Add ARIN support for IRR route objects and RPKI ROAs

Author: VegasNative

README.md

@@ -1,6 +1,6 @@
 # rir-updater
 
-CLI tool for syncing route objects to RIPE NCC and RADb, and RPKI ROAs to RIPE.
+CLI tool for syncing route objects to RIPE NCC, ARIN, and RADb, and RPKI ROAs to RIPE and ARIN.
 
 ## Requirements
 
@@ -16,7 +16,7 @@ uv sync
 
 ## Configuration
 
-Copy `config.example.yaml` and fill in your values. Both `ripe` and `radb` sections are optional — include only the registries you use.
+Copy `config.example.yaml` and fill in your values. All registry sections (`ripe`, `arin`, `radb`) are optional — include only the registries you use.
 
 ```yaml
 ripe:
@@ -44,6 +44,25 @@ ripe:
       origin: "AS12345"
       max_length: 32
 
+arin:
+  org_handle: "EXAMPLEORG-1"
+  credentials:
+    api_key: "op://vault/item/arin-api-key"
+  routes:
+    - prefix: "192.0.2.0/24"
+      origin: "AS12345"
+      description: "Example IPv4 prefix"
+    - prefix: "2001:db8::/32"
+      origin: "AS12345"
+      description: "Example IPv6 prefix"
+  roas:
+    - prefix: "192.0.2.0/24"
+      origin: "AS12345"
+      max_length: 24
+    - prefix: "2001:db8::/32"
+      origin: "AS12345"
+      max_length: 32
+
 radb:
   maintainer: "MAINT-AS12345"
   contact_email: "admin@example.com"
@@ -76,6 +95,14 @@ Secrets are fetched from 1Password via the `op` CLI. The `credentials` block in
 | `test_db_username` | RIPE test DB username (optional, overrides `db_username` in test mode) |
 | `test_db_password` | RIPE test DB password (optional, overrides `db_password` in test mode) |
 
+### ARIN
+
+| Field | Used for |
+|-------|----------|
+| `api_key` | ARIN API key for all IRR and RPKI requests |
+
+The API key must be linked to a POC with authority over your organization's resources. Create one at ARIN Online → Settings → Security Info → Manage API Keys.
+
 ### RADb
 
 | Field | Used for |
@@ -102,7 +129,7 @@ uv run rir-updater config.yaml --production --commit
 uv run rir-updater config.yaml --setup-test
 ```
 
-RADb always runs against production — `--production` and `--setup-test` only affect the RIPE section.
+RADb always runs against production — `--production` and `--setup-test` only affect the RIPE and ARIN sections. ARIN uses its OT&E environment in test mode (`reg.ote.arin.net`) and production otherwise.
 
 ### RIPE test database bootstrap
 

config.example.yaml

@@ -23,6 +23,25 @@ ripe:
     - prefix: "2001:db8::/32"
       origin: "AS12345"
 
+arin:
+  org_handle: "EXAMPLEORG-1"
+  credentials:
+    api_key: "op://vault/item/arin-api-key"
+  routes:
+    - prefix: "192.0.2.0/24"
+      origin: "AS12345"
+      description: "Example IPv4 prefix"
+    - prefix: "2001:db8::/32"
+      origin: "AS12345"
+      description: "Example IPv6 prefix"
+  roas:                           # optional
+    - prefix: "192.0.2.0/24"
+      origin: "AS12345"
+      max_length: 24
+    - prefix: "2001:db8::/32"
+      origin: "AS12345"
+      max_length: 32
+
 radb:
   maintainer: "MAINT-AS12345"
   contact_email: "admin@example.com"

src/rir_updater/arin/__init__.py

@@ -0,0 +1,221 @@
+import ipaddress
+import xml.etree.ElementTree as ET
+from xml.etree.ElementTree import Element, SubElement
+
+import httpx
+
+from rir_updater.config import ROA, RouteObject
+from rir_updater.exceptions import ApiError
+
+PROD_BASE = "https://reg.arin.net/rest"
+OTE_BASE = "https://reg.ote.arin.net/rest"
+
+# XML namespace for IRR route objects
+CORE_NS = "http://www.arin.net/regrws/core/v1"
+# XML namespace for RPKI ROA objects
+RPKI_NS = "http://www.arin.net/regrws/rpki/v1"
+
+ET.register_namespace("", CORE_NS)
+
+
+def _find_text(element: ET.Element, local_name: str) -> str | None:
+    """Find a child element by local name, ignoring namespace prefixes."""
+    for child in element:
+        tag = child.tag.split("}")[-1] if "}" in child.tag else child.tag
+        if tag == local_name:
+            return child.text
+    return None
+
+
+def _raise_for_status(resp: httpx.Response, context: str) -> None:
+    if resp.is_error:
+        try:
+            root = ET.fromstring(resp.text)
+            detail = _find_text(root, "message") or resp.text[:200]
+        except ET.ParseError:
+            detail = resp.text[:200] or "(empty body)"
+        raise ApiError(f"{context} failed ({resp.status_code}): {detail}")
+
+
+class ArinClient:
+    """Client for the ARIN IRR REST API and RPKI Management API.
+
+    All requests are authenticated with an API key passed as a `?apikey=`
+    query parameter. Request and response bodies use XML.
+    """
+
+    def __init__(
+        self,
+        org_handle: str,
+        api_key: str,
+        dry_run: bool = False,
+        use_test_env: bool = True,
+    ):
+        self._org_handle = org_handle
+        self._api_key = api_key
+        self._dry_run = dry_run
+        self._base = OTE_BASE if use_test_env else PROD_BASE
+        self._http = httpx.Client(
+            headers={
+                "Accept": "application/xml",
+                "Content-Type": "application/xml",
+            },
+            timeout=30,
+        )
+
+    def close(self) -> None:
+        self._http.close()
+
+    def __enter__(self):
+        return self
+
+    def __exit__(self, *_):
+        self.close()
+
+    def _params(self) -> dict:
+        return {"apikey": self._api_key}
+
+    # --- Route objects ---
+
+    def _route_url(self, route: RouteObject) -> str:
+        # ARIN uses /irr/route/ for both IPv4 and IPv6; the prefix distinguishes them.
+        # Key URL segments: network/prefix_len/asn (same pattern as RADb).
+        network, prefix_len = route.prefix.split("/")
+        asn = route.origin.upper()
+        return f"{self._base}/irr/route/{network}/{prefix_len}/{asn}"
+
+    def _route_body(self, route: RouteObject) -> str:
+        root = Element(f"{{{CORE_NS}}}route")
+        SubElement(root, f"{{{CORE_NS}}}orgHandle").text = self._org_handle
+        SubElement(root, f"{{{CORE_NS}}}originAS").text = route.origin.upper()
+        SubElement(root, f"{{{CORE_NS}}}prefix").text = route.prefix
+        if route.description:
+            SubElement(root, f"{{{CORE_NS}}}description").text = route.description
+        SubElement(root, f"{{{CORE_NS}}}source").text = "ARIN"
+        return ET.tostring(root, encoding="unicode")
+
+    def _route_exists(self, route: RouteObject) -> bool:
+        resp = self._http.get(self._route_url(route), params=self._params())
+        return resp.status_code == 200
+
+    def sync_route(self, route: RouteObject) -> str:
+        """Sync a route object. Returns 'created', 'updated', or 'dry-run'."""
+        exists = self._route_exists(route)
+        obj_type = "route6" if ":" in route.prefix else "route"
+        asn = route.origin.upper()
+
+        if self._dry_run:
+            action = "update" if exists else "create"
+            print(f"[dry-run] would {action} arin {obj_type} {route.prefix} {asn}")
+            return "dry-run"
+
+        body = self._route_body(route)
+        url = self._route_url(route)
+        if exists:
+            resp = self._http.put(url, params=self._params(), content=body)
+            _raise_for_status(resp, f"update arin route {route.prefix} {asn}")
+            return "updated"
+        else:
+            # Unlike RIPE, ARIN POST uses the key URL (not the collection URL).
+            resp = self._http.post(url, params=self._params(), content=body)
+            _raise_for_status(resp, f"create arin route {route.prefix} {asn}")
+            return "created"
+
+    # --- ROAs ---
+
+    def _roa_key(self, roa: ROA) -> tuple[str, str, int]:
+        prefix_len = int(roa.prefix.split("/")[1])
+        max_length = roa.max_length if roa.max_length is not None else prefix_len
+        return (roa.prefix, roa.origin.upper(), max_length)
+
+    def _get_current_roas(self) -> dict[tuple[str, str, int], str]:
+        """Return a map of (prefix, asn, max_length) -> roaHandle for current ROAs."""
+        resp = self._http.get(
+            f"{self._base}/roa/{self._org_handle}", params=self._params()
+        )
+        if resp.status_code == 404:
+            return {}
+        _raise_for_status(resp, "fetch current ARIN ROAs")
+        result = {}
+        root = ET.fromstring(resp.text)
+        for roa_el in root.iter():
+            if roa_el.tag.split("}")[-1] != "roaSpec":
+                continue
+            handle = _find_text(roa_el, "roaHandle")
+            asn_text = _find_text(roa_el, "asNumber")
+            if not handle or not asn_text:
+                continue
+            asn = f"AS{asn_text}"
+            for res_el in roa_el.iter():
+                if res_el.tag.split("}")[-1] != "resources":
+                    continue
+                start = _find_text(res_el, "startAddress")
+                cidr = _find_text(res_el, "cidrLength")
+                max_len_text = _find_text(res_el, "maxLength")
+                if not start or not cidr:
+                    continue
+                # Normalize to canonical CIDR (handles IPv6 expansion, strict=False
+                # in case startAddress is a host address rather than network address).
+                prefix = str(ipaddress.ip_network(f"{start}/{cidr}", strict=False))
+                max_len = int(max_len_text) if max_len_text else int(cidr)
+                result[(prefix, asn, max_len)] = handle
+        return result
+
+    def _roa_transaction_body(
+        self,
+        to_add: set[tuple[str, str, int]],
+        to_delete_handles: list[str],
+    ) -> str:
+        ET.register_namespace("", RPKI_NS)
+        root = Element(f"{{{RPKI_NS}}}rpkiTransaction")
+        for handle in to_delete_handles:
+            del_el = SubElement(root, f"{{{RPKI_NS}}}roaSpecDelete")
+            handle_el = SubElement(del_el, f"{{{RPKI_NS}}}roaHandle")
+            handle_el.set("autolink", "true")
+            handle_el.text = handle
+        for prefix, asn, max_len in to_add:
+            add_el = SubElement(root, f"{{{RPKI_NS}}}roaSpecAdd")
+            spec_el = SubElement(add_el, f"{{{RPKI_NS}}}roaSpec")
+            SubElement(spec_el, f"{{{RPKI_NS}}}autoLink").text = "true"
+            # ARIN <asNumber> takes the numeric value only, without the "AS" prefix.
+            SubElement(spec_el, f"{{{RPKI_NS}}}asNumber").text = asn.removeprefix("AS")
+            network, prefix_len = prefix.split("/")
+            resources_el = SubElement(spec_el, f"{{{RPKI_NS}}}resources")
+            res_el = SubElement(resources_el, f"{{{RPKI_NS}}}roaSpecResource")
+            SubElement(res_el, f"{{{RPKI_NS}}}startAddress").text = network
+            SubElement(res_el, f"{{{RPKI_NS}}}cidrLength").text = prefix_len
+            if max_len != int(prefix_len):
+                SubElement(res_el, f"{{{RPKI_NS}}}maxLength").text = str(max_len)
+        return ET.tostring(root, encoding="unicode")
+
+    def sync_roas(self, roas: list[ROA]) -> dict[str, int]:
+        """Diff desired ROAs against current state and publish changes.
+
+        Only ROAs whose prefix appears in the config are managed. ROAs for
+        other prefixes in the account are left untouched.
+        """
+        desired = {self._roa_key(r) for r in roas}
+        managed_prefixes = {r.prefix for r in roas}
+
+        if self._dry_run:
+            for prefix, asn, max_len in desired:
+                print(f"[dry-run] would sync arin ROA {prefix} {asn} max={max_len}")
+            return {"added": len(desired), "deleted": 0}
+
+        current = self._get_current_roas()
+        current_managed = {k: v for k, v in current.items() if k[0] in managed_prefixes}
+        to_add = desired - set(current_managed.keys())
+        to_delete_keys = set(current_managed.keys()) - desired
+        to_delete_handles = [current_managed[k] for k in to_delete_keys]
+
+        if not to_add and not to_delete_handles:
+            return {"added": 0, "deleted": 0}
+
+        body = self._roa_transaction_body(to_add, to_delete_handles)
+        resp = self._http.post(
+            f"{self._base}/rpki/{self._org_handle}",
+            params=self._params(),
+            content=body,
+        )
+        _raise_for_status(resp, "publish ARIN ROAs")
+        return {"added": len(to_add), "deleted": len(to_delete_handles)}

src/rir_updater/arin/client.py

@@ -119,9 +119,25 @@ class RadbConfig(BaseModel):
     routes: list[RouteObject] = []
 
 
+class ArinCredentials(BaseModel):
+    """1Password reference for ARIN API key. Resolved at runtime via `op read`."""
+
+    api_key: str
+
+
+class ArinConfig(BaseModel):
+    """Configuration for the ARIN registry (IRR route objects and RPKI ROAs)."""
+
+    org_handle: str
+    credentials: ArinCredentials
+    routes: list[RouteObject] = []
+    roas: list[ROA] = []
+
+
 class Config(BaseModel):
     ripe: RipeConfig | None = None
     radb: RadbConfig | None = None
+    arin: ArinConfig | None = None
 
 
 def load_config(path: Path) -> Config:

src/rir_updater/config.py

@@ -45,3 +45,8 @@ def get_radb_portal_auth(username_ref: str, password_ref: str) -> tuple[str, str
 def get_radb_mntner_password(password_ref: str) -> str:
     """Return the RADb mntner password used for object-level authorization."""
     return read_op(password_ref)
+
+
+def get_arin_api_key(key_ref: str) -> str:
+    """Return the ARIN API key used for all IRR and RPKI requests."""
+    return read_op(key_ref)

src/rir_updater/credentials.py

@@ -4,8 +4,10 @@
 
 from pydantic import ValidationError
 
+from rir_updater.arin.client import ArinClient
 from rir_updater.config import load_config
 from rir_updater.credentials import (
+    get_arin_api_key,
     get_radb_mntner_password,
     get_radb_portal_auth,
     get_ripe_db_auth,
@@ -101,6 +103,23 @@ def _run(args, parser):
                 result = client.sync_route(route)
                 print(f"{result}: radb route {route.prefix} {route.origin}")
 
+    if config.arin:
+        with ArinClient(
+            org_handle=config.arin.org_handle,
+            api_key=get_arin_api_key(config.arin.credentials.api_key),
+            dry_run=not args.commit,
+            use_test_env=not args.production,
+        ) as client:
+            for route in config.arin.routes:
+                result = client.sync_route(route)
+                print(f"{result}: arin route {route.prefix} {route.origin}")
+
+            if config.arin.roas:
+                counts = client.sync_roas(config.arin.roas)
+                print(
+                    f"ARIN ROAs: {counts['added']} added, {counts['deleted']} deleted"
+                )
+
 
 if __name__ == "__main__":
     main()