RPKI Deployment Options

Available RPKI Services

ARIN offers services supporting two models of RPKI deployment: Hosted and Delegated. Only direct resource holders can participate in RPKI. Any downstream organization must have their upstream provider submit Route Origin Authorizations (ROAs) on their behalf.

With Hosted RPKI, ARIN hosts a Certificate Authority and signs all ROAs for resources allocated within the ARIN region. With Delegated RPKI, ARIN will produce a delegated resource certificate at your request that can be used in your own Certificate Authority to sign your ROAs. You can maintain your own repository and publication server, or you can choose to use ARIN’s Repository Publication Service. In both models, ARIN serves as the trust anchor certifying that the rightful resource holder is the one who created the ROA.

Hosted RPKI

Hosted RPKI is a solution in which ARIN hosts a Certificate Authority and signs all ROAs for resources within the ARIN region. The majority of RPKI users at ARIN utilize the Hosted service.


Delegated RPKI

Delegated RPKI is a solution in which a Regional Internet Registry’s direct resource holders may request their own delegated resource certificates and host their own Certificate Authority. Delegated RPKI participants may then sign ROAs and issue resource certificates for their customers.


Repository Publication Service (RPS)

This solution is recommended for organizations that choose the Delegated RPKI option but do not want to maintain a high-availability repository and run their own publication server.


Which one is right for my organization?

If your organization is just getting started with RPKI, you may want to choose the Hosted option; it is the easiest to use because the only thing your organization needs to do is create ROAs to cover your resources. ARIN is responsible for serving as the Certificate Authority and publishing the high-availability repository, as well as providing tools for easy creation and management. Over 95 percent of ARIN RPKI deployments use the Hosted service. Delegated RPKI is an option for an organization that wants to maintain cryptographic control and independence, but to use it your organization should have in-depth knowledge of RPKI and the resources — both human and technological — to run a Certificate Authority and publication server.