-------------------------------------------------------
prop-138-v002: Restricting AS-ID in ROA
-------------------------------------------------------

Proposer: Aftab Siddiqui (aftab.siddiqui@gmail.com)

1. Problem statement
--------------------

RFC6482 - A Profile for Route Origin Authorisations (ROAs) defines the content of a ROA; one of its fields is "asID", the Autonomous System Identifier. The RFC defines it as: "The asID field contains the AS number that is authorised to originate routes to the given IP address prefixes."

asID is an integer value, and the RFC does not restrict the range of numbers that can be placed there; technically, however, only allocated ASNs should be accepted as the "asID" or "Origin AS". The APNIC ROA management system allows any number between 0 and 4294967295, which includes many ranges of Private ASNs, Reserved ASNs and unallocated ASNs. This may lead to the creation of ROAs with an Origin AS that should not be in the global routing table.

2. Objective of policy change
-----------------------------

Restrict APNIC members from creating ROAs with private, reserved or unallocated ASNs.

3. Situation in other regions
-----------------------------

ROAs containing Private and Reserved ASNs have been found in the APNIC, LACNIC and RIPE NCC regions.

4. Proposed policy solution
---------------------------

A Route Origin Authorisation (ROA) is an RPKI object, signed by a prefix holder, authorising origination of that prefix from the origin AS specified in the ROA. It is used to verify whether an AS is authorised to announce a specific IP prefix. A ROA contains three mandatory fields: Prefix, Origin AS and Maxlength.

Prefix: The prefix you would like to originate from the specified ASN. Only IPv4 and IPv6 prefixes listed under "Internet Resources" on the My APNIC portal can be used here.

Origin AS: The authorised ASN which can originate the "Prefix".

The origin AS can only be from the IANA specified range and MUST NOT contain an ASN from:

- 23456                    # AS_TRANS, RFC6793
- 64496-64511              # Reserved for use in docs and code, RFC5398
- 64512-65534              # Reserved for Private Use, RFC6996
- 65535                    # Reserved, RFC7300
- 65536-65551              # Reserved for use in docs and code, RFC5398
- 65552-131071             # Reserved
- 4200000000-4294967294    # Reserved for Private Use, RFC6996
- 4294967295               # Reserved, RFC7300

and any IANA unallocated ASN.

- The same policy should be applied to the corresponding route/route6 whois objects.
- ROAs and route/route6 objects already in the database with Private, Reserved or unallocated ASNs should be revoked and deleted respectively, after notifying the prefix holder.

Note: It is up to the community to decide whether this should remain a policy or instead be a guideline for members, which could be implemented by the APNIC services team.

5. Advantages / Disadvantages
-----------------------------

Advantages: This will help APNIC members avoid mistakenly creating unnecessary ROAs with Private, Reserved and unallocated resources.

Disadvantages: Overhead for APNIC to develop the Origin AS check.

6. Impact on resource holders
-----------------------------

APNIC has to request members to delete existing ROAs and route/route6 objects with Private, Reserved or unallocated origin ASNs.

7. References
-------------
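The Origin AS restriction in section 4, as an added example (not part of the proposal or of any APNIC system): a checker that rejects an asID in the listed reserved/private ranges and, optionally, one outside a caller-supplied list of IANA allocated ranges, plus a sweep over existing ROAs to find the ones the proposal says should be revoked. The allocated-range list and the ROA dict layout are assumptions.

```python
# Added example, not part of the proposal: checks a ROA's asID against the
# Origin AS restriction in section 4. The "IANA unallocated" rule needs the
# IANA ASN registries, modelled here as an optional caller-supplied list of
# allocated (lo, hi) ranges (an assumption, not an APNIC API).

# asID ranges that MUST NOT be used, exactly as listed in the proposal.
RESERVED_ASN_RANGES = [
    (23456, 23456, "AS_TRANS (RFC6793)"),
    (64496, 64511, "reserved for docs and code (RFC5398)"),
    (64512, 65534, "reserved for Private Use (RFC6996)"),
    (65535, 65535, "reserved (RFC7300)"),
    (65536, 65551, "reserved for docs and code (RFC5398)"),
    (65552, 131071, "reserved"),
    (4200000000, 4294967294, "reserved for Private Use (RFC6996)"),
    (4294967295, 4294967295, "reserved (RFC7300)"),
]
MAX_ASN = 4294967295  # asID is a 32-bit unsigned integer

def check_origin_as(asn, allocated_ranges=None):
    """Return (ok, reason). ok is False if asn is not a 32-bit integer, falls
    in a reserved/private range, or, when allocated_ranges is given, lies
    outside every IANA allocated (lo, hi) range."""
    if not isinstance(asn, int) or not 0 <= asn <= MAX_ASN:
        return False, "asID must be an integer between 0 and %d" % MAX_ASN
    for lo, hi, label in RESERVED_ASN_RANGES:
        if lo <= asn <= hi:
            return False, "AS%d is in %d-%d: %s" % (asn, lo, hi, label)
    if allocated_ranges is not None and not any(
            lo <= asn <= hi for lo, hi in allocated_ranges):
        return False, "AS%d is not in an IANA allocated range" % asn
    return True, "ok"

def find_offending_roas(roas, allocated_ranges=None):
    """Return [(roa, reason), ...] for ROAs (dicts with prefix, asID,
    maxLength) that fail the check: the objects section 4 says should be
    revoked after notifying the prefix holder."""
    offending = []
    for roa in roas:
        ok, reason = check_origin_as(roa["asID"], allocated_ranges)
        if not ok:
            offending.append((roa, reason))
    return offending

# Constructed sample ROAs on documentation prefixes; not real objects.
SAMPLE_ROAS = [
    {"prefix": "203.0.113.0/24", "asID": 131072, "maxLength": 24},
    {"prefix": "203.0.113.0/24", "asID": 65000, "maxLength": 24},
    {"prefix": "2001:db8::/32", "asID": 23456, "maxLength": 48},
    {"prefix": "2001:db8::/32", "asID": 4294967295, "maxLength": 32},
]
```

Running `find_offending_roas(SAMPLE_ROAS)` flags the private-use, AS_TRANS and reserved entries and leaves the first ROA untouched.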