RPKI ASN 0 ROA

Original Language: English
Date Published: 13/11/2019
Last Modified: 11/11/2019
Last Call for Comments Period: Does not apply
Date Ratified: Does not apply
Implementation Date: Does not apply
Status: Under discussion

Authors

Name: Ricardo Patara
Email: patara@registro.br
Organization: NIC.br

Name: Aftab Siddiqui
Email: aftab.siddiqui@gmail.com
Organization: PERSONAL

Proposal Data

Policy Type: LACNIC
Id: LAC-2019-12
Last version: 1

Summary

When using RPKI, an organization can issue a Routing Origin Authorization (ROA) that indicates a set of address blocks that can be announced with a specific origin ASN, which is also indicated in the ROA.
Other organizations that also use RPKI can use that information to decide which route announcements are legitimate and which are not.

It is also possible to issue a ROA with ASN 0 (zero) in its asID field to signal that the address blocks in it should not be accepted.

This policy proposal recommends that LACNIC issue ASN 0 ROAs containing unallocated and unassigned address blocks, as a method to indicate that route announcements for those addresses should not be accepted by networks using RPKI Routing Origin Validation (ROV).
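As an added illustration (not part of the proposal and not LACNIC code), the following Python code applies the origin validation procedure of RFC 6811 to a constructed set of validated ROA payloads, showing how an ASN 0 ROA makes every announcement of the covered space invalid. The prefixes and ASNs are documentation values assumed for the example.

```python
import ipaddress

# Constructed validated ROA payloads (VRPs): (prefix, max length, origin ASN).
# Documentation prefixes and ASNs stand in for real registry data.
VRPS = [
    ("198.51.100.0/24", 24, 0),      # ASN 0 ROA over "unallocated" space
    ("203.0.113.0/24", 24, 64496),   # ordinary ROA issued by a resource holder
]


def validate(route_prefix, origin_asn, vrps=VRPS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for prefix, max_len, asn in vrps:
        vrp_net = ipaddress.ip_network(prefix)
        # A VRP covers the route if the route is equal to or inside its prefix.
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # ASN 0 can never be a route's origin, so an ASN 0 VRP never matches.
        if asn != 0 and asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered by at least one VRP but matched by none: invalid.
    return "invalid" if covered else "not-found"


def demo():
    """Validation results for a few constructed announcements."""
    return {
        "unallocated /24 from AS64500": validate("198.51.100.0/24", 64500),
        "unallocated /25 from AS64500": validate("198.51.100.128/25", 64500),
        "holder's own announcement": validate("203.0.113.0/24", 64496),
        "wrong origin for holder space": validate("203.0.113.0/24", 64500),
        "space with no ROA at all": validate("192.0.2.0/24", 64500),
    }


if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case}: {state}")
```

Because any matching VRP yields "valid", an ASN 0 ROA only rejects routes for which no other ROA authorizes the announced origin.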

Rationale

RIRs have under their responsibility a set of Internet Number Resources that are not yet allocated or assigned. Associated with this custodianship is the responsibility to distribute them to organizations with justified need, in accordance with the policies in place. That set of unallocated or unassigned Internet Resources should not be used until allocated or assigned to an organization with the justification to use them.

Several recommendations and good practices describe how to filter those unallocated or unassigned resources, as they are normally associated with some kind of abuse or attack.

Considering the good adoption of RPKI and Routing Origin Validation (ROV), publishing ROAs with ASN 0 to indicate the set of addresses that should not be used would be a great contribution.

It will also relieve network operators of the burden of updating their filters based on the list of unallocated or unassigned Internet Resources.

Text

This would apply to section 1 of the LACNIC policy manual.

New text:
LACNIC could create specific Routing Origin Authorizations (ROAs) in the RPKI infrastructure with ASN 0 in the Origin ASN field and the list of unallocated or unassigned Internet Number Resources exclusively under LACNIC administration in the Prefixes list of this ROA.

This ROA would be seen by RPKI relying parties as an instruction to invalidate routes to the network prefixes listed in it.

Only LACNIC would have authority to create RPKI ROAs for Internet Number Resources that are not yet allocated or assigned, or that have been recovered or returned, and of which LACNIC is the rightful custodian.

In the case that a specific Internet Number Resource present in an ASN 0 ROA is to be allocated or assigned, that ROA must be invalidated and a new one would be issued without the soon-to-be-allocated Internet Number Resource.

Additional Information

A similar proposal was approved in APNIC.

Timetable

-

References

-
