Q&A Resource Public Key Infrastructure Route Origin Authorizations (ROAs)

Question

What are Route Origin Authorizations (ROAs), and how can one validate the authenticity of an originator?


Environment

  • Silverline
    • DDoS
      • Routed

Answer

  • A Route Origin Authorization (ROA) is a digitally signed object that provides a means of certifying that a prefix originator has authorized an AS (Autonomous System) to originate a route.

  • Any certified routes are issued by Trust Anchors (TAs). ROAs are offered by the Regional Internet Registries and National Internet Registries; further details may be found at the following links: AFRINIC, APNIC, ARIN, NIC.BR, LACNIC, JPNIC, and RIPE NCC.

  • An RPKI ROA object is validated by querying the provider's route registry or a trust anchor's registry.

    • Provider example querying NTT route registry server: rr.ntt.net 

      • $ whois -h rr.ntt.net -- '-s RPKI 166.73.4.0/23'
        route: 166.73.4.0/23
        descr: RPKI ROA for 166.73.4.0/23
        remarks: This route object represents routing data retrieved from the RPKI
        remarks: This route object is the result of an automated RPKI-to-IRR conversion process.
        remarks: maxLength 24
        origin: AS55002
        mnt-by: MAINT-NTTCOM-RPKI
        changed: job@ntt.net 20201214
        source: RPKI # Trust Anchor: arin

        route: 166.73.4.0/23
        descr: RPKI ROA for 166.73.4.0/23
        remarks: This route object represents routing data retrieved from the RPKI
        remarks: This route object is the result of an automated RPKI-to-IRR conversion process.
        remarks: maxLength 23
        origin: AS396982
        mnt-by: MAINT-NTTCOM-RPKI
        changed: job@ntt.net 20201214
        source: RPKI # Trust Anchor: arin
    • Another registry maintained by BGPMON can be queried at whois.bgpmon.net

      • $ whois -h whois.bgpmon.net -- '--roa AS396982 166.73.4.0/23'
        0 - Valid
        ------------------------
        ROA Details
        ------------------------
        Origin ASN: AS396982
        Not valid Before: 2020-08-13 04:00:00
        Not valid After: 2030-08-13 04:00:00 Expires in 9y240d6h44m34.3999999761581s
        Trust Anchor: rpki.arin.net
        Prefixes: 166.73.4.0/23 (max length /23)

        $ whois -h whois.bgpmon.net -- '--roa AS55002 166.73.4.0/23'
        0 - Valid
        ------------------------
        ROA Details
        ------------------------
        Origin ASN: AS55002
        Not valid Before: 2020-08-13 04:00:00
        Not valid After: 2030-08-13 04:00:00 Expires in 9y240d6h44m13.3999999761581s
        Trust Anchor: rpki.arin.net
        Prefixes: 166.73.4.0/23 (max length /24)
    • You can also check by querying the public validator: https://rpki-validator.ripe.net/roas.
      The ASNs listed include the origin ASN, i.e. "AS396982", and Silverline's transiting ASN "AS55002" to our carriers. It is recommended to create additional ROAs with Silverline's ASN to fully validate and guarantee acceptance by our upstream transit carriers.
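
The prefix, maxLength and origin fields returned by the queries above are what a validator compares against a BGP announcement. The following Python is an added example, not part of the original article or any Silverline tooling: it parses route objects in the RPKI-to-IRR format shown above and applies the RFC 6811 origin-validation rule. The function names, AS64496 and 192.0.2.0/24 are assumptions chosen for illustration.

```python
import ipaddress
import re

# Route objects taken from the rr.ntt.net output shown above, trimmed to the
# fields the check needs (sample input embedded so the example runs offline).
WHOIS_OUTPUT = """\
route: 166.73.4.0/23
remarks: maxLength 24
origin: AS55002

route: 166.73.4.0/23
remarks: maxLength 23
origin: AS396982
"""

def parse_roas(text):
    """Return (network, max_length, origin_asn) tuples from RPKI-to-IRR route objects."""
    roas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        route = re.search(r"^\s*route:\s*(\S+)", block, re.M)
        origin = re.search(r"^\s*origin:\s*AS(\d+)", block, re.M)
        maxlen = re.search(r"^\s*remarks:\s*maxLength\s+(\d+)", block, re.M)
        if not (route and origin):
            continue  # not a route object
        net = ipaddress.ip_network(route.group(1))
        # A ROA without maxLength authorizes only the exact prefix length.
        length = int(maxlen.group(1)) if maxlen else net.prefixlen
        roas.append((net, length, int(origin.group(1))))
    return roas

def validate_origin(prefix, asn, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    announced = ipaddress.ip_network(prefix)
    covered = False
    for net, max_length, origin in roas:
        if announced.version != net.version or not announced.subnet_of(net):
            continue  # this ROA does not cover the announcement
        covered = True
        if origin == asn and announced.prefixlen <= max_length:
            return "valid"
    return "invalid" if covered else "not-found"

if __name__ == "__main__":
    roas = parse_roas(WHOIS_OUTPUT)
    for prefix, asn in [("166.73.4.0/23", 396982), ("166.73.4.0/24", 55002),
                        ("166.73.4.0/24", 396982), ("166.73.4.0/23", 64496),
                        ("192.0.2.0/24", 55002)]:
        print(f"{prefix} from AS{asn}: {validate_origin(prefix, asn, roas)}")
```

With the two ROAs above, a /24 more-specific is accepted only from AS55002 (maxLength 24); the same /24 originated by AS396982 is invalid because that ROA's maxLength is 23.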

 

 
