[RPKI] suggestion to remove as0 restriction in krill 0.8.0

Jay Borkenhagen jayb at braeburn.org
Sun Nov 1 16:32:22 UTC 2020 

Hi,

I agree with Job here, that Krill should impose no special
restrictions with respect to AS0 ROAs.

Whatever their rationale, some people do publish ROAs authorizing AS0
along with other ASes, e.g. these VRPs under 80.128.0.0/11:

AS0,80.128.0.0/11,11,ripe
AS3320,80.128.0.0/11,11,ripe
AS3320,80.128.0.0/12,12,ripe
AS3320,80.144.0.0/13,13,ripe
AS3320,80.152.0.0/14,14,ripe
AS3320,80.156.0.0/16,16,ripe
AS3320,80.157.0.0/16,16,ripe
AS3320,80.157.8.0/21,21,ripe
AS3320,80.157.16.0/20,20,ripe
AS34086,80.158.0.0/17,24,ripe
AS6878,80.158.0.0/21,24,ripe
AS6878,80.158.0.0/23,23,ripe
AS6878,80.158.16.0/20,24,ripe
AS6878,80.158.31.0/24,24,ripe
AS6878,80.158.32.0/19,24,ripe
AS6878,80.158.72.0/21,24,ripe
AS6878,80.158.80.0/20,24,ripe
AS6878,80.158.96.0/19,24,ripe
AS2792,80.159.224.0/19,24,ripe

I'd say, if these folks really feel there is value in doing this kind
of thing, let them.

Thanks.

						Jay B.

Job Snijders via RPKI writes:
 > Hi,
 > 
 > I saw in the release notes:
 > 
 >     """
 >     ROAs that use AS0 can be used in the RPKI to indicate that the
 >     holder of a prefix does NOT want the prefix to be routed on the
 >     global internet. In our understanding this precludes that ROAs for a
 >     real ASN for those resources should be made. Krill will therefore
 >     refuse to make AS0 ROAs for prefixes already covered by a real ASN
 >     ROA, and vice versa. Furthermore the presence of an AS0 ROA implies
 >     that announcements for covered prefixes are intentionally RPKI
 >     invalid. Therefore Krill will not suggest to authorize such
 >     announcements.
 >     """
 > 
 > I believe this to be a misunderstanding on the meaning of the value '0'
 > as the asID in RPKI ROAs. I suggest to remove this restriction.
 > 
 > A network operator may create a 'asID 0' ROA for its aggregate, as the
 > starting point of the use of the allocation, and then subsequently
 > create one or more covering ROAs with asID's referencing the customers
 > of such allocations. The co-existence of 'asID 0' and other ROAs can be
 > the result of thinking that as a baseline the space should not be
 > routable, unless specified otherwise.
 > 
 > From a BGP routing perspective the presence of 'asID 0' ROAs is
 > effectively is moot if other ROAs exist too, making this phenomena
 > somewhat counter-intuitive. Combining 'asID 0' with partially or fully
 > covering ROAs with non-zero asIDs is a perfectly valid configuration,
 > which I believe krill should support.
 > 
 > The asID 0 restriction introduced in krill 0.8.0 is not supported by any
 > standards documentation as far as I know.
 > 
 > Kind regards,
 > 
 > Job
 > -- 
 > RPKI mailing list
 > RPKI at lists.nlnetlabs.nl
 > https://lists.nlnetlabs.nl/mailman/listinfo/rpki

More information about the RPKI mailing list