Hi all,

Basically we support this proposal.
But now, if this policy is implemented and APNIC creates AS0 ROAs,
people who want to hijack the route can identify the unallocated and
unassigned address space easily. (Of course, we understand we can now
check these prefixes.)
We think that careful consideration is necessary for the implementation.

Regards,
Hiroki

---
Hiroki Kawabata
Japan Network Information Center(JPNIC)


Subject: [sig-policy] prop-132 new version email draft (003)
Date: Tue, 03 Sep 2019 11:45:32 +1100
From: Bertrand Cherrier <b.cherr...@micrologic.nc>

Dear SIG members

A new version of the proposal "prop-132: RPKI ROAs for unallocated and
unassigned APNIC address space (was: AS0 for Bogons)" has been sent to
the Policy SIG for review.

Information about earlier versions is available from:

http://www.apnic.net/policy/proposals/prop-132

You are encouraged to express your views on the proposal:

  - Do you support or oppose the proposal?
  - Is there anything in the proposal that is not clear?
  - What changes could be made to this proposal to make it more effective?

Please find the text of the proposal below.

Kind Regards,

Sumon, Bertrand, Ching-Heng
APNIC Policy SIG Chairs

-------------------------------------------------------------------------------------------------

prop-132-v003: RPKI ROAs for unallocated and unassigned APNIC address
space (was: AS0 for Bogons)

-------------------------------------------------------------------------------------------------

Proposer: Aftab Siddiqui
           aftab.siddi...@gmail.com


1. Problem statement
--------------------
Address space managed by APNIC which is either "Unallocated" or
"Unassigned" is considered "Bogon address space". Bogons are defined in
RFC3871: a "Bogon" (plural: "bogons") is a packet with an IP source
address in an address block not yet allocated by IANA or the Regional
Internet Registries (ARIN, RIPE NCC, APNIC, AFRINIC and LACNIC), as well
as all addresses reserved for private or special use by RFCs.

As of now, there are XXX IPv4 and YYY IPv6 routes in the global Internet
routing table which cover address space managed by APNIC, but which is
not allocated or assigned by APNIC. In the past, several attempts have
been made to filter out such bogons through various methods, such as
static filters updated occasionally, but it is hard to keep such filters
up to date. TeamCymru and CAIDA provide a full bogon list in text
format to update such filters. TeamCymru also provides a bogon BGP feed
where they send all the bogons via a BGP session, which can then be
discarded automatically. Despite these attempts, the issue of
unauthorized advertisements of APNIC's address space hasn't been resolved
so far.


2. Objective of policy change
-----------------------------
The purpose of creating RPKI ROAs with Origin AS 0 for APNIC's
unallocated and unassigned address space is to restrict the propagation
of BGP announcements covering such bogon space. When APNIC issues a ROA
with AS 0 for unallocated address space under APNIC's administration,
BGP announcements covering this space will be marked as Invalid by
networks doing RPKI based BGP Origin Validation using APNIC's TAL.

Currently, in the absence of any ROA, these bogons are marked as
NotFound. Since many operators have implemented ROV and are either
planning to discard or already discarding Invalid, all the AS0 ROAs which
APNIC will create for unallocated address space will be discarded as well.

3. Situation in other regions
-----------------------------
No such policy in any region at the moment.


4. Proposed policy solution
---------------------------
APNIC will create AS0 (zero) ROAs for all the unallocated and unassigned
address space (IPv4 and IPv6) for which APNIC is the current
administrator. Any resource holder (APNIC member) can create AS0 (zero)
ROAs for the resources they have under their account/administration.

An RPKI ROA is a positive attestation that a prefix holder has authorised
an AS to originate a route for this prefix, whereas an RPKI ROA for the
same prefixes with AS0 (zero) origin shows negative intent from the
resource holder: they don't want to advertise the prefix(es) at this
point, but they are the rightful custodian.

Only APNIC has the authority to create RPKI ROAs for address space not
yet allocated to the members, and only APNIC can issue AS0 (zero) RPKI
ROAs. Once the RPKI ROA is issued and APNIC wants to allocate the
address space to its member, they can simply revoke the RPKI ROA and
delegate the address space to members. (This proposal doesn't formulate
the operational process.)

5. Advantages / Disadvantages
-----------------------------
Advantages:
Network operators who implement RPKI based Origin Validation and discard
BGP announcements with RPKI state "invalid", will automatically discard
BGP announcements covering unallocated & unassigned APNIC address space.
Ensuring unallocated or unassigned address space is not usable by
unauthorized parties makes more address space available for those who
qualify to receive an allocation or assignment from APNIC.

Disadvantages:
No apparent disadvantage

6. Impact on resource holders
-----------------------------
No impact to APNIC or respective NIR resource holders not implementing
ROV. Those implementing ROV and discarding the invalids will not see any
bogons in their routing table.

APNIC Members failing to pay fees on time as per the membership agreement
may lose the right to use the allocated resources after membership
termination, and those resources may end up in the unallocated and
unassigned address space. It is recommended that APNIC should consider
all possible options before membership termination, and there should be
a cooling-off period before creating AS0 (zero) ROAs for those
resources. [Note: This is an operational matter and not part of the policy]


7. References
-------------------------------------------------------
RFC6483 - https://tools.ietf.org/rfc/rfc6483.txt
RFC6491 - https://tools.ietf.org/rfc/rfc6491.txt
RFC7607 - https://tools.ietf.org/rfc/rfc7607.txt

Cordialement,
___________________________________________
Bertrand Cherrier
Micro Logic Systems
https://www.mls.nc
Tél : +687 24 99 24
VoIP : 65 24 99 24
SAV : +687 36 67 76 (58F/min)
*              sig-policy:  APNIC SIG on resource management policy           *
_______________________________________________
sig-policy mailing list
sig-policy@lists.apnic.net
https://mailman.apnic.net/mailman/listinfo/sig-policy
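As an added example (not part of prop-132, of APNIC's systems, or of any poster's own code), the following Python implements the origin-validation outcome that sections 2 and 4 of the proposal rely on: the RFC 6811 Valid / Invalid / NotFound classification, applied over a constructed ROA set that contains one ordinary ROA and one AS0 ROA standing in for an unallocated block. Every prefix and AS number below is a documentation value chosen for this example, not real APNIC data, and the `ROA` type and `validate` function are this example's own names. It shows the before/after the proposal describes: a route covering the "unallocated" block is NotFound with no ROA present and becomes Invalid once the AS0 ROA exists, for any origin AS, because AS 0 can never be a real origin (RFC 7607).

```python
"""Route Origin Validation (RFC 6811) over a constructed ROA set.

Added example for the prop-132 discussion; not APNIC code. All prefixes,
AS numbers and ROAs here are constructed documentation values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # covered prefix, e.g. "203.0.113.0/24"
    max_length: int  # maxLength: the longest prefix the ROA authorises
    origin_as: int   # 0 means "no AS may originate this" (RFC 6483 section 4)


def validate(announced_prefix: str, origin_as: int, roas) -> str:
    """Return 'valid', 'invalid' or 'notfound' per RFC 6811 section 2."""
    route = ipaddress.ip_network(announced_prefix, strict=False)

    # A ROA "covers" a route when the route equals, or is more specific
    # than, the ROA prefix. Address family must match before comparing.
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)

    # No covering ROA at all: the "bogon today" case in section 2.
    if not covering:
        return "notfound"

    # At least one covering ROA exists, so the route is Valid only if some
    # covering ROA matches both the origin AS and the maxLength constraint.
    # An AS0 ROA can never match: no router originates from AS 0, so every
    # announcement covered only by an AS0 ROA falls through to Invalid.
    for roa in covering:
        if (roa.origin_as == origin_as
                and origin_as != 0
                and route.prefixlen <= roa.max_length):
            return "valid"
    return "invalid"


def accept_route(state: str, drop_invalid: bool = True) -> bool:
    """Policy decision an operator applies on top of the RPKI state.

    Operators that drop Invalid (as section 6 assumes) reject the
    announcement; NotFound and Valid are carried as usual.
    """
    if state == "invalid":
        return not drop_invalid
    return True


# Constructed ROA set before the proposal: only an ordinary ROA for an
# allocated block authorising AS 64496 to originate exactly the /24.
ROAS_BEFORE = [
    ROA("203.0.113.0/24", 24, 64496),
]

# Constructed ROA set after the proposal: the same ordinary ROA plus AS0
# ROAs standing in for an unallocated IPv4 block and an unallocated IPv6
# block under the registry's administration.
ROAS_AFTER = ROAS_BEFORE + [
    ROA("198.51.100.0/24", 24, 0),
    ROA("2001:db8::/32", 48, 0),
]


def evaluate(announcements, roas):
    """Map each (prefix, origin AS) announcement to its RPKI state."""
    return {(p, asn): validate(p, asn, roas) for p, asn in announcements}


if __name__ == "__main__":
    # Constructed sample announcements as seen in a routing table.
    sample = [
        ("203.0.113.0/24", 64496),   # legitimate origin
        ("203.0.113.0/25", 64496),   # right AS but exceeds maxLength
        ("203.0.113.0/24", 64497),   # wrong origin AS
        ("198.51.100.0/24", 64497),  # unallocated block, announced anyway
        ("2001:db8:1::/48", 64497),  # unallocated IPv6 block
        ("192.0.2.0/24", 64497),     # block with no ROA at all
    ]
    for label, roas in (("before AS0 ROAs", ROAS_BEFORE), ("after AS0 ROAs", ROAS_AFTER)):
        print(label)
        for (prefix, asn), state in evaluate(sample, roas).items():
            print(f"  {prefix:18} AS{asn}: {state:8} accepted={accept_route(state)}")
```

The route over the unallocated IPv4 block moves from `notfound` (accepted by every ROV deployment) to `invalid` (rejected by any operator that drops Invalid), which is exactly the mechanism the proposal describes; the legitimate /24 is unaffected by the AS0 entries, since only its own ROA covers it. The /25 case is included to show that an AS0 ROA is not the only path to Invalid: maxLength and origin mismatches produce the same state, so a deployment that already drops Invalid needs no new configuration for AS0 ROAs to take effect.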