
ROA Requests

Submitting a ROA Request

A ROA is a cryptographically signed object that states which Autonomous System (AS) is authorized to originate a particular IP address prefix or set of prefixes. ROAs may only be generated for Internet number resources covered by your resource certificate. A ROA is composed of:

  • A ROA name
  • An AS number (ASN)
  • A validity date range
  • One or more IP Addresses (along with a CIDR block designation and an optional max length). 

Understanding the Parts of a ROA Request

ROA Requests contain the following information:

  1. Version Number: This must be set to 1.
  2. Trailing Vertical Bar: This character must follow each section of the ROA Request.
  3. Timestamp: This must be specified in seconds since 1 January 1970 (AKA seconds since the epoch), such as '1340135296'.
  4. ROA Name: This can be any name of your choosing; it is for your own identification purposes only. A ROA name can contain only letters, numbers, spaces and dash "-" characters, and may not be longer than 256 characters.
  5. Origin Autonomous System (AS): The number of the AS that will be authorized to announce the IP prefix(es) you specify. You are not restricted to putting in your own AS; however, you can only put in one AS per ROA. If you intend to originate your prefixes from more than one AS, you will need to create a ROA for each one.
  6. Validity Start Date: The first date for which this ROA should be considered valid. The date must fall within the validity date range of your CA certificate and be expressed in mm-dd-yyyy format.
  7. Validity End Date: The last date for which this ROA should be considered valid. The date must fall within the validity date range of your CA certificate and be expressed in mm-dd-yyyy format.
  8. Prefix and Prefix Length: The prefix is the range of IP addresses authorized to be announced by the AS Number you specify. This prefix must be allocated to your organization and certified by your CA certificate. The prefix length specifies the size of that IP address range. 
    • You may include more than one prefix at a time within a ROA Request. If you wish to specify more than one prefix, you must provide a Prefix, Prefix Length, and Max Length field (may be blank) for each prefix.

Max Length: The Max Length field is the smallest exact prefix length announcement you will allow for this route and is optional. If it is not provided then only the exact prefix entered will be specified in the ROA.

If generating a ROA Request manually (not within your browser), you will need to put all the fields together, on one line, each field delimited by the | character.

Examples:

  • 1|1340135296|My First ROA|1234|05-25-2011|05-25-2012|10.0.0.0|8|16|
  • 1|1340135296|My First ROA|1234|05-25-2011|05-25-2012|10.0.0.0|8|16|192.168.0.0|18||
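
A pre-submission check of a manually built request line against the field rules listed above, written for a Bourne-compatible shell. This is an added example, not ARIN's code: the function names are hypothetical, and two checks go beyond the text (the address family is inferred from ":" in the prefix to bound the lengths, and Max Length must not be shorter than the prefix length).

```shell
# Pop the next "|"-terminated section of $rest into $field.
next_field() {
    case $rest in *'|'*) ;; *) return 1 ;; esac
    field=${rest%%|*}
    rest=${rest#*|}
}
is_uint() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }
# Print mm-dd-yyyy as yyyymmdd so that two dates compare as integers.
date_key() {
    case $1 in
        [01][0-9]-[0-3][0-9]-[0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    m=${1%%-*}; y=${1##*-}; d=${1#*-}; d=${d%-*}
    [ "$m" -ge 1 ] && [ "$m" -le 12 ] && [ "$d" -ge 1 ] && [ "$d" -le 31 ] || return 1
    echo "$y$m$d"
}
bad() { echo "invalid ROA Request: $1" >&2; }

# Return 0 if the line follows the field rules; else report the first problem.
validate_roa_request() {
    rest=$1
    next_field && [ "$field" = 1 ] || { bad "version must be 1"; return 1; }
    next_field && is_uint "$field" || { bad "timestamp must be epoch seconds"; return 1; }
    next_field || { bad "missing ROA name"; return 1; }
    [ -z "$(printf '%s' "$field" | tr -d 'A-Za-z0-9 -')" ] && [ "${#field}" -le 256 ] ||
        { bad "ROA name: letters, numbers, spaces, dashes; 256 chars max"; return 1; }
    next_field && is_uint "$field" || { bad "origin AS must be a single number"; return 1; }
    next_field && start=$(date_key "$field") || { bad "start date not mm-dd-yyyy"; return 1; }
    next_field && end=$(date_key "$field") || { bad "end date not mm-dd-yyyy"; return 1; }
    [ "$start" -le "$end" ] || { bad "end date precedes start date"; return 1; }
    [ -n "$rest" ] || { bad "no prefix given"; return 1; }
    while [ -n "$rest" ]; do
        next_field && [ -n "$field" ] || { bad "missing prefix"; return 1; }
        prefix=$field
        case $prefix in *:*) bits=128 ;; *) bits=32 ;; esac   # IPv6 or IPv4 (assumed)
        next_field && is_uint "$field" && [ "$field" -le "$bits" ] ||
            { bad "bad prefix length for $prefix"; return 1; }
        len=$field
        # Max Length may be blank, but its trailing "|" is still required.
        next_field || { bad "no Max Length section after $prefix/$len"; return 1; }
        [ -z "$field" ] && continue
        is_uint "$field" && [ "$field" -ge "$len" ] && [ "$field" -le "$bits" ] ||
            { bad "max length $field outside $len..$bits for $prefix"; return 1; }
    done
    return 0
}
validate_roa_request '1|1340135296|My First ROA|1234|05-25-2011|05-25-2012|10.0.0.0|8|16|' && echo "request line OK"
```

The check covers only the shape of the line; whether the prefix is covered by your resource certificate and the dates fall inside its validity range is decided by ARIN at submission.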

Creating a ROA Request in ARIN Online

  1. Log in to ARIN Online and select Your Account > Organization Identifiers from the navigation menu.
  2. Choose the organization for which you want to configure RPKI.
  3. Choose Actions and select Manage RPKI.
  4. Sign the request.
  5. Copy and paste the contents of the ROA Request file into the Submit Signed ROA tab.

Signing a Request

Signing a ROA Request may be done in two ways: in ARIN Online (browser-signed), or from the command line (manually signed).

In-Browser

Using the browser-signed method is the quickest method:

  1. Log in to ARIN Online and select Your Account > Organization Identifiers from the navigation menu.
  2. Choose the organization for which you want to configure RPKI.
  3. Choose Actions and select Manage RPKI.
  4. In the Browser Signed tab, enter the information for the ROA Request.
  5. In the Private Key field, browse for and attach the private key from the ROA Request Generation Key Pair you provided ARIN for that particular organization. Using JavaScript, the browser signs the data you provided.

Note: Your private key is never uploaded to ARIN and the signing code is run only on your computer.

Using OpenSSL

If signing your ROA Request manually, the easiest way to do so is to fill out the ROA Request in the required format by putting it into a text file and then signing that file with OpenSSL as shown in the following example (this example assumes a Bourne-compatible shell).

Note: The ROA data in the following commands is for example only and should be replaced with content appropriate to your organization and ROA Request.

    • echo -n "1|1340135296|My First ROA|1234|05-25-2011|05-25-2012|10.0.0.0|8|16|" > roadata.txt
      • This command uses echo to save your data to a text file
    • openssl dgst -sha256 -sign orgkeypair.pem -keyform PEM -out signature roadata.txt
      • This command generates the signature of the ROA data file using OpenSSL and your private key
    • openssl enc -base64 -in signature > sig_base64
      • This command converts the signature to Base64 using OpenSSL. It should look something like the example below:

RGWqTwh/z7+mC/R9VJIcb1eUgTTigB8xFV+DYzEhim4wM00hp4GRfeJQL6JFXG1l mAfVWCVe5rFxP7Py/hGslQF43wt/PMztYSc0YIiYXjVB+heLgzDt4iaFdjJS4oxT rJhawuaYCwYIwzFyDsOEX+Tt9aq0votJxSe0dkw5FCIC5/oGIpW6+fDMeBQir3p9 wDIIGhyOlgwz2xlOu3d/qNbgCp0UKkgMs1QrKauw4dDJSVh0YlE/No6Ao9Ez3gWc 9kk367y5fZgeWiF6ucFsDq2VDtCvcQ/yS+NMbRuK51+V4ZUmBg8US+wwwEPpBMt8
MCQ5BTShwlAdejOykIsviQ==

After using the above command lines, wrap the contents of the ROA data and the Base64 encoded signature with a Begin and End block as follows:

-----BEGIN ROA REQUEST-----

<ROA Request data>

-----END ROA REQUEST-----

-----BEGIN SIGNATURE-----

<signature>

-----END SIGNATURE-----

The contents should now look similar to the example below:

-----BEGIN ROA REQUEST-----

1|1340135296|My First ROA|1234|05-25-2011|05-25-2012|10.0.0.0|8|16|

-----END ROA REQUEST-----

-----BEGIN SIGNATURE-----

RGWqTwh/z7+mC/R9VJIcb1eUgTTigB8xFV+DYzEhim4wM00hp4GRfeJQL6JFXG1l
mAfVWCVe5rFxP7Py/hGslQF43wt/PMztYSc0YIiYXjVB+heLgzDt4iaFdjJS4oxT
rJhawuaYCwYIwzFyDsOEX+Tt9aq0votJxSe0dkw5FCIC5/oGIpW6+fDMeBQir3p9
wDIIGhyOlgwz2xlOu3d/qNbgCp0UKkgMs1QrKauw4dDJSVh0YlE/No6Ao9Ez3gWc
9kk367y5fZgeWiF6ucFsDq2VDtCvcQ/yS+NMbRuK51+V4ZUmBg8US+wwwEPpBMt8
MCQ5BTShwlAdejOykIsviQ==

-----END SIGNATURE-----
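
The manual signing steps above gathered into one script, with one step added: the signature is verified against the public half of the key pair before the request is wrapped, so a wrong key or an altered data file is caught before submission. This is an added example, not ARIN's code; `sign_roa_request`, `demo`, `orgpubkey.pem` and the throwaway RSA key are assumptions, as is the one-item-per-line layout of the wrapper.

```shell
# sign_roa_request DATA_FILE PRIVATE_KEY PUBLIC_KEY
# Signs DATA_FILE, confirms the signature verifies under PUBLIC_KEY, then prints
# the wrapped request. Prints nothing and returns 1 if either step fails.
sign_roa_request() {
    data=$1 priv=$2 pub=$3
    sig=$(mktemp) || return 1
    # First command: the signing step from the text above.
    # Second command (added): verify with the public key before wrapping.
    openssl dgst -sha256 -sign "$priv" -keyform PEM -out "$sig" "$data" &&
    openssl dgst -sha256 -verify "$pub" -signature "$sig" "$data" >/dev/null ||
        { rm -f "$sig"; return 1; }
    printf '%s\n' '-----BEGIN ROA REQUEST-----'
    cat "$data"; echo
    printf '%s\n' '-----END ROA REQUEST-----' '-----BEGIN SIGNATURE-----'
    openssl enc -base64 -in "$sig"
    printf '%s\n' '-----END SIGNATURE-----'
    rm -f "$sig"
}

# Demo with a constructed throwaway RSA key standing in for the organization's
# ROA Request Generation Key Pair. mktemp -d creates a directory only the
# current user can read, so the private key is not exposed to other accounts.
demo() {
    dir=$(mktemp -d) || return 1
    openssl genrsa -out "$dir/orgkeypair.pem" 2048 2>/dev/null
    openssl rsa -in "$dir/orgkeypair.pem" -pubout -out "$dir/orgpubkey.pem" 2>/dev/null
    # printf rather than echo -n: what echo does with -n varies between shells,
    # and a stray "-n" or newline changes the bytes that get signed.
    printf '%s' '1|1340135296|My First ROA|1234|05-25-2011|05-25-2012|10.0.0.0|8|16|' \
        > "$dir/roadata.txt"
    sign_roa_request "$dir/roadata.txt" "$dir/orgkeypair.pem" "$dir/orgpubkey.pem"
    status=$?
    rm -rf "$dir"
    return "$status"
}
demo
```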

After signing the file with OpenSSL:

  1. Log in to ARIN Online and select Your Account > Organization Identifiers from the navigation menu.
  2. Choose the organization for which you want to configure RPKI.
  3. Choose Actions and select Manage RPKI.
  4. Choose the Signed tab.
  5. Enter the request into the Signed ROA Request field and choose Continue.

Viewing Your ROA Requests

  1. Log in to ARIN Online and select Your Account > Organization Identifiers from the navigation menu.
  2. Choose the organization.
  3. Choose Actions and select Manage RPKI.
  4. Select the applicable resource certificate entry.
  5. Choose View ROAs.
