1

Route Management Guide to manage your routes and (RPKI) ROA

2

1 Introduction....................................................................................................3

2 ActivatingRPKIengine....................................................................................32.1 PermissionsrequiredforResourceCertification.................................................................32.2 RPKIEngineactivation(enablingresourcecertification)..................................................42.3 HostingyourownCertificateAuthority....................................................................................63 RouteandROAmanagement..........................................................................93.1 HowMyAPNICroutesandWHOISrouteobjectsaredifferent....................................103.2 SynchronizingMyAPNICroutesandWHOISrouteobjects...........................................103.3 ConflictsbetweenMyAPNICroutesandWHOISrouteobjects....................................104 Importroutes...............................................................................................11

5 CreateRoutes...............................................................................................145.1 UsingROAoption.............................................................................................................................155.2 ‘WhoisRouteAttributes’option................................................................................................165.3 ‘Notifyadditionalcontacts’option...........................................................................................185.4 Sub-routeselection.........................................................................................................................195.5 RouteRequests–Actionlog........................................................................................................215.6 RouteTaskDetails...........................................................................................................................226 EditRoutes...................................................................................................23

7 Userpermission............................................................................................257.1 Checkinguserpermission............................................................................................................258 FAQ..............................................................................................................268.1 WhatisROAandRPKI...................................................................................................................268.2 WhydoIget“authorizationfailed”..........................................................................................268.3 Howdoesauthorizationwork?..................................................................................................268.4 HowdoIenableTwofactorauthentication(2FA)............................................................278.4.1 Time-basedOneTimePassword(TOTP)..............................................................................278.4.2 DigitalCertificates.........................................................................................................................27

3

1 IntroductionThisdocumentprovidesdetailedinstructionsregardingusingtheRoutesManagementfeatureinMyAPNICtocreaterouteobjectsandROAs.ThenextsectionofthisdocumentisexplaininghowtoactivatetheRPKIengine,whichisrequiredforResourceCertification,followedbyRouteManagement.

2 ActivatingRPKIengineRPKIengineneedstobeactivatedinordertocertifytheresourcesunderaparticularaccount.TheRPKIpageisaccessibleasfollowing:

1) LogintoMyAPNIC2) Goto:ResourcesàResourceCertification(seeimagebelow)

2.1 PermissionsrequiredforResourceCertificationAll users should have Two-Factor-Authentication enabled in MyAPNIC to use the Resource Certification feature

- Corporate Contacts by default have “update” privilege.

- Other contacts by default only have “view” privilege

The Corporate Contact can manage user privileges from the Manage Contact menu in MyAPNIC.

4

2.2 RPKIEngineactivation(enablingresourcecertification)

TostartusingtheResourceCertificationfeature,clickontheCertificationmenuunderResources.SelectifyouwanttooperateintheMyAPNICRPKIportalorifyouwanttohostyourowncertificateauthority.

5

Afterselectingthefirstoption,youwillbetakentothetermsandconditions.Pleasereadcarefully,andifyouagreetotheconditionspleaseacceptbyclickingthefollowingbuttonatthebottomofthepage.

WiththatyourRPKIenginewillbeactivated.Thisisrequiredtorequest/receiveyourResourceCertificatefromAPNICandcreateyourROA(RouteOriginAuthorization)objectsinMyAPNIC.Oncethisserviceisactivated,itisavailabletoallMyAPNICusersfromthataccountwiththeResourceCertificationprivilege.

6

2.3 HostingyourownCertificateAuthority

Selectthesecondoptionandclick“Next”.

7

Readthetermsandconditionsandclickon“Iaccept.EnableprovisioningprotocoltomyownCertificationAuthority”.Clickon“UploadXML”andattachyouridentity.xmlfile.

8

Afteryouattachyouridentity.xmlfile,clickon“Submit”.

Clickon“DownloadparentXML”todownloadtheXMLfilewhichisneededtoconfiguretheparentofyourRPKIengine.ShouldyourRPKIenginesbusinessPKI(BPKI)certificatechangeinthefuture,youneedtouploadyournewidentityXMLfilebyclickingon“UploadnewXML”.

9

3 RouteandROAmanagementTheroutemanagementtoolisaninteractivefeatureinMyAPNICwhereuserscanmanageroutesandROAsatonce.ToaccesstheRoute/ROAmanagementfeature:

3) LogintoMyAPNIC4) Goto:ResourcesàRouteManagement(seeimagebelow)

10

3.1 HowMyAPNICroutesandWHOISrouteobjectsaredifferentThroughthistool,userscancreate/manageMyAPNICroutes,whicharementionedas“routes”throughoutthisdocument.These‘routes’actasatemplateforcreatingactualroutesinwhoisdatabase,whicharementionedas“routeobjects”inthisdocument.Routesandrouteobjectscanexistseparately;thatisarouteinMyAPNICcanexistwithoutanactualrouteobjectinwhoisdatabase,androuteobjectsinwhoisdatabasecanexistwithoutarouteentryinMyAPNIC.

3.2 SynchronizingMyAPNICroutesandWHOISrouteobjectsUserscandecidetoimportroutesinthewhoisdatabasethroughRouteManagementtool.ThiswillensurearouteentryinMyAPNICiscreatedforeveryrouteobjectassociatedtothataccount.(routeswithaccountsIPprefixesandASNs).OncearouteentryiscreatedinMyAPNIC,userscanmanagewhoisrouteobjectsthroughthetoolsinterface.Whenausercreates/updates/deletesaroutethroughthistool,thetoolwillattempttocreateawhoisrouteobjectassoonaspossible.Ifyouareupdatingmultipleobjectsatthesametime,thetoolmayshow“pending”statusagainsttherouteswhicharenotyetsynchronized.

3.3 ConflictsbetweenMyAPNICroutesandWHOISrouteobjectsRoutemanagementtoolisnottheonlywaythatawhoisrouteobjectcanbemanaged.Ifawhoisrouteobjectischanged,theMyAPNICrouteentrywillnotchange.Itwillindicatethatthereisconflict.ThisensuresthatuserismadeawareofchangesdoneoutsidetheRouteManagementtool.Theusercanthentakeactiontoresolvetheconflict.Eitheracceptthechanges,orreverttherouteobjectbacktoMyAPNICroutetemplate.

11

4 ImportroutesWhenauseropensorrefreshestheRoutemanagementpage,thetoolchecksforanyrouteobjectsintheAPNICwhoisdatabasewhicharenotmanagedbytheroutemanagementtoolinMyAPNIC.Ifanysuchrouteobjectsexist,theusercanselectandimportthemandstartmanagingthemthroughthetool.

Ifuserclickson“Review&Import”,followingscreenwillappear.

12

Fromthispage,theusercanviewandselectrouteobjectstobemanagedbythetool.Whentheuserfinishesselecting,andclickson“Import”thefollowingmessagewillappearonthescreentoconfirmthattheimporttaskisbeinghandledinthebackground.

Toseemoredetailsaboutthetask,theusercaneitherclickontheabovemessagewhileitsbeingdisplayed,orclickonthe“Requests”linkatthetopofRouteManagementpage.Byclickingeitherofthelinks,usercanseefollowingdetailedinformationaboutthetask.

Byclickingonthe“View”buttonaparticularrequestontheRoutetaskrequestwindow,thetoolwillshowanychangesthatweredoneintheAPNICwhoisdatabaseregardingthisrequest.Inthecaseofimporting,therouteobjectwillnotbechanged,hencethemessage“Objectalreadyexists”isdisplayed.

13

Oncetheroutesareimported,anyfurtherchangestotherouteobjectwillchangetherouteobjectintheAPNICwhoisdatabase.Seesection3,Editroutesformoreinformationaboutmakingchangestoanexistingroute.

14

5 CreateRoutesTocreateanewrouteobject,pleaseselectthe‘createrouteobject’

Thefollowingtemplateshowstheminimuminformationthatauserneedstoinputtocreatearoute.

Prefix TheIPv4orIPv6prefixinCIDRnotationOriginAS TheASNumberwhichisusedtoannouncetheIPprefixMostSpecificAnnouncement

Bydefault,thiswillbeprefilledbytheIPprefixessize.However,theusercanchosetoannouncemorespecificIPprefixesifhewishesto.Ifamorespecificannouncementischosen,thetoolwillcreatealltherouteobjectsfromtheleastspecificannouncement,uptothemostspecificannouncement,includinganyprefixesinbetween.

ROA SeeROAoptionDefinewhosisrouteattributes

See‘WhoisRouteAttributes’option

NotifyAdditionalContacts

SeeNotifyAdditionalContacts

15

5.1 UsingROAoptionIfthememberwhologsintoMyAPNIChas:-RPKIupdatepermission–AND--TwoFactorAuthenticationenabledTheROAoptionwillbetickedbydefault.Ifproceeded,withtheoption,matchingROAswillbecreatedfortheprefixandalsoformostspecificannouncement.Optioncanbeun-tickediftheuserdoesnotrequireROAstobecreated.IfthememberwhologsintoMyAPNIChas:-RPKIupdatepermissionrevoked–OR--TwoFactorAuthenticationdisabledTheROAoptionwillbeun-tickedbydefault.Usercannottickthisoption.IftheuserwantstocreateROAs,hecanclick“here”togototheTwoFactorAuthenticationconfigurationpage.

16

5.2 ‘WhoisRouteAttributes’option

Usercanaddnumberofattributesthroughthisoption,fromthedropdownmenu,onebyone.ToseeadetailedexplanationaboutalltheseattributespleasevisitthefollowingURL.https://www.apnic.net/apnic-info/whois_search/using-whois/guide/routeIfthisoptionisnotselected,aroutewillbecreatedwiththemandatoryattributesfilledwithinformationfromyour.

17

Routeobjecttemplatefor‘route’(IPv4routes)

Routeobjecttemplatefor‘route6’(IPv6routes)

18

5.3 ‘Notifyadditionalcontacts’optionBydefault,ifarouteiscreated,automaticnotificationswillbesendtoASNcustodian.NotificationswillbesendtoAPNICaccountcontacts.IftheASNisfromadifferentRIR,‘whois’databasecontactsassociatedtothatASNwillbenotified.Ifneitheroftheabovecontactswerefound,APNIChelpdeskwillbenotified.WiththeNotify‘Notifyadditionalcontacts’,theuserisabletosendroutecreationnoticestoanyotherpartythathewishestoinform.Multiplee-mailcontactscanbeincludedbyseparatingthemwithcommasorspaces.

19

5.4 Sub-routeselectionOncealltheinformationisfilled,andwhenuserclicks“NEXT”,theConfirmationwindowappears,wherefurtheradjustmentscanbemade.

Theconfirmationscreenaboveshowsalltheroutesthataregoingtobecreated.Themandatoryattributestheuserenteredaredisplayedatthetopofthescreen.Itisfollowedbyalistofroutesthatwillbecreated.Listwillhavemorethanonerouteifthe‘mostspecificannouncement’ishigherthan‘prefixsize’.Allroutesinthelistwouldbeselectedbydefault.Theuserhastheoptiontounselectanyrouteifrequired.Selectall Ticksallthesub-routesinthelistDeselectall Un-tickallthesub-routesinthelistShow‘X’entries

Determinesthenumberofsub-routestobedisplayedperpage.Optionsare10,25,50and100

Previous Goestothepreviouspageofthelistifthenumberofsub-routesdoesnotfitintoanewpage

20

Next Goestothenextpageofthelistifthenumberofsub-routesdoesnotfitintoanewpage

Cancel AbortstheroutecreationGoback Goestothepreviouspagewhererouteattributescanbe

updatedSubmit Allselectedsub-routeswillbecreated.Routeobjectswillbe

injectedtothewhoisdatabase.IfROAoptionisenabled,matchingROAswillbecreated

Oncethee‘Submit’buttonisclicked,thetoolwillstartprocessingtheroutecreation.Adialogboxappearingasbelowwillindicatethis.

ThisdialogboxwilldisappearautomaticallyoncetheroutesarecreatedinMyAPNIC.Asshowninthedialogbox,toseedetailsclickthe‘Routerequests’linkshownbelow.

21

5.5 RouteRequests–ActionlogThe‘Routerequests’link(please1.1.4ConfirmandSubmit)willtaketheusertoalogofallactivitiesassociatedtheRouteManagementpage.Actionlogwilllooksimilartothebelowscreen.

ID ActionlogIDCreated DateandtimestampofthesubmissionUser MyAPNICuserIDType Typeofactionrequests.CreateRoute,ModifyRouteorDelete

RouteRoute TheIPprefixwhichwillbeannounced.Sub-routeprefixescanbe

viewedbyclicking‘View’Status Greentickmarkindicatesallsub-routesarecreatedsuccessfully.

Redcrossiconindicatesthatatleastonesub-routecreationhasfailed.

View Showsmoredetailsaboutaspecificactionitem

22

5.6 RouteTaskDetailsThescreenbelowshowshowroutetaskdetailswillappearifthe‘view’buttonisclickedintherouterequestspage(see1.1.6RouteRequests)

Ifthetaskselectediseither“CreateRoute”or“EditRoute”,theusercanviewtheactualwhoisrouteobjectbyclickingthe“ViewWhoisObject”buttonintheabovescreen.

23

6 EditRoutesTheroutescreatedthroughMyAPNICorthroughothermethodssuchase-mailupdatescanbemodifiedthroughthisinterface.

Clickingontheeditbuttoninfrontofarouteentrycanmodifythespecificroute.

24

MostSpecificAnnouncement

Usercanchangethisattribute.Bychangingthis,thenumberofsub-routeentrieswillautomaticallychange.

ROA UsercantogglebetweenROAenableandROAdisable.UserneedtohavepermissiontoenableROA(See:UserPermission)

Enable/Disable IfManagedsetto‘Enabled’,itmeansthereisawhoisrouteobjectexisting.IfManagedsetto‘Disabled’,itmeanswhoisrouteobjectdoesnotexist.Bytogglingbetweenthetwostates,theusercancreateanddeletewhoisrouteobjects.Iftheuserdisablesasub-routeforwhichROAisenabled,ROAwillautomaticallygetdeletedaswell.

Submit Changeswillbeprocessed,andwhoisrouteobjectswillbeupdatedaccordingly.

UpdateWhois Thisbuttonwillopenwhoisupdatepageforthatparticularwhoisrouteobject.

25

7 UserpermissionTobeabletocreateROAstogetherwithroutes,userrequire:

1) ResourceCertificationpermissionenabled–AND-2) TwoFactorAuthenticationenabled(2FA)

a. TimebasedOneTimePasswords(TOTP)–ORb. DigitalCertificates

Tolearnmoreabout:ResourcesCertification:www.apnic.net/ROATwoFactoreAuthentication:www.apnic.net/2FABydefault,CorporateContactshaveResourceCertificationpermissionEnabled.TechnicalContactsandBilling(Admin)Contactsdonothaveaccessbydefault.TheCorporateContactcangrantthemaccessthroughMyAPNIC.Noneofthecontactshave2FAenabled.Therefore,allcontactpersonsmustselectedoneoftheabove2FAmethodsandconfigureitbeforetheycancreateROAs.

7.1 CheckinguserpermissionUserscancheckwhatpermissionsareenabledforthembygoingto:HomeàMyProfileàAccountPermission

TobeabletocreateROAsboth“View”and“Update”permissionsshouldbeenabled.

26

8 FAQ

8.1 WhatisROAandRPKIPleasevisitAPNICwebsiteformoreinformation.www.apnic.net/ROA

8.2 WhydoIget“authorizationfailed”Itcouldbeduetooneormoreofthefollowingreasons.

1) IPprefixnotintheAPNICaccount.RouteobjectscanbecreatedbyIPprefixcustodiansonly.Pleasegoto:HomeàResourcesàIPv4/IPv6andcheckiftheIPprefixisavailable.

2) TheaccountmaintainerhasnotbeenaddedtoyourMyAPNIC.Youcanrequestforthepasswordifthereareotheruserswhoalreadyhavethemaintaineradded.Pleasegoto:HomeàResourcesàmaintainersandcheckifthemaintainerisregistered.

3) Antherrouteobjectexistswhichissameorlargerthantherouteobject

youaretryingtocreate,andithasadifferent“mnt-lower”or“mnt-routes”.Inthatcase,pleaseregisterthatmaintainerinyourMyAPNICanduseitformorespecificrouteannouncements.

8.3 Howdoesauthorizationwork?Whois objects are protected bymaintainers. In the case of route objects, it’s a little bit morecomplicated.Tobeconsistentwith theobjectswhichalreadyexist, therearedifferent levelsofcheckswhichneedstobevalidatedbeforearoutecanbeinjectedintowhoisdatabase.If you are creating a route object (eg : 198.51.100.0/24 with AS64511), maintainerauthorizationwillbecheckedinthefollowingorder.

1) IstherearouteobjectwiththesameIPprefix?a. Ifyes:Goto5b. IfNo:Goto2

2) IstherearouteobjectwithalessspecificIPprefix?(overlappingtherouteyouwanttocreate)

a. Ifyes:Goto5b. IfNo:Goto3

3) IsthereaninetnumobjectwiththesameIPprefix?

a. Ifyes:Goto5b. IfNo:Goto4

4) IsthereaninetnumobjectwithalessspecificIPprefix?(overlappingtherouteyouwant

tocreate)a. Ifyes:Goto5b. IfNo:routecreationfailerrorgiven

5) Isthereamnt-routesdefinedintheexistingobject

27

a. Ifyes:Goto8b. IfNo:Goto6

6) Isthereamnt-lowerdefinedintheexistingobjecta. Ifyes:Goto8b. IfNo:Goto7

7) Isthereamntnerdefinedintheexistingobjecta. Ifyes:Goto8b. IfNo:routecreationfailerrorgiven

8) Doesthemnt-routes/mnt-lower/mntneroftheexistingobjectmatchthemntneroftherouteyouwishtocreate?

a. Ifyes:CreateRouteb. IfNo:routecreationfailerrorgiven

If you still cannot find the reason why it fails, please contact APNIC helpdek.(helpdesk@apnic.net)

8.4 HowdoIenableTwofactorauthentication(2FA)Therearetwooptionstoenable2FA.Formoreinformationabout2FA,pleasevisitwww.apnic.net/2FA

8.4.1 Time-basedOneTimePassword(TOTP)Toconfigure,pleaseseefollowingguide:www.apnic.net/2fa

8.4.2 DigitalCertificatesToconfigure,pleaseseefollowingguide:https://www.apnic.net/manage-ip/myapnic/digital-certificates