ROA and LOA: Two Different But Essential Documents
If you are leasing or buying IPv4 addresses, you will encounter two important acronyms: ROA and LOA. Despite sounding similar, they serve very different purposes. Understanding both is critical for successfully deploying IPv4 addresses on your network.
LOA - Letter of Authorization
What Is a LOA?
A Letter of Authorization (LOA) is a document from the IP address holder (owner or lessor) that authorizes another party to announce (route) their IP addresses from a specific Autonomous System (AS). It is primarily used in IPv4 leasing scenarios.
When Do You Need a LOA?
- When you lease IPv4 addresses and need to announce them from your network
- When your upstream provider requires proof that you are authorized to use the IP addresses
- When setting up BGP announcements for IP space you do not own
What Should a LOA Include?
- The IP prefix being authorized (e.g., 185.100.200.0/24)
- The authorized AS number(s)
- The name of the authorized party
- Validity period (start and end dates)
- Signature and contact details of the IP holder
- Date of issuance
ROA - Route Origin Authorization
What Is a ROA?
A Route Origin Authorization (ROA) is a cryptographically signed object within the RPKI (Resource Public Key Infrastructure) framework. It authorizes a specific AS number to originate (announce) a particular IP prefix. Unlike a LOA, which is a paper document, a ROA is a digital, verifiable authorization.
Why ROAs Are Critical
Many networks worldwide now perform RPKI Route Origin Validation (ROV). If your prefix does not have a valid ROA, those networks may:
- Reject your BGP announcement entirely (RPKI Invalid)
- Deprioritize your routes
- Flag your announcement as potentially hijacked
How to Create a ROA
ROAs are created through your RIR's member portal:
- RIPE NCC: my.ripe.net → RPKI → ROAs
- ARIN: ARIN Online → RPKI → ROAs
- APNIC: MyAPNIC → RPKI
LOA vs ROA: Key Differences
| Aspect | LOA | ROA |
|---|---|---|
| Type | Paper/PDF document | Cryptographic digital object |
| Issued by | IP holder/lessor | IP holder via RIR portal |
| Verification | Manual (provider trusts the document) | Automatic (cryptographic validation) |
| Primary use | Leasing, provider authorization | RPKI routing security |
| Required for | ISP/datacenter BGP setup | RPKI-validating networks globally |
| Scope | Between two parties | Global internet routing |
In Practice: Using Both Together
For IPv4 leasing, you typically need both:
- The lessor provides a LOA to authorize you to announce the IPs
- The lessor creates a ROA in the RIR portal for your AS number
- You provide both the LOA and ROA confirmation to your upstream provider
- Your provider configures BGP to announce the prefix
When you lease IPv4 addresses through IPv4.center, LOA and ROA setup assistance are included as part of the service. For purchases, our post-transfer support guides you through ROA creation.