Route Origin Authorizations (ROAs)

Route Origin Authorization (ROA) Overview

A ROA is a cryptographically signed object that states which Autonomous System (AS) is authorized to originate a particular IP address prefix or set of prefixes. ROAs may only be generated for Internet number resources covered by your resource certificate. (The term ROA Request is used interchangeably with ROA on ARIN’s site to mean a route origination authorization created in ARIN’s RPKI repository.)

A ROA is composed of:

  • An Origin AS
  • A prefix and max length
  • A ROA name (optional)
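
The following is an added example, not ARIN's code: it shows how a relying party applies the origin AS, prefix, and max length fields when checking a BGP announcement, using the route origin validation rules of RFC 6811. The ROA entries use documentation prefixes and AS numbers and are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple


class Roa(NamedTuple):
    origin_as: int    # AS authorized to originate the prefix
    prefix: str       # covering prefix named in the ROA
    max_length: int   # longest prefix length the origin AS may announce


# Constructed sample ROAs (documentation address space and AS numbers).
SAMPLE_ROAS = [
    Roa(64496, "192.0.2.0/24", 24),
    Roa(64497, "198.51.100.0/24", 25),
    Roa(64496, "2001:db8::/32", 48),
]


def validate_origin(roas, route_prefix, route_origin_as):
    """Return 'valid', 'invalid' or 'not-found' for one announcement (RFC 6811)."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version != route.version:
            continue
        # A ROA covers the route if the route is equal to or more specific
        # than the ROA prefix.
        if not route.subnet_of(roa_net):
            continue
        covered = True
        # A covering ROA matches only if the origin AS agrees and the route
        # is no longer than max length. AS 0 never matches any route.
        if (roa.origin_as != 0
                and roa.origin_as == route_origin_as
                and route.prefixlen <= roa.max_length):
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    # Covered by no ROA at all: not-found.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64496),      # exact match
                        ("192.0.2.128/25", 64496),    # longer than max length
                        ("192.0.2.0/24", 64511),      # wrong origin AS
                        ("203.0.113.0/24", 64496)]:   # no covering ROA
        print(prefix, f"AS{asn}", validate_origin(SAMPLE_ROAS, prefix, asn))
```

A max length equal to the prefix length, as in the first sample ROA, means any more-specific announcement of that space is invalid even when it comes from the authorized origin AS.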

Creating a ROA in ARIN Online

  1. Log in to ARIN Online and select Routing Security from the navigation menu.
  2. In the ‘Your Organization’ window, select Manage RPKI for the organization for which you want to configure RPKI.
  3. On the ‘Routing Security Dashboard’ page, select Create ROA.
  4. In the ‘Create a Route Origin Authorization (ROA)’ window, complete the required fields, then select Next Step.
  5. In the ‘Review ROA’ window, review and submit your ROA request by selecting Submit.

Note: Duplicate and overlapping ROAs are no longer allowed. The necessity for duplicate ROAs was removed with the release of the ROA auto-renew feature. See the RPKI FAQ for additional information.

Viewing Your ROAs

You can view your ROAs using these methods:

Using the API

Visit ARIN’s RESTful provisioning system (Reg-RWS) to view a list of ROAs for an organization. (Note that you will need an ARIN Online account with an API Key to use Reg-RWS.)

Using ARIN Online

  1. Log in to ARIN Online and select Routing Security from the navigation menu.
  2. In the ‘Routing Security Dashboard’ window, select Manage RPKI.
  3. Select ‘ROAs’ in the top menu to view those created for the organization.

You can view the ROAs for another organization by using the drop-down menu in the upper left to select a different Org ID, then selecting ROAs in the top menu.

Verifying Your ROAs Are Active

The RPKI repository is updated every few minutes. To verify that your resources are active, you’ll need to use an RPKI validator and obtain ARIN’s RPKI repository. Visit Using ARIN’s RPKI Repository for Routing for more information.

Removing a ROA

Removing a ROA removes it from the RPKI repository, and adds it to the Certificate Revocation List (CRL) of the parent certificate. CRLs are published as part of the repository. Note that there is a system limitation for revocations in CRLs.

You can delete your ROAs using one of the following methods:

Using the API

Visit ARIN’s RESTful provisioning system (Reg-RWS) to delete a ROA (note that you will need an ARIN Online account with an API Key to use Reg-RWS).

Using ARIN Online

  1. Log in to ARIN Online and select Routing Security from the navigation menu.
  2. In the ‘Your Organization’ window, select Manage RPKI to view the ROAs created for the organization.
  3. In the ‘Route Origin Authorizations’ window, select Remove.
  4. Choose Remove again to confirm the removal. Changes will take effect in the RPKI database immediately and will be reflected in the public RPKI repository within 24 hours.

ROA Change Log

  1. Log in to ARIN Online and select Routing Security from the navigation menu.
  2. In the “Your Organization” window, select Manage RPKI.
  3. In the “Status Overview” window, select View the ROA Change Log.

On the “RPKI: View ROA Change Log” page, the “Origin AS/Prefix Pair Change Log” will be shown, which lists all new and modified ROAs of an Organization in the past 365 days. Logs longer than 100 items will be paginated.

RPKI: ROA Change Log

The table contains the following columns:

  • Timestamp: Displays the date and time of the change.
  • Operation: Displays either “Added” or “Removed.”
  • Source: Displays either “Web User,” “API User,” or “ARIN System.”
  • Origin AS: Displays the Origin AS associated with the new or modified ROA.
  • Prefix: Displays the Prefix associated with the new or modified ROA.
  • Max Length: Displays the Max Length associated with the new or modified ROA.
  • Changed By: Displays the first and last name from the profile of the ARIN Online user account that performed the change (as of when they made the change).

Selecting “Request CSV of Log” will submit a ticket requesting a full CSV file, and ARIN will review and respond within two business days. The file will then be available for download for 90 days.