How to Issue ROA in AFRINIC

What is RPKI and ROA?

RPKI stands for Resource Public Key Infrastructure, and ROA stands for Route Origin Authorization. RPKI is a certificate-based system that enables IP address holders to define which AS (Autonomous System) can originate specific prefixes, and a ROA is the record that makes that statement. The use of RPKI can be explained using a simple example.

Let’s say a hosting company owns IP addresses and wants to originate them from its AS number. Assuming the IP addresses and the AS number have already been obtained from an RIR (Regional Internet Registry), the last thing left to do is create RPKI records with the AS number from which the IP addresses will be originated.

Once that is done, the company can start originating IP addresses from its routing device to the ISP with which the company has a BGP connection. Once the prefixes are originated, the ISP uses RPKI to validate the announcements.

RPKI states

There are several RPKI states that are used to determine if the announcements are coming from the correct AS number.

  • VALID – the correct ROA record was found for the given prefix and AS number
  • INVALID – a ROA record exists for the given prefix, but with an incorrect AS number, which makes the announcement invalid
  • UNKNOWN – there is no ROA record that covers the given prefix

If an ISP finds that the RPKI state for the given prefix is either VALID or UNKNOWN, it accepts the announcement, and the hosting company successfully advertises the prefix to the global routing table.

If the state is INVALID, the prefix might not be accepted by certain ISPs who use RPKI to verify the authenticity of the announcements.

How to create ROA via AFRINIC LIR portal

Follow these steps to create a ROA record in the AFRINIC LIR portal.

1. Log in to the AFRINIC portal using your account.

2. Navigate to Resources > Resource Certification.

NOTE: To access ROA management, you will need a BPKI certificate.

3. In the User Identification Request pop-up, choose a certificate for identification and click OK.

User Identification Request pop-up in AFRINIC's Resource Certification menu.

4. In the Manage Your RPKI Resources page, select Issue ROA. If you are asked to select an identification certificate again, select the same one.

AFRINIC's Manage Your RPKI Resources menu with the Issue ROA option.

5. Provide the requested information.

AFRINIC's Issue ROA form requesting ROA's name, ASN and other information.

  • Name: The name of the ROA record
  • AS Number: The ASN that will originate the prefix
  • IPv4 address range: The IPv4 range from which you are going to create the ROA record
  • IPv4 prefixes: The prefix, prefix length and maximum length
  • IPv6 address range: The IPv6 range from which you want to create the ROA record, if any
  • Not Valid Before (YYYY-MM-DD): The date from which the ROA record should be valid
  • Not Valid After (YYYY-MM-DD): The date until which the ROA record should be valid

6. Click Add ROA to finalize the process.

If the ROA is created successfully, you will be redirected to your ROAs list.

A list of blurred ROAs in AFRINIC's portal.

To access your newly created ROA, click its name.

A ROA record with the option to Revoke ROA in AFRINIC's portal.

Here, you can see if your ROA in the AFRINIC portal is revoked and find the AS number, validity date, and prefix. You can also use this menu to Revoke the ROA.

NOTE: ROA records in the AFRINIC LIR portal are not extended automatically after the Not Valid After date has passed. Therefore, it is recommended to review the records manually once in a while and recreate them if necessary.
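
The following added example (not code from Heficed or AFRINIC) shows how a validator turns the fields entered in the Issue ROA form into the three RPKI states described above, following the RFC 6811 origin-validation rules, which also mark an announcement INVALID when it is more specific than the ROA's maximum length. The ROA names, prefixes, ASNs and dates are constructed sample values, and treating the validity dates as inclusive calendar days is a simplifying assumption.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ROA:
    name: str          # "Name" field
    asn: int           # "AS Number" field
    prefix: str        # prefix and prefix length
    max_length: int    # maximum length
    not_before: date   # "Not Valid Before"
    not_after: date    # "Not Valid After"


def rpki_state(prefix, origin_asn, roas, today):
    """Classify one BGP announcement as VALID, INVALID or UNKNOWN."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        # Assumption: dates are inclusive calendar days. A ROA outside its
        # validity window is ignored, as if it had never been issued.
        if not roa.not_before <= today <= roa.not_after:
            continue
        roa_net = ipaddress.ip_network(roa.prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA does not cover the announced prefix
        covered = True
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "VALID"
    # Covered but never matched: wrong origin AS or longer than max length.
    return "INVALID" if covered else "UNKNOWN"


# Constructed sample ROAs (documentation prefixes and ASNs, made-up dates).
ROAS = [
    ROA("example-v4", 64496, "192.0.2.0/24", 24, date(2024, 1, 1), date(2025, 1, 1)),
    ROA("example-v6", 64496, "2001:db8::/32", 48, date(2024, 1, 1), date(2025, 1, 1)),
]

if __name__ == "__main__":
    day = date(2024, 6, 1)
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
                     ("192.0.2.0/25", 64496), ("198.51.100.0/24", 64496)]:
        print(pfx, f"AS{asn}", rpki_state(pfx, asn, ROAS, day))
    # After "Not Valid After" the ROA no longer protects the prefix.
    print(rpki_state("192.0.2.0/24", 64496, ROAS, date(2025, 6, 1)))
```

The last call returns UNKNOWN: once the only covering ROA has expired, an announcement of that prefix from any other AS is no longer flagged as INVALID.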
