Resource Certification (RPKI)
Resource Public Key Infrastructure (RPKI) is an opt-in system that lets holders of Internet number resources make cryptographically verifiable statements about which networks may originate routes for their address space, and lets other operators check BGP announcements against those statements. You can use ARIN’s RPKI system in two ways:
- Using ARIN’s RPKI Repository to Perform Route Origin Validation: You can obtain information about routes from ARIN’s RPKI repository to make routing decisions for your network. This is also known as being a Relying Party. You will need to download the ARIN Trust Anchor Locator (TAL) and use it with an RPKI validator. More information is provided in Using ARIN’s RPKI Repository to Perform Route Origin Validation.
- Providing certification for Your ARIN resources: If you have Internet number resources that are covered by an ARIN Registration Services Agreement (RSA) or Legacy Registration Services Agreement (LRSA), you can certify that you have authority over routes that originate from your IP addresses. You do this by requesting certificates and creating Route Origin Authorizations (ROAs). The ROAs are then made available to RPKI validators. More information is provided below in Certifying Your Resources in ARIN’s RPKI.
Why Use RPKI?
In the early Internet, routing was dependent on network relationships based on mutual trust. This model proved sufficient when each party expected that transmitted information was safe, accurate, and not affected by accidental or malicious activity. As the Internet grew from a simple platform for sharing information to a commercial platform, it has become increasingly vulnerable to abuse and attack.
RPKI uses cryptographically verifiable statements to ensure that Internet number resources are certifiably linked to the stated holders of those resources. This enables resource holders to attest which Autonomous System Numbers (ASNs) should originate their prefixes (i.e. blocks of IP addresses). Network operators can compare Border Gateway Protocol (BGP) announcements from the global Internet routing table with RPKI validity data to make informed decisions to enhance their routing security.
To authorize an Autonomous System Number (ASN) to originate a set of prefixes, the resource holder must first obtain a resource certificate from their issuing Regional Internet Registry (RIR) that attests to the IP addresses allocated to them. After receiving a resource certificate, the resource holder creates signed Route Origin Authorizations (ROAs), each of which names the ASN authorized to originate a prefix and the maximum prefix length that ASN may announce within it. Typically the resource holder’s network operators create the ROAs. Other network operators then validate the ROAs against the RIR’s trust anchor and compare them with the BGP announcements they receive: an announcement whose prefix, length and origin ASN match a ROA is RPKI Valid; one that is covered by a ROA but does not match it (wrong origin ASN, or a prefix longer than the ROA’s maximum length) is Invalid; and one with no covering ROA at all is NotFound. Operators can use these validity states in routing policy, for example by rejecting Invalid announcements.
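The comparison described above, Route Origin Validation as specified in RFC 6811, is small enough to show in full. The following is an added example, not ARIN’s code and not part of any validator listed on this page. It takes a set of Validated ROA Payloads (VRPs: prefix, maximum length, origin ASN, the data a validator produces from ROAs) and classifies a BGP announcement as valid, invalid or notfound. The VRPs and announcements are constructed from documentation address ranges (RFC 5737 / RFC 3849) and documentation ASNs (RFC 5398); they do not come from any real repository.

```python
"""Route Origin Validation (RFC 6811) over a set of Validated ROA Payloads.

Added example, not ARIN's code. All prefixes and ASNs below are constructed
documentation values, not data from ARIN's repository.
"""
import ipaddress
from typing import Iterable, List, NamedTuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class VRP(NamedTuple):
    """One Validated ROA Payload, the output of validating a ROA.

    maxLength lets the ROA cover more-specific announcements: a VRP for
    10.0.0.0/16 with maxLength 24 authorises any /16 to /24 inside it, but
    a /25 from the same ASN would still be Invalid.
    """
    prefix: Network
    max_length: int
    asn: int


def vrp(prefix: str, max_length: int, asn: int) -> VRP:
    """Build a VRP, rejecting a maxLength outside [prefixlen, family max]."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {prefix}")
    return VRP(net, max_length, asn)


def covers(v: VRP, route: Network) -> bool:
    """A VRP covers a route when the route's prefix lies inside the VRP's
    prefix (same address family; equal prefixes count as covered)."""
    return v.prefix.version == route.version and route.subnet_of(v.prefix)


def validate(announced_prefix: str, origin_asn: int, vrps: Iterable[VRP]) -> str:
    """Return 'valid', 'invalid' or 'notfound' for one BGP announcement.

    RFC 6811 section 2: Valid if at least one covering VRP matches both the
    origin ASN and the length constraint (prefixlen <= maxLength); Invalid if
    covering VRPs exist but none match; NotFound if nothing covers the prefix.
    An AS0 VRP (asn == 0) therefore makes every covered announcement Invalid,
    because no legitimate BGP origin is AS0.
    """
    route = ipaddress.ip_network(announced_prefix, strict=True)
    covering = [v for v in vrps if covers(v, route)]
    if not covering:
        return "notfound"
    for v in covering:
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid"


# Constructed sample VRPs (documentation prefixes and ASNs only).
SAMPLE_VRPS: List[VRP] = [
    vrp("192.0.2.0/24", 24, 64496),      # exactly this /24, only from AS64496
    vrp("198.51.100.0/24", 26, 64496),   # AS64496 may announce /24 down to /26
    vrp("2001:db8::/32", 48, 64497),     # IPv6 block, sub-prefixes to /48
    vrp("203.0.113.0/24", 24, 0),        # AS0 ROA: nobody may originate this
]


def classify_sample() -> List[str]:
    """Run a few constructed announcements through validate()."""
    announcements = [
        ("192.0.2.0/24", 64496),       # valid: exact match
        ("192.0.2.0/25", 64496),       # invalid: longer than maxLength
        ("192.0.2.0/24", 64500),       # invalid: wrong origin ASN
        ("198.51.100.64/26", 64496),   # valid: within maxLength
        ("198.51.100.64/27", 64496),   # invalid: /27 exceeds maxLength 26
        ("2001:db8:1::/48", 64497),    # valid: IPv6 sub-prefix
        ("203.0.113.0/24", 64496),     # invalid: covered only by an AS0 VRP
        ("10.0.0.0/8", 64496),         # notfound: no covering VRP
    ]
    return [validate(p, a, SAMPLE_VRPS) for p, a in announcements]


if __name__ == "__main__":
    for state in classify_sample():
        print(state)
```

Note that a less-specific announcement than any VRP (for example 192.0.0.0/16 against the VRPs above) is NotFound, not Invalid: covering is defined as the VRP containing the route, never the reverse. Treating NotFound as acceptable while rejecting Invalid is the usual deployment policy, since most of the routing table still has no ROA.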
Using ARIN’s RPKI Repository to Perform Route Origin Validation
In order to collect information from ARIN’s RPKI repository you’ll need to do the following:
Obtain an RPKI Validator and Install It
Download an RPKI validator (Relying Party software) by selecting one or more of the packages below and install it in your network. Consult the validator’s software documentation for system requirements and installation instructions.
- Fort Validator - tested as part of each ARIN Online release
- NLnet Labs (Routinator) - tested as part of each ARIN Online release
- rpki-client - tested as part of each ARIN Online release
- RPSTIR2
- rpki-prover
- OctoRPKI - deprecated by the developer and no longer supported
Obtain ARIN’s Routing Information via its Trust Anchor Locator
A Trust Anchor Locator (TAL) is a file used to allow Relying Parties to retrieve RPKI data from a repository. Each Regional Internet Registry (RIR) has a TAL needed to access its RPKI repository.
ARIN’s TAL contains the URL(s) from which ARIN’s trust anchor certificate can be fetched and ARIN’s public key (a DER-encoded SubjectPublicKeyInfo, stored in the file as Base64). The key is not encrypted; it is public, and the validator uses it to verify that the trust anchor certificate, and through it every certificate and ROA in the repository, was signed by ARIN.
If ARIN’s TAL has not been provided in the validator software, you will need to download it from the ARIN website and transfer it to the server where you installed the RPKI validator.
Your validator connects to ARIN’s RPKI repository via the RPKI Repository Delta Protocol (RRDP) or rsync, downloads the certificates and ROAs, validates them along the chain from ARIN’s trust anchor, and produces the RPKI validity data (Validated ROA Payloads) on which you can base routing decisions, typically by feeding it to your routers over the RPKI-to-Router (RTR) protocol. Validators refresh their copy of the repository periodically, usually every few minutes, so newly published or revoked ROAs take effect within that interval.
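Because the TAL is the root of trust for everything a validator accepts from ARIN’s repository, it is worth checking the file before handing it to the validator. The following is an added example, not ARIN’s code and not part of any validator listed above: it parses the TAL format defined in RFC 8630 (optional "#" comment lines, one or more rsync:// or https:// URIs, a blank line, then the Base64 key), rejects URIs with any other scheme, confirms that the decoded key is a complete DER SEQUENCE rather than a truncated download, and computes a SHA-256 fingerprint that an operator can compare out of band. The sample TAL is constructed: the URIs are placeholders and the key is a dummy DER SEQUENCE, not ARIN’s real trust anchor key.

```python
"""Parse and sanity-check a Trust Anchor Locator (RFC 8630).

Added example, not ARIN's or any validator's code. SAMPLE_TAL is constructed:
placeholder URIs and a dummy DER SEQUENCE in place of a real public key.
"""
import base64
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass
class TAL:
    uris: List[str]     # where the trust anchor certificate can be fetched
    spki_der: bytes     # DER SubjectPublicKeyInfo (a public key, not encrypted)
    sha256: str         # fingerprint of the key, for out-of-band comparison


def _der_total_length(der: bytes) -> int:
    """Return the full encoded size of the outer DER SEQUENCE in `der`."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("TAL key is not a DER SEQUENCE (SubjectPublicKeyInfo)")
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def parse_tal(text: str) -> TAL:
    """Parse TAL text; raise ValueError on anything a validator should refuse."""
    lines = text.splitlines()
    i = 0
    while i < len(lines) and lines[i].startswith("#"):   # optional comments
        i += 1
    uris: List[str] = []
    while i < len(lines) and lines[i].strip():           # URI section
        uri = lines[i].strip()
        if not (uri.startswith("rsync://") or uri.startswith("https://")):
            raise ValueError(f"TAL URI must be rsync:// or https://: {uri}")
        uris.append(uri)
        i += 1
    if not uris:
        raise ValueError("TAL has no URI section")
    # Everything after the blank line is the Base64 key, possibly wrapped.
    key_b64 = "".join(line.strip() for line in lines[i + 1:])
    der = base64.b64decode(key_b64, validate=True)
    if _der_total_length(der) != len(der):
        raise ValueError("DER length does not match key size: truncated or corrupted TAL")
    return TAL(uris, der, hashlib.sha256(der).hexdigest())


# Constructed sample: dummy 26-byte SEQUENCE body, NOT a real key.
DUMMY_BODY = b"constructed-not-a-real-key"
DUMMY_SPKI = bytes([0x30, len(DUMMY_BODY)]) + DUMMY_BODY
SAMPLE_TAL = (
    "# constructed example TAL, placeholder URIs\n"
    "rsync://rpki.example.net/repository/ta.cer\n"
    "https://rpki.example.net/ta.cer\n"
    "\n"
    + base64.b64encode(DUMMY_SPKI).decode()
)


if __name__ == "__main__":
    tal = parse_tal(SAMPLE_TAL)
    print("URIs:", tal.uris)
    print("key SHA-256:", tal.sha256)
```

In practice you would run this against the TAL file downloaded from ARIN and compare the printed fingerprint with the one ARIN publishes (or with a copy obtained through a second channel) before installing the file on the validator host; the parser checks structure only and cannot tell a genuine key from a well-formed substitute.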
Certifying Your Resources in ARIN’s RPKI
To certify your resources, you need:
- IPv4 or IPv6 resources issued to you directly from ARIN
- A signed RSA/LRSA covering the resources you wish to certify
- An ARIN Online account linked to an Admin, Tech, or Routing Point of Contact (POC) with authority to manage those resources
ARIN offers two models of RPKI: Hosted and Delegated. Decide whether you are using the Hosted or Delegated model of RPKI, and follow the instructions provided on the pertinent page to create the necessary files and configure RPKI in ARIN Online.
- Hosted RPKI: With Hosted RPKI, ARIN operates the Certificate Authority (CA) on your behalf: it signs the Route Origin Authorizations (ROAs) you create in ARIN Online, maintains the repository, and publishes your resource certificates and ROAs so that Relying Parties can retrieve them. Visit Hosted RPKI for more information.
- Delegated RPKI: With Delegated RPKI, you request your own delegated resource certificates and host your own Certificate Authority (CA) to sign ROAs. You can maintain your own repository and publish your resource certificate and ROAs, or you can use ARIN’s Repository Publication Service. Visit Delegated RPKI for more information.
If you want to change between the Delegated and Hosted models, you must log in to ARIN Online and submit an Ask ARIN ticket by choosing Ask ARIN from the navigation menu, or contact the Registration Services Help Desk by phone Monday through Friday, 7:00 AM to 7:00 PM ET at +1.703.227.0660.
Additional RPKI Information
More information about RPKI is available at the following external sites:
- RPKI Documentation at readthedocs.io
- RFC 6810: The Resource Public Key Infrastructure (RPKI) to Router Protocol
- Resource Certification Explained video from the Number Resource Organization (NRO)
- SIDR Working Group Documents
- RPKI at AFRINIC
- Resource Certification at APNIC
- Certification of Resources at LACNIC
- Resource Certification (RPKI) at RIPE NCC
Related
- ARIN Certification Practice Statement for Resource Certification
- RESTful Methods - Route Origin Authorizations (ROAs)
- Why RPKI?: Enhance the Security and Integrity of Your Network Infrastructure