Resource Certification (RPKI)

Resource Public Key Infrastructure (RPKI) is an opt-in service that provides security for Internet routing. You can use ARIN’s RPKI system in two ways:

  • Using ARIN’s RPKI Repository for Routing: You can obtain information about routes from ARIN’s RPKI repository to make routing decisions for your network. This is also known as being a relying party. You will need to download the ARIN Trust Anchor Locator (TAL) and use it with an RPKI validator. More information is provided in Using ARIN’s RPKI Repository for Routing.

  • Providing Certification for Your ARIN Resources: If you have Internet Number Resources that are covered by an ARIN Registration Services Agreement (RSA) or Legacy Registration Services Agreement (LRSA), you can certify that you have authority over routes that originate your IP addresses. You do this by requesting certificates and creating Route Origin Authorizations (ROAs). The ROAs are then made available to RPKI validators. More information is provided below in Certifying Your Resources in ARIN’s RPKI.

Why Use RPKI?

In the early Internet, routing was dependent on network relationships based on mutual trust. This model proved sufficient when each party expected that transmitted information was safe, accurate, and not affected by accidental or malicious activity. As the Internet grew from a simple platform for sharing information to a commercial platform, it has become increasingly vulnerable to abuse and attack.

RPKI uses cryptographically verifiable statements to ensure that Internet number resources are certifiably linked to the stated holders of those resources. This enables resource holders to attest which Autonomous System Numbers (ASNs) should originate their prefixes (i.e. blocks of IP addresses). Network operators can compare Border Gateway Protocol (BGP) announcements from the global Internet routing table with RPKI validity data to make informed decisions to enhance their routing security.

To authorize an Autonomous System Number (ASN) to route a set of prefixes, the resource holder must first obtain a resource certificate from their issuing Regional Internet Registry (RIR) that verifies the IP addresses assigned or allocated to them. After resource certification, the resource holder creates signed Route Origin Authorizations (ROAs) that specify the originating ASN authorized to originate their IP addresses. Typically network operators for the resource holder create the ROAs, which are then used by other network operators to make decisions on routing. The ROAs provide verification that the routes being advertised are valid and can be used safely in routing tables.

Using ARIN’s RPKI Repository for Routing

To use information from ARIN’s RPKI repository in your routing (also known as being a relying party), you’ll need to do the following:

Obtain an RPKI Validator and Install It

  1. Obtain an RPKI Validator, which is also called “relying party software.” There are various options:

  2. Install the validator in your network. Consult the relying party software documentation for system requirements and installation instructions.

Supported/Tested RPKI Validators

We support and test the following RPKI validators as part of each ARIN Online release:

Obtain ARIN’s Routing Information via its Trust Anchor Locator (TAL)

A Trust Anchor Locator (TAL) is a file used to allow relying parties to retrieve RPKI data from a repository. Each Regional Internet Registry (RIR) has a Trust Anchor Locator needed to access its RPKI repository’s trusted, verified routing data.

ARIN’s TAL contains the URL of ARIN’s published RPKI repository and ARIN’s encrypted public key. The public key is used to cryptographically verify that ARIN has signed the artifacts within the repository. Some validators may already include TALs from other RIRs, but usually do not include ARIN’s TAL.

You need ARIN’s TAL to work with your RPKI validator. If ARIN’s TAL has not been provided in the validator software, you will need to download it from the ARIN website and transfer it to the server where you installed the RPKI Validator.

By downloading ARIN’s TAL, you indicate your agreement with and acceptance of ARIN’s Relying Party Agreement (RPA). Validator software requires that you agree to the RPA as well.

After you’ve installed your validator and ARIN’s TAL, your validator will connect to ARIN’s RPKI repository via rsync or RPKI Repository Delta Protocol (RRDP) and download the validated RPKI certificates and ROAs upon which your system will base routing decisions. Most validators can be configured to periodically fetch data from ARIN’s repository, which is updated every few minutes.

Certifying Your Resources in ARIN’s RPKI

To certify your resources, you need:

  • IPv4 or IPv6 resources issued to you directly from ARIN
  • A signed RSA/LRSA covering the resources you wish to certify
  • An ARIN Online account linked to an Admin, Tech, Abuse, or Routing Point of Contact (POC) with authority to manage those resources

ARIN offers two models of RPKI: Hosted and Delegated. Decide whether you are using the Hosted or Delegated model of RPKI, and follow the instructions provided on the pertinent page to create the necessary files and configure RPKI in ARIN Online.

  • Hosted RPKI: With Hosted RPKI, ARIN hosts a Certificate Authority (CA) and signs all Route Origin Associations (ROAs) for resources within the ARIN region. Visit Hosted RPKI for more information.
  • Delegated RPKI: With Delegated RPKI, you request your own delegated resource certificates and host your own Certificate Authority (CA) to sign ROAs. You can maintain your own publication server to publish your resource certificate and ROAs to make them available to other entities, or you can use ARIN’s publication service. Visit Delegated RPKI for more information.

If you want to change between the Delegated and Hosted models, you must log in to ARIN Online and submit an Ask ARIN ticket by choosing Ask ARIN from the navigation menu, or contact the Registration Services Help Desk by phone Monday through Friday, 7:00 AM to 7:00 PM ET at +1.703.227.0660.

Additional RPKI Information

More information about RPKI is available at the following external sites: