Common RPKI Terms and Definitions
What is a Public Key Infrastructure?
A Public Key Infrastructure (PKI) is centered around creating, managing, distributing, using, storing, and revoking digital certificates.
What is a resource?
In the context of Resource Public Key Infrastructure (RPKI), a resource is a grouping of Internet Protocol (IP) addresses or Autonomous System Numbers (ASNs) that uniquely identify a computer or a network on the Internet. Routers use these numbers much like the post office uses addresses to help route mail to recipients.
What if our organization doesn’t have a public ASN assigned?
If your organization doesn’t have a public ASN assigned, your routing announcements are being handled by your upstream provider. You can sign up for Hosted RPKI services and create ROAs for your IP resources using your provider’s ASN as the Origin AS.
What is a resource certificate?
A resource certificate is an electronic file that serves as proof that a resource has been assigned to an individual or company for their use. These certificates list a collection of Internet number resources (IPv4 addresses, IPv6 addresses, and ASNs) that are associated with a holder of those resources. Resource certificates provide a means of third-party validation of assertions related to resource allocations using proven cryptographic algorithms. These certificates contain no identifying information about who the holder of the resources is; resource holders can prove their legitimacy using their private key to sign information such as a ROA request. Relying Parties can then validate these signed objects with the corresponding public key.
What is the lifespan of an RPKI resource certificate?
At ARIN, RPKI resource certificates are set with a two-year lifespan, and they auto-renew after one year, resetting the two-year lifespan.
What is a Certificate Authority?
A Certificate Authority (CA) is an entity that issues digital certificates. ARIN currently acts as a CA for its Hosted RPKI service, issuing resource certificates for Internet number resources within the ARIN region. In Delegated RPKI, entities with IP addresses and Autonomous System Numbers assigned directly from ARIN are the CA to their customers.
What is a Resource Trust Anchor?
A Resource Trust Anchor is a self-signed digital certificate containing ARIN’s public key. This certificate is downloaded by Relying Parties wishing to retrieve information from ARIN’s RPKI repository and used to verify its validity. Before resyncing information from ARIN’s RPKI repository, a Relying Party should:
- Retrieve the object referenced by the URL contained in the Trust Anchor Locator (TAL)
- Confirm that the retrieved object is a current, self-signed RPKI certificate
- Confirm that the public key in the TAL matches the public key in the retrieved object
- Perform other checks locally, as deemed appropriate, to ensure that you are willing to accept the entity publishing this self-signed certificate to be a trust anchor
Note: This certificate is updated when ARIN’s resource set changes.
What is a Trust Anchor Locator?
In the context of RPKI, the Trust Anchor Locator (TAL) is a file used to allow Relying Parties to retrieve the data within ARIN’s RPKI validator (via rsync or RRDP) and base routing decisions upon that data. ARIN’s TAL contains two things:
- The URL of ARIN’s published RPKI repository
- ARIN’s Privacy Enhanced Mail (PEM) encoded public key
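The checks listed under the Resource Trust Anchor entry and the two TAL fields just listed, worked through as an added example; this is not ARIN's code and not any validator's, and the rsync://example.invalid URI and the self-signed certificate it produces are constructed stand-ins for ARIN's real trust anchor. The example assumes the rsync or RRDP fetch has already happened and the fetched bytes are passed in; it parses a TAL in the RFC 8630 text layout (URIs, blank line, base64 SubjectPublicKeyInfo) and then applies the self-signed, current and key-match checks to the retrieved object.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// TAL holds the two things the text says a Trust Anchor Locator carries: the
// URI(s) of the trust anchor certificate and its public key (DER SubjectPublicKeyInfo).
type TAL struct {
	URIs []string
	SPKI []byte
}

// ParseTAL reads the RFC 8630 text layout: one URI per line, a blank line,
// then the base64 SubjectPublicKeyInfo, which may be wrapped over several lines.
func ParseTAL(text string) (*TAL, error) {
	tal, inKey := &TAL{}, false
	var b64 strings.Builder
	for _, ln := range strings.Split(text, "\n") {
		ln = strings.TrimSpace(ln)
		switch {
		case inKey:
			b64.WriteString(ln)
		case ln == "":
			inKey = true
		default:
			tal.URIs = append(tal.URIs, ln)
		}
	}
	if len(tal.URIs) == 0 {
		return nil, errors.New("TAL lists no URI")
	}
	der, err := base64.StdEncoding.DecodeString(b64.String())
	if err != nil {
		return nil, fmt.Errorf("TAL key is not valid base64: %w", err)
	}
	tal.SPKI = der
	return tal, nil
}

// CheckTrustAnchor applies the checks listed in the text to the object fetched
// from the TAL URI: it must parse as a certificate, be self-signed by a CA key,
// be current at time now, and carry exactly the public key the TAL names.
func CheckTrustAnchor(tal *TAL, fetched []byte, now time.Time) error {
	cert, err := x509.ParseCertificate(fetched)
	if err != nil {
		return fmt.Errorf("retrieved object is not an X.509 certificate: %w", err)
	}
	if err := cert.CheckSignatureFrom(cert); err != nil { // its own key must verify its signature
		return fmt.Errorf("retrieved certificate is not self-signed: %w", err)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("retrieved certificate is not current at %s", now.Format(time.RFC3339))
	}
	if !bytes.Equal(cert.RawSubjectPublicKeyInfo, tal.SPKI) {
		return errors.New("public key in TAL does not match public key in retrieved certificate")
	}
	return nil
}

// newSelfSignedCA builds a constructed self-signed CA certificate that stands in
// for a trust anchor (it is not ARIN's); its two-year validity mirrors the text.
func newSelfSignedCA(notBefore time.Time) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed trust anchor"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(2, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// TALFor renders the TAL text for certDER, pointing at uri (a constructed value here).
func TALFor(uri string, certDER []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	return uri + "\n\n" + base64.StdEncoding.EncodeToString(cert.RawSubjectPublicKeyInfo) + "\n", nil
}

func main() {
	now := time.Now()
	taDER, _ := newSelfSignedCA(now.Add(-time.Hour))
	otherDER, _ := newSelfSignedCA(now.Add(-time.Hour))
	text, _ := TALFor("rsync://example.invalid/repository/ta.cer", taDER)
	tal, _ := ParseTAL(text)
	fmt.Println("matching certificate:", CheckTrustAnchor(tal, taDER, now))
	fmt.Println("different key:       ", CheckTrustAnchor(tal, otherDER, now))
	fmt.Println("three years later:   ", CheckTrustAnchor(tal, taDER, now.AddDate(3, 0, 0)))
}
```

The key comparison is byte-for-byte on the DER SubjectPublicKeyInfo rather than on a parsed key, so a retrieved certificate whose key differs in any encoding detail from what the TAL names is rejected; the time of evaluation is passed in explicitly so the "current" check is reproducible.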
What is a repository?
Repository refers to the digital listing in which ARIN publishes ROAs, resource certificates, Certificate Revocation Lists (CRLs), and manifests. This repository is available to be downloaded via rsync or RPKI Repository Delta Protocol (RRDP) and may be automatically fetched using a validator. Relying Parties may use this data to make more informed decisions about how they route to various locations on the Internet.
What is a manifest?
In the context of RPKI, a manifest is a signed object containing a listing of all the signed files in a CA’s RPKI repository. Manifests contain a filename and a hash of file content for each resource certificate and the CRL, or other signed object published in the repository. Manifests allow a Relying Party to detect certain forms of attacks against their RPKI repository.
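An added example, not ARIN's code or any validator's, of the checks a manifest makes possible once its signature has been verified (this example assumes that step is done): each listed file is compared against its hash, files the manifest lists but the repository did not serve are reported, files served but never listed are reported, and the manifest's own number and next-update time are checked against the previous sync so an old listing cannot be replayed. Filenames, contents, the manifest number and the timestamps are constructed sample data; real manifest entries carry SHA-256 hashes of DER-encoded objects.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"time"
)

// Manifest carries the fields a Relying Party checks: an increasing number, the
// validity window, and (filename, SHA-256 hash) pairs for every signed object
// the CA currently publishes, including its CRL.
type Manifest struct {
	Number     uint64
	ThisUpdate time.Time
	NextUpdate time.Time
	Entries    []ManifestEntry
}

type ManifestEntry struct {
	File string
	Hash string // hex-encoded SHA-256 of the file content
}

// Finding is one discrepancy between the manifest and what was fetched.
type Finding struct {
	File   string
	Reason string
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// EntriesFor hashes a set of files into manifest entries, sorted by name.
func EntriesFor(files map[string][]byte) []ManifestEntry {
	var out []ManifestEntry
	for name, content := range files {
		out = append(out, ManifestEntry{File: name, Hash: sha256Hex(content)})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].File < out[j].File })
	return out
}

// CheckManifest compares the manifest with the files actually fetched and with
// the manifest number seen on the previous sync. Reasons reported:
//   stale         - nextUpdate has passed, so this listing may be outdated
//   replayed      - the number went backwards relative to the last sync
//   missing       - a listed file (such as a withheld CRL or ROA) was not served
//   hash-mismatch - a served file differs from what the CA listed
//   unlisted      - a served file the CA never listed
func CheckManifest(m Manifest, fetched map[string][]byte, lastNumber uint64, now time.Time) []Finding {
	var findings []Finding
	if now.After(m.NextUpdate) {
		findings = append(findings, Finding{"<manifest>", "stale"})
	}
	if m.Number < lastNumber {
		findings = append(findings, Finding{"<manifest>", "replayed"})
	}
	listed := make(map[string]bool, len(m.Entries))
	for _, e := range m.Entries {
		listed[e.File] = true
		content, ok := fetched[e.File]
		switch {
		case !ok:
			findings = append(findings, Finding{e.File, "missing"})
		case sha256Hex(content) != e.Hash:
			findings = append(findings, Finding{e.File, "hash-mismatch"})
		}
	}
	for name := range fetched {
		if !listed[name] {
			findings = append(findings, Finding{name, "unlisted"})
		}
	}
	sort.Slice(findings, func(i, j int) bool {
		if findings[i].File != findings[j].File {
			return findings[i].File < findings[j].File
		}
		return findings[i].Reason < findings[j].Reason
	})
	return findings
}

func main() {
	now := time.Date(2024, 6, 1, 12, 0, 0, 0, time.UTC)
	// Constructed repository contents; real objects are DER-encoded CMS/X.509.
	published := map[string][]byte{
		"ca.crl":       []byte("constructed CRL"),
		"customer.cer": []byte("constructed resource certificate"),
		"prefix.roa":   []byte("constructed ROA"),
	}
	m := Manifest{Number: 42, ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(23 * time.Hour), Entries: EntriesFor(published)}
	// A tampered fetch: CRL altered, ROA withheld, an object that was never listed.
	fetched := map[string][]byte{
		"ca.crl":       []byte("constructed CRL with a revocation removed"),
		"customer.cer": published["customer.cer"],
		"rogue.roa":    []byte("constructed object not in manifest"),
	}
	for _, f := range CheckManifest(m, fetched, 41, now) {
		fmt.Printf("%-14s %s\n", f.File, f.Reason)
	}
}
```

A validator that finds any of these conditions should treat the whole set of objects under that manifest as suspect rather than accepting the files that happened to match, since a withheld CRL or ROA changes what the remaining files mean.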
What is a Certificate Revocation List?
In the context of PKIs, a Certificate Revocation List (CRL) is a list of resource certificates that have been revoked and should not be relied upon. ARIN publishes its CRL for Hosted RPKI within its RPKI repository every 24 hours. A CRL is always issued by the CA that issued the corresponding certificates. A Delegated RPKI participant must publish its own CRL inside the repository located at the Production Uniform Resource Identifier (URI) provided to ARIN.
What is a Route Origin Authorization?
A Route Origin Authorization (ROA) is a cryptographically signed object that states which Autonomous System (AS) is authorized to originate a particular prefix or set of prefixes. ROAs may only be generated for Internet number resources listed on your resource certificate. A ROA is composed of:
- An Origin AS
- A prefix and max length
- A ROA name (optional)
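An added example, not ARIN's code, of how the three ROA fields above are used by a router performing Route Origin Validation as specified in RFC 6811: an announcement is NotFound when no ROA covers its prefix, Valid when a covering ROA names its origin AS and permits its prefix length, and Invalid otherwise. The prefixes are documentation ranges and the ASNs are private-use values, all constructed; the ROAs for AS 64496 mirror the no-ASN case described earlier, where a customer's prefixes are signed with the upstream provider's ASN as the Origin AS.

```go
package main

import (
	"fmt"
	"net/netip"
)

// ROA holds the three fields listed above. MaxLength is the longest prefix
// length the origin AS may announce from within Prefix; a ROA with origin AS 0
// authorizes nobody and so makes every covered announcement Invalid.
type ROA struct {
	OriginAS  uint32
	Prefix    netip.Prefix
	MaxLength int
}

// ROVState is the Route Origin Validation result for one announcement (RFC 6811).
type ROVState int

const (
	NotFound ROVState = iota // no ROA covers the announced prefix
	Valid                    // a covering ROA matches the origin AS within its max length
	Invalid                  // covered, but no ROA authorizes this origin and length
)

func (s ROVState) String() string {
	return [...]string{"NotFound", "Valid", "Invalid"}[s]
}

// covers reports whether announced lies inside roa.Prefix: same address family,
// same or longer prefix length, and network address within the ROA's prefix.
func covers(roa ROA, announced netip.Prefix) bool {
	return roa.Prefix.Addr().Is4() == announced.Addr().Is4() &&
		announced.Bits() >= roa.Prefix.Bits() &&
		roa.Prefix.Contains(announced.Addr())
}

// Validate applies the RFC 6811 decision: NotFound when no ROA covers the
// prefix; Valid when at least one covering ROA names originAS and allows the
// announced length; Invalid when covering ROAs exist but none authorizes it.
func Validate(roas []ROA, announced netip.Prefix, originAS uint32) ROVState {
	announced = announced.Masked()
	state := NotFound
	for _, r := range roas {
		if !covers(r, announced) {
			continue
		}
		if r.OriginAS == originAS && originAS != 0 && announced.Bits() <= r.MaxLength {
			return Valid
		}
		state = Invalid
	}
	return state
}

// MustROA builds a ROA from text, masking the prefix as a validator would.
func MustROA(originAS uint32, prefix string, maxLength int) ROA {
	p := netip.MustParsePrefix(prefix).Masked()
	if maxLength < p.Bits() {
		maxLength = p.Bits() // a max length shorter than the prefix itself is meaningless
	}
	return ROA{OriginAS: originAS, Prefix: p, MaxLength: maxLength}
}

func main() {
	// Constructed ROAs: documentation prefixes, private-use ASNs.
	roas := []ROA{
		MustROA(64496, "192.0.2.0/24", 24),     // customer prefix signed with the provider's ASN
		MustROA(64496, "2001:db8::/32", 48),    // provider may announce /32 through /48
		MustROA(64497, "198.51.100.0/24", 25),
		MustROA(0, "203.0.113.0/24", 24), // AS0 ROA: no AS may originate this prefix
	}
	announcements := []struct {
		prefix string
		origin uint32
	}{
		{"192.0.2.0/24", 64496},      // Valid
		{"192.0.2.0/25", 64496},      // Invalid: longer than max length 24
		{"192.0.2.0/24", 64500},      // Invalid: origin not authorized
		{"198.51.100.128/25", 64497}, // Valid: within max length 25
		{"203.0.113.0/24", 64497},    // Invalid: AS0 ROA
		{"2001:db8:1::/48", 64496},   // Valid
		{"2001:db8::/64", 64496},     // Invalid: beyond max length 48
		{"198.18.0.0/15", 64496},     // NotFound: no ROA covers it
	}
	for _, a := range announcements {
		fmt.Printf("%-20s AS%-6d %s\n", a.prefix, a.origin, Validate(roas, netip.MustParsePrefix(a.prefix), a.origin))
	}
}
```

Note that the max length is what makes a ROA with a short max length protective: a ROA for a /24 with a max length of 24 turns any more-specific announcement from the same origin into Invalid, so setting the max length no longer than what you actually announce is the safer choice.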
What is Relying Party software?
Relying Party software (otherwise known as a “validator”) is a program used to fetch ARIN’s RPKI repository data, validate its contents, and store the information in its cache. This data can be used by network operators to make more informed routing decisions.
We provide a list of validators that ARIN has tested and that you can use.
List of RPKI Validators
- Fort Validator - tested as part of each ARIN Online release
- NLnet Labs (Routinator) - tested as part of each ARIN Online release
- rpki-client - tested as part of each ARIN Online release
- RPSTIR2
- rpki-prover
- OctoRPKI - deprecated by the developer and no longer supported; for more information go to the developer’s Git page
What is a hardware security module?
A hardware security module is a secure cryptographic processor that manages digital keys and certificates used in ARIN’s RPKI as well as other forms of public key cryptography.
What is a Route Origin Authorization request?
A Route Origin Authorization (ROA) request is a request for ARIN to generate a ROA for you.
After providing the required information, this request is then submitted to ARIN. ARIN will generate and publish the ROA to ARIN’s RPKI repository.
Note: Once an RPKI user has received a resource certificate from ARIN, ROA requests may be submitted either through ARIN Online or programmatically via REST.
What is a Certification Practice Statement?
A Certification Practice Statement (CPS) is a document that explains certificate policies and Certification Authority operational procedures. ARIN has published a CPS describing the practices of the ARIN Certificate Authority. The CPS describes the participants, certificate types, processes, and management within ARIN’s RPKI, as well as related business and legal issues. This document may be accessed here.
What is ARIN’s Relying Party Agreement?
ARIN’s Relying Party Agreement comprises a set of terms and restrictions applicable to any entity wishing to utilize ARIN’s RPKI services.