Guidelines for managing Routes and Route Origin Authorization (ROA)
Table of contents
- Introduction
- Resource Public Key Infrastructure (RPKI)
- Route Origin Authorization (ROA)
- Route and Route6 Objects
- Managing ROA, Route and Route6 Objects
- Restrictions on use of unauthorized ASN
- References
1. Introduction
These guidelines complement the policy document [APNIC-127] APNIC Internet Number Resource Policies, and are intended to guide LIRs to manage ROAs and route objects in the APNIC Whois Database.
These guidelines were put in place as a result of policy proposal prop-138, Restricting AS-ID in ROA, which reached consensus at the APNIC 52 OPM and was adopted as a guideline.
These guidelines will be updated from time to time, in consultation with the Asia Pacific and global Internet communities, to ensure they remain appropriate to the current addressing environment.
2. Resource Public Key Infrastructure (RPKI)
Resource Public Key Infrastructure (RPKI) is a public key infrastructure framework designed to secure the Internet’s routing infrastructure, specifically the Border Gateway Protocol. RPKI provides a way to connect Internet number resource information (such as IP Addresses) to a trust anchor. Using RPKI, legitimate holders of number resources are able to control the operation of Internet routing protocols to prevent route hijacking and other attacks.
More information is available here:
https://www.apnic.net/community/security/resource-certification/
3. Route Origin Authorization (ROA)
A ROA or Route Origin Authorization is an attestation of a BGP route announcement. It attests that the origin AS number is authorized to announce the prefix(es). The attestation can be verified cryptographically using RPKI.
More information is available here:
https://www.apnic.net/community/security/resource-certification/#routing
4. Route and Route6 Objects
Route – represents a single IPv4 route injected into the Internet routing mesh.
Route6 – represents a single IPv6 route injected into the Internet routing mesh.
More information is here:
https://www.apnic.net/manage-ip/using-whois/guide/
5. Managing ROA, Route and Route6 Objects
APNIC resource holders can create and manage their resource certificates and associated objects (for example, ROAs and Route/Route6) via MyAPNIC.
More information is here:
https://help.apnic.net/s/article/roa-objects
6. Restrictions on use of unauthorized ASN
A Route Origin Authorization (ROA) is an attestation of a BGP route announcement. It attests that the origin AS number is authorized to announce the prefix(es). The attestation can be verified cryptographically using RPKI.
The prefix (IPv4 and/or IPv6) that you want to authorize the specified ASN to originate must be listed under “Internet Resources” in your MyAPNIC account.
The ASN authorized to announce the prefix(es) SHOULD NOT be an available (unallocated), reserved, or special-purpose AS Number (except AS0), as listed on the IANA website and in APNIC's latest delegated-extended resource file.
ROAs and route/route6 objects created in the Whois database with such available (unallocated), reserved, or special-purpose AS Numbers (except AS0) will result in APNIC contacting the prefix holder to confirm whether the ROAs and route/route6 objects are registered correctly.
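The rule above can be applied before a ROA or route/route6 object is submitted. The following Python pre-flight is an added example, not APNIC's own tooling: it parses an excerpt in the delegated-extended file format, looks the origin ASN up in an embedded snapshot of the IANA special-purpose registry, exempts AS0 as the guideline does, and also checks that the prefix sits under the account's "Internet Resources" and (an extra check beyond this page, from ROA semantics) that maxLength is not shorter than the prefix. The delegated-extended excerpt, the holder prefix list and the route objects are constructed for the demo; a real check must read the current delegated-apnic-extended file and the live IANA list linked in the references.

```python
"""Pre-flight check for ROA origin ASNs and route/route6 objects (section 6).

Added example, not APNIC tooling. The delegated-extended excerpt, holder
prefixes and route object below are constructed; SPECIAL_PURPOSE_ASN is a
snapshot of the IANA registry and must be refreshed from the live list.
"""
import ipaddress
from dataclasses import dataclass

# IANA special-purpose AS numbers (start, end, note); AS0 is exempt, so omitted.
SPECIAL_PURPOSE_ASN = [
    (112, 112, "AS112 project (RFC 7534)"),
    (23456, 23456, "AS_TRANS (RFC 6793)"),
    (64496, 64511, "documentation (RFC 5398)"),
    (64512, 65534, "private use (RFC 6996)"),
    (65535, 65535, "reserved (RFC 7300)"),
    (65536, 65551, "documentation (RFC 5398)"),
    (65552, 131071, "reserved by IANA"),
    (4200000000, 4294967294, "private use (RFC 6996)"),
    (4294967295, 4294967295, "reserved (RFC 7300)"),
]

# Constructed delegated-extended excerpt: registry|cc|type|start|value|date|
# status|opaque-id, where "value" for asn records is the block length.
DELEGATED_EXTENDED = """\
2|apnic|20240101|5|19830101|20240101|+1000
apnic|*|asn|*|5|summary
apnic|AU|asn|4608|1|20010101|allocated|OPAQUE-1
apnic|JP|asn|2500|1|19920101|allocated|OPAQUE-2
apnic|AU|asn|131072|32|20070101|assigned|OPAQUE-3
apnic|*|asn|131104|64|20070101|available|
apnic|*|asn|131168|16|20070101|reserved|
"""

# Constructed: prefixes shown under "Internet Resources" for this account.
HOLDER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("2001:db8::/32")]


@dataclass
class Verdict:
    ok: bool
    reason: str


def parse_asn_blocks(text):
    """Return (start, end, status) for each asn record in a delegated file."""
    blocks = []
    for line in text.splitlines():
        f = line.split("|")
        # Skip comments, the version header and per-type summary lines.
        if line.startswith("#") or f[0].isdigit() or f[-1] == "summary":
            continue
        if len(f) >= 7 and f[2] == "asn":
            start, count = int(f[3]), int(f[4])
            blocks.append((start, start + count - 1, f[6]))
    return blocks


def lookup(asn, table):
    """Third column of the first inclusive (start, end, x) row covering asn."""
    return next((row[2] for row in table if row[0] <= asn <= row[1]), None)


def check_origin_asn(asn, blocks):
    """Apply the section 6 rule to one origin AS number."""
    if asn == 0:
        return Verdict(True, "AS0 is exempt ('do not originate' ROA)")
    note = lookup(asn, SPECIAL_PURPOSE_ASN)
    if note:
        return Verdict(False, f"AS{asn} is special-purpose: {note}")
    status = lookup(asn, blocks)
    if status in ("available", "reserved"):
        return Verdict(False, f"AS{asn} is {status} in the APNIC delegated file")
    if status is None:
        return Verdict(True, f"AS{asn} not in the APNIC file; check its RIR")
    return Verdict(True, f"AS{asn} is {status}")


def check_roa(prefix, max_length, asn, holder_prefixes, blocks):
    """Check a ROA (prefix, maxLength, origin AS) before creating it."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not any(net.version == h.version and net.subnet_of(h)
               for h in holder_prefixes):
        return Verdict(False, f"{prefix} is not under the account's resources")
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        return Verdict(False, f"maxLength {max_length} is invalid for {prefix}")
    return check_origin_asn(asn, blocks)


def check_route_object(rpsl, holder_prefixes, blocks):
    """Same check for a whois route/route6 object given as RPSL text."""
    attrs = {k.strip(): v.strip() for k, v in
             (line.split(":", 1) for line in rpsl.strip().splitlines())}
    prefix = attrs.get("route") or attrs["route6"]
    origin = attrs["origin"].upper()
    asn = int(origin[2:] if origin.startswith("AS") else origin)
    return check_roa(prefix, ipaddress.ip_network(prefix).prefixlen,
                     asn, holder_prefixes, blocks)
```

Usage: `check_roa("2001:db8::/32", 48, 131120, HOLDER_PREFIXES, parse_asn_blocks(DELEGATED_EXTENDED))` fails because AS131120 falls in the constructed "available" block, which is exactly the case that would prompt APNIC to contact the prefix holder; an ASN that is absent from the APNIC file is passed through with a note, since it may be legitimately delegated by another RIR and should be checked against that RIR's file instead.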
7. References
IANA Special-Purpose AS Numbers registry
https://www.iana.org/assignments/iana-as-numbers-special-registry/iana-as-numbers-special-registry.xhtml
IANA AS Numbers registry
https://www.iana.org/assignments/as-numbers/as-numbers.xhtml
APNIC latest delegated resource files
http://ftp.apnic.net/apnic/stats/apnic/
RFC 6482, A Profile for Route Origin Authorizations (ROAs)
https://www.rfc-editor.org/rfc/rfc6482