RPKI Frequently Asked Questions

What if our organization doesn’t have a public Autonomous System Number (ASN) assigned?

If your organization doesn’t have a public ASN assigned, your routing announcements are being handled by your upstream provider. You can sign up for Hosted RPKI services and create ROAs for your Internet number resources using your provider’s ASN as the Origin AS.

Does ARIN have plans to require resource holders to use RPKI?

There is no ARIN policy that requires the use of RPKI. RPKI is an opt-in feature with ARIN. However, a growing number of service providers require you to make ROAs for your resources before finalizing a business agreement.

Why am I unable to create ROAs or IRR objects for directly issued Internet number resources?

In order to use ARIN’s routing security services, Internet number resources must be covered by an ARIN Agreement. Autonomous System Numbers (ASNs) must be covered to use IRR aut-num objects.

Where can I get a full list of my resources that are ineligible for use with ARIN’s routing security services?

If applicable, an alert will be on your ARIN Online dashboard directing you to a search result restricted to your ineligible networks. Additionally, these results can be downloaded as a CSV file via the ‘Download CSV’ button on the lower right corner.

How do I bring my directly issued resources under an ARIN Agreement?

Contact ARIN Registration Services for more information.

Why am I unable to create ROAs or IRR objects for resources assigned to me by my upstream provider?

ARIN’s RPKI services only support directly issued resources. Internet number resources reassigned to you by your upstream provider without a signed ARIN Agreement on file are ineligible to use RPKI. ARIN’s IRR services are available to users with resources as long as the upstream provider at the top allocation has a signed agreement on file for those resources.

What are my options if resources reassigned to me by my upstream provider are not covered by an RSA or LRSA?

If your resources are not under an ARIN Agreement, you will need to contact your upstream provider for resolution.

How can I determine who my upstream provider is?

This info is available in the RDAP, Whois, and on Net View.

Which RPKI model is right for me?

Hosted RPKI

Hosted RPKI: Easiest to use; Recommended for most organizations just getting started with RPKI. Nearly 95% of ARIN RPKI participants use Hosted RPKI.

Delegated RPKI

Delegated RPKI: Highest responsibility and uptime requirement; Only for organizations with an in-depth knowledge of RPKI and resources to run a Certificate Authority and a publication server, or other have other individual needs.

Repository Publication Service

Repository Publication Service - also known as ‘Hybrid’ RPKI: Suggested for use if your organization wishes to keep control of the Certificate Authority but does not want to maintain a repository and run the publication server.

How do I change between a hosted and delegated RPKI deployment?

If you want to change your organization’s RPKI deployment between hosted and delegated, you must contact ARIN’s Registration Services Department for assistance.

Registration Services
Hours: 7 AM to 7 PM ET
Phone: +1.703.227.0660
Fax: +1.703.997.8844
Tips for Calling the Registration Services Help Desk
To open a ticket, visit Ask ARIN in your ARIN Online account

Resource certificates

What is the lifespan of an RPKI resource certificate?

At ARIN, RPKI resource certificates are set with a two-year lifespan, and they auto-renew after one year, which will reset the two-year lifespan.

How do I access my resource certificate once it has been generated?

Once a resource certificate has been generated for you, you may access it in your ARIN Online account.

Is the customer responsible for maintaining the certificate?

If a customer is using ARIN’s Hosted RPKI, ARIN will automatically renew the existing hosted certificate.

If a customer is using ARIN’s Delegated RPKI product, the customer is directly responsible for rolling the certificate using the UP/DOWN protocol. Their ROAs will behave similarly with respect to the renewed certificate.

Does a reroll on an RPKI certificate extend the certificate’s expiration date?

No, it only changes the resources listed on the certificate.

Route Origin Authorizations (ROAs)

If I create a new ROA, when will it be published?

When ROAs are created, they are put into the repository immediately. The ARIN repository is published every five minutes.

All of the components in the RPKI ecosystem have different timers associated with them. Users should expect it to take between 30 and 60 minutes after the ROA is generated before their ROA impacts routing on the Internet.

If I remove a ROA, will all ROAs with the same name will be removed?

No. When using the ARIN Online interface, only one ROA can be removed at a time.

The ARIN API requires a unique identifier (“ROA Handle”) to remove a ROA. Refer to the ARIN RESTful Methods documentation for additional details.

Can I create a duplicate ROA?

No. ARIN’s auto-renew process deprecated the need for duplicate ROAs. Likewise, ROAs can no longer overlap.

For example, an existing ROA containing a /16 prefix and a maxLength of a /24 will prevent the creation of another ROA with any prefix within that /16 block and the same Origin AS.

What is the lifespan of a ROA?

ARIN ROAs auto-renew every 90 days.

Note: All ROAs created using ARIN Online after the feature release on 13 May 2023 are set to auto-renew. All ROAs in the RPKI repository created using ARIN Online were converted to auto-renew.

How do I know if my ROAs are set to auto-renew?

To confirm your ROAs are set to auto-renew:

Select Routing Security in the left-hand navigation menu in ARIN Online.
Select Manage RPKI for an eligible Org ID.
Select the ROAs tab.
Select the Manage ROA button.
Confirm Auto-renewing is ‘Yes’ in the ROA Details table.

I used ARIN’s API instead of ARIN Online to create my ROAs. Will my ROAs still auto-renew?

ROAs created using the RESTful interface via Reg-RWS will auto-renew.

Can I remove multiple ROAs at the same time?

Yes, by using the RESTful API interface via Reg-RWS. This functionality is not available in the ARIN Online web interface.

Is there a limit on the number of ROAs I can create?

We have tested up to 100,000 ROAs per organization without issue.

How do I originate my resources out of multiple Autonomous Systems?

Each ROA includes exactly one Origin AS number. Additional ROAs are necessary to authorize multiple Origin ASNs.

How do I confirm that a recently acquired number resource has been added to my organization’s RPKI resource certificate?

To confirm that your number resources have been added to your RPKI certificate:

Select Routing Security from the left-hand menu on ARIN Online.
Select Manage RPKI for the net resource’s Org ID.
Select Certified Resources.

The RPKI: Certified Resources page lists all ASN and net resources covered by your organization’s RPKI certificate. If you find a resource is missing, open an Ask ARIN ticket for assistance.

How can I test RPKI without affecting my production data?

ARIN has implemented an RPKI instance within its Operational Test and Evaluation (OT&E) environment, which offers the opportunity to experiment with different facets of RPKI and ROA requests in an environment without any impact on production data.

Internet number resource transfers

I want to transfer Internet number resources currently covered under an ARIN RPKI certificate to another party. What do I need to do to prepare for this?

Upon completion of a transfer, any Internet number resources being transferred to another organization will be removed from the current ARIN RPKI certificate along with any ROAs associated with those resources. Any remaining resources will be automatically rerolled and their associated ROAs retained.

If I transfer all of my Internet number resources that are under agreement, are there any consequences?

If you transfer the entirety of your Internet number resources (all IPs and all ASNs) out of your organization, your current RPKI certificate will be removed. After your certificate is removed, any ROAs referencing those resources will be deleted from the RPKI repository. If you acquire new Internet number resources in the future, you will have to begin the process of signing up for and setting up RPKI to cover the new resources.

What information can ARIN provide in support of BYOIP services?

After consulting with Amazon Web Services (AWS), Google Cloud, Microsoft Azure, and Oracle, ARIN provides information regarding their BYOIP process as it relates to ARIN services here.

Which Internet Engineering Task Force (IETF) Requests for Comments (RFCs) relate to RPKI?

To learn more about RPKIs functions and origin, ARIN recommends reading the following RFCs:

To learn more about delegated RPKI requirements, such as URIs, manifests and CRLs, ARIN recommends reading the following RFCs:

Using ARIN’s RPKI with Bring Your Own IP Services
RPKI Best Practices and Troubleshooting
Common RPKI Terms and Definitions
RPKI Frequently Asked Questions

Learn RPKI with ARIN’s Free On-Demand Webinars

Registration Services Help Desk
7:00 AM to 7:00 PM ET
Phone: +1.703.227.0660
Fax: +1.703.997.8844

Tips for Calling the Help Desk