[DBWG] RIPE proposed changes to the routing registry

Daniel Shaw daniel at afrinic.net
Fri Jun 8 11:07:55 UTC 2018

On 08/06/2018, 14:55, Job Snijders	typed

> Wait - AfriNIC staff should NOT be creating additional "autnum:" objects
> in the AFRINIC database. Those objects already exist in other databases,
> AfriNIC is not authoritative for non-AfriNIC managed objects. Can you
> elaborate? It would truly be a shame if the community expends
> significant energy to clean up one database to introduce a new level of
> pollution in another database.
> Simply don't require the Origin ASN to be a reference to any object,
> consider it a 32-bit integer (and forbid the private & bogon asns).

Ok. You have a point there :)
I am making some assumptions. I will confirm. 

Separate from ease of use, keeping the DB clean and unpolluted is indeed a very good additional motivation! :)

>>> It is no different with RPKI ROAs. With a RPKI ROA the prefix owner
>>> can input any ASN they want in the Origin ASN field.
>> Preaching to the choir :) - which is why I am comfortable in saying
>> we'll probably do this. At some point.
> Is the creation of RPKI ROAs a fully automated process which can be
> initiated by end users through the AfriNIC portal?

Yes, it is. :)

Once you are set up for RPKI in general. In the portal currently, RPKI requires browser client certificate authentication after the normal portal login. This client certificate involves one manual step with staff too. Once.

In AFRINIC, the overall RPKI process is:
step 0.0 - do a CSR for a "BPKI" certificate - this auto generates an item in staff's work queue.
step 0.1 - staff contact you and ask for ID verification. and then issue the client certificate.
step 0.2 - you use the certificate to authenticate in the portal and the "initialise your member RPKI engine".

All of step 0 is a once in a lifetime only step.

Then, thereafter steps, 1, 2... etc (issuing and managing ROAs) are fully automated and self-service.

When adding a new ROA, you can select an ASN already associated with your portal login form a drop-down. But this simply populates a lower field in the form using ajax for you.
You are also able to enter any other ASN into the field you like.

Specifically, "ASN must be between 0 - 4294967295 in ASPLAIN format. "Reserved" and "Unallocated" ASNs will be rejected."

You then have to select IPv4 and/or IPv6 from your own resources, set validity dates, and click [Add ROA]. Done.

More information about the DBWG mailing list