Search RPD Archives
Limit search to: Subject & Body Subject Author
Sort by:

[rpd] AFPUB-2019-GEN-006-DRAFT01: "RPKI ROAs for Unallocated and Unassigned AFRINIC Address Space"

Sylvain Baya abscoco at gmail.com
Fri Jan 3 23:01:55 UTC 2020


Hi all,

Best wishes for this new year ; added in the Grace era !

Please my comments are below (inline)...

2020-01-03 17:46 UTC+01:00, Owen DeLong <owen at delong.com>:

>

>

>> On Dec 30, 2019, at 06:38 , Paschal Ochang <pascosoft at gmail.com> wrote:

>>

>> Hello Jordi,

>> feliz Navidad y un Feliz Año Nuevo.

>>

>> I have some concerns regarding this proposal and also some clarifications

>> .

>>

>> I think statistically AFRINIC has a good percentage of IPv4 address space

>> covered by route origin authorization as compared to APNIC. APNIC has a

>> very low percentage statically hence it's hurried acceptance of the

>> proposal.

>

> I corrected the subject line to be descriptive of what is meant by “the

> proposal/this proposal”…

>


Dear Owen,

Thanks for your email.

...yes ! adjusting the subject line helps to focus the discussion,
but i'm not sure that there was a real need in this particular case :-/

...btw, your timing is perfect, with the new year :-D


>

> There’s no relationship between your statement and the proposal.

>


...not sure !
But if you append ‘intent’ to ‘proposal’ ; then i'll certainly agree ; -)

...please see below.


>

> The proposal creates AS0 ROAs for addresses in the RIR inventory which have

> not been issued or which have been reclaimed or returned.

>


Exact !

...but don't forget that usually, in this PDWG, the title and problem statement
(and even the description of the proposed solution) of a DPP (Draft Policy
Proposal) means nothing.

Yes, that's sad ! but true :'-(


>

> It has nothing to do with addresses which have been issued but are not

> covered by an ROA.

>

> As such, I see no problem with the proposal.

>

>> I think using the approach in this policy is majorly to handle accidental

>> incidents rather than malicious attacks whereby someone might try to

>> manipulate an AS path.

>

> RPKI does nothing at all to help with manipulated AS Paths. It is only

> effective against prefixes originated from the wrong ASN.

>

> In the case of this policy, it will aid in the prevention/detection of

> unauthorized use of unallocated number resources.

>

>> It is suggested to always drop invalid announcements, rather than applying

>> a lower preference. This is because sub-prefix hijackings would be still

>> possible if invalids are accepted and this would go against the purpose of

>> RPKI validation. However I think the text should state how invalids

>> should be dropped in order not to trigger loosing connectivity.

>

> I’m not sure how many different ways you think there are to drop a route. At

> least on the routers I’ve run (Cisco, Juniper, Mikrotik, Vyatta, Ascend,

> Livingston, Foundry, etc.), you can either drop a prefix or accept it. The

> decision is binary and there are not multiple “ways” to drop on. In some

> cases, you can choose additional behaviors such as logging, but I hardly see

> that as relevant to whether connectivity is preserved or not.

>

> I think what you may be missing in your understanding is that Invalid is not

> the same as Unknown. RPKI validation provides three possible results:

> 1. Valid — The route matches a ROA and the ROA matches the Origin ASN.

> Further, the ROA signature chain is cryptographically valid.

> 2. Invalid — The route matches a ROA, but either the ROA signature fails

> validation or the Origin ASN does not match or the prefix length is longer

> than the specified maximum.

> 3. Not Found/Unknown — The route does not match a ROA

>

> Note that a prefix which is shorter than an intersecting ROA is considered

> not to match. See table below for details on how this works out:

>

>

> ROA Prefix

> MAX Length

> Origin AS

> Received Prefix

> Origin AS

> Result

>

> 192.0.2.0/24

> 24

> 65550

> 192.0.2.0/24

> 64498

> Invalid

>

> 192.0.2.0/24

> 24

> 65550

> 192.0.2.0/28

> 64498

> Invalid

>

> 192.0.2.0/24

> 24

> 65550

> 192.0.2.0/24

> 65550

> Valid

>

> 192.0.2.0/24

> 24

> 65550

> 192.0.2.0/28

> 65550

> Invalid

>

> 192.0.2.0/28

> 28

> 65550

> 192.0.2.0/24

> 64498

> Unknown

>

> 192.0.2.0/28

> 28

> 65550

> 192.0.2.0/24

> 65550

> Unknown

>

> 192.0.2.0/28

> 28

> 65550

> 192.0.2.0/28

> 64498

> Invalid

>

> 192.0.2.0/28

> 28

> 65550

> 192.0.2.0/28

> 65550

> Valid

>

> 192.0.2.0/24

> 24

> 65550

> 192.0.2.64/26

> 65550

> Invalid

>

> 192.0.2.0/24

> 28

> 65550

> 192.0.2.64/26

> 65550

> Valid

>

>

>> Finally I dont think it will be a nice idea allowing resource holders to

>> create AS0 ROA as I think this scenario might increase the issue of

>> invalid prefixes in the routing tables.

>

> This proposal does not allow resource holders to create AS0 ROAs. It expects

> AfriNIC to create AS0 ROAs for space which is within AfriNIC administration,

> but which is not currently issued.

>


...i think the following portion of the [1] text explains the concerns
raised by Paschal :

“[...] Any resource holder can create AS0 (zero) ROAs for the
resources they have
under their account/administration.

An RPKI ROA is a positive attestation that a prefix holder has
authorized an Autonomous System to originate a route for this prefix
to the global BGP routing table. An RPKI ROA for the same prefixes
with AS0 (zero) origin shows a negative intent from the resource
holder to have the prefixes advertised in the global BGP routing
table. [...]”
__
[1]: <https://afrinic.net/policy/proposals/2019-gen-006-d1/amp>


>

> I hope that clarifies the situation.

>


...not sure, but you did more for most of the participants, in
promoting RPKI (Resource Public Key Infrastructure), ROA (Route Origin
Autorisation) and ROV (RPKI-based route Origin Validation). So,
validate and drop non-valid routes...

IMHO, what would clarify is to :

•—/
•'drop'/remove that portion of the text :-)
• (eventually) create a sub-section to provide definitions
for new concepts. The definition sub-section would remove
any ambiguity.
• (even if i think that this proposal is too much operational)
simplify the core policy text like this :
•1| “AFRINIC MUST/will create ROAs with origin AS0 for all
the unallocated and unassigned address space (IPv4 & IPv6)
for which it is the current administrator.”
•2| (i prefer this less operational version) “AFRINIC MUST/will
flag/mark all the unused (unallocated & unassigned) address
space (IPv4 & IPv6) for which it is the current administrator.
In order to render its unused address space unsquattable
in a global secured routing context.”
• ...
•—\

The difference with my version (2|) is that it's more agnostic
(technologcally/operationally speaking) and portable then it
could (probably) more easily pass in all RIRs with the same
text. To be proposed as a global policy : final/first goal of the
authors :-)

...to be clearer, i prefer ‘resource’ rather than ‘address space’ ;-)

Shalom,
--sb.


>

> Owen

>

>>

>> On Tuesday, November 5, 2019, JORDI PALET MARTINEZ via RPD

>> <rpd at afrinic.net <mailto:rpd at afrinic.net>> wrote:

>> Hi Sylvain,

>>

>>

>>

>>

>>

>>

>>

>> El 5/11/19 6:11, "Sylvain Baya" <abscoco at gmail.com

>> <mailto:abscoco at gmail.com>> escribió:

>>

>>

>>

>> Hi all,

>>

>>

>>

>> Hope you are doing well.

>>

>>

>>

>> Please comments below (inline)...

>>

>>

>>

>> Le mardi 5 novembre 2019, JORDI PALET MARTINEZ via RPD <rpd at afrinic.net

>> <mailto:rpd at afrinic.net>> a écrit :

>>

>> Hi all,

>>

>> [...]

>> This is the list of new policy proposals (note that the numbering can be

>> modified by the staff when published).

>>

>> 1) AFPUB-2019-IPv6-002-DRAFT01: "Adjusting IPv6 PA Policy"

>> Solves a discrepancy between IPv6 PI and IPv6 PA regarding the

>> announcement of aggregated addressing space.

>>

>> 2) AFPUB-2019-GEN-003-DRAFT01: "Chairs Elections Process"

>> Including in the CPM a detailed procedure for the chair's elections.

>>

>> 3) AFPUB-2019-GEN-004-DRAFT01: "M&A Resource Transfers"

>> Including in the CPM intra-RIR M&A for ASN, IPv4 and IPv6.

>>

>> 4) AFPUB-2019-GEN-005-DRAFT01: "Impact Analysis is Mandatory"

>>

>> 5) AFPUB-2019-GEN-006-DRAFT01: "RPKI ROAs for Unallocated and Unassigned

>> AFRINIC Address Space"

>>

>>

>>

>> ...i like this one. I recall that i was thinking ok how to solve the

>> problem of 'Internet resources

>>

>> squatting'. I was naively imagining a solution where a RIR will have to

>> flag all their

>>

>> unallocated|unassigned Address Space ; via a particular attribute of the

>> IRR (Internet Routing

>>

>> Registry). Now i understand that i was not too dummy or even crazy :-)

>>

>>

>>

>> Oh no! In that case the crazy one is me :-) !

>>

>>

>>

>> Please send me your DPP (Draft Policy Proposal), i can not wait more to

>> review it ;-)

>>

>> Thanks.

>>

>>

>>

>> I was thinking in sending them in order (2 more today, 2 more tomorrow),

>> but as you have interest in this one. My next one will be this one, I

>> promise! Give me first a few minutes to respond to all the emails I got

>> till now …

>>

>>

>>

>> Shalom,

>>

>> --sb.

>>

>>

>>

>> Updated policy proposals:

>>

>> a) AFPUB-2019-ASN-001-DRAFT03: "Multihoming not required for ASN"

>>

>> b) AFPUB-2019-IPv4-002-DRAFT02: "IPv4 Inter-RIR Resource Transfers

>> (Comprehensive Scope)"

>>

>> c) AFPUB-2018-GEN-001-DRAFT04: "Abuse Contact Policy Update"

>>

>> Regards,

>> Jordi

>> @jordipalet

>>

>> [...]

>>

>>

>>

>> --

>>

>>

>>

>>

>>

>> --

>>

>>

>>

>> Best Regards !

>>

>>

>>

>> Sylvain BAYA

>>

>> cmNOG's Co-Founder & Coordinator

>>

>> (+237) 677005341

>>

>> PO Box 13107 YAOUNDE / CAMEROON

>>

>> baya.sylvain [AT cmNOG DOT cm]

>>

>> abscoco2001 [AT yahoo DOT fr]

>>

>> http://www.cmnog.cm <http://www.cmnog.cm/>

>> https://cmnog.wordpress.com <https://cmnog.wordpress.com/>

>> ************************

>>

>> ‪#‎LASAINTEBIBLE(‪#‎Romains15:33):"Que LE ‪#‎DIEU de ‪#‎Paix soit avec

>> vous tous!‪#‎Amen!"

>>

>> ‪#‎MaPrière est que tu naisses de nouveau.

>>

>> ‪#‎Chrétiennement

>>

>> « Comme une biche soupire après des courants d’eau, Ainsi mon

>> âme soupire après toi, ô DIEU! » (Psaumes 42 :2)

>>

>>

>>

>>

>> _______________________________________________ RPD mailing list

>> RPD at afrinic.net <mailto:RPD at afrinic.net>

>> https://lists.afrinic.net/mailman/listinfo/rpd

>> <https://lists.afrinic.net/mailman/listinfo/rpd>

>> **********************************************

>> IPv4 is over

>> Are you ready for the new Internet ?

>> http://www.theipv6company.com <http://www.theipv6company.com/>

>> The IPv6 Company

>>

>> This electronic message contains information which may be privileged or

>> confidential. The information is intended to be for the exclusive use of

>> the individual(s) named above and further non-explicilty authorized

>> disclosure, copying, distribution or use of the contents of this

>> information, even if partially, including attached files, is strictly

>> prohibited and will be considered a criminal offense. If you are not the

>> intended recipient be aware that any disclosure, copying, distribution or

>> use of the contents of this information, even if partially, including

>> attached files, is strictly prohibited, will be considered a criminal

>> offense, so you must reply to the original sender to inform about this

>> communication and delete it.

>>

>> _______________________________________________

>> RPD mailing list

>> RPD at afrinic.net

>> https://lists.afrinic.net/mailman/listinfo/rpd

>

>




--
Best Regards !
baya.sylvain [AT cmNOG DOT cm] | <https://www.cmnog.cm> |
<https://survey.cmnog.cm>
Subscribe to Mailing List : <https://lists.cmnog.cm/mailman/listinfo/cmnog/>
__
#‎LASAINTEBIBLE‬|‪#‎Romains15‬:33«*Que LE ‪#‎DIEU‬ de ‪#‎Paix‬ soit avec
vous tous! ‪#‎Amen‬!*»
‪#‎MaPrière‬ est que tu naisses de nouveau. #Chrétiennement‬
«*Comme une biche soupire après des courants d’eau, ainsi mon âme soupire
après TOI, ô DIEU!*» (#Psaumes42:2)



More information about the RPD mailing list