RS Prefix filtering (ROA and IRR)

Route Server IP prefix filtering

There are about 650,000 route announcements on the Internet today. The most common routing error we see is the accidental mis-origination of a prefix, meaning someone unintentionally announces an IP prefix that they are not the holder of. With filtering we are trying to ensure that:

A particular route announcement is authorised
by the legitimate holder of the address space.

In order for your prefix to be allowed on our RS you must maintain a Route Origin Authorization (ROA) for that prefix with your RIR or the RADB Internet Routing Registry (IRR). If you have downstream peers that you announce to CNX, please ensure that they also maintain ROA records for their prefixes.

You can find more details about route security at the APNIC Services Page and more details about IRR on APNIC’s what is in the IRR DB

Whenever your delegation changes our automated system will pick up this change within 24 to 48 hours. You can test if all your prefixes are correctly stored in the IRR using whois queries against

For example query IPv4/v6 allocations for AS7712 (Sabay)

whois -h '!gas7712' # ipv4 allocation
whois -h '!6as7712' # ipv6 allocation

We are only using information from the IRR database for our filter lists, since this is the most up to date information on allocated ip address space. We will not add any prefixes to our filters manually. Please update your route origin with your RIR if the information in the whois database is incomplete.