ROA Process
Overview of the process involved in getting Route Origin Authorizations (ROAs) established.
ARIN Registration Services Agreement (RSA)
Check to see if your prefix is under an ARIN RSA or Legacy RSA (LRSA)
Column X of "FRGP R&E" Sheet in the Internet2 Routing Report
If your prefix is not under an RSA/LRSA and you don't have an IPv6 allocation, request an IPv6 allocation from ARIN
Establishes current RSA with ARIN
Migrate existing IP resources under a current RSA as an addendum process (note that a new ARIN Org-ID, with a -Z appended, will be created to associate the legacy resource with the Org that also has a non-Legacy resource)
Get an RSA/LRSA in place with ARIN if required. For governmental entities, when submitting the "Ask ARIN" request during the Legacy Application Process, direct it to the attention of Lisa Leidel at ARIN if you need to make modifications to the RSA.
Colorado entities (Colorado Community College System) modified ARIN RSA
Wyoming entities (University of Wyoming) have signed ARIN's RSA as is
Create private key for signing (no longer needed)
Follow ARIN instructions
If your prefix(es) aren't under a current version of an ARIN RSA, you will be prompted with Terms of Service that you will need to accept before starting the process.
Submit certificate request (upload public key) to ARIN. The process is usually much quicker than the estimated time that ARIN says it will take, on the order of hours.
Save the private key somewhere safe so future ROAs can be signed
Create ROA via ARIN hosted RPKI service
Follow ARIN instructions. The process is typically handled immediately after submitting the request.
Selecting a max length of /24 for IPv4 and /48 for IPv6 resources lets you take advantage of the longest match available in the Internet routing tables, and of a DDoS scrubbing service should the need arise.
Create a ROA allowing your Autonomous System (AS) as an Origin AS for your prefix(es).
If you need to create different ROAs for suballocations of your Direct Assignment from ARIN, start with your most specific ROAs first ending with a ROA for your full assignment(s) from ARIN.
Create a ROA for any third party DDoS scrubbing service you may be using to allow the scrubbing service to originate the more specific prefix.
ARIN will auto-renew your ROA when it is close to expiring, but setting a calendar reminder for your organization to check would be good.
Check ROA
Check ROA status at Routinator. It can take some time for the RPKI information to propagate, so waiting up to fifteen minutes seems reasonable.
Troubleshoot at JDR if necessary
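The following is an added example, not part of the original page and not ARIN's or Routinator's code. It applies the RFC 6811 route origin validation rules to a ROA set shaped like the one described under "Create ROA" (full assignment with max length /24 or /48, plus a more-specific ROA for a scrubbing service), so you know which state to expect for each announcement before you check it at Routinator. All prefixes and AS numbers are constructed placeholders: AS64496 stands for your AS and AS64511 for a hypothetical scrubbing provider.

```python
import ipaddress

# Constructed ROA payloads: (prefix, max length, origin AS). Placeholders only.
# AS64496 = your AS, AS64511 = hypothetical DDoS scrubbing provider.
VRPS = [
    ("10.10.4.0/24", 24, 64511),   # more-specific ROA for the scrubbing service
    ("10.10.0.0/16", 24, 64496),   # full assignment, max length /24
    ("2001:db8::/32", 48, 64496),  # IPv6 allocation, max length /48
]


def validate(route, origin_as, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement (RFC 6811)."""
    net = ipaddress.ip_network(route)
    covered = False
    for prefix, max_len, asn in vrps:
        roa_net = ipaddress.ip_network(prefix)
        # A ROA only applies if its prefix covers the announced route.
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        # Match needs: length within max length, same origin AS, and not AS0.
        if net.prefixlen <= max_len and asn == origin_as and asn != 0:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    return "invalid" if covered else "not-found"


def report(announcements):
    """Validate a list of (route, origin AS) pairs."""
    return [(route, asn, validate(route, asn)) for route, asn in announcements]


if __name__ == "__main__":
    sample = [  # constructed announcements
        ("10.10.0.0/16", 64496),     # your aggregate
        ("10.10.4.0/24", 64496),     # your own more-specific, within max length
        ("10.10.4.0/24", 64511),     # scrubbing service, has its own ROA
        ("10.10.5.0/24", 64511),     # scrubbing service, no ROA for this prefix
        ("10.10.4.0/25", 64496),     # longer than max length
        ("2001:db8:1::/48", 64496),  # IPv6 more-specific, within max length
        ("10.20.0.0/16", 64496),     # no covering ROA at all
    ]
    for route, asn, state in report(sample):
        print(f"{route:18} AS{asn:<6} {state}")
```

The invalid results are the cases to look for when troubleshooting: a prefix the scrubbing service may need to originate but that has no ROA for its AS, or an announcement more specific than the max length in your ROA.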