Route Origin Authorizations (ROAs)

Route Origin Authorization (ROA) Overview

A ROA is a cryptographically signed object that states which Autonomous System (AS) is authorized to originate a particular IP address prefix or set of prefixes. ROAs may only be generated for Internet number resources covered by your resource certificate. (The term ROA Request is used interchangeably with ROA on ARIN’s site to mean a route origination authorization created for ARIN’s RPKI repository.)

A ROA is composed of:

  • A ROA name
  • An Autonomous System Number (ASN)
  • A validity date range
  • One or more IP Addresses (along with a CIDR block designation and an optional max length).

ROAs contain the following information:

[Figure: IPv4 ROA diagram showing the parts of an IPv4 ROA]

[Figure: IPv6 ROA diagram showing the parts of an IPv6 ROA]

  1. Version Number: This must be set to 1.

  2. Timestamp: This must be specified in seconds since 1 January 1970 (seconds since the epoch), such as 1340135296.

  3. Trailing Vertical Bar (|): This character must follow each section of the ROA.

  4. ROA Name: This can be any name of your choosing, and it is for your own identification purposes only. A ROA name can only contain letters, numbers, spaces, and dash (-) characters. There may not be more than 256 characters to a name.

  5. Origin Autonomous System (AS): The number of the AS that will be authorized to announce the IP prefixes you specify. You are not restricted to putting in your own AS; however, you can only put in one AS per ROA. If you intend to originate your prefixes from more than one AS, you will need to create a ROA for each one.

  6. Validity Start Date: The first date for which this ROA should be considered valid. However, the date must be within the validity date range of your Certificate Authority (CA) certificate, and expressed in mm-dd-yyyy format.

  7. Validity End Date: The last date for which this ROA should be considered valid. However, the date must be within the validity date range of your CA certificate, and expressed in mm-dd-yyyy format.

  8. Prefix and Prefix Length: The prefix is the range of IP addresses authorized to be announced by the Autonomous System Number (ASN) you specify. This prefix must be allocated to your organization and certified by your CA certificate. The prefix length specifies the size of that IP address range.

    You may include more than one prefix at a time within a ROA. If you wish to specify more than one prefix, you must provide a Prefix, Prefix Length, and Max Length field (may be blank) for each prefix. For example:

    1|1340135296|My First ROA|1234|05-25-2011|05-25-2012|10.0.0.0|8|16|192.168.0.0|18||192.168.0.0|16|20|

  9. Max Length: The Max Length field is the smallest exact prefix length announcement you will allow for this route and is optional. If it is not provided, then only the exact prefix entered will be specified in the ROA. Example of the ROA with a blank Max Length field:

    1|1340135296|My First ROA|1234|05-25-2011|05-25-2012|10.0.0.0|8|16|192.168.0.0|18||

If signing a ROA manually (i.e., not from within your browser), you will need to put all the fields together, on one line, each field delimited by the | character.
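
The field rules above can be checked mechanically before a line is signed. The following is an added example, not ARIN's code: the function name roa_lint is hypothetical, and the bounds check on Max Length (no shorter than the prefix length, no longer than 32 bits for IPv4 or 128 for IPv6) is an assumption taken from general RPKI rules rather than from this page.

```sh
#!/bin/sh
# Added example (not ARIN code): lint one ROA request line against the field
# rules listed above. Prints one "error:" line per problem; returns non-zero
# if any problem was found.
roa_lint() {
  printf '%s' "$1" | awk -F'|' '
    function bad(msg) { print "error: " msg; errs++ }
    {
      if (substr($0, length($0)) != "|") bad("last field needs a trailing |")
      if ($1 != "1")        bad("version must be 1")
      if ($2 !~ /^[0-9]+$/) bad("timestamp must be seconds since the epoch")
      if ($3 !~ /^[A-Za-z0-9 -]+$/ || length($3) > 256)
        bad("name: letters, numbers, spaces and dashes only, max 256 chars")
      if ($4 !~ /^[0-9]+$/) bad("origin AS must be exactly one AS number")
      date = "^(0[1-9]|1[0-2])-(0[1-9]|[12][0-9]|3[01])-[0-9][0-9][0-9][0-9]$"
      if ($5 !~ date || $6 !~ date) bad("validity dates must be mm-dd-yyyy")
      n = NF - 1   # the trailing | leaves one empty field at the end
      if (n < 9 || (n - 6) % 3 != 0)
        bad("each prefix needs prefix|length|max length (max may be blank)")
      for (i = 7; i + 2 <= n; i += 3) {
        bits = ($i ~ /:/) ? 128 : 32          # IPv6 if the prefix has a colon
        plen = $(i + 1); mlen = $(i + 2)
        if (plen !~ /^[0-9]+$/ || plen + 0 > bits) {
          bad($i ": prefix length must be 0-" bits); continue
        }
        # Assumption (general RPKI rule, not stated on this page):
        # prefix length <= max length <= address size.
        if (mlen != "" && (mlen !~ /^[0-9]+$/ || mlen + 0 < plen + 0 || mlen + 0 > bits))
          bad($i "/" plen ": max length must be " plen "-" bits " or blank")
      }
    }
    END { if (NR != 1) bad("expected exactly one line"); exit (errs > 0) }'
}

# Constructed inputs: the first is the blank-max-length example from the page.
roa_lint '1|1340135296|My First ROA|1234|05-25-2011|05-25-2012|10.0.0.0|8|16|192.168.0.0|18||' \
  && echo "ok"
roa_lint '1|1340135296|My_ROA|1234|05-25-2011|05-25-2012|10.0.0.0|16|8' || echo "rejected"
```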

Submitting a ROA

Note: ROAs will only be accepted if signed using a private key that corresponds with a public key linked to the customer submitting the ROA. This is enforced by custom programming on ARIN’s HSM which may not be tampered with or altered in any way.

Before submitting ROAs, you must sign up for RPKI and submit your public key. Once you have successfully received a resource certificate from ARIN, you can submit ROAs using the methods described in the following sections.

Creating a ROA Using the API

Visit ARIN’s RESTful provisioning system (Reg-RWS) to create a ROA using the API. (Note that you will need an ARIN Online account with an API Key to use Reg-RWS.)

Creating a ROA in ARIN Online

  1. Log in to ARIN Online and select Routing Security, then RPKI from the navigation menu.
  2. In the ‘Your Organization’ window, select View Details for the organization for which you want to configure RPKI.
  3. In the top bar of the ‘Manage RPKI’ page, select Create ROA from the top line menu.
  4. In the ‘Create a Route Origin Authorization (ROA)’ window, choose the tab corresponding to how you want to create and submit the ROA:
      • Browser Signed (described in the next section): This is the easiest method, where the browser uses JavaScript to parse your private key (it is not uploaded to ARIN) and sign the ROA.
      • Manually Signed: Choose this option if you want to manually sign your ROA using a command-line interface program such as OpenSSL. If you use this method, the browser doesn’t ask for the key pair file.

You can create ROAs for another Organization by using the drop-down menu in the upper left to select a different Org ID, selecting Create ROA in the top menu, and repeating the process above beginning with Step 4.

Submitting a Browser-Signed ROA

Using the browser-signed method is the quickest and easiest method. Complete the required fields and digitally sign the ROA Request using the private key that corresponds with the public key you registered with ARIN.

  1. In the Create a Route Origin Authorization (ROA) window, in the Browser Signed tab, enter the information for the ROA.
  2. Complete the required fields, including ‘ROA Name,’ ‘Origin AS,’ and Prefixes. Please ensure that the Prefix and Prefix Length are provided in the correct format, detailed in the ROA Overview above.
  3. In the Private Key field, browse for the ROA Request Generation Key Pair file (you provided ARIN the public key part of that pair when you requested a resource certificate). Note: Your private key is never uploaded to ARIN.
  4. Choose Next Step.
  5. After reviewing the summary of the ROA information, choose Submit. Using JavaScript, the browser signs the data you provided. Your ROA is processed and a ticket is generated to notify you that the ROA was created. To view your ROA, return to the Manage RPKI page.

Submitting a Manually Signed ROA

If you choose to manually sign your ROA, you’ll need to create a precisely formatted text block that includes your ROA information and sign it using the private key that corresponds with the public key you provided to ARIN. Then copy and paste the entire signed text block into the Signed tab.

One way to sign your ROA is to put it into a text file and then sign that file with OpenSSL as shown in the following example (this example assumes a Bourne-compatible shell).

Step one: Open a terminal window and enter the following series of commands:

  • This command uses echo to save your data to a text file:

    Note: The following ROA field data is an example only, and should be replaced with content appropriate to your organization and ROA.

    echo -n "1|1340135296|My First ROA|1234|05-25-2011|05-25-2012|10.0.0.0|8|16|" > roadata.txt

  • This command generates the signature of the ROA data file using OpenSSL and your private key:

    openssl dgst -sha256 -sign orgkeypair.pem -keyform PEM -out signature roadata.txt

  • This command converts the signature to Base64 using OpenSSL.

    openssl enc -base64 -in signature -out sig_base64

Step two: Open the sig_base64 file in a text editor. Your signature should look something like the following example:

RGWqTwh/z7+mC/R9VJIcb1eUgTTigB8xFV+DYzEhim4wM00hp4GRfeJQL6JFXG1l
mAfVWCVe5rFxP7Py/hGslQF43wt/PMztYSc0YIiYXjVB+heLgzDt4iaFdjJS4oxT
rJhawuaYCwYIwzFyDsOEX+Tt9aq0votJxSe0dkw5FCIC5/oGIpW6+fDMeBQir3p9
wDIIGhyOlgwz2xlOu3d/qNbgCp0UKkgMs1QrKauw4dDJSVh0YlE/No6Ao9Ez3gWc
9kk367y5fZgeWiF6ucFsDq2VDtCvcQ/yS+NMbRuK51+V4ZUmBg8US+wwwEPpBMt8
MCQ5BTShwlAdejOykIsviQ==

Step three: In the roadata.txt file, wrap the contents of the ROA data with a Begin and End block and add the Base64 encoded signature block from the sig_base64 file as follows:

-----BEGIN ROA REQUEST-----
<ROA Request data>
-----END ROA REQUEST-----
-----BEGIN SIGNATURE-----
<signature>
-----END SIGNATURE-----

The file contents should now look similar to the example below:

-----BEGIN ROA REQUEST-----
1|1340135296|My First ROA|1234|05-25-2011|05-25-2012|10.0.0.0|8|16|
-----END ROA REQUEST-----
-----BEGIN SIGNATURE-----
RGWqTwh/z7+mC/R9VJIcb1eUgTTigB8xFV+DYzEhim4wM00hp4GRfeJQL6JFXG1l  
mAfVWCVe5rFxP7Py/hGslQF43wt/PMztYSc0YIiYXjVB+heLgzDt4iaFdjJS4oxT  
rJhawuaYCwYIwzFyDsOEX+Tt9aq0votJxSe0dkw5FCIC5/oGIpW6+fDMeBQir3p9  
wDIIGhyOlgwz2xlOu3d/qNbgCp0UKkgMs1QrKauw4dDJSVh0YlE/No6Ao9Ez3gWc  
9kk367y5fZgeWiF6ucFsDq2VDtCvcQ/yS+NMbRuK51+V4ZUmBg8US+wwwEPpBMt8  
MCQ5BTShwlAdejOykIsviQ==
-----END SIGNATURE-----

Step four: From the roadata.txt file, copy and paste the entire content of the request (which will appear similar to the previous example) into the Signed tab in the Create a Route Origin Authorization section of ARIN Online and choose Next Step. Your ROA is processed and a ticket is generated to notify you that the ROA was created.
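
The four steps above can be scripted, with one addition that goes beyond the page's procedure: a local signature check before anything is pasted into ARIN Online. This is an added example, not ARIN's code; the function names, the orgpub.pem and with_newline.txt file names, and the throwaway 2048-bit RSA key generated for the demonstration are assumptions.

```sh
#!/bin/sh
# Added example (not ARIN code): sign ROA request data, verify the signature
# locally, then assemble the block to paste. All file names are placeholders.
work=$(mktemp -d)

# Demo only: a throwaway RSA key pair stands in for your registered key pair.
roa_demo_keys() {
  openssl genrsa -out "$work/orgkeypair.pem" 2048 2>/dev/null &&
  openssl rsa -in "$work/orgkeypair.pem" -pubout -out "$work/orgpub.pem" 2>/dev/null
}

# $1 = ROA data line, $2 = private key. printf '%s' writes exactly the bytes
# given, with no trailing newline, in any POSIX shell.
roa_sign() {
  printf '%s' "$1" > "$work/roadata.txt" &&
  openssl dgst -sha256 -sign "$2" -keyform PEM -out "$work/signature" "$work/roadata.txt" &&
  openssl enc -base64 -in "$work/signature" -out "$work/sig_base64"
}

# $1 = public key, $2 = data file. Succeeds only if the signature covers
# exactly the bytes in the data file.
roa_verify() {
  openssl dgst -sha256 -verify "$1" -signature "$work/signature" "$2" >/dev/null 2>&1
}

# Print the request and signature wrapped in the BEGIN/END markers.
roa_assemble() {
  printf '%s\n' '-----BEGIN ROA REQUEST-----' "$(cat "$work/roadata.txt")" \
    '-----END ROA REQUEST-----' '-----BEGIN SIGNATURE-----'
  cat "$work/sig_base64"
  printf '%s\n' '-----END SIGNATURE-----'
}

roa_demo_keys
roa_sign '1|1340135296|My First ROA|1234|05-25-2011|05-25-2012|10.0.0.0|8|16|' "$work/orgkeypair.pem"
roa_verify "$work/orgpub.pem" "$work/roadata.txt" && echo "signature verifies"
# The same data plus one newline is a different byte string and does not verify.
{ cat "$work/roadata.txt"; echo; } > "$work/with_newline.txt"
roa_verify "$work/orgpub.pem" "$work/with_newline.txt" || echo "newline copy rejected"
roa_assemble
```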

Viewing Your ROAs

You can view your ROAs using these methods:

Using the API

Visit ARIN’s RESTful provisioning system (Reg-RWS) to view a list of ROAs for an Org. (Note that you will need an ARIN Online account with an API Key to use Reg-RWS.)

Using ARIN Online

  1. Log in to ARIN Online and select Routing Security, then RPKI from the navigation menu.
  2. In the ‘Your Organization’ window, select View Details for the organization for which you want to configure RPKI.
  3. In the top bar of the Manage RPKI page, select ROAs from the top line menu.

You can view your ROAs for another Organization by using the drop-down menu in the upper left to select a different Org ID and selecting ROAs in the top menu.

Verifying Your ROAs Are Active

The RPKI repository is updated every few minutes. To verify that your resources are active, you’ll need to use an RPKI Validator and obtain ARIN’s routing information. Visit Using ARIN’s RPKI Repository for Routing for more information.

Removing a ROA

Removing a ROA removes it from the RPKI repository, and adds it to the Certificate Revocation List (CRL) of the parent certificate. CRLs are published as part of the repository. Note that there is a system limitation for revocations in CRLs.

You can delete your ROAs using one of the following methods:

Using the API

Visit ARIN’s RESTful provisioning system (Reg-RWS) to delete a ROA. (Note that you will need an ARIN Online account with an API Key to use Reg-RWS.)

Using ARIN Online

  1. Log in to ARIN Online and select Your Records > Organization Identifiers from the navigation menu.
  2. Choose the organization.
  3. Choose Actions and select Manage RPKI.
  4. Choose ROAs to view a list of ROAs. Select the name of the ROA to view its details.
  5. Choose Remove.
  6. Choose Remove again to confirm the removal. Changes will take effect in the RPKI database immediately and will be reflected in the public RPKI repository within 24 hours.