RPKI Best Practices and Troubleshooting
Best Practices
Limit the use of the maxLength attribute in your ROAs
If you create a ROA for a /16 block with a maxLength of /24, you are indicating that every potential prefix – from the aggregate /16 down to the longest matching /24 originating from the specified AS – should be treated as authentic. This includes 511 prefixes: all /24s, all /23s, all /22s, and so on. Liberal use of maxLength in ROAs exposes you to a forged-origin sub-prefix hijack.
More information can be found in RFC 9319: The Use of maxLength in the Resource Public Key Infrastructure (RPKI).
Create exact matching ROAs for prefixes announced to the Internet and nothing more
If you have a /16 of IPv4 space or a /32 of IPv6 space, chances are you are not announcing every /24 or /48 subnet. Creating ROAs that exactly match your announcements should reduce the number of ROAs you create, which not only saves time but also limits your exposure to hijacks resulting from misconfiguration or nefarious announcements.
Create ROAs for the most specific prefixes first and work back to your aggregates
Suppose you are announcing a /16 aggregate and a subset of /24s within the aggregate block. If you create a ROA for only the /16 aggregate, all the /24 announcements will be marked as RPKI invalid. In other words, go backwards (/24, /23, /22, …, /16).
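To make the three points above concrete, here is an added example (not ARIN's code) that implements route origin validation as described in RFC 6811 and counts how many prefixes a ROA with a given maxLength authorizes. The prefixes (10.10.0.0/16 and its subnets) and AS 64496 are constructed sample values.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # ROA prefix, e.g. "10.10.0.0/16" (constructed sample)
    max_length: int  # longest prefix length this ROA authorizes
    asn: int         # AS authorized to originate the covered prefixes


def covered_prefix_count(roa: ROA) -> int:
    """Number of distinct prefixes a ROA authorizes: every length from the
    ROA's own length up to max_length, 2^(k - len) prefixes at each length.
    A /16 with maxLength 24 therefore covers 1 + 2 + ... + 256 = 511."""
    net = ipaddress.ip_network(roa.prefix)
    if roa.max_length < net.prefixlen:
        raise ValueError("maxLength must not be shorter than the ROA prefix")
    return sum(2 ** (k - net.prefixlen)
               for k in range(net.prefixlen, roa.max_length + 1))


def validate_route(prefix: str, origin_asn: int, roas: list[ROA]) -> str:
    """Route origin validation (RFC 6811 section 2):
    'notfound' - no ROA covers the announced prefix at all
    'valid'    - a covering ROA matches both maxLength and origin AS
    'invalid'  - covering ROAs exist, but none of them matches"""
    route = ipaddress.ip_network(prefix)
    covering = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covering = True
        if route.prefixlen <= roa.max_length and roa.asn == origin_asn:
            return "valid"
    return "invalid" if covering else "notfound"


if __name__ == "__main__":
    loose = [ROA("10.10.0.0/16", 24, 64496)]          # liberal maxLength
    aggregate_only = [ROA("10.10.0.0/16", 16, 64496)]  # only the /16 signed
    exact = aggregate_only + [ROA("10.10.5.0/24", 24, 64496)]
    print(covered_prefix_count(loose[0]))                       # 511
    print(validate_route("10.10.5.0/24", 64496, aggregate_only))  # invalid
    print(validate_route("10.10.5.0/24", 64496, exact))           # valid
    # an unannounced /24 with a forged origin of 64496: covered by the loose
    # ROA, but rejected when ROAs match the announcements exactly
    print(validate_route("10.10.6.0/24", 64496, loose))           # valid
    print(validate_route("10.10.6.0/24", 64496, exact))           # invalid
```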
Troubleshooting
I don’t see a “Manage RPKI” option on my organization’s page in ARIN Online
You will not see this option if your resources:
- Are not under an ARIN Agreement
- Are not issued directly to your organization by ARIN
I can’t create a ROA
Are your resources covered by a resource certificate? In order for a ROA to be valid, each IP address included must be covered by the resource certificate. If any IP address (IPv4 or IPv6) in any ROA prefix is not covered by the resource certificate, the entire ROA is considered invalid and will not be signed.
Note: Your Autonomous System Numbers (ASNs) will be in your resource certificate. However, any Autonomous System (AS) may be authorized to originate your ROA prefixes.
Resources have been added to or removed from my certificate
During the process of issuing or revoking Internet number resources, ARIN may add or remove them from your RPKI resource certificate as appropriate. If resources are removed, the resource certificate will reflect that change, and ROAs that no longer fit in that resource set will be removed. Additional resources will be added to the existing certificate without changing the existing ROAs. You can then add new ROAs or modify existing ones at your leisure to reflect your new resources. Note that some resources may not be eligible to be certified in RPKI, such as:
- Resources not directly issued to your organization by ARIN
- Resources not covered by an ARIN Agreement
Note: If you have signed up for RPKI and you believe that all or some of your resources are not properly covered by your certificate, please create a ticket using Ask ARIN in ARIN Online or by calling +1 703-227-0660 for further assistance.