Issuing ROAs in APNIC's LIR portal is easy:
- Log in with your account to RIPE's LIR portal at https://myapnic.net
- On the top menu click "Resources – RPKI".
- Check which IP resources you want to be covered by a ROA.
- If you already have the RPKI engine enabled, just click "here" on the following page.
However, if it's your first time issuing a ROA, you will see the screen where APNIC's NCC offers to create a Certificate Authority for your LIR. First, select "I want to operate in the MyAPNIC RPKI portal".
Click "Next" and then click "I accept. Create my Certification Authority".
Note that you may be asked to set up TOTP login in "My profile" > "TOTP" to complete the steps above.
If you don't agree with APNIC's agreement, you won't be able to issue ROAs for your IP resources.
- If you agreed, wait for the RPKI engine to be activated.
- Now go to "Resources" > "Routes" and press "Create route".
- Type in the following info:
- The AS number which you want to "allow" to announce your IP resources via BGP. If you want to allow Heficed to announce your IP resources, type "61317";
- Type the address prefix which you want to be announced. For example, 220.127.116.11/22
- Type the most specific length allowed to be announced (MSA). This must be set to "24", because if you typed another value, e.g. "22", it would mean that AS61317 is allowed to announce 18.104.22.168/22 but not more-specific prefixes. Therefore, if AS61317 tried to announce prefix 22.214.171.124/24, such an announcement would be marked as "invalid".
- Next to "ROA" put a tick so that ROA would be created for the route.
To repeat ourselves, Heficed requires you to use "24" as the most specific prefix length (MSA).
- Click "Next".
- Select the sub-routes (by default all of them are enabled) and press "Submit". Afterwards, you should see the message below.
- To review the progress of routes and ROAs, click on "Requests".
Here you can see the progress of ROA and route management. Once you see a green tick next to the "Create Route" task and you can see the route on the "Routes" page (picture above), the task is done and the ROA is created.
- You may also delete previously created ROAs, but keep in mind that providers who follow RPKI strictly might drop the announcements of your IP resources (usually this happens within a couple of hours), forcing the internet services assigned to your IP resources to stop working. Delete your ROAs carefully!
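To see why the "most specific length" step matters, the following added example (not part of the original article or of APNIC's tooling) runs the route origin validation logic of RFC 6811 against a ROA with maximum length 22 and one with maximum length 24. AS61317 comes from this page; the prefix 198.18.0.0/22 and AS64500 are constructed placeholders.

```python
import ipaddress

def validate(roas, prefix, origin_as):
    """Route origin validation as in RFC 6811.

    roas: iterable of (roa_prefix, max_length, asn) tuples.
    Returns 'valid', 'invalid' or 'not-found'.
    """
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_length, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA covers the route if the route is equal to or inside the ROA prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # It matches only if the origin AS agrees and the route is no more
        # specific than the ROA's maximum length.
        if asn == origin_as and route.prefixlen <= max_length:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid, not unknown.
    return "invalid" if covered else "not-found"

# Constructed sample data. AS61317 is the AS number used on this page;
# 198.18.0.0/22 and AS64500 are placeholders chosen for the example.
ROA_MAX22 = [("198.18.0.0/22", 22, 61317)]
ROA_MAX24 = [("198.18.0.0/22", 24, 61317)]
ROUTES = [
    ("198.18.0.0/22", 61317),    # the aggregate itself
    ("198.18.1.0/24", 61317),    # more-specific from the authorised AS
    ("198.18.1.0/24", 64500),    # same more-specific from another AS
    ("198.51.100.0/24", 61317),  # prefix with no covering ROA
]

def compare():
    """Validation state of every sample route under each ROA."""
    return {
        name: [validate(roas, p, asn) for p, asn in ROUTES]
        for name, roas in (("max22", ROA_MAX22), ("max24", ROA_MAX24))
    }

if __name__ == "__main__":
    for name, states in compare().items():
        for (p, asn), state in zip(ROUTES, states):
            print(f"{name}: {p} from AS{asn} -> {state}")
```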