1

Route Management Guide to manage your routes and (RPKI) ROA

2

Route/ROAmanagement.......................................................................................3

1 MyAPNICroutesandWhoisrouteobjects.......................................................41.1 HowMyAPNICroutesandWHOISrouteobjectsaredifferent.......................................41.2 SynchronizingMyAPNICroutesandWHOISrouteobjects..............................................41.3 ConflictsbetweenMyAPNICroutesandWHOISrouteobjects.......................................42 Importroutes.................................................................................................5

3 CreateRoutes.................................................................................................83.1 ROAoption.............................................................................................................................................93.2 ‘WhoisRouteAttributes’option................................................................................................103.3 ‘Notifyadditionalcontacts’option...........................................................................................123.4 Sub-routeselection.........................................................................................................................133.5 RouteRequests–Actionlog........................................................................................................153.6 RouteTaskDetails...........................................................................................................................164 EditRoutes...................................................................................................17

5 Userpermission............................................................................................195.1 Checkinguserpermission............................................................................................................196 FAQ..............................................................................................................206.1 WhatisROAandRPKI...................................................................................................................206.2 WhydoIget“authorizationfailed”..........................................................................................206.3 Howdoesauthorizationwork?..................................................................................................206.4 HowdoIenableTwofactorauthentication(2FA)............................................................216.4.1 Time-basedOneTimePassword(TOTP)..............................................................................216.4.2 DigitalCertificates.........................................................................................................................21

3

Route/ROAmanagementToaccesstheRoute/ROAmanagementfeature:

1) LogintoMyAPNIC2) Goto:ResourcesàRouteManagement(seeimagebelow)

4

1 MyAPNICroutesandWhoisrouteobjectsTheroutemanagementtoolisaninteractivefeatureinMyAPNICwhereuserscanmanageroutesandROAsatonce.

1.1 HowMyAPNICroutesandWHOISrouteobjectsaredifferentThroughthistool,userscancreate/manageMyAPNICroutes,whicharementionedas“routes”throughoutthisdocument.These‘routes’actasatemplateforcreatingactualroutesinwhoisdatabase,whicharementionedas“routeobjects”inthisdocument.Routesandrouteobjectscanexistseparately;thatisarouteinMyAPNICcanexistwithoutanactualrouteobjectinwhoisdatabase,androuteobjectsinwhoisdatabasecanexistwithoutarouteentryinMyAPNIC.

1.2 SynchronizingMyAPNICroutesandWHOISrouteobjectsUserscandecidetoimportroutesinthewhoisdatabasethroughRouteManagementtool.ThiswillensurearouteentryinMyAPNICiscreatedforeveryrouteobjectassociatedtothataccount.(routeswithaccountsIPprefixesandASNs).OncearouteentryiscreatedinMyAPNIC,userscanmanagewhoisrouteobjectsthroughthetoolsinterface.Whenausercreates/updates/deletesaroutethroughthistool,thetoolwillattempttocreateawhoisrouteobjectassoonaspossible.Ifyouareupdatingmultipleobjectsatthesametime,thetoolmayshow“pending”statusagainsttherouteswhicharenotyetsynchronized.

1.3 ConflictsbetweenMyAPNICroutesandWHOISrouteobjectsRoutemanagementtoolisnottheonlywaythatawhoisrouteobjectcanbemanaged.Ifawhoisrouteobjectischanged,theMyAPNICrouteentrywillnotchange.Itwillindicatethatthereisconflict.ThisensuresthatuserismadeawareofchangesdoneoutsidetheRouteManagementtool.Theusercanthentakeactiontoresolvetheconflict.Eitheracceptthechanges,orreverttherouteobjectbacktoMyAPNICroutetemplate.

5

2 ImportroutesWhenauseropensorrefreshestheRoutemanagementpage,thetoolchecksforanyrouteobjectsintheAPNICwhoisdatabasewhicharenotmanagedbytheroutemanagementtoolinMyAPNIC.Ifanysuchrouteobjectsexist,theusercanselectandimportthemandstartmanagingthemthroughthetool.

Ifuserclickson“Review&Import”,followingscreenwillappear.

6

Fromthispage,theusercanviewandselectrouteobjectstobemanagedbythetool.Whentheuserfinishesselecting,andclickson“Import”thefollowingmessagewillappearonthescreentoconfirmthattheimporttaskisbeinghandledinthebackground.

Toseemoredetailsaboutthetask,theusercaneitherclickontheabovemessagewhileitsbeingdisplayed,orclickonthe“Requests”linkatthetopofRouteManagementpage.Byclickingeitherofthelinks,usercanseefollowingdetailedinformationaboutthetask.

Byclickingonthe“View”buttonaparticularrequestontheRoutetaskrequestwindow,thetoolwillshowanychangesthatweredoneintheAPNICwhoisdatabaseregardingthisrequest.Inthecaseofimporting,therouteobjectwillnotbechanged,hencethemessage“Objectalreadyexists”isdisplayed.

7

Oncetheroutesareimported,anyfurtherchangestotherouteobjectwillchangetherouteobjectintheAPNICwhoisdatabase.Seesection3,Editroutesformoreinformationaboutmakingchangestoanexistingroute.

8

3 CreateRoutesTocreateanewrouteobject,pleaseselectthe‘createrouteobject’

Thefollowingtemplateshowstheminimuminformationthatauserneedstoinputtocreatearoute.

Prefix TheIPv4orIPv6prefixinCIDRnotationOriginAS TheASNumberwhichisusedtoannouncetheIPprefixMostSpecificAnnouncement

Bydefault,thiswillbeprefilledbytheIPprefixessize.However,theusercanchosetoannouncemorespecificIPprefixesifhewishesto.Ifamorespecificannouncementischosen,thetoolwillcreatealltherouteobjectsfromtheleastspecificannouncement,uptothemostspecificannouncement,includinganyprefixesinbetween.

ROA SeeROAoptionDefinewhosisrouteattributes

See‘WhoisRouteAttributes’option

NotifyAdditionalContacts

SeeNotifyAdditionalContacts

9

3.1 ROAoptionIfthememberwhologsintoMyAPNIChas:-RPKIupdatepermission–AND--TwoFactorAuthenticationenabledTheROAoptionwillbetickedbydefault.Ifproceeded,withtheoption,matchingROAswillbecreatedfortheprefixandalsoformostspecificannouncement.Optioncanbeun-tickediftheuserdoesnotrequireROAstobecreated.IfthememberwhologsintoMyAPNIChas:-RPKIupdatepermissionrevoked–OR--TwoFactorAuthenticationdisabledTheROAoptionwillbeun-tickedbydefault.Usercannottickthisoption.IftheuserwantstocreateROAs,hecanclick“here”togototheTwoFactorAuthenticationconfigurationpage.

10

3.2 ‘WhoisRouteAttributes’option

Usercanaddnumberofattributesthroughthisoption,fromthedropdownmenu,onebyone.ToseeadetailedexplanationaboutalltheseattributespleasevisitthefollowingURL.https://www.apnic.net/apnic-info/whois_search/using-whois/guide/routeIfthisoptionisnotselected,aroutewillbecreatedwiththemandatoryattributesfilledwithinformationfromyour.

11

Routeobjecttemplatefor‘route’(IPv4routes)

Routeobjecttemplatefor‘route6’(IPv6routes)

12

3.3 ‘Notifyadditionalcontacts’optionBydefault,ifarouteiscreated,automaticnotificationswillbesendtoASNcustodian.NotificationswillbesendtoAPNICaccountcontacts.IftheASNisfromadifferentRIR,‘whois’databasecontactsassociatedtothatASNwillbenotified.Ifneitheroftheabovecontactswerefound,APNIChelpdeskwillbenotified.WiththeNotify‘Notifyadditionalcontacts’,theuserisabletosendroutecreationnoticestoanyotherpartythathewishestoinform.Multiplee-mailcontactscanbeincludedbyseparatingthemwithcommasorspaces.

13

3.4 Sub-routeselectionOncealltheinformationisfilled,andwhenuserclicks“NEXT”,theConfirmationwindowappears,wherefurtheradjustmentscanbemade.

Theconfirmationscreenaboveshowsalltheroutesthataregoingtobecreated.Themandatoryattributestheuserenteredaredisplayedatthetopofthescreen.Itisfollowedbyalistofroutesthatwillbecreated.Listwillhavemorethanonerouteifthe‘mostspecificannouncement’ishigherthan‘prefixsize’.Allroutesinthelistwouldbeselectedbydefault.Theuserhastheoptiontounselectanyrouteifrequired.Selectall Ticksallthesub-routesinthelistDeselectall Un-tickallthesub-routesinthelistShow‘X’entries

Determinesthenumberofsub-routestobedisplayedperpage.Optionsare10,25,50and100

Previous Goestothepreviouspageofthelistifthenumberofsub-routesdoesnotfitintoanewpage

14

Next Goestothenextpageofthelistifthenumberofsub-routesdoesnotfitintoanewpage

Cancel AbortstheroutecreationGoback Goestothepreviouspagewhererouteattributescanbe

updatedSubmit Allselectedsub-routeswillbecreated.Routeobjectswillbe

injectedtothewhoisdatabase.IfROAoptionisenabled,matchingROAswillbecreated

Oncethee‘Submit’buttonisclicked,thetoolwillstartprocessingtheroutecreation.Adialogboxappearingasbelowwillindicatethis.

ThisdialogboxwilldisappearautomaticallyoncetheroutesarecreatedinMyAPNIC.Asshowninthedialogbox,toseedetailsclickthe‘Routerequests’linkshownbelow.

15

3.5 RouteRequests–ActionlogThe‘Routerequests’link(please1.1.4ConfirmandSubmit)willtaketheusertoalogofallactivitiesassociatedtheRouteManagementpage.Actionlogwilllooksimilartothebelowscreen.

ID ActionlogIDCreated DateandtimestampofthesubmissionUser MyAPNICuserIDType Typeofactionrequests.CreateRoute,ModifyRouteorDelete

RouteRoute TheIPprefixwhichwillbeannounced.Sub-routeprefixescanbe

viewedbyclicking‘View’Status Greentickmarkindicatesallsub-routesarecreatedsuccessfully.

Redcrossiconindicatesthatatleastonesub-routecreationhasfailed.

View Showsmoredetailsaboutaspecificactionitem

16

3.6 RouteTaskDetailsThescreenbelowshowshowroutetaskdetailswillappearifthe‘view’buttonisclickedintherouterequestspage(see1.1.6RouteRequests)

Ifthetaskselectediseither“CreateRoute”or“EditRoute”,theusercanviewtheactualwhoisrouteobjectbyclickingthe“ViewWhoisObject”buttonintheabovescreen.

17

4 EditRoutesTheroutescreatedthroughMyAPNICorthroughothermethodssuchase-mailupdatescanbemodifiedthroughthisinterface.

Clickingontheeditbuttoninfrontofarouteentrycanmodifythespecificroute.

18

MostSpecificAnnouncement

Usercanchangethisattribute.Bychangingthis,thenumberofsub-routeentrieswillautomaticallychange.

ROA UsercantogglebetweenROAenableandROAdisable.UserneedtohavepermissiontoenableROA(See:UserPermission)

Enable/Disable IfManagedsetto‘Enabled’,itmeansthereisawhoisrouteobjectexisting.IfManagedsetto‘Disabled’,itmeanswhoisrouteobjectdoesnotexist.Bytogglingbetweenthetwostates,theusercancreateanddeletewhoisrouteobjects.Iftheuserdisablesasub-routeforwhichROAisenabled,ROAwillautomaticallygetdeletedaswell.

Submit Changeswillbeprocessed,andwhoisrouteobjectswillbeupdatedaccordingly.

UpdateWhois Thisbuttonwillopenwhoisupdatepageforthatparticularwhoisrouteobject.

19

5 UserpermissionTobeabletocreateROAstogetherwithroutes,userrequire:

1) ResourceCertificationpermissionenabled–AND-2) TwoFactorAuthenticationenabled(2FA)

a. TimebasedOneTimePasswords(TOTP)–ORb. DigitalCertificates

Tolearnmoreabout:ResourcesCertification:www.apnic.net/ROATwoFactoreAuthentication:www.apnic.net/2FABydefault,CorporateContactshaveResourceCertificationpermissionEnabled.TechnicalContactsandBilling(Admin)Contactsdonothaveaccessbydefault.TheCorporateContactcangrantthemaccessthroughMyAPNIC.Noneofthecontactshave2FAenabled.Therefore,allcontactpersonsmustselectedoneoftheabove2FAmethodsandconfigureitbeforetheycancreateROAs.

5.1 CheckinguserpermissionUserscancheckwhatpermissionsareenabledforthembygoingto:HomeàMyProfileàAccountPermission

TobeabletocreateROAsboth“View”and“Update”permissionsshouldbeenabled.

http://www.apnic.net/ROAhttp://www.apnic.net/2FA

20

6 FAQ

6.1 WhatisROAandRPKIPleasevisitAPNICwebsiteformoreinformation.www.apnic.net/ROA

6.2 WhydoIget“authorizationfailed”Itcouldbeduetooneormoreofthefollowingreasons.

1) IPprefixnotintheAPNICaccount.RouteobjectscanbecreatedbyIPprefixcustodiansonly.Pleasegoto:HomeàResourcesàIPv4/IPv6andcheckiftheIPprefixisavailable.

2) TheaccountmaintainerhasnotbeenaddedtoyourMyAPNIC.Youcanrequestforthepasswordifthereareotheruserswhoalreadyhavethemaintaineradded.Pleasegoto:HomeàResourcesàmaintainersandcheckifthemaintainerisregistered.

3) Antherrouteobjectexistswhichissameorlargerthantherouteobject

youaretryingtocreate,andithasadifferent“mnt-lower”or“mnt-routes”.Inthatcase,pleaseregisterthatmaintainerinyourMyAPNICanduseitformorespecificrouteannouncements.

6.3 Howdoesauthorizationwork?Whois objects are protected bymaintainers. In the case of route objects, it’s a little bit morecomplicated.Tobeconsistentwith theobjectswhichalreadyexist, therearedifferent levelsofcheckswhichneedstobevalidatedbeforearoutecanbeinjectedintowhoisdatabase.If you are creating a route object (eg : 198.51.100.0/24 with AS64511), maintainerauthorizationwillbecheckedinthefollowingorder.

1) IstherearouteobjectwiththesameIPprefix?a. Ifyes:Goto5b. IfNo:Goto2

2) IstherearouteobjectwithalessspecificIPprefix?(overlappingtherouteyouwanttocreate)

a. Ifyes:Goto5b. IfNo:Goto3

3) IsthereaninetnumobjectwiththesameIPprefix?

a. Ifyes:Goto5b. IfNo:Goto4

4) IsthereaninetnumobjectwithalessspecificIPprefix?(overlappingtherouteyouwant

tocreate)a. Ifyes:Goto5b. IfNo:routecreationfailerrorgiven

5) Isthereamnt-routesdefinedintheexistingobject

http://www.apnic.net/ROA

21

a. Ifyes:Goto8b. IfNo:Goto6

6) Isthereamnt-lowerdefinedintheexistingobjecta. Ifyes:Goto8b. IfNo:Goto7

7) Isthereamntnerdefinedintheexistingobjecta. Ifyes:Goto8b. IfNo:routecreationfailerrorgiven

8) Doesthemnt-routes/mnt-lower/mntneroftheexistingobjectmatchthemntneroftherouteyouwishtocreate?

a. Ifyes:CreateRouteb. IfNo:routecreationfailerrorgiven

If you still cannot find the reason why it fails, please contact APNIC helpdek.(helpdesk@apnic.net)

6.4 HowdoIenableTwofactorauthentication(2FA)Therearetwooptionstoenable2FA.Formoreinformationabout2FA,pleasevisitwww.apnic.net/2FA

6.4.1 Time-basedOneTimePassword(TOTP)Toconfigure,pleaseseefollowingguide:www.apnic.net/2fa

6.4.2 DigitalCertificatesToconfigure,pleaseseefollowingguide:https://www.apnic.net/manage-ip/myapnic/digital-certificates

mailto:helpdesk@apnic.net)http://www.apnic.net/2fahttps://www.apnic.net/manage-ip/myapnic/digital-certificates