Internet2 Network Security SIG

[Andrew Gallo <>]

Greetings, Security WG:

Seth Garrett and I have been trading some emails about creating a ROA 
request with a lot of prefixes.  I've written a script that can make 
this easier.
https://github.com/CAAREN-engineering/generateSignedROAreq

Here's the scenario and use-case:

If you have a large summary prefix, let's say an IPv4 /16, and you would 
like to cover this prefix AND all the /24s within it, you *could* use 
the Max Length feature to create a ROA request for 172.16.0.0/16-24. 
HOWEVER, use of Max Length field is no longer recommended (can lead to 
larger attack surface).

You might want ROAs covering all the constituent /24s so that they can 
be originated by a DDoS scrubbing service.

At this point, following best practices, you're left with entering 256 
prefixes by hand in the Hosted RPKI portal.  There is another way!

You can pasted into the portal pre-formatted, pre-signed text.

ARIN's instructions are here:
https://www.arin.net/resources/rpki/roarequest.html

I wrote a script to help make this process easier.  What you'll need:
Python 3.3+
a file containing a list of prefixes you want included in the ROA (you 
can mix v4 and v6)
Your private key

The script will ask you some basic information needed to create the ROA 
request data:
Origin ASN
ROA name
Validity Start Date
Validity End Date


Let me know if you have any questions.



--
________________________________
Andrew Gallo
The George Washington University

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature