From 10 August to 20 September, ARIN held a consultation seeking feedback from
the community regarding a specific aspect of the recent ARIN Online
functionality that was deployed on 7 August 2023. This upgrade to ARIN Online
brought several new features – including tighter integration of ARIN’s Resource
Public Key Infrastructure (RPKI) and Internet Routing Registry (IRR) routing
security services. First, thank you to the ARIN community for the robust
discussion. There was spirited input both in favor and in opposition to the
various methods proposed to integrate ARIN’s RPKI and IRR services.
The intended purpose of creating auto-managed IRR Route Objects during Route
Origin Authorization (ROA) creation is to reduce risk from the IRR ecosystem
where users can create Route Objects for Internet number resources for which
they are not the authorized resource holder in third-party, non-authenticated
IRR databases. Knowledgeable network operators have embraced the
ARIN-authenticated IRR database as a reliable source of date and prioritize
this data over unauthenticated sources, so increasing the number of
authenticated IRR route objects improves the integrity of data in the IRR
ecosystem.
Taking the feedback from the community into consideration, ARIN plans to work
to deploy the following set of features in ARIN Online and our API for Hosted
RPKI users:
- Organizations in ARIN Online will have the ability to set an Organizational
default for automatic creation of managed Route Objects for RPKI ROAs.
- The default setting of this default will be “On” (i.e., to create
auto-managed Route Objects when creating ROAs).
- Users will be able to opt in or opt out of the creation of a managed
Route Object at individual ROA creation time without changing the Organization
level setting.
- This default setting will not apply to existing ROAs at autorenewal.
- All auto-managed Route Objects will be identified as such in a remark field
on the object.
- At ROA creation, there will be a check to see if there is an existing,
matching, and unmanaged Route Object. If so, the user will have the option to
replace it with an auto-managed Route Object or continue and leave the
unmanaged Route Object in place.
- Auto-managed Route Objects resulting from ROA creation will not consider the
maxLength value and use the prefix entry only (least specific match) as
recommended in RFC 9319/BCP 185. ROAs with multiple prefixes will create an
auto-managed Route Object for each prefix. Users may manually create longer
match IRR objects, and these manually created objects will not be auto-managed.
- Deleting a ROA will remove an auto-managed Route Object(s). A user can opt
out of deleting a Route Object at individual ROA deletion without changing the
Organization level setting. If a Route Object is separated from the associated
ROA in this manner, it will no longer be auto-managed, and the corresponding
notation about auto-management in the Route Object’s remark field will be
removed.
- The API will be updated for Reg-RWS to reflect these new capabilities.
ARIN will notify the community 90 days prior to the deployment of these new
features, with reminders at 60 and 30 days.
ARIN thanks those who provided valuable feedback on this consultation. We rely
on this input from our members and community to help steer the organization as
we continue our mission in support of the operation and growth of the Internet.
Regards,
John Curran
President and CEO
American Registry for Internet Numbers (ARIN)
_______________________________________________
ARIN-Announce
You are receiving this message because you are subscribed to
the ARIN Announce Mailing List (ARIN-announce@arin.net).
Unsubscribe or manage your mailing list subscription at:
https://lists.arin.net/mailman/listinfo/arin-announce
Please contact i...@arin.net if you experience any issues.
