[sig-policy] prop-132 new version email draft (003)

  • To: "Policy SIG" <sig-policy@apnic.net>
  • Subject: [sig-policy] prop-132 new version email draft (003)
  • From: "Bertrand Cherrier" <b.cherrier@micrologic.nc>
  • Date: Tue, 03 Sep 2019 11:45:32 +1100

      Dear SIG members

      A new version of the proposal "prop-132: RPKI ROAs for unallocated and
      unassigned APNIC address space (was: AS0 for Bogons)" has been sent to
      the Policy SIG for review.

      Information about earlier versions is available from:

      http://www.apnic.net/policy/proposals/prop-132

      You are encouraged to express your views on the proposal:

      • Do you support or oppose the proposal?
      • Is there anything in the proposal that is not clear?
      • What changes could be made to this proposal to make it more effective?

      Please find the text of the proposal below.

      Kind Regards,

      Sumon, Bertrand, Ching-Heng
      APNIC Policy SIG Chairs


      prop-132-v003: RPKI ROAs for unallocated and unassigned APNIC address
      space (was: AS0 for Bogons)


      Proposer: Aftab Siddiqui
      aftab.siddiqui@gmail.com

      1. Problem statement

      Address space managed by APNIC which is either "Unallocated" or
      "Unassigned" is considered "Bogon address space". Bogons are defined in
      RFC3871: A "Bogon" (plural: "bogons") is a packet with an IP source
      address in an address block not yet allocated by IANA or the Regional
      Internet Registries (ARIN, RIPE NCC, APNIC, AFRINIC and LACNIC) as well
      as all addresses reserved for private or special use by RFCs.

      As of now, there are XXX IPv4 and YYY IPv6 routes in the global Internet
      routing table which cover address space managed by APNIC, but which is
      not allocated or assigned by APNIC. In the past, several attempts have
      been made to filter out such bogons through various methods such as
      static filters and updating them occasionally, but it is hard to keep
      such filters up to date. TeamCymru and CAIDA provide a full bogon list in
      text format to update such filters. TeamCymru also provides a bogon BGP
      feed where they send all the bogons via a BGP session, which then can be
      discarded automatically. Despite these attempts, the issue of
      unauthorized advertisements of APNIC's address space hasn't been resolved
      so far.

      2. Objective of policy change

      The purpose of creating RPKI ROAs with Origin AS 0 for APNIC's
      unallocated and unassigned address space is to restrict the propagation
      of BGP announcements covering such bogon space. When APNIC issues a ROA
      with AS 0 for unallocated address space under APNIC's administration,
      BGP announcements covering this space will be marked as Invalid by
      networks doing RPKI based BGP Origin Validation using APNIC's TAL.

      Currently, in the absence of any ROA, these bogons are marked as
      NotFound. Since many operators have implemented ROV and are either
      planning to or already discarding Invalid, all the AS0 ROAs which APNIC
      will create for unallocated address space will be discarded as well.

      3. Situation in other regions

      No such policy in any region at the moment.

      4. Proposed policy solution

      APNIC will create AS0 (zero) ROAs for all the unallocated and unassigned
      address space (IPv4 and IPv6) for which APNIC is the current
      administrator. Any resource holder (APNIC member) can create AS0 (zero)
      ROAs for the resources they have under their account/administration.

      An RPKI ROA is a positive attestation that a prefix holder has authorised
      an AS to originate a route for this prefix, whereas an RPKI ROA for the
      same prefixes with AS0 (zero) origin shows negative intent from the
      resource holder that they don't want to advertise the prefix(es) at this
      point but they are the rightful custodian.

      Only APNIC has the authority to create RPKI ROAs for address space not
      yet allocated to the members and only APNIC can issue AS0 (zero) RPKI
      ROAs. Once the RPKI ROA is issued and APNIC wants to allocate the
      address space to its member, they can simply revoke the RPKI ROA and
      delegate the address space to members. (This proposal doesn't formulate
      an operational process.)

      5. Advantages / Disadvantages

      Advantages:
      Network operators who implement RPKI based Origin Validation and discard
      BGP announcements with RPKI state "invalid", will automatically discard
      BGP announcements covering unallocated & unassigned APNIC address space.
      Ensuring unallocated or unassigned address space is not usable by
      unauthorized parties makes more address space available for those who
      qualify to receive an allocation or assignment from APNIC.

      Disadvantages:
      No apparent disadvantage

      6. Impact on resource holders

      No impact to APNIC or respective NIR resource holders not implementing
      ROV. Those implementing ROV and discarding the invalids will not see any
      bogons in their routing table.

      An APNIC member failing to pay fees on time as per the membership
      agreement may lose the right to use the allocated resources after
      membership termination, and those resources may end up in the unallocated
      and unassigned address space. It is recommended that APNIC should
      consider all possible options before membership termination, and before
      creating AS0 (zero) ROAs for those resources there should be a
      cooling-off period. [Note: This is an operational matter and not part of
      the policy]

      7. References

      RFC6483 - https://tools.ietf.org/rfc/rfc6483.txt
      RFC6491 - https://tools.ietf.org/rfc/rfc6491.txt
      RFC7607 - https://tools.ietf.org/rfc/rfc7607.txt

      Regards,


      Bertrand Cherrier
      Micro Logic Systems
      https://www.mls.nc
      Tel: +687 24 99 24
      VoIP: 65 24 99 24
      After-sales service: +687 36 67 76 (58F/min)
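The origin-validation outcome that sections 2 and 4 of the proposal rely on (a bogon announcement moving from NotFound to Invalid once an AS0 ROA covers it, while a member's own ROA still validates), as an added example that is not part of the email or the proposal. It implements the RFC 6811 validation rules in Python; the prefixes, ASNs and ROAs are constructed sample data, not APNIC's real registry data.

```python
"""RPKI Route Origin Validation (RFC 6811) over a constructed ROA set.

Shows why an AS0 ROA for unallocated space turns a bogon announcement from
NotFound into Invalid, while a member's own ROA still validates. All prefixes,
ASNs and ROAs below are constructed sample data, not APNIC's real data.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Roa:
    prefix: str       # e.g. "203.0.113.0/24"
    max_length: int   # longest announced prefix length the ROA authorises
    asn: int          # origin AS; 0 means "nobody may originate this"


def covers(roa, route):
    """A ROA covers a route when the route lies inside the ROA prefix."""
    r, p = ip_network(roa.prefix), ip_network(route)
    return r.version == p.version and p.subnet_of(r)


def validate(route, origin_as, roas):
    """Return 'NotFound', 'Valid' or 'Invalid' for (route, origin AS)."""
    covering = [r for r in roas if covers(r, route)]
    if not covering:
        return "NotFound"
    plen = ip_network(route).prefixlen
    for roa in covering:
        # AS 0 can never be a real origin (RFC 7607), so an AS0 ROA can only
        # add Invalid coverage; it never makes an announcement Valid.
        if roa.asn != 0 and roa.asn == origin_as and plen <= roa.max_length:
            return "Valid"
    return "Invalid"


# Constructed sample: 198.51.100.0/24 plays "unallocated" space; 203.0.113.0/24
# is held by a member who authorised AS 64496 (documentation ASN) to originate.
MEMBER_ROAS = [Roa("203.0.113.0/24", 24, 64496)]
AS0_ROA = Roa("198.51.100.0/24", 24, 0)    # what the proposal has APNIC issue
BOGON = ("198.51.100.0/24", 64511)          # announcement of unallocated space


def before_and_after():
    """Bogon state without and with the AS0 ROA; member route unaffected."""
    without = validate(*BOGON, MEMBER_ROAS)
    with_as0 = validate(*BOGON, MEMBER_ROAS + [AS0_ROA])
    member = validate("203.0.113.0/24", 64496, MEMBER_ROAS + [AS0_ROA])
    return without, with_as0, member


if __name__ == "__main__":
    print(before_and_after())   # ('NotFound', 'Invalid', 'Valid')
```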