ARIN's IRR Auto-Manager

As a part of the November 2024 release, ARIN has introduced an Internet Routing Registry (IRR) Auto-Manager. This system is designed to facilitate the management of IRR route objects that reflect the authorized origin/prefix pairs specified in Route Origin Authorizations (ROAs) created with ARIN’s Resource Public Key Infrastructure (RPKI) tools. When enabled, as ROAs are generated, auto-managed IRR route objects will also be created based on the contents of the ROAs. Users will have the option to decline the creation of the auto-managed IRR route object.

The IRR Auto-Manager service provides a convenient way to generate an IRR route object for each Origin AS/prefix pair in an RPKI ROA. Having an IRR route object in the ARIN authenticated IRR database reduces risk from the broader Internet ecosystem where IRR route objects can be created in third-party IRR databases and Resource Public Key Infrastructure (RPKI) validation is not yet implemented.

Using the IRR Auto-Manager in ARIN Online

Global Setting of IRR Auto-Manager per Org ID

By default, the IRR Auto-Manager in ARIN Online is set to ‘On’ for all of your Org IDs. If you wish to turn off this functionality at a global level per Org ID, an ‘IRR Auto-Manager’ tab has been added to the ‘Manage RPKI’ pages under the Routing Security section. Select Routing Security, then Manage RPKI for the organization you want to manage. ‘IRR Auto-Manager’ will be found at the far right of the top navigation menu.

To set the default behavior of the IRR Auto-Manager for the Org, select the appropriate radio button and select Submit. You will receive a confirmation message at the top of the screen informing you your preference has been saved.

When creating ROAs for an Org ID for which the IRR Auto-Manager has been set to ‘Off,’ you will still receive a prompt allowing you create the IRR route object, but doing so will not change the global setting.

ROA Creation Process

The process for creating ROAs in ARIN Online has been updated to allow users to create matching IRR route objects. During the ROA creation processes, you will also have the option to decline the IRR route object creation on a case-by-case basis. The Hosted RPKI page has been updated to reflect these changes in the process.

When creating a ROA, there will be a check to see if there are existing, matching, and unmanaged IRR route objects. If so, you will have the option to replace any matching IRR route objects with auto-managed objects or leave them as-is.

Auto-managed IRR route objects resulting from ROA creation will not consider the maxLength value and use the prefix entry only (least specific match) to limit exposure to potential hijack identified in RFC 9319/BCP 185. Users may manually create longer match IRR objects, and these manually created objects will not be auto-managed.

ROAs with multiple prefixes will create an auto-managed IRR route object for each prefix. IRR objects can be managed (deleted) independently of their ROAs, regardless of their linked status without affecting the corresponding ROA.

During the ROA deletion process, you will be shown any associated auto-managed IRR route objects associated with the ROA. You will be given the option to delete those IRR route objects or allow them to remain and become unmanaged.

Using the IRR Auto-Manager in RegRWS

In order to maintain backward compatibility of ARIN’s RESTful API, the previous RPKI Transaction Endpoint call will not default to creating IRR route objects when used to manage ROAs. An API user must explicitly set the option to create or delete auto-managed IRR route objects. The RPKI Transaction Payload and ROA Spec Payload have both been updated with the instruction to create and delete matching IRR route objects.