ARIN Publication Service (RPS) - "Hybrid RPKI"

As stated in RFC8181, in order to make participation in the RPKI easier, it is helpful to have a few consolidated repositories for RPKI objects, thus saving every participant from the cost of maintaining a new service. Similarly, relying parties using the RPKI objects will find it faster and more reliable to retrieve the necessary set from a smaller number of repositories.

These consolidated RPKI object repositories will in many cases be outside the administrative scope of the organization issuing a given RPKI object. A common term for this type of service is ‘Hybrid RPKI.’

Why Use a Remote RPKI Publication Repository?

In some cases, outsourcing operation of the repository will be an explicit goal: some resource holders who strongly wish to control their own RPKI private keys may lack the resources to operate a 24x7 repository or may simply not wish to do so.

The operator of an RPKI publication repository may well be an Internet registry which issues certificates to its customers, but it need not be; conceptually, operation of an RPKI publication repository is separate from operation of an RPKI Certification Authority (CA).

Even in cases where a resource holder operates both a certificate engine and a publication repository, it can be useful to separate the two functions, as they have somewhat different operational and security requirements.

How to Configure a Certificate Authority to use RPS

The steps below show how an organization configures the Krill Certificate Authority software to use the ARIN Publication Service:

  1. In Krill, choose the Repository tab to get the Publisher Request XML it has generated. Copy the XML to the clipboard.
  2. Log in to ARIN Online and:
    1. Select Your Records > Organization Identifiers from the navigation menu and choose the organization.
    2. Choose Actions and select Manage RPKI.
    3. In the Navigation Menu, choose Publication Repository.
    4. Paste the XML copied from Krill into the Publisher Request XML field and choose Submit.
    5. ARIN will generate and display a Repository Response in XML format. Use Copy to copy the response into the clipboard.
  3. Open the Krill software and choose the Repository tab.
  4. Paste the response you copied to clipboard into the appropriate section and choose Confirm.
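Before pasting the Repository Response into Krill, an operator can check that it is consistent with the Publisher Request it was generated from. The script below is an added example, not ARIN's or Krill's code; it assumes the RFC 8183 message format (publisher_request / repository_response) and uses constructed sample messages with an invented hostname and placeholder base64 in place of real BPKI certificates.

```python
import base64
import xml.etree.ElementTree as ET  # use defusedxml for XML from untrusted sources

NS = "{http://www.hactrn.net/uris/rpki/rpki-setup/}"  # RFC 8183 namespace

# Constructed sample messages; the base64 is a placeholder, not a real BPKI certificate.
REQUEST = """<publisher_request xmlns="http://www.hactrn.net/uris/rpki/rpki-setup/"
  version="1" tag="A0001" publisher_handle="example-org">
  <publisher_bpki_ta>Q09OU1RSVUNURUQ=</publisher_bpki_ta></publisher_request>"""
RESPONSE = """<repository_response xmlns="http://www.hactrn.net/uris/rpki/rpki-setup/"
  version="1" tag="A0001" publisher_handle="example-org"
  service_uri="https://rps.example.invalid/rfc8181/example-org/"
  sia_base="rsync://rps.example.invalid/repo/example-org/"
  rrdp_notification_uri="https://rps.example.invalid/rrdp/notification.xml">
  <repository_bpki_ta>Q09OU1RSVUNURUQ=</repository_bpki_ta></repository_response>"""


def _root(xml_text, name):
    # Accept only the expected RFC 8183 root element, protocol version 1.
    root = ET.fromstring(xml_text)
    if root.tag != NS + name or root.get("version") != "1":
        raise ValueError(f"not a version-1 <{name}> message")
    return root


def check_pair(request_xml, response_xml):
    """Return a list of problems; an empty list means the pair is consistent."""
    req = _root(request_xml, "publisher_request")
    resp = _root(response_xml, "repository_response")
    problems = []
    for attr in ("publisher_handle", "tag"):  # response must echo the request's identity
        if req.get(attr) != resp.get(attr):
            problems.append(f"{attr} mismatch: {req.get(attr)!r} vs {resp.get(attr)!r}")
    if not resp.get("service_uri", "").startswith("https://"):
        problems.append("service_uri is not https://")
    sia = resp.get("sia_base", "")
    if not (sia.startswith("rsync://") and sia.endswith("/")):
        problems.append("sia_base is not an rsync:// directory URI")
    rrdp = resp.get("rrdp_notification_uri")  # optional in RFC 8183
    if rrdp is not None and not rrdp.startswith("https://"):
        problems.append("rrdp_notification_uri is not https://")
    for root, child in ((req, "publisher_bpki_ta"), (resp, "repository_bpki_ta")):
        text = "".join((getattr(root.find(NS + child), "text", None) or "").split())
        try:  # trust anchor must be present and be valid base64 (a DER certificate)
            if not base64.b64decode(text, validate=True):
                raise ValueError
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"<{child}> missing or not valid base64")
    return problems
```

Run `check_pair` on the two XML documents copied from Krill and ARIN Online; any non-empty result is worth resolving before choosing Confirm in Krill.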

Creating ROAs

After you have received a delegated resource certificate from ARIN, you (or organizations under you whose resources you are certifying) will use a Certificate Authority (CA) package such as Krill to create ROAs. ROAs are stored in the RPKI repository along with a CRL (Certificate Revocation List). A CRL is a list of resource certificates that have been revoked and should not be relied upon. A CRL is always issued by the CA which issues the corresponding certificates. The publication server (either yours or ARIN’s, if you are using the ARIN Publication Service for Delegated RPKI) will provide these objects to requesting entities.

Additional Information

For additional information on RPKI, including delegated RPKI, visit the following resources: