Hosted RPKI

What is Hosted RPKI?

Hosted RPKI is an infrastructure in which ARIN hosts a Certificate Authority (CA) and signs all Route Origin Authorizations (ROAs) for resources within the ARIN region. Only direct resource holders can participate in RPKI; any downstream organization must have its upstream provider submit ROAs on its behalf.

Hosted RPKI’s benefits include:

  • Ease of use
  • Little to no coding required from participants
  • Certificate Authority functionality work taken care of by ARIN
  • Data security via a Hardware Security Module (HSM)
  • Functioning repository provided by ARIN

In hosted RPKI, ARIN first issues you a certificate attesting that you are authorized to submit routing information for your resources. (For example, you can specify that routes for a certain IP address block that you manage should originate from a specified autonomous system.) You then add your routing information in ARIN Online, and that information is propagated every few minutes to ARIN’s RPKI repository. Other organizations then use ARIN’s RPKI information to determine which routes on the Internet are authorized.

The ARIN Internet Number Resources you want to certify with RPKI must be covered by a Registration Services Agreement (RSA) or Legacy Registration Services Agreement (LRSA).

Limitations on the Hosted RPKI Service

See the FAQ for some information about RPKI limitations, including:

Configuring Hosted RPKI in ARIN Online

Configuring hosted RPKI requires the following steps. Choose the links to obtain additional information about each step.

  1. Use software such as OpenSSL to generate a key pair.
  2. Use this software to extract the public key from the key pair. You’ll then have two files: a private key file and a public key file.
  3. In ARIN Online, choose your Org ID for which you want to certify resources and choose Manage RPKI from the Actions menu to begin your certificate request.
  4. Choose Configure Hosted and accept the Terms of Service, if required.
  5. Read and agree to the RPKI Terms of Service. (Note: Not required for resources covered by an RSA version 12 or greater.)
  6. Copy and paste the public key you created in Step 1 into your certificate request.
  7. After you submit your request, ARIN will create a certificate request ticket. When your request is approved, ARIN will issue an RPKI certificate that covers the resources assigned to your Org.
  8. To configure your routes, you’ll need to create ROAs in ARIN Online (ROAs designate which Autonomous System (AS) is authorized to originate a particular prefix or set of prefixes). You can generate a signed ROA request on your own using software such as OpenSSL, and paste that into the browser window.
  9. After you create a ROA request, ARIN tickets it and automatically creates your ROA. The RPKI repository is updated every few minutes. You can view your ROAs by choosing your Org and then selecting Actions > Manage RPKI. Choose ROAs from the navigation menu.
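To show what the ROAs created in Step 8 are used for once they reach the repository, here is an added example (not ARIN's code) of Route Origin Validation as a relying party performs it: each BGP announcement is classified as valid, invalid or notfound against a set of ROAs, following RFC 6811 semantics. The ROA set and the announcements are constructed sample data using documentation prefixes and private-use ASNs.

```python
"""Route Origin Validation against a set of ROAs (RFC 6811 semantics).

Added example, not ARIN's code. It shows what a relying party does with
the ROAs published in an RPKI repository: each BGP announcement is
classified as valid, invalid or notfound. The ROAs and announcements
below are constructed sample data (documentation prefixes, private ASNs).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # authorized prefix, e.g. "192.0.2.0/24"
    max_length: int  # most-specific prefix length the ROA permits
    asn: int         # origin AS allowed to announce it (0 = nobody may originate)


def covers(roa: ROA, announced) -> bool:
    """True when the ROA prefix contains the announced prefix (same address family)."""
    roa_net = ipaddress.ip_network(roa.prefix)
    return roa_net.version == announced.version and announced.subnet_of(roa_net)


def validate_route(prefix: str, origin_asn: int, roas) -> str:
    """Classify an announcement as 'valid', 'invalid' or 'notfound'.

    notfound: no ROA covers the prefix (RPKI says nothing about it).
    valid:    a covering ROA names this origin AS and the announced length
              does not exceed that ROA's maxLength.
    invalid:  covering ROAs exist but none matches (wrong origin, a
              more-specific beyond maxLength, or an AS0 ROA).
    """
    announced = ipaddress.ip_network(prefix)
    covering = [r for r in roas if covers(r, announced)]
    if not covering:
        return "notfound"
    if any(r.asn == origin_asn and announced.prefixlen <= r.max_length for r in covering):
        return "valid"
    return "invalid"


# Constructed ROA set, as a relying party would load it from validated repository data.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),   # the /22 may also be announced as /23s or /24s
    ROA("2001:db8::/32", 48, 64496),
    ROA("203.0.113.0/24", 24, 0),        # AS0 ROA: this prefix must not appear in BGP
]

# Constructed announcements: (prefix, origin ASN)
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),     # valid
    ("192.0.2.0/25", 64496),     # invalid: /25 exceeds maxLength 24
    ("192.0.2.0/24", 64500),     # invalid: wrong origin AS
    ("198.51.100.0/24", 64497),  # valid: within maxLength of the /22 ROA
    ("2001:db8:1::/48", 64496),  # valid (IPv6)
    ("203.0.113.0/24", 64496),   # invalid: covered only by an AS0 ROA
    ("100.64.0.0/10", 64496),    # notfound: no covering ROA
]


def classify_all(announcements=SAMPLE_ANNOUNCEMENTS, roas=SAMPLE_ROAS) -> dict:
    """Map each (prefix, asn) announcement to its validation state."""
    return {a: validate_route(a[0], a[1], roas) for a in announcements}


if __name__ == "__main__":
    for (prefix, asn), state in classify_all().items():
        print(f"{prefix:20} AS{asn:<6} {state}")
```

The maxLength check is the part operators most often get wrong: a ROA for a /22 with maxLength 24 authorizes the /22, /23s and /24s, but a /25 announced by the same AS is invalid, and a ROA with maxLength equal to the prefix length leaves no room for more-specifics at all.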

Generating a ROA Request Key Pair

Before configuring hosted RPKI in ARIN Online, you must generate a ROA Request Key Pair. The term “key pair” refers to the two separate pieces of data (a public key and a private key) created using public key cryptography, a system used to secure data. As a hosted RPKI participant, you generate and use ROA Request Generation Key Pairs to secure your ROAs and resource certificate data and cryptographically verify your identity. Your public key is provided to ARIN and is used to cryptographically verify ROAs that have been signed by the corresponding private key.

Note: For ARIN Online users with authority over multiple organizations and their resources, it is highly recommended to use a separate ROA Request Generation Key Pair for each organization.

ROA Request Generation Key Pairs can be generated multiple ways. A recommended method is through OpenSSL using the following commands:

OpenSSL> genrsa -out orgkeypair.pem 2048

This command generates a ROA Request Generation Key Pair and saves it as a file named orgkeypair.pem. (The OpenSSL> prompt indicates the interactive openssl shell; from an ordinary command line, prefix the command with openssl, i.e. openssl genrsa -out orgkeypair.pem 2048.)

Extracting the Public Key

After creating the key pair, you need to extract the public key so that you can enter it in ARIN Online:

OpenSSL> rsa -in orgkeypair.pem -pubout -outform PEM -out org_pubkey.pem

This command extracts the public key from the ROA Request Generation key pair and writes it to a file named org_pubkey.pem.

Your key pair is now in a file called orgkeypair.pem, and the public key is in org_pubkey.pem. The private key contained in the key pair file is not to be shared and should be kept secure.

If using an alternate method (other than OpenSSL) to generate your key pair, be sure to generate a key pair that:

  • Is an RSA key pair
  • Is 2048 bits in length
  • Uses the public exponent F4 (65537)
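If you generated the key with something other than OpenSSL, it is worth confirming the three requirements above before pasting the key into ARIN Online. The following added example (not ARIN's tooling) parses the SubjectPublicKeyInfo structure that openssl rsa -pubout writes, using only a minimal DER reader from the standard library, and reports whether the key is RSA, 2048 bits, and uses exponent 65537. SAMPLE_MODULUS and the make_sample_pem helper are assumptions introduced here so the check can be exercised offline; the sample modulus is a constructed number, not a real key.

```python
"""Check that a PEM public key meets the hosted RPKI key requirements:
RSA, 2048 bits, public exponent F4 (65537).

Added example, not ARIN's tooling. It parses the SubjectPublicKeyInfo
structure that `openssl rsa -pubout` writes with a minimal DER reader
(standard library only). SAMPLE_MODULUS below is a constructed number,
not a real key, so the file runs offline.
"""
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
F4 = 65537


def _read_tlv(data: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def parse_rsa_public_key(pem: str):
    """Return (modulus, exponent) from a 'BEGIN PUBLIC KEY' PEM, or raise ValueError."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem, re.S)
    if not m:   # 'BEGIN RSA PUBLIC KEY' is the PKCS#1 form; re-export with -pubout
        raise ValueError("not a SubjectPublicKeyInfo PEM (expected BEGIN PUBLIC KEY)")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer structure is not a SEQUENCE")
    _, alg, pos = _read_tlv(spki, 0)              # AlgorithmIdentifier
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bitstr, _ = _read_tlv(spki, pos)         # BIT STRING holding RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa_key, _ = _read_tlv(bitstr[1:], 0)      # RSAPublicKey ::= SEQUENCE { n, e }
    n_tag, n_bytes, pos = _read_tlv(rsa_key, 0)
    e_tag, e_bytes, _ = _read_tlv(rsa_key, pos)
    if n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("RSAPublicKey fields are not INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def check_key_requirements(pem: str) -> list:
    """Return the list of problems found; an empty list means the key is acceptable."""
    try:
        n, e = parse_rsa_public_key(pem)
    except (ValueError, IndexError) as exc:
        return [f"cannot parse key: {exc}"]
    problems = []
    if n.bit_length() != 2048:
        problems.append(f"modulus is {n.bit_length()} bits, expected 2048")
    if e != F4:
        problems.append(f"public exponent is {e}, expected F4 (65537)")
    return problems


# --- helpers to build a sample key so the check can be exercised offline ---

def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER tag-length-value (values up to 65535 bytes)."""
    ln = len(value)
    length = bytes([ln]) if ln < 0x80 else (
        bytes([0x81, ln]) if ln < 0x100 else bytes([0x82]) + ln.to_bytes(2, "big"))
    return bytes([tag]) + length + value


def _der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return _tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)   # keep the INTEGER positive


def make_sample_pem(modulus: int, exponent: int) -> str:
    """Wrap a CONSTRUCTED modulus in SubjectPublicKeyInfo PEM (not a usable key)."""
    rsa_key = _tlv(0x30, _der_int(modulus) + _der_int(exponent))
    alg = _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))
    b64 = base64.b64encode(_tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_key))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


SAMPLE_MODULUS = (1 << 2047) | 0x1234567                 # constructed 2048-bit odd number
SAMPLE_PEM = make_sample_pem(SAMPLE_MODULUS, F4)          # meets all three requirements
WEAK_PEM = make_sample_pem((1 << 1023) | 0x1234567, 3)   # 1024 bits, exponent 3

if __name__ == "__main__":
    for name, pem in (("sample", SAMPLE_PEM), ("weak", WEAK_PEM)):
        print(name, check_key_requirements(pem) or "OK")
```

To check a real org_pubkey.pem, read the file and pass its contents to check_key_requirements; a file that begins with BEGIN RSA PUBLIC KEY is the PKCS#1 form and should be re-exported with openssl rsa -pubout so that it is in the format ARIN Online expects.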

Open the Public Key

Use a text editor to open the org_pubkey.pem file. The public key (contents of org_pubkey.pem) will look similar to the example below:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzh/1Ws2aiqyxR0tqpkAC
tLGhQMrkYfcxYl7BzxFaSEitdsNhxqNZjAt+IB/yQ9XEKaHL87cqmZlrtEGju0Dk
QKym0onn3JXtS7S1OTRQbjWPN0k9/1HnP/R5xnQvGfaMOPm9S5If6DPr63109inX
5JXv4yNx/x8GZAT+RrhRW/I+PzmXVeSwc89LbADblpQR5x9x6173ncHUV+6UJr2M
niBl7OcFW61jbGhTQSrb9xoUli7IyAciziESE6cG2gqw0fW/ZOo7pUToPaDAPxHJ
vLq0uqtlpG5z3MpAoVibtdtuF9BF2dKHFF6TMwUKJaQ5EQZ+/iODk6CuWz6Q5iZN
-----END PUBLIC KEY-----

Copy the contents of the file to your clipboard. You’ll paste this key into the certificate request in ARIN Online.

Submitting a Certificate Request

ARIN generates a resource certificate for you when you submit your public key. Resource certificates list a collection of Internet number resources (IPv4 addresses, IPv6 addresses, and Autonomous System Numbers [ASNs]) that are associated with a holder of those resources. They provide cryptographic validation that these resources belong to you. These certificates contain no identifying information about who the holder of the resources is; resource holders prove they control the resources by using their private key to sign information such as a ROA Request, and relying parties then validate these signed objects with the corresponding public key. You submit a certificate request and public key for each organization for which you’re configuring RPKI.

To submit a certificate request:

  1. Log in to ARIN Online and select Your Records > Organization Identifiers from the navigation menu.
  2. Choose the organization for which you want to configure RPKI.
  3. Choose Actions and select Manage RPKI. (Note: If you do not see this option, ensure that you meet the requirements for participation).
  4. In the Hosted RPKI Section, choose Configure Hosted.
  5. Read and agree to the RPKI Terms of Service. (Note: Not required for resources covered by an RSA version 12 or greater.)
  6. Choose Continue.
  7. Paste your public key that you created into the Public Key field.
  8. Choose Submit. This generates a ticketed request for ARIN to generate a resource certificate covering your Internet number resources. You’ll receive a notification in ARIN Online of any actions regarding your request.

Accessing Your Resource Certificates

After ARIN has generated a resource certificate for you, there are two ways to find it.

View the information from the Manage RPKI page:

  1. Log in to ARIN Online.
  2. Select Your Records > Organization Identifiers from the navigation menu.
  3. Choose the organization for which you want to configure RPKI.
  4. Choose Actions and select Manage RPKI.
  5. Select the link for your current certificate. The resource certificate information will be displayed in the body of the page.

To download the file from the ARIN ticket:

  1. Log in to ARIN Online.
  2. Select Tickets from the navigation menu.
  3. Find the ticket that was created when ARIN generated your resource certificate. Your resource certificate is listed in the Attached Files section of the ticket.

Managing RPKI Resources

  1. Log in to ARIN Online and select Your Records > Organization Identifiers from the navigation menu.
  2. Choose the organization.
  3. Choose Actions and select Manage RPKI. You can perform the following actions:

Using the Operational Test and Evaluation (OT&E) Environment

ARIN has created an RPKI instance within its Operational Test and Evaluation environment (OT&E) for those wishing to experiment with RPKI without affecting production data. For more information, see the OT&E page.