RPKI/IRR Consultation Reminder and Update

Posted: Friday, 25 August 2023

ARIN would like to remind the community about the ongoing consultation on possible new features in ARIN Online that will provide tighter integration of ARIN’s Resource Public Key Infrastructure (RPKI) and Internet Routing Registry (IRR) routing security services. This consultation is slated to close on Sunday, 10 September, so be sure to submit your comments to the arin-consult mailing list before then. Read the full text of the consultation at:

https://www.arin.net/participate/community/acsp/consultations/2023/2023-4/

As of 24 August, we have received a range of opinions on how best to proceed. As a result of the feedback received so far, we are planning to develop the following features:

  • A per-OrgID setting entitled “ Automatic IRR Route Object Maintenance for RPKI ROAs”. This setting will be “on” by default when we add it to all OrgIDs, but customers can readily turn it off
  • On the Routing Security Dashboard, there will be a checkbox entitled “Automatic IRR Route Object Maintenance” which is where an Org can opt-out of the default IRR route automation
  • At the Org ID level, there will be an option for a one-time “catch up” that will automatically create Route Objects for each ROA in question. This one time “catch up” will also result in existing Route Objects being automatically maintained.

We are also planning to make the following changes to RPKI and IRR functionality:

  • Upon creation or removal of a ROA with the default automation attribute set to on, we will make the appropriate change to corresponding IRR Route Object(s)
  • When a Route Object is automatically generated by ROA creation, its existence is dependent on the ROA; however, the customer will maintain the ability to delete or modify the Route Object and not impact the state of its corresponding ROA

Regarding the question of the appropriate number of Route Objects that should be created based on the ROA prefix and max length configuration, ARIN plans to provide an additional checkpoint that will require a user to positively select the option to apply a maxLength value, only after being presented with information about the RFC 9319 best practice recommendation to limit the use of maxLength in ROAs, and the exposure to a potential forced origin sub-prefix hijack with a liberal use of maxLength. If an organization has automatic IRR generation turned on, and a maxLength is set on a ROA, ARIN will generate the IRR Route Object with the least specific match based on the prefix(s) in the triggering ROA.

There has been strong and consistent feedback against automatically creating managed IRR Route Objects for all validated ROAs in the Hosted RPKI repository that do not have matching IRR Route Objects, so we will not force this action. No IRR objects will be created without the customers’ expressed permission.

There is still time to share your thoughts on this important consultation on pending features and functionality that will integrate ARIN’s routing security services. We would appreciate your feedback on the changes proposed above.

Please provide your comments to arin-consult@arin.net.

You can subscribe to this mailing list at:

http://lists.arin.net/mailman/listinfo/arin-consult.

We look forward to your feedback on this important topic.

Regards,

John Curran
President and CEO
American Registry for Internet Numbers (ARIN)