Resource Certification (RPKI)
Effective 26 September 2022, ARIN changed how it manages the ARIN Trust Anchor Locator (TAL). Please see our announcement for more information.
Resource Public Key Infrastructure (RPKI) is an opt-in service that provides security for Internet routing. You can use ARIN’s RPKI system in two ways:
Using ARIN’s RPKI Repository for Routing: You can obtain information about routes from ARIN’s RPKI repository to make routing decisions for your network. This is also known as being a Relying Party. You will need to download the ARIN Trust Anchor Locator (TAL) and use it with an RPKI validator. More information is provided in Using ARIN’s RPKI Repository for Routing.
Providing Certification for Your ARIN Resources: If you have Internet Number Resources that are covered by an ARIN Registration Services Agreement (RSA) or Legacy Registration Services Agreement (LRSA), you can certify that you have authority over routes that originate your IP addresses. You do this by requesting certificates and creating Route Origin Authorizations (ROAs). The ROAs are then made available to RPKI validators. More information is provided below in Certifying Your Resources in ARIN’s RPKI.
Why Use RPKI?
In the early Internet, routing was dependent on network relationships based on mutual trust. This model proved sufficient when each party expected that transmitted information was safe, accurate, and not affected by accidental or malicious activity. As the Internet grew from a simple platform for sharing information to a commercial platform, it has become increasingly vulnerable to abuse and attack.
RPKI uses cryptographically verifiable statements to ensure that Internet number resources are certifiably linked to the stated holders of those resources. This enables resource holders to attest which Autonomous System Numbers (ASNs) should originate their prefixes (i.e. blocks of IP addresses). Network operators can compare Border Gateway Protocol (BGP) announcements from the global Internet routing table with RPKI validity data to make informed decisions to enhance their routing security.
To authorize an Autonomous System Number (ASN) to route a set of prefixes, the resource holder must first obtain a resource certificate from their issuing Regional Internet Registry (RIR) that verifies the IP addresses assigned or allocated to them. After receiving a resource certificate, the resource holder creates signed Route Origin Authorizations (ROAs) that specify the ASN authorized to originate their IP addresses. Typically, network operators for the resource holder create the ROAs, which are then used by other network operators to make decisions on routing. The ROAs provide verification that the routes being advertised are valid and can be used safely in routing tables.
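The comparison of a BGP announcement against ROA data described above can be sketched as follows. This is an added example, not ARIN's or any validator's code; it follows the route origin validation rules of RFC 6811, and the prefixes, ASNs and the names VRP, SAMPLE_VRPS and validate_origin are constructed for illustration. The maxLength field comes from the ROA format and is not discussed on this page.

```python
import ipaddress
from typing import Iterable, NamedTuple


class VRP(NamedTuple):
    """Validated ROA Payload: one (prefix, maxLength, origin ASN) entry from a verified ROA."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample data: documentation prefixes and ASNs, not real ROAs.
SAMPLE_VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("2001:db8::/32", 48, 64497),
    VRP("198.51.100.0/24", 24, 0),  # AS0 ROA: the holder states the prefix should not be routed
]


def validate_origin(prefix: str, origin_asn: int, vrps: Iterable[VRP]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue  # this VRP does not cover the announced prefix
        covered = True
        # A match needs the authorized origin AND a prefix no longer than maxLength.
        # AS0 never matches, so an AS0 VRP can only make a covered route invalid.
        if vrp.asn != 0 and vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"
    # Covered by at least one VRP but matched by none: invalid. No coverage: not-found.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    announcements = [
        ("192.0.2.0/24", 64496),     # authorized origin
        ("192.0.2.0/24", 64511),     # covered, wrong origin
        ("192.0.2.128/25", 64496),   # right origin, more specific than maxLength
        ("203.0.113.0/24", 64496),   # no covering VRP
    ]
    for pfx, asn in announcements:
        print(f"{pfx} from AS{asn}: {validate_origin(pfx, asn, SAMPLE_VRPS)}")
```

A "not-found" result means no ROA covers the prefix, which is different from "invalid"; routing policy usually treats the two states differently.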
Using ARIN’s RPKI Repository for Routing
In order to collect information from ARIN’s RPKI repository you’ll need to do the following:
Obtain an RPKI Validator and Install It
Download an RPKI Validator (Relying Party software) by selecting one or more of the packages below and install it in your network. Consult the validator’s software documentation for system requirements and installation instructions.
- Fort Validator - tested as part of each ARIN Online release
- NLnet Labs (Routinator) - tested as part of each ARIN Online release
- rpki-client - tested as part of each ARIN Online release
Obtain ARIN’s Routing Information via its Trust Anchor Locator (TAL)
A Trust Anchor Locator (TAL) is a file used to allow Relying Parties to retrieve RPKI data from a repository. Each Regional Internet Registry (RIR) has a Trust Anchor Locator needed to access its RPKI repository.
ARIN’s TAL contains the URL of ARIN’s published RPKI repository and ARIN’s encrypted public key. The public key is used to cryptographically verify that ARIN has signed the artifacts within the repository.
If ARIN’s TAL has not been provided in the validator software, you will need to download it from the ARIN website and transfer it to the server where you installed the RPKI Validator.
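Because the TAL is the root of trust for everything the validator accepts, it is worth checking a downloaded copy before installing it. The following added example (not ARIN's code) parses the TAL layout defined in RFC 8630, which is optional comment lines, one or more URIs, a blank line, then the Base64-encoded public key, and compares the key's SHA-256 fingerprint with one obtained out of band. The host name, key bytes and the names parse_tal, tal_matches, FAKE_KEY and SAMPLE_TAL are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def parse_tal(text: str) -> dict:
    """Parse an RFC 8630 TAL into its URIs and the SHA-256 of the public key."""
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines) and lines[i].startswith("#"):  # optional comment section
        i += 1
    uris = []
    while i < len(lines) and lines[i]:  # URI section ends at the blank line
        uris.append(lines[i])
        i += 1
    if not uris:
        raise ValueError("TAL has no URI section")
    for uri in uris:
        if urlsplit(uri).scheme not in ("https", "rsync"):
            raise ValueError(f"unexpected URI scheme in TAL: {uri!r}")
    b64 = "".join(ln for ln in lines[i:] if ln)  # key may be wrapped over lines
    try:
        key = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("public key is not valid Base64") from exc
    if not key or key[0] != 0x30:  # DER subjectPublicKeyInfo starts with SEQUENCE
        raise ValueError("public key is not a DER SEQUENCE")
    return {"uris": uris, "key_sha256": hashlib.sha256(key).hexdigest()}


def tal_matches(text: str, expected_sha256: str) -> bool:
    """True if the TAL's key fingerprint equals one obtained out of band."""
    return hmac.compare_digest(parse_tal(text)["key_sha256"], expected_sha256.lower())


# Constructed sample: placeholder host and placeholder key bytes, not ARIN's TAL.
FAKE_KEY = b"\x30\x0d" + bytes(range(13))
SAMPLE_TAL = (
    "# constructed example TAL\n"
    "https://rpki.example.net/ta/example-ta.cer\n"
    "rsync://rpki.example.net/ta/example-ta.cer\n"
    "\n"
    + base64.b64encode(FAKE_KEY).decode() + "\n"
)
```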
Your validator will connect to ARIN’s RPKI repository via RPKI Repository Delta Protocol (RRDP) or rsync and download the validated RPKI certificates and ROAs, giving you RPKI validity data on which to base routing decisions. Validators fetch data from ARIN’s repository every few minutes.
Certifying Your Resources in ARIN’s RPKI
To certify your resources, you need:
- IPv4 or IPv6 resources issued to you directly from ARIN
- A signed RSA/LRSA covering the resources you wish to certify
- An ARIN Online account linked to an Admin, Tech, Abuse, or Routing Point of Contact (POC) with authority to manage those resources
ARIN offers two models of RPKI: Hosted and Delegated. Decide whether you are using the Hosted or Delegated model of RPKI, and follow the instructions provided on the pertinent page to create the necessary files and configure RPKI in ARIN Online.
- Hosted RPKI: With Hosted RPKI, ARIN hosts a Certificate Authority (CA) and signs all Route Origin Authorizations (ROAs) for resources within the ARIN region. Visit Hosted RPKI for more information.
- Delegated RPKI: With Delegated RPKI, you request your own delegated resource certificates and host your own Certificate Authority (CA) to sign ROAs. You can maintain your own publication server to publish your resource certificate and ROAs to make them available to other entities, or you can use ARIN’s publication service. Visit Delegated RPKI for more information.
If you want to change between the Delegated and Hosted models, you must log in to ARIN Online and submit an Ask ARIN ticket by choosing Ask ARIN from the navigation menu, or contact the Registration Services Help Desk by phone Monday through Friday, 7:00 AM to 7:00 PM ET at +1.703.227.0660.
Additional RPKI Information
More information about RPKI is available at the following external sites:
- RPKI Documentation at readthedocs.io
- RFC 6810: The Resource Public Key Infrastructure (RPKI) to Router Protocol
- Resource Certification Explained video from the Number Resource Organization (NRO)
- SIDR Working Group Documents
- RPKI at AFRINIC
- Resource Certification at APNIC
- Certification of Resources at LACNIC
- Resource Certification (RPKI) at RIPE NCC