I think it much more likely that if someone had a dispute with an specific AS0 ROA for an unallocated resource, that you would just white list the specific one in your validating cache.
It is important to remember that an AS0 ROA does not automatically make any route that it covers invalid …. That is only the case if there is no other covering ROA that matches the origin
Or put another way, if you don’t agree with the RIR that a give resource is unallocated, will you also disagree with its subsequent allocation to someone else? i.e., the ROA that invalidates
the originations of the previous owner/squatter could also come from the allocated space TAL if we are splitting the two.
Solve these one offs in the local policy of your validator and/or router. If you don’t trust the RIR to have an accurate record of allocations … the trust in the enrollment system that
is the real root of trust for the RPKI goes out the window.
<security-wg-request@internet2.edu> on behalf of Brad Fleming <bdfleming@kanren.net>
Reply-To: "security-wg@internet2.edu List:" <security-wg@internet2.edu>
Date: Friday, August 9, 2019 at 5:53 PM
To: "security-wg@internet2.edu List:" <security-wg@internet2.edu>
Subject: Re: [Security-WG] Fwd: [sig-policy] prop-132-v001 AS0 for Bogons
Assuming the idea were to spread to other regions the freedom might be nice if policy of a number authority regarding bogons was overly draconian. So if KanREN felt APNIC's reclamation / revocation policy was detrimental
or not fair we could simply not use their bogon TAL but continue using the primary TAL. Seems unlikely we would make a decision like that; however, larger operators might like the flexibility.
Brad Fleming
Director for Technology
Kansas Research and Education Network
While in theory one may want all these degrees of freedom, I can’t see it being useful in practice.
The typical choices you get in RPKI-ROV are:
To decide which peering sessions to enable it on. E.g., ATT uses it with peers but not customers.
To decide local policy for how ROV results effect the BGP decision process.
To use SLURM (white lists) to override global RPKI results.
I can’t really envision wanting to differentiate in the amongst classes of bogons beyond those things that could be done with the mechanisms above. And as pointed
out the proposal is only suggesting this for the unallocated space of the specific RIR.
One could think of having something like export filtering rules on the rpki-router protocol at the validating cache. i.e., only provide me VRP’s with AS=0.
That might be a cleaner way of opting in to bogon filtering but nothing else. That would allow the same cache to provide full VRP feeds to some routers and subsets (e.g., bogons only) to others.
Yes, that or the other way around too. You might want general RPKI ROA validation but I don't want ROA based bogon filtering.
And there are many different classes of bogons there is IANA reserved and RIR unallocated, you might want to treat them differently.
Ah, I see, you are thinking of someone opting-in for ROA based bogon filtering, but not general RPKI based route origin validation and filtering.
It is a sad enough state of affairs right now that we have 5 trust anchors, I don’t want 10.
I think from the RIR’s perspective, this is a RPKI-ROV value add (i.e., you get bogon filtering for free with the same infrastructure). That is, an incentive
to enable RPKI ROV.
If part of the rationale here is an incentive model, I doubt that the RIRs would be interested in making the bogon list a separate TAL.
Doug Montgomery, Manager Internet & Scalable Systems Research @ NIST
I interpret the proposal as APNIC issuing AS0 ROAs for only it's unallocated space, not the other RIR's unallocated space, and maybe the IANA reserved space.
I was thinking a separate TAL would simplify the opt-in or opt-out. Or, maybe that is too big of a stick. Otherwise, as an operator, how would I separate these unallocated AS0 ROAs from resource holders AS0 ROAs,
or maybe there is another way to do that?
I was thinking IANA could issue a TAL with AS0 ROAs for the IANA reserved space as appropriate.
Then the RIRs issue TALs with AS0 ROAs for their unallocated space, separate from the TALs for their allocated space.
But, I have really worked with the validator tools yet, so I'd be interested in other opinions.
Seems like a good (and obvious) idea. I don’t think we need a separate TAL for this, although it was not clear to me if APNIC would be doing this only for resources
that should be in their region or if they would be doing it globally? The latter would raise interesting questions.
Individual resource holders can also issue AS0 ROAs for parts of their address space that are not currently advertised in the routing system.
Doug Montgomery, Manager Internet & Scalable Systems Research @ NIST
The is an intriguing policy proposal in APNIC's hopper that I thought I would bring to our group's attention.
However, it does create questions regarding chronically late payment of your RIR bill and when reclaimed resources become bogons.
Also, maybe this should have a separate TAL so you can opt-in or opt-out of this.
---------- Forwarded message ---------
From: Sumon Ahmed Sabir <sasabir@gmail.com>
Date: Fri, Aug 9, 2019 at 5:01 AM
Subject: [sig-policy] prop-132-v001 AS0 for Bogons
To: Policy SIG <sig-policy@apnic.net>
Dear SIG members,
The proposal "prop-132-v001: AS0 for Bogons" has been sent to
the Policy SIG for review.
It will be presented at the Open Policy Meeting at APNIC 48 in
Chiang Mai, Thailand on Thursday, 12 September 2019.
We invite you to review and comment on the proposal on the mailing list
before the meeting.
The comment period on the mailing list before an APNIC meeting is an
important part of the policy development process. We encourage you to
express your views on the proposal:
- Do you support or oppose this proposal?
- Does this proposal solve a problem you are experiencing? If so,
tell the community about your situation.
- Do you see any disadvantages in this proposal?
- Is there anything in the proposal that is not clear?
- What changes could be made to this proposal to make it more
Information about this proposal is available at:
Sumon, Bertrand, Ching-Heng
APNIC Policy SIG Chairs
prop-132-v001: AS0 for Bogons
Proposer: Aftab Siddiqui
1. Problem statement
Bogons are defined in RFC3871, A "Bogon" (plural: "bogons") is a packet
with an IP source address in an address block not yet allocated by IANA
or the Regional Internet Registries (ARIN, RIPE NCC, APNIC, AFRINIC and
LACNIC) as well as all addresses reserved for private or special use by
RFCs. See [RFC3330] and [RFC1918].
As of now, there are 287 IPv4 bogons and 73 IPv6 bogons in the global
routing table. In the past, several attempts have been made to filter
out such bogons through various methods such as static filters and updating
them occasionally but it is hard to keep an up to date filters,
TeamCymru and
CAIDA provides full bogon list in text format to update such filters.
also provides bogon BGP feed where they send all the bogons via a BGP
which then can be discarded automatically. Beside all these attempts the
of Bogon Advertisement hasn't be resolved so far.
2. Objective of policy change
The purpose of creating AS0 (zero) ROAs for unallocated address space by
is to resolve the issue of Bogon announcement. When APNIC issues an AS0
ROA for
unallocated address space in its bucket then it will be marked as
“Invalid” if
someone tries to advertise the same address space.
Currently, in the absence of any ROA, these bogons are marked as
“NotFound”. Since
many operators have implemented ROV and either planning or already
discarding “Invalid”
then all the AS0 ROAs which APNIC will create for unallocated address
space will be
discarded as well.
3. Situation in other regions
No such policy in any region at the moment.
4. Proposed policy solution
APNIC will create AS0(zero) ROAs for all the unallocated address space
in its bucket
(IPv4 and IPv6). Any resource holder can create AS0 (zero) ROAs for the
resources they
have under their account.
A ROA is a positive attestation that a prefix holder has authorised an
AS to originate a
route for this prefix whereas, a ROA for the same prefixes with AS0
(zero) origin shows
negative intent from the resource holder that they don't want to
advertise the prefix(es)
at this point but they are the rightful custodian.
Only APNIC has the authority to create ROAs for address space not yet
allocated to the members
and only APNIC can issue AS0 (zero) ROAs. Once they ROA is issued and
APNIC wants to allocate
the address space to its member, simply they can revoke the ROA and
delegate the address space
to members. (this proposal doesn't formulate operational process).
5. Advantages / Disadvantages
Those implementing ROV globally and discarding the invalids will be able
to discard bogons from
APNIC region automatically.
No apparent disadvantage
6. Impact on resource holders
No impact to APNIC or respective NIR resource holders not implementing
ROV. Those implementing
ROV and discarding the invalids will not see any bogons in their routing
7. References
RFC6483 - https://tools.ietf.org/rfc/rfc6483.txt
RFC6491 - https://tools.ietf.org/rfc/rfc6491.txt
RFC7607 - https://tools.ietf.org/rfc/rfc7607.txt
David Farmer Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE Phone: 612-626-0815
Minneapolis, MN 55414-3029 Cell: 612-812-9952
David Farmer Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE Phone: 612-626-0815
Minneapolis, MN 55414-3029 Cell: 612-812-9952
David Farmer Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE Phone: 612-626-0815
Minneapolis, MN 55414-3029 Cell: 612-812-9952