Skip to Content.
Sympa Menu

netsec-sig - Re: [Security-WG] Fwd: [sig-policy] prop-132-v001 AS0 for Bogons

Subject: Internet2 Network Security SIG

List archive

Re: [Security-WG] Fwd: [sig-policy] prop-132-v001 AS0 for Bogons


Chronological Thread 
    < Chronological >      < Thread >
  • From: "Montgomery, Douglas (Fed)" <>
  • To: "" <>
  • Subject: Re: [Security-WG] Fwd: [sig-policy] prop-132-v001 AS0 for Bogons
  • Date: Fri, 9 Aug 2019 17:37:12 +0000
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nist.gov; dmarc=pass action=none header.from=nist.gov; dkim=pass header.d=nist.gov; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=P+aeYOeMHRimy/7WejjwyZ+yb7XexIInsLRN1vD2d6s=; b=XMwgSbZ1NkNMavBOCkdiXF6quGNDy39LwO2HeKP+tw/RfVoJIDJ8G96HkSCdd/hgI3s8aQ91guScmMCCiG16eJhfAC9w+izpXDKt3PmBAosBqsEpwemZ9JhKKlv2SD/XCn/A1FxQUsAITDlndx9m88YQAauEXiRcz+zElCnvU5Of0nSqzlh5QhevZd4jWQnfqDQUYGmvvsuM4noxbCQHxU2yK7pS9WOyy3+oMyMJf5F27A2aIUGGZOrSJHRE8DyotSpkvN7kzYv0aOKX50IT/Jb/jfftgqRJ7j1TRbFwZI469x3aa8mN2bQd3JuHBdGX/MkHYWnCtSFi62GpqxlkVw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XGU7GVlrBgot9BUeFKzJP3cpxw9jwXtFWQM9AFIrN3Rp0kwd88shGLtw87n1DpPl38VGJr7/4kGe6v14wkKBgax/irc2/mlKqOoAXFFZOhwRIri8Y5dwQf2+/47vm9oSlGcK4JMvi4X9sDtpldH2bfyzVMvipCox3BI0OW3OkJ0VfkQPDnH+LTyf7FYuFV8Hzpybf6afRqE28DCsdDBMn+0RMmBh9pYtsmvNlP9lF/rGpin0PV90Ln9KI/sYpE+MvUH2oDUdSaYJotlIQczu+IVjwyzckMurdKhjI7DxIscxDnPNAciyBnnEBNmoziy8JpqNJQH2om2p/j6ziS7Vgw==

Ah, I see, you are thinking of someone opting-in for ROA based bogon filtering, but not general RPKI based route origin validation and filtering.

 

It is a sad enough state of affairs right now that we have 5 trust anchors, I don’t want 10.

 

I think from the RIR’s perspective, this is a RPKI-ROV value add (i.e., you get bogon filtering for free with the same infrastructure).   That is, an incentive to enable RPKI ROV.

If part of the rationale here is an incentive model, I doubt that the RIRs would be interested in making the bogon list a separate TAL.

 

dougm

--

Doug Montgomery, Manager Internet  & Scalable Systems Research @ NIST

 

 

From: <> on behalf of David Farmer <>
Reply-To: " List:" <>
Date: Friday, August 9, 2019 at 12:52 PM
To: " List:" <>
Subject: Re: [Security-WG] Fwd: [sig-policy] prop-132-v001 AS0 for Bogons

 

I interpret the proposal as APNIC issuing AS0 ROAs for only it's unallocated space, not the other RIR's unallocated space, and maybe the IANA reserved space. 

 

I was thinking a separate TAL would simplify the opt-in or opt-out. Or, maybe that is too big of a stick. Otherwise, as an operator, how would I separate these unallocated AS0 ROAs from resource holders AS0 ROAs, or maybe there is another way to do that?

 

I was thinking IANA could issue a TAL with AS0 ROAs for the IANA reserved space as appropriate.

Then the RIRs issue TALs with AS0 ROAs for their unallocated space, separate from the TALs for their allocated space.

 

But, I have really worked with the validator tools yet, so I'd be interested in other opinions.

 

Thoughts?

 

Thanks

 

 

 

On Fri, Aug 9, 2019 at 9:48 AM "Montgomery, Douglas (Fed)" <> wrote:

Seems like a good (and obvious) idea.  I don’t think we need a separate TAL for this, although it was not clear to me if APNIC would be doing this only for resources that should be in their region or if they would be doing it globally?  The latter would raise interesting questions.

 

Individual resource holders can also issue AS0 ROAs for parts of their address space that are not currently advertised in the routing system.

 

dougm

--

Doug Montgomery, Manager Internet  & Scalable Systems Research @ NIST

 

 

From: <> on behalf of David Farmer <>
Reply-To: " List:" <>
Date: Friday, August 9, 2019 at 8:34 AM
To: " List:" <>
Subject: [Security-WG] Fwd: [sig-policy] prop-132-v001 AS0 for Bogons

 

The is an intriguing policy proposal in APNIC's hopper that I thought I would bring to our group's attention.

 

I kind of like the idea.

 

However, it does create questions regarding chronically late payment of your RIR bill and when reclaimed resources become bogons. 

 

Also, maybe this should have a separate TAL so you can opt-in or opt-out of this.

---------- Forwarded message ---------
From: Sumon Ahmed Sabir <>
Date: Fri, Aug 9, 2019 at 5:01 AM
Subject: [sig-policy] prop-132-v001 AS0 for Bogons
To: Policy SIG <>

 


Dear SIG members,

The proposal "prop-132-v001: AS0 for Bogons" has been sent to
the Policy SIG for review.

It will be presented at the Open Policy Meeting at APNIC 48 in
Chiang Mai, Thailand on Thursday, 12 September 2019.

We invite you to review and comment on the proposal on the mailing list
before the meeting.

The comment period on the mailing list before an APNIC meeting is an
important part of the policy development process. We encourage you to
express your views on the proposal:

  - Do you support or oppose this proposal?
  - Does this proposal solve a problem you are experiencing? If so,
    tell the community about your situation.
  - Do you see any disadvantages in this proposal?
  - Is there anything in the proposal that is not clear?
  - What changes could be made to this proposal to make it more
    effective?

Information about this proposal is available at:
http://www.apnic.net/policy/proposals/prop-132

Regards

Sumon, Bertrand, Ching-Heng
APNIC Policy SIG Chairs


----------------------------------------------------------------------

prop-132-v001: AS0 for Bogons

----------------------------------------------------------------------

Proposer: Aftab Siddiqui
           


1. Problem statement
--------------------
Bogons are defined in RFC3871, A "Bogon" (plural: "bogons") is a packet
with an IP source address in an address block not yet allocated by IANA
or the Regional Internet Registries (ARIN, RIPE NCC, APNIC, AFRINIC and
LACNIC) as well as all addresses reserved for private or special use by
RFCs.  See [RFC3330] and [RFC1918].

As of now, there are 287 IPv4 bogons and 73 IPv6 bogons in the global
routing table. In the past, several attempts have been made to filter
out such bogons through various methods such as static filters and updating
them occasionally but it is hard to keep an up to date filters, 
TeamCymru and
CAIDA provides full bogon list in text format to update such filters. 
TeamCymru
also provides bogon BGP feed where they send all the bogons via a BGP 
session
which then can be discarded automatically. Beside all these attempts the 
issue
of Bogon Advertisement hasn't be resolved so far.


2. Objective of policy change
-----------------------------
The purpose of creating AS0 (zero) ROAs for unallocated address space by 
APNIC
is to resolve the issue of Bogon announcement. When APNIC issues an AS0 
ROA for
unallocated address space in its bucket then it will be marked as 
“Invalid” if
someone tries to advertise the same address space.

Currently, in the absence of any ROA, these bogons are marked as 
“NotFound”. Since
many operators have implemented ROV and either planning or already 
discarding “Invalid”
then all the AS0 ROAs which APNIC will create for unallocated address 
space will be
discarded as well.


3. Situation in other regions
-----------------------------
No such policy in any region at the moment.



4. Proposed policy solution
---------------------------
APNIC will create AS0(zero) ROAs for all the unallocated address space 
in its bucket
(IPv4 and IPv6). Any resource holder can create AS0 (zero) ROAs for the 
resources they
have under their account.

A ROA is a positive attestation that a prefix holder has authorised an 
AS to originate a
route for this prefix whereas, a ROA for the same prefixes with AS0 
(zero) origin shows
negative intent from the resource holder that they don't want to 
advertise the prefix(es)
at this point but they are the rightful custodian.

Only APNIC has the authority to create ROAs for address space not yet 
allocated to the members
and only APNIC can issue AS0 (zero) ROAs. Once they ROA is issued and 
APNIC wants to allocate
the address space to its member, simply they can revoke the ROA and 
delegate the address space
to members. (this proposal doesn't formulate operational process).


5. Advantages / Disadvantages
-----------------------------
Advantages:
Those implementing ROV globally and discarding the invalids will be able 
to discard bogons from
APNIC region automatically.

Disadvantages:
No apparent disadvantage



6. Impact on resource holders
-----------------------------
No impact to APNIC or respective NIR resource holders not implementing 
ROV. Those implementing
ROV and discarding the invalids will not see any bogons in their routing 
table.


7. References
-------------------------------------------------------
RFC6483 - https://tools.ietf.org/rfc/rfc6483.txt
RFC6491 - https://tools.ietf.org/rfc/rfc6491.txt
RFC7607 - https://tools.ietf.org/rfc/rfc7607.txt

*              sig-policy:  APNIC SIG on resource management policy           *
_______________________________________________
sig-policy mailing list

https://mailman.apnic.net/mailman/listinfo/sig-policy


 

--

===============================================
David Farmer              
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota  
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================


 

--

===============================================
David Farmer              
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota  
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================


Archive powered by MHonArc 2.6.19.

Top of Page