
RPKI Frequently Asked Questions

What is a Resource?

In the context of RPKI, a resource is a grouping of Internet Protocol (IP) addresses or Autonomous System Numbers (ASNs) that uniquely identify a computer or a network on the Internet. Routers use these numbers much like the Post Office uses addresses to help route mail to recipients.

What is a Resource Certificate?

A resource certificate is an electronic file that serves as proof that a resource has been assigned to an individual or company for their use. These certificates list a collection of Internet number resources (IPv4 addresses, IPv6 addresses, and ASNs) that are associated with a holder of those resources. Resource certificates provide a means of third-party validation of assertions related to resource allocations using proven cryptographic algorithms. These certificates contain no identifying information about who the holder of the resources is; resource holders can prove their legitimacy using their private key to sign information such as a Route Origin Authorization (ROA) Request. Relying Parties can then validate these signed objects with the corresponding public key.

For information on obtaining resource certificates using ARIN Online click here.

How do I Access my Resource Certificate Once It Has Been Generated?

Once ARIN has generated a resource certificate for you, there are two ways to find it.

  1. Download the file from the ARIN ticket:
    • Log into ARIN Online
    • Select TRACK TICKETS from the left-hand menu
    • Find the ticket within which ARIN generated your resource certificate
    • Your resource certificate will be within this ticket as a downloadable attachment
  2. View the information from the Manage RPKI page:
    • Log into ARIN Online
    • Select ORGANIZATION DATA from the left-hand menu
    • Select the organization you wish to view the resource certificate for
    • Select "manage rpki" from the right-hand menu
    • Select "view cert" on the appropriate certificate entry
      • The resource certificate information will be displayed in the body of the page

Why Does ARIN Only Need My Public Key to Create a Resource Certificate for Me?

ARIN uses the organization and Internet number resource data linked to your ARIN Online account to create a certificate file as a convenience. The only information ARIN cannot automatically fill in is the public key of your ROA Request Generation Key Pair.

What is a Public Key Infrastructure (PKI)?

A PKI is an infrastructure centered around creating, managing, distributing, using, storing, and revoking digital certificates.

What is Resource Public Key Infrastructure (RPKI)?

RPKI is a free, opt-in service that allows users to certify their IPv4 and IPv6 address space and help secure Internet routing. Using cryptographically verifiable certificates, RPKI allows IP address holders to create public statements specifying which Autonomous Systems are authorized to originate their IP address prefixes. These statements, known as Route Origin Authorizations (ROAs), allow network operators to make informed routing decisions. This work is a bootstrap to end-to-end secure routing that is being tackled within IETF's SIDR working group, with involvement from Regional Internet Registries (RIRs), Local Internet Registries (LIRs), and numerous Internet Service Providers (ISPs).

Which RPKI Model is Right For Me?

Hosted RPKI

Hosted RPKI is an infrastructure in which ARIN hosts a Certificate Authority (CA) and signs all ROAs for resources within the ARIN region. Only direct resource holders can participate in RPKI. Any downstream organization must have their upstream provider submit ROA Requests on their behalf.

Hosted RPKI requires that ARIN hosts the private key of your ROA Request Generation Key Pair. Hosted RPKI's benefits include:

  • Ease of use
  • Little to no coding required from participants
  • Certificate Authority functionality work taken care of by ARIN
  • Data security via a Hardware Security Module (HSM)
  • Functioning repository provided by ARIN

Delegated RPKI

Delegated RPKI refers to an infrastructure in which ARIN allows direct resource holders to host their own CA and sign ROAs on their own. Resources then are linked to ARIN's RPKI repository. This hierarchical system of verification allows customers of direct Internet number resource holders to participate in RPKI, using their resource provider as a CA.

Delegated RPKI does NOT require ARIN to host the private key of your Delegated RPKI Key Pair, and allows you to, in turn, offer either Hosted or Delegated RPKI resources to your customers. However, there are a number of resource and knowledge requirements for any organization wishing to participate.

  • Before signing up, you must have:
    • IPv4 or IPv6 resources obtained directly from ARIN
    • A signed RSA or LRSA covering the resources you wish to certify
    • An ARIN Online account linked to an admin, tech, or abuse Point of Contact (POC) with authority to manage the resources you wish to certify
    • An Up/Down identity
  • Once you become a participant, you must:
    • Exchange your public key associated with your Delegated RPKI private key with ARIN via ARIN Online
    • Create an infrastructure in which to host a CA, both hardware- and software-wise
    • Perform all work required for maintaining a CA and publishing a Certificate Practice Statement
    • Create an RPKI repository in which to host resource certificates and ROAs, as well as a manifest and Certificate Revocation List.

For more information about Delegated RPKI, click here.

What is Early Registration Transfer Project (ERX) space?

The Early Registration Transfer Project (ERX), initiated in 2002, transferred the management of the resources to the applicable RIR according to the region in which the resource registrants resided. The ERX project was completed in February 2005.

Why is some ERX space not eligible for resource certificates?

Some ERX space may not be eligible to be covered by resource certificates issued from ARIN because ARIN must coordinate with other RIRs for some of the early registration /8s. Any ERX space within one of these /8s is therefore ineligible to participate in ARIN's hosted RPKI at this time. This situation will change in the future once ARIN deploys the up-down protocol.

What is a Certificate Authority (CA)?

A CA is an entity that issues digital certificates. ARIN currently acts as a CA for its RPKI, issuing resource certificates within the ARIN region. In the future, ARIN plans to provide delegated RPKI, which will allow for entities with IP addresses and Autonomous System Numbers assigned directly from ARIN to act as a CA to their customers.

What is a ROA Request Generation Key Pair?

The term "key pair" refers to the two separate pieces of data (a public key and a private key) created using Public-key cryptography, a system used to secure data. As a hosted RPKI participant, you will generate and use ROA Request Generation Key Pairs to secure your Route Origin Authorization (ROA) and resource certificate data and cryptographically verify your identity. Your public key is provided to ARIN when you sign up to participate in Hosted RPKI, and is used to cryptographically verify Route Origin Authorization (ROA) Requests which have been signed by the corresponding private key. Hosted RPKI users must create a ROA Request Generation Key Pair before requesting resource certificates or generating ROA Requests. For ARIN Online users with authority over multiple organizations and their resources, it is highly recommended to use a separate ROA Request Generation Key Pair for each organization.

How do I Make a ROA Request Generation Key Pair?

What is a Delegated RPKI Key Pair?

The term "key pair" refers to the two separate pieces of data (a public key and a private key) created using Public-key cryptography, a system used to secure data. As a Delegated RPKI participant, you will generate and use a Delegated RPKI Key Pair for two reasons. The public key of this key pair will be given to ARIN when requesting a resource certificate from ARIN. The private key of this key pair will be used to sign the manifest and Certificate Revocation List (CRL) within the RPKI repository you create. For ARIN Online users with authority over multiple organizations and their resources, it is highly recommended to use a separate Delegated RPKI Key Pair for each organization.

How do I Make a Delegated RPKI Key Pair?

What is a public key?

A public key is the part of a key pair that may be distributed safely to others. It is mathematically paired with the private key that was generated alongside it. This key is provided to ARIN when the user signs up to participate in RPKI, and is used to cryptographically verify Route Origin Authorization (ROA) Requests which have been signed by the corresponding private key. 

What is a private key?

A private key is the part of the key pair that MUST be securely stored, and must NOT be distributed. RPKI participants use private keys to sign Route Origin Authorization (ROA) Requests. When a block of data is signed using a resource holder's private key, their public key can be used to verify that data.

Note: Private keys MUST be kept private, and must not be shared with anyone outside your organization. Should another entity have access to your private key, that entity would be able to effectively represent itself as your organization, voiding the security RPKI is designed to maintain.

IF YOUR PRIVATE KEY IS LOST OR COMPROMISED, YOU MUST START THE RESOURCE CERTIFICATION PROCESS AGAIN FROM SCRATCH

How do I Make a ROA Request Generation or Delegated RPKI Key Pair?

ROA Request Generation and Delegated RPKI Key Pairs may be generated numerous ways. A recommended method is through OpenSSL using the following commands:

  • openssl genrsa -out orgkeypair.pem 2048
    • This command generates a ROA Request Generation Key Pair and saves it as a file named orgkeypair.pem
  • openssl rsa -in orgkeypair.pem -pubout -outform PEM -out org_pubkey.pem
    • This command extracts the public key from the ROA Request Generation key pair and writes it to a file named org_pubkey.pem
  • Your key pair is now in a file called orgkeypair.pem, and the public key is in org_pubkey.pem. The private key contained in the key pair file is not to be shared and should be kept secure.

If using an alternate method, be sure to generate a key pair that:

  • Is an RSA key pair
  • Is 2048 bits in length
  • Uses the public exponent F4

Before participating in Hosted or Delegated RPKI, you must provide the contents of org_pubkey.pem within the Manage RPKI page in ARIN Online. This content should look somewhat like the example below:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzh/1Ws2aiqyxR0tqpkAC
tLGhQMrkYfcxYl7BzxFaSEitdsNhxqNZjAt+IB/yQ9XEKaHL87cqmZlrtEGju0Dk
QKym0onn3JXtS7S1OTRQbjWPN0k9/1HnP/R5xnQvGfaMOPm9S5If6DPr63109inX
5JXv4yNx/x8GZAT+RrhRW/I+PzmXVeSwc89LbADblpQR5x9x6173ncHUV+6UJr2M
niBl7OcFW61jbGhTQSrb9xoUli7IyAciziESE6cG2gqw0fW/ZOo7pUToPaDAPxHJ
vLq0uqtlpG5z3MpAoVibtdtuF9BF2dKHFF6TMwUKJaQ5EQZ+/iODk6CuWz6Q5iZN
GwIDAQAB
-----END PUBLIC KEY-----

What is a Base CA Repository Uniform Resource Identifier (URI)?

A URI is a string of characters used to identify a name or resource, allowing it to be found and interacted with over a network, such as the Internet (Example: rsync://rpki.example.com/repository/). When signing up for Delegated RPKI with ARIN, you must provide a Base CA Repository URI that matches the location of your RPKI repository, which allows ARIN to reference it.

Every resource certificate has a CA Repository URI which describes where to find the delegated RPKI repository. ARIN will set the CA Repository URI of your resource certificate by combining the Base CA Repository URI you specify at request time with the distinguished name of your resource certificate.

For example, assume you specify a Base CA Repository URI of 'rsync://rpki.example.com/repository/' and your resource certificate has a distinguished name of 'aaa-bbb-ccc'. Your CA Repository URI is 'rsync://rpki.example.com/repository/aaa-bbb-ccc/'. Effectively, you will need to create a CRL at 'rsync://rpki.example.com/repository/aaa-bbb-ccc/aaa-bbb-ccc.crl' and a manifest at 'rsync://rpki.example.com/repository/aaa-bbb-ccc/aaa-bbb-ccc.mft'.

What is a Hardware Security Module (HSM)?

An HSM is a secure cryptographic processor that manages digital keys and certificates used in ARIN's RPKI as well as other forms of public key cryptography. ARIN uses an HSM and Route Origin Authorization (ROA) Request Generation Key Pairs in order to establish nonrepudiation. Nonrepudiation refers to the inability for a party (in this case, an ARIN customer) to dispute or deny having performed an action (in this case, submitting a ROA Request). Any ROA Request received by ARIN is logged and traceable to the customer who initiated it.

What is a Route Origin Authorization (ROA)?

A ROA is a cryptographically signed object that states which Autonomous System (AS) is authorized to originate a particular prefix or set of prefixes. ROAs may only be generated for Internet number resources covered by your resource certificate. A ROA is composed of:

  • A ROA name
  • An AS number (ASN)
  • A validity date range
  • One or more IP Addresses (along with a CIDR block designation and an optional max length). 

Once generated, your ROAs may be viewed by selecting view ROAs on the resource certificate entry found on your organization's "Manage RPKI" page.

What is a ROA Request?

A ROA Request is a request for ARIN to generate a ROA for you. 


After providing the above information, a ROA Request must be signed with your private key. This request is then submitted to ARIN. ARIN will generate and sign the ROA, and publish it to ARIN's RPKI repository. 

Note: Once an RPKI user has successfully received a resource certificate from ARIN, ROA requests may be submitted either through ARIN Online or programmatically via REST. For the specific RESTful method, visit the RESTful Methods page.

How do I Sign a ROA Request?

Signing a ROA Request may be done in two ways: Within ARIN Online (browser-signed), or from the command line (manually signed).

In-Browser

Using the browser-signed method is the quicker of the two. Simply fill in the form provided for you within ARIN Online detailing each part of the ROA Request. Next, browse for and attach the private key from the ROA Request Generation Key Pair you provided ARIN for that particular organization. Using JavaScript, the browser signs the data you provided.

Note: Your private key is never uploaded to ARIN and the signing code is run only on your computer.

Using OpenSSL

If signing your ROA Request manually, the easiest way to do so is to fill out the ROA Request in the required format by putting it into a text file and then signing that file with OpenSSL. Once the text file is signed, its contents should be copied into the online form and submitted to ARIN.

The following commands assume a Bourne compatible shell.

Note: The following ROA data field values are for example only, and should be replaced with content appropriate to your organization and ROA Request.

  • echo -n "1|1340135296|My First ROA|1234|05-25-2011|05-25-2012|10.0.0.0|8|16|" > roadata.txt
    • This command uses echo to save your data to a text file
  • openssl dgst -sha256 -sign orgkeypair.pem -keyform PEM -out signature roadata.txt
    • This command generates the signature of the ROA data file using OpenSSL and your private key
  • openssl enc -base64 -in signature > sig_base64
    • This command converts the signature to Base64 using OpenSSL. It should look something like the example below:

RGWqTwh/z7+mC/R9VJIcb1eUgTTigB8xFV+DYzEhim4wM00hp4GRfeJQL6JFXG1l
mAfVWCVe5rFxP7Py/hGslQF43wt/PMztYSc0YIiYXjVB+heLgzDt4iaFdjJS4oxT
rJhawuaYCwYIwzFyDsOEX+Tt9aq0votJxSe0dkw5FCIC5/oGIpW6+fDMeBQir3p9
wDIIGhyOlgwz2xlOu3d/qNbgCp0UKkgMs1QrKauw4dDJSVh0YlE/No6Ao9Ez3gWc
9kk367y5fZgeWiF6ucFsDq2VDtCvcQ/yS+NMbRuK51+V4ZUmBg8US+wwwEPpBMt8
MCQ5BTShwlAdejOykIsviQ==

After using the above command lines, wrap the contents of the ROA data and the Base64 encoded signature with a Begin and End block as follows:

-----BEGIN ROA REQUEST-----

<ROA Request data>

-----END ROA REQUEST-----

-----BEGIN SIGNATURE-----

<signature>

-----END SIGNATURE-----

The contents should now look similar to example below:

-----BEGIN ROA REQUEST-----

1|1340135296|My First ROA|1234|05-25-2011|05-25-2012|10.0.0.0|8|16|

-----END ROA REQUEST-----

-----BEGIN SIGNATURE-----

RGWqTwh/z7+mC/R9VJIcb1eUgTTigB8xFV+DYzEhim4wM00hp4GRfeJQL6JFXG1l
mAfVWCVe5rFxP7Py/hGslQF43wt/PMztYSc0YIiYXjVB+heLgzDt4iaFdjJS4oxT
rJhawuaYCwYIwzFyDsOEX+Tt9aq0votJxSe0dkw5FCIC5/oGIpW6+fDMeBQir3p9
wDIIGhyOlgwz2xlOu3d/qNbgCp0UKkgMs1QrKauw4dDJSVh0YlE/No6Ao9Ez3gWc
9kk367y5fZgeWiF6ucFsDq2VDtCvcQ/yS+NMbRuK51+V4ZUmBg8US+wwwEPpBMt8
MCQ5BTShwlAdejOykIsviQ==

-----END SIGNATURE-----

Finally, copy the contents of that file into the ‘Submit Signed ROA’ tab within ARIN Online and submit it to ARIN.
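The manual signing steps above, gathered into one script as an added example (not ARIN's tooling), with a check the FAQ does not show: after signing, the Base64 signature is decoded and verified against org_pubkey.pem, which catches a wrong key or an altered data line before anything is submitted. Assumptions: openssl is on PATH, the ROA field values are the FAQ's constructed sample (the meaning of the first two fields, taken here as a format version and a Unix timestamp, is inferred rather than stated on the page), and printf stands in for echo -n, which is not portable across Bourne shells.

```shell
#!/bin/sh
# Added example, not ARIN's own tooling: build, sign, Base64-encode, wrap and
# verify a hosted-RPKI ROA Request with the same OpenSSL steps the FAQ lists.
# Assumes: openssl on PATH, a writable scratch directory, and that the ROA
# field values below are constructed sample data to be replaced with your own.

# Generate the RSA-2048 ROA Request Generation Key Pair (OpenSSL's default
# public exponent is F4 = 65537) and extract the public key for ARIN Online.
make_keypair() {
  dir=$1
  openssl genrsa -out "$dir/orgkeypair.pem" 2048 2>/dev/null
  openssl rsa -in "$dir/orgkeypair.pem" -pubout -outform PEM \
    -out "$dir/org_pubkey.pem" 2>/dev/null
}

# Emit the pipe-delimited ROA data line, fields in the order the FAQ shows
# (assumed meaning): version|timestamp|name|ASN|start|end|prefix|length|maxlength|
# printf with no trailing newline mirrors `echo -n`: the signature covers
# exactly these bytes, so a stray newline would make verification fail.
build_roadata() {
  printf '%s|%s|%s|%s|%s|%s|%s|%s|%s|' "$@"
}

# Sign roadata.txt with the private key (SHA-256 digest, RSA signature) and
# Base64-encode the raw signature, as in the FAQ's two openssl commands.
sign_roadata() {
  dir=$1
  openssl dgst -sha256 -sign "$dir/orgkeypair.pem" -keyform PEM \
    -out "$dir/signature" "$dir/roadata.txt"
  openssl enc -base64 -in "$dir/signature" > "$dir/sig_base64"
}

# Check before submitting: decode the Base64 signature and verify it with
# the public key you gave ARIN. Returns 0 only if it matches the data file.
verify_roadata() {
  dir=$1
  openssl enc -base64 -d -in "$dir/sig_base64" -out "$dir/signature.bin"
  openssl dgst -sha256 -verify "$dir/org_pubkey.pem" \
    -signature "$dir/signature.bin" "$dir/roadata.txt" >/dev/null 2>&1
}

# Wrap data and signature in the BEGIN/END blocks the ARIN form expects.
wrap_request() {
  dir=$1
  {
    echo '-----BEGIN ROA REQUEST-----'
    cat "$dir/roadata.txt"; echo
    echo '-----END ROA REQUEST-----'
    echo '-----BEGIN SIGNATURE-----'
    cat "$dir/sig_base64"
    echo '-----END SIGNATURE-----'
  } > "$dir/roa_request.txt"
}

# End-to-end run on the FAQ's sample fields; prints the wrapped request only
# if the signature verifies against the extracted public key.
demo() {
  dir=$(mktemp -d)
  make_keypair "$dir"
  build_roadata 1 1340135296 "My First ROA" 1234 05-25-2011 05-25-2012 \
    10.0.0.0 8 16 > "$dir/roadata.txt"
  sign_roadata "$dir"
  wrap_request "$dir"
  verify_roadata "$dir" && cat "$dir/roa_request.txt"
}
```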

What is a Validator?

A validator is a program used to fetch a published repository, validate its contents, and output the results. The results are then used to make informed routing decisions.

Validators available for use include:

What is a Certification Practice Statement (CPS)?

A CPS is a document that explains certificate policies and Certificate Authority (CA) operational procedures. ARIN has published a CPS describing the practices of the ARIN Certificate Authority. The CPS describes the participants, certificate types, processes, and management within ARIN's RPKI, as well as related business and legal issues. This document may be viewed here.

What is a Repository?

Repository refers to the digital listing in which ARIN publishes Route Origin Authorizations, resource certificates, Certificate Revocation Lists (CRLs), and manifests. This repository is available to be downloaded via rsync, and may be automatically fetched using a validator. Relying parties may use this data to make more informed decisions about how they route to various locations on the Internet. ARIN's RPKI repository is updated with the most current data every 24 hours. Relying parties wishing to access ARIN's RPKI repository will need to download ARIN's Trust Anchor Locator (TAL).

What is a Certificate Revocation List (CRL)?

In the context of Public Key Infrastructures (PKIs), a CRL is a list of resource certificates that have been revoked, and should not be relied upon. ARIN publishes its CRL for Hosted RPKI within its RPKI Repository every 24 hours. A CRL is always issued by the Certificate Authority (CA) which issues the corresponding certificates. A Delegated RPKI participant must publish its own CRL inside the repository located at the Production URI provided to ARIN.

What is a Manifest?

In the context of RPKI, a manifest is a signed object containing a listing of all the signed files in a Certificate Authority (CA)'s RPKI repository. Manifests contain a filename and a hash of file content for each resource certificate, Certificate Revocation List (CRL), or other signed object published in the repository. Manifests allow a Relying Party (RP) to detect certain forms of attacks against their RPKI repository.

What is a Relying Party (RP)?

An RP is any entity that uses ARIN's RPKI repository data to help them make informed routing decisions. For information on how to locate and utilize this data, click here.

What is a Resource Trust Anchor (RTA)?

An RTA is a self-signed digital certificate containing ARIN's public key. This certificate is downloaded by relying parties wishing to retrieve information from ARIN's RPKI repository, and used to verify its validity. Before re-syncing information from ARIN's RPKI repository, a relying party should:

  • Retrieve the object referenced by the URL contained in the TAL
  • Confirm that the retrieved object is a current, self-signed RPKI certificate
  • Confirm that the public key in the TAL matches the public key in the retrieved object
  • Perform other checks, as deemed appropriate (locally), to ensure that you are willing to accept the entity publishing this self-signed certificate to be a trust anchor

Note: This certificate is updated when ARIN's resource set changes.

What is a Trust Anchor Locator (TAL)?

In the context of RPKI, the TAL refers to a file used to allow relying parties to retrieve the data within ARIN's RPKI repository (via rsync) and base routing decisions upon that data. ARIN's TAL contains two things:

  1. The URL of ARIN's published RPKI repository
  2. ARIN's PEM-encoded public key
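An added example (not ARIN's code) that runs the relying-party checks from the RTA section against a TAL of the form just described: it confirms that the retrieved object is a current, self-signed certificate and that the TAL's public key matches the certificate's. Assumptions: openssl is on PATH, the TAL uses the RFC 8630 layout (URI lines, a blank line, then the Base64 SubjectPublicKeyInfo), and the certificate and TAL are constructed locally with a hypothetical rsync URI so the script runs offline.

```shell
#!/bin/sh
# Added example, not ARIN's code: the relying-party checks on a trust anchor,
# run against a certificate and TAL constructed locally so it works offline
# (in practice you fetch the certificate from the URI inside the TAL).
# Assumes openssl on PATH and the RFC 8630 TAL layout: one or more URI lines,
# a blank line, then the Base64 DER SubjectPublicKeyInfo.

# Stand-in for the trust anchor: a self-signed RSA certificate.
make_trust_anchor() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ta.key" \
    -out "$dir/ta.cer" -subj "/CN=example-ta" -days 30 2>/dev/null
}

# Write a TAL for that certificate: hypothetical URI, blank line, public key.
write_tal() {
  dir=$1
  {
    echo 'rsync://rpki.example.com/repository/ta.cer'
    echo
    openssl x509 -in "$dir/ta.cer" -pubkey -noout | sed '/^-----/d'
  } > "$dir/example.tal"
}

# Check 1: the retrieved object is a current, self-signed certificate, i.e.
# it validates against its own key and has not expired.
check_self_signed() {
  cert=$1
  openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 &&
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1
}

# Check 2: the public key in the TAL equals the public key in the certificate.
# Both are compared as Base64 SubjectPublicKeyInfo with line breaks removed.
check_tal_key() {
  tal=$1; cert=$2
  tal_key=$(sed '1,/^$/d' "$tal" | tr -d '\r\n')
  cert_key=$(openssl x509 -in "$cert" -pubkey -noout | sed '/^-----/d' | tr -d '\n')
  [ -n "$tal_key" ] && [ "$tal_key" = "$cert_key" ]
}

# Both checks together; exit status 0 means the TAL may be accepted as a
# trust anchor, subject to whatever local policy checks you add.
accept_tal() {
  tal=$1; cert=$2
  check_self_signed "$cert" && check_tal_key "$tal" "$cert"
}
```

Real trust anchor certificates also carry the RFC 3779 resource extensions, which a full RPKI validator understands; this script covers only the two TAL checks listed above.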

In order to access ARIN's TAL:

  • Click here
  • Accept the ARIN Relying Party Agreement
  • Select Continue
  • Provide an email address to which ARIN will send the TAL
  • Select Continue
    • ARIN's TAL will then be emailed to the email address you provided.

If you are logged into ARIN Online:

  • Select DOWNLOADS & SERVICES on the left-hand side
  • Select "ARIN Trust Anchor Locator" from the list of downloads
  • Accept the ARIN Relying Party Agreement
  • Select Continue
    • ARIN's TAL will then be emailed to the email address you provided.

What is ARIN's Relying Party Agreement (RPA)?

ARIN's RPA comprises a set of terms and restrictions applicable to any entity wishing to access and/or utilize ARIN's TAL. This document is available here, and must be thoroughly read and accepted before ARIN's TAL is distributed to you.

Why must I accept the RPA before retrieving ARIN's TAL?

In an effort to prevent improper distribution, tampering, or forging of data contained within ARIN's TAL, all prospective relying parties must read and accept the RPA before gaining access to it.

How can I test RPKI without affecting my production data?

ARIN has implemented an RPKI instance within its Operational Test and Evaluation environment (OT&E), which offers the opportunity to experiment with different facets of RPKI and ROA requesting in an environment with a production-like repository and UI, without any impact on production data. For more information, see the OT&E page.

Which Internet Engineering Task Force (IETF) Requests for Comments (RFCs) relate to RPKI?

To learn more about RPKI's functions and origin, ARIN recommends reading the following RFCs:

To learn more about Delegated RPKI requirements, such as Uniform Resource Identifiers (URIs), manifests and Certificate Revocation Lists (CRLs), ARIN recommends reading the following RFCs:
