence can be mistaken for safety. If a repository is stale or a publication point is unreachable, routes may continue for a while, depending on validator behaviour and cached data. Operators may not immediately see the problem. By the time they do, the diagnosis may be diffuse. This makes communication critical. A registry that publishes timely incident information helps the community respond rationally. A registry that treats operational issues as private support matters forces every network to guess.
Operational risk also affects adoption incentives. If a small provider hears that RPKI can improve security but worries that a hosted outage might make its routes invalid, it may hesitate. If the registry can show reliability, status visibility, and rapid repair, adoption becomes easier. Technical evangelism is less persuasive than operational evidence.
There is a market dimension too. Buyers and lenders may begin to ask whether a holder's routing-security posture is resilient. That includes not only whether ROAs exist, but whether account access, emergency recovery, and transition plans are in place. A block with excellent RPKI hygiene and reliable custody is more attractive than a block whose routing attestations depend on one forgotten account.
Operational failure is therefore not a side issue. It is one of the ways governance becomes real. Institutions are judged not only by policy statements, but by how they behave when mundane systems break.
Market Signals And The Price Of Certification Risk
As RPKI adoption deepens, certification quality will become part of how scarce IPv4 resources are priced. Buyers already ask whether an address block has clean routing history, responsive contacts, and transfer eligibility. It is a small step from there to asking whether ROAs are current, whether account authority is clear, whether hosted custody is resilient, and whether the block can move without a validation cliff. The market will not wait for a formal doctrine. It will turn operational uncertainty into price.
That price can appear in several forms. A buyer may discount a block if the seller cannot show who controls RPKI access. A lender may reduce confidence in a network whose routing attestations depend on one former employee's account. A procurement team may ask why a provider's validated route status changed during an administrative dispute. A carrier may require extra assurance before accepting customer routes for a newly transferred prefix. None of these reactions is dramatic. Together, they make certification governance a market fact.
The same logic works in the other direction. A holder with disciplined RPKI management can signal maturity. It can show that ROAs are reviewed before network changes, that account roles are maintained, that emergency access is documented, and that transfer planning includes certification. That does not prove the holder is financially strong or legally flawless. It does show that the holder understands the control systems around a scarce resource. In a market where many risks are invisible, visible discipline matters.
Certification risk also affects leasing and customer assignments. A provider that authorizes downstream origins must know when those authorizations begin and end. If a lessee, customer, or acquired business continues to benefit from an old authorization after the commercial relationship has changed, the holder may face reputational or routing exposure. If a legitimate downstream announcement loses authorization too early, customers may suffer. The narrower and more accurate the ROA practice, the less the market has to fear these transitions.
Insurance and credit markets may eventually ask similar questions. Even where an insurer does not underwrite RPKI directly, it may look at routing-security controls as part of cyber or operational risk. A credit analyst may not understand every RFC, but can understand that a network whose routes can become invalid through account confusion carries a continuity risk. The more RPKI becomes normal infrastructure, the more its governance failures will be interpreted in ordinary business language.
This is one reason official comfort is not enough. A registry can accurately describe its RPKI service and still leave market participants wondering how exceptional cases are handled. Market confidence comes from observed behaviour, published expectations, and credible correction. If holders believe certification control is disciplined, they will adopt and rely on it. If they believe it is uncertain, they will hedge, discount, or delay.
What Operators Should Expect From A Trust Layer
Operators should expect an RPKI trust layer to be usable, resilient, and limited. Usable means that ordinary ROA creation and correction are straightforward for the people who actually run networks. A system that only experts can manage will either be ignored or misconfigured. Resilient means that account loss, repository problems, and support delays do not immediately become routing crises. Limited means that the registry's control is tied to specific certification purposes, not allowed to expand into broad commercial leverage.
The first expectation is clarity of authority. A holder should know which people can create, modify, or delete ROAs, which roles require stronger approval, and how authority survives staff turnover. Many routing failures begin as personnel problems. The engineer who knew the account leaves. The company merges. A service provider changes. A founder dies. A small operator sells to a larger group. RPKI governance must be strong enough to survive normal corporate life.
The second expectation is safe change. Network operators change upstreams, add origins, split prefixes, migrate customers, and repair errors under time pressure. A hosted system should support these changes without encouraging reckless clicks. That means readable state, useful warnings, history, and the ability to preview consequences. The aim is not to protect people from every mistake. It is to make the important mistakes harder and the recovery path clearer.
The third expectation is continuity during recognition changes. Transfers, mergers, and legacy confirmations should not be treated as purely clerical events when they affect validation. The seller, buyer, and registry may each have legitimate concerns. The routing system, however, needs a controlled sequence. Old authorizations should not survive beyond legitimate authority, but new authority should not be trapped behind paperwork after the commercial and operational reality has moved. A well-governed system reduces the gap.
The fourth expectation is fast repair. The Internet is not patient. A route that becomes invalid because of an error, account problem, or mistaken administrative action can create immediate pressure. Repair channels should be measured against routing harm, not ordinary office convenience. This is especially important for networks outside capital-city centres or large carrier groups, where personal escalation may be unavailable.
The fifth expectation is proportional intervention. If the registry must act, the action should be narrow. Remove the wrong ROA, not every authorization. Restrict a compromised account, not an unrelated resource set. Ask for missing evidence, but avoid breaking reachability where the risk does not justify it. The habit of narrow action is what separates a trust layer from a control lever.
These expectations are not hostile to LACNIC. They are the conditions under which RPKI can succeed as regional infrastructure. A trust layer that is easy to adopt but hard to challenge will eventually create unease. A trust layer that is technically strong and institutionally modest will become part of the region's competitive strength.
Restraint As A Design Principle
The central principle for RPKI governance should be restraint. The registry should have enough authority to protect the accuracy and integrity of certification. It should not have unchecked practical power to alter routing confidence where a narrower action would suffice. Restraint does not mean weakness. It means matching intervention to evidence and harm.
In routine cases, restraint means letting recognized holders manage their ROAs quickly and safely. It means making account recovery robust without making unauthorized changes easy. It means preserving change history and making it available to the holder. It means ensuring that support staff can distinguish between a simple configuration error and a contested control issue.
In transfer cases, restraint means coordinating certification changes with recognized transfer state and operational continuity. The system should not leave buyers unable to route, nor should it give sellers indefinite apparent authority after recognition has moved. Transitional arrangements should be supported where policy and security permit, because real networks do not always change on a single administrative date.
In enforcement cases, restraint means proportionality. If a resource is clearly no longer held, certification should reflect that. If a security compromise is credible, protective action may be urgent. But if the problem is curable, contested, or unrelated to route-origin risk, the response should avoid unnecessary invalidation. A registry should not turn certification control into general-purpose leverage.
In dispute cases, restraint means review. The affected party should have a path to be heard, and the reviewer should be able to correct error without institutional embarrassment. Good systems make correction normal. Weak systems treat correction as defeat. RPKI will produce mistakes because humans, companies, and networks are messy. The question is whether the institution can absorb those mistakes without damaging trust.
The final element is public confidence. The community does not need to see every confidential document, but it does need to believe that consequential actions are governed by standards rather than personality or pressure. Published principles, incident transparency, evidence standards, and review routes all reduce the need for blind trust. In routing security, as in finance, blind trust is fragile. Structured trust is durable.
The Regional Stakes For LACNIC
Latin America and the Caribbean should want broad RPKI adoption. The region benefits when route hijacks are harder, mistakes are easier to detect, and networks can present stronger operational hygiene to global counterparties. Content platforms, carriers, financial institutions, public networks, universities, ISPs, and cloud providers all gain from a cleaner origin-validation environment. The public interest in routing security is real.
The region should also want adoption that does not make smaller networks dependent on opaque control. If RPKI becomes a tool that only large operators can safely manage, the security benefit will be uneven. If hosted service is convenient but poorly governed, small operators may adopt without understanding the dependence they have accepted. If disputes or corrections can interrupt validation without rapid review, the weakest networks will bear the greatest risk.
LACNIC's institutional position is therefore delicate. It must encourage security while preserving confidence that certification authority is exercised narrowly. It must support hosted convenience while avoiding paternalism. It must correct errors without creating fear that records or ROAs can change unpredictably. It must handle transfers and legacy questions without using routing continuity as hidden pressure. It must show governments, operators, and markets that the regional Internet community can manage a powerful trust layer responsibly.
There is no need to dramatize the point. The greatest risk is not a single spectacular abuse. It is a gradual perception that RPKI control is administratively uncertain. Once that perception takes hold, holders will price it into transactions, delay adoption, or insist on private assurances. The security mechanism will still exist, but it will not command full confidence.
Conversely, strong governance can make LACNIC's RPKI environment a market asset. A region where certification is reliable, appeals are timely, transitions are orderly, and hosted custody is disciplined will look safer to investors, customers, and networks. Address blocks from that region will carry less operational doubt. Smaller providers will be able to adopt without fearing that convenience has made them vulnerable.
A Narrow Trust Model Is Stronger
The strongest RPKI governance model is narrow. It says what the system can do well and refuses to pretend that it can do everything. It can show that a recognized resource holder has authorized a route origin. It can help networks reject routes that contradict that statement. It can make origin mistakes more visible. It cannot prove beneficial ownership, solve every commercial dispute, decide whether an acquisition was fair, or certify that a customer relationship is legitimate.
That narrowness is not a weakness. It is the source of credibility. Systems that answer one important question cleanly are easier to trust than systems that blur their purpose. If RPKI is treated as a routing-security mechanism, governance can focus on holder authority, certificate integrity, publication reliability, correction, and review. If it is treated as a broad control instrument, every commercial conflict around a scarce prefix may try to pull certification into the dispute.
LACNIC can protect the narrow model by keeping certification actions tied to routing and resource-recognition facts. A ROA should not become a prize in a business argument unless recognized authority over the resource has actually changed. Revocation should not be used as a substitute for ordinary dispute resolution. Hosted custody should not turn account administration into silent commercial power. The institution should be able to say, in effect: this trust layer is powerful because it is limited.
Operators have a role in preserving the same discipline. They should not read validation status as a complete character reference for a network. They should not assume that a valid route origin proves clean title, clean abuse history, or clean transfer evidence. They should use RPKI exactly where it is strongest, then use registry data, contracts, routing history, abuse records, and corporate evidence for the other questions. A market that understands the boundaries of its trust tools will use them more confidently.
Routing Trust Needs Institutional Humility
RPKI is one of the most important practical improvements in Internet routing security. It should not be weakened by exaggerated fears or by treating every registry action as suspect. But neither should it be shielded from institutional analysis because it is technical. The more successful RPKI becomes, the more important its governance becomes.
The heart of the matter is humility. A registry operating certification infrastructure should recognize that its administrative decisions can affect live routing, commercial value, customer relationships, and regional legitimacy. That recognition should produce restraint, transparency, and fast correction. It should also produce a clear separation between routine holder control and exceptional intervention.
For LACNIC, the opportunity is to make RPKI not only a security service but a trust service. That means building confidence that hosted custody will not become unbounded control, that revocation will be proportionate, that ROA corrections will be rapid, that transfer state will be handled with continuity, and that appeals will move faster than the harm. Routing trust is not created by cryptography alone. It is created when cryptography is embedded in institutions that know their own power and limit it.
Sources and Further Reading
- LACNIC, "Resource Certification (RPKI)": https://www.lacnic.net/1037/2/lacnic/resource-certification-rpki
- LACNIC, "RPKI in Hosted Mode": https://www.lacnic.net/706/2/lacnic/rpki-in-hosted-mode
- LACNIC, "RPKI in Delegated Mode": https://www.lacnic.net/707/2/lacnic/rpki-in-delegated-mode
- LACNIC, "RPKI Trust Anchor": https://www.lacnic.net/690/2/lacnic/rpki-trust-anchor
- LACNIC, "Route Origin Authorizations": https://www.lacnic.net/709/2/lacnic/route-origin-authorizations
- LACNIC, "LACNIC Policy Manual v2.20": https://www.lacnic.net/680/2/lacnic/lacnic-policy-manual-v220---07_08_2024
- LACNIC, "Transferring IP Addresses": https://www.lacnic.net/1019/2/lacnic/transferring-ip-addresses
- LACNIC, "Legacy Resources": https://www.lacnic.net/1022/2/lacnic/legacy-resources
- LACNIC, "IP and ASN Recovery": https://www.lacnic.net/1020/2/lacnic/ip-y-asn-recovery
- IETF RFC 6480, "An Infrastructure to Support Secure Internet Routing": https://datatracker.ietf.org/doc/html/rfc6480
- IETF RFC 6482, "A Profile for Route Origin Authorizations": https://datatracker.ietf.org/doc/html/rfc6482
- IETF RFC 6484, "Certificate Policy for the Resource Public Key Infrastructure": https://datatracker.ietf.org/doc/html/rfc6484
- IETF RFC 6811, "BGP Prefix Origin Validation": https://datatracker.ietf.org/doc/html/rfc6811
- IETF RFC 8182, "The RPKI Repository Delta Protocol": https://datatracker.ietf.org/doc/html/rfc8182
- IETF RFC 9286, "Manifests for the Resource Public Key Infrastructure": https://datatracker.ietf.org/doc/html/rfc9286
- IETF RFC 9255, "The 'I' in RPKI Does Not Stand for Identity": https://datatracker.ietf.org/doc/html/rfc9255
- NRO, "About the RIRs": https://www.nro.net/about/rirs/
- MANRS, "Route Origin Validation": https://www.manrs.org/isps/guide/rov/

