I created a ROA to authorise an AS to originate one of my prefixes, but the announcement is still "Invalid". Why is that?
A ROA contains three informational elements:
- An Autonomous System Number
- An IP prefix
- The maximum prefix length
An Invalid BGP route announcement that is covered by a matching ROA is usually caused by an incorrect maximum prefix length. That is, the actual announcement is more specific than is allowed by the maximum length set in the ROA.
When present, the maximum length specifies the most specific IP prefix that the AS is authorised to advertise. When it is not present, the AS is only authorised to advertise exactly the prefix specified. Any more specific announcement of the prefix will be considered RPKI Invalid.
You can find more information on ROAs, including several examples, on the Route Origin Authorisation (ROA) page.