Resource Certification (RPKI)
Resource Public Key Infrastructure (RPKI) is an opt-in service at ARIN that provides security for Internet routing. You can use ARIN’s RPKI system in two ways:
Using ARIN’s RPKI Repository for Routing: You can obtain information about routes from ARIN’s RPKI repository to make routing decisions for your network. This is also known as being a relying party. You need to download the ARIN Trust Anchor Locator (TAL) and use it with an RPKI validator. More information is provided in Using ARIN’s RPKI Repository for Routing.
Providing Certification for Your ARIN Resources: If you have ARIN Internet Number Resources that are covered by a Registration Services Agreement (RSA) or Legacy Registration Services Agreement (LRSA), you can certify that you have authority over routes that originate from your resources. You do this by requesting certificates and creating Route Origin Authorizations (ROAs) in ARIN’s RPKI system. ARIN offers two models of RPKI: Hosted and Delegated. More information is provided in Certifying Your Resources in ARIN’s RPKI.
Why Use RPKI?
Internet routing depends on many chains of network relationships that are based on mutual trust. Each party trusts that the route used to transmit information is safe, accurate, and will not be maliciously altered. This model proved sufficient in the early stages of Internet development, but it has become increasingly vulnerable to abuse and attack as use of the Internet’s resources has grown massively. Using cryptographically verifiable statements, RPKI helps to ensure that Internet number resource holders are certifiably linked to those resources and that reliable routing origin data is available on which to base routing decisions. RPKI allows IP address holders to specify which Autonomous Systems (ASes) are authorized to originate their IP address prefixes. With RPKI, Border Gateway Protocol (BGP) route announcements issued from a router are validated to make sure that the route originates from an AS authorized by the resource holder and that it is a valid route.
To ensure that an AS is authorized to originate a set of prefixes, the resource holder must a) obtain a resource certificate attesting that a set of IP address prefixes has been assigned or allocated to them; and b) create Route Origin Authorizations (ROAs) that specify an IP address prefix, the prefix length, and the originating Autonomous System Number (ASN). These ROAs are created by network operators and used by other network operators to make routing decisions. The ROAs provide verification that the routes being advertised are authorized by the resource holder and can be used safely in routing tables.
Using ARIN’s RPKI Repository for Routing
To use information from ARIN’s RPKI repository in your routing (also known as being a relying party), you’ll need to do the following:
Obtain an RPKI Validator and Install It
- Obtain an RPKI Validator, which is also called “relying party software.” There are various options, which include:
  - Dragon Research
  - Fort Validator
  - NLnet Labs (Routinator)
  - RIPE NCC RPKI Validator
- Install the validator in your network. Consult the instructions from the specific validator you chose for requirements and installation steps.
Obtain ARIN’s Routing Information via Its Trust Anchor Locator (TAL)
A Trust Anchor Locator (TAL) is a file that allows relying parties to retrieve RPKI data from a repository. Each Regional Internet Registry (RIR) has a trust anchor, which can be thought of as a “map” that provides the route to a particular RPKI repository’s trusted, verified routing data. For example, ARIN’s TAL contains two things: the URL of ARIN’s published RPKI repository, and ARIN’s public key, which is used to cryptographically verify that ARIN has signed the artifacts within ARIN’s repository. Some validators may already include TALs from the other RIRs, but they usually do not include ARIN’s TAL.
You need ARIN’s TAL to work with your RPKI validator. If ARIN’s TAL is not bundled with the validator software, you’ll need to download it from the ARIN website and transfer it to the server where you installed your RPKI validator.
By downloading ARIN’s TAL, you indicate your agreement with and acceptance of ARIN’s Relying Party Agreement (RPA). Validator software requires that you agree to the RPA as well.
After you’ve installed your validator and ARIN’s TAL, the validator connects to ARIN’s RPKI repository via rsync or the RPKI Repository Delta Protocol (RRDP), downloads ARIN’s RPKI certificates and ROAs, and validates them to produce the data upon which your system will base routing decisions. Most validators can be configured to fetch data from ARIN’s repository periodically; the repository is updated every few minutes.
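The ROA definition given earlier (prefix, prefix length, originating ASN) and the validated data your relying-party software produces come together in Route Origin Validation, the check a router applies to each BGP announcement (RFC 6811). The following Python is an added example, not ARIN’s or any validator’s code: it reads a constructed VRP set in the JSON shape validators such as Routinator export (the `roas`/`asn`/`prefix`/`maxLength` field names follow that format; the ASNs and prefixes are documentation values, not data from ARIN’s repository) and classifies announcements as Valid, Invalid or NotFound.

```python
"""Route Origin Validation (RFC 6811) over Validated ROA Payloads (VRPs).

Added example, not ARIN's code. A relying-party validator fetches ROAs from
ARIN's repository, checks their signatures against the TAL's trust anchor, and
exports the result as VRPs: (prefix, maxLength, origin ASN). A router then
classifies each BGP announcement as Valid, Invalid or NotFound against them.
"""
import ipaddress
import json
from typing import Dict, List, NamedTuple, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in the JSON shape RPKI validators commonly export.
# ASNs and prefixes are documentation values (RFC 5398, RFC 5737, RFC 3849),
# not data from ARIN's repository.
SAMPLE_VRP_JSON = """
{"roas": [
  {"asn": "AS64496", "prefix": "192.0.2.0/24",   "maxLength": 26, "ta": "arin"},
  {"asn": "AS64497", "prefix": "203.0.113.0/24", "maxLength": 24, "ta": "arin"},
  {"asn": "AS64497", "prefix": "2001:db8::/32",  "maxLength": 48, "ta": "arin"}
]}
"""


class VRP(NamedTuple):
    prefix: Network
    max_length: int
    asn: int


def load_vrps(text: str) -> List[VRP]:
    """Parse validator JSON output into VRP tuples."""
    vrps = []
    for roa in json.loads(text)["roas"]:
        asn_text = str(roa["asn"]).upper()
        asn = int(asn_text[2:] if asn_text.startswith("AS") else asn_text)
        vrps.append(VRP(ipaddress.ip_network(roa["prefix"]), int(roa["maxLength"]), asn))
    return vrps


def covers(vrp: VRP, route: Network) -> bool:
    """A VRP covers a route when the route lies inside the VRP prefix
    (same address family, route at least as specific as the VRP prefix).
    maxLength plays no part in coverage; it only decides Valid vs Invalid."""
    return route.version == vrp.prefix.version and route.subnet_of(vrp.prefix)


def validate(route_text: str, origin_asn: int, vrps: List[VRP]) -> str:
    """RFC 6811 outcome for one announcement: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_text)
    covering = [v for v in vrps if covers(v, route)]
    if not covering:
        return "not-found"          # no ROA says anything about this space
    for v in covering:
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"          # one matching VRP is enough
    # Covered, but wrong origin AS or more specific than any maxLength allows.
    # An AS0 ROA (RFC 6483) lands here too: no real origin can match ASN 0.
    return "invalid"


def audit(announcements: List[Tuple[str, int]], vrps: List[VRP]) -> Dict[str, List[str]]:
    """Group announcements by outcome: useful for checking what a planned ROA
    set would do to the prefixes you actually originate before publishing it."""
    report: Dict[str, List[str]] = {"valid": [], "invalid": [], "not-found": []}
    for prefix, asn in announcements:
        report[validate(prefix, asn, vrps)].append(f"{prefix} AS{asn}")
    return report


if __name__ == "__main__":
    vrps = load_vrps(SAMPLE_VRP_JSON)
    sample_routes = [
        ("192.0.2.0/24", 64496),     # exact match
        ("192.0.2.0/26", 64496),     # more specific, within maxLength
        ("192.0.2.0/27", 64496),     # exceeds maxLength -> invalid
        ("192.0.2.0/24", 64511),     # wrong origin AS -> invalid
        ("203.0.113.0/25", 64497),   # maxLength == prefix length forbids a /25
        ("2001:db8:1::/48", 64497),  # IPv6, within maxLength
        ("198.51.100.0/24", 64496),  # no covering VRP -> not-found
    ]
    for outcome, routes in audit(sample_routes, vrps).items():
        print(f"{outcome:>9}: {', '.join(routes)}")
```

Two outcomes deserve attention when you publish ROAs yourself. A prefix with no covering ROA is NotFound, which most networks still accept, so an unsigned prefix gains no protection. A covering ROA whose maxLength is tighter than the more-specific prefixes you actually announce turns those announcements Invalid, and networks that drop Invalids will stop carrying them; the `audit` helper shows that effect on a planned ROA set before anything is signed.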
Certifying Your Resources in ARIN’s RPKI
To certify your resources, you will need:
- IPv4 or IPv6 resources issued to you directly from ARIN and covered by a signed RSA/LRSA
- An ARIN Online account linked to an Admin, Tech, Abuse, or Routing Point of Contact (POC) with authority to manage the resources you wish to certify
Perform the following steps:
- Create an ARIN Online account.
- Set up a test account on the OT&E Server. (This is optional, but recommended.)
- Decide if you are using the Hosted (recommended) or Delegated model of RPKI, and follow the instructions provided on the pertinent page to create the necessary files and configure RPKI in ARIN Online.
Hosted RPKI: With hosted RPKI, ARIN hosts a Certificate Authority (CA) and signs all Route Origin Authorizations (ROAs) for resources within the ARIN region.
Delegated RPKI: With delegated RPKI, ARIN direct resource holders request their own delegated resource certificates and can host their own Certificate Authority (CA).
Additional RPKI Information
More information about RPKI is available at the following URLs (external to ARIN):
- RPKI Documentation at readthedocs.io
- RFC 6810: The Resource Public Key Infrastructure (RPKI) to Router Protocol
- Resource Certification Explained video from the Number Resource Organization
- IETF’s SIDR Working Group
- RPKI at AFRINIC
- Resource Certification at APNIC
- Certification of Resources at LACNIC
- Resource Certification (RPKI) at RIPE NCC