LAC-2019-12: RPKI ASN 0 ROA

General Information

English
27/02/2020
Under discussion
14%. Next step would be First consensus

Ricardo Patara - Version [1, 2, 3]
Aftab Siddiqui - Version [1, 2, 3]
Initial discussion
13/11/2019

LACNIC Staff's public notes for this version

LACNIC Staff's Interpretation of the Proposal
---------------------------------------------

Applicability
------------
This proposal would apply to unassigned or unallocated resources.

Modifications to the current text
--------------------------------
The following text would be added in Section 1 of the Policy Manual:

“LACNIC will create specific Routing Origin Authorizations (ROAs) in the RPKI infrastructure with ASN 0 in the Origin ASN field and the list of unallocated or unassigned Internet Number Resources exclusively under LACNIC administration in the Prefixes list such ROAs.

The number of the before mentioned ROAs and maximum prefix values and validity is a decision of LACNIC.

These ROAs would be seen by RPKI relaying parties as an instruction to invalidate routes to network prefixes listed in them.

Only LACNIC would have authority to create RPKI ROAs for Internet Number Resources not yet allocated or assigned or either recovered or returned, to which LACNIC is the rightful custodian.

Once an Internet Number Resource is allocated or assigned, LACNIC will invalidated ROAs with that Resource in it and then issue new ones without it, as it fits necessary.”

LACNIC Staff's Comments
--------------------------
(Comments are observations intended to help distinguish the changes introduced by the proposal from the current text of the Policy Manual)

Recommendations
-------------------

1. The meaning of “maximum prefix values and validity” is unclear. We recommend the following wording: “the number of ROAs and all other technical parameters of the ROAs will be decided by LACNIC.”

2. We recommend an editorial review of the final paragraph, changing “(...) LACNIC will invalidated ROAs with that Resource in it and then issue new ones without it, as it fits necessary” to “(...) LACNIC will invalidate ROAs that contain such resources and will issue new ROAs that do not include them, as necessary.”

3. We recommend moving “This ROA would be seen by RPKI relaying parties as an instruction to invalidate routes to network prefixes listed in it” — which is currently part of the text — to the rationale behind the proposal.

Impact of the policy on LACNIC's systems
-------------------------------------------
This proposal would require changes to the RPKI infrastructure.

Official Sources
----------------
Other RIRs

AFRINIC
The proposal achieved consensus at the AFRINIC 31 event and is currently in its last call for comments period.

APNIC
The proposal achieved consensus and was ratified by the APNIC Board. Preparations are underway for its implementation, which will be presented during APNIC 49.

ARIN
No similar proposal has been submitted yet.

RIPE
The proposal has just completed the discussion phase. It is currently awaiting feedback from the author and the working group to see whether it can move on to the “Review phase.”


Summary

When using RPKI, an organization can issue a Routing Origin Authorization (ROA) that indicates a set of address blocks that can be announced with a specific origin ASN, which is also indicated in the ROA.
Other organizations also using RPKI can use that information to decide which route announcements are legitimate and which are not.

It is also possible to issue a ROA with ASN 0 (zero) in its ASid field to signal that the address blocks in it should not be accepted.

This policy proposal recommends that LACNIC issue ASN 0 ROAs containing unallocated and unassigned address blocks, as a method to indicate that route announcements for those addresses should not be accepted by networks using RPKI Routing Origin Validation (ROV).
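The following added example (not part of the proposal or of any LACNIC system) applies the RFC 6811 origin-validation rules to a small ROA table to show how an ASN 0 ROA turns announcements of unallocated space into Invalid routes, and why the proposal requires the ASN 0 ROA to be reissued when a block is allocated or assigned. The prefixes and ASNs are constructed from the documentation ranges, and the function and variable names are illustrative.

```python
import ipaddress
from typing import NamedTuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

class VRP(NamedTuple):
    """Validated ROA Payload: one (prefix, maxLength, ASN) entry from a ROA."""
    prefix: Network
    max_length: int
    asn: int

def vrp(prefix, asn, max_length=None):
    net = ipaddress.ip_network(prefix)
    return VRP(net, net.prefixlen if max_length is None else max_length, asn)

def validate(route, origin_asn, vrps):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(route)
    covered = False
    for v in vrps:
        if v.prefix.version != net.version or not net.subnet_of(v.prefix):
            continue                      # this VRP does not cover the route
        covered = True
        # AS 0 never matches an origin: it only marks the space as covered.
        if v.asn != 0 and v.asn == origin_asn and net.prefixlen <= v.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

# Constructed sample data (documentation prefixes and ASNs, not LACNIC space).
AS0_ROA = vrp("203.0.113.0/24", 0)             # unallocated pool, signed with AS 0
MEMBER_ROA = vrp("198.51.100.0/24", 64496)     # ordinary ROA of an existing holder
NEW_HOLDER_ROA = vrp("203.0.113.0/24", 64500)  # issued after the block is assigned

def handover_states():
    """Validation state of the new holder's announcement at each handover step."""
    route, asn = "203.0.113.0/24", 64500
    return {
        "as0_still_published": validate(route, asn, [AS0_ROA, MEMBER_ROA]),
        "as0_withdrawn": validate(route, asn, [MEMBER_ROA]),
        "holder_roa_issued": validate(route, asn, [MEMBER_ROA, NEW_HOLDER_ROA]),
        "stale_as0_plus_holder_roa": validate(route, asn, [AS0_ROA, NEW_HOLDER_ROA]),
    }

if __name__ == "__main__":
    table = [AS0_ROA, MEMBER_ROA]
    for r, a in [("203.0.113.0/24", 64511), ("203.0.113.128/25", 64511),
                 ("198.51.100.0/24", 64496), ("192.0.2.0/24", 64511)]:
        print(r, f"AS{a}", validate(r, a, table))
    print(handover_states())
```

Because coverage depends only on the ROA prefix, more-specific announcements inside the ASN 0 block are Invalid regardless of the maxLength chosen; and a newly assigned block stays Invalid for its holder until the ASN 0 ROA that lists it is replaced.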

Rationale

RIRs have under their responsibility a set of Internet Resource Numbers that are not yet allocated or assigned. Associated with the custodianship is the responsibility to distribute them to organizations with justified need and in accordance with the policies in place. That set of unallocated or unassigned Internet Resources should not be used until allocated or assigned to the organization with the justification to use them.

Several recommendations and good practices describe how to filter those unallocated or unassigned resources, as they are normally associated with some kind of abuse or attack.

Considering the good adoption of RPKI and Routing Origin Validation (ROV), the publication of ROAs with ASN 0 to indicate the set of addresses that should not be used would be a great contribution.

It will also relieve network operators of the burden of updating their filters based on the list of unallocated or unassigned Internet Resources.

Current Text

---

New Text

This would apply to Section 1 of the LACNIC Policy Manual.

LACNIC could create specific Routing Origin Authorization (ROAs) in the RPKI infrastructure with ASN 0 in the Origin ASN field and the list of unallocated or unassigned Internet Number Resources exclusively under LACNIC administration in the Prefixes list of this ROA.

This ROA would be seen by RPKI relaying parties as an instruction to invalidate routes to network prefixes listed in it.

Only LACNIC would have authority to create RPKI ROAs for Internet Number Resources not yet allocated or assigned or either recovered or returned, to which LACNIC is the rightful custodian.

In the case an specific Internet Number Resource, present in a ASN0 ROA, is to be allocated or assigned, that ROA must be invalidated and new one would be issued without the soon to be allocated Internet Number Resource.

Additional Information

A similar proposal was approved in APNIC.

Implementation Timeline

-

References

-


Summary

When using RPKI, an organization can issue a Routing Origin Authorization (ROA) that indicates a set of address blocks that can be announced with a specific origin ASN, which is also indicated in the ROA.
Other organizations also using RPKI can use that information to decide which route announcements are legitimate and which are not.

It is also possible to issue a ROA with ASN 0 (zero) in its ASid field to signal that the address blocks in it should not be accepted.

This policy proposal recommends that LACNIC issue ASN 0 ROAs containing unallocated and unassigned address blocks, as a method to indicate that route announcements for those addresses should not be accepted by networks using RPKI Routing Origin Validation (ROV).

Rationale

RIRs have under their responsibility a set of Internet Resource Numbers that are not yet allocated or assigned. Associated with the custodianship is the responsibility to distribute them to organizations with justified need and in accordance with the policies in place. That set of unallocated or unassigned Internet Resources should not be used until allocated or assigned to the organization with the justification to use them.

Several recommendations and good practices describe how to filter those unallocated or unassigned resources, as they are normally associated with some kind of abuse or attack.

Considering the good adoption of RPKI and Routing Origin Validation (ROV), the publication of ROAs with ASN 0 to indicate the set of addresses that should not be used would be a great contribution.

It will also relieve network operators of the burden of updating their filters based on the list of unallocated or unassigned Internet Resources.

Current Text

---

New Text

This would apply to Section 1 of the LACNIC Policy Manual.

New text:
LACNIC will create specific Routing Origin Authorizations (ROAs) in the RPKI infrastructure with ASN 0 in the Origin ASN field and the list of unallocated or unassigned Internet Number Resources exclusively under LACNIC administration in the Prefixes list such ROAs.

The number of the before mentioned ROAs and maximum prefix values and validity is a decision of LACNIC.

These ROAs would be seen by RPKI relaying parties as an instruction to invalidate routes to network prefixes listed in them.

Only LACNIC would have authority to create RPKI ROAs for Internet Number Resources not yet allocated or assigned or either recovered or returned, to which LACNIC is the rightful custodian.

Once an Internet Number Resource is allocated or assigned, LACNIC will invalidated ROAs with that Resource in it and then issue new ones without it, as it fits necessary.

Additional Information

A similar proposal was approved in APNIC.

Implementation Timeline

-

References

-