From “This IP address hacked my Facebook, can you help me?” to “I need more IPv4”, the APNIC Helpdesk receives all kinds of questions. While some are out of scope, there are several common enquiries relating to Member accounts, managing Internet number resources, and verification that are well within the scope of the APNIC Helpdesk. This post will examine the five most commonly asked questions we get, how to solve them, and how to make sure any interaction with the APNIC Helpdesk is as quick and successful as possible. Let’s jump in.
1. How do I get IP addresses?
Usually, when we receive enquiries about IP addresses, it’s about IPv4. Current APNIC policy allows each APNIC Member to receive a maximum of a /23 IPv4 delegation (512 addresses). If the Member’s business is growing rapidly, they can run out of that very quickly. Members will then approach the Helpdesk and request more IPv4 addresses.
Unfortunately, APNIC policy restricts you from getting more than a /23. However, there are other solutions we can offer.
One solution is to submit a referral application.
If a Member, such as an ISP or large enterprise, has customers with networks that can deploy 50 to 60 IP addresses immediately (25% of a /24, which holds 256 addresses), that Member can easily submit a referral application, so their customers can become APNIC Members and get up to a /23 of IPv4 as a new Member. The original Member can then manage these resources on behalf of their customer, and even make payments on their behalf. However, the legal custodian will be the customer.
Members also enquire about using the services of IPv4 brokers to get additional IP addresses via transfers. APNIC maintains a list of registered IPv4 brokers that have signed an agreement with APNIC to act in the manner described in the Guidelines for IPv4 brokers, but APNIC does not sponsor, endorse, or approve services provided by any broker.
2. How do I create ROAs and route objects?
Route Origin Authorization (ROA) has been around since 2007 to provide some protection against route hijacking and human errors, but has gained traction in our region in recent years. While route objects are required for Internet Routing Registry (IRR) validation, Route Origin Validation (ROV) looks for ROA objects. These concepts can be confusing. APNIC has clearly written documentation on these topics, but they remain frequently asked about at the APNIC Helpdesk.
To create a route object, go to the Route Management tool in MyAPNIC and associate your Autonomous System Number (ASN) with your IP prefix; then let your ISP know. The rest is up to the ISP.
Creating and managing ROAs is a slightly more complicated process because if a ROA is created incorrectly, the BGP announcements can be tagged as ‘RPKI invalid’, and potentially dropped. We have created a detailed guide to help you. Stay informed as to whether your upstream is practicing ROV, and as a best practice, create ROAs for the actual announcements you need and keep them updated if you switch upstreams. If you are unsure about any of this, we can assist throughout the entire process, by phone or chat.
3. IPv4 transfers
We get several enquiries about IPv4 transfers. APNIC follows the IPv4 transfer policy when it comes to transfers. If a Member receives a brand new prefix today it will come from the final /8 (103/8 pool). That prefix must be used for at least five years before it becomes eligible for transfer. If the prefix isn’t in use, it should be returned to APNIC.
The transfer policy also allows for merger and acquisition transfers (business restructures). However, Members must still wait five years to transfer IPv4 prefixes received from the final /8. Only through a merger or acquisition can IPv6 be transferred.
We’re often asked how to initiate transfers. If the resources are not in use after five years, the process is straightforward. Members can initiate a transfer through MyAPNIC. APNIC has created a guide to IPv4 and ASN transfers in MyAPNIC (PDF) that is easy to follow.
Another aspect of this question is ‘live transfers’, which relates to minimizing the impact of the change on route objects. APNIC has recently made the live transfer process more seamless by providing a two-week window for the deletion of the existing ROA objects. This prevents any ROA-related issues from impacting existing BGP announcements. Once the transfer is complete, the recipient can create new ROAs to suit their own BGP announcements. The coexistence of the old ROA and new ROA objects will not cause routing problems during this two-week period.
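The validation outcome behind the ROA advice in section 2 and the two-week coexistence window described above, as an added example that is not APNIC's code: a minimal origin-validation check in the style of RFC 6811, run over constructed ROAs. The prefixes and ASNs are documentation values, and the names `validate`, `ROAS` and `demo` are assumptions made for this illustration.

```python
import ipaddress

# Constructed sample ROAs (documentation prefixes and ASNs, not real data).
# Each entry: (prefix, maxLength, authorised origin ASN).
OLD_HOLDER_ROA = ("198.51.100.0/23", 24, 64500)
RECIPIENT_ROA = ("198.51.100.0/23", 23, 64511)
ROAS = [("203.0.113.0/24", 24, 64500), OLD_HOLDER_ROA, RECIPIENT_ROA]


def validate(prefix, origin_asn, roas=ROAS):
    """Classify a BGP announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_length, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA is relevant only if its prefix covers the announced prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match: same origin, announcement no longer than maxLength, not AS0.
        if (roa_asn == origin_asn and roa_asn != 0
                and route.prefixlen <= max_length):
            return "valid"
    # Covered by at least one ROA but matched by none: RPKI invalid.
    return "invalid" if covered else "not-found"


def demo():
    return {
        "exact announcement": validate("203.0.113.0/24", 64500),
        "more specific than maxLength": validate("203.0.113.0/25", 64500),
        "wrong origin ASN": validate("203.0.113.0/24", 64501),
        "no covering ROA": validate("192.0.2.0/24", 64500),
        # Transfer window: both ROAs exist, so both origins validate.
        "old origin, both ROAs": validate("198.51.100.0/23", 64500),
        "new origin, both ROAs": validate("198.51.100.0/23", 64511),
        # After the old ROA is deleted, only the recipient's origin validates.
        "old origin, old ROA deleted": validate(
            "198.51.100.0/23", 64500, [RECIPIENT_ROA]),
    }


if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case:32} {state}")
```

The second and third cases are the usual ways a ROA that does not match the actual announcement produces ‘RPKI invalid’: a more-specific prefix than maxLength allows, or an origin ASN the ROA does not name.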
4. Enquiries about IRT validation
This is another policy-related enquiry. The APNIC Whois Database holds public information such as contact details and it’s APNIC’s responsibility as a registry to keep the records up to date. Because anyone can view this database, Members are reluctant to add working email addresses due to the potential for spam, so the listed accounts can end up being ignored.
These email addresses serve important roles, such as reporting network abuse if a bad actor has hijacked those IP addresses. The listed email addresses must, therefore, be active and checked regularly in case APNIC needs to contact the real custodian. To ensure this, it was made mandatory to register an Incident Response Team (IRT) object for each APNIC account. The IRT object contains a contact email address that must be validated every six months.
So, we send the listed email addresses a validation link every six months. If the address isn’t validated within 30 days, the associated MyAPNIC account access will be suspended. This is quite common: requests to restore MyAPNIC access after an email address was not validated are a big part of our queue. The solution is simple: don’t put any unattended email addresses on the IRT object.
5. Updating Member account contacts
It’s inevitable that the person managing Member resources will change due to organizational or employment changes. When a new person is given the task of managing resources, they may not have access, so they reach out to the APNIC Helpdesk seeking permission to access the account.
There are simple things Member organizations can arrange to avoid this process. The person who’s leaving or no longer managing the resources should add the new contact through MyAPNIC’s contact management. To do this, go to ‘administration’, then select ‘contact details’ and add the new resource manager’s details. If the person leaving isn’t willing to log in to MyAPNIC, they can just send an email with the new contact details to the APNIC Helpdesk saying ‘I’m leaving. Please appoint this person on behalf of me’. It’s important that those details come from the authorized resource manager’s registered email because it will be accepted without the need for verification.
However, if neither of those processes is possible, the new resource manager can contact us directly by submitting a Corporate Contact Form. The Corporate Contact Form is a legal document stating that you need access to the account and you are the authorized person representing the organization.
The easiest solution to this problem is to keep Member account contacts updated — don’t wait until you lose access.
How to make any enquiry faster
There are some simple steps you can take to make any problem easier to solve. Any time you need to contact the APNIC Helpdesk, gather your organization’s APNIC credentials so you have as much information at your fingertips as possible. If you are an existing Member, it’s preferable to send a short email from the registered email address to firstname.lastname@example.org.
If the situation is urgent, call or contact the Helpdesk via chat immediately after sending the email and refer to the ticket you received from the email.
Let me know in the comments below if you’d like me to clarify more commonly asked questions, or even answer your specific query. Otherwise, you can easily contact APNIC Helpdesk staff for assistance — we’re happy to help.