Operational Test and Evaluation Environment (OT&E)

OT&E is an environment that contains data that is similar to the data that exists in ARIN’s production environment. The OT&E environment allows developers to experiment with ARIN interactions without affecting production data. OT&E allows for experimentation with the following main ARIN services:

Note: OT&E exists solely for experimental usage and research, and is not linked to ARIN’s production system. User data (including API keys) is copied from the production database to OT&E monthly. Note that email interactions are not supported in OT&E.

Benefits of using OT&E:

  • Testing can be done without affecting production data.
  • RPKI is restricted to those organizations that have signed a Registration Services Agreement (RSA) with ARIN. However, OT&E can be used by those organizations without signing an RSA to experiment with these new services.
  • When using RPKI, test Route Authorization Requests (ROAs) can be created and validated without impacting production RPKI data.

Drawbacks of using OT&E:

  • Data is refreshed each month, so any data created in OT&E (e.g., resource certifications and ROAs) is deleted after the refresh and must be recreated.
  • The Ask ARIN feature is not monitored in OT&E; questions or requests must be submitted in the production environment. (For example, you must log in to ARIN Online and create a ticket using Ask ARIN there.)

Prerequisites

Before using OT&E, you need the following:

  • ARIN Online user account: This account must have been created before the first of the month in which you are using OT&E. (User accounts [including API keys] are copied from ARIN Online’s production environment to the OT&E environment on the first Monday of every month.)
  • Authority over resources in ARIN Online: Your user account in ARIN Online must be linked to a POC that has been associated with an Org with resources.
  • API key: You must have an API key for your user account. Note: If you want to use a different API key for OT&E than the API key you use in the production system, you can change your API key in OT&E by choosing Settings - Profile and Security Information from the “Welcome, yourname” drop-down menu in OT&E. Under Security Info, choose Actions > Manage API Keys. Because user data (including account and API key information) is copied from the production database to OT&E at the beginning of each month, you will have to change your API key again after each monthly database refresh.

Mailing List

ARIN encourages all OT&E users to subscribe and participate on the ARIN Technical Discussions mailing list for information sharing and outage information.

Data Refresh

Every month, you will need to reconfigure any changes that you made to your resources in OT&E, because OT&E data is replaced with new data during the refresh that occurs on the first Monday of the month.

OT&E Hosts

The following URLs should be used when interacting with ARIN’s OT&E services in place of their production counterparts:

  • whois.ote.arin.net: Whois-RWS
  • www.ote.arin.net: ARIN Online
  • reg.ote.arin.net: Reg-RWS and the IRR RESTful API
  • rpki.ote.arin.net: RPKI
  • updown.ote.arin.net: Up/Down RPKI
  • rdap.ote.arin.net: RDAP

More information is available in the following sections.

Using Whois-RWS in OT&E

whois.ote.arin.net is used to access Whois-RWS in OT&E; this functionality within OT&E is a mirror of production. Remember to use http://whois.ote.arin.net in place of http://whois.arin.net. For more information on the Whois-RWS API, visit Whois-RWS API Documentation).

Using ARIN Online in OT&E

The address www.ote.arin.net is used to reach the OT&E ARIN Online service. It provides a mirror of production data and allows you to perform the same functions as in production, but on a test environment. Note that because this environment is not monitored by the Registration Services Department, ticketed requests, including the Ask ARIN help desk ticket, will not receive a response.

Using Reg-RWS and the IRR RESTful API in OT&E

The reg.ote.arin.net URL provides Reg-RWS and IRR RESTful API functionality within OT&E. This system is a mirror of production. Remember to use https://reg.ote.arin.net as RESTful calls to https://reg.arin.net will affect production data. For more information on Reg-RWS usage, visit Automating Record Management with Reg-RWS. For more information on the IRR RESTful API, visit Automating Your Workflow Using the IRR RESTful API.

Using RPKI in ARIN’s OT&E Environment

OT&E allows you to test RPKI in a non-production environment.

Signing up for RPKI in OT&E

To use RPKI in OT&E:

If you don’t have any resources covered under RPKI in production, you’ll first need to request access to RPKI. To request access to RPKI:

  1. Log in to ARIN Online in the OT&E environment and follow the steps to configure RPKI.
  2. When you submit your resource certificate request, a ticket will be created for you in the OT&E environment. Record this ticket number.
  3. Contact ARIN staff by submitting an Ask ARIN ticket as described in the next section.

Note:

Specifically for customers who are already enrolled in Delegated (not Hosted) RPKI and who would like to perform some testing in OT&E, you will need to perform some additional steps after each monthly refresh. Please re-exchange the identity.xml in the OT&E public front-end and force your software to perform an issue request. Krill users may find it easiest to set up their Krill client again from scratch.

Working with ARIN Staff for OT&E

The OT&E environment is not actively monitored by ARIN Staff. When you’ve requested a certificate, need resources re-enrolled in the OT&E environment, or are already signed up for delegated RPKI and need your account deleted/re-added to use OT&E, you will need to submit an Ask ARIN ticket in the production environment for ARIN Staff to process your request in OT&E. Follow these steps to complete your resource certificate request:

  1. Log in to ARIN Online in the production environment (www.arin.net).
  2. Use Ask ARIN to create a ticket. Be sure to use the following:
  • Topic: Other
  • Subject: OT&E approval requested
  • Question: Provide the OT&E ticket number or function that ARIN staff needs to process for you.

After you receive notification that your resources have been certified, you can create ROAs in the OT&E environment.

Note: We do a refresh of the production database within OT&E on a monthly basis. All changes that were made prior to the OT&E environment refresh will be lost. Therefore, unless you have resources covered under RPKI in production, you will have to repeat the steps described in this section (starting with the request for access to RPKI). If you are already signed up for delegated RPKI, you will need to submit an Ask ARIN ticket each month after the refresh to request that your account be deleted and re-added before you can test in OT&E.

RPKI Repository Updates

In OT&E, the RPKI repository is updated every few minutes.

ROA Request Generation Key Pairs

OT&E ROA Requests should be signed using a separate ROA Request Generation Key Pair than the one you use in production. ARIN provides the following keys for testing purposes. The benefit to using these default keys is that they persist after the monthly data refresh. Therefore, if you use these default keys, you don’t have to recreate your RPKI certificate each month.

Note: You can use your own RPKI key, but you’ll then need to recreate your RPKI certificate after each monthly refresh of the OT&E database.

Public Key for Testing Purposes

Download the test public key file.

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuC6QLHirotHv+XOpaFpN
9VHtBKp5WCj7bbhYNxuC77HRa9EOzOtzYAiSp2L2TaKndny/kRH7BBzYCQWSLSk3
woHL+Z4RgP+QSLnRsNibYXH9Sx6NCPZamHGsNC0IyJ9MWhtDikl1Tms6wVOSPqlz
M1YMEm9Qv4WrCorlf9t1+owI+1MDYy/TlG0pnJ4xZnGGc1hq5kOTrsNmGEAyO+xi
ZIXe86BPF4ZAjkUZSktfubX5br+qURwPR9mqCr2ckR0Uev1/pZRa9vCZXInkBMv0
rkogZLLnkXch/MceCnhBtgfVCVDR7ueRBv1qGtUgB8O9L1G4B7ybeAmcp6XN0kpp
7QIDAQAB
-----END PUBLIC KEY-----

Private Key for Testing Purposes

Download the test private key file.

-----BEGIN RSA PRIVATE KEY-----  
MIIEpAIBAAKCAQEAuC6QLHirotHv+XOpaFpN9VHtBKp5WCj7bbhYNxuC77HRa9EO
zOtzYAiSp2L2TaKndny/kRH7BBzYCQWSLSk3woHL+Z4RgP+QSLnRsNibYXH9Sx6N
CPZamHGsNC0IyJ9MWhtDikl1Tms6wVOSPqlzM1YMEm9Qv4WrCorlf9t1+owI+1MD
Yy/TlG0pnJ4xZnGGc1hq5kOTrsNmGEAyO+xiZIXe86BPF4ZAjkUZSktfubX5br+q
URwPR9mqCr2ckR0Uev1/pZRa9vCZXInkBMv0rkogZLLnkXch/MceCnhBtgfVCVDR
7ueRBv1qGtUgB8O9L1G4B7ybeAmcp6XN0kpp7QIDAQABAoIBAQCEd0DMK1HOfc1p
jO03l1NgcDbW10EEzhzfMemIYOoQOMTVFXvemCzX0fKgHsXk2mo1Bs3EqbjuoUwj
WPVkM7Pd2fp5Il2WeLguBi8xUOiX8iLphySKYJyR7ZebwxQBLsj8OYWfDOwopWiR
qOiS1s57CpUOIS9jP+DfaTxcc9vrgNhHyJXywuks2lmOQtUGaTlJQUvQuMV087ZO
+ySOJ6Ow+mx/95ALp/Vcg/zkfMuILawkQKhsaW5DvcIidoVXHOUOl/I+FywuQMhQ
Gg6lYDVKIQ43dDj0QnQILdGsuVzXnOQ7wTwE/zNofZpEUVAzFCHch1KJ4IaJG3Eh
Oe/1iXklAoGBAO27MB3GYp9IzY3jUpYPJVo/zhVEDTY7VmCSk45DS5wMHLPqsapQ
gIbKxbqvQP6pG4Tk8lr1ihsxx09u3SVez226npMTVHFWM9UJAgECDgc5CrQM4j4m
oulMn+kcL8CpELTfUMnKBZtnT6sA/l5Sbqcr8V03hJWzqL5670rbw93fAoGBAMZV
6otOUOJfUdH//yfSxO/tuXXxnQqDLOplGz0dBYC4JspsJMxU7GvqY3Y3ytbfkyB1
Shacr4iYo0fuBTFIVL5dGsYxtSpdlgt0Ouf7vIcz61c+1aaeG7X6Kj/Aku+MeEZx
9KYzq67mdUjza7n6Q3IcrexCkTCa47catqsGxJmzAoGAapW9WewjNXUHq/DaiyrZ
PWBT/lbXcZQjAwNUorjrQlhv2f6Ej26uYUCybCO9CTA6hVe8jSl/NPgZezSic+nR
KEo+ZISLHJFghcgXHOqV7YkWkmkgWmsqKV1QaMxZYJCsS9u/tekcoHMuVeYJJbLh
p5PdEEUe7ZtyMYyekrp7U5MCgYAftOp6/Lknh0+AP+mdhy9en+VvOoH9hTzv99vj
6DjR/B6Pa7xyQf1NvznJU2AE+9b8cGO4u7HAJ46q2B1SZJrPl/jIyHeK3002ZY1p
OrBH+P/dgbkMGuiZLfYFHRcgXpd3w4315/rBSixjzi5hm+WeX4FabMXjPE+9HPMo
4jsZywKBgQC6KMe+pL3zjqWXkFINR5zoDwJW5WwJuiczzUEQGLKQIfqaKDyPyNBZ
tvDBxQIw3m6mwXG7wLFpDr6ZphF6lkaFs4JS4ESWDfoDRv2QeeNg2wzlb8qpbYIv
V2Jgt1V6zcwjLUWhtfG1xrAy1c9Oodz7J2BXBvGKeSfOjnz5Rg/VGA==  
-----END RSA PRIVATE KEY-----

Trust Anchor Locator (TAL)

In order to validate your ROAs using ARIN’s OT&E data, you must use the following TAL. Note that this TAL differs from the ARIN production TAL. It is in RFC 7730 format.

rsync://rpki.ote.arin.net/repository/arin-rpki-ta.cer https://rrdp.ote.arin.net/arin-rpki-ta.cer

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA65jF7qjQzl77O5uaKPdisQu7apf9mhAtxH2fbckYL7CFEzrw/Z1XaSd2gmofJbtYBcpa3iqBGquKH0X+ab0sGolHedL+wipqgkH4zstk3AWc+lBd8e7sn0jSqnFL0xQaL2uoHtJetqus39ud0LsWi0OB+COyMXz2jA76j6WsNbE7VUwLLx1pNg7uGGcfFKrzqPvGMzWDynTC4fZfOe2UCtw2YgSsJdjEMdw1PT5RjDI5jtKemguPGeGp0YKmZguq1qgrl5rj2qEuF7hLkWxQsl/J5skfAVm8XjoNMhg069ojxeiQPToOFNlV2VliFenG8Zb3FRIRbbil1Q5l7qs1FQIDAQAB

Validators

The OT&E TAL is used with an RPKI validator to allow for the fetching and validation of ARIN OT&E repository objects. ARIN provides a list of validators that we have tested and support.