Delegated RPKI

Overview

Delegated RPKI is an infrastructure in which ARIN direct resource holders may request their own delegated resource certificates, allowing them to host their own Certificate Authority (CA). Using their CA, delegated RPKI participants may then sign Route Origin Authorizations (ROAs) and issue resource certificates for their customers. This hierarchical system widens the availability of RPKI by allowing customers of direct ARIN resource holders to participate using their resource provider as a CA.

This hierarchy of resource certificates is validated from the top down, beginning with the nominated Trust Anchor. ARIN is the Trust Anchor for RPKI in its region. ARIN’s RPKI repository holds a certificate for each organization participating in delegated RPKI. In turn, each delegated RPKI participant’s repository will hold a resource certificate for each customer participating in delegated RPKI through them. By following this chain, any resource certificate may be located and validated.

Note: ARIN has invested significant resources in the development of RPKI, and plans to continually evolve the service, including the migration to a single global Trust Anchor (TA).

With delegated RPKI, you must operate your own infrastructure to host a Certificate Authority and an RPKI repository. You can, in turn, offer either hosted or delegated RPKI to your customers. With delegated RPKI, you are responsible for the cryptographic verification of certificate requests and ROAs. ARIN’s Delegated RPKI service uses the Up/Down RPKI provisioning protocol (RFC 6492) and supports RFC 8183 for the out-of-band setup of delegated RPKI. In this setup, organizations provide ARIN with their child request XML file when establishing the identity exchange. Delegated RPKI users are responsible for maintaining their own RPKI repository.

ARIN’s RPKI service supports the RPKI Repository Delta Protocol (RRDP, RFC 8182), so repositories that you host and publish over RRDP are supported.

Prerequisites for Delegated RPKI

Before signing up, you must have:

  • IPv4 or IPv6 resources obtained directly from ARIN
  • A signed RSA or LRSA covering the resources you wish to certify
  • An ARIN Online account linked to an admin or tech Point of Contact (POC) with authority to manage the resources you wish to certify
  • Software and hardware infrastructure on which to host a CA and keep it highly available
  • An Up/Down Identity (created with software that supports Delegated RPKI; additional information is given in the following section)

Configuring Delegated RPKI

  1. Obtain software that supports Delegated RPKI, such as Krill or Dragon Research Lab’s RPKI Toolkit.
  2. Set up the CA in your software.
  3. Use your RPKI software to generate a child request XML file, which contains your up/down identity information. (This file replaces the older identity.xml file, but references to identity.xml may still exist in software and documentation.) If your child request file carries the optional tag attribute, ARIN returns the same tag in the parent response XML file.

The child request XML file contains the Base CA Repository URI that matches the location of your RPKI repository, which allows ARIN to reference it. This file will be uploaded to ARIN.

If you are using Krill to generate your child request XML file, do not select the “ARIN Compatible” option.

After performing the previous steps, log in to ARIN Online and:

  1. Select Your Records > Organization Identifiers from the navigation menu.
  2. Choose the organization for which you want to configure RPKI.
  3. Choose Actions and select Manage RPKI. (Note: If you do not see this option, ensure that you meet the requirements for participation).
  4. Choose Configure Delegated.
  5. Read and agree to the RPKI Terms of Service. (Note: Not required for resources covered by an RSA version 12 or greater.)
  6. Browse to select your Child Request XML file (as described in RFC 8183) and choose Submit. A ticketed request is generated for ARIN to sign up your organization for Delegated RPKI. Upon approval of your request, your ticket will be updated to include the Parent Response XML file as an attachment. You will need to import this Parent Response XML file into your RPKI software (for example, Krill) when configuring your Delegated RPKI.
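As an added example, not code from ARIN or from Krill, the following Python script parses a child request and parent response of the shape RFC 8183 defines and performs the checks an operator should run before importing the parent response into their CA software: the response names the same child handle, the tag is echoed, the up/down service URI is HTTPS, and each BPKI trust anchor decodes to one complete DER object. The XML documents, handles, service URI and trust-anchor bytes are constructed placeholders.

```python
# Added example, not ARIN or Krill code. The XML, handles, service URI and BPKI
# trust-anchor bytes are constructed placeholders; a real *_bpki_ta element holds
# a DER-encoded self-signed X.509 certificate.
import base64
import xml.etree.ElementTree as ET  # does not fetch external entities; use defusedxml for untrusted input
from dataclasses import dataclass
from typing import List, Optional

RPKI_SETUP_NS = "http://www.hactrn.net/uris/rpki/rpki-setup/"  # namespace fixed by RFC 8183

# Stand-in for a DER certificate: one outer SEQUENCE (0x30) with a 256-byte body.
FAKE_BPKI_TA_B64 = base64.b64encode(b"\x30\x82\x01\x00" + b"\x00" * 256).decode()

CHILD_REQUEST_XML = f"""<child_request xmlns="{RPKI_SETUP_NS}" version="1"
    child_handle="example-org" tag="req-2024-01">
  <child_bpki_ta>{FAKE_BPKI_TA_B64}</child_bpki_ta>
</child_request>"""

PARENT_RESPONSE_XML = f"""<parent_response xmlns="{RPKI_SETUP_NS}" version="1"
    service_uri="https://rpki.example.net/up-down/example-org"
    child_handle="example-org" parent_handle="example-parent" tag="req-2024-01">
  <parent_bpki_ta>{FAKE_BPKI_TA_B64}</parent_bpki_ta>
  <offer/>
</parent_response>"""


@dataclass
class ChildRequest:
    child_handle: str
    tag: Optional[str]
    bpki_ta: bytes


@dataclass
class ParentResponse:
    child_handle: str
    parent_handle: str
    tag: Optional[str]
    service_uri: str
    bpki_ta: bytes


def decode_bpki_ta(b64_text: str) -> bytes:
    """Base64-decode a *_bpki_ta body and check it is exactly one DER SEQUENCE."""
    der = base64.b64decode("".join(b64_text.split()), validate=True)
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("BPKI TA is not a DER SEQUENCE (expected an X.509 certificate)")
    first = der[1]
    if first < 0x80:                      # short-form length
        header, body = 2, first
    else:                                 # long-form length: 0x8N followed by N length bytes
        n = first & 0x7F
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + body != len(der):
        raise ValueError("DER length does not match the decoded certificate size")
    return der


def _root(xml_text: str, element: str) -> ET.Element:
    """Parse and confirm the document is the expected RFC 8183 element, version 1."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{RPKI_SETUP_NS}}}{element}":
        raise ValueError(f"expected <{element}> in the RFC 8183 namespace, got {root.tag}")
    if root.get("version") != "1":
        raise ValueError(f"unsupported rpki-setup version {root.get('version')!r}")
    return root


def _child_text(root: ET.Element, element: str) -> str:
    node = root.find(f"{{{RPKI_SETUP_NS}}}{element}")
    if node is None or not (node.text or "").strip():
        raise ValueError(f"missing <{element}>")
    return node.text


def parse_child_request(xml_text: str) -> ChildRequest:
    root = _root(xml_text, "child_request")
    return ChildRequest(root.attrib["child_handle"], root.get("tag"),
                        decode_bpki_ta(_child_text(root, "child_bpki_ta")))


def parse_parent_response(xml_text: str) -> ParentResponse:
    root = _root(xml_text, "parent_response")
    return ParentResponse(root.attrib["child_handle"], root.attrib["parent_handle"],
                          root.get("tag"), root.attrib["service_uri"],
                          decode_bpki_ta(_child_text(root, "parent_bpki_ta")))


def check_exchange(req: ChildRequest, resp: ParentResponse) -> List[str]:
    """Return the inconsistencies a child should refuse to configure with (empty if none)."""
    problems = []
    if resp.child_handle != req.child_handle:
        problems.append(f"child_handle mismatch: sent {req.child_handle!r}, got {resp.child_handle!r}")
    if req.tag is not None and resp.tag != req.tag:
        problems.append(f"tag not echoed: sent {req.tag!r}, got {resp.tag!r}")
    if not resp.service_uri.startswith("https://"):  # assumes the up/down endpoint is served over HTTPS
        problems.append(f"service_uri is not https: {resp.service_uri}")
    return problems


if __name__ == "__main__":
    request = parse_child_request(CHILD_REQUEST_XML)
    response = parse_parent_response(PARENT_RESPONSE_XML)
    print("child:", request.child_handle, "parent:", response.parent_handle, "service:", response.service_uri)
    print("problems:", check_exchange(request, response) or "none")
```

To run it on a real pair, replace the two XML constants with the file contents; the script uses only the standard library, and for XML from an untrusted source the parser should be swapped for defusedxml.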

Next Steps

Once you have received a delegated resource certificate, you will need to perform the following steps.

1. Create an RPKI repository in which to host resource certificates and ROAs. The repository also needs to include the following:

  • A CRL and manifest signed with the private key that corresponds to the public key you provided to ARIN. In the context of Public Key Infrastructures (PKIs), a CRL is a list of resource certificates that have been revoked and must not be relied upon. ARIN publishes its CRL for hosted RPKI within its RPKI repository every 24 hours. A CRL is always issued by the Certificate Authority (CA) that issued the corresponding certificates, so a delegated RPKI participant must publish its own CRL inside the repository at the Base CA Repository URI it provided to ARIN. When you provided your Base CA Repository URI in your Child Request file, ARIN set the CA Repository URI of your resource certificate by combining that Base CA Repository URI with the distinguished name of your resource certificate. For example, assume you specified a Base CA Repository URI of rsync://rpki.example.com/repository/ and your resource certificate has a distinguished name of aaa-bbb-ccc. Your CA Repository URI is rsync://rpki.example.com/repository/aaa-bbb-ccc/. Effectively, you will need to publish a CRL at rsync://rpki.example.com/repository/aaa-bbb-ccc/aaa-bbb-ccc.crl and a manifest at rsync://rpki.example.com/repository/aaa-bbb-ccc/aaa-bbb-ccc.mft, and keep both current: relying parties reject the objects under a publication point whose manifest or CRL is missing, stale, or fails to verify.

  • A Certification Practice Statement (see RFC 7382 for a template).

2. Use the Up/Down protocol to submit a Certificate Signing Request (CSR) that carries your repository location information (the Subject Information Access extension pointing at your CA Repository URI and manifest). ARIN will then publish a signed certificate covering your ARIN-issued resources.

3. Ensure your repository is highly available.

4. (Optional) Test your RPKI service using the Operational Test and Evaluation (OT&E) Environment. ARIN has created an RPKI instance within its OT&E environment for those wishing to experiment with RPKI without affecting production data. For more information, see the OT&E page.
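As an added example (not an ARIN tool), the following Python script applies the naming rule from step 1 above to derive the CA Repository, CRL and manifest URIs from a Base CA Repository URI and certificate distinguished name, then checks a repository listing for the required objects. The listing is a constructed stand-in for `rsync --list-only` output, the host name and distinguished name are the placeholders used above, and rejecting a distinguished name that contains a path separator is an added safety check, since the name becomes a directory component under your repository.

```python
# Added example, not ARIN tooling. Host name, DN and the rsync listing are
# constructed placeholders; feed parse_rsync_listing() the real output of
# `rsync --list-only <CA Repository URI>` to check a live publication point.
from typing import Dict, List, Set
from urllib.parse import urlsplit


def derive_publication_point(base_ca_repository_uri: str, cert_dn: str) -> Dict[str, str]:
    """CA Repository URI = Base CA Repository URI + DN + '/'; the CRL and manifest
    live inside it and are named after the DN (the naming rule described above)."""
    parts = urlsplit(base_ca_repository_uri)
    if parts.scheme != "rsync":
        raise ValueError("Base CA Repository URI must use the rsync scheme")
    if not parts.path.endswith("/"):
        raise ValueError("Base CA Repository URI must end with '/' (it names a directory)")
    # Added safety check: the DN becomes a path component, so it must not escape the directory.
    if not cert_dn or "/" in cert_dn or cert_dn in (".", ".."):
        raise ValueError("certificate DN must be a single safe path component")
    ca_repo = f"{base_ca_repository_uri}{cert_dn}/"
    return {
        "ca_repository": ca_repo,
        "crl": f"{ca_repo}{cert_dn}.crl",
        "manifest": f"{ca_repo}{cert_dn}.mft",
    }


def parse_rsync_listing(text: str) -> Set[str]:
    """Collect regular-file names from `rsync --list-only` output
    (columns: permissions, size, date, time, name)."""
    names = set()
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) == 5 and fields[0].startswith("-"):  # skip directories and symlinks
            names.add(fields[4])
    return names


def missing_objects(pub: Dict[str, str], published: Set[str]) -> List[str]:
    """Names of the required objects (CRL and manifest) absent from the listing."""
    required = [pub["crl"].rsplit("/", 1)[1], pub["manifest"].rsplit("/", 1)[1]]
    return [name for name in required if name not in published]


# Constructed listing: what rsync might print for a publication point whose
# manifest has not been published yet.
SAMPLE_LISTING = """\
drwxr-xr-x          4,096 2024/01/15 10:00:00 .
-rw-r--r--            612 2024/01/15 10:00:00 aaa-bbb-ccc.crl
-rw-r--r--          1,498 2024/01/15 10:00:00 customer-1.cer
-rw-r--r--          1,853 2024/01/15 10:00:00 AS64496-prefixes.roa
"""

if __name__ == "__main__":
    pub = derive_publication_point("rsync://rpki.example.com/repository/", "aaa-bbb-ccc")
    for kind, uri in pub.items():
        print(f"{kind:14} {uri}")
    print("missing:", missing_objects(pub, parse_rsync_listing(SAMPLE_LISTING)))
```

Run against the live repository, the same check belongs in monitoring: an empty result from missing_objects confirms the objects are present, but the CRL and manifest must also be re-signed before their next-update times, which this listing check does not cover.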

Additional Information

For additional information on RPKI, including delegated RPKI, visit the following resources: