RPKI ASN 0 ROA - N/D

General information

English
27/02/2020
Implemented
100 %.

Ricardo Patara - Version [1, 2]
Aftab Sidiqui - Version [1, 2]
In discussion
13/11/2019 - 05/05/2020
First consensus
06/05/2020 - 20/05/2020
Last call for comments
20/05/2020 - 16/06/2020
Second consensus
16/06/2020 - 18/06/2020
Ratification by the board
18/06/2020
Ratified
23/07/2020
Implemented
23/06/2021

Public comments by LACNIC staff for this version

LACNIC Staff's Interpretation of the Proposal
---------------------------------------------

Applicability
------------
This proposal would apply to unassigned or unallocated resources.

Modifications to the current text
--------------------------------
The following text would be added in Section 1 of the Policy Manual:

“LACNIC will create specific Routing Origin Authorizations (ROAs) in the RPKI infrastructure with ASN 0 in the Origin ASN field and the list of unallocated or unassigned Internet Number Resources exclusively under LACNIC administration in the Prefixes list of such ROAs.

The number of the before mentioned ROAs and maximum prefix values and validity is a decision of LACNIC.

These ROAs would be seen by RPKI relying parties as an instruction to invalidate routes to network prefixes listed in them.

Only LACNIC would have authority to create RPKI ROAs for Internet Number Resources not yet allocated or assigned or either recovered or returned, to which LACNIC is the rightful custodian.

Once an Internet Number Resource is allocated or assigned, LACNIC will invalidated ROAs with that Resource in it and then issue new ones without it, as it fits necessary.”

LACNIC Staff's Comments
--------------------------
(Comments are observations intended to help distinguish the changes introduced by the proposal from the current text of the Policy Manual)

Recommendations
-------------------

1. The meaning of “maximum prefix values and validity” is unclear. We recommend the following wording: “the number of ROAs and all other technical parameters of the ROAs will be decided by LACNIC.”

2. We recommend an editorial review of the final paragraph, changing “(...) LACNIC will invalidated ROAs with that Resource in it and then issue new ones without it, as it fits necessary” to “(...) LACNIC will invalidate ROAs that contain such resources and will issue new ROAs that do not include them, as necessary.”

3. We recommend moving “This ROA would be seen by RPKI relying parties as an instruction to invalidate routes to network prefixes listed in it” — which is currently part of the text — to the rationale behind the proposal.

NOTE
According to point 3.2.4 of the PDP, about the editorial adjustments suggested by the moderators, and previously agreed with the authors, this version was edited taking into account the 3 recommendations mentioned above.

Impact of the policy on LACNIC's systems
-------------------------------------------
This proposal would require changes to the RPKI infrastructure.

Official Sources
----------------
Other RIRs

AFRINIC
The proposal achieved consensus at the AFRINIC 31 event and is currently in its last call for comments period.

APNIC
The proposal achieved consensus and was ratified by the APNIC Board. Preparations are underway for its implementation, which will be presented during APNIC 49.

ARIN
No similar proposal has been submitted yet.

RIPE
The proposal has just completed the discussion phase. It is currently awaiting feedback from the author and the working group to see whether it can move on to the “Review phase.”


Summary

When using RPKI, an organization can issue a Routing Origin Authorization (ROA) that indicates a set of address blocks that can be announced with a specific origin ASN, which is also indicated in the ROA.
Other organizations also using RPKI can use that information to decide which route announcements are legitimate and which are not.

It is also possible to issue a ROA with ASN 0 (zero) in its asID field to signal that the address blocks in it should not be accepted.

This policy proposal recommends that LACNIC issue ASN 0 ROAs containing unallocated and unassigned address blocks, as a method to indicate that route announcements for those addresses should not be accepted by networks using RPKI Routing Origin Validation (ROV).

Rationale (Describe the problem you intend to solve)

RIRs have under their responsibility a set of Internet Number Resources that are not yet allocated or assigned. Associated with this custodianship is the responsibility to distribute them to organizations with justified need and in accordance with the policies in place. That set of unallocated or unassigned Internet Resources should not be used until allocated or assigned to the organization with the justification to use them.

Several recommendations and good practices describe how to filter those unallocated or unassigned resources, as they are normally associated with some kind of abuse or attack.

Considering the good adoption of RPKI and Routing Origin Validation (ROV), the publication of ROAs with ASN 0 to indicate the set of addresses that should not be used will be a great contribution.

It will also relieve network operators of the burden of updating their filters based on the list of unallocated or unassigned Internet Resources.

Current text

---

New text

This would apply to Section 1 of the LACNIC Policy Manual.

LACNIC could create specific Routing Origin Authorizations (ROAs) in the RPKI infrastructure with ASN 0 in the Origin ASN field and the list of unallocated or unassigned Internet Number Resources exclusively under LACNIC administration in the Prefixes list of this ROA.

This ROA would be seen by RPKI relying parties as an instruction to invalidate routes to network prefixes listed in it.

Only LACNIC would have authority to create RPKI ROAs for Internet Number Resources not yet allocated or assigned or either recovered or returned, to which LACNIC is the rightful custodian.

In case a specific Internet Number Resource present in an ASN 0 ROA is to be allocated or assigned, that ROA must be invalidated and a new one would be issued without the soon-to-be-allocated Internet Number Resource.

Additional information

A similar proposal was approved in APNIC.

Timetable

-

References

-

Presented at:

LACNIC 33 (online) (05/05/2020)


Summary

When using RPKI, an organization can issue a Routing Origin Authorization (ROA) that indicates a set of address blocks that can be announced with a specific origin ASN, which is also indicated in the ROA.
Other organizations also using RPKI can use that information to decide which route announcements are legitimate and which are not.

It is also possible to issue a ROA with ASN 0 (zero) in its asID field to signal that the address blocks in it should not be accepted.

This policy proposal recommends that LACNIC issue ASN 0 ROAs containing unallocated and unassigned address blocks, as a method to indicate that route announcements for those addresses should not be accepted by networks using RPKI Routing Origin Validation (ROV).

Rationale (Describe the problem you intend to solve)

RIRs have under their responsibility a set of Internet Number Resources that are not yet allocated or assigned. Associated with this custodianship is the responsibility to distribute them to organizations with justified need and in accordance with the policies in place. That set of unallocated or unassigned Internet Resources should not be used until allocated or assigned to the organization with the justification to use them.

Several recommendations and good practices describe how to filter those unallocated or unassigned resources, as they are normally associated with some kind of abuse or attack.

Considering the good adoption of RPKI and Routing Origin Validation (ROV), the publication of ROAs with ASN 0 to indicate the set of addresses that should not be used will be a great contribution.

These ROAs would be seen by RPKI relying parties as an instruction to invalidate routes to network prefixes listed in them.

It will also relieve network operators of the burden of updating their filters based on the list of unallocated or unassigned Internet Resources.

Current text

---

New text

This would apply to Section 1 of the LACNIC Policy Manual.

New text:
LACNIC will create specific Routing Origin Authorizations (ROAs) in the RPKI infrastructure with AS 0 in the Origin ASN field and the list of unallocated or unassigned Internet Number Resources exclusively under LACNIC administration in the Prefixes list of such ROAs.

The number of the aforementioned ROAs and any other technical parameters of them will be at LACNIC's discretion.

Only LACNIC would have authority to create RPKI ROAs for Internet Number Resources not yet allocated or assigned or either recovered or returned, to which LACNIC is the rightful custodian.

Once an Internet Number Resource is allocated or assigned, LACNIC will invalidate ROAs that contain such resources and will issue new ROAs that do not include them, as necessary.
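
The effect on a relying party of the AS 0 ROAs described in the Summary, and of the re-issue step in the paragraph above, can be traced with the origin validation procedure of RFC 6811. This is an added example, not part of the proposal and not LACNIC's code; the prefixes, ASNs and the maxLength of 32 are constructed sample values.

```python
import ipaddress
from typing import NamedTuple, Union

class VRP(NamedTuple):
    """Validated ROA Payload: one (prefix, maxLength, origin ASN) triple."""
    prefix: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    max_length: int
    asn: int

def vrp(prefix, max_length, asn):
    return VRP(ipaddress.ip_network(prefix), max_length, asn)

def validate(route_prefix, origin_asn, vrps):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for v in vrps:
        if v.prefix.version != route.version or not route.subnet_of(v.prefix):
            continue  # this VRP does not cover the route
        covered = True
        # AS 0 is never a real route origin, so an AS 0 VRP covers but never matches.
        if v.asn != 0 and v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

def reissue_as0(pool, allocated):
    """AS 0 VRPs for what remains of `pool` once `allocated` is carved out."""
    pool, allocated = ipaddress.ip_network(pool), ipaddress.ip_network(allocated)
    return [VRP(n, n.max_prefixlen, 0) for n in sorted(pool.address_exclude(allocated))]

# Constructed sample data: documentation prefixes and documentation ASNs.
POOL, ALLOCATED, HOLDER, OTHER = "203.0.113.0/24", "203.0.113.0/26", 64500, 64511

def scenario():
    before = [vrp(POOL, 32, 0)]                 # whole pool under an AS 0 ROA
    reissued = reissue_as0(POOL, ALLOCATED)     # registry re-issues after allocating
    holder_roa = [vrp(ALLOCATED, 26, HOLDER)]   # new holder signs its own ROA
    return {
        "pool announced before allocation": validate(ALLOCATED, OTHER, before),
        "prefix outside every ROA": validate("198.51.100.0/24", OTHER, before),
        "holder, AS 0 ROA not yet re-issued": validate(ALLOCATED, HOLDER, before),
        "holder, after re-issue, no own ROA": validate(ALLOCATED, HOLDER, reissued),
        "holder, after re-issue, own ROA": validate(ALLOCATED, HOLDER, reissued + holder_roa),
        "other AS on holder's block": validate(ALLOCATED, OTHER, reissued + holder_roa),
        "rest of pool still announced": validate("203.0.113.128/25", OTHER, reissued),
    }

if __name__ == "__main__":
    for case, state in scenario().items():
        print(f"{state:10} {case}")
```

The third case is the one the re-issue rule addresses: until the AS 0 ROA covering a newly allocated block is withdrawn, the new holder's announcement is invalid for any network enforcing ROV unless the holder has already published its own ROA.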

Additional information

A similar proposal was approved in APNIC.

Timetable

-

References

-

Presented at:

LACNIC 33 (online) (05/05/2020)