The implementation of prop-132 (AS0 for unallocated and unassigned spaces) is completed, and APNIC is now publishing an AS0 Route Origin Authorization (ROA) covering the undelegated IPv4 and IPv6 ranges under our management.
The AS0 ROA provides a standardized way to manage BGP routing to address blocks that have not been allocated officially, and which are often used for harmful purposes like spam or Distributed Denial of Service attacks. It was described in RFC 6483, after which prop-132 was presented to the APNIC community across 2019, and approved on 4 December 2019 by the APNIC Executive Council.
The contents of the AS0 ROA are derived from the APNIC registry, and include all IPv4 and IPv6 ranges that are considered to be ‘available’ or ‘reserved’. This is aligned with the ‘delegated statistics‘ files APNIC publishes daily.
I reported on this project during APNIC 49 in Melbourne, where I presented and asked for feedback on the main implementation considerations at the time:
- The Trust Anchor (TA) would operate from the APNIC Hardware Security Module (HSM), but with different keys to the main APNIC Resource Public Key Infrastructure (RPKI) TA, and therefore with a different Trust Anchor Locator (TAL).
- A single AS0 ROA would be maintained for all unallocated and unassigned space managed by APNIC.
- Operational processes would be improved to reduce delay for republication of the AS0 ROA following allocation processes (that is, the removal of resources from AS0 ROA) to under five minutes in normal circumstances.
- As for our mainline RPKI system, all parts of the AS0 system would be under 24/7 monitoring.
All of these implementation considerations were accepted, and the implementation we have deployed conforms to these goals and guidelines.
Route validation using AS0
If you wish to use the AS0 ROA for route validation, you will need to add the AS0 TAL to your validator, as follows:
rsync://rpki-as0.apnic.net/repository/APNIC-AS0-AP/apnic-rpki-root-as0-origin.cer MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7xn+C9dYQDHGaEIqFteu EnW3r9KJOajc6Jl2ZdgB7qps+dvij1ZAhK/FTKBNGgzM7zLLg2dcDiZRBYd7bgFB C+nZouOCsm/o6JRSZqk84bNqNcxuWuyt0iIBc9n0rZIo4YoJOh1Xjs1lq6B6MikR 2iTC1aApFC/haZAS1/i1awNcvAb9xfVdp0/MpI0Ip8rmJix33NCWtaORkn21JgTr E3H0Ov8oAxYfbHLZQ8sI8gI7yrpipCDok8cCVi7+F579ROXvSpZUFF5a/rtWABoN fXT5nFYMAZJoGoAazBIFBiCUaxUJsaTVChDdAw10qFQu7ZPKyTdoHh+LD0r8Sro7 qwIDAQAB
This TAL file, suitable for use in a validator configuration is also published at: https://tal.apnic.net/apnic-as0.tal.
The TAL above includes only the RSYNC URL of the AS0 TA certificate. It is our intention to deprecate RSYNC and prioritize use of RRDP and HTTPS to fetch RPKI products in the repository as a later activity.
Alternative forms of the TAL are available.
Caveats and warnings
The full terms and conditions governing the use of the APNIC RPKI and the AS0 ROA are documented on the APNIC website. Please read these, especially the section which documents our recommendations for use of the AS0 ROA.
Future work and report to the community
We are collecting usage information and statistics about operation of this new service, and will report to the community at APNIC 50 in the Policy SIG, the Products and Service session and the new Routing Security SIG, which is the home of decision-making for this service. This is the forum for discussion about the AS0 activity by the routing community at large.
SIDROPS (the IETF WG for RPKI) and NOG lists as well as the APNIC Talk and Policy mailing lists have also been informed of the deployment.
Reminder
Please review the caveats and warnings mentioned above, before making use of the AS0 ROA.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.