diff --git a/files/usr/local/bin/update-meta b/files/usr/local/bin/update-meta
index 97251c4..5394490 100644
--- a/files/usr/local/bin/update-meta
+++ b/files/usr/local/bin/update-meta
@@ -26,6 +26,7 @@ reload() {
 echo
 echo bird6: regenerating icvpn peers
 /opt/icvpn-scripts/mkbgp -6 -s /var/lib/icvpn-meta -d icvpn $excluded_peers > /etc/bird/bird6.conf.d/icvpn-peers.conf
+ /opt/icvpn-scripts/mkroa -6 -s /var/lib/icvpn-meta -m 64 $excluded_peers > /etc/bird/bird6.conf.d/icvpn-roa-table.conf
 echo bird6: reload
 # We only want errors
 /usr/sbin/birdc6 configure 1>/dev/null
@@ -34,6 +35,7 @@ reload() {
 echo
 echo bird: regenerating icvpn peers
 /opt/icvpn-scripts/mkbgp -4 -s /var/lib/icvpn-meta -d icvpn $excluded_peers > /etc/bird/bird.conf.d/icvpn-peers.conf
+ /opt/icvpn-scripts/mkroa -4 -s /var/lib/icvpn-meta -m 24 $excluded_peers > /etc/bird/bird.conf.d/icvpn-roa-table.conf
 echo bird: reload
 # We only want errors
 /usr/sbin/birdc configure 1>/dev/null
diff --git a/manifests/bird4.pp b/manifests/bird4.pp
index f33d270..d2fe70d 100644
--- a/manifests/bird4.pp
+++ b/manifests/bird4.pp
@@ -105,6 +105,13 @@
 $icvpn_name = $name
+ file_line {
+ "icvpn-include-roa":
+ path => '/etc/bird/bird.conf',
+ line => 'include "/etc/bird/bird.conf.d/icvpn-roa.conf";',
+ require => File['/etc/bird/bird.conf'],
+ notify => Service['bird'];
+ }->
 file_line {
 "icvpn-template":
 path => '/etc/bird/bird.conf',
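Review bot: The added mkroa line writes straight into /etc/bird/bird6.conf.d/icvpn-roa-table.conf, so a failing or interrupted mkroa (for example a half-synced /var/lib/icvpn-meta) leaves a truncated or empty table that the `birdc6 configure` three lines later then loads. With the IPv6 import filter added in this commit, an empty ROA table turns every announcement that is not exempted into a reject, so a generator error becomes a silent icvpn outage instead of a no-op. Generate into a temporary file and move it into place only when mkroa exits 0: `tmp=$(mktemp /etc/bird/bird6.conf.d/.icvpn-roa-table.XXXXXX) && /opt/icvpn-scripts/mkroa -6 -s /var/lib/icvpn-meta -m 64 $excluded_peers > "$tmp" && mv "$tmp" /etc/bird/bird6.conf.d/icvpn-roa-table.conf`. The mkbgp line directly above has the same weakness, and reload() continues outside this hunk.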
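Review bot: mkroa's exit status is never checked on the added IPv4 line before `birdc configure` runs, and no `set -e` is visible in this hunk, so a generator failure still triggers a reload against whatever partial output landed in icvpn-roa-table.conf — and that table is now what decides which IPv4 routes the import filter accepts. Skip the reload and surface the error when generation fails, e.g. `/opt/icvpn-scripts/mkroa -4 -s /var/lib/icvpn-meta -m 24 $excluded_peers > /etc/bird/bird.conf.d/.icvpn-roa-table.tmp && mv /etc/bird/bird.conf.d/.icvpn-roa-table.tmp /etc/bird/bird.conf.d/icvpn-roa-table.conf || { echo "mkroa -4 failed, not reloading bird" >&2; return 1; }`. A short comment stating where /var/lib/icvpn-meta is fetched from and how its integrity is verified would also help, since the ROA check is only as trustworthy as that data and the fetch is not visible here. reload() continues outside this hunk.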
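Review bot: The new `icvpn-include-roa` file_line appends its include to /etc/bird/bird.conf, but the `->` chain only orders the Puppet resources, not the lines in the file: on a host where the `icvpn-template` include already exists, the `include ".../icvpn-roa.conf";` line lands after it. If I recall BIRD's parser correctly, `roa_check(icvpn_roa)` in the template's filter needs the roa table declared earlier in the configuration, so that order makes `birdc configure` fail and the running bird silently keeps its old, unvalidated policy. Either pin the position with file_line's `after` parameter on a line known to precede the template include, or generate bird.conf from one template; at minimum add `# must be parsed before icvpn-template.conf, whose filter references roa table icvpn_roa` to the resource. The enclosing class starts and ends outside this hunk.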
@@ -124,18 +131,30 @@
 }
 # Process meta data from tinc directory
- file { "/etc/bird/bird.conf.d/icvpn-template.conf":
- mode => "0644",
- content => template("ffnord/etc/bird/bird.icvpn-template.conf.erb"),
- require => [
- File['/etc/bird/bird.conf.d/'],
- Package['bird'],
- Class['ffnord::tinc'],
- ],
- notify => [
- Service['bird'],
- File_line['icvpn-include'],
- File_line['icvpn-template']
- ];
- }
+ file {
+ "/etc/bird/bird.conf.d/icvpn-template.conf":
+ mode => "0644",
+ content => template("ffnord/etc/bird/bird.icvpn-template.conf.erb"),
+ require => [
+ File['/etc/bird/bird.conf.d/'],
+ Package['bird'],
+ Class['ffnord::tinc'],
+ ],
+ notify => [
+ Service['bird'],
+ File_line['icvpn-include'],
+ File_line['icvpn-template']
+ ];
+ }
+
+ file_line {
+ "icvpn-roa":
+ path => '/etc/bird/bird.conf.d/icvpn-roa.conf',
+ line => 'roa table icvpn_roa { include "icvpn-roa-table.con?" }',
+ require => [
+ File['/etc/bird/bird.conf.d/'],
+ File_line['icvpn-include-roa']
+ ],
+ notify => Service['bird'];
+ }
 }
diff --git a/manifests/bird6.pp b/manifests/bird6.pp
index e2954d3..90b75ff 100644
--- a/manifests/bird6.pp
+++ b/manifests/bird6.pp
@@ -105,6 +105,13 @@
 include ffnord::icvpn
+ file_line {
+ "icvpn-include-roa6":
+ path => '/etc/bird/bird6.conf',
+ line => 'include "/etc/bird/bird6.conf.d/icvpn-roa.conf";',
+ require => File['/etc/bird/bird6.conf'],
+ notify => Service['bird6'];
+ }->
 file_line {
 "icvpn-template6":
 path => '/etc/bird/bird6.conf',
@@ -137,5 +144,16 @@
 File_line['icvpn-include6'],
 File_line['icvpn-template6']
 ];
- }
+ }
+
+ file_line {
+ "icvpn-roa6":
+ path => '/etc/bird/bird6.conf.d/icvpn-roa.conf',
+ line => 'roa table icvpn_roa { include "icvpn-roa-table.con?" }',
+ require => [
+ File['/etc/bird/bird6.conf.d/'],
+ File_line['icvpn-include-roa6']
+ ],
+ notify => Service['bird'];
+ }
 }
diff --git a/templates/etc/bird/bird.icvpn-template.conf.erb b/templates/etc/bird/bird.icvpn-template.conf.erb
index e6ce727..712e051 100644
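Review bot: The `line` of the new `icvpn-roa` file_line, `roa table icvpn_roa { include "icvpn-roa-table.con?" }`, has no semicolon after the include; as far as I recall BIRD only recognises `include "file";` with the terminator, so this would be a parse error at the first reload. The filename is also relative, and I am not certain BIRD resolves it against the including file's directory rather than the daemon's working directory — an absolute path removes the doubt: `line => 'roa table icvpn_roa { include "/etc/bird/bird.conf.d/icvpn-roa-table.con?"; }',`. The `?` glob reads like a typo and needs a comment, presumably `# glob, so bird still starts before update-meta has generated icvpn-roa-table.conf for the first time`. Managing a fixed-content file through file_line instead of `file { content => ... }` also leaves its mode and owner unmanaged, though that matches the rest of this module.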
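Review bot: The `icvpn-include-roa6` file_line relies on append order to place `include "/etc/bird/bird6.conf.d/icvpn-roa.conf";` ahead of the template include, but on an already-provisioned host the template include exists and the new line is appended after it; the `->` only orders Puppet's evaluation. If BIRD requires the roa table to be declared before the filter that calls `roa_check(icvpn_roa)`, as I believe it does, bird6 will refuse the new configuration and keep running without validation. Use file_line's `after` parameter (or a fully templated bird6.conf) to fix the position, and document the dependency on the resource: `# must precede the icvpn-template6 include: its filter references roa table icvpn_roa`. The enclosing class starts and ends outside this hunk.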
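Review bot: The `icvpn-roa6` file_line notifies `Service['bird']`, while every other resource in this file, including the `icvpn-include-roa6` resource it requires, notifies `Service['bird6']`; a change to the IPv6 ROA table definition therefore reloads the IPv4 daemon and leaves bird6 on stale configuration until some unrelated reload. It should read `notify => Service['bird6'];`. The included statement also lacks the terminating semicolon BIRD's include syntax expects, as far as I recall, and uses a path relative to the included file: `line => 'roa table icvpn_roa { include "/etc/bird/bird6.conf.d/icvpn-roa-table.con?"; }',`. The enclosing class starts outside this hunk.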
--- a/templates/etc/bird/bird.icvpn-template.conf.erb
+++ b/templates/etc/bird/bird.icvpn-template.conf.erb
@@ -1,5 +1,15 @@
 # this is file is generated by puppet
+filter icvpn_import_filter {
+ if is_dn42() then accept;
+ if roa_check(icvpn_roa) = ROA_VALID then {
+ accept;
+ } else {
+ print "ROA check failed for ", net, " ASN ", bgp_path.last;
+ }
+ reject;
+}
+
 # template for icvpn route exchange via bgp
 # we exchange freifunk and dn42 routes with peers
 # chaosvpn should not be exchanged because chaosvpn misses a route to not
@@ -8,6 +18,6 @@ template bgp icvpn {
 table mesh;
 local as <%= @icvpn_as %>;
 source address <%= @icvpn_ipv4_address %>;
- import where is_freifunk() || is_dn42();
- export where ((source = RTS_BGP) || (source = RTS_STATIC)) && (is_freifunk() || is_dn42());
+ import filter icvpn_import_filter;
+ export where ((source = RTS_BGP) || (source = RTS_STATIC)) && (is_freifunk() || is_dn42()) && !is_default() && !is_chaos();
 };
diff --git a/templates/etc/bird/bird6.icvpn-template.conf.erb b/templates/etc/bird/bird6.icvpn-template.conf.erb
index 843886f..8e23aab 100644
--- a/templates/etc/bird/bird6.icvpn-template.conf.erb
+++ b/templates/etc/bird/bird6.icvpn-template.conf.erb
@@ -1,10 +1,20 @@
 # this is file is generated by puppet
+filter icvpn_import_filter {
+ if is_ula() then accept;
+ if roa_check(icvpn_roa) = ROA_VALID then {
+ accept;
+ } else {
+ print "ROA check failed for ", net, " ASN ", bgp_path.last;
+ }
+ reject;
+}
+
 # template for icvpn route exchange via bgp
 template bgp icvpn {
 table mesh;
 local as <%= @icvpn_as %>;
 source address <%= @icvpn_ipv6_address %>;
- import where (is_ula() || is_freifunk());
+ import filter icvpn_import_filter;
 export where ((source = RTS_BGP) || (source = RTS_STATIC_DEVICE)) && (is_ula() || is_freifunk());
 };
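Review bot: The new `icvpn_import_filter` accepts any prefix whose ROA is valid, whereas the replaced `import where is_freifunk() || is_dn42();` also confined imports to the freifunk and dn42 ranges; that range check is gone, so a prefix that ends up in icvpn-meta but lies outside those ranges (by mistake or otherwise) is now imported where it used to be rejected. Keeping both conditions costs nothing and preserves defence in depth: `if is_freifunk() && roa_check(icvpn_roa) = ROA_VALID then {`. The unconditional `if is_dn42() then accept;` needs a comment explaining why dn42 space is exempt from ROA validation, e.g. `# dn42 prefixes are not covered by icvpn-meta ROAs, so they are accepted on range alone` — if that is indeed the reason. The `print` on every rejected update lands in bird's log per peer session and will get noisy during a meta outage; consider whether that is wanted before rolling out.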
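Review bot: `if is_ula() then accept;` runs before the ROA check, and if is_ula() matches fc00::/7 as its name suggests, every freifunk ULA prefix — exactly the space icvpn-meta carries IPv6 ROAs for — is accepted without ever reaching `roa_check(icvpn_roa)`, so the validation is effectively a no-op on the IPv6 side. The IPv4 counterpart only exempts dn42 space; the IPv6 filter should validate ULA rather than exempt it, `if is_ula() && roa_check(icvpn_roa) = ROA_VALID then accept;`, with `is_freifunk()` handled explicitly if GUA freifunk prefixes are expected, as the replaced `import where (is_ula() || is_freifunk());` allowed. If the bypass is deliberate because the meta repo lacks IPv6 ROAs for some communities, say so in a comment, since the filter otherwise reads as though ULA were being validated.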