RPKI and ROAs:

RPKI is a certificate-based service that allows users to certify their Internet number resources to help secure Internet routing. It is a Public Key Infrastructure based service that enables IP address holders to specify which Autonomous Systems (ASes) are authorized to originate their IP address prefixes.
With RPKI, the BGP announcements coming from a router are validated to confirm that they come from the resource holder and that the route is valid. This is done through Route Object Authorisation (ROA).

A ROA contains three informational elements:

  1. The AS Number that is authorised
  2. The prefix that may be originated from the AS
  3. The Maximum Length of the prefix
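
How a validating router uses those three elements, as an added example (not AFRINIC's or Heficed's code) that follows the route origin validation rules of RFC 6811. The ROAs, prefixes and AS numbers are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    asn: int          # the AS number that is authorised
    prefix: str       # the prefix that may be originated from the AS
    max_length: int   # the most specific prefix length allowed


# Constructed sample ROAs (documentation prefixes and AS numbers).
ROAS = [
    ROA(64500, "203.0.113.0/24", 24),
    ROA(64500, "2001:db8::/32", 48),
]


def validate_origin(roas, announced_prefix, origin_asn):
    """Classify an announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(announced_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers the route only if the route sits inside the ROA prefix.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match: same origin AS and the route is not more specific than
        # the ROA's maximum length.
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by some ROA but matched by none: invalid.
    # Covered by no ROA at all: not-found.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    for prefix, asn in [
        ("203.0.113.0/24", 64500),     # matches the ROA
        ("203.0.113.0/25", 64500),     # more specific than max length 24
        ("203.0.113.0/24", 64501),     # wrong origin AS
        ("198.51.100.0/24", 64500),    # no covering ROA
    ]:
        print(prefix, f"AS{asn}", validate_origin(ROAS, prefix, asn))
```

An announcement that is more specific than the ROA's maximum length is invalid even when it comes from the authorised AS, so the maximum length entered in the portal has to cover every prefix length you actually announce.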

Issuing ROAs in AFRINIC's LIR portal is easy:

  1. Log in to https://my.afrinic.net
  2. Go to Resources
  3. Resource Certification
  4. Select Issue ROA’s
  5. Create ROA by providing the following:

· Enter a unique ROA name
· Select the originating ASN
· Select the IPv4 Prefix
          ❖ Click on plus button* for the ROA creation text fields
          ❖ Enter your preferred Max Length (The most specific prefixes that may be originated from the AS)
Note that Heficed requires you to use "24" as the most specific prefix.

· Select the IPv6 Prefix where applicable
          ❖ Click on plus button* for the ROA creation text fields
          ❖ Enter your preferred Max Length (The most specific IPv6 prefixes that may be originated from the AS)
· Select the ROA validity start date
· Select the ROA expiry date
*plus button:

6. Click “add ROA”

Managing ROAs

While adding or editing ROA specifications, you can see the effect on the validity of your BGP announcements in the "View ROA’s" section. Ensure that the following sections have valid dates and that the ROAs remain valid, with status “NO” to indicate that they are not revoked.
