
Resource Public Key Infrastructure (RPKI)

Overview

RPKI is a free, opt-in service that allows users to certify their ARIN Internet number resources that are covered by an RSA/LRSA to help secure Internet routing. Using cryptographically verifiable certificates, RPKI allows IP address holders to specify which Autonomous Systems (ASes) are authorized to originate their IP address prefixes. With RPKI, Border Gateway Protocol (BGP) route announcements issued from a router are validated to make sure that the route is coming from the resource holder and that it is a valid route. This is done through Route Origin Authorizations (ROAs). ROAs are created by network operators and used by other network operators to make routing decisions. They provide verification that the routes being advertised are correct and can be used safely in routing tables.

Benefits of RPKI

Internet routing is dependent upon many chains of network relationships that are based on mutual trust. Each party trusts that the route used to transmit information is safe, accurate, and will not be maliciously altered. This model proved sufficient in the early stages of Internet development, but has become increasingly vulnerable to abuse and attack as the Internet's resources have undergone a massive increase in usage. Using cryptographically verifiable statements, RPKI helps to ensure that Internet number resource holders are certifiably linked to those resources, and reliable routing origin data is available upon which to base routing decisions.

Components of RPKI

RPKI fulfills security requirements through the generation of:

  • Resource certificates: These certificates digitally verify that a resource has been allocated or assigned to a specific entity.
  • Route Origin Authorizations (ROAs): Digital statements specifying which Autonomous System may originate a specific IP address or range.
  • Trust Anchor Locator (TAL): File used to allow relying parties to retrieve the data within ARIN's RPKI validator (via rsync) and base routing decisions upon that data. ARIN's TAL contains two things: the URL of ARIN's published RPKI repository, and ARIN's PEM-encoded public key.

Prerequisites for Using RPKI at ARIN

In order to participate in RPKI, you will need:

Note: Some Early Registration Transfer Project Space (ERX space) will not be covered by resource certificates at this time. ARIN plans on implementing this feature in future releases of RPKI functionality. This involves ongoing coordination with other Regional Registries.

Participating in RPKI

RPKI participation can be divided into two main areas. Choose the type of RPKI you want to implement to view instructions and additional information.

  • Using RPKI as a Relying Party: Obtaining information about routes and using RPKI as a relying party (to make routing decisions for your network). You need to download the ARIN Trust Anchor Locator (TAL) and use it with an RPKI validator.
  • Providing Certification for Your Resources: Certify that you have authority over routes that originate from your resources by creating certificates and Route Origin Authorizations (ROAs).

Additional RPKI Information

More information about RPKI is available at the following URLs (external to ARIN):
