Prerequisites for ROA Creation

Before creating a ROA, the subnet owner must have:

• RIPE NCC LIR Account: Active membership with login credentials

• Resource Certification Enabled: RPKI must be set up for their resources

• IP Ownership: Registered holder of the subnet in RIPE database

• Notification from IPbnb: Email with subnet, ASN, and deadline details

Step-by-Step ROA Creation Instructions

What to expect: The process takes about 5 minutes. You will log in to the RIPE NCC portal, open the RPKI dashboard, and create a ROA by entering the subnet prefix, ASN, and maximum length from your IPbnb notification email. Once saved, the ROA propagates automatically - no manual confirmation to IPbnb is needed.

If you have not listed your subnet on IPbnb yet, see How to List Your Subnet on IPbnb first.

Step 1: Log In to RIPE NCC Portal

1. Go to https://my.ripe.net

2. Click "Login"

3. Enter RIPE NCC credentials

4. Complete two-factor authentication (if enabled)

5. Click "Sign In"

Step 2: Access RPKI Dashboard

1. After login, locate the left navigation menu

2. Click "Certificate Management" or "RPKI"

3. Directed to RPKI Dashboard

First-time RPKI users:

• Choose "Hosted CA" (RIPE NCC manages certificates)

• Read and accept Terms and Conditions

• Click "I accept. Create my Certificate Authority"

• Wait for CA creation (usually instant)

Step 3: Navigate to Route Origin Authorizations

1. In RPKI Dashboard, see several tabs

2. Click "Route Origin Authorisations (ROAs)" tab

3. Shows all existing ROAs

Step 4: Create New ROA

1. Click "+New ROA" button (top-right)

2. Form appears with empty fields

Step 5: Enter ROA Details

Enter information exactly as shown in IPbnb's notification email:

Field 1: Prefix

• Enter the subnet address from IPbnb notification

• Format: IP address with prefix length

• Example: 185.123.45.0/24

• Must be exact match

Field 2: ASN

• Enter the lessee's ASN from IPbnb notification

• Format: With or without "AS" prefix

• Example: AS64512 or 64512

• Must be exact match

Field 3: Maximum Length

• Set equal to prefix length for security

• For /24 subnet → enter 24

• For /23 subnet → enter 23

• For /22 subnet → enter 22

Example Entry:

Prefix: 185.123.45.0/24

ASN: AS64512

Maximum Length: 24

Step 6: Review ROA Configuration

Verify all details before saving:

• Prefix matches IPbnb notification exactly

• ASN matches IPbnb notification exactly

• Maximum Length is set correctly

Step 7: Save the ROA

1. Click "Save" button (may appear as floppy disk icon)

2. System validates input

3. If validation passes, ROA created immediately

4. New ROA appears in ROAs list

5. Status shows "Active" or "Published"

Step 8: Verification

Wait 5-10 minutes for ROA to propagate to RPKI validators.

Check that ROA shows:

• Status: Active or Published

• No error messages or warnings

Step 9: Automatic Notification

No need to manually notify IPbnb:

• IPbnb's system checks RPKI every 15 minutes

• Detects new ROA automatically

• Sends confirmation to both owner and lessee

• Lessee's subnet activates

Timeline:

• ROA propagation: 5-10 minutes

• IPbnb detection: Up to 15 minutes

• Total: Usually confirmed within 30 minutes

Creating ROA for Multiple ASNs

If lessee requests multiple ASNs for one subnet, owner must create separate ROA for each:

Example:

• Subnet: 185.123.45.0/24

• Requested ASNs: AS64512, AS64513, AS64514

Process:

1. Create first ROA (AS64512) as described

2. Click "+New ROA" again

3. Enter same prefix: 185.123.45.0/24

4. Enter second ASN: AS64513

5. Set same Maximum Length: 24

6. Save

7. Repeat for AS64514

Result: Three separate ROAs:

• 185.123.45.0/24 → AS64512 /24

• 185.123.45.0/24 → AS64513 /24

• 185.123.45.0/24 → AS64514 /24

Troubleshooting ROA Issues

Problem: "Overlapping ROA" Error

Solution:

1. Review existing ROAs

2. Check if ROA already exists for this prefix

3. If for different ASN: Normal for multiple ASN scenarios, proceed

4. If for same ASN: Edit existing ROA instead of creating new

Problem: "Invalid Prefix" Error

Solutions:

• Verify prefix format: XXX.XXX.XXX.XXX/XX

• Check you own this prefix in RIPE database

• Ensure prefix registered to your LIR

Problem: "Invalid ASN" Error

Solutions:

• Try with "AS" prefix: AS64512

• Try without "AS": 64512

• Verify ASN exists at stat.ripe.net

• Confirm ASN with lessee via IPbnb

Problem: ROA Not Appearing After Creation

Solutions:

1. Wait 10-15 minutes for propagation

2. Refresh ROAs tab

3. Check Certificate Authority status is "Active"

4. If CA "Pending" or "Inactive", contact RIPE NCC support

Problem: "Certificate Authority Not Found"

Solution:

1. Return to RPKI Dashboard home

2. Look for "Create Certificate Authority"

3. Choose "Hosted CA"

4. Accept Terms

5. Wait 1-2 minutes for creation

6. Retry ROA creation

What Happens If Owner Doesn't Create ROA Within 48 Hours

Automatic consequences:

At 48 Hours:

• Lease automatically cancelled

• Lessee receives full refund

• Subnet returned to IPbnb catalog

Penalties for Owner:

• Reduced priority in future lease matching

• Possible temporary suspension

• Financial penalties per Owner Agreement

• Repeated failures: Removal from platform

How to Avoid:

• Set email alerts for IPbnb notifications

• Create ROAs immediately upon request

• Contact IPbnb support if technical issues

• Keep RPKI credentials accessible

Best Practices for Owners

Security:

1. Verify ASN with lessee before creating ROA

2. Always set Maximum Length equal to prefix length

3. Review ROAs regularly

4. Delete ROAs promptly after lease ends

Efficiency:

1. Create ROAs immediately (don't wait 48 hours)

2. Use Hosted CA (easier than delegated RPKI)

3. If lessee needs multiple ASNs, create all ROAs at once

4. Keep records of which ROAs correspond to which leases

Communication:

1. Check email regularly for IPbnb notifications

2. Respond to IPbnb messages promptly

3. Report technical problems immediately