ACSP Consultation 2023.4: Consultation on Pending Functionality for Automatic Creation of IRR Route Objects for Uncovered ROAs
Consultation Tracking Information
- Requested By: Staff
- Status: Closed
- Comments Opened: 10 August 2023 (linked to discussion archives)
- Comments Closed: 20 September 2023
- Suggestion Number: n/a
Dear ARIN Community,
ARIN is seeking feedback from the community regarding a specific aspect of the recent ARIN Online functionality that was deployed on 7 August 2023. This upgrade to ARIN Online brought several new features – including tighter integration of ARIN’s Resource Public Key Infrastructure (RPKI) and Internet Routing Registry (IRR) routing security services.
Upon further review and out of an abundance of caution, we have decided to pause the additional functionality that creates corresponding IRR Route Objects for every Route Origin Authorization (ROA) created. We have also paused the functionality that automatically creates IRR Route Objects for all preexisting ROAs that presently lack a matching Route Object. We recognize the importance of ensuring that our services align with the needs and expectations of our community and believe that additional time for community consultation on this integration functionality is warranted.
The current development plan is to provide an opt-in feature to allow for the creation of IRR Route Objects during new ROA creation in the near future. We are seeking operator input through this community consultation to gather input on the desirability of additional functionality related to integrating RPKI and IRR security services.
The questions for community consideration are:
- Should the automatic creation of IRR route objects for resources that have RPKI ROAs be compulsory, the default setting, or require explicit opt-in?
- Should IRR Objects be managed via a direct linkage to a ROA such that they can only be deleted through deletion of the covering ROA, or should ARIN continue to support independent management of IRR route objects?
- Should ARIN automatically create managed IRR Route Objects for all validated ROAs in the Hosted RPKI repository that do not have matching IRR Route Objects today?
- If so, what is the anticipated benefit of doing so? Conversely, if this functionality is not desired, why not?
- If a customer agrees to link a ROA with the IRR, what is the appropriate number of route objects that should be created based on the ROA prefix and max length configuration? Would a “least specific” route object meet expectations?
We sincerely apologize for any inconvenience that pausing this functionality may have caused and appreciate your understanding as we work to ensure that our services are aligned with the interests of the community.
I encourage all community members to provide their comments and feedback on this matter – the feedback you provide during this consultation will be instrumental in determining how ARIN moves forward with this RPKI/IRR integration functionality.
Please provide comments to email@example.com. You can subscribe to this mailing list at https://lists.arin.net/mailman/listinfo/arin-consult
This consultation will remain open until 5:00 PM ET on 10 September 2023. ARIN seeks clear direction through community input, so your feedback is important.
Thank you for your continued support and engagement.
22 September 2023
ARIN thanks those who provided valuable feedback during this consultation on pending functionality for automatic creation of Internet Routing Registry (IRR) Route Objects for uncovered Route Origin Authorizations (ROAs). This feedback will be factored into the decision on development of future IRR, Resource Public Key Infrastructure, and ROA features.
8 September 2023
Due to the recent increase of interest and feedback, we are extending the ongoing consultation on possible new features in ARIN Online that will provide tighter integration of ARIN’s Resource Public Key Infrastructure (RPKI) and Internet Routing Registry (IRR) routing security services until 20 September.
We hope you will take advantage of this extra time to share your thoughts on this important consultation on pending features and functionality that will integrate ARIN’s routing security services.
We look forward to your feedback on this important topic.
25 August 2023
As of 24 August, we have received a range of opinions on how best to proceed. As a result of the feedback received so far, we are planning to develop the following features:
- A per-OrgID setting entitled “Automatic IRR Route Object Maintenance for RPKI ROAs”. This setting will be “on” by default when we add it to all OrgIDs, but customers can readily turn it off.
- On the Routing Security Dashboard, there will be a checkbox entitled “Automatic IRR Route Object Maintenance”, which is where an Org can opt out of the default IRR route automation.
- At the Org ID level, there will be an option for a one-time “catch up” that will automatically create Route Objects for each ROA in question. This one-time “catch up” will also result in existing Route Objects being automatically maintained.
We are also planning to make the following changes to RPKI and IRR functionality:
- Upon creation or removal of a ROA with the default automation attribute set to on, we will make the appropriate change to corresponding IRR Route Object(s)
- When a Route Object is automatically generated by ROA creation, its existence is dependent on the ROA; however, the customer will maintain the ability to delete or modify the Route Object and not impact the state of its corresponding ROA
Regarding the question of the appropriate number of Route Objects that should be created based on the ROA prefix and max length configuration, ARIN plans to provide an additional checkpoint that will require a user to positively select the option to apply a maxLength value. The user will make that selection only after being presented with information about the RFC 9319 best practice recommendation to limit the use of maxLength in ROAs, and about the exposure to a potential forced-origin sub-prefix hijack that comes with a liberal use of maxLength. If an organization has automatic IRR generation turned on, and a maxLength is set on a ROA, ARIN will generate the IRR Route Object with the least specific match based on the prefix(es) in the triggering ROA.
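The arithmetic behind the maxLength checkpoint and the "least specific" choice described above, as an added example (not ARIN's code): it counts the prefixes a ROA authorizes, counts how many of them are not actually announced (the surplus RFC 9319 advises against), and builds the single least-specific route object. The function names, the three-attribute object layout, and the sample prefixes and ASN (documentation ranges) are assumptions made for illustration; a registered route object carries further attributes omitted here.

```python
import ipaddress

def _parse(prefix, max_length):
    """Validate a ROA prefix/maxLength pair; maxLength defaults to the prefix length."""
    net = ipaddress.ip_network(prefix, strict=True)
    ml = net.prefixlen if max_length is None else max_length
    if not net.prefixlen <= ml <= net.max_prefixlen:
        raise ValueError(f"maxLength {ml} outside {net.prefixlen}..{net.max_prefixlen}")
    return net, ml

def authorized_prefix_count(prefix, max_length=None):
    """How many distinct prefixes the ROA authorizes. This is also the number of
    route objects needed if every authorized more-specific were mirrored in the IRR."""
    net, ml = _parse(prefix, max_length)
    return sum(2 ** (length - net.prefixlen) for length in range(net.prefixlen, ml + 1))

def unannounced_authorized(prefix, max_length, announced):
    """Authorized prefixes that the operator does not announce. Anything above
    zero means the ROA is looser than the minimal ROA RFC 9319 recommends."""
    net, ml = _parse(prefix, max_length)
    seen = set()
    for item in announced:
        a = ipaddress.ip_network(item)
        if a.version == net.version and a.subnet_of(net) and a.prefixlen <= ml:
            seen.add(a)
    return authorized_prefix_count(prefix, max_length) - len(seen)

def least_specific_route_object(prefix, origin_asn, max_length=None, source="ARIN"):
    """One route/route6 object for the ROA prefix itself, ignoring maxLength.
    Minimal attributes only (assumed layout for illustration)."""
    net, _ = _parse(prefix, max_length)
    attr = "route" if net.version == 4 else "route6"
    return f"{attr}: {net}\norigin: AS{origin_asn}\nsource: {source}"

if __name__ == "__main__":
    # Constructed sample ROA: documentation prefix and documentation ASN.
    prefix, max_length, asn = "192.0.2.0/24", 26, 64496
    announced = ["192.0.2.0/24"]  # constructed: only the aggregate is announced
    print("prefixes authorized by ROA:", authorized_prefix_count(prefix, max_length))
    print("authorized but unannounced:", unannounced_authorized(prefix, max_length, announced))
    print(least_specific_route_object(prefix, asn, max_length))
```
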
There has been strong and consistent feedback against automatically creating managed IRR Route Objects for all validated ROAs in the Hosted RPKI repository that do not have matching IRR Route Objects, so we will not force this action. No IRR objects will be created without the customers’ expressed permission.