Delegated RPKI

Overview

Delegated RPKI is an infrastructure in which an RIR’s direct resource holders may request their own delegated resource certificates and host their own Certificate Authority (CA). Using their CA, Delegated RPKI participants may then sign Route Origin Authorizations (ROAs) and issue resource certificates for their customers. This hierarchy of resource certificates is validated from the top down, beginning with the nominated Trust Anchor. ARIN is the nominated Trust Anchor for RPKI in its region. ARIN’s RPKI repository holds a certificate for each organization participating in its Delegated RPKI service. In turn, each Delegated RPKI participant’s repository holds a resource certificate for any downstream organization participating in Delegated RPKI through them. By following this chain, any resource certificate may be located and validated. Delegated RPKI widens the availability of RPKI by allowing organizations that hold resources directly from ARIN under a signed agreement to serve as the CA for their customers.

ARIN has invested significant resources in the development of RPKI, and plans to continually evolve the service, including the migration to a single global Trust Anchor (TA).

All organizations running Delegated RPKI are responsible for maintaining their own CA. Hosting the CA allows an organization to offer either hosted or delegated RPKI to their downstream customers, and it makes the organization responsible for the cryptographic verification of their customers’ certificate requests and ROAs. ARIN’s Delegated RPKI service uses the RPKI provisioning (Up/Down) protocol defined in RFC 6492 and supports the out-of-band setup exchange defined in RFC 8183. In this out-of-band setup, organizations provide ARIN with their Child Request XML file when establishing the identity exchange for Delegated RPKI.

Additionally, organizations running Delegated RPKI are responsible for ensuring their resource certificates and ROAs are available to other entities. Publication of repositories can be done in-house or by using ARIN’s publication service.

ARIN’s RPKI service supports the RPKI Repository Delta Protocol (RRDP), so a repository published through it can be fetched over RRDP in addition to rsync.

To make your RPKI object repository available to the public (particularly network operators), you will need to publish your repository on a publication server. You can run your own publication server or use ARIN’s publication service. Some CA packages, such as Krill, facilitate running your own publication server. However, as stated on the Krill website, “It is highly recommended to use an RPKI publication server provided by your parent CA, if available. This relieves you of the responsibility to keep a public rsync and web server available at all times.” Krill is a free, open-source RPKI daemon written by NLnet Labs that features a CA and publication server and is recommended for organizations that want to use the ARIN Publication Service for Delegated RPKI.

Prerequisites for Delegated RPKI

Before signing up, you must have:

  • IPv4 or IPv6 resources obtained directly from ARIN and covered by a signed RSA/LRSA
  • An ARIN Online account linked to an Admin, Tech, or Routing Point of Contact with authority to manage those resources
  • An Up/Down Identity (created with software that supports Delegated RPKI; additional information is given below)
  • A software/hardware infrastructure in which to host a CA
  • A software/hardware infrastructure in which to host a highly available publication server OR intent to use ARIN’s publication service, the ARIN Publication Service for Delegated RPKI

Configuring Delegated RPKI

Before configuring Delegated RPKI, you must obtain software that supports Delegated RPKI, such as Krill or Dragon Research Lab’s RPKI Toolkit.

Confirm that you can reach the RPKI set-up screens in ARIN Online. Log in to ARIN Online and:

  1. Select Your Records > Organization Identifiers from the navigation menu.
  2. Choose the organization for which you want to configure RPKI.
  3. Choose Actions and select Manage RPKI. (Note: If you do not see this option, ensure that you meet the requirements for participation).
  4. Choose Configure Delegated.
  5. Read and agree to the RPKI Terms of Service. (Note: Not required for resources covered by an RSA version 12 or greater.)
  6. You are now on the “Request Enrollment in Delegated RPKI” screen. Keep this browser window/tab open and continue the next steps in a new window/tab, as you’ll need to come back here to complete the process.

It is optional, but recommended, that you first go through all the configuration steps using your ARIN Online account on the OT&E Server.

The following instructions were developed using Krill v0.9.2.

Install Delegated RPKI Software and Create the CA

  1. Install Krill following the instructions on the Krill website.
  2. Create your Certificate Authority (CA): set the CA Handle for your organization. Using your ARIN Org ID (the unique identifier for your organization in ARIN’s database, also known as the Org Handle) as the CA Handle is recommended. Choose Create CA.


Connect your CA to ARIN with the Child Request XML

  1. Open the Krill software.
  2. Choose the Parents tab to get the generated Child Request XML containing your up/down identity information. (The Child Request XML replaces the older identity.xml file; references to identity.xml may still exist in ARIN software and documentation.) The Child Request XML file contains the Base CA Repository URI that matches the location of your RPKI repository, which allows ARIN to reference it.

    Note: If you are running your own publication server, ARIN combines the Base CA Repository URI in your Child Request file with the distinguished name of your resource certificate to form your CA Repository URI. For example, assume you specified a Base CA Repository URI of rsync://rpki.example.com/repository/ and your resource certificate has a distinguished name of aaa-bbb-ccc. Your CA Repository URI is then rsync://rpki.example.com/repository/aaa-bbb-ccc/. In that case you must publish a CRL at rsync://rpki.example.com/repository/aaa-bbb-ccc/aaa-bbb-ccc.crl and a manifest at rsync://rpki.example.com/repository/aaa-bbb-ccc/aaa-bbb-ccc.mft, and both must be reachable at those locations before relying parties can validate anything below your certificate.

  3. Copy the Child Request XML. You will need to paste this XML in ARIN Online.
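The derivation in the note above is easy to get wrong by hand (a missing trailing slash on the base URI silently produces rsync://rpki.example.com/repositoryaaa-bbb-ccc/). The helper below, an added example that is not ARIN’s or Krill’s code, normalizes a Base CA Repository URI and returns the CA Repository, CRL and manifest URIs that must exist on your publication server. The character set it accepts for the appended name is an assumption taken from the handle pattern in the RFC 6492/8183 schema, minus the slash.

```python
import re
from urllib.parse import urlsplit

# Assumption: the name ARIN appends to the base URI uses the handle alphabet
# from the RFC 6492/8183 schema ([-_A-Za-z0-9], up to 255 chars), without "/"
# so that it maps to exactly one directory level.
_HANDLE_RE = re.compile(r"^[-_A-Za-z0-9]{1,255}$")


def normalize_base_uri(base_uri: str) -> str:
    """Validate a Base CA Repository URI and return it with exactly one trailing slash."""
    parts = urlsplit(base_uri)
    if parts.scheme != "rsync":
        raise ValueError(f"base URI must use the rsync scheme, got {parts.scheme!r}")
    if not parts.netloc:
        raise ValueError("base URI has no host")
    if parts.query or parts.fragment:
        raise ValueError("base URI must not carry a query string or fragment")
    # Collapse any number of trailing slashes (including none) to exactly one.
    path = parts.path.rstrip("/") + "/"
    return f"rsync://{parts.netloc}{path}"


def repository_objects(base_uri: str, handle: str) -> dict:
    """Return the CA repository URI plus the CRL and manifest URIs derived from it."""
    if not _HANDLE_RE.match(handle):
        raise ValueError(f"invalid name {handle!r}")
    ca_uri = normalize_base_uri(base_uri) + handle + "/"
    return {
        "ca_repository": ca_uri,
        "crl": f"{ca_uri}{handle}.crl",
        "manifest": f"{ca_uri}{handle}.mft",
    }


if __name__ == "__main__":
    # Constructed input matching the example in the note above.
    for name, uri in repository_objects("rsync://rpki.example.com/repository", "aaa-bbb-ccc").items():
        print(f"{name:14} {uri}")
```

Run it with the exact string you put in the Child Request XML; if it raises, fix the URI before submitting the request rather than after ARIN has issued your certificate.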

Provide the Child Request XML to ARIN

After you’ve generated and copied your Child Request XML:

  1. In the appropriate browser window/tab, ensure you’re still logged into ARIN Online and on the same “Request Enrollment in Delegated RPKI” screen as you were at the beginning.
  2. Paste the Child Request XML you previously copied, and choose Submit. (The Child Request XML replaces the older identity.xml file; references to identity.xml may still exist in ARIN software and documentation.)
  3. After providing your Child Request, a ticketed request is generated. This request requires approval by ARIN staff. Upon approval, the ticket will be updated and will include the Parent Response XML file as an attachment.
  4. Download this Parent Response XML file.

Upload the Parent Response XML File to Krill

  1. Open Krill and choose the Parents tab.
  2. Drag and drop the Parent Response XML file you received from ARIN (or click to upload) or open the file to copy the XML and paste it in the appropriate section.
  3. Choose Confirm.
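Both halves of this exchange are RFC 8183 XML documents, and Krill will refuse a Parent Response whose child_handle does not match the handle in the Child Request it issued. The script below, an added example rather than code from ARIN or Krill, parses constructed examples of both messages and reports the mismatches a practitioner should look for before uploading the response. The handles, the service_uri and the base64 BPKI TA blobs are placeholders (the blobs decode to a minimal DER SEQUENCE, not a real certificate), so the only structural check on them is that they decode and start like DER.

```python
import base64
import xml.etree.ElementTree as ET

NS = "http://www.hactrn.net/uris/rpki/rpki-setup/"  # RFC 8183 namespace

# Constructed sample messages; handles, URI and BPKI blobs are placeholders.
CHILD_REQUEST = """<child_request xmlns="http://www.hactrn.net/uris/rpki/rpki-setup/"
    version="1" child_handle="EXAMPLE-ORG">
  <child_bpki_ta>MAMCAQE=</child_bpki_ta>
</child_request>"""

PARENT_RESPONSE = """<parent_response xmlns="http://www.hactrn.net/uris/rpki/rpki-setup/"
    version="1" service_uri="https://rpki.example.net/rfc6492/EXAMPLE-ORG"
    child_handle="EXAMPLE-ORG" parent_handle="EXAMPLE-PARENT">
  <parent_bpki_ta>MAMCAQE=</parent_bpki_ta>
</parent_response>"""


def _decode_bpki_ta(text: str) -> bytes:
    """Base64-decode a BPKI TA element and require a DER SEQUENCE (0x30) start."""
    der = base64.b64decode("".join(text.split()), validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("BPKI TA does not look like a DER-encoded certificate")
    return der


def _parse(xml_text: str, root_name: str, ta_name: str, attrs: list) -> dict:
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS}}}{root_name}":
        raise ValueError(f"expected <{root_name}> in the RFC 8183 namespace, got {root.tag}")
    if root.get("version") != "1":
        raise ValueError(f"unsupported version {root.get('version')!r}")
    out = {}
    for name in attrs:
        value = root.get(name)
        if not value:
            raise ValueError(f"<{root_name}> is missing the {name} attribute")
        out[name] = value
    ta = root.find(f"{{{NS}}}{ta_name}")
    if ta is None or not ta.text:
        raise ValueError(f"<{root_name}> is missing <{ta_name}>")
    out["bpki_ta"] = _decode_bpki_ta(ta.text)
    return out


def parse_child_request(xml_text: str) -> dict:
    return _parse(xml_text, "child_request", "child_bpki_ta", ["child_handle"])


def parse_parent_response(xml_text: str) -> dict:
    return _parse(xml_text, "parent_response", "parent_bpki_ta",
                  ["child_handle", "parent_handle", "service_uri"])


def check_parent_response(request: dict, response: dict) -> list:
    """Return a list of problems; an empty list means the response matches the request."""
    problems = []
    if response["child_handle"] != request["child_handle"]:
        problems.append(f"child_handle mismatch: request {request['child_handle']!r}, "
                        f"response {response['child_handle']!r}")
    if not response["service_uri"].startswith("https://"):
        problems.append(f"service_uri is not https: {response['service_uri']!r}")
    if response["bpki_ta"] == request["bpki_ta"]:
        # The parent's BPKI TA is the parent's own identity; it must not be ours.
        problems.append("parent_bpki_ta is identical to our own child_bpki_ta")
    return problems


if __name__ == "__main__":
    req = parse_child_request(CHILD_REQUEST)
    resp = parse_parent_response(PARENT_RESPONSE)
    for p in check_parent_response(req, resp):
        print("PROBLEM:", p)
```

Note that on the constructed samples the two BPKI blobs are intentionally identical, so the script reports that one problem; with real files the check catches a response pasted into the wrong CA.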

Configure a Publication Server

To ensure that your ROAs and certificate are published and available to other entities, publish your RPKI repository. Choose one of the following options.

Run Your own Publication Server

If you choose this option, you must ensure that your repository is highly available. You must also publish your own CRL (Certificate Revocation List) and manifest. Provide the location of your server (known as a Production URI; in Krill this is the Base CA Repository URI) to ARIN in your Child Request XML file (refer to Connect your CA to ARIN with the Child Request XML above).

Configure ROAs

After you have received a delegated resource certificate from ARIN, you (or organizations under you whose resources you are certifying) will use a Certificate Authority (CA) package such as Krill to create ROAs. ROAs are stored in the RPKI repository along with a CRL (Certificate Revocation List) and a manifest that lists the current objects. A CRL is a list of resource certificates that have been revoked and should not be relied upon. A CRL is always issued by the CA that issued the corresponding certificates. The publication server (either yours or ARIN’s, if you are using the ARIN Publication Service for Delegated RPKI) will provide these objects to requesting entities.
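What a ROA actually authorizes is easy to misjudge when deciding which ones to create, in particular the effect of the maxLength field. The following added example (not ARIN’s or Krill’s code, and going beyond the page, which only describes where ROAs are stored) implements route origin validation as relying parties apply it per RFC 6811 over a constructed set of ROAs: an announcement is "valid" if some covering ROA lists its origin AS and its prefix length does not exceed that ROA’s maxLength, "invalid" if ROAs cover the prefix but none matches, and "notfound" if no ROA covers it. The ROAs, prefixes and AS numbers are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """One ROA entry: prefix, maximum announced length, authorized origin AS."""
    prefix: ipaddress._BaseNetwork
    max_length: int
    asn: int

    def __post_init__(self):
        # A ROA cannot authorize something shorter than its own prefix.
        if not self.prefix.prefixlen <= self.max_length <= self.prefix.max_prefixlen:
            raise ValueError(f"maxLength {self.max_length} out of range for {self.prefix}")


def roa(prefix: str, max_length: int, asn: int) -> Roa:
    return Roa(ipaddress.ip_network(prefix, strict=True), max_length, asn)


def validate_origin(announced: str, origin_asn: int, roas) -> str:
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(announced, strict=True)
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "notfound"
    for r in covering:
        # AS 0 ROAs never match a real origin, so they render covered prefixes invalid.
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


# Constructed ROA set, as a delegated CA might publish for a customer.
SAMPLE_ROAS = [
    roa("192.0.2.0/24", 24, 64496),        # exactly /24 from AS64496
    roa("198.51.100.0/24", 26, 64496),     # /24 through /26 from AS64496
    roa("203.0.113.0/24", 24, 0),          # AS 0: nobody may originate this
    roa("2001:db8::/32", 48, 64496),       # /32 through /48 from AS64496
]


if __name__ == "__main__":
    for announced, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                           ("198.51.100.128/25", 64496), ("203.0.113.0/24", 64497),
                           ("2001:db8:1::/48", 64496), ("192.0.2.0/24", 64497),
                           ("10.0.0.0/8", 64496)]:
        print(f"{announced:22} AS{asn}: {validate_origin(announced, asn, SAMPLE_ROAS)}")
```

The practical caveat this makes visible: a ROA with maxLength larger than the prefix length authorizes every more-specific announcement up to that length from the named AS, so issuing 198.51.100.0/24 with maxLength 26 lets anyone who can inject a route with origin AS64496 announce a /26 that will validate. Issue ROAs only for the lengths you actually announce.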

Test Your RPKI Service

(Optional, but recommended) Test your RPKI service using the Operational Test and Evaluation Environment (OT&E). ARIN has created an RPKI instance within its OT&E environment for those wishing to experiment with RPKI without affecting production data. For more information, see the OT&E page.

Additional Information

For additional information on RPKI, including delegated RPKI, visit the following resources: