APNIC Members can now run Resource Public Key Infrastructure (RPKI) operations inside MyAPNIC, including generating an ‘AS0’ Route Origin Authorization (ROA).
A ROA is a cryptographically signed object (a CMS-signed structure defined in the RPKI) that binds a set of Internet address prefixes, each with an optional maximum prefix length, to a single Origin Autonomous System (Origin-AS). Routers performing BGP route origin validation use ROAs as a positive signal of intent: a declaration of which Origin-AS is authorised to be seen originating those prefixes.
There can be many ROAs over the same address space, naming different Origin-ASs, or referring to more and less specific prefixes within the same range. That is by design: the system identifies what is permitted; it does not try to arbitrate between permitted declarations that appear to conflict.
The validation rules (RFC 6811) deal with the fact that prefixes overlap, aggregate and are more or less specific: a route is Valid if any ROA covering its prefix matches its Origin-AS and maximum length, Invalid if one or more ROAs cover the prefix but none matches, and NotFound if no ROA covers it at all. For two ROAs naming the same prefix with different Origin-ASs, the outcome is therefore ‘either’: a route from either Origin-AS is Valid. AS0 ROAs follow the same logic, but are special in effect, because no legitimate route can ever match them.
One specific pattern of use is to declare a range of Internet addresses as originated from AS0. AS0 is a reserved Autonomous System Number (ASN) that is not allocated to any network, and RFC 7607 requires BGP speakers to treat any route carrying AS0 in its AS_PATH as malformed, so it can never be a legitimate origin. Binding a list of addresses to Origin-AS AS0 is therefore a way to say “I can show I control these resources” without authorising anyone to route them. In fact, it says “This specific set of resources, as described, should not be seen in routing”.
That’s kind of odd. A signed declaration to stop something being routed? A negative signal of intent? Why would you want that?
This function is useful because it stands as a declaration alongside the others: you can have more than one ROA over a set of addresses. Creating AS0 ROAs for your addresses says “Don’t route me” everywhere, except where you have another ROA that says “Do route me” with any Origin-AS other than AS0. The practical difference is for space you have not otherwise authorised: without the AS0 ROA, an announcement of that space has no covering ROA and validates as NotFound, which operators generally still accept; with it, the announcement validates as Invalid. It’s like a giant lock on your addresses, if that’s what you want. It lets you declare, unambiguously, that only RPKI can express your intent to route these resources.
This isn’t just about ‘you’ and ‘your’ resources; it also affects your downstreams and customers using your addresses with their own Origin-AS (for instance, to multihome under your covering prefix). A covering AS0 ROA means any more-specific announcement from inside your range is Invalid unless a ROA exists that matches it, so you can force such customers to declare their routing intent in RPKI, with their Origin-AS and the more-specific prefix, if that’s what you want. You get to decide whether they have to turn on RPKI for their more-specific announcement of an alternate path to the sub-prefix. Note that an ordinary ROA for your aggregate, with a maximum length equal to its prefix length, already has this effect for more-specifics inside it; what the AS0 ROA adds is the same lock over space you have not authorised for any Origin-AS at all.
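To make the interaction between an AS0 ROA, an ordinary ROA and a downstream’s more-specific concrete, here is a small route origin validation (RFC 6811) routine run over a constructed ROA set. This is an added example, not MyAPNIC or APNIC code; the prefixes are documentation ranges, the AS numbers are private-use values, and the ROA set is invented for illustration. It also goes slightly beyond the text by showing the maximum-length check and the comparison with the same holder having no AS0 ROA.

```python
"""
Route Origin Validation (RFC 6811) over a small, constructed ROA set,
showing how an AS0 ROA interacts with other ROAs.  Added example, not
MyAPNIC or APNIC code; prefixes are documentation ranges and the AS
numbers are private-use values chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """One ROA entry: prefix, maxLength and the authorised origin AS (0 = AS0)."""
    prefix: str
    max_length: int
    origin_as: int


def covers(roa: ROA, route_prefix: str) -> bool:
    """A ROA covers a route when the route's prefix lies within the ROA's prefix."""
    roa_net = ipaddress.ip_network(roa.prefix)
    route_net = ipaddress.ip_network(route_prefix)
    return roa_net.version == route_net.version and route_net.subnet_of(roa_net)


def matches(roa: ROA, route_prefix: str, origin_as: int) -> bool:
    """A ROA matches a route when it covers it, the route is no more specific
    than maxLength, and the origin AS is the one the ROA authorises."""
    route_net = ipaddress.ip_network(route_prefix)
    return (covers(roa, route_prefix)
            and route_net.prefixlen <= roa.max_length
            and roa.origin_as == origin_as)


def validate(roas, route_prefix: str, origin_as: int) -> str:
    """RFC 6811 route origin validation outcome: Valid, Invalid or NotFound."""
    if origin_as == 0:
        # RFC 7607: a route with AS0 in its AS_PATH is malformed and is
        # dropped (treat-as-withdraw) before origin validation is reached,
        # so an AS0 ROA can never make a real announcement Valid.
        return "Invalid"
    covering = [r for r in roas if covers(r, route_prefix)]
    if not covering:
        return "NotFound"
    if any(matches(r, route_prefix, origin_as) for r in covering):
        return "Valid"
    return "Invalid"


# Constructed actors (private-use ASNs) and documentation prefixes.
HOLDER_AS = 64496     # the address holder's own network
CUSTOMER_AS = 64497   # a multihomed downstream using a more-specific
HIJACKER_AS = 64500   # an unrelated origin announcing the holder's space

# The holder's ROAs: AS0 over both of its /24s, plus an ordinary ROA for
# the /24 it routes itself.  198.51.100.0/24 is held but not yet routed.
ROAS_WITH_AS0 = [
    ROA("203.0.113.0/24", 24, 0),
    ROA("198.51.100.0/24", 24, 0),
    ROA("203.0.113.0/24", 24, HOLDER_AS),
]
# The same holder without the AS0 "lock", for comparison.
ROAS_WITHOUT_AS0 = [ROA("203.0.113.0/24", 24, HOLDER_AS)]
# The ROA the customer must publish to be routable under the lock.
CUSTOMER_ROA = ROA("203.0.113.128/25", 25, CUSTOMER_AS)


def scenarios() -> dict:
    """Evaluate the cases discussed in the text; returns name -> outcome."""
    return {
        # The holder's own announcement is Valid: the AS0 ROA does not
        # override a matching ROA, it only bites where nothing matches.
        "holder_aggregate": validate(ROAS_WITH_AS0, "203.0.113.0/24", HOLDER_AS),
        # A hijack of the routed /24 is Invalid either way.
        "hijack_routed": validate(ROAS_WITH_AS0, "203.0.113.0/24", HIJACKER_AS),
        # Unrouted space: with AS0 a hijack is Invalid ...
        "hijack_unrouted_locked": validate(ROAS_WITH_AS0, "198.51.100.0/24", HIJACKER_AS),
        # ... without AS0 it is merely NotFound, which filters usually accept.
        "hijack_unrouted_unlocked": validate(ROAS_WITHOUT_AS0, "198.51.100.0/24", HIJACKER_AS),
        # The downstream's more-specific is Invalid until it has its own ROA.
        "customer_no_roa": validate(ROAS_WITH_AS0, "203.0.113.128/25", CUSTOMER_AS),
        "customer_with_roa": validate(ROAS_WITH_AS0 + [CUSTOMER_ROA], "203.0.113.128/25", CUSTOMER_AS),
        # Even the holder cannot announce the /25: maxLength 24 does not match.
        "holder_too_specific": validate(ROAS_WITH_AS0, "203.0.113.128/25", HOLDER_AS),
        # A route literally originated by AS0 is rejected outright (RFC 7607).
        "as0_origin": validate(ROAS_WITH_AS0, "203.0.113.0/24", 0),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:26s} {outcome}")
```

The point to take from the comparison rows is that the AS0 ROA never changes the answer for space that already has a matching ROA; it changes NotFound into Invalid for space that has none. Whether that matters on a given router then depends entirely on what its policy does with Invalid versus NotFound routes.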
Adding AS0 ROA creation to MyAPNIC means APNIC resource holders can now make use of this routing-intent signal, if they wish. Remember that the effect of a specific AS0 ROA has to be understood in the context of all other ROAs that exist over the range, and of how operators construct their BGP routing policy and filters, in particular what they do with Invalid and NotFound routes.
BGP handling of AS0 (routes carrying AS0 must be treated as malformed) is defined in RFC 7607, while the meaning of an AS0 ROA in the RPKI is defined in RFC 6483; the validation procedure that combines ROAs is in RFC 6811.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.