Using ARIN’s RPKI with Bring Your Own IP Services

Bring Your Own IP (BYOIP) is a process available from multiple service providers where you can bring your own IP prefix to an upstream ISP, carrier, or cloud provider, and that upstream provider can advertise your prefix from their network.

ARIN plays an integral role in the configuration and deployment of BYOIP for some service providers, particularly in the creation of Route Origin Authorizations (ROAs). These records allow a resource holder to authorize an upstream provider to advertise its downstream customer’s prefix from its Autonomous System Number (ASN).

After consulting with Amazon Web Services (AWS), Google Cloud, Microsoft Azure, and Oracle, ARIN is providing information regarding their BYOIP process as it relates to ARIN services.

Keep in mind that this information is subject to change. ARIN will update this information to reflect any changes as we are made aware of them, but also encourages the community to reach out to the BYOIP service providers directly to address any questions you may have regarding their services.

Amazon Web Services BYOIP Requirements

Amazon Web Services (AWS) requires a ROA for the prefix your organization is bringing to their network. Instructions for signing up for Hosted RPKI and creating ROAs through ARIN can be found here. If you are using Delegated RPKI, then use the Certificate Authority (CA) or the package your organization is using to create ROAs.

AWS also requires a self-signed x509 certificate to be placed in the Public Comments section of the prefix’s network record in ARIN’s Whois/RDAP. Instructions on how to update the record can be found here.

Amazon Web Services BYOIP FAQ

Is there documentation from Amazon for AWS’s BYOIP service?

Yes. That documentation from Amazon can be found here.

Does AWS require a unique x509 certificate for every prefix an organization brings to their BYOIP service?

No. AWS does not require unique x509 certificates for every prefix an organization brings to the service. One x509 certificate can be used for multiple prefixes across multiple network records in Whois/RDAP.

Does AWS require the prefix I am bringing to be a direct allocation?

No. AWS allows customers to bring IP prefixes designated as reassigned or reallocated. However, if your prefix is a reassignment or reallocation from another ISP (an organization that is not your own), then you will not be RPKI authoritative for that prefix. In these cases, you must ask your organization’s upstream IP provider to create the ROA on behalf of your organization.

Whether or not they can create the ROA for your organization will depend on the following:

  • The upstream IP resource provider is participating in RPKI.
  • The parent allocation is covered by the upstream organization’s RPKI certificate.
  • The upstream organization’s internal policies permit them to create ROAs on behalf of their downstream customers.

Am I required to leave the x509 certificate in the Public Comments after I have successfully configured the prefix for BYOIP?

No. AWS only checks for the x509 certificate during the configuration process. It does not run a subsequent, continuous, or repetitive check for the presence of x509 certificate after the BYOIP prefix has been configured successfully. The certificate can be removed from the Public Comments section after the prefix has been onboarded to AWS’s BYOIP service successfully.

If I delete the ROA record after I have successfully configured the prefix for BYOIP, will that disrupt my advertisements from AWS?

No. At this time AWS only requires a ROA for the initial configuration process. It can be removed after your BYOIP prefix is announced. However, you are strongly advised to keep that ROA record active to ensure your routing remains secure and ISPs further upstream continue to accept the advertisement(s).

Google Cloud BYOIP Requirements

Google Could requires a ROA for the prefix your organization is bringing to their network. Instructions for signing up for Hosted RPKI and creating ROAs through ARIN can be found here. If you are using Delegated RPKI, then use the Certificate Authority (CA) or the package your organization is using to create ROAs.

Google Cloud BYOIP FAQ

Is there documentation for Google Cloud’s BYOIP service?

Yes. That documentation can be found here.

Does Google Cloud require the prefix I am bringing to be a direct allocation?

No. Google Cloud allows customers to bring IP prefixes designated as reassigned or reallocated. However, if your prefix is a reassignment or reallocation from another ISP (an organization that is not your own), then you will not be RPKI authoritative for that prefix. In these cases, you must ask your organization’s upstream IP provider to create the ROA on behalf of your organization.

Whether or not they can create the ROA for your organization will depend on the following:

  • The upstream IP resource provider is participating in RPKI.
  • The parent allocation is covered by the upstream organization’s RPKI certificate.
  • The upstream organization’s internal policies permit them to create ROAs on behalf of their downstream customers.

Microsoft Azure BYOIP Requirements

Microsoft Azure requires a ROA for the prefix your organization is bringing to their network. Instructions for signing up for Hosted RPKI and creating ROAs through ARIN can be found here. If you are using Delegated RPKI, then use the Certificate Authority (CA) or the package your organization is using to create ROAs.

Microsoft Azure also requires a self-signed x509 certificate to be placed in the Public Comments section of the prefix’s network record in ARIN’s Whois/RDAP. Instructions on how to update the Public Comments can be found here.

Microsoft Azure BYOIP FAQ

Is there documentation for Microsoft Azure’s BYOIP service?

Yes. That documentation can be found here.

Does Microsoft Azure require a unique x509 certificate for every prefix an organization brings to their BYOIP service?

No. Microsoft Azure does not require unique x509 certificates for every prefix an organization brings to the service. One x509 certificate can be used for multiple prefixes across multiple network records in Whois/RDAP.

Does Microsoft Azure require the prefix I am bringing to be a direct allocation?

No. In fact, Microsoft Azure requires its customer to create a reassignment in ARIN’s Whois/RDAP database for the specific prefix they are bringing. Instructions on how to create a reassignment record in ARIN’s database can be found here. However, if your prefix is a reassignment or reallocation from another ISP (an organization that is not your own), then you will not be RPKI authoritative for that prefix. In these cases, you must ask your organization’s upstream IP provider to create the ROA on behalf of your organization.

Whether or not they can create the ROA for your organization will depend on the following.

  • The upstream IP resource provider is participating in RPKI.
  • The parent allocation is covered by the upstream organization’s RPKI certificate.
  • The upstream organization’s internal policies permit them to create ROAs on behalf of their downstream customers.

Am I required to leave the x509 certificate in the Public Comments after I have successfully configured the prefix for BYOIP?

No. Microsoft Azure only checks for the x509 certificate during the configuration process. It does not run a subsequent, continuous, or repetitive check for the presence of x509 certificate after the BYOIP prefix has been configured successfully. The certificate can be removed from the Public Comments section when it is no longer needed.

Microsoft Azure does monitor ROA repositories. If they find a prefix being announced does not have a corresponding ROA, it will alarm in Microsoft Azure’s systems triggering an investigation to resolution.

Oracle BYOIP Requirements

Oracle requires a ROA for the prefix your organization is bringing to their network. Instructions for signing up for Hosted RPKI and creating ROAs through ARIN can be found here. If you are using Delegated RPKI, then use the Certificate Authority (CA) or the package your organization is using to create ROAs.

Oracle also requires a verification token to be placed in the Public Comments section of the prefix’s network record in ARIN’s Whois/RDAP. Instructions on how to update the Public Comments can be found here.

Oracle BYOIP FAQ

Is there documentation for Oracle’s BYOIP service?

Yes. That documentation can be found here.

Can I create a ROA for a network prefix that has been reassigned or reallocated to my OrgID?

  • If your prefix is a reassignment or reallocation from another ISP (an organization that is not your own), then you will not be RPKI authoritative for that prefix.
  • In these cases, you must ask your organization’s upstream IP provider to create the ROA on behalf of your organization.
  • Whether or not they can create the ROA for your organization will depend on the following:
    • The upstream IP resource provider is participating in RPKI.
    • The parent allocation is covered by the upstream organization’s RPKI certificate.
    • The upstream organization’s internal policies permit them to create ROAs on behalf of their downstream customers.