Demystifying RPKI: New Tools to Simplify ROA Planning and Visualize Validation

The ARIN 57 Public Policy and Members Meeting, held 19-22 April 2026 in Louisville, Kentucky, and online, featured a keynote address that offered something extremely valuable in the routing security world: practical tools built by someone who spends his days helping real network operators improve routing integrity. Steve Wallace, Director of Routing Integrity at Internet2, delivered “Demystifying RPKI: Exploring Tools to Simplify ROA Planning and Visualize Validation” shortly after the meeting opened on Monday morning. His presentation introduced a suite of openly accessible web-based tools developed through a collaboration between Internet2 and CAIDA, funded in part by National Science Foundation grant OAC-2530871 and designed to make Resource Public Key Infrastructure (RPKI) more approachable — and safer — for network operators of all sizes.

Watch Steve Wallace’s keynote address on YouTube and view the presentation slides in the ARIN 57 Meeting Report.

The Challenge

Steve opened with a candid observation grounded in his own work: Helping network operators create Route Origin Authorizations (ROAs) is a surprisingly nuanced task. Most people who need to create a ROA will do so only once or twice in their career — not enough repetition to develop real fluency. The stakes, however, are high. Creating an incorrect ROA can put a network at risk of an outage.

“If you create a ROA incorrectly, just like if you were configuring the BGP in your router, if you make a mistake, there can be consequences.” — Steve Wallace

The deeper challenge is that looking only at what’s currently in the routing table doesn’t tell the whole story. Through his work assisting research and education institutions with RPKI, Steve has encountered schools that annually hand off portions of their address space to another network and announce it differently — a pattern that wouldn’t be visible in today’s routing table but would absolutely matter when a ROA goes live. Others use on-demand DDoS scrubbing services, disaster-recovery sites, or multi-ASN configurations that only become apparent when you dig into routing history and Internet Routing Registry (IRR) data. Getting a ROA right means understanding all of it.

Steve Wallace presenting at ARIN 57 in Louisville

The ROA Planner

The centerpiece of Steve’s presentation was the RPKI-ROA Planner. Given an IP prefix, the tool synthesizes data from multiple sources — ARIN registration records, current routing data from RouteViews, IRR route objects, and historical routing data from RIPEstat — and presents a comprehensive set of candidate ROAs for the operator to review.

The tool’s output is displayed hierarchically, showing the structure of IP allocations alongside routing data, with columns indicating the source of each entry, how old the data is, the prefix, origin AS, and the status of any existing ROA. Operators can toggle individual rows to include or exclude them from the ROA calculation, filter by routing history age, and see the candidate ROAs — both multi-prefix and single-prefix — update in real time.

One practical feature Steve highlighted: For each allocation and reallocation listed, the tool displays the Points of Contact and makes their information easy to copy. This is particularly useful for regional networks that have reallocated address space to many customers and need to notify those customers before creating a covering ROA.

The tool supports both IPv4 and IPv6. Steve demonstrated it against a variety of real-world prefixes, including a large commercial address block that would require more than a thousand individual ROAs if fully covered — illustrating both the tool’s capabilities and the complexity lurking beneath some prefix allocations.

The ROA Visualizer

Steve also introduced the RPKI-ROA Visualizer, a single-page web tool designed to address one of the most common points of confusion in RPKI: understanding exactly how a ROA is evaluated against a BGP route.

“It’s been my experience that it can be difficult to explain how a ROA is evaluated against a BGP route.” — Steve Wallace

The visualizer lets users type in a BGP route and a ROA and then walk through, bit by bit, how the comparison is made and what the result is. It includes preset examples for valid, invalid, and not-found scenarios, and it also displays the full list of subnets that would be covered by a given ROA — a detail that trips up even experienced operators who are more familiar with longest-prefix-match routing than with RPKI’s covering logic.

In a moment of candor that resonated with the room, Steve revealed that the visualizer was “100 percent vibe coded” in a single day. “I don’t write code anymore, but I write more code than I ever have,” he said, drawing laughs from the audience.
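The comparison the visualizer walks through follows the route origin validation procedure in RFC 6811, and the same check shows which announcements a planned ROA would break, the risk described under The Challenge. The sketch below is an added example, not code from the Internet2/CAIDA tools or from the talk; the function names and the sample prefixes and ASNs (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str      # authorized prefix
    max_length: int  # longest announcement length the ROA permits
    origin_as: int   # AS authorized to originate it

def validate(route: str, origin_as: int, roas: list) -> str:
    """Classify a BGP route as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    net = ipaddress.ip_network(route)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers the route when the route equals or sits inside its prefix.
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    # Covered by some ROA but matched by none is invalid; uncovered is not-found.
    return "invalid" if covered else "not-found"

def covered_prefixes(roa: ROA) -> list:
    """Every prefix the ROA authorizes, from its own length up to max_length."""
    net = ipaddress.ip_network(roa.prefix)
    return [str(s) for length in range(net.prefixlen, roa.max_length + 1)
            for s in net.subnets(new_prefix=length)]

def would_break(planned: list, announcements: list) -> list:
    """Announcements (prefix, origin AS) that the planned ROAs would make invalid."""
    return [a for a in announcements if validate(a[0], a[1], planned) == "invalid"]

# Constructed sample data: documentation prefixes (RFC 5737) and ASNs (RFC 5398).
PLANNED = [ROA("192.0.2.0/24", 24, 64496)]
SEEN = [
    ("192.0.2.0/24", 64496),     # current announcement
    ("192.0.2.0/25", 64496),     # more-specific seen in routing history
    ("192.0.2.0/24", 64500),     # on-demand DDoS scrubbing provider as origin
    ("198.51.100.0/24", 64496),  # no covering ROA
]

if __name__ == "__main__":
    for prefix, asn in SEEN:
        print(prefix, f"AS{asn}", validate(prefix, asn, PLANNED))
    print("would break:", would_break(PLANNED, SEEN))
    print(covered_prefixes(ROA("192.0.2.0/24", 26, 64496)))
```

Unlike longest-prefix-match forwarding, every covering ROA is considered: a route is invalid only when at least one ROA covers it and none matches both its origin AS and its length.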

The ASPA Planner

The third tool Steve presented was the RPKI-ASPA Planner — an experimental tool to help network operators build Autonomous System Provider Authorization (ASPA) objects. Given an ASN, the tool draws on CAIDA’s AS relationship data and routing data to suggest a possible ASPA and generates a diagram of the inferred peering relationships.

Steve was careful to temper expectations: The tool works reliably for networks near the edge of the Internet, but its accuracy decreases for networks deeper in the core. It also uses data refreshed daily from CAIDA, so results reflect a snapshot rather than real-time state.

The ASPA discussion surfaced a striking data point: Within the Internet2 community — roughly 1,100 U.S. research and education networks — only two had deployed ASPAs as of the week of the presentation. By contrast, GÉANT, the equivalent research and education network in Europe, had approximately 33 percent of its address space covered by ASPAs. The gap, Steve suggested, likely reflects a combination of earlier ASPA support from RIPE NCC and the influence of vocal ASPA advocates within the European community.

Audience engaging with Steve’s keynote

The Room Responds

The Q&A period that followed Steve’s presentation illustrated the real appetite that exists for tools like these. Alison Wood, an ARIN Advisory Council member and a network operator for the State of Oregon, shared that she had pulled up the tool during Steve’s talk, looked up her own AS, and immediately sent screenshots of the ASPA diagrams to her executive staff — who had previously struggled to grasp their network’s routing relationships visually.

“I got a million thumbs up this morning. This is incredibly applicable and amazing. We are going to use this constantly.” — Alison Wood

Kevin Blumberg of the Toronto Internet Exchange raised a broader challenge that the tools can help address but can’t fully solve: the psychological barrier operators face around RPKI adoption. “People don’t do it, because they’re afraid it will break things,” he said. “But they’re okay with people breaking their networks intentionally. They’re okay with their routes being hijacked, just not [with] breaking it themselves.” The tools, he noted, help significantly with that fear — but the community still has work to do to close the gap between leading people to the water and getting them to drink it.

Try It Yourself

All of the tools Steve demonstrated are publicly accessible at rootbeer.internet2.edu. Each tool includes a disclaimer — worth reading carefully — that the output is meant to inform human decision-making, not replace it. As Steve put it: “Everything can hallucinate; don’t just take its output. But I think it helps people make more informed decisions about creating their ROAs.”

The slides from Steve’s presentation and a transcript and recording of the full keynote are available on the ARIN 57 Meeting Report.


Learn about ARIN’s RPKI services at arin.net/RPKI and keep an eye out for an ARIN Deep Dive technical workshop near you to attend free, hands-on RPKI training.

Post written by:

Christina Paladeau
Social Media and Content Specialist
