Draft Policy ARIN-2021-8: Deprecation of the 'Autonomous System Originations' Field [1] has received scant discussion so far [2]. However, I believe that significant issues exist with this proposal and its downstream effects on the greater internet ecosystem and thus object to it. While a conversation regarding the role and future of this dated service is undoubtedly warranted, moving directly to deprecation may be premature. First, let's properly evaluate its role, usage, and future.

The optional Whois 'OriginAS' field exists in a weird place in the routing information landscape. The current policy proposal's problem statement notes that it is now one of several overlapping means for IP resource holders to publish intended route originations. Newer information services, namely RPKI and authenticated IRR, bring some advantages and, accordingly, receive more attention. OriginAS data is challenging to acquire, consume, and employ due to its home in the Whois system, which was not designed for accessible or scalable distribution of routing policy. The proposal cites these hurdles as supporting reasons for discontinuance. Additionally, the field is a legacy ARIN-ism, with no equivalence at the other RIRs. As a result, ARIN carries an extra burden of complexity and technical debt. Unsurprisingly, these points prompted valid questions regarding the future of Whois OriginAS.

Nonetheless, a community of consumers at several internet exchange points and network operators rely on Whois OriginAS data to build filters and perform other tasks. Such usage was not previously mentioned in this forum, and analyzing it is vital to understanding the role the 'Autonomous System Originations' Field currently plays. Moving ahead with its deprecation now may set off a situation similar to the recent ARIN-NONAUTH retirement, but with much less forethought. We need to seek out the users of Whois OriginAS and include their perspectives in a thorough analysis.

Like RPKI and authenticated IRR, OriginAS is used to guard against prefix mis-origination by providing a trustworthy linkage between IP space and associated autonomous systems. Furthermore, Whois OriginAS sidesteps much of the cruft surrounding IRR databases. All IP resources already have one authoritative Whois record and will never have more than one. The jumble of records across numerous disparate stores, as seen in IRR, is avoided. Old, surplus entries, such as the proxy records seen in IRR, cannot accumulate.
It's easy to add or edit Whois OriginAS information, in contrast to the rather intimidating RPKI setup procedure [3]. Like RPKI and the new ARIN IRR, OriginAS data is authenticated and trustworthy. Also, everyone possessing IP resources in the ARIN region, including all legacy IPv4 block holders, can provide OriginAS information in their Whois records. Per recent posts from John Curran [4], legacy issuances without an LRSA comprise just over a third of ARIN IPv4 space. Whois OriginAS is the only way for these entities to securely assert authorized prefix originations, as they cannot publish in RPKI or the new ARIN IRR [5]. If the Autonomous System Originations Field were deprecated, many networks could lose important routing security protections.

Today, Whois OriginAS exists on an isolated informational island. Policy ARIN-2006-3 [6] gives "constructing routing filter lists to counter bogus originations" as its first rationale for maintaining lists of authorized prefix originations, but the present arrangement does not facilitate this. Current ARIN documentation [7] envisages OriginAS data as a tool for LOA validation but makes no mention of possible uses in operational filtering. However, various third parties independently synthesize IRR information from the authenticated prefix-origin pairs provided by OriginAS, in addition to RPKI. Past roadmaps for the new ARIN IRR did mention the possibility of creating mirrored IRR records from RPKI ROAs [8], but Whois OriginAS was not included in that push. Amending NRPM 3.5.2 [9] to specify improved OriginAS publication routes, such as via IRR mirroring, seems to be a plausible avenue to enable easier consumption of OriginAS data.

The intrepid ecosystem of OriginAS data consumers was perhaps born by Job Snijders, who pioneered this usage [10] and made several NOG presentations spreading the word [11]. Job encountered several thousand impacted prefix announcements, which lacked IRR records but were confirmed with OriginAS data. At a prominent IRR aggregator [12], community infrastructure performs conversion to IRR format. Several IXPs utilize this on their route servers [13].

Ultimately, we need additional data and input from ARIN and the community to empower a fact-based review. First, I'd like to know how many ARIN Whois records have OriginAS information, broken down by prefixes and address space. Second, is all of the data in a consistent and normalized machine-readable form? Third, how well does the OriginAS information conform with observed routing reality? Fourth, what experiences or observations do users of ARIN Whois OriginAS have? I am a newcomer to this space and was not here for the birth of OriginAS, so please share anything I've missed. I lack any personal experience using the Autonomous System Originations field, but I know that others who do are yet to speak up regarding this draft policy.

Sincerely,
James Hulce
ARIN 49 Fellow

[1] https://www.arin.net/participate/policy/drafts/2021_8/
[2] https://lists.arin.net/pipermail/arin-ppml/2022-January/069395.html
[3] https://www.arin.net/vault/participate/meetings/reports/ARIN_35/PDF/sunday/newton_rpki.pdf
[4] https://lists.arin.net/pipermail/arin-ppml/2022-April/069547.html
    and https://mailman.nanog.org/pipermail/nanog/2022-April/218945.html
[5] https://www.arin.net/resources/guide/legacy/services/
[6] https://www.arin.net/vault/policy/proposals/2006_3.html
[7] https://www.arin.net/resources/registry/originas/
    and https://www.arin.net/blog/2016/07/07/origin-as-an-easier-way-to-validate-letters-of-authority/
    see also https://mailman.nanog.org/pipermail/nanog/2022-April/218944.html
[8] https://www.arin.net/vault/resources/routing/2018_roadmap.html
    see also https://lists.arin.net/pipermail/arin-consult/2018-April/001084.html
    aside: what is the current status on this? I can't find any recent updates on RPKI mirroring in IRR
[9] https://www.arin.net/participate/policy/nrpm/#3-5-autonomous-system-originations
[10] https://medium.com/@jobsnijders/a-new-source-for-authoritative-routing-data-arin-whois-5ea6e1f774ed
    and https://mailman.nanog.org/pipermail/nanog/2017-December/093525.html
    interestingly, this conflicts with https://mailman.nanog.org/pipermail/nanog/2022-April/218944.html
[11] Examples:
    NANOG: https://pc.nanog.org/static/published/meetings/NANOG72/1634/20180221_Snijders_Using_Arin_Whois_v1.pdf
    RIPE: https://ripe76.ripe.net/presentations/43-RIPE76_IRR101_Job_Snijders.pdf
[12] NTT at https://www.gin.ntt.net/support-center/policies-procedures/routing-registry/#irrd
    note that, like many consumers, they refer to ARIN-sourced Whois OriginAS as "ARIN-WHOIS"
[13] Assorted IXP Examples:
    Seattle-IX: https://www.seattleix.net/route-servers
    YYCIX: https://yycix.ca/communities.html
    QCIX: https://www.qcix.net/rs_description.html
