Hosted RPKI

What is Hosted RPKI?

Hosted Resource Public Key Infrastructure (RPKI) is an infrastructure in which ARIN hosts a Certificate Authority (CA) and signs all Route Origin Authorizations (ROAs) for resources within the ARIN region. Only direct resource holders can participate in RPKI. Any downstream organization must have their upstream provider submit ROAs on their behalf.

Hosted RPKI’s benefits include:

  • Ease of use
  • Little to no coding required from participants
  • CA functionality work taken care of by ARIN
  • Data security via a Hardware Security Module (HSM)
  • Functioning repository provided by ARIN

In Hosted RPKI, ARIN first issues you a certificate attesting that you are authorized to submit routing information for your resources. (For example, you can specify that all traffic for a certain IP address that you manage should originate from a specified Autonomous System.) You then add your routing information in ARIN Online, and that information is propagated every few minutes to ARIN’s RPKI repository. Other organizations then use ARIN’s RPKI information to determine authorized routes for traffic on the Internet.

The ARIN Internet number resources you want to certify with RPKI must be covered by a Registration Services Agreement (RSA) or Legacy Registration Services Agreement (LRSA).

Limitations on the Hosted RPKI Service

See the FAQ for some information about RPKI limitations, including:

Configuring Hosted RPKI in ARIN Online

Configuring Hosted RPKI requires the following steps. Choose the links to obtain additional information about each step.

  1. Log in to ARIN Online and select Routing Security from the navigation menu.
  2. On the ‘Routing Security Dashboard’ page, under “Your Organizations,” select Sign Up for RPKI for the organization for which you want to configure Hosted RPKI.
  3. On the ‘Manage RPKI’ page, under “Choose Between Two Models of RPKI,” select Sign Up for Hosted to make your resource certificate request.
  4. In the top bar of the ‘Manage RPKI’ page, select Hosted Certificate to begin your certificate request.
  5. After you submit your request, you will be returned to the ‘Routing Security Dashboard’ page. Select Manage RPKI.
  6. On the ‘RPKI: ROAs’ page, you can begin creating ROAs for your resources by selecting Create ROA.
  7. After entering the required information, select Next Step. Verify the information in your ROA is correct, choose whether to create a matching IRR route object, and select Submit.

You will be returned to the ‘RPKI: ROAs’ page, where you will receive confirmation that your ROA has been created, and your ROA will be listed in the “Route Origin Authorizations” table.

What is a Resource Certificate?

Resource certificates list a collection of Internet number resources (IPv4 addresses, IPv6 addresses, and Autonomous System Numbers [ASNs]) that are associated with the authorized holder of those resources. They provide cryptographic validation that these resources belong to you. These certificates contain no identifying information about the holder of the resources.

Accessing Your Resource Certificates

To view the information on your resource certificate from the ‘Manage RPKI’ page:

  1. Log in to ARIN Online and select Routing Security, then RPKI from the navigation menu.
  2. Select View Details for the organization whose resource certificate you wish to see.
  3. Select Certified Resources from the top menu.

Managing RPKI Resources

  1. Log in to ARIN Online and select Routing Security, then RPKI from the navigation menu.
  2. In the ‘Your Organization’ window, select View Details for the organization for which you want to manage RPKI resources.
  3. You can perform the following actions:
       • View, create and delete ROAs
       • View your certified resources

Using the Operational Test and Evaluation (OT&E) Environment

ARIN has created an RPKI instance within its OT&E for those wishing to experiment with RPKI without affecting production data. For more information, see the OT&E page.