
Resource Public Key Infrastructure (RPKI)

RPKI is a free, opt-in service that allows users to certify their RSA/LRSA-covered Internet number resources to help secure Internet routing. Using cryptographically verifiable certificates, RPKI allows IP address holders to specify which Autonomous Systems (ASes) are authorized to originate their IP address prefixes. These statements, known as Route Origin Authorizations (ROAs), allow network operators to make informed routing decisions and help secure Internet routing in general. This initiative was developed within the IETF's SIDR Working Group, with involvement from Regional Internet Registries (RIRs), Local Internet Registries (LIRs), and numerous Internet Service Providers (ISPs).

For those seeking a basic understanding of Internet number resource certification (RPKI) and how it can help create a more secure Internet routing environment, the Number Resource Organization (NRO) has produced a brief introductory video, available on YouTube.

Which RPKI Model is Right For Me?

ARIN has released two models of RPKI: Hosted and Delegated.

Hosted RPKI

Hosted RPKI is an infrastructure in which ARIN hosts a Certificate Authority (CA) and signs all ROAs for resources within the ARIN region. Only direct resource holders can participate in Hosted RPKI; any downstream organization must have its upstream provider submit ROA Requests on its behalf.

In Hosted RPKI, ARIN operates the CA and holds, in its HSM, the private keys that sign your resource certificate and your ROAs. You generate a ROA Request Generation Key Pair, give ARIN the public key, and sign each ROA Request with the corresponding private key. Hosted RPKI's benefits include:

  • Ease of use
  • Little to no coding required from participants
  • Certificate Authority functionality work taken care of by ARIN
  • Data security via a Hardware Security Module (HSM)
  • Functioning repository provided by ARIN

Delegated RPKI

Delegated RPKI does NOT require ARIN to hold the private key of your Delegated RPKI Key Pair: you operate your own CA beneath ARIN's, and can in turn offer either Hosted or Delegated RPKI to your customers. However, there are a number of resource and knowledge requirements for any organization wishing to participate.

  • Before signing up, you must have:
    • IPv4 or IPv6 resources obtained directly from ARIN
    • A signed RSA or LRSA covering the resources you wish to certify
    • An ARIN Online account linked to an admin, tech, or abuse Point of Contact (POC) with authority to manage the resources you wish to certify
  • Once you become a participant, you must:
    • Exchange the public key associated with your Delegated RPKI private key with ARIN via ARIN Online
    • Create an infrastructure in which to host a CA, both hardware- and software-wise
    • Perform all work required to maintain a CA and publish a Certification Practice Statement (CPS)
    • Create an RPKI repository in which to host resource certificates and ROAs, as well as a manifest and a Certificate Revocation List (CRL)

Up/Down RPKI

Up/Down RPKI refers to an alternative Delegated RPKI provisioning interface, in which users exchange identity XML with ARIN (the out-of-band setup later specified in RFC 8183) and then provision their resource certificates over the RFC 6492 Up/Down protocol. Up/Down RPKI users are still responsible for maintaining their own RPKI repository.

For more information about Delegated RPKI, see ARIN's Delegated RPKI page.

Operational Test and Evaluation (OT&E) Environment

ARIN has created an RPKI instance within its Operational Test and Evaluation environment (OT&E) for those wishing to experiment with RPKI without affecting production data. For more information, see the OT&E page.

Why Use RPKI?

Internet routing is dependent upon many chains of network relationships that are based on mutual trust. Each party trusts that the route used to transmit information is safe, accurate, and will not be maliciously altered. This model proved sufficient in the early stages of Internet development, but has become increasingly vulnerable to abuse and attack as the Internet's resources have undergone a massive increase in usage. As IPv4 address space depletes, an urgent need exists to strengthen routing security. Using cryptographically verifiable statements, RPKI helps to ensure that Internet number resource holders are certifiably linked to those resources, and reliable routing origin data is available upon which to base routing decisions.

RPKI can help fill these requirements through the generation of:

  • Resource certificates, which digitally verify that a resource has been allocated or assigned to a specific entity
  • Route Origin Authorizations (ROAs): digital statements specifying which Autonomous System may originate a specific IP address or range

ARIN encourages members of the Internet community to certify their resources through RPKI. Internet routing today is vulnerable to hijacking, and the provisioning and use of certificates is one of the steps required to make routing more secure. Widespread RPKI adoption will help simplify IP address holder verification and routing decision-making throughout the ARIN region.

ARIN Customers Wishing to Participate in RPKI:

In order to participate in RPKI, you will need:

Note: Some Early Registration Transfer Project space (ERX space) will not be covered by resource certificates at this time. ARIN plans to implement this in future releases of RPKI functionality; it requires ongoing coordination with the other Regional Internet Registries.

How to Participate in Hosted RPKI

  1. Log into ARIN Online and select MANAGE RESOURCES on the left-hand side
  2. Choose the organization you wish to manage RPKI for  
  3. Select MANAGE RPKI on the right-hand side
  4. Select Hosted RPKI
  5. Select "create resource certificate" on the right-hand side
  6. Read and agree to the RPKI Terms of Service
  7. Generate a ROA Request Generation Key Pair
  8. Enter your public key into the field provided
  9. Click Submit
    • This will generate a ticketed request for ARIN to generate a resource certificate covering your Internet number resources

Within the MANAGE RPKI section of ARIN Online, you may request and manage resource certificates and ROAs, as well as view which IPv4/IPv6 resources are currently covered.

Hosted RPKI ROA Creation and ARIN's Hardware Security Module (HSM)

Note: ROA Requests are only accepted if they are signed with a private key that corresponds to a public key linked to the customer submitting the request. This check is enforced by custom code on ARIN's HSM, which may not be tampered with or altered in any way. Before submitting ROA Requests, you must sign up for RPKI and submit your public key. Once an RPKI user has received a resource certificate from ARIN, ROA Requests may be submitted either through ARIN Online or programmatically via REST. For the specific RESTful method, visit the RESTful Methods page.

ROAs generated and signed by ARIN are published in ARIN's RPKI repository, where network operators looking for statements on which to base their routing decisions can download and validate them using publicly available tools. ROA data is protected by performing all cryptographic operations in a trusted environment on a Hardware Security Module (HSM) designed for this kind of key protection and signing.

How to Participate in Delegated RPKI

Visit ARIN's Delegated RPKI page for more information.

Relying Parties Wishing to Utilize RPKI Data to Make Routing Decisions

Any entity may become an RPKI relying party by accepting ARIN's Relying Party Agreement, which allows it to retrieve and validate data from ARIN's RPKI repository.

ARIN's Trust Anchor Locator (TAL)

In RPKI, a validator (relying party software) starts from a TAL. ARIN's TAL contains the location of ARIN's trust anchor certificate and ARIN's public key; the validator fetches that certificate, uses the key to verify that ARIN signed it, and then follows it into ARIN's repository to verify the certificates, manifests, CRLs and ROAs within.

In order to access ARIN's TAL:

  • Go to ARIN's TAL download page
  • Accept the ARIN Relying Party Agreement
  • Select Continue
  • Provide an email address to which ARIN will send the TAL
  • Select Continue
    • ARIN's TAL will then be emailed to the email address you provided.

If you are logged into ARIN Online:

  • Select DOWNLOADS & SERVICES on the left-hand side
  • Select "ARIN Trust Anchor Locator" from the list of downloads
  • Accept the ARIN Relying Party Agreement
  • Select Continue
    • ARIN's TAL will then be emailed to the email address you provided.
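As an added example (not ARIN's code, and not ARIN's actual TAL), the following Python parses a TAL of the form described above and pins the trust anchor key by its SHA-256 fingerprint, the check a relying party should make once, out of band, before trusting a TAL it received by email. The URIs and the key material are constructed for illustration: the key is structurally valid DER but is not a real RSA key.

```python
"""Parse a Trust Anchor Locator (TAL) and pin the trust anchor key.

Added example, not ARIN's code or ARIN's real TAL. A TAL (RFC 7730, with
comment lines added by RFC 8630) is plain text: one or more URIs of the trust
anchor certificate, a blank line, then the trust anchor's subjectPublicKeyInfo
in base64. Everything below that is "sample" or "constructed" is made up.
"""
import base64
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed sample key."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode the DER length at buf[pos]; return (content length, content offset)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes


@dataclass(frozen=True)
class TAL:
    uris: List[str]
    spki: bytes
    fingerprint: str  # SHA-256 of the DER subjectPublicKeyInfo, hex


def parse_tal(text: str) -> TAL:
    lines = [ln.strip() for ln in text.splitlines() if not ln.lstrip().startswith("#")]
    i = 0
    while i < len(lines) and lines[i] == "":  # tolerate leading blank lines
        i += 1
    uris = []
    while i < len(lines) and lines[i] != "":  # URI section ends at the first blank line
        if not lines[i].startswith(("rsync://", "https://")):
            raise ValueError("unexpected URI scheme in TAL: " + lines[i])
        uris.append(lines[i])
        i += 1
    if not uris:
        raise ValueError("TAL has no URI section")
    spki = base64.b64decode("".join(lines[i:]), validate=True)
    # Outer SEQUENCE whose length must account for every byte (rejects trailing junk).
    if not spki or spki[0] != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a DER SEQUENCE")
    total, content = der_length(spki, 1)
    if content + total != len(spki):
        raise ValueError("DER length does not match key data")
    # First element is AlgorithmIdentifier; RPKI trust anchors use RSA.
    if spki[content] != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    alg_len, alg_start = der_length(spki, content + 1)
    if RSA_OID not in spki[alg_start:alg_start + alg_len]:
        raise ValueError("trust anchor key is not rsaEncryption")
    return TAL(uris, spki, hashlib.sha256(spki).hexdigest())


def matches_pin(tal: TAL, expected_fingerprint: str) -> bool:
    """Compare with a fingerprint obtained out of band (e.g. from the RIR) before first use."""
    return hashlib.sha256(tal.spki).hexdigest() == expected_fingerprint.lower()


def sample_spki() -> bytes:
    """Constructed RSA-shaped subjectPublicKeyInfo (2048-bit odd modulus, e=65537). Not a real key."""
    n = int.from_bytes(hashlib.sha256(b"constructed modulus").digest() * 8, "big") | (1 << 2047) | 1
    rsa_pub = der(0x30, der(0x02, b"\x00" + n.to_bytes(256, "big")) + der(0x02, b"\x01\x00\x01"))
    return der(0x30, der(0x30, RSA_OID + b"\x05\x00") + der(0x03, b"\x00" + rsa_pub))


# Constructed TAL: example.net URIs and the constructed key above.
SAMPLE_TAL = (
    "# constructed TAL for illustration\n"
    "rsync://rpki.example.net/repository/ta.cer\n"
    "https://rrdp.example.net/ta.cer\n"
    "\n" + base64.encodebytes(sample_spki()).decode()
)

if __name__ == "__main__":
    tal = parse_tal(SAMPLE_TAL)
    print(tal.uris, tal.fingerprint)
```

The fingerprint is taken over the DER subjectPublicKeyInfo rather than over the text of the TAL, so a TAL re-wrapped or re-commented by an intermediary still pins to the same key, while a swapped key fails the pin.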

Validation Tools

The following tools may be used to fetch ARIN RPKI repository information via ARIN's TAL:

Once you have downloaded a validator, ARIN recommends reading "The RPKI/Router Protocol" (RFC 6810, updated by RFC 8210) to learn how validated RPKI information is transferred to routers.
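As an added example (not ARIN's code), the following Python shows what a router does with ROA data once a validator has delivered it: the RFC 6811 origin-validation algorithm applied to Validated ROA Payloads (the prefix/maxLength/ASN triples the RPKI-to-Router protocol carries). It goes slightly beyond the text by covering the maxLength and AS 0 cases. All VRPs, prefixes and AS numbers are constructed from documentation ranges and private-use ASNs, not real ROA data.

```python
"""Origin validation of BGP announcements against ROA data (RFC 6811).

Added example, not ARIN's code. A relying-party validator turns the ROAs it
fetches via a TAL into Validated ROA Payloads (VRPs): (prefix, maxLength, ASN).
Routers receive VRPs over RPKI-to-Router and classify each route as Valid,
Invalid or NotFound. Every VRP and route below is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    prefix: IPNetwork
    max_length: int
    asn: int


def make_vrp(prefix: str, asn: int, max_length: Optional[int] = None) -> VRP:
    """Build a VRP; a ROA with no maxLength authorizes exactly the prefix length."""
    net = ipaddress.ip_network(prefix, strict=True)
    if max_length is None:
        max_length = net.prefixlen
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError("maxLength %d out of range for %s" % (max_length, net))
    return VRP(net, max_length, asn)


def validate_origin(vrps: List[VRP], prefix: str, origin_as: int) -> str:
    """Classify one route per RFC 6811 section 2.

    Covered: the route lies inside the VRP prefix (maxLength is NOT consulted here).
    Matched: covered, route length <= maxLength, and origin AS equals the VRP ASN.
    Valid if any VRP matches; Invalid if covered but nothing matches; NotFound otherwise.
    """
    route = ipaddress.ip_network(prefix, strict=True)
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return "NotFound"
    for v in covering:
        # AS 0 in a ROA means "nobody may originate this" (RFC 6483): it covers but never matches.
        if v.asn != 0 and v.asn == origin_as and route.prefixlen <= v.max_length:
            return "Valid"
    return "Invalid"


def route_action(state: str) -> Dict[str, object]:
    """A common operator policy: reject Invalid, prefer Valid over NotFound via local preference."""
    policy = {"Valid": {"accept": True, "local_pref": 200},
              "NotFound": {"accept": True, "local_pref": 100},
              "Invalid": {"accept": False, "local_pref": None}}
    return policy[state]


# Constructed VRPs (documentation prefixes, private-use ASNs).
SAMPLE_VRPS = [
    make_vrp("192.0.2.0/24", 64496),                    # maxLength defaults to 24
    make_vrp("203.0.113.0/24", 64497, max_length=26),   # allows /24 through /26
    make_vrp("198.51.100.0/24", 0),                     # AS 0 ROA: must not appear in BGP at all
    make_vrp("2001:db8::/32", 64496, max_length=48),
]

# Constructed announcements as (prefix, origin AS).
SAMPLE_ROUTES = [
    ("192.0.2.0/24", 64496),      # Valid
    ("192.0.2.0/25", 64496),      # Invalid: more specific than maxLength, even from the right AS
    ("203.0.113.128/26", 64497),  # Valid: within maxLength 26
    ("203.0.113.0/24", 64498),    # Invalid: wrong origin AS (the classic hijack shape)
    ("198.51.100.0/24", 64499),   # Invalid: AS 0 ROA
    ("10.0.0.0/8", 64496),        # NotFound: no ROA covers it
    ("2001:db8:1::/48", 64496),   # Valid
    ("2001:db8::/64", 64496),     # Invalid: beyond maxLength 48
]


def validate_all(vrps: List[VRP], routes: List[Tuple[str, int]]) -> Dict[Tuple[str, int], str]:
    return {(p, a): validate_origin(vrps, p, a) for p, a in routes}


if __name__ == "__main__":
    for (p, a), state in validate_all(SAMPLE_VRPS, SAMPLE_ROUTES).items():
        print("%-20s AS%-6d %-8s %s" % (p, a, state, route_action(state)))
```

Note the 192.0.2.0/25 case: a ROA's maxLength is what bounds more-specific announcements, so issuing ROAs with a maxLength wider than what you actually announce leaves those unannounced more-specifics open to a forged-origin hijack (the attacker prepends your AS as origin), which is why a maxLength equal to the announced length is the safe default.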

RPKI at the OTHER RIRs

More information about RPKI at other RIRs is available at the following URLs:

