--------------------------------------------------------------------
Secretariat Impact Assessment
--------------------------------------------------------------------
A similar proposal was presented at the APNIC 52 OPM and was accepted
as a guideline with the understanding that it will assist APNIC
account holders in not creating ROAs (Routing Origin Authorizations)
with Private, Reserved, and unallocated ASN ranges. This guideline was
published in December 2021.
https://www.apnic.net/about-apnic/corporate-documents/documents/resource-guidelines/route-roa/
APNIC notes this proposal would restrict an account holder's ability
to create ROAs (Routing Origin Authorizations) with private, reserved,
or unallocated ASNs (Autonomous System Numbers) as listed on the IANA
website, except for AS 0 (zero), which may be used to identify
non-routed networks. Only Internet number resources visible in the account
holder's MyAPNIC portal can be used to create ROAs.
https://www.iana.org/assignments/as-numbers/as-numbers.xhtml
APNIC must notify the account holder as to why the ASN used to create the
ROA is unacceptable and must not renew the ROAs and route/route6 objects
currently in the APNIC Whois Database. All these unacceptable objects
must automatically be deleted from the APNIC Whois Database.
APNIC also needs to notify the account holder in case the Origin ASN used
in creating a ROA is unallocated and/or reserved and should be removed,
and the same proposed solution would apply for creating corresponding
route/route6 objects in the APNIC Whois Database.
This proposal may require changes to APNIC systems and procedures. If this
proposal reaches consensus and is endorsed by the EC, implementation may be
completed within three months.
Regards,
Sunny
--
_______________________________________________________________________
Srinivas (Sunny) Chendi (he/him)
Senior Advisor - Policy and Community Development
Asia Pacific Network Information Centre (APNIC) | Tel: +61 7 3858 3100
PO Box 3646 South Brisbane, QLD 4101 Australia | Fax: +61 7 3858 3199
6 Cordelia Street, South Brisbane, QLD | http://www.apnic.net
_______________________________________________________________________
NOTICE: This email message is for the sole use of the intended recipient(s)
and may contain confidential and privileged information. Any unauthorized
review, use, disclosure or distribution is prohibited. If you are not the
intended recipient, please contact the sender by reply email and destroy all
copies of the original message.
On 30/01/2023 10:54 am, Bertrand Cherrier wrote:
Dear SIG members,
A new version of the proposal "prop-150: ROA/whois object with Private,
Reserved and Unallocated (reserved/available) Origin ASN" has been sent to
the Policy SIG for review.
It will be presented at the Open Policy Meeting (OPM) at APNIC 55 on
Wednesday, 1 March 2023.
https://conference.apnic.net/55/program/schedule/#/day/10
We invite you to review and comment on the proposal on the mailing list
before the OPM.
The comment period on the mailing list before the OPM is an important
part of the Policy Development Process (PDP). We encourage you to
express your views on the proposal:
- Do you support or oppose this proposal?
- Does this proposal solve a problem you are experiencing? If so,
tell the community about your situation.
- Do you see any disadvantages in this proposal?
- Is there anything in the proposal that is not clear?
- What changes could be made to this proposal to make it more
effective?
Information about this proposal is appended below as well as available
at:
http://www.apnic.net/policy/proposals/prop-150
Regards,
Bertrand, Shaila, and Anupam
Chairing the best SIG of all: The APNIC Policy SIG
------------------------------------------------------------------------------------------------------
prop-150-v002: ROA/whois object with Private, Reserved and Unallocated
(reserved/available) Origin ASN
------------------------------------------------------------------------------------------------------
Proposer: Aftab Siddiqui ([email protected])
1. Problem statement
--------------------
Prop-138v2 was converted into a guideline with the understanding that
it would help members understand not to create ROAs with Private,
Reserved and unallocated ASN ranges. Unfortunately, there are still
ROAs with the specified ranges.
Additionally, if a member creates a ROA with someone else's ASN as
Origin and if APNIC reclaims that ASN due to any policy reason
(non-payment, account closure etc) then this leaves a security issue
for the member.
2. Objective of policy change
-----------------------------
Restrict APNIC members from creating ROAs with private, reserved or
unallocated ASNs. Also, notify members if the Origin ASN in their ROA
has been unallocated (reserved/available) and do not automatically
renew ROAs with an unallocated (reserved/available) ASN.
3. Situation in other regions
-----------------------------
ROAs containing Private and Reserved ASNs are visible from the APNIC,
LACNIC and RIPE NCC regions.
4. Proposed policy solution
---------------------------
Route Origin Authorisation (ROA) is an RPKI object signed by a prefix
holder authorising origination of said prefix from an origin AS
specified in said ROA. It verifies whether an AS is authorised to
announce a specific IP prefix or not. A ROA contains three mandatory
fields: Prefix, Origin AS and Maxlength.
Prefix: The prefix you would like to originate from the specified ASN.
Only IPv4 and IPv6 prefixes listed under "Internet Resources" on the My APNIC
portal can be used here.
Origin AS: The authorised ASN which can originate the "Prefix". The
origin AS can only be from the IANA specified range and MUST not
contain an ASN from:
- 23456 # AS_TRANS RFC6793
- 64496-64511 # Reserved for use in docs and code RFC5398
- 64512-65534 # Reserved for Private Use RFC6996
- 65535 # Reserved RFC7300
- 65536-65551 # Reserved for use in docs and code RFC5398
- 65552-131071 # Reserved
- 4200000000-4294967294 # Reserved for Private Use RFC6996
- 4294967295 # Reserved RFC7300
And any IANA unallocated ASN. The Route Management system should inform
the member why these Origin ASNs are not acceptable. AS0 (zero) is
also a Reserved ASN (RFC7607) but will be exempted from this
restriction, as AS0 is reserved by the IANA such that it may be used to
identify non-routed networks (RFC6483 Sec 4).
- Same policy should be applied to corresponding route/route6 whois
objects.
- ROAs and route/route6 objects already in the database with Private,
Reserved and unallocated ASN MUST NOT be renewed (after expiry) and
deleted respectively after notifying the prefix holder.
Part B - Notify in case the Origin ASN has been marked as unallocated
(reserved/available)
When a member creates a ROA with an Origin ASN other than their own, there
is a possibility that the Origin ASN will be unallocated by APNIC due to
closure of an account or any other reason deemed appropriate. In this
scenario the prefix holder should receive a notification (via email, if
email notifications are enabled, or via the MyAPNIC portal) suggesting
that the ROA doesn't contain a valid Origin ASN and should be removed.
This ROA should not be automatically renewed either.
This should also apply to route/route6 objects.
5. Advantages / Disadvantages
-----------------------------
Advantages:
This will help APNIC members avoid mistakenly creating unnecessary
ROAs with Private, Reserved and unallocated resources and, in the case of
ROAs created with an unallocated (reserved/available) ASN, this will
avoid a security issue.
Disadvantages:
Overhead for APNIC to develop Origin AS check.
6. Impact on resource holders
-----------------------------
APNIC has to request members to delete existing ROAs and route/route6
objects with Private, Reserved and unallocated origin AS.
7. References
-------------
None.
_______________________________________________
sig-policy - https://mailman.apnic.net/[email protected]/
To unsubscribe send an email to [email protected]
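The Origin AS check that section 4 of prop-150 asks the Route Management system to perform, together with the Part B "reclaimed ASN" notification and the requirement that the ROA prefix come from the holder's own resources, written out as an added example. This is illustration code, not APNIC's Route Management software. The reserved ranges are the ones enumerated in the proposal; ALLOCATED_BLOCKS is a constructed stand-in for the IANA as-numbers registry (with deliberate gaps), SAMPLE_RECLAIMED is a hypothetical record of ASNs APNIC has reclaimed, and the holder prefixes and sample ROAs are constructed from documentation address space. One point the proposal implies but does not spell out: an ASN reclaimed by APNIC is still "allocated" in the IANA registry (IANA allocates blocks to RIRs), so the Part B case needs the registry's own reclaim record, not the IANA table, which is why the check keeps them separate.

```python
"""Origin-AS admissibility check for ROA and route/route6 objects.

Added illustration, not APNIC's Route Management code. The reserved ranges
are the ones listed in prop-150 section 4; ALLOCATED_BLOCKS and the sample
ROAs are constructed test data, not the live IANA or MyAPNIC state.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX_ASN = 2**32 - 1  # 4-byte AS number space (RFC 6793)

# Origin ASNs ruled out by prop-150 section 4, as (low, high, reason).
RESERVED_RANGES = (
    (23456, 23456, "AS_TRANS (RFC 6793)"),
    (64496, 64511, "reserved for documentation and sample code (RFC 5398)"),
    (64512, 65534, "reserved for Private Use (RFC 6996)"),
    (65535, 65535, "reserved (RFC 7300)"),
    (65536, 65551, "reserved for documentation and sample code (RFC 5398)"),
    (65552, 131071, "reserved by IANA"),
    (4200000000, 4294967294, "reserved for Private Use (RFC 6996)"),
    (4294967295, 4294967295, "reserved (RFC 7300)"),
)

# Constructed stand-in for the IANA "allocated" blocks (real code would load
# the as-numbers registry). Gaps are deliberate so unallocated ASNs can be
# exercised; 23456 is left out because it is reserved anyway.
ALLOCATED_BLOCKS = ((1, 23455), (23457, 64495), (131072, 141000))


@dataclass(frozen=True)
class Verdict:
    asn: Optional[int]  # None when the ROA was rejected before its ASN was examined
    accepted: bool
    reason: str         # the message the account holder would be shown


def parse_asn(text):
    """Parse asplain ('AS64500', '64500') or asdot ('1.10') notation (RFC 5396)."""
    s = text.strip().upper()
    if s.startswith("AS"):
        s = s[2:]
    if "." in s:
        high, low = (int(part) for part in s.split(".", 1))
        if not (0 <= high <= 65535 and 0 <= low <= 65535):
            raise ValueError(f"bad asdot value: {text!r}")
        return high * 65536 + low
    return int(s)


def check_origin_asn(asn, allocated=ALLOCATED_BLOCKS, reclaimed=frozenset()):
    """Classify an origin ASN as the proposal asks Route Management to.

    Order matters: AS0 is exempted before the reserved scan, and a reclaimed
    ASN (Part B) is reported before the allocation lookup so the holder sees
    "remove this ROA" rather than a generic "unallocated".
    """
    if not 0 <= asn <= MAX_ASN:
        return Verdict(asn, False, f"{asn} is outside the 32-bit ASN space")
    if asn == 0:
        return Verdict(asn, True, "AS0 marks the prefix as not to be routed (RFC 6483 s.4, RFC 7607)")
    for low, high, why in RESERVED_RANGES:
        if low <= asn <= high:
            return Verdict(asn, False, f"AS{asn} is {why} and cannot be a ROA origin")
    if asn in reclaimed:
        return Verdict(asn, False, f"AS{asn} has been reclaimed by APNIC; remove this ROA, it will not be renewed")
    if not any(low <= asn <= high for low, high in allocated):
        return Verdict(asn, False, f"AS{asn} is not allocated by IANA")
    return Verdict(asn, True, f"AS{asn} is an allocated public ASN")


def audit_roas(roas, holder_prefixes, **asn_kwargs):
    """One Verdict per (prefix, origin, maxlength); the prefix must lie in the holder's resources."""
    holder = [ipaddress.ip_network(p) for p in holder_prefixes]
    verdicts = []
    for prefix, origin, maxlen in roas:
        net = ipaddress.ip_network(prefix)
        if not any(net.version == h.version and net.subnet_of(h) for h in holder):
            verdicts.append(Verdict(None, False, f"{prefix} is not among the holder's Internet Resources"))
        elif not net.prefixlen <= maxlen <= net.max_prefixlen:
            verdicts.append(Verdict(None, False, f"maxLength {maxlen} is invalid for {prefix}"))
        else:
            verdicts.append(check_origin_asn(parse_asn(origin), **asn_kwargs))
    return verdicts


# Constructed sample data: documentation prefixes (RFC 5737 / RFC 3849) and a
# mix of origins covering every branch above. AS131999 plays a reclaimed ASN.
SAMPLE_HOLDER = ("203.0.113.0/24", "2001:db8::/32")
SAMPLE_RECLAIMED = frozenset({131999})
SAMPLE_ROAS = (
    ("203.0.113.0/24", "AS131073", 24),   # allocated in the constructed table
    ("203.0.113.0/24", "AS0", 24),        # AS0: exempt, accepted
    ("203.0.113.0/24", "AS64512", 24),    # private use
    ("2001:db8::/32", "AS23456", 48),     # AS_TRANS
    ("2001:db8::/32", "1.10", 48),        # asdot for AS65546, documentation range
    ("203.0.113.0/24", "AS141500", 24),   # unallocated in the constructed table
    ("203.0.113.0/24", "AS131999", 24),   # reclaimed: Part B notification
    ("198.51.100.0/24", "AS131073", 24),  # prefix not held by this account
)

if __name__ == "__main__":
    for v in audit_roas(SAMPLE_ROAS, SAMPLE_HOLDER, reclaimed=SAMPLE_RECLAIMED):
        print("ACCEPT" if v.accepted else "REJECT", v.reason)
```

Running the block prints one ACCEPT/REJECT line per sample ROA with the reason the holder would be notified with. The asdot parser is there because a check that only understands asplain would wrongly reject or, worse, mis-parse a 4-byte origin written as "1.10"; the same predicate applies unchanged to the origin attribute of route/route6 objects.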