ROA Requests

Route Origin Authorization (ROA) Request Overview

A ROA is a cryptographically signed object that states which Autonomous System (AS) is authorized to originate a particular IP address prefix or set of prefixes. ROAs may only be generated for Internet number resources covered by your resource certificate. A ROA is composed of:

  • A ROA name
  • An AS number (ASN)
  • A validity date range
  • One or more IP addresses (along with a CIDR block designation and an optional max length)

ROA requests contain the following information:

[Diagram: parts of an IPv4 ROA]
[Diagram: parts of an IPv6 ROA]

  1. Version Number: This must be set to 1.
  2. Timestamp: This must be specified in seconds since 1 January 1970 (seconds since the epoch), such as 1340135296.
  3. Trailing Vertical Bar (|): This character must follow each section of the ROA Request.
  4. ROA Name: This can be any name of your choosing, and it is for your own identification purposes only. A ROA name can only contain letters, numbers, spaces and dash (-) characters. There may not be more than 256 characters to a name.
  5. Origin Autonomous System (AS): The number of the AS that will be authorized to announce the IP prefixes you specify. You are not restricted to putting in your own AS; however, you can only put in one AS per ROA. If you intend to originate your prefixes from more than one AS, you will need to create a ROA for each one.
  6. Validity Start Date: The first date for which this ROA should be considered valid. The date must be within the validity date range of your Certificate Authority (CA) certificate, and must be expressed in mm-dd-yyyy format.
  7. Validity End Date: The last date for which this ROA should be considered valid. The date must be within the validity date range of your CA certificate, and must be expressed in mm-dd-yyyy format.
  8. Prefix and Prefix Length: The prefix is the range of IP addresses authorized to be announced by the AS Number you specify. This prefix must be allocated to your organization and certified by your CA certificate. The prefix length specifies the size of that IP address range.

    You may include more than one prefix at a time within a ROA request. If you wish to specify more than one prefix, you must provide a Prefix, a Prefix Length, and a Max Length field (the Max Length field may be blank) for each prefix. For example:

    1|1340135296|My First ROA|1234|05-25-2011|05-25-2012|10.0.0.0|8|16|192.168.0.0|18||192.168.0.0|16|20|

  9. Max Length: The Max Length field is optional. It sets the smallest exact announcement you will allow for this route, that is, the longest (most specific) prefix length that may be announced. If it is not provided, then only the exact prefix entered will be specified in the ROA. Example of the ROA request with a blank Max Length field:

    1|1340135296|My First ROA|1234|05-25-2011|05-25-2012|10.0.0.0|8|16|192.168.0.0|18||

If generating a ROA request manually (i.e., not from within your browser), you will need to put all the fields together, on one line, each field delimited by the | character.
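A pre-submission check of a manually built request line, as an added example (not ARIN's own validation code). It goes beyond the rules listed above by also assuming a non-empty name, prefixes with no host bits set, a Max Length between the prefix length and the address family maximum, and an end date not before the start date; it cannot check dates or prefixes against your CA certificate.

```python
import ipaddress
import re
from datetime import datetime

# Example request from the page (blank Max Length on the second prefix).
SAMPLE = ("1|1340135296|My First ROA|1234|05-25-2011|05-25-2012|"
          "10.0.0.0|8|16|192.168.0.0|18||")

def parse_roa_request(line):
    """Validate one ROA request line; return its fields or raise ValueError."""
    if not line.endswith("|"):
        raise ValueError("every section, including the last, must end with '|'")
    fields = line[:-1].split("|")
    if len(fields) < 9 or (len(fields) - 6) % 3:
        raise ValueError("need 6 leading fields plus prefix|length|max-length triples")
    version, timestamp, name, asn, start, end = fields[:6]
    if version != "1":
        raise ValueError("version number must be 1")
    if not re.fullmatch(r"[0-9]+", timestamp):
        raise ValueError("timestamp must be seconds since the epoch")
    if not re.fullmatch(r"[A-Za-z0-9 -]{1,256}", name):
        raise ValueError("ROA name: letters, numbers, spaces, dashes; max 256")
    if not re.fullmatch(r"[0-9]+", asn):
        raise ValueError("origin AS must be a single AS number")
    # strptime raises ValueError for input that does not parse as month-day-year.
    not_before = datetime.strptime(start, "%m-%d-%Y").date()
    not_after = datetime.strptime(end, "%m-%d-%Y").date()
    if not_after < not_before:
        raise ValueError("validity end date is before the start date")
    prefixes = []
    for i in range(6, len(fields), 3):
        addr, length, max_len = fields[i:i + 3]
        if not re.fullmatch(r"[0-9]+", length):
            raise ValueError(f"{addr}: prefix length must be a number")
        # strict=True rejects host bits set beyond the prefix length.
        net = ipaddress.ip_network(f"{addr}/{length}", strict=True)
        # Blank Max Length: only the exact prefix is authorized.
        max_len = int(max_len) if max_len else net.prefixlen
        if not net.prefixlen <= max_len <= net.max_prefixlen:
            raise ValueError(f"{net}: max length {max_len} is out of range")
        prefixes.append((str(net), max_len))
    return {"name": name, "asn": int(asn), "not_before": not_before,
            "not_after": not_after, "prefixes": prefixes}

if __name__ == "__main__":
    print(parse_roa_request(SAMPLE))
```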

Submitting a ROA Request

You can submit ROA requests using these methods:

Creating a ROA Request in ARIN Online

  1. Log in to ARIN Online and select Your Records > Organization Identifiers from the navigation menu.
  2. Choose the organization for which you want to configure RPKI.
  3. Choose Actions and select Manage RPKI.
  4. Choose Create ROA.
  5. Choose the tab corresponding to how you want to create and submit the ROA Request: Browser Signed (easiest) or Sign the request.

Signing a Request

Signing a ROA Request may be done in two ways: in ARIN Online (browser-signed), or from the command line (manually signed).

Using the Browser-Signed Method

Using the browser-signed method is the quickest and easiest method. Follow these instructions:

  1. In the Create a Route Origin Authorization window, in the Browser Signed tab, enter the information for the ROA request.
  2. In the Private Key field, browse for and attach the ROA Request Generation Key Pair file (you provided ARIN the public key part of that pair when you requested a resource certificate). Note: Your private key is never uploaded to ARIN and the signing code is run only on your computer.
  3. Choose Next Step.
  4. After reviewing the summary of the ROA information, choose Submit. Using JavaScript, the browser signs the data you provided. Your ROA request is processed and a ticket is generated to notify you that the ROA was created. To view your ROA, return to the Manage RPKI page.

Using a Signed ROA Request

If you choose to use a signed ROA Request, you’ll need to create a precisely-formatted text block that includes your ROA information, and sign it using the private key that corresponds with the public key you provided to ARIN. You then copy and paste the entire signed text block into the Signed tab.

One way to sign your ROA is to put it into a text file and then sign that file with OpenSSL as shown in the following example (this example assumes a Bourne-compatible shell).

Step one: Open a terminal window and enter the following series of commands:

  • This command uses echo to save your data to a text file:

Note: The following ROA field data is an example only, and should be replaced with content appropriate to your organization and ROA request.

echo -n "1|1340135296|My First ROA|1234|05-25-2011|05-25-2012|10.0.0.0|8|16|" > roadata.txt

  • This command generates the signature of the ROA data file using OpenSSL and your private key:

openssl dgst -sha256 -sign orgkeypair.pem -keyform PEM -out signature roadata.txt

  • This command converts the signature to Base64 using OpenSSL.

openssl enc -base64 -in signature -out sig_base64

Step two: Open the sig_base64 file in a text editor. Your signature should look something like the following example:

RGWqTwh/z7+mC/R9VJIcb1eUgTTigB8xFV+DYzEhim4wM00hp4GRfeJQL6JFXG1l
mAfVWCVe5rFxP7Py/hGslQF43wt/PMztYSc0YIiYXjVB+heLgzDt4iaFdjJS4oxT
rJhawuaYCwYIwzFyDsOEX+Tt9aq0votJxSe0dkw5FCIC5/oGIpW6+fDMeBQir3p9
wDIIGhyOlgwz2xlOu3d/qNbgCp0UKkgMs1QrKauw4dDJSVh0YlE/No6Ao9Ez3gWc
9kk367y5fZgeWiF6ucFsDq2VDtCvcQ/yS+NMbRuK51+V4ZUmBg8US+wwwEPpBMt8
MCQ5BTShwlAdejOykIsviQ==

Step three: In the roadata.txt file, wrap the contents of the ROA data with a Begin and End block and add the Base64 encoded signature block from the sig_base64 file as follows:

-----BEGIN ROA REQUEST-----
<ROA Request data>
-----END ROA REQUEST-----
-----BEGIN SIGNATURE-----
<signature>
-----END SIGNATURE-----

The file contents should now look similar to the example below:

-----BEGIN ROA REQUEST-----
1|1340135296|My First ROA|1234|05-25-2011|05-25-2012|10.0.0.0|8|16|
-----END ROA REQUEST-----
-----BEGIN SIGNATURE-----
RGWqTwh/z7+mC/R9VJIcb1eUgTTigB8xFV+DYzEhim4wM00hp4GRfeJQL6JFXG1l  
mAfVWCVe5rFxP7Py/hGslQF43wt/PMztYSc0YIiYXjVB+heLgzDt4iaFdjJS4oxT  
rJhawuaYCwYIwzFyDsOEX+Tt9aq0votJxSe0dkw5FCIC5/oGIpW6+fDMeBQir3p9  
wDIIGhyOlgwz2xlOu3d/qNbgCp0UKkgMs1QrKauw4dDJSVh0YlE/No6Ao9Ez3gWc  
9kk367y5fZgeWiF6ucFsDq2VDtCvcQ/yS+NMbRuK51+V4ZUmBg8US+wwwEPpBMt8  
MCQ5BTShwlAdejOykIsviQ==
-----END SIGNATURE-----

Step four: From the roadata.txt file, copy and paste the entire content of the request (which will appear similar to the previous example) into the Signed tab in the Create a Route Origin Authorization section of ARIN Online and choose Next Step. Your ROA request is processed and a ticket is generated to notify you that the ROA was created.
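Steps one to three as a script, with a local signature check before you paste the block, as an added example (not ARIN's code). It drives the same openssl commands shown above; the public key file name org_pubkey.pem, the helper names, and the throwaway RSA key pair generated by demo() are assumptions made for this example.

```python
import subprocess
import tempfile
from pathlib import Path

# The page's example request line (example data, not a real ROA).
SAMPLE_LINE = "1|1340135296|My First ROA|1234|05-25-2011|05-25-2012|10.0.0.0|8|16|"

def openssl(*args):
    """Run the openssl command-line tool and capture its output."""
    return subprocess.run(["openssl", *args], capture_output=True, text=True)

def build_signed_request(roa_line, private_key, public_key):
    """Sign roa_line as in steps one to three, verify locally, return the block."""
    with tempfile.TemporaryDirectory() as tmp:
        data, sig, b64 = (Path(tmp, n)
                          for n in ("roadata.txt", "signature", "sig_base64"))
        # Exact bytes with no trailing newline, matching `echo -n` above.
        data.write_bytes(roa_line.encode("ascii"))
        signed = openssl("dgst", "-sha256", "-sign", str(private_key),
                         "-keyform", "PEM", "-out", str(sig), str(data))
        if signed.returncode != 0:
            raise RuntimeError("signing failed: " + signed.stderr.strip())
        # Check the signature against the public key given to ARIN, so a wrong
        # key pair or altered data is caught before submission.
        check = openssl("dgst", "-sha256", "-verify", str(public_key),
                        "-signature", str(sig), str(data))
        if check.returncode != 0:
            raise ValueError("signature does not verify with this public key")
        openssl("enc", "-base64", "-in", str(sig), "-out", str(b64))
        signature = b64.read_text().strip()
    return ("-----BEGIN ROA REQUEST-----\n" + roa_line + "\n"
            "-----END ROA REQUEST-----\n"
            "-----BEGIN SIGNATURE-----\n" + signature + "\n"
            "-----END SIGNATURE-----\n")

def demo(workdir):
    """Run the flow with a throwaway RSA key pair generated for this example."""
    key, pub = Path(workdir, "orgkeypair.pem"), Path(workdir, "org_pubkey.pem")
    openssl("genrsa", "-out", str(key), "2048")
    openssl("rsa", "-in", str(key), "-pubout", "-out", str(pub))
    return build_signed_request(SAMPLE_LINE, key, pub)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(demo(d))
```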

Viewing Your ROA Requests

  1. Log in to ARIN Online and select Your Records > Organization Identifiers from the navigation menu.
  2. Choose the organization.
  3. Choose Actions and select Manage RPKI.
  4. Under Hosted Certificate, select the number of ROAs to access a list of ROAs for that certificate.
