What is a Route Origin Authorisation (ROA)?
A ROA is a cryptographically signed object that states which Autonomous System (AS) is authorised to originate a certain prefix. Because a ROA is a child object of a resource certificate, only the legitimate holder of a certain IP address block can create a valid ROA for one of the prefixes that the Local Internet Registry (LIR) holds.
In addition, a ROA can specify a maximum prefix length. When present, this specifies the length of the most specific IP prefix that the AS is authorised to advertise. When it is not present, the AS is only authorised to advertise exactly the prefix specified. Any more specific announcement of the prefix will be considered RPKI Invalid. This is a way to enforce aggregation and prevent hijacking through the announcement of a more specific prefix.
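The effect of the maximum prefix length on validation can be seen in a short origin-validation check. This is an added example, not part of the original page: it follows the RFC 6811 procedure, so it also returns "not-found" for prefixes that no ROA covers (a state this page does not discuss). The ROA class, the validate function, and the documentation prefixes and AS numbers are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional


class ROA(NamedTuple):
    prefix: str                       # prefix named in the ROA
    asn: int                          # AS authorised to originate it
    max_length: Optional[int] = None  # None: maximum length not present


def validate(roas, announced_prefix, origin_asn):
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement."""
    route = ipaddress.ip_network(announced_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA is relevant only if its prefix covers the announced prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Without a maximum length, only the exact prefix length is authorised.
        max_len = roa.max_length if roa.max_length is not None else roa_net.prefixlen
        if roa.asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered by at least one ROA but matched by none: RPKI Invalid.
    return "invalid" if covered else "not-found"


# Constructed sample ROAs (documentation prefixes and AS numbers).
ROAS = [
    ROA("203.0.113.0/24", 64496),      # no maximum length: exact /24 only
    ROA("2001:db8::/32", 64497, 48),   # more specifics allowed down to /48
]

if __name__ == "__main__":
    announcements = [
        ("203.0.113.0/24", 64496),       # exact prefix, authorised AS
        ("203.0.113.0/25", 64496),       # more specific, no maximum length
        ("203.0.113.128/25", 64511),     # more specific from another AS
        ("2001:db8:1::/48", 64497),      # within the maximum length
        ("2001:db8:1:100::/56", 64497),  # longer than the maximum length
        ("198.51.100.0/24", 64496),      # no covering ROA
    ]
    for prefix, asn in announcements:
        print(f"{prefix:22} AS{asn}: {validate(ROAS, prefix, asn)}")
```

Note that the second announcement is Invalid even though the authorised AS originates it, because the ROA carries no maximum length.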