Thanks for the clarifications, Aftab.

Regards,
Sunny

On 2/09/2021 2:57 pm, Aftab Siddiqui wrote:
Responding to Secretariat questions.

    Clarifications required:
    1. Since the route management interface in MyAPNIC (Member Portal)
    permits Members to create both route objects and ROAs
    with arbitrary ASNs, should this proposal be extended to include
    restricting of AS-ID in route objects as well?


Yes. It should be uniform for both route objects and ROAs. Currently, APNIC restricts the creation of route-objects with "Reserved" ASNs using the whois update panel but allows the same using the ROA creation panel.

    2. Does this proposal require the deletion of all existing ROAs
    referencing unallocated, private, and reserved ASNs?


ROAs already created should be revoked.

Another point was raised during yesterday's discussion: whether there is a need to have a policy, or whether a guideline would be enough. I'm fine either way and leave this to community consensus.

I will submit an updated version with the same statement in it.


    Regards,
    Sunny

    On 13/08/2021 9:58 am, Bertrand Cherrier wrote:
    > Dear SIG members,
    >
    > The proposal "prop-138-v001: Restricting AS-ID in ROA" has been
    > sent to the Policy SIG for review.
    >
    > It will be presented at the Open Policy Meeting (OPM) at APNIC 52
    > on Thursday, 16 September 2021.
    >
    >
    > https://conference.apnic.net/52/program/schedule/#/day/4
    >
    >
    > We invite you to review and comment on the proposal on the mailing
    > list before the OPM.
    >
    > The comment period on the mailing list before the OPM is an important
    > part of the Policy Development Process (PDP). We encourage you to
    > express your views on the proposal:
    >
    >   - Do you support or oppose this proposal?
    >   - Does this proposal solve a problem you are experiencing? If so,
    >     tell the community about your situation.
    >   - Do you see any disadvantages in this proposal?
    >   - Is there anything in the proposal that is not clear?
    >   - What changes could be made to this proposal to make it more
    > effective?
    >
    > Information about this proposal is appended below and also available at:
    >
    > http://www.apnic.net/policy/proposals/prop-138
    >
    >
    > Regards,
    > Bertrand and Ching-Heng
    > APNIC Policy SIG Chairs
    >
    >
    > -------------------------------------------------------
    >
    > prop-138-v001: Restricting AS-ID in ROA
    >
    > -------------------------------------------------------
    >
    > Proposer: Aftab Siddiqui (aftab.siddi...@gmail.com)
    >
    >
    > 1. Problem statement
    > --------------------
    > RFC6482 - A Profile for Route Origin Authorisations (ROAs) defines the
    > content of a ROA and one of the fields is called "asID" Autonomous
    > System Identifier. It is defined in the RFC as "The asID field
    > contains the AS number that is authorised to originate routes to the
    > given IP address prefixes."
    >
    > asID is an Integer value and the RFC doesn't restrict the range of
    > numbers which can be placed here but technically only allocated ASNs
    > should be allowed to be added as "asID" or "Origin AS". APNIC ROA
    > management system allows any number between 0 - 4294967295, which
    > includes many ranges of Private ASNs, Reserved ASNs and unallocated
    > ASNs as well. This may lead to creating ROAs with Origin AS which
    > should not be in the global routing table.
    >
    >
    > 2. Objective of policy change
    > -----------------------------
    > Restrict APNIC members from creating ROAs with private, reserved or
    > unallocated ASNs.
    >
    >
    > 3. Situation in other regions
    > -----------------------------
    > In process of verifying this information.
    >
    >
    > 4. Proposed policy solution
    > ---------------------------
    > Route Origin Authorisation (ROA) is an RPKI object signed by a prefix
    > holder authorising origination of said prefix from an origin AS
    > specified in said ROA. It verifies whether an AS is authorised to
    > announce a specific IP prefix or not. ROA contains 3 mandatory fields:
    > Prefix, Origin AS and Maxlength.
    >
    > Prefix: The prefix you would like to originate from the specified ASN.
    > IPv4 and IPv6 Prefixes listed under "Internet Resources" on My APNIC
    > portal can only be used here.
    >
    > Origin AS: The authorised ASN which can originate the "Prefix". The
    > origin AS can only be from the IANA specified range and MUST not
    > contain an ASN from:
    >
    > - 23456        # AS_TRANS RFC6793
    > - 64496-64511    # Reserved for use in docs and code RFC5398
    > - 64512-65534    # Reserved for Private Use RFC6996
    > - 65535        # Reserved RFC7300
    > - 65536-65551    # Reserved for use in docs and code RFC5398
    > - 65552-131071    # Reserved
    > - 4200000000-4294967294    # Reserved for Private Use RFC6996
    > - 4294967295    # Reserved RFC7300
    >
    > And any IANA unallocated ASN.
    >
    >
    > 5. Advantages / Disadvantages
    > -----------------------------
    > Advantages:
    > This will help APNIC members avoid mistakenly creating unnecessary
    > Bogon ROAs.
    >
    >
    > Disadvantages:
    > Overhead in implementing Origin AS check.
    >
    >
    > 6. Impact on resource holders
    > -----------------------------
    > APNIC has to request members to delete existing Bogon ROAs, as of 5th
    > August 2021 there are around 30+ Bogon ROAs of APNIC delegated resources.
    >
    >
    > 7. References
    > -------------
    > None.
    > *              sig-policy:  APNIC SIG on resource management policy           *
    > _______________________________________________
    > sig-policy mailing list
    > sig-policy@lists.apnic.net
    > https://mailman.apnic.net/mailman/listinfo/sig-policy

--
    _______________________________________________________________________

    Srinivas (Sunny) Chendi
    Senior Advisor - Policy and Community Development

    Asia Pacific Network Information Centre (APNIC) |  Tel: +61 7 3858 3100
    PO Box 3646 South Brisbane, QLD 4101 Australia  |  Fax: +61 7 3858 3199
    6 Cordelia Street, South Brisbane, QLD          |  http://www.apnic.net
    _______________________________________________________________________



*              sig-policy:  APNIC SIG on resource management policy           *
_______________________________________________
sig-policy mailing list
sig-policy@lists.apnic.net
https://mailman.apnic.net/mailman/listinfo/sig-policy
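
The Origin AS check described in section 4 of the quoted proposal, as an added Python example (not part of the thread and not APNIC's implementation). The function names, the sample ROA requests and the allocation list are constructed for illustration, and letting AS0 through is an assumption, since the proposal's list does not mention it.

```python
# Restricted ranges (first, last, reason) copied from section 4 of prop-138-v001.
RESTRICTED_RANGES = [
    (23456, 23456, "AS_TRANS RFC6793"),
    (64496, 64511, "Reserved for use in docs and code RFC5398"),
    (64512, 65534, "Reserved for Private Use RFC6996"),
    (65535, 65535, "Reserved RFC7300"),
    (65536, 65551, "Reserved for use in docs and code RFC5398"),
    (65552, 131071, "Reserved"),
    (4200000000, 4294967294, "Reserved for Private Use RFC6996"),
    (4294967295, 4294967295, "Reserved RFC7300"),
]

# Constructed sample data: neither the real IANA registry nor real ROAs.
SAMPLE_ALLOCATED = [(1, 23455), (23457, 64495), (131072, 141625)]
SAMPLE_ROAS = [  # (prefix, max_length, origin_as)
    ("192.0.2.0/24", 24, 131072),
    ("198.51.100.0/24", 24, 64512),
    ("203.0.113.0/24", 24, 23456),
    ("2001:db8::/32", 48, 4200000001),
    ("2001:db8:1::/48", 48, 150000),
    ("192.0.2.0/24", 24, 0),
]

def check_origin_as(asn, allocated=None):
    """Return (ok, reason). `allocated` is an optional list of (first, last)."""
    if isinstance(asn, bool) or not isinstance(asn, int):
        return False, "asID must be an integer"
    if not 0 <= asn <= 4294967295:
        return False, "outside the 0 - 4294967295 range"
    if asn == 0:
        # Assumption: AS0 is not in the proposal's list; RFC 6483 uses it for
        # "do not route" ROAs, so this example lets it through.
        return True, "AS0"
    for first, last, reason in RESTRICTED_RANGES:
        if first <= asn <= last:
            return False, reason
    # The "any IANA unallocated ASN" rule needs registry data to evaluate.
    if allocated is not None and not any(a <= asn <= b for a, b in allocated):
        return False, "unallocated ASN"
    return True, "ok"

def audit_roas(roas, allocated=None):
    """Return (prefix, origin_as, reason) for every ROA that fails the check."""
    results = ((p, asn, check_origin_as(asn, allocated)) for p, _ml, asn in roas)
    return [(p, asn, why) for p, asn, (ok, why) in results if not ok]
```

The same function serves both uses raised in the thread: `check_origin_as` as a gate when a ROA or route object is created, and `audit_roas` to list already-created ROAs that would need to be revoked.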
