Native tracking of RPKI ROAs to tie ASN + Prefix + Aggregates together #6711

New Issue

Closed

opened 2025-12-29 19:44:21 +01:00 by adam · 4 comments

adam commented 2025-12-29 19:44:21 +01:00

Owner

Copy Link

Originally created by @falz on GitHub (Jul 23, 2022).

NetBox version

3.2.7

Feature type

Data model extension

Proposed functionality

IP Aggregate and prefix tracking is a pivotal feature of netbox that i suspect is widely used. It would be keen to have native support to help track RPKI ROAs (https://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure) which would help network operators determine which ROAs should be created and which should be a part of which RPKI manifest.

Key fields to ROAs are:

1. ROA name (arbitrary)
2. prefix + length
3. Origin ASN
4. Start / End date
5. Private Key

Of these fields, I believe we only would need to track 2, 3, and possibly 1. 2 and 3 are supported in Netbox, but there is no way to tie them together. Issue https://github.com/netbox-community/netbox/issues/8782 also speaks of this (and RPKI is mentioned in a comment).

Im envisioning two different ways to possibly do this. My preference is item 2 but I'd take either.

1. "not called rpki" - This would track item 2 and 3 above. Sites and ASNs in netbox can currently be tied together (an ASN can have multiple sites), having this same type of reltationship for ASNs to Prefixes and Aggregates would achieve this.

2. "RPKI ROA" netbox object - This would track 1, 2, 3 above. In the IPAM section, have a top level RPKI ROA area. A ROA would have 3 required fields - ROA name, a link to a single existing ASN, and a 1:many link to Prefixes AND Aggregates (unsure if this is possible). This would also mean that an Aggregate or Prefix would have an optional field where you could select a single ROA that it is a part of (1:1 from the prefix/aggregate perspective)

Use case

While you may be able to track such objects in Netbox using Tags and Custom Fields, it seems like it may be a widespread enough use case to support it natively, which may also help with RPKI awareness and adoption.

If one were to use a custom field on a prefix or aggregate, it would be for an ASN and we would then have duplicate data.

We are a service provider-ish organization. We have our own IP space. We have some downstream eyeballs with prefixes (/24s, /23s, etc) advertised from a customer ASN, while we have the covering /16 advertised from our prefix, which is standard in service provider environments. To create a single ROA manifest we need the complete list of all prefixes and origin ASNs that are within that /16, the current method to track this is a spreadsheet, which quickly becomes out of date.

Please note that I'm writing this request before we fully have RPKI ROAs signed, and encountered this request in the planning phases. It's possible that we're missing something key here to ROA deployment and we'd love to hear feedback from folks with operational experience if this feature would be beneficial.

Database changes

IPAM -> RPKI object type must be created, then tied to prefixes + aggregates + asns.

External dependencies

none?

Originally created by @falz on GitHub (Jul 23, 2022). ### NetBox version 3.2.7 ### Feature type Data model extension ### Proposed functionality IP Aggregate and prefix tracking is a pivotal feature of netbox that i suspect is widely used. It would be keen to have native support to help track RPKI ROAs (https://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure) which would help network operators determine which ROAs should be created and which should be a part of which RPKI manifest. Key fields to ROAs are: 1) ROA name (arbitrary) 2) prefix + length 3) Origin ASN 4) Start / End date 5) Private Key Of these fields, I believe we only would need to track 2, 3, and possibly 1. 2 and 3 are supported in Netbox, but there is no way to tie them together. Issue https://github.com/netbox-community/netbox/issues/8782 also speaks of this (and RPKI is mentioned in a comment). Im envisioning two different ways to possibly do this. My preference is item 2 but I'd take either. 1) "not called rpki" - This would track item 2 and 3 above. Sites and ASNs in netbox can currently be tied together (an ASN can have multiple sites), having this same type of reltationship for ASNs to Prefixes *and* Aggregates would achieve this. 2) "RPKI ROA" netbox object - This would track 1, 2, 3 above. In the IPAM section, have a top level RPKI ROA area. A ROA would have 3 required fields - ROA name, a link to a single existing ASN, and a 1:many link to Prefixes AND Aggregates (unsure if this is possible). This would also mean that an Aggregate or Prefix would have an optional field where you could select a single ROA that it is a part of (1:1 from the prefix/aggregate perspective) ### Use case While you may be able to track such objects in Netbox using Tags and Custom Fields, it seems like it may be a widespread enough use case to support it natively, which may also help with RPKI awareness and adoption. If one were to use a custom field on a prefix or aggregate, it would be for an ASN and we would then have duplicate data. We are a service provider-ish organization. We have our own IP space. We have some downstream eyeballs with prefixes (/24s, /23s, etc) advertised from a customer ASN, while we have the covering /16 advertised from our prefix, which is standard in service provider environments. To create a single ROA manifest we need the complete list of all prefixes and origin ASNs that are within that /16, the current method to track this is a spreadsheet, which quickly becomes out of date. Please note that I'm writing this request before we fully have RPKI ROAs signed, and encountered this request in the planning phases. It's possible that we're missing something key here to ROA deployment and we'd love to hear feedback from folks with operational experience if this feature would be beneficial. ### Database changes IPAM -> RPKI object type must be created, then tied to prefixes + aggregates + asns. ### External dependencies none?

adam added the type: featureplugin candidate labels 2025-12-29 19:44:21 +01:00

adam closed this issue 2025-12-29 19:44:21 +01:00

adam commented 2025-12-29 19:44:22 +01:00

Author

Owner

Copy Link

@falz commented on GitHub (Jul 23, 2022):

I missed an item that's required to create a ROA - "max prefix length" - this would have to exist as an optional field when using implementation method 2 - native support for RPKI.

Additionally, an RPKI object should be able to optionally be assigned a tenant.

@falz commented on GitHub (Jul 23, 2022): I missed an item that's required to create a ROA - "max prefix length" - this would have to exist as an optional field when using implementation method 2 - native support for RPKI. Additionally, an RPKI object should be able to optionally be assigned a tenant.

adam commented 2025-12-29 19:44:22 +01:00

Author

Owner

Copy Link

@github-actions[bot] commented on GitHub (Sep 27, 2022):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. Do not attempt to circumvent this process by "bumping" the issue; doing so will result in its immediate closure and you may be barred from participating in any future discussions. Please see our contributing guide.

@github-actions[bot] commented on GitHub (Sep 27, 2022): This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. **Do not** attempt to circumvent this process by "bumping" the issue; doing so will result in its immediate closure and you may be barred from participating in any future discussions. Please see our [contributing guide](https://github.com/netbox-community/netbox/blob/develop/CONTRIBUTING.md).

adam commented 2025-12-29 19:44:22 +01:00

Author

Owner

Copy Link

@ryanmerolle commented on GitHub (Oct 22, 2022):

This feels like a good plugin to me. It could really model out RPKI. netbox-rpki

@ryanmerolle commented on GitHub (Oct 22, 2022): This feels like a good plugin to me. It could really model out RPKI. netbox-rpki

adam commented 2025-12-29 19:44:22 +01:00

Author

Owner

Copy Link

@jeremystretch commented on GitHub (Nov 16, 2022):

Agreed; I'd like to see this implemented as a plugin. I feel that it needs someone very familiar with the intricacies of RPKI to own it. If it gains traction, we could consider incorporating the functionality into core in the future.

@jeremystretch commented on GitHub (Nov 16, 2022): Agreed; I'd like to see this implemented as a plugin. I feel that it needs someone very familiar with the intricacies of RPKI to own it. If it gains traction, we could consider incorporating the functionality into core in the future.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

update-changelog-comments-docs

feature-removal-issue-type

20911-dropdown

20239-plugin-menu-classes-mutable-state

21097-graphql-id-lookups

feature

fix_module_substitution

20923-dcim-templates

20044-elevation-stuck-lightmode

feature-ip-prefix-link

v4.5-beta1-release

20068-import-moduletype-attrs

20766-fix-german-translation-code-literals

20378-del-script

7604-filter-modifiers-v3

circuit-swap

12318-case-insensitive-uniqueness

20637-improve-device-q-filter

20660-script-load

19724-graphql

20614-update-ruff

14884-script

02496-max-page

19720-macaddress-interface-generic-relation

19408-circuit-terminations-export-templates

20203-openapi-check

fix-19669-api-image-download

7604-filter-modifiers

19275-fixes-interface-bulk-edit

fix-17794-get_field_value_return_list

11507-show-aggregate-and-rir-on-api

9583-add_column_specific_search_field_to_tables

v4.5.0

v4.4.10

v4.4.9

v4.5.0-beta1

v4.4.8

v4.4.7

v4.4.6

v4.4.5

v4.4.4

v4.4.3

v4.4.2

v4.4.1

v4.4.0

v4.3.7

v4.4.0-beta1

v4.3.6

v4.3.5

v4.3.4

v4.3.3

v4.3.2

v4.3.1

v4.3.0

v4.2.9

v4.3.0-beta2

v4.2.8

v4.3.0-beta1

v4.2.7

v4.2.6

v4.2.5

v4.2.4

v4.2.3

v4.2.2

v4.2.1

v4.2.0

v4.1.11

v4.1.10

v4.1.9

v4.1.8

v4.2-beta1

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

v4.1.2

v4.1.1

v4.1.0

v4.0.11

v4.0.10

v4.0.9

v4.1-beta1

v4.0.8

v4.0.7

v4.0.6

v4.0.5

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.7.8

v3.7.7

v4.0-beta2

v3.7.6

v3.7.5

v4.0-beta1

v3.7.4

v3.7.3

v3.7.2

v3.7.1

v3.7.0

v3.6.9

v3.6.8

v3.6.7

v3.7-beta1

v3.6.6

v3.6.5

v3.6.4

v3.6.3

v3.6.2

v3.6.1

v3.6.0

v3.5.9

v3.6-beta2

v3.5.8

v3.6-beta1

v3.5.7

v3.5.6

v3.5.5

v3.5.4

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.4.10

v3.4.9

v3.5-beta2

v3.4.8

v3.5-beta1

v3.4.7

v3.4.6

v3.4.5

v3.4.4

v3.4.3

v3.4.2

v3.4.1

v3.4.0

v3.3.10

v3.3.9

v3.4-beta1

v3.3.8

v3.3.7

v3.3.6

v3.3.5

v3.3.4

v3.3.3

v3.3.2

v3.3.1

v3.3.0

v3.2.9

v3.2.8

v3.3-beta2

v3.2.7

v3.3-beta1

v3.2.6

v3.2.5

v3.2.4

v3.2.3

v3.2.2

v3.2.1

v3.2.0

v3.1.11

v3.1.10

v3.2-beta2

v3.1.9

v3.2-beta1

v3.1.8

v3.1.7

v3.1.6

v3.1.5

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.12

v3.0.11

v3.0.10

v3.1-beta1

v3.0.9

v3.0.8

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.11.12

v3.0-beta2

v2.11.11

v2.11.10

v3.0-beta1

v2.11.9

v2.11.8

v2.11.7

v2.11.6

v2.11.5

v2.11.4

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.10

v2.10.9

v2.11-beta1

v2.10.8

v2.10.7

v2.10.6

v2.10.5

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.11

v2.10-beta2

v2.9.10

v2.10-beta1

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.9-beta2

v2.8.9

v2.9-beta1

v2.8.8

v2.8.7

v2.8.6

v2.8.5

v2.8.4

v2.8.3

v2.8.2

v2.8.1

v2.8.0

v2.7.12

v2.7.11

v2.7.10

v2.7.9

v2.7.8

v2.7.7

v2.7.6

v2.7.5

v2.7.4

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.12

v2.6.11

v2.6.10

v2.6.9

v2.7-beta1

Solcon-2020-01-06

v2.6.8

v2.6.7

v2.6.6

v2.6.5

v2.6.4

v2.6.3

v2.6.2

v2.6.1

v2.6.0

v2.5.13

v2.5.12

v2.6-beta1

v2.5.11

v2.5.10

v2.5.9

v2.5.8

v2.5.7

v2.5.6

v2.5.5

v2.5.4

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.9

v2.5-beta2

v2.4.8

v2.5-beta1

v2.4.7

v2.4.6

v2.4.5

v2.4.4

v2.4.3

v2.4.2

v2.4.1

v2.4.0

v2.3.7

v2.4-beta1

v2.3.6

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.10

v2.3-beta2

v2.2.9

v2.3-beta1

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.6

v2.2-beta2

v2.1.5

v2.2-beta1

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.10

v2.1-beta1

v2.0.9

v2.0.8

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v2.0-beta3

v1.9.6

v1.9.5

v2.0-beta2

v1.9.4-r1

v1.9.3

v2.0-beta1

v1.9.2

v1.9.1

v1.9.0-r1

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.3

v1.7.2-r1

v1.7.1

v1.7.0

v1.6.3

v1.6.2-r1

v1.6.1-r1

1.6.1

v1.6.0

v1.5.2

v1.5.1

v1.5.0

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.1

v1.3.0

v1.2.2

v1.2.1

v1.2.0

v1.1.0

v1.0.7-r1

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3-r1

v1.0.3

1.0.0

Labels

Clear labels

beta

breaking change

complexity: high

complexity: low

complexity: medium

needs milestone

netbox

pending closure

plugin candidate

pull-request

Mirrored from GitHub Pull Request

severity: high

severity: low

severity: medium

status: accepted

status: backlog

status: blocked

status: duplicate

status: needs owner

status: needs triage

status: revisions needed

status: under review

topic: GraphQL

topic: Internationalization

topic: OpenAPI

topic: UI/UX

topic: cabling

topic: event rules

topic: htmx navigation

topic: industrialization

topic: migrations

topic: plugins

topic: scripts

topic: templating

topic: testing

type: bug

type: deprecation

type: documentation

type: feature

type: housekeeping

type: translation

No Label plugin candidate type: feature

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/netbox#6711