Resource Certification (RPKI)

Resource Public Key Infrastructure (RPKI) is an opt-in service that provides security for Internet routing. You can use ARIN’s RPKI system in two ways:

Why Use RPKI?

In the early Internet, routing was dependent on network relationships based on mutual trust. This model proved sufficient when each party expected that transmitted information was safe, accurate, and not affected by accidental or malicious activity. As the Internet grew from a simple platform for sharing information to a commercial platform, it has become increasingly vulnerable to abuse and attack.

RPKI uses cryptographically verifiable statements to ensure that Internet number resources are certifiably linked to the stated holders of those resources. This enables resource holders to attest which Autonomous System Numbers (ASNs) should originate their prefixes (i.e. blocks of IP addresses). Network operators can compare Border Gateway Protocol (BGP) announcements from the global Internet routing table with RPKI validity data to make informed decisions to enhance their routing security.

To authorize an Autonomous System Number (ASN) to route a set of prefixes, the resource holder must first obtain a resource certificate from their issuing Regional Internet Registry (RIR) that verifies the IP addresses allocated to them. After receiving a resource certificate, the resource holder creates signed Route Origin Authorizations (ROAs) that specify the ASN authorized to originate their IP addresses. Typically network operators for the resource holder create the ROAs, which are then used by other network operators to make decisions on routing. The ROAs provide verification that the routes being advertised are valid and can be used safely in routing tables.

Using ARIN’s RPKI Repository to Perform Route Origin Validation

In order to collect information from ARIN’s RPKI repository you’ll need to do the following:

Obtain an RPKI Validator and Install It

Download an RPKI validator (Relying Party software) by selecting one or more of the packages below and install it in your network. Consult the validator’s software documentation for system requirements and installation instructions.

Obtain ARIN’s Routing Information via its Trust Anchor Locator

A Trust Anchor Locator (TAL) is a file used to allow Relying Parties to retrieve RPKI data from a repository. Each Regional Internet Registry (RIR) has a TAL needed to access its RPKI repository.

ARIN’s TAL contains the URL of ARIN’s published RPKI repository and ARIN’s encrypted public key. The public key is used to cryptographically verify that ARIN has signed the artifacts within the repository.

If ARIN’s TAL has not been provided in the validator software, you will need to download it from the ARIN website and transfer it to the server where you installed the RPKI validator.

Your validator will connect to ARIN’s RPKI repository via RPKI Repository Delta Protocol (RRDP) or rsync and download the validated RPKI certificates and ROAs from which you can make routing decisions based on RPKI validity data. Validators periodically fetch data from ARIN’s repository every few minutes.

Certifying Your Resources in ARIN’s RPKI

To certify your resources, you need:

ARIN offers two models of RPKI: Hosted and Delegated. Decide whether you are using the Hosted or Delegated model of RPKI, and follow the instructions provided on the pertinent page to create the necessary files and configure RPKI in ARIN Online.

  • Hosted RPKI: With Hosted RPKI, ARIN hosts a Certificate Authority (CA) and signs all Route Origin Authorizations (ROAs) for resources within the ARIN region. Visit Hosted RPKI for more information.
  • Delegated RPKI: With Delegated RPKI, you request your own delegated resource certificates and host your own Certificate Authority (CA) to sign ROAs. You can maintain your own publication server to publish your resource certificate and ROAs to make them available to other entities, or you can use ARIN’s publication service. Visit Delegated RPKI for more information.

If you want to change between the Delegated and Hosted models, you must log in to ARIN Online and submit an Ask ARIN ticket by choosing Ask ARIN from the navigation menu, or contact the Registration Services Help Desk by phone Monday through Friday, 7:00 AM to 7:00 PM ET at +1.703.227.0660.

Additional RPKI Information

More information about RPKI is available at the following external sites: