--------------------------------------------------------------------
Secretariat Impact Assessment
--------------------------------------------------------------------
APNIC notes this proposal would restrict APNIC account holders from
creating a non-hierarchical as-set in the APNIC Whois Database.
APNIC would be required to notify all Members who already have a
non-hierarchical as-set to recommend they move to a hierarchical
as-set as defined in Section 5 of RFC2622.
APNIC also notes that an as-set object can only be created by the
maintainer of the ASN that is used in the as-set object, and this
must be the only allowed method for creating a hierarchical as-set
in the APNIC Whois Database.
This proposal may require changes to APNIC systems. If this proposal
reaches consensus and is endorsed by the EC, implementation may be
completed within three months.
Regards,
Sunny
--
_______________________________________________________________________
Srinivas (Sunny) Chendi (he/him)
Senior Advisor - Policy and Community Development
Asia Pacific Network Information Centre (APNIC) | Tel: +61 7 3858 3100
PO Box 3646 South Brisbane, QLD 4101 Australia | Fax: +61 7 3858 3199
6 Cordelia Street, South Brisbane, QLD | http://www.apnic.net
_______________________________________________________________________
On 20/01/2023 10:25 am, Bertrand Cherrier wrote:
Dear SIG members,
The proposal "prop-151: Restricting non hierarchical as-set" has been
sent to the Policy SIG for review.
It will be presented at the Open Policy Meeting (OPM) at APNIC 55 on
Wednesday, 1 March 2023.
https://conference.apnic.net/55/program/schedule/#/day/10
We invite you to review and comment on the proposal on the mailing list
before the OPM.
The comment period on the mailing list before the OPM is an important
part of the Policy Development Process (PDP). We encourage you to
express your views on the proposal:
- Do you support or oppose this proposal?
- Does this proposal solve a problem you are experiencing? If so,
tell the community about your situation.
- Do you see any disadvantages in this proposal?
- Is there anything in the proposal that is not clear?
- What changes could be made to this proposal to make it more
effective?
Information about this proposal is appended below as well as available
at:
http://www.apnic.net/policy/proposals/prop-151
Regards,
Bertrand, Shaila, and Anupam
APNIC Policy SIG Chairs
----------------------------------------------------
prop-151-v001: Restricting non hierarchical as-set
----------------------------------------------------
Proposer: Aftab Siddiqui ([email protected])
1. Problem statement
--------------------
An as-set (RFC 2622 Section 5.1) provides a way to document the
relationship between ASes which can then be publicly verified. RFC2622
further defines 2 categories for as-set which can be Hierarchical or
Non Hierarchical. A hierarchical set name is a sequence of set names
and AS numbers separated by colons ‘:’ e.g. AS4826:AS-VOCUS.
Non hierarchical as-sets pose a security issue where anyone can create
an as-set without any authentication or authorisation e.g. any member
can create AS-FACEBOOK (if available) without authorisation from
Facebook. Since many peering filters are based on as-set, creating a
blank as-set or as-set with wrong members can cause automated filters
to apply empty prefix-filters to a BGP session.
2. Objective of policy change
-----------------------------
Restrict APNIC members from creating non hierarchical as-set and notify
all members who already have non hierarchical as-set that it is
recommended to move them to hierarchical as-set.
3. Situation in other regions
-----------------------------
- RIPE NCC has recently implemented restriction of non hierarchical
as-set
- LACNIC IRR supports only hierarchical as-set
4. Proposed policy solution
---------------------------
APNIC members are only allowed to create hierarchical as-set. As
defined in the RFC2622 Section 5 "A hierarchical set name is a
sequence of set names and AS numbers separated by colons ":". At least
one component of such a name must be an actual set name (i.e. start
with one of the prefixes above). All the set name components of an
hierarchical name has to be of the same type."
An as-set object with name AS65536:...... can only be created by the
maintainer of the AS65536. Therefore, this must be the only allowed
structure for hierarchical as-set.
Any non hierarchical as-set can not be used as a parent to create a
hierarchical as-set e.g. AS-AFTAB (non hierarchical as-set) should not
be allowed to create AS-AFTAB:AS141384 (hierarchical as-set).
5. Advantages / Disadvantages
-----------------------------
Advantages:
This will protect members from intentional or unintentional creation
of as-set which already exist in other IRR databases creating name
collision.
Disadvantages:
Overhead for APNIC to notify existing non hierarchical as-set
maintainers about the policy update.
6. Impact on resource holders
-----------------------------
APNIC has to request members to update their non hierarchical as-set
as a new recommended policy. No changes will be enforced to existing
non hierarchical as-set.
7. References
-------------
- Thanks to Job Snijders, Nick Hilliard and other community members on
for providing in depth details on various platforms.
- RIPE db-wg proposal:
https://www.ripe.net/ripe/mail/archives/db-wg/2022-November/007646.html
- IRRd 4 update:
https://github.com/irrdnet/irrd/issues/408
- https://www.manrs.org/2022/12/why-network-operators-should-use-hierarchical-as-sets/
_______________________________________________
sig-policy - https://mailman.apnic.net/[email protected]/
To unsubscribe send an email to [email protected]
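The creation rule from Section 4 of the proposal, written out as a check (an added example, not part of the original messages and not APNIC's or IRRd's code). The maintainer names, the aut-num lookup table and the function name are constructed for illustration; the set-name pattern is a simplified reading of RFC 2622.

```python
import re

# An AS number component, e.g. AS65536.
AS_NUMBER = re.compile(r"^AS[0-9]+$", re.IGNORECASE)
# An as-set name component: starts with "AS-" and ends in a letter or digit
# (simplified reading of the RFC 2622 set-name syntax).
SET_NAME = re.compile(r"^AS-[A-Z0-9_-]*[A-Z0-9]$", re.IGNORECASE)

# Constructed sample data: which maintainer holds each aut-num object.
AUT_NUM_MNTNERS = {
    "AS65536": "MAINT-EXAMPLE-A",
    "AS141384": "MAINT-EXAMPLE-B",
}


def check_as_set_creation(name, requester_mntner, aut_num_mntners=AUT_NUM_MNTNERS):
    """Return (allowed, reason) for a request to create as-set `name`."""
    parts = name.split(":")
    for part in parts:
        if not (AS_NUMBER.match(part) or SET_NAME.match(part)):
            return False, "invalid-component"
    # RFC 2622: at least one component must be an actual set name.
    if not any(SET_NAME.match(p) for p in parts):
        return False, "no-set-name"
    # Proposal: a single-component name such as AS-FACEBOOK is refused.
    if len(parts) == 1:
        return False, "non-hierarchical"
    # Proposal: the name must be rooted at an AS number, so a
    # non-hierarchical as-set (AS-AFTAB) cannot act as the parent.
    root = parts[0].upper()
    if not AS_NUMBER.match(root):
        return False, "parent-is-non-hierarchical-set"
    # Proposal: only the maintainer of the root ASN may create the object.
    owner = aut_num_mntners.get(root)
    if owner is None:
        return False, "unknown-root-asn"
    if owner != requester_mntner:
        return False, "not-maintainer-of-root-asn"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("AS65536:AS-CUSTOMERS", "AS-FACEBOOK", "AS-AFTAB:AS141384"):
        print(candidate, check_as_set_creation(candidate, "MAINT-EXAMPLE-A"))
```
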