
Using RPKI at ARIN To Certify Resources

Overview

To use RPKI at ARIN to certify your resources, you need to do the following:

  1. Create an ARIN Online account.
  2. Set up a test account on the OT&E Server. (This is optional, but recommended.)
  3. Decide which model of RPKI you'll use: Hosted or Delegated.
  4. Follow the instructions provided to create the necessary files and configure RPKI in ARIN Online.

Which RPKI Model is Right For Me?

ARIN supports two models of RPKI: Hosted and Delegated.

Hosted RPKI

Hosted RPKI is an infrastructure in which ARIN hosts a Certificate Authority (CA) and signs all Route Origin Authorizations (ROAs) for resources within the ARIN region. Only direct resource holders can participate in RPKI. Any downstream organization must have its upstream provider submit ROA Requests on its behalf.

In Hosted RPKI, you are required to create a key pair, referred to here as a ROA Request Generation Key Pair. When you later submit routing information, ARIN will use the public key of the key pair to cryptographically determine if you are authorized to provide routing information. Hosted RPKI's benefits include:

  • Ease of use
  • Little to no coding required from participants
  • Certificate Authority functionality work taken care of by ARIN
  • Data security via a Hardware Security Module (HSM)
  • Functioning repository provided by ARIN

To configure hosted RPKI, follow the steps in Configuring Hosted RPKI in ARIN Online, below.

Delegated RPKI

With Delegated RPKI, you must have your own infrastructure to host a certificate authority and RPKI repository. You can, in turn, offer either Hosted or Delegated RPKI resources to your customers. With Delegated RPKI, you are responsible for cryptographic verification of certificate requests and ROAs. ARIN also supports Up/Down RPKI, or an alternative Delegated RPKI provisioning interface, in which users provide ARIN with an RFC 6492 identity XML and use the Up/Down Protocol to provision their resource certificates. Up/Down RPKI users are still responsible for maintaining their own RPKI repository.

To configure delegated RPKI, follow the steps outlined in this page.

Configuring Hosted RPKI in ARIN Online

Configuring hosted RPKI requires the following steps:

  1. Generate a ROA Request Key Pair.
  2. Submit a Certificate Request using ARIN Online.
  3. Submit ROA requests using ARIN Online.

Generating a ROA Request Key Pair

Before configuring hosted RPKI in ARIN Online, you must generate a ROA Request Key Pair. The term "key pair" refers to the two separate pieces of data (a public key and a private key) created using public key cryptography, a system used to secure data. As a hosted RPKI participant, you generate and use ROA Request Generation Key Pairs to secure your ROAs and resource certificate data and cryptographically verify your identity. Your public key is provided to ARIN and is used to cryptographically verify ROA Requests which have been signed by the corresponding private key.

Note: For ARIN Online users with authority over multiple organizations and their resources, it is highly recommended to use a separate ROA Request Generation Key Pair for each organization.

ROA Request Generation Key Pairs can be generated in multiple ways. A recommended method is OpenSSL, using the following commands:

  • openssl genrsa -out orgkeypair.pem 2048
    • This command generates a 2048-bit RSA ROA Request Generation Key Pair and saves it as a file named orgkeypair.pem.
  • openssl rsa -in orgkeypair.pem -pubout -outform PEM -out org_pubkey.pem
    • This command extracts the public key from the ROA Request Generation Key Pair and writes it to a file named org_pubkey.pem.
  • Your key pair is now in a file called orgkeypair.pem, and the public key is in org_pubkey.pem. The private key contained in the key pair file must never be shared and should be kept secure.

If using an alternate method, be sure to generate a key pair that:

  • Is an RSA key pair
  • Is 2048 bits in length
  • Uses the public exponent F4 (65537)

The public key (contents of org_pubkey.pem) will look similar to the example below:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzh/1Ws2aiqyxR0tqpkAC
tLGhQMrkYfcxYl7BzxFaSEitdsNhxqNZjAt+IB/yQ9XEKaHL87cqmZlrtEGju0Dk
QKym0onn3JXtS7S1OTRQbjWPN0k9/1HnP/R5xnQvGfaMOPm9S5If6DPr63109inX
5JXv4yNx/x8GZAT+RrhRW/I+PzmXVeSwc89LbADblpQR5x9x6173ncHUV+6UJr2M
niBl7OcFW61jbGhTQSrb9xoUli7IyAciziESE6cG2gqw0fW/ZOo7pUToPaDAPxHJ
vLq0uqtlpG5z3MpAoVibtdtuF9BF2dKHFF6TMwUKJaQ5EQZ+/iODk6CuWz6Q5iZN
GwIDAQAB
-----END PUBLIC KEY-----
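As an added example (not from the ARIN page or from ARIN's own tooling), the following standard-library Python script checks a public key file against the three requirements listed above by reading the DER structure inside the PEM; the embedded key is the page's own sample org_pubkey.pem, and the function and constant names are this example's, not ARIN's.

```python
import base64
import re

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

def _tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_params_from_pem(pem):
    """Return (modulus_bits, public_exponent) from a 'BEGIN PUBLIC KEY' PEM; ValueError if not RSA."""
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem), validate=True)
    _, spki, _ = _tlv(der, 0)                  # SEQUENCE { algorithm, subjectPublicKey }
    _, alg, end = _tlv(spki, 0)                # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _tlv(alg, 0)                   # OBJECT IDENTIFIER
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an RSA (rsaEncryption) key")
    _, bit_string, _ = _tlv(spki, end)         # BIT STRING; first byte = unused-bit count
    _, rsa_key, _ = _tlv(bit_string[1:], 0)    # RSAPublicKey SEQUENCE { n, e }
    _, n, pos = _tlv(rsa_key, 0)
    _, e, _ = _tlv(rsa_key, pos)
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")

def check_roa_request_key(pem):
    """Return the list of ARIN requirement violations; an empty list means acceptable."""
    try:
        bits, exponent = rsa_params_from_pem(pem)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if bits != 2048:
        problems.append(f"modulus is {bits} bits, must be 2048")
    if exponent != 65537:
        problems.append(f"public exponent is {exponent}, must be F4 (65537)")
    return problems

# The sample org_pubkey.pem contents shown on the ARIN page.
ARIN_SAMPLE_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzh/1Ws2aiqyxR0tqpkAC
tLGhQMrkYfcxYl7BzxFaSEitdsNhxqNZjAt+IB/yQ9XEKaHL87cqmZlrtEGju0Dk
QKym0onn3JXtS7S1OTRQbjWPN0k9/1HnP/R5xnQvGfaMOPm9S5If6DPr63109inX
5JXv4yNx/x8GZAT+RrhRW/I+PzmXVeSwc89LbADblpQR5x9x6173ncHUV+6UJr2M
niBl7OcFW61jbGhTQSrb9xoUli7IyAciziESE6cG2gqw0fW/ZOo7pUToPaDAPxHJ
vLq0uqtlpG5z3MpAoVibtdtuF9BF2dKHFF6TMwUKJaQ5EQZ+/iODk6CuWz6Q5iZN
GwIDAQAB
-----END PUBLIC KEY-----"""
```

Calling check_roa_request_key(open("org_pubkey.pem").read()) before pasting the key into ARIN Online returns an empty list for a compliant key and a human-readable reason for each unmet requirement otherwise.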

Submitting a Certificate Request

ARIN generates a resource certificate for you when you submit your key pair. Resource certificates list a collection of Internet number resources (IPv4 addresses, IPv6 addresses, and ASNs) that are associated with a holder of those resources. They provide cryptographic validation that these resources belong to you. These certificates contain no identifying information about who the holder of the resources is; resource holders can prove their legitimacy using their private key to sign information such as a Route Origin Authorization (ROA) Request. Relying Parties can then validate these signed objects with the corresponding public key.

To submit a certificate request:

  1. Log in to ARIN Online and select Your Account > Organization Identifiers from the navigation menu.
  2. Choose the organization for which you want to configure RPKI.
  3. Choose Actions and select Manage RPKI. (Note: If you do not see this option, ensure that you meet the requirements for participation.)
  4. In the Hosted RPKI Section, choose Hosted RPKI.
  5. Read and agree to the RPKI Terms of Service. (Note: Not required for resources covered by an RSA version 12 or greater.)
  6. Choose Continue.
  7. In the ROA Request Generation Public Key field, copy and paste your public key (see the example in the previous section) into the field.
  8. Choose Submit. This generates a ticketed request for ARIN to generate a resource certificate covering your Internet number resources.

Accessing Your Resource Certificates

After ARIN has generated a resource certificate for you, there are two ways to find it.

To download the file from the ARIN ticket:

  1. Log in to ARIN Online.
  2. Select Tickets & Messages > Tickets from the navigation menu.
  3. Find the ticket that was created when ARIN generated your resource certificate. Your resource certificate will be within this ticket as a downloadable attachment.

To view the information from the Manage RPKI page:

  1. Log in to ARIN Online.
  2. Select Your Account > Organization Identifiers from the navigation menu.
  3. Choose the organization for which you want to configure RPKI.
  4. Choose Actions and select Manage RPKI.
  5. Select View Cert on the appropriate certificate entry. The resource certificate information will be displayed in the body of the page.

Creating ROAs

After obtaining a certificate, you need to use your certificate to generate ROAs. A ROA is a cryptographically signed object that states which Autonomous System (AS) is authorized to originate a particular prefix or set of prefixes. ROAs can only be generated for Internet number resources that are covered by your resource certificate. They are published in ARIN's RPKI repository and used by network operators to validate routes.

Note: ROA Requests will only be accepted if signed using a private key that corresponds with a public key linked to the customer submitting the request. This is enforced by custom programming on ARIN's HSM which may not be tampered with or altered in any way. Before submitting ROA Requests, you must sign up for RPKI and submit your public key. Once an RPKI user has successfully received a resource certificate from ARIN, ROA requests may be submitted either through ARIN Online or programmatically via REST. For the specific RESTful method, visit the RESTful Methods page.

You can create ROAs by submitting a request using ARIN Online.

Managing RPKI Resources

  1. Log in to ARIN Online and select Your Account > Organization Identifiers from the navigation menu.
  2. Choose the organization.
  3. Choose Actions and select Manage RPKI. You can select from these actions:
    • Create ROA: Configure a new ROA.
    • View ROAs: View a list of your ROAs.
    • View Resources: View the IPv4/IPv6 resources that are currently covered by your resource certificate.
    • View Cert: View your RPKI certificate.

Using the Operational Test and Evaluation (OT&E) Environment

ARIN has created an RPKI instance within its Operational Test and Evaluation environment (OT&E) for those wishing to experiment with RPKI without affecting production data. For more information, see the OT&E page.
