Hosted RPKI

What is Hosted RPKI?

Hosted Resource Public Key Infrastructure (RPKI) is an infrastructure in which ARIN hosts a Certificate Authority (CA) and signs all Route Origin Authorizations (ROAs) for resources within the ARIN region. Only direct resource holders can participate in RPKI. Any downstream organization must have their upstream provider submit ROAs on their behalf.

Hosted RPKI’s benefits include:

• Ease of use
• Little to no coding required from participants
• CA functionality work taken care of by ARIN
• Data security via a Hardware Security Module (HSM)
• Functioning repository provided by ARIN

In Hosted RPKI, ARIN first issues you a certificate that means you are authorized to submit routing information for your resources. (For example, you can specify that all traffic for a certain IP address that you manage should originate from a specified Autonomous System.) You then add your routing information in ARIN Online, and that information is propagated every few minutes to ARIN’s RPKI repository. Other organizations then use ARIN’s RPKI information to determine authorized routes for traffic on the Internet.

Limitations on the Hosted RPKI Service

See the FAQ for some information about RPKI limitations, including:

• Certificate Revocation List (CRL) constraints/ROA deletion
• Number of ROAs per organization

Configuring Hosted RPKI in ARIN Online

Configuring Hosted RPKI requires the following steps. Choose the links to obtain additional information about each step.

1. Log in to ARIN Online and select Routing Security from the navigation menu.

2. On the ‘Routing Security Dashboard’ page, under “Your Organizations,” select Sign Up for RPKI for the organization for which you want to configure Hosted RPKI.

3. On the ‘Manage RPKI’ page, under “Choose Between Two Models of RPKI,” select Sign Up for Hosted to make your resource certificate request.

4. In the top bar of the ‘Manage RPKI’ page, select Hosted Certificate to begin your certificate request.

5. Read and agree to the RPKI Terms of Service. The agreement is available for download so you can follow your organization’s internal processes to accept the Terms of Service prior to proceeding. (Note: This is not required for resources covered by an RSA version 12 or greater or LRSA version 4.) ARIN will create a resource certificate that covers the resources allocated to your Org.

6. After you submit your request, you will be returned to the ‘Routing Security Dashboard’ page. Select Manage RPKI.

7. On the ‘RPKI: ROAs’ page, you can begin creating ROAs for your resources by selecting Create ROA.

8. After entering the required information, select Next Step. Verify the information in your ROA is correct and select Submit.

You will be returned to the ‘RPKI: ROAs’ page, where you will receive confirmation that your ROA has been created, and your ROA will be listed in the “Route Origin Authorizations” table.

What is a Resource Certificate?

A resource certificates list is a collection of Internet number resources (IPv4 addresses, IPv6 addresses, and Autonomous System Numbers [ASNs]) that are associated with the authorized holder of those resources. They provide cryptographic validation that these resources belong to you. These certificates contain no identifying information about the holder of the resources.

Accessing Your Resource Certificates

To view the information on your resource certificate from the ‘Manage RPKI’ page:

1. Log in to ARIN Online and select Routing Security, then RPKI from the navigation menu.
2. Select View Details for the organization whose resource certificate you wish to see.
3. Select Certified Resources from the top menu.

Managing RPKI Resources

1. Log in to ARIN Online and select Routing Security, then RPKI from the navigation menu.
2. In the ‘Your Organization’ window, select View Details for the organization for which you want to manage RPKI resources.
3. You can perform the following actions:

• View, create and delete ROAs
• View your certified resources

Using the Operational Test and Evaluation (OT&E) Environment

ARIN has created an RPKI instance within its OT&E for those wishing to experiment with RPKI without affecting production data. For more information, see the OT&E page.