Responding to Secretariat questions.

> Clarifications required:
> 1. Since the route management interface in MyAPNIC (Member Portal)
> permits Members to create both route objects and ROAs
> with arbitrary ASNs, should this proposal be extended to include
> restricting of AS-ID in route objects as well?
>

Yes. It should be uniform for both route objects and ROAs. Currently, APNIC restricts the creation of route-objects with "Reserved" ASNs using whois update panel but allows the same using ROA creation panel.

> 2. Does this proposal require the deletion of all existing ROAs
> referencing unallocated, private, and reserved ASNs?
>

ROAs already created should be revoked. Another point raised during yesterday's discussion. Whether there is a need to have a policy or guideline would be enough. I'm fine either way and leave this on community consensus. I will submit an updated version with the same statement in it.

>
> Regards,
> Sunny
>
> On 13/08/2021 9:58 am, Bertrand Cherrier wrote:
> > Dear SIG members,
> >
> > The proposal "prop-138-v001: Restricting AS-ID in ROA" has been
> > sent to the Policy SIG for review.
> >
> > It will be presented at the Open Policy Meeting (OPM) at APNIC 52
> > on Thursday, 16 September 2021.
> >
> > https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fconference.apnic.net%2F52%2Fprogram%2Fschedule%2F%23%2Fday%2F4&data=04%7C01%7C%7Cbafa554ae97d4bc47b7008d95ded0f93%7C127d8d0d7ccf473dab096e44ad752ded%7C0%7C0%7C637644095039717635%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=0g1ckVVVxjWuI8efLzNSHLehu%2Bbu2cD5DwSFzgjsHmY%3D&reserved=0
> >
> > We invite you to review and comment on the proposal on the mailing
> > list before the OPM.
> >
> > The comment period on the mailing list before the OPM is an important
> > part of the Policy Development Process (PDP). We encourage you to
> > express your views on the proposal:
> >
> > - Do you support or oppose this proposal?
> > - Does this proposal solve a problem you are experiencing? If so,
> > tell the community about your situation.
> > - Do you see any disadvantages in this proposal?
> > - Is there anything in the proposal that is not clear?
> > - What changes could be made to this proposal to make it more
> > effective?
> >
> > Information about this proposal is appended below and also available at:
> >
> > https://aus01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.apnic.net%2Fpolicy%2Fproposals%2Fprop-138&data=04%7C01%7C%7Cbafa554ae97d4bc47b7008d95ded0f93%7C127d8d0d7ccf473dab096e44ad752ded%7C0%7C0%7C637644095039717635%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=wbpAlgDbnl7%2FAPD5c2odGyVRKC83KeO%2F4T9BrgF9U%2FE%3D&reserved=0
> >
> > Regards,
> > Bertrand and Ching-Heng
> > APNIC Policy SIG Chairs
> >
> >
> > -------------------------------------------------------
> >
> > prop-138-v001: Restricting AS-ID in ROA
> >
> > -------------------------------------------------------
> >
> > Proposer: Aftab Siddiqui ([email protected])
> >
> >
> > 1. Problem statement
> > --------------------
> > RFC6482 - A Profile for Route Origin Authorisations (ROAs) defines the
> > content of a ROA and one of the fields is called "asID" Autonomous
> > System Identifier. It is defined in the RFC as "The asID field
> > contains the AS number that is authorised to originate routes to the
> > given IP address prefixes."
> >
> > asID is an Integer value and the RFC doesn't restrict the range of
> > numbers which can be placed here but technically only allocated ASNs
> > should only be allowed to be added as "asID" or "Origin AS". APNIC ROA
> > management system allows any number between 0 - 4294967295, which
> > includes many ranges of Private ASNs, Reserved ASNs and unallocated
> > ASNs as well. This may lead to creating ROAs with Origin AS which
> > should not be in the global routing table.
> >
> >
> > 2. Objective of policy change
> > -----------------------------
> > Restrict APNIC members to create ROAs with private, reserved or
> > unallocated ASN.
> >
> >
> > 3. Situation in other regions
> > -----------------------------
> > In process of verifying this information.
> >
> >
> > 4. Proposed policy solution
> > ---------------------------
> > Route Origin Authorisation (ROA) is an RPKI object signed by a prefix
> > holder authorising origination of said prefix from an origin AS
> > specified in said ROA. It verifies whether an AS is authorised to
> > announce a specific IP prefix or not. ROA contains 3 mandatory fields
> >
> > Prefix, Origin AS and Maxlength.
> >
> > Prefix: The prefix you would like to originate from the specified ASN.
> > IPv4 and IPv6 Prefixes listed under "Internet Resources" on My APNIC
> > portal can only be used here.
> >
> > Origin AS: The authorised ASN which can originate the "Prefix". The
> > origin AS can only be from the IANA specified range and MUST not
> > contain an ASN from:
> >
> > - 23456 # AS_TRANS RFC6793
> > - 64496-64511 # Reserved for use in docs and code RFC5398
> > - 64512-65534 # Reserved for Private Use RFC6996
> > - 65535 # Reserved RFC7300
> > - 65536-65551 # Reserved for use in docs and code RFC5398
> > - 65552-131071 # Reserved
> > - 4200000000-4294967294 # Reserved for Private Use RFC6996
> > - 4294967295 # Reserved RFC7300
> >
> > And any IANA unallocated ASN.
> >
> >
> > 5. Advantages / Disadvantages
> > -----------------------------
> > Advantages:
> > This will help APNIC members avoid mistakenly creating unnecessary
> > Bogon ROAs.
> >
> >
> > Disadvantages:
> > Overhead in implementing Origin AS check.
> >
> >
> > 6. Impact on resource holders
> > -----------------------------
> > APNIC has to request members to delete existing Bogon ROAs, as of 5th
> > August 2021 there are around 30+ Bogon ROAs of APNIC delegated resources.
> >
> >
> > 7. References
> > -------------
> > None.
> > * sig-policy: APNIC SIG on resource management
> > policy *
> > _______________________________________________
> > sig-policy mailing list
> > [email protected]
> > https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmailman.apnic.net%2Fmailman%2Flistinfo%2Fsig-policy&data=04%7C01%7C%7Cbafa554ae97d4bc47b7008d95ded0f93%7C127d8d0d7ccf473dab096e44ad752ded%7C0%7C0%7C637644095039717635%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=SzrZsXvMGCFWE6E%2FLzOcrIX%2FvMeA9cTwZN3wqPoXEWs%3D&reserved=0
>
> --
>
> _______________________________________________________________________
>
> Srinivas (Sunny) Chendi
> Senior Advisor - Policy and Community Development
>
> Asia Pacific Network Information Centre (APNIC) | Tel: +61 7 3858 3100
> PO Box 3646 South Brisbane, QLD 4101 Australia | Fax: +61 7 3858 3199
> 6 Cordelia Street, South Brisbane, QLD | http://www.apnic.net
> _______________________________________________________________________
>
> * sig-policy: APNIC SIG on resource management policy
> *
> _______________________________________________
> sig-policy mailing list
> [email protected]
> https://mailman.apnic.net/mailman/listinfo/sig-policy
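
The Origin AS restriction in section 4 of the quoted proposal, together with the audit of already-created ROAs discussed in the reply, as an added example that is not part of the thread and not APNIC's implementation. The function names, the optional allocated-block table and all sample data are assumptions made for illustration.

```python
# Added example (not from the thread): Origin AS check per prop-138 section 4.
MAX_ASN = 4294967295

RESTRICTED = [  # (first, last, reason): the ranges listed in section 4
    (23456, 23456, "AS_TRANS RFC6793"),
    (64496, 64511, "docs and code RFC5398"),
    (64512, 65534, "Private Use RFC6996"),
    (65535, 65535, "Reserved RFC7300"),
    (65536, 65551, "docs and code RFC5398"),
    (65552, 131071, "Reserved"),
    (4200000000, 4294967294, "Private Use RFC6996"),
    (4294967295, 4294967295, "Reserved RFC7300"),
]

def check_origin_as(as_id, allocated=None):
    """Return None if as_id may be used as Origin AS, else the rejection reason.

    allocated: optional list of (first, last) allocated ASN blocks (assumption:
    the caller loads these from the IANA registry; None skips that check).
    """
    if not isinstance(as_id, int) or not 0 <= as_id <= MAX_ASN:
        return "not a 32-bit AS number"
    for first, last, reason in RESTRICTED:
        if first <= as_id <= last:
            return reason
    if allocated is not None and not any(lo <= as_id <= hi for lo, hi in allocated):
        return "IANA unallocated"
    return None

def audit_roas(roas, allocated=None):
    """List (prefix, as_id, reason) for existing ROAs that fail the check."""
    findings = []
    for prefix, as_id, _max_length in roas:
        reason = check_origin_as(as_id, allocated)
        if reason is not None:
            findings.append((prefix, as_id, reason))
    return findings

# Constructed sample data: documentation prefixes, made-up allocation blocks.
SAMPLE_ALLOCATED = [(1, 23455), (23457, 64495), (131072, 140000)]
SAMPLE_ROAS = [  # (Prefix, Origin AS, Maxlength)
    ("192.0.2.0/24", 131072, 24),
    ("198.51.100.0/24", 64512, 24),
    ("203.0.113.0/24", 23456, 24),
    ("2001:db8::/32", 4200000001, 48),
    ("2001:db8:1::/48", 150000, 48),
]
```

Calling audit_roas(SAMPLE_ROAS, SAMPLE_ALLOCATED) returns the four sample ROAs whose Origin AS is private, AS_TRANS or outside the constructed allocation table; the same check_origin_as call can gate route object creation so both interfaces behave uniformly.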
