Results of Consultation on Pending Functionality for Automatic Creation of IRR Route Objects for Uncovered ROAs

Posted: Wednesday, 11 October 2023

From 10 August to 20 September, ARIN held a consultation seeking feedback from the community regarding a specific aspect of the recent ARIN Online functionality that was deployed on 7 August 2023. This upgrade to ARIN Online brought several new features, including tighter integration of ARIN’s Resource Public Key Infrastructure (RPKI) and Internet Routing Registry (IRR) routing security services. First, thank you to the ARIN community for the robust discussion. There was spirited input both in favor of and in opposition to the various methods proposed to integrate ARIN’s RPKI and IRR services.

The intended purpose of creating auto-managed IRR Route Objects during Route Origin Authorization (ROA) creation is to reduce the risk that arises in the IRR ecosystem when users create Route Objects, in third-party, non-authenticated IRR databases, for Internet number resources for which they are not the authorized resource holder. Knowledgeable network operators have embraced the ARIN-authenticated IRR database as a reliable source of data and prioritize this data over unauthenticated sources, so increasing the number of authenticated IRR route objects improves the integrity of data in the IRR ecosystem.

Taking the feedback from the community into consideration, ARIN plans to work to deploy the following set of features in ARIN Online and our API for Hosted RPKI users:

  • Organizations in ARIN Online will have the ability to set an Organizational default for automatic creation of managed Route Objects for RPKI ROAs.
    • This default will be set to “On” (i.e., to create auto-managed Route Objects when creating ROAs).
    • Users will be able to opt in or opt out of the creation of a managed Route Object at individual ROA creation time without changing the Organization level setting.
    • This default setting will not apply to existing ROAs at autorenewal.
  • All auto-managed Route Objects will be identified as such in a remark field on the object.
  • At ROA creation, there will be a check to see if there is an existing, matching, and unmanaged Route Object. If so, the user will have the option to replace it with an auto-managed Route Object or continue and leave the unmanaged Route Object in place.
  • Auto-managed Route Objects resulting from ROA creation will not consider the maxLength value and will use the prefix entry only (least specific match), as recommended in RFC 9319/BCP 185. ROAs with multiple prefixes will create an auto-managed Route Object for each prefix. Users may manually create longer match IRR objects, and these manually created objects will not be auto-managed.
  • Deleting a ROA will remove the associated auto-managed Route Object(s). A user can opt out of deleting a Route Object at individual ROA deletion without changing the Organization level setting. If a Route Object is separated from the associated ROA in this manner, it will no longer be auto-managed, and the corresponding notation about auto-management in the Route Object’s remark field will be removed.
  • The API will be updated for Reg-RWS to reflect these new capabilities.
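
The creation-time rules listed above can be modeled as follows. This is an added illustration, not ARIN's implementation or API: the remark wording, the function and class names, and the reading of "matching" as same prefix plus same origin AS are all assumptions, and the sample data is constructed.

```python
import ipaddress
from dataclasses import dataclass

# Placeholder wording: the announcement does not give the actual remark text.
MANAGED_REMARK = "auto-managed from RPKI ROA (placeholder)"

@dataclass(frozen=True)
class RouteObject:
    prefix: str
    origin: str
    managed: bool = False

    def rpsl(self) -> str:
        net = ipaddress.ip_network(self.prefix)
        key = "route6" if net.version == 6 else "route"
        lines = [f"{key}: {net}", f"origin: {self.origin}"]
        if self.managed:
            lines.append(f"remarks: {MANAGED_REMARK}")
        lines.append("source: ARIN")
        return "\n".join(lines)

def plan_route_objects(asn, roa_prefixes, existing, replace_unmanaged=False):
    """Return (to_create, kept_unmanaged) for one ROA.

    roa_prefixes is a list of (prefix, maxLength); maxLength is ignored, so
    each prefix yields exactly one least-specific Route Object.
    """
    origin = f"AS{asn}"
    to_create, kept = [], []
    for prefix, _max_length in roa_prefixes:
        net = ipaddress.ip_network(prefix)
        # Assumption: "matching" means same prefix and same origin AS.
        clash = [o for o in existing if not o.managed and o.origin == origin
                 and ipaddress.ip_network(o.prefix) == net]
        if clash and not replace_unmanaged:
            kept.extend(clash)      # user chose to leave the unmanaged object
            continue
        to_create.append(RouteObject(str(net), origin, managed=True))
    return to_create, kept

# Constructed sample input (documentation prefixes and documentation ASN).
SAMPLE_ROA = [("192.0.2.0/24", 26), ("2001:db8::/32", 48)]
SAMPLE_EXISTING = [RouteObject("192.0.2.0/24", "AS64500")]

if __name__ == "__main__":
    created, kept = plan_route_objects(64500, SAMPLE_ROA, SAMPLE_EXISTING)
    for obj in created:
        print(obj.rpsl(), end="\n\n")
    print("left unmanaged:", [o.prefix for o in kept])
```

With the sample input, the /24 with maxLength 26 yields no /25 or /26 objects, and the existing unmanaged /24 object is left in place unless `replace_unmanaged=True` is passed.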

ARIN will notify the community 90 days prior to the deployment of these new features, with reminders at 60 and 30 days.

ARIN thanks those who provided valuable feedback on this consultation. We rely on this input from our members and community to help steer the organization as we continue our mission in support of the operation and growth of the Internet.

Regards,

John Curran
President and CEO
American Registry for Internet Numbers (ARIN)