-------------------------------------------------------------------------------------------------
prop-132-v003: RPKI ROAs for unallocated and unassigned APNIC address space (was: AS0 for Bogons)
-------------------------------------------------------------------------------------------------

Proposer: Aftab Siddiqui
aftab.siddiqui@gmail.com

1. Problem statement
--------------------

Address space managed by APNIC which is either "Unallocated" or "Unassigned" is considered "bogon address space". Bogons are defined in RFC3871:

A "Bogon" (plural: "bogons") is a packet with an IP source address in an address block not yet allocated by IANA or the Regional Internet Registries (ARIN, RIPE NCC, APNIC, AFRINIC and LACNIC) as well as all addresses reserved for private or special use by RFCs.

As of now, there are XXX IPv4 and YYY IPv6 routes in the global Internet routing table which cover address space managed by APNIC, but which is not allocated or assigned by APNIC.

In the past, several attempts have been made to filter out such bogons through various methods, such as static filters that are updated occasionally, but it is hard to keep such filters up to date. Team Cymru and CAIDA provide full bogon lists in text format to update such filters. Team Cymru also provides a bogon BGP feed, sending all the bogons via a BGP session so that they can be discarded automatically. Despite these attempts, the issue of unauthorized advertisements of APNIC's address space hasn't been resolved so far.

2. Objective of policy change
-----------------------------

The purpose of creating RPKI ROAs with Origin AS 0 for APNIC's unallocated and unassigned address space is to restrict the propagation of BGP announcements covering such bogon space. When APNIC issues a ROA with AS 0 for unallocated address space under APNIC's administration, BGP announcements covering this space will be marked as Invalid by networks doing RPKI-based BGP Origin Validation using APNIC's TAL.
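To make the three validation outcomes concrete, the following is an added example (it is not part of the proposal and not APNIC code) that implements the RFC 6811 route origin validation decision in Python and walks through the states this section describes: NotFound while no ROA exists, Invalid once an AS0 ROA covers the space, and Valid after the space is allocated and the member issues its own ROA. The prefixes 203.0.112.0/22 and 203.0.113.0/24 (documentation space) and the ASNs 64496 and 64497 (private range) are constructed stand-ins, not real APNIC allocations.

```python
# Added example, not part of prop-132: RFC 6811 route origin validation,
# showing how an AS0 ROA turns an announcement of unallocated space from
# NotFound into Invalid. All prefixes and ASNs below are constructed.
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: the (prefix, maxLength, origin AS) triple a ROA yields."""
    prefix: str       # e.g. "203.0.113.0/24"
    max_length: int   # longest prefix length this ROA authorises
    origin_as: int    # 0 means "do not route this space" (RFC 6483 section 4)


def covers(vrp: VRP, route_prefix: str) -> bool:
    """A VRP covers a route when the route prefix is equal to, or more specific
    than, the VRP prefix. Coverage ignores maxLength and origin AS."""
    route = ip_network(route_prefix)
    roa = ip_network(vrp.prefix)
    return route.version == roa.version and route.subnet_of(roa)


def matches(vrp: VRP, route_prefix: str, origin_as: int) -> bool:
    """A VRP matches when it covers the route, the route is no longer than
    maxLength, and the origin ASes are equal. AS 0 is never a legitimate BGP
    origin (RFC 7607), so an AS0 VRP matches nothing: it can only cover, and
    therefore only ever contributes an Invalid outcome."""
    if vrp.origin_as == 0:
        return False
    return (covers(vrp, route_prefix)
            and ip_network(route_prefix).prefixlen <= vrp.max_length
            and vrp.origin_as == origin_as)


def validate(route_prefix: str, origin_as: int, vrps) -> str:
    """RFC 6811 outcome: Valid if any VRP matches; Invalid if some VRP covers
    the route but none matches; NotFound if no VRP covers it at all."""
    if any(matches(v, route_prefix, origin_as) for v in vrps):
        return "Valid"
    if any(covers(v, route_prefix) for v in vrps):
        return "Invalid"
    return "NotFound"


def scenario() -> dict:
    """Constructed walk-through. 203.0.112.0/22 stands in for an unallocated
    APNIC block, AS 64496 for an unauthorised originator, AS 64497 for the
    member the block is later allocated to."""
    hijack = ("203.0.113.0/24", 64496)

    # Today: unallocated space has no ROA, so ROV returns NotFound and most
    # operators accept the announcement.
    before = validate(*hijack, [])

    # Under the proposal: APNIC publishes an AS0 ROA for the unallocated
    # block. The same announcement, and any more specific one, is now Invalid
    # and is dropped by operators that discard invalids.
    apnic_as0 = [VRP("203.0.112.0/22", 22, 0)]
    during = validate(*hijack, apnic_as0)
    more_specific = validate("203.0.113.0/25", 64496, apnic_as0)

    # Address family is respected: an IPv6 route is not covered by IPv4 ROAs.
    unrelated_v6 = validate("2001:db8::/32", 64496, apnic_as0)

    # Allocation: APNIC revokes its AS0 ROA and the member creates a ROA for
    # its own AS. The member's route is Valid; the old hijack stays Invalid
    # because the member ROA covers it without matching its origin.
    member_roa = [VRP("203.0.113.0/24", 24, 64497)]
    after = validate("203.0.113.0/24", 64497, member_roa)
    still_hijack = validate(*hijack, member_roa)

    return {"before": before, "during": during, "more_specific": more_specific,
            "unrelated_v6": unrelated_v6, "after": after,
            "still_hijack": still_hijack}


if __name__ == "__main__":
    for step, state in scenario().items():
        print(f"{step:14s} -> {state}")
```

The decision logic is the one routers implement: Valid wins over Invalid, so a member ROA for a more specific prefix is honoured even if an AS0 ROA for the enclosing block still exists (the RFC 6483 section 4 semantics), while any covered route with no matching ROA is Invalid. Running the script prints the state at each step of the scenario.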
Currently, in the absence of any ROA, these bogons are marked as NotFound. Since many operators have implemented ROV and are either planning to discard or already discarding Invalids, all announcements covered by the AS0 ROAs which APNIC will create for unallocated address space will be discarded as well.

3. Situation in other regions
-----------------------------

No such policy in any region at the moment.

4. Proposed policy solution
---------------------------

APNIC will create AS0 (zero) ROAs for all the unallocated and unassigned address space (IPv4 and IPv6) for which APNIC is the current administrator. Any resource holder (APNIC member) can create AS0 (zero) ROAs for the resources they have under their account/administration.

An RPKI ROA is a positive attestation that a prefix holder has authorised an AS to originate a route for this prefix, whereas an RPKI ROA for the same prefixes with AS0 (zero) origin shows negative intent from the resource holder: they don't want to advertise the prefix(es) at this point, but they are the rightful custodian.

Only APNIC has the authority to create RPKI ROAs for address space not yet allocated to the members, and only APNIC can issue AS0 (zero) RPKI ROAs for that space. Once the RPKI ROA is issued and APNIC wants to allocate the address space to a member, APNIC can simply revoke the RPKI ROA and delegate the address space to the member. (This proposal doesn't formulate the operational process.)

5. Advantages / Disadvantages
-----------------------------

Advantages:

Network operators who implement RPKI-based Origin Validation and discard BGP announcements with RPKI state "invalid" will automatically discard BGP announcements covering unallocated & unassigned APNIC address space.

Ensuring unallocated or unassigned address space is not usable by unauthorized parties makes more address space available for those who qualify to receive an allocation or assignment from APNIC.

Disadvantages:

No apparent disadvantage.

6. Impact on resource holders
-----------------------------

No impact on APNIC or respective NIR resource holders not implementing ROV. Those implementing ROV and discarding the invalids will not see any bogons in their routing table.

An APNIC Member failing to pay fees on time as per the membership agreement may lose the right to use the allocated resources after membership termination, and those resources may end up in the unallocated and unassigned address space. It is recommended that APNIC should consider all possible options before membership termination, and that there should be a cooling-off period before creating AS0 (zero) ROAs for those resources. [Note: This is an operational matter and not part of the policy]

7. References
-------------

RFC6483 - https://tools.ietf.org/rfc/rfc6483.txt
RFC6491 - https://tools.ietf.org/rfc/rfc6491.txt
RFC7607 - https://tools.ietf.org/rfc/rfc7607.txt