Delegated RPKI

Overview

Delegated RPKI is an infrastructure in which ARIN direct resource holders may request their own delegated resource certificates, allowing them to host their own Certificate Authority (CA). Using their CA, Delegated RPKI participants may then sign Route Origin Authorizations (ROAs) and issue resource certificates for their customers. This hierarchical system widens the availability of RPKI by allowing customers of direct ARIN resource holders to participate using their resource provider as a CA.

This hierarchy of resource certificates is validated from the top down, beginning with the nominated Trust Anchor. ARIN is the Trust Anchor for RPKI in its region. ARIN's RPKI repository holds a certificate for each organization participating in Delegated RPKI. In turn, each Delegated RPKI participant's repository will hold a resource certificate for each customer participating in Delegated RPKI through them. By following this chain, any resource certificate may be located and validated.

Note: ARIN has invested significant resources in the development of RPKI, and plans to continually evolve the service, including the migration to a single global Trust Anchor (TA).

Prerequisites for Delegated RPKI

Delegated RPKI does not require ARIN to host the private key of your Delegated RPKI Key Pair, and allows you to, in turn, offer either Hosted or Delegated RPKI resources to your customers. However, there are a number of resource and knowledge requirements for any organization wishing to participate.

Before signing up, you must have:

    • IPv4 or IPv6 resources obtained directly from ARIN
    • A signed RSA or LRSA covering the resources you wish to certify
    • An ARIN Online account linked to an admin or tech Point of Contact (POC) with authority to manage the resources you wish to certify
    • An Up/Down identity

Once you become a participant, you must:

    • Exchange your public key associated with your Delegated RPKI private key with ARIN via ARIN Online
    • Create an infrastructure in which to host a CA, both hardware- and software-wise
    • Perform all work required for maintaining a CA and publishing a Certification Practice Statement (CPS)
    • Create an RPKI repository in which to host resource certificates and ROAs, as well as a manifest and Certificate Revocation List.

Overview of Configuration Steps

  1. Create an ARIN Online account.
  2. Set up a test account on the OT&E Server. (This is optional, but recommended.)
  3. Create a Delegated RPKI Key Pair.
  4. Submit an Up/Down Request using ARIN Online.
  5. Submit Route Origin Authorizations (ROAs) in ARIN Online.

Using the Operational Test and Evaluation (OT&E) Environment

ARIN has created an RPKI instance within its Operational Test and Evaluation environment (OT&E) for those wishing to experiment with RPKI without affecting production data. For more information, see the OT&E page.

Understanding Delegated RPKI Key Pairs

The term "key pair" refers to the two separate pieces of data (a public key and a private key) created using public key cryptography, a system used to secure data. As a Delegated RPKI participant, you will generate and use a Delegated RPKI Key Pair for two reasons. The public key of this key pair will be given to ARIN when requesting a resource certificate from ARIN. The private key of this key pair will be used to sign the manifest and Certificate Revocation List (CRL) within the RPKI repository you create. For ARIN Online users with authority over multiple organizations and their resources, it is highly recommended to use a separate Delegated RPKI Key Pair for each organization.

Understanding Public Keys

A public key is the part of a key pair that may be distributed safely to others. It is mathematically paired with the private key that was generated alongside it. This key is provided to ARIN when the user signs up to participate in RPKI, and is used to cryptographically verify Route Origin Authorization (ROA) Requests which have been signed by the corresponding private key. 

Understanding Private Keys

A private key is the part of the key pair that MUST be securely stored, and must NOT be distributed. RPKI participants use private keys to sign Route Origin Authorization (ROA) requests and the objects in their repository. When a block of data is signed using a resource holder's private key, their public key can be used to verify that data.

Note: Private keys MUST be kept private, and must not be shared with anyone outside your organization. Should another entity have access to your private key, that entity would be able to effectively represent itself as your organization, voiding the security RPKI is designed to maintain.

IF YOUR PRIVATE KEY IS LOST OR COMPROMISED, YOU MUST START THE RESOURCE CERTIFICATION PROCESS AGAIN.

Configuring Delegated RPKI in ARIN Online

Configuring an Up/Down Identity

Before configuring Delegated RPKI in ARIN Online, you must configure an up/down identity and create an Identity XML file using your own Delegated RPKI software. The up/down information is used when you submit your up/down request using ARIN Online.

Generating a Delegated RPKI Key Pair

You also need to generate a Delegated RPKI Key Pair (see Understanding Delegated RPKI Key Pairs above): its public key is submitted to ARIN, and its private key signs the objects in your repository. A key pair can be generated in several ways. A recommended method is through OpenSSL using the following commands:

  • openssl genrsa -out orgkeypair.pem 2048
    • This command generates a 2048-bit RSA Delegated RPKI Key Pair and saves it as a file named orgkeypair.pem. OpenSSL's default public exponent is 65537 (F4), so a key generated this way meets the requirements listed below.
  • openssl rsa -in orgkeypair.pem -pubout -outform PEM -out org_pubkey.pem
    • This command extracts the public key from the Delegated RPKI Key Pair and writes it to a file named org_pubkey.pem
  • Your key pair is now in a file called orgkeypair.pem, and the public key is in org_pubkey.pem. The private key contained in the key pair file is not to be shared and should be kept secure.

If using an alternate method, be sure to generate a key pair that:

  • Is an RSA key pair
  • Is 2048 bits in length
  • Uses the public exponent F4 (65537)

The public key (contents of org_pubkey.pem) will look similar to the example below:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzh/1Ws2aiqyxR0tqpkAC
tLGhQMrkYfcxYl7BzxFaSEitdsNhxqNZjAt+IB/yQ9XEKaHL87cqmZlrtEGju0Dk
QKym0onn3JXtS7S1OTRQbjWPN0k9/1HnP/R5xnQvGfaMOPm9S5If6DPr63109inX
5JXv4yNx/x8GZAT+RrhRW/I+PzmXVeSwc89LbADblpQR5x9x6173ncHUV+6UJr2M
niBl7OcFW61jbGhTQSrb9xoUli7IyAciziESE6cG2gqw0fW/ZOo7pUToPaDAPxHJ
vLq0uqtlpG5z3MpAoVibtdtuF9BF2dKHFF6TMwUKJaQ5EQZ+/iODk6CuWz6Q5iZN
GwIDAQAB
-----END PUBLIC KEY-----
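Before uploading a public key to ARIN it is worth confirming that it really is an RSA key with a 2048-bit modulus and public exponent F4, especially if it was produced by something other than the OpenSSL commands above. The following Python script is an added example written for this page, not ARIN's own tooling: it parses a PEM public key with only the standard library (a minimal DER walk over the SubjectPublicKeyInfo structure that `openssl rsa -pubout` emits) and reports every requirement the key fails. The input is the sample public key shown above; the function and constant names are this example's own.

```python
"""Verify that an RSA public key satisfies ARIN's stated Delegated RPKI key
requirements: RSA, 2048-bit modulus, public exponent F4 (65537).

Added example for this page; not ARIN's code. Standard library only, so it
runs offline. The DER walk covers exactly the SubjectPublicKeyInfo layout that
`openssl rsa -pubout` writes into org_pubkey.pem."""
import base64
import re

# Sample public key from the page (org_pubkey.pem), used here as the input.
SAMPLE_PUBKEY_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzh/1Ws2aiqyxR0tqpkAC
tLGhQMrkYfcxYl7BzxFaSEitdsNhxqNZjAt+IB/yQ9XEKaHL87cqmZlrtEGju0Dk
QKym0onn3JXtS7S1OTRQbjWPN0k9/1HnP/R5xnQvGfaMOPm9S5If6DPr63109inX
5JXv4yNx/x8GZAT+RrhRW/I+PzmXVeSwc89LbADblpQR5x9x6173ncHUV+6UJr2M
niBl7OcFW61jbGhTQSrb9xoUli7IyAciziESE6cG2gqw0fW/ZOo7pUToPaDAPxHJ
vLq0uqtlpG5z3MpAoVibtdtuF9BF2dKHFF6TMwUKJaQ5EQZ+/iODk6CuWz6Q5iZN
GwIDAQAB
-----END PUBLIC KEY-----
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
REQUIRED_BITS = 2048
F4 = 65537


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def pem_to_der(pem):
    """Strip the PEM armor and base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END) PUBLIC KEY-----", "", pem)
    return base64.b64decode("".join(body.split()), validate=True)


def inspect_rsa_spki(pem):
    """Return (modulus_bits, public_exponent) for an RSA SubjectPublicKeyInfo."""
    tag, spki, _ = _tlv(pem_to_der(pem), 0)
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo SEQUENCE")
    _, alg_id, pos = _tlv(spki, 0)                      # AlgorithmIdentifier
    _, oid, _ = _tlv(alg_id, 0)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("key algorithm is not rsaEncryption")
    tag, bitstr, _ = _tlv(spki, pos)                    # subjectPublicKey BIT STRING
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey")
    _, rsa_key, _ = _tlv(bitstr, 1)                     # RSAPublicKey SEQUENCE
    tag_n, n_bytes, pos = _tlv(rsa_key, 0)
    tag_e, e_bytes, _ = _tlv(rsa_key, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("RSAPublicKey integers missing")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return n.bit_length(), e


def key_requirement_problems(pem):
    """List every way the key fails ARIN's requirements; empty list means OK."""
    try:
        bits, e = inspect_rsa_spki(pem)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if bits != REQUIRED_BITS:
        problems.append(f"modulus is {bits} bits, expected {REQUIRED_BITS}")
    if e != F4:
        problems.append(f"public exponent is {e}, expected F4 ({F4})")
    return problems


if __name__ == "__main__":
    print(inspect_rsa_spki(SAMPLE_PUBKEY_PEM))          # (2048, 65537)
    print(key_requirement_problems(SAMPLE_PUBKEY_PEM) or "key meets ARIN's requirements")
```

The same two values can be read off with `openssl rsa -pubin -in org_pubkey.pem -text -noout`, which prints the modulus size and "Exponent: 65537 (0x10001)"; the script is useful where the key is handed to you as a file and you want an automated gate in front of the ARIN Online upload.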

Submitting an Up/Down RPKI Request

  1. Log in to ARIN Online and select Your Account > Organization Identifiers from the navigation menu.
  2. Choose the organization for which you want to configure RPKI.
  3. Choose Actions and select Manage RPKI. (Note: If you do not see this option, ensure that you meet the requirements for participation.)
  4. Choose Up/Down.
  5. Read and agree to the RPKI Terms of Service. (Note: Not required for resources covered by an RSA version 12 or greater.)
  6. Choose the XML file of your up/down identity and select Submit. This generates a ticketed request for ARIN to sign up your organization for Up/Down-managed RPKI. Once approved, an Up/Down Parent Response will be available for download as an attachment on the ticketed request. You will need to configure your own delegated RPKI software using this Parent Response.

Creating ROAs

After obtaining a certificate, you use your CA to generate ROAs. A ROA is a cryptographically signed object that states which Autonomous System (AS) is authorized to originate a particular prefix or set of prefixes. ROAs can only be generated for Internet number resources that are covered by your resource certificate. As a Delegated RPKI participant you publish them in the RPKI repository you host (see Next Steps), where relying parties fetch them and network operators use them to validate routes.

Note: ROA Requests will only be accepted if signed using a private key that corresponds with a public key linked to the customer submitting the request. This is enforced by custom programming on ARIN's HSM which may not be tampered with or altered in any way. Before submitting ROA Requests, you must sign up for RPKI and submit your public key. Once an RPKI user has successfully received a resource certificate from ARIN, ROA requests may be submitted either through ARIN Online or programmatically via REST. For the specific RESTful method, visit the RESTful Methods page.

You can create ROAs by submitting a request using ARIN Online.

Next Steps

Once you have received a delegated resource certificate, you will need to create a repository that includes a Certificate Revocation List (CRL) and manifest that have been signed using the private key that corresponds with the public key you provided ARIN.

A URI is a string of characters used to identify a name or resource, allowing it to be found and interacted with over a network, such as the Internet (Example: rsync://rpki.example.com/repository/). When signing up for Delegated RPKI with ARIN, you must provide a Base CA Repository URI that matches the location of your RPKI repository, which allows ARIN to reference it.

Every resource certificate has a CA Repository URI which describes where to find the delegated RPKI repository. ARIN will set the CA Repository URI of your resource certificate by combining the Base CA Repository URI you specify at request time with the distinguished name of your resource certificate.

For example, assume you specify a Base CA Repository URI of 'rsync://rpki.example.com/repository/' and your resource certificate has a distinguished name of 'aaa-bbb-ccc'. Your CA Repository URI is 'rsync://rpki.example.com/repository/aaa-bbb-ccc/'. Effectively, you will need to create a CRL at 'rsync://rpki.example.com/repository/aaa-bbb-ccc/aaa-bbb-ccc.crl' and a manifest at 'rsync://rpki.example.com/repository/aaa-bbb-ccc/aaa-bbb-ccc.mft'.
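The URI rule above, turned into a check you can run against your own publication point before submitting the up/down request. This is example code added for this page, not ARIN's; the local publication directory, the function names and the rsync-only scheme check are assumptions of the example, and the distinguished name 'aaa-bbb-ccc' is the page's own placeholder.

```python
"""Derive the CA Repository URI, CRL and manifest locations that ARIN's
resource certificate will point at, and check that a local publication
directory actually contains those files.

Added example for this page; not ARIN's code. Assumes the repository is served
over rsync and that the local directory given as publication_root is what the
rsync daemon exports for the Base CA Repository URI."""
import os
from urllib.parse import urlsplit


def normalize_base_uri(base_uri):
    """Validate the Base CA Repository URI and force the trailing slash.

    ARIN appends the certificate's distinguished name to this string, so a
    base of 'rsync://host/repository' (no slash) would produce
    'rsync://host/repositoryaaa-bbb-ccc/' and the objects would never be found.
    """
    parts = urlsplit(base_uri)
    if parts.scheme != "rsync":
        raise ValueError(f"expected an rsync:// URI, got {parts.scheme!r}")
    if not parts.netloc:
        raise ValueError("Base CA Repository URI has no host")
    return base_uri if base_uri.endswith("/") else base_uri + "/"


def expected_objects(base_uri, dn):
    """Return the CA Repository URI plus the CRL and manifest URIs under it."""
    ca_repo = normalize_base_uri(base_uri) + dn + "/"
    return {
        "ca_repository": ca_repo,
        "crl": f"{ca_repo}{dn}.crl",
        "manifest": f"{ca_repo}{dn}.mft",
    }


def uri_to_local_path(uri, base_uri, publication_root):
    """Map a URI below the base URI onto the directory the rsync server exports."""
    base = normalize_base_uri(base_uri)
    if not uri.startswith(base):
        raise ValueError(f"{uri} is outside {base}")
    return os.path.join(publication_root, uri[len(base):])


def missing_objects(base_uri, dn, publication_root):
    """Names ('crl', 'manifest') of required objects absent from the local repo."""
    objs = expected_objects(base_uri, dn)
    return [
        name for name in ("crl", "manifest")
        if not os.path.isfile(uri_to_local_path(objs[name], base_uri, publication_root))
    ]


if __name__ == "__main__":
    base = "rsync://rpki.example.com/repository"   # trailing slash deliberately omitted
    for name, uri in expected_objects(base, "aaa-bbb-ccc").items():
        print(f"{name:14} {uri}")
    # With an empty publication directory both objects are reported missing.
    print(missing_objects(base, "aaa-bbb-ccc", "/var/lib/rpki/publication"))
```

Run it with the base URI and distinguished name you intend to submit and point `publication_root` at the directory your rsync daemon exports; an empty list from `missing_objects` means the CRL and manifest sit exactly where the certificate's CA Repository URI will lead a relying party.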

Creating a Certificate Revocation List (CRL)

In the context of Public Key Infrastructures (PKIs), a CRL is a list of resource certificates that have been revoked, and should not be relied upon. ARIN publishes its CRL for Hosted RPKI within its RPKI Repository every 24 hours. A CRL is always issued by the Certificate Authority (CA) which issues the corresponding certificates. A Delegated RPKI participant must therefore publish its own CRL, signed with its Delegated RPKI private key, inside the repository located at the Base CA Repository URI provided to ARIN.

Internet Engineering Task Force (IETF) Requests for Comments (RFCs) Relevant to Delegated RPKI

Registration Services Help Desk

Interacting With ARIN

Monday through Friday
7:00 AM to 7:00 PM ET
Phone: +1.703.227.0660
Fax: +1.703.997.8844
Email: hostmaster@arin.net