I support this proposal.
Regards/ Jahangir On Fri, Jan 20, 2023 at 6:25 AM Bertrand Cherrier <[email protected]> wrote: > Dear SIG members, > > The proposal "prop-151: Restricting non hierarchical as-set" has been > sent to > the Policy SIG for review. > > It will be presented at the Open Policy Meeting (OPM) at APNIC 55 on > Wednesday, 1 March 2023. > > https://conference.apnic.net/55/program/schedule/#/day/10 > > We invite you to review and comment on the proposal on the mailing list > before the OPM. > > The comment period on the mailing list before the OPM is an important > part of the Policy Development Process (PDP). We encourage you to > express your views on the proposal: > > - Do you support or oppose this proposal? > - Does this proposal solve a problem you are experiencing? If so, > tell the community about your situation. > - Do you see any disadvantages in this proposal? > - Is there anything in the proposal that is not clear? > - What changes could be made to this proposal to make it more effective? > > Information about this proposal is appended below as well as available at: > > http://www.apnic.net/policy/proposals/prop-151 > > Regards, > Bertrand, Shaila, and Anupam > APNIC Policy SIG Chairs > > > ---------------------------------------------------- > > prop-151-v001: Restricting non hierarchical as-set > > ---------------------------------------------------- > > Proposer: Aftab Siddiqui ([email protected]) > > > 1. Problem statement > -------------------- > An as-set (RFC 2622 Section 5.1) provides a way to document the > relationship between ASes which can then be publicly verified. RFC2622 > further defines 2 categories for as-set which can be Hierarchical or Non > Hierarchical. A hierarchical set name is a sequence of set names and AS > numbers separated by colons ‘:’ e.g. AS4826:AS-VOCUS > > Non hierarchical as-set pose a security issue where any one can create > an as-set without any authentication or authorisation e.g. any member > can create AS-FACEBOOK (if available) without authorisation from > Facebook. Since many peering filters are based on as-set, creating a > blank as-set or as-set with wrong members can cause automated filters to > apply empty prefix-filters to BGP session. > > > 2. Objective of policy change > ----------------------------- > Restrict APNIC members to create non hierarchical as-set and notify all > members who already have non hierarchical as-set that it is recommended > to move them to hierarchical as-set. > > > 3. Situation in other regions > ----------------------------- > - RIPE NCC has recently implemented restriction of non hierarchical as-set > - LACNIC IRR supports only hierarchical as-set > > > 4. Proposed policy solution > --------------------------- > APNIC members are only allowed to create hierarchical as-set. As defined > in the RFC2622 Section 5 "A hierarchical set name is a sequence of set > names and AS numbers separated by colons ":". At least one component of > such a name must be an actual set name (i.e. start with one of the > prefixes above). All the set name components of an hierarchical name > has to be of the same type." > > An as-set object with name AS65536:...... can only be created by the > maintainer of the AS65536. Therefore, this must be the only allowed > structure for hierarchical as-set. > > Any non hierarchical as-set can not be used as a parent to create a > hierarchical as-set e.g. AS-AFTAB (non hierarchical as-set) should not > be allowed to create AS-AFTAB:AS141384 (hierarchical as-set). > > > 5. Advantages / Disadvantages > ----------------------------- > Advantages: > This will protect members from intentional or unintentional creation of > as-set which already exist in other IRR databases creating name collision. > > Disadvantages: > Overhead for APNIC to notify existing non hierarchical as-set > maintainers about the policy update. > > > 6. Impact on resource holders > ----------------------------- > APNIC has to request members to update their non hierarchical as-set as > a new recommended policy. No changes will be enforced to existing non > hierarchical as-set. > > > 7. References > ------------- > - Thanks to Job Snijders, Nick Hilliard and other community members on > for providing in depth details on various platforms. > - RIPE db-wg proposal: > https://www.ripe.net/ripe/mail/archives/db-wg/2022-November/007646.html > - IRRd 4 update: https://github.com/irrdnet/irrd/issues/408 > - > > https://www.manrs.org/2022/12/why-network-operators-should-use-hierarchical-as-sets/ > > > > _______________________________________________ > sig-policy - https://mailman.apnic.net/[email protected]/ > To unsubscribe send an email to [email protected]
_______________________________________________ sig-policy - https://mailman.apnic.net/[email protected]/ To unsubscribe send an email to [email protected]
