Delegated RPKI is an infrastructure in which ARIN direct resource holders may request their own delegated resource certificates, allowing them to host their own Certificate Authority (CA). Using their CA, delegated RPKI participants may then sign Route Origin Authorizations (ROAs) and issue resource certificates for their customers. This hierarchical system widens the availability of RPKI by allowing customers of direct ARIN resource holders to participate using their resource provider as a CA.
This hierarchy of resource certificates is validated from the top down, beginning with the nominated Trust Anchor. ARIN is the Trust Anchor for RPKI in its region. ARIN’s RPKI repository holds a certificate for each organization participating in delegated RPKI. In turn, each delegated RPKI participant’s repository will hold a resource certificate for each customer participating in delegated RPKI through them. By following this chain, any resource certificate may be located and validated.
Note: ARIN has invested significant resources in the development of RPKI, and plans to continually evolve the service, including the migration to a single global Trust Anchor (TA).
Prerequisites for Delegated RPKI
With delegated RPKI, you must have your own infrastructure to host a certificate authority and RPKI repository. You can, in turn, offer either hosted or delegated RPKI resources to your customers. With delegated RPKI, you are responsible for cryptographic verification of certificate requests and ROAs. ARIN also supports Up/Down RPKI, an alternative delegated RPKI provisioning interface, in which users provide ARIN with an RFC 6492 identity XML and use the up/down protocol to provision their resource certificates. Up/down RPKI users are still responsible for maintaining their own RPKI repository.
Before signing up, you must have:
- IPv4 or IPv6 resources obtained directly from ARIN
- A signed RSA or LRSA covering the resources you wish to certify
- An ARIN Online account linked to an admin or tech Point of Contact (POC) with authority to manage the resources you wish to certify
- An Up/Down identity
Once you become a participant, you must:
- Exchange your public key associated with your delegated RPKI private key with ARIN via ARIN Online
- Create a software and hardware infrastructure in which to host a CA
- Perform all work required for maintaining a CA and publishing a Certificate Practice Statement
- Create an RPKI repository in which to host resource certificates and ROAs, as well as a manifest and Certificate Revocation List (CRL)
Overview of Configuration Steps
- Create an ARIN Online account.
- Set up a test account on the OT&E Server. (This is optional, but recommended.)
- Create a Delegated RPKI Key Pair.
- Submit an Up/Down Request using ARIN Online.
- Submit Route Origin Authorizations (ROAs) in ARIN Online.
Using the Operational Test and Evaluation (OT&E) Environment
ARIN has created an RPKI instance within its Operational Test and Evaluation environment (OT&E) for those wishing to experiment with RPKI without affecting production data. For more information, see the OT&E page.
Understanding Delegated RPKI Key Pairs
The term “key pair” refers to the two separate pieces of data (a public key and a private key) created using public key cryptography, a system used to secure data. As a delegated RPKI participant, you will generate and use a delegated RPKI key pair for two purposes. The public key of this key pair will be given to ARIN when requesting a resource certificate from ARIN. The private key of this key pair will be used to sign the manifest and CRL within the RPKI repository you create. For ARIN Online users with authority over multiple organizations and their resources, it is highly recommended to use a separate delegated RPKI key pair for each organization.
Understanding Public Keys
A public key is the part of a key pair that may be distributed safely to others. It is mathematically paired with the private key that was generated alongside it. This key is provided to ARIN when the user signs up to participate in RPKI, and is used to cryptographically verify Route Origin Authorization (ROA) Requests which have been signed by the corresponding private key.
Understanding Private Keys
A private key is the part of the key pair that must be securely stored, and must not be distributed. RPKI participants use private keys to sign Route Origin Authorization (ROA) requests. When a block of data is signed using a resource holder’s private key, their public key can be used to verify that data.
Note: Private keys must be kept private, and must not be shared with anyone outside your organization. Should another entity have access to your private key, that entity would be able to effectively represent itself as your organization, voiding the security RPKI is designed to maintain.
IF YOUR PRIVATE KEY IS LOST OR COMPROMISED, YOU MUST START THE RESOURCE CERTIFICATION PROCESS AGAIN.
Configuring Delegated RPKI in ARIN Online
Configuring an Up/Down Identity
Before configuring delegated RPKI in ARIN Online, you must configure an up/down identity and create an Identity XML file using your own delegated RPKI software. The up/down information is used when you submit your up/down request using ARIN Online.
Generating a Delegated RPKI Key Pair
You also need to generate a delegated RPKI key pair to use when signing resources submitted to ARIN. A delegated RPKI key pair can be generated in multiple ways. A recommended method is through OpenSSL using the following commands:
OpenSSL> genrsa -out orgkeypair.pem 2048
This command generates a ROA Request Generation key pair and saves it as a file named orgkeypair.pem.
OpenSSL> rsa -in orgkeypair.pem -pubout -outform PEM -out org_pubkey.pem
This command extracts the public key from the ROA Request Generation key pair and writes it to a file named org_pubkey.pem.
Your key pair is now in a file called orgkeypair.pem, and the public key is in org_pubkey.pem. The private key contained in the key pair file is not to be shared and should be kept secure.
If using an alternate method, be sure to generate a key pair that:
- Is an RSA key pair
- Is 2048 bits in length
- Uses the public exponent F4
The public key (contents of org_pubkey.pem) will look similar to the example below:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzh/1Ws2aiqyxR0tqpkAC
tLGhQMrkYfcxYl7BzxFaSEitdsNhxqNZjAt+IB/yQ9XEKaHL87cqmZlrtEGju0Dk
QKym0onn3JXtS7S1OTRQbjWPN0k9/1HnP/R5xnQvGfaMOPm9S5If6DPr63109inX
5JXv4yNx/x8GZAT+RrhRW/I+PzmXVeSwc89LbADblpQR5x9x6173ncHUV+6UJr2M
niBl7OcFW61jbGhTQSrb9xoUli7IyAciziESE6cG2gqw0fW/ZOo7pUToPaDAPxHJ
vLq0uqtlpG5z3MpAoVibtdtuF9BF2dKHFF6TMwUKJaQ5EQZ+/iODk6CuWz6Q5iZN
GwIDAQAB
-----END PUBLIC KEY-----
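Whichever tool generates the key pair, the public key you submit should satisfy the three requirements listed above (RSA, 2048 bits, public exponent F4). The following Python check is an added example, not ARIN's code: it decodes the PEM SubjectPublicKeyInfo in org_pubkey.pem with a minimal, standard-library-only DER reader and verifies the algorithm, modulus size and exponent, here against the sample key shown on this page.

```python
import base64

# ARIN's requirements for a delegated RPKI key pair (see the list above).
REQUIRED_BITS, REQUIRED_EXPONENT = 2048, 65537          # F4 = 0x10001
RSA_OID = bytes.fromhex("06092a864886f70d010101")       # OID 1.2.840.113549.1.1.1 rsaEncryption

# The sample org_pubkey.pem shown on this page, used as test input.
SAMPLE_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzh/1Ws2aiqyxR0tqpkAC
tLGhQMrkYfcxYl7BzxFaSEitdsNhxqNZjAt+IB/yQ9XEKaHL87cqmZlrtEGju0Dk
QKym0onn3JXtS7S1OTRQbjWPN0k9/1HnP/R5xnQvGfaMOPm9S5If6DPr63109inX
5JXv4yNx/x8GZAT+RrhRW/I+PzmXVeSwc89LbADblpQR5x9x6173ncHUV+6UJr2M
niBl7OcFW61jbGhTQSrb9xoUli7IyAciziESE6cG2gqw0fW/ZOo7pUToPaDAPxHJ
vLq0uqtlpG5z3MpAoVibtdtuF9BF2dKHFF6TMwUKJaQ5EQZ+/iODk6CuWz6Q5iZN
GwIDAQAB
-----END PUBLIC KEY-----"""

def _tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def check_rpki_public_key(pem):
    """Check a PEM SubjectPublicKeyInfo against ARIN's key rules; return (ok, detail)."""
    body = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    der = base64.b64decode("".join(body))
    tag, spki, _ = _tlv(der)                            # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        return False, "not a DER SEQUENCE"
    _, alg, pos = _tlv(spki)                            # AlgorithmIdentifier ::= SEQUENCE
    if not alg.startswith(RSA_OID):
        return False, "algorithm is not rsaEncryption"
    _, bitstr, _ = _tlv(spki, pos)                      # subjectPublicKey BIT STRING
    _, rsapub, _ = _tlv(bitstr[1:])                     # drop unused-bits byte -> RSAPublicKey SEQUENCE
    _, n_bytes, pos = _tlv(rsapub)                      # modulus INTEGER
    _, e_bytes, _ = _tlv(rsapub, pos)                   # publicExponent INTEGER
    bits = int.from_bytes(n_bytes, "big").bit_length()
    exponent = int.from_bytes(e_bytes, "big")
    if bits != REQUIRED_BITS:
        return False, f"modulus is {bits} bits, expected {REQUIRED_BITS}"
    if exponent != REQUIRED_EXPONENT:
        return False, f"exponent is {exponent}, expected F4 ({REQUIRED_EXPONENT})"
    return True, f"RSA {bits}-bit key with exponent F4"

if __name__ == "__main__":
    print(check_rpki_public_key(SAMPLE_PEM))
```

To check your own key, read org_pubkey.pem into a string and pass it to check_rpki_public_key in place of SAMPLE_PEM.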
Submitting an Up/Down RPKI Request
- Log in to ARIN Online and select Your Records > Organization Identifiers from the navigation menu.
- Choose the organization for which you want to configure RPKI.
- Choose Actions and select Manage RPKI. (Note: If you do not see this option, ensure that you meet the requirements for participation).
- Choose Configure Delegated.
- Read and agree to the RPKI Terms of Service. (Note: Not required for resources covered by an RSA version 12 or greater.)
- Choose your up/down identity XML file and select Submit. This generates a ticketed request for ARIN to enroll your organization in Up/Down-managed RPKI. Once the request is approved, an Up/Down Parent Response will be available for download as an attachment to the ticketed request. You must then configure your own delegated RPKI software using this Parent Response.
After obtaining a certificate, you need to use your certificate to generate ROAs. A ROA is a cryptographically-signed object that states which Autonomous System (AS) is authorized to originate a particular prefix or set of prefixes. ROAs can only be generated for Internet number resources that are covered by your resource certificate. They are published in ARIN’s RPKI repository and used by network operators to validate routes.
Note: ROA Requests will only be accepted if signed using a private key that corresponds with a public key linked to the customer submitting the request. This is enforced by custom programming on ARIN’s HSM which may not be tampered with or altered in any way. Before submitting ROA Requests, you must sign up for RPKI and submit your public key. Once an RPKI user has successfully received a resource certificate from ARIN, ROA requests may be submitted either through ARIN Online or programmatically via REST.
Once you have received a delegated resource certificate, you will need to create a repository that includes a CRL and manifest that have been signed using the private key that corresponds with the public key you provided ARIN.
A URI is a string of characters used to identify a name or resource, allowing it to be found and interacted with over a network, such as the Internet (Example: rsync://rpki.example.com/repository/). When signing up for delegated RPKI with ARIN, you must provide a Base CA Repository URI that matches the location of your RPKI repository, which allows ARIN to reference it.
Every resource certificate has a CA Repository URI which describes where to find the delegated RPKI repository. ARIN will set the CA Repository URI of your resource certificate by combining the Base CA Repository URI you specify at request time with the distinguished name of your resource certificate.
For example, assume you specify a Base CA Repository URI of rsync://rpki.example.com/repository/ and your resource certificate has a distinguished name of aaa-bbb-ccc. Your CA Repository URI is rsync://rpki.example.com/repository/aaa-bbb-ccc/. Effectively, you will need to create a CRL at rsync://rpki.example.com/repository/aaa-bbb-ccc/aaa-bbb-ccc.crl and a manifest at
Creating a Certificate Revocation List (CRL)
In the context of Public Key Infrastructures (PKIs), a CRL is a list of resource certificates that have been revoked, and should not be relied upon. ARIN publishes its CRL for hosted RPKI within its RPKI repository every 24 hours. A CRL is always issued by the Certificate Authority (CA) which issues the corresponding certificates. A delegated RPKI participant must publish its own CRL inside the repository located at the Production URI provided to ARIN.
Internet Engineering Task Force (IETF) Requests for Comments (RFCs) Relevant to Delegated RPKI
- 3986: Uniform Resource Identifier (URI): Generic Syntax
- 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
- 6481: A Profile for Resource Certificate Repository Structure
- 6486: Manifests for the Resource Public Key Infrastructure (RPKI)
- 6492: A Protocol for Provisioning Resource Certificates