Resource Certification (RPKI)
RPKI is an opt-in service that allows users to certify their ARIN Internet number resources (those covered by an RSA/LRSA) to help secure Internet routing. Using cryptographically verifiable certificates, RPKI allows IP address holders to specify which Autonomous Systems (ASes) are authorized to originate their IP address prefixes. With RPKI, Border Gateway Protocol (BGP) route announcements received by a router can be checked to confirm that the originating AS is one the resource holder has authorized for that prefix, and that the announced prefix is no more specific than the holder allowed. This is done through Route Origin Authorizations (ROAs). ROAs are created by resource holders and used by other network operators to make routing decisions, typically by rejecting announcements that a ROA marks as invalid. Note that a ROA attests only to the origin AS and permitted prefix lengths; route origin validation does not check the rest of the AS path.
Benefits of RPKI
Internet routing depends on many chains of network relationships that are based on mutual trust. Each party trusts that the routes it receives are accurate and have not been maliciously altered. This model proved sufficient in the early stages of Internet development, but has become increasingly vulnerable to abuse and attack (accidental or deliberate route hijacks and leaks) as the Internet has grown. Using cryptographically verifiable statements, RPKI helps to ensure that Internet number resource holders are verifiably linked to their resources, and that reliable route origin data is available on which to base routing decisions.
Components of RPKI
RPKI fulfills security requirements through the generation of:
- Resource certificates: X.509 certificates carrying the IP address and AS number extensions defined in RFC 3779; each one digitally attests that a resource has been allocated or assigned to a specific entity, chaining back to the regional trust anchor
- Route Origin Authorizations (ROAs): Digitally signed statements, made with the key of a resource certificate, that specify which Autonomous System may originate a specific IP address prefix, optionally with a maximum prefix length (maxLength) that limits how specific an announcement covered by the ROA may be
- Trust Anchor Locator (TAL): A small file that lets relying parties locate ARIN's trust anchor certificate, retrieve it from ARIN's published RPKI repository (via rsync), and verify it before validating the certificates and ROAs beneath it, so that the resulting data can be used as a basis for routing decisions. ARIN's TAL contains two things: the URL at which ARIN's trust anchor certificate is published in its RPKI repository, and ARIN's PEM-encoded public key, which the retrieved certificate must match.
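To make concrete what a relying party actually does with ROAs once a validator has checked them against the TAL, here is an added example (not ARIN's code, and not part of the original page) implementing RFC 6811 route origin validation. It reads a constructed CSV of validated ROA payloads (VRPs), in the prefix/maxLength/ASN shape validators export, and classifies sample announcements as Valid, Invalid or NotFound. All prefixes and AS numbers are documentation ranges (RFC 5737, RFC 3849, RFC 5398); the exact CSV column names and the "AS" prefix on the ASN column are assumptions of this example.

```python
# Added example (not ARIN's code): RFC 6811 route origin validation.
# The VRPs and announcements are constructed sample data using
# documentation prefixes and documentation ASNs, not real ARIN objects.
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: what a validator emits for each ROA after
    checking its signature and certificate chain back to the TAL."""
    prefix: IPNetwork
    max_length: int
    asn: int  # ASN 0 means "no AS may originate this prefix" (RFC 7607)


# Constructed validator output; column names are an assumption of this example.
SAMPLE_VRP_CSV = """ASN,IP Prefix,Max Length
AS64496,192.0.2.0/24,24
AS64497,198.51.100.0/24,26
AS64496,2001:db8::/32,48
AS0,203.0.113.0/24,24
"""


def load_vrps(text: str) -> List[VRP]:
    """Parse VRP rows, rejecting prefixes with host bits set and
    maxLength values outside [prefixlen, address length]."""
    vrps = []
    for row in csv.DictReader(io.StringIO(text)):
        prefix = ipaddress.ip_network(row["IP Prefix"], strict=True)
        max_length = int(row["Max Length"])
        if not prefix.prefixlen <= max_length <= prefix.max_prefixlen:
            raise ValueError(f"bad maxLength {max_length} for {prefix}")
        asn_text = row["ASN"]
        if asn_text.upper().startswith("AS"):
            asn_text = asn_text[2:]
        vrps.append(VRP(prefix, max_length, int(asn_text)))
    return vrps


def covering(vrps: List[VRP], prefix: IPNetwork) -> List[VRP]:
    """VRPs whose prefix contains the announced prefix (RFC 6811 'covered').
    maxLength plays no part here: a too-specific announcement is still
    covered, which is what makes it Invalid rather than NotFound."""
    return [v for v in vrps
            if v.prefix.version == prefix.version and prefix.subnet_of(v.prefix)]


def validate_origin(vrps: List[VRP], prefix_str: str, origin_asn: int) -> str:
    """Return 'valid', 'invalid' or 'not-found' per RFC 6811 section 2."""
    prefix = ipaddress.ip_network(prefix_str, strict=True)
    covers = covering(vrps, prefix)
    if not covers:
        return "not-found"      # no ROA speaks to this prefix at all
    for v in covers:
        if v.asn == origin_asn and prefix.prefixlen <= v.max_length:
            return "valid"      # at least one VRP matches (RFC 6811 'matched')
    return "invalid"            # covered, but wrong origin AS or too specific


def accepted_routes(vrps: List[VRP],
                    announcements: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Common operator policy: drop Invalid, keep Valid and NotFound.
    NotFound must be accepted, since many prefixes still have no ROA."""
    return [(p, a) for p, a in announcements
            if validate_origin(vrps, p, a) != "invalid"]


if __name__ == "__main__":
    vrps = load_vrps(SAMPLE_VRP_CSV)
    for p, a in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
                 ("192.0.2.0/25", 64496), ("203.0.113.0/24", 64498),
                 ("10.0.0.0/8", 64496)]:
        print(f"{p} from AS{a}: {validate_origin(vrps, p, a)}")
```

Two cases in the sample data are worth noticing. An announcement of 192.0.2.0/25 from the authorized AS64496 is Invalid, not Valid, because the ROA's maxLength is 24; a ROA with a loose maxLength would instead let a hijacker inside that AS's customer cone announce more-specifics unchallenged, which is why maxLength should be set no larger than what is actually announced. The AS0 ROA for 203.0.113.0/24 makes every announcement of that prefix Invalid, which is how a holder states that a prefix should not appear in routing at all.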
Prerequisites for Using RPKI at ARIN
In order to participate in RPKI, you will need:
- IPv4 or IPv6 resources obtained directly from ARIN
- A signed RSA or LRSA covering the resources you wish to certify
- An ARIN Online account linked to an admin, tech, or abuse Point of Contact (POC) with authority to manage the resources you wish to certify
Participating in RPKI
RPKI participation can be divided into two main areas:
- Using RPKI as a Relying Party: Obtain validated route origin information and use it to make routing decisions for your network. You need to download the ARIN Trust Anchor Locator (TAL) and configure it in an RPKI validator, which then fetches and verifies ARIN's repository and feeds the results to your routers.
- Providing Certification for Your Resources: Certify that you have authority over routes that originate from your resources by obtaining resource certificates and creating Route Origin Authorizations (ROAs).
Certifying Your Resources
To use RPKI at ARIN to certify your resources, you need to do the following:
- Create an ARIN Online account.
- Set up a test account on the OT&E Server. (This is optional, but recommended.)
- Decide which model of RPKI you’ll use, and follow the instructions provided on the pertinent page to create the necessary files and configure RPKI in ARIN Online.
Hosted RPKI: With hosted RPKI, ARIN hosts the Certificate Authority (CA) on your behalf and signs all Route Origin Authorizations (ROAs) for resources within the ARIN region.
Delegated RPKI: With delegated RPKI, ARIN direct resource holders request their own delegated resource certificates and run their own Certificate Authority (CA), signing and publishing their own ROAs.
Additional RPKI Information
More information about RPKI is available at the following URLs (external to ARIN):