Policy prop-132 (AS0 for unallocated space) deployed in service

By on 2 Sep 2020

Categories: Tech matters, Policy

The implementation of prop-132 (AS0 for unallocated and unassigned spaces) is completed, and APNIC is now publishing an AS0 Route Origin Authorization (ROA) covering the undelegated IPv4 and IPv6 ranges under our management.

The AS0 ROA provides a standardized way to manage BGP routing to address blocks that have not been allocated officially, and which are often used for harmful purposes like spam or Distributed Denial of Service attacks. It was described in RFC 6483, after which prop-132 was presented to the APNIC community across 2019, and approved on 4 December 2019 by the APNIC Executive Council.

The contents of the AS0 ROA are derived from the APNIC registry, and include all IPv4 and IPv6 ranges that are considered to be ‘available’ or ‘reserved’. This is aligned with the ‘delegated statistics’ files APNIC publishes daily.

I reported on this project during APNIC 49 in Melbourne, where I presented and asked for feedback on the main implementation considerations at the time:

  • The Trust Anchor (TA) would operate from the APNIC Hardware Security Module (HSM), but with different keys to the main APNIC Resource Public Key Infrastructure (RPKI) TA, and therefore with a different Trust Anchor Locator (TAL).
  • A single AS0 ROA would be maintained for all unallocated and unassigned space managed by APNIC.
  • Operational processes would be improved to reduce delay for republication of the AS0 ROA following allocation processes (that is, the removal of resources from AS0 ROA) to under five minutes in normal circumstances.
  • As for our mainline RPKI system, all parts of the AS0 system would be under 24/7 monitoring.

All of these implementation considerations were accepted, and the implementation we have deployed conforms to these goals and guidelines.

Route validation using AS0

If you wish to use the AS0 ROA for route validation, you will need to add the AS0 TAL to your validator, as follows:

 rsync://rpki-as0.apnic.net/repository/APNIC-AS0-AP/apnic-rpki-root-as0-origin.cer

 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7xn+C9dYQDHGaEIqFteu
 EnW3r9KJOajc6Jl2ZdgB7qps+dvij1ZAhK/FTKBNGgzM7zLLg2dcDiZRBYd7bgFB
 C+nZouOCsm/o6JRSZqk84bNqNcxuWuyt0iIBc9n0rZIo4YoJOh1Xjs1lq6B6MikR
 2iTC1aApFC/haZAS1/i1awNcvAb9xfVdp0/MpI0Ip8rmJix33NCWtaORkn21JgTr
 E3H0Ov8oAxYfbHLZQ8sI8gI7yrpipCDok8cCVi7+F579ROXvSpZUFF5a/rtWABoN
 fXT5nFYMAZJoGoAazBIFBiCUaxUJsaTVChDdAw10qFQu7ZPKyTdoHh+LD0r8Sro7
 qwIDAQAB 

This TAL file, suitable for use in a validator configuration, is also published at: https://tal.apnic.net/apnic-as0.tal.

The TAL above includes only the RSYNC URL of the AS0 TA certificate. It is our intention to deprecate RSYNC and prioritize use of RRDP and HTTPS to fetch RPKI products in the repository as a later activity.

Alternative forms of the TAL are available.
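As an added example (not APNIC's code or tooling), a small Python parser that reads the AS0 TAL printed above in its RFC 8630 layout (URI lines, a blank line, then the base64 SubjectPublicKeyInfo; an optional comment section is not handled), checks that the key is a well-formed RSA SubjectPublicKeyInfo, reports the modulus size and a SHA-256 fingerprint to compare against an out-of-band copy before trusting the TAL, and records which URI schemes it offers, which for this TAL is rsync only.

```python
import base64
import hashlib

# The AS0 TAL exactly as printed above (RFC 8630: URI lines, blank line, base64 SPKI).
APNIC_AS0_TAL = """rsync://rpki-as0.apnic.net/repository/APNIC-AS0-AP/apnic-rpki-root-as0-origin.cer

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7xn+C9dYQDHGaEIqFteu
EnW3r9KJOajc6Jl2ZdgB7qps+dvij1ZAhK/FTKBNGgzM7zLLg2dcDiZRBYd7bgFB
C+nZouOCsm/o6JRSZqk84bNqNcxuWuyt0iIBc9n0rZIo4YoJOh1Xjs1lq6B6MikR
2iTC1aApFC/haZAS1/i1awNcvAb9xfVdp0/MpI0Ip8rmJix33NCWtaORkn21JgTr
E3H0Ov8oAxYfbHLZQ8sI8gI7yrpipCDok8cCVi7+F579ROXvSpZUFF5a/rtWABoN
fXT5nFYMAZJoGoAazBIFBiCUaxUJsaTVChDdAw10qFQu7ZPKyTdoHh+LD0r8Sro7
qwIDAQAB
"""
RSA_OID = bytes.fromhex("2a864886f70d010101")  # id rsaEncryption 1.2.840.113549.1.1.1


def _tlv(buf, pos, tag):
    """Check the DER tag at buf[pos]; return (content length, content offset)."""
    if buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    n = buf[pos + 1]
    if n < 0x80:
        return n, pos + 2
    n &= 0x7F
    return int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def rsa_modulus_bits(spki):
    """Walk SPKI -> AlgorithmIdentifier -> BIT STRING -> RSAPublicKey -> modulus."""
    _, pos = _tlv(spki, 0, 0x30)
    alg_len, alg = _tlv(spki, pos, 0x30)
    if RSA_OID not in spki[alg:alg + alg_len]:
        raise ValueError("TA key is not rsaEncryption")
    _, pos = _tlv(spki, alg + alg_len, 0x03)
    _, pos = _tlv(spki, pos + 1, 0x30)  # +1 skips the BIT STRING unused-bits octet
    mod_len, mod = _tlv(spki, pos, 0x02)
    return int.from_bytes(spki[mod:mod + mod_len], "big").bit_length()


def parse_tal(text):
    """Split a TAL into URIs and key, check both, summarise what a validator trusts."""
    head, _, key_b64 = text.strip().partition("\n\n")
    uris = [u.strip() for u in head.splitlines() if u.strip()]
    schemes = sorted({u.split("://", 1)[0] for u in uris})
    if not uris or any(s not in ("rsync", "https") for s in schemes):
        raise ValueError(f"TAL URIs must be rsync or https, got {schemes}")
    spki = base64.b64decode("".join(key_b64.split()), validate=True)
    return {"uris": uris, "schemes": schemes,
            "https_available": "https" in schemes,  # False here: rsync only, as noted
            "modulus_bits": rsa_modulus_bits(spki),
            "sha256": hashlib.sha256(spki).hexdigest()}  # fingerprint to check out of band
```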

Caveats and warnings

The full terms and conditions governing the use of the APNIC RPKI and the AS0 ROA are documented on the APNIC website. Please read these, especially the section which documents our recommendations for use of the AS0 ROA.

Future work and report to the community

We are collecting usage information and statistics about operation of this new service, and will report to the community at APNIC 50 in the Policy SIG, the Products and Service session and the new Routing Security SIG, which is the home of decision-making for this service. This is the forum for discussion about the AS0 activity by the routing community at large.

SIDROPS (the IETF WG for RPKI) and NOG lists as well as the APNIC Talk and Policy mailing lists have also been informed of the deployment.

Reminder

Please review the caveats and warnings mentioned above, before making use of the AS0 ROA.
