Issuing ROA‘s in RIPE‘s LIR portal is easy:
- Login with your account to RIPE‘s LIR portal at https://my.ripe.net
- On the left menu click „Resources – My Resources“.
- Check what IP resources you want to be covered by ROA.
- Click on „Resources – RPKI Dashboard“.
If it‘s your first time trying to issue ROA you will see the screen where RIPE NCC offers to create Certificate Authority for your LIR.
Read the Terms and Conditions carefully, in the "Article 2", for easier ROAs management by RIPE NCC, select "Hosted" type of certificate authority.
If you agree with Terms and Conditions, click on the blue button „I accept. Create my Certificate Authority“. See screenshots below:
- If you don‘t agree with RIPE‘s agreement you wont be able to issue ROA‘s for your IP resources.
- If you agreed, wait for RPKI dashboard to load. On the tab „BGP Announcements“ you should see all AS numbers that are currently announcing your IP resources regardless of if there was any ROAs issued earlier or not. Let‘s issue a new ROA. Click on the tab „Route Origin Authorisations (ROAs)“ and then click on „New Roa“:
- Type in the following info:
- AS number which you want to „allow“ to announce your IP resources via BGP. If you want to allow Heficed to announce your IP resources type „61317“;
- Type the address prefix which you want to be announced. For example 220.127.116.11/22
- Type most specific length allowed to announce. This must be set to „24“, because if you typed other, e.g. „22“ , it means that AS61317 is allowed to announce 18.104.22.168/22 but not more-specific prefixes. Therefore, if AS61317 tries to announce prefix 22.214.171.124/24, such announcement will be marked as „invalid“.
To repeat ourselves, Heficed requires you to use "24" as most specific prefix.
- Click on the Floppy Disk Icon (Save) on right.
You have created and saved a ROA for your IP resources, but in order for it to take effect you need to publish it. Once you saved your ROA you might have noticed that a popup „Review an Publish“ appeared the lower right corner of the screen. Click on it.
- Review your saved ROA and if you‘re sure that you made no mistakes, click on „Publish!”.
There you go. You have successfully created a ROA for your IP resources. If needed you can create as many of them as you like.
- You might as well delete previously created ROAs but keep in mind that providers who follow RPKI strictly, might drop the announcements of your IP resources (usually this happens in a couple of hours) forcing the internet services assigned with your IP resources to stop working. Delete your ROAs carefully!