Delegated RPKI

Delegated RPKI is an infrastructure in which ARIN direct resource holders may request their own delegated resource certificates, allowing them to host their own Certificate Authority (CA). Using their CA, Delegated RPKI participants may then sign Route Origin Authorizations (ROAs) and issue resource certificates for their customers. This hierarchical system widens the availability of RPKI by allowing customers of direct ARIN resource holders to participate using their resource provider as a CA.

This hierarchy of resource certificates is validated from the top down, beginning with the nominated Trust Anchor. ARIN is the Trust Anchor for RPKI in its region. ARIN's RPKI repository holds a certificate for each organization participating in Delegated RPKI. In turn, each Delegated RPKI participant's repository will hold a resource certificate for each customer participating in Delegated RPKI through them. By following this chain, any resource certificate may be located and validated.

Note: ARIN has invested significant resources in the development of RPKI, and plans to continually evolve the service, including the migration to a single global Trust Anchor (TA).

Why Use Delegated RPKI?

Internet routing is dependent upon many chains of network relationships that are based on mutual trust. In recent years, this trust model has become increasingly vulnerable to abuse and attack as the Internet's resources have undergone a massive increase in usage. Using cryptographically verifiable statements, RPKI helps to ensure that Internet number resource holders are certifiably linked to those resources, and that reliable routing origin data is available upon which to base routing decisions. The Delegated RPKI model requires an initial investment of manpower and resources, but will allow an organization to sign, offer, and maintain cryptographically verifiable statements for their customers, strengthening the security of Internet routing as a whole and allowing for wider usage of RPKI, thus increasing its value to the community.

Delegated RPKI involves the signing and maintenance of the following objects:

  • Resource certificates, which digitally verify that a resource has been allocated or assigned to a specific entity
  • Route Origin Authorizations (ROAs): digital statements specifying which Autonomous System (AS) may originate a specific IP address or range
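The top-down validation described above (each certificate's resources must lie within its issuer's) and the ROA check that follows from it, as an added illustration that is not ARIN's code or any RPKI validator's: a constructed trust anchor, member and customer chain with documentation prefixes and AS numbers, validated for resource containment, then used for RFC 6811-style route origin validation. Real RPKI objects are X.509/CMS; signatures are assumed already verified here.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class ResourceCert:
    """A resource certificate: holder name and the prefixes it is certified for (RFC 3779 style)."""
    name: str
    prefixes: list
    children: list = field(default_factory=list)

@dataclass
class ROA:
    issuer: ResourceCert   # certificate under which the ROA was signed
    prefix: object         # ipaddress network object
    max_length: int
    origin_as: int

def covered_by(prefix, prefixes):
    """True when prefix lies within one of the given prefixes of the same address family."""
    return any(prefix.subnet_of(p) for p in prefixes if p.version == prefix.version)

def validate_hierarchy(cert, parent=None):
    """Walk from the trust anchor down; every certificate's resources must be within its issuer's."""
    problems = []
    if parent is not None:
        problems += [f"{cert.name}: {p} not within {parent.name}" for p in cert.prefixes if not covered_by(p, parent.prefixes)]
    for child in cert.children:
        problems += validate_hierarchy(child, cert)
    return problems

def roa_is_valid(roa):
    """A ROA is accepted only if its issuer's certificate covers the prefix and maxLength is sane."""
    return covered_by(roa.prefix, roa.issuer.prefixes) and roa.prefix.prefixlen <= roa.max_length <= roa.prefix.max_prefixlen

def route_origin_state(announced, origin_as, roas):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found' for an announced route."""
    covering = [r for r in roas if roa_is_valid(r) and covered_by(announced, [r.prefix])]
    if not covering:
        return "not-found"
    if any(r.origin_as == origin_as and announced.prefixlen <= r.max_length for r in covering):
        return "valid"
    return "invalid"   # a covering ROA exists but neither origin AS nor maxLength matches

# Constructed sample hierarchy: trust anchor -> ARIN member -> that member's customer (documentation ranges only).
net = ipaddress.ip_network
TA = ResourceCert("trust-anchor", [net("0.0.0.0/0"), net("::/0")])
member = ResourceCert("member-org", [net("192.0.2.0/24"), net("2001:db8::/32")])
customer = ResourceCert("customer", [net("192.0.2.128/25")])
TA.children.append(member); member.children.append(customer)
ROAS = [ROA(customer, net("192.0.2.128/25"), 26, 64496),
        ROA(member, net("2001:db8::/32"), 48, 64496)]
```

A certificate whose prefixes are not within its parent's makes the whole subtree below it untrustworthy; a validator rejects it rather than the individual ROAs.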

ARIN encourages members of the Internet community to certify their resources through RPKI, whether it be through the Hosted or Delegated model. Internet routing today is vulnerable to hijacking, and the provisioning and use of certificates is one of the steps required to make routing more secure. Widespread RPKI adoption will help simplify IP address holder verification and routing decision-making throughout the ARIN region.

Note: Some Early Registration Transfer Project Space (ERX space) will not be covered by resource certificates at this time. ARIN plans on implementing this feature in future releases of RPKI functionality. This involves ongoing coordination with other Regional Registries.

Delegated RPKI Requirements

Delegated RPKI does NOT require ARIN to host the private key of your Delegated RPKI Key Pair, and allows you to, in turn, offer either Hosted or Delegated RPKI resources to your customers. However, there are a number of resource and knowledge requirements for any organization wishing to participate.

  • Before signing up, you must have:
    • IPv4 or IPv6 resources obtained directly from ARIN
    • A signed RSA or LRSA covering the resources you wish to certify
    • An ARIN Online account linked to an admin or tech Point of Contact (POC) with authority to manage the resources you wish to certify
    • An Up/Down identity
  • Once you become a participant, you must:
    • Exchange your public key associated with your Delegated RPKI private key with ARIN via ARIN Online
    • Create an infrastructure in which to host a CA, both hardware- and software-wise
    • Perform all work required for maintaining a CA and publishing a Certificate Practice Statement
    • Create an RPKI repository in which to host resource certificates and ROAs, as well as a manifest and Certificate Revocation List

How to Participate in Delegated RPKI

  1. Log into ARIN Online and select Your Account > Organization Identifiers on the left-hand side
  2. Choose the organization you wish to manage RPKI for
  3. Select MANAGE RPKI on the right-hand side
  4. If you do not see this link, please ensure you meet the requirements for participation.
  5. Select Up/Down
  6. Read and agree to the RPKI Terms of Service
    • Not required for resources covered by an RSA version 12 or greater
  7. Generate an Up/Down Identity using your own Delegated RPKI software
  8. Submit your Up/Down Identity into the field provided
  9. Click Submit
    • This will generate a ticketed request for ARIN to sign your organization up for Up/Down-managed RPKI. Once approved, an Up/Down Parent Response will be available for download as an attachment on the ticketed request. You will need to configure your own delegated RPKI software using this Parent Response.

Next Steps

Once you have received a delegated resource certificate, you will need to create a repository that includes a Certificate Revocation List (CRL) and manifest that have been signed using the private key that corresponds with the public key you provided ARIN.

Internet Engineering Task Force (IETF) Requests for Comments (RFCs) Relevant to Delegated RPKI

