RPKI Objects issued by IANA

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in .

An Infrastructure to Support Secure Internet Routing directs IANA to issue RPKI objects for which it is authoritative. This document describes the objects IANA will issue. The signed objects described here that IANA will issue are the unallocated, reserved, special use IPv4 and IPv6 address blocks, and reserved Autonomous System numbers. These number resources are managed by IANA for the IETF, and thus IANA bears the responsibility of issuing the corresponding RPKI objects. The reader is encouraged to consider the technical effects on the public routing system of the signed object issuance proposed for IANA in this document. This document does not deal with localized BGP routing systems as those are under the policy controls of the organizations that operate them. Readers are directed to Local Trust Anchor Management for the Resource Public Key Infrastructure for a description od how to locally override IANA issued objects, e.g. to enable use of unallocated, reserved, and special use IPv4 and IPv6 address blocks in a local context. The direction to IANA contained herein follows the ideal that it should represent the perfect technical behavior in registry, and related registry, actions.

Readers should be familiar with the RPKI, the RPKI Repository Structure, and the various RPKI objects, uses and interpretations described in the following: , , , , , , , , .

Internet Number Resources (INR): The number identifiers for IPv4 and IPv6 addresses, and for Autonomous Systems. IANA: Internet Assigned Numbers Authority (a traditional name, used here to refer to the technical team making and publishing the assignments of Internet protocol technical parameters). The technical team of IANA is currently a part of ICANN . RPKI: Resource Public Key Infrastructure. A Public Key Infrastructure designed to provide a secure basis for assertions about holdings of Internet numeric resources. Certificates issued under the RPKI contain additional attributes that identify IPv4, IPv6, and Autonomous System Number (ASN) resources. ROA: Route Origination Authorization. A ROA is an RPKI object that enables the holder of the address prefix to specify an AS that is permitted to originate (in BGP) routes for that prefix. AS0 ROA: Validation of Route Origination using the Resource Certificate PKI and ROAs states "A ROA with a subject of AS0 (AS0-ROA) is an attestation by the holder of a prefix that the prefix described in the ROA, and any more specific prefix, should not be used in a routing context." “Not intended to be (publicly) routed”: This phrase refers to prefixes that are not meant to be represented in the global Internet routing table (for example 192.168/16, ).

Reserved IPv4 and IPv6 resources are held back for various reasons by IETF action. Generally such resources are not intended to be globally routed. An example of such a reservation is 127.0.0.0/8 IANA should issue an AS0 ROA for all reserved IPv4 and IPv6 resources not intended to be routed There are a small number of reserved resources which are intended to be routed, for example 192.88.99.0/24 IANA MUST refrain from issuing any ROAs (AS0 or otherwise) for reserved resources that are expected to be globally routed.

Internet Number Resources that have not yet been allocated for special purposes , to Regional Internet Registries (RIRs), or to others are considered as not intended to be globally routed. IANA MUST issue an AS0 ROA for all Unallocated Resources.

Special Registry Resources fall into one of two categories in terms of routing. Either the resource is intended to be seen in the global Internet routing table in some fashion, or it isn't. An example of a special purpose registry INR that is intended for global routing is 2001:0000::/32 . An example of an INR not intended to be seen would be 2001:002::/48 IANA MUST refrain from issuing any ROAs (AS0 or otherwise) for Special Purpose Registry Resources that are intended to be globally routed. IANA MUST issue an AS0 ROA for Special Purpose Registry Resources that are not intended to be globally routed.

Within the IPv4 Multicast and IPv6 Multicast registries there are a number of Multicast registrations that are not intended to be globally routed. IANA MUST issue an AS0 ROA covering the following IPv4 and IPv6 multicast INRs:

IANA MUST refrain from issuing any ROAs (AS0 or otherwise) for any other multicast addresses unless directed.

One informational object that can exist at a publication point of an RPKI repository is the Ghostbusters Record. IANA MUST issue a ghostbusters object appropriate in content for the resources IANA maintains.

Before IANA can issue a ROA it MUST first establish a RPKI Certificate Authority (CA) that covers unallocated, reserved, and special use INRs by containing RFC 3379 extensions for those corresponding number resources in the CA Certificate. This CA MUST issue single use End Entity (EE) certificates for each ROA. The EE certificate will conform to the Resource Certificate Profile and the additional constraints specified in . IANA MUST maintain a publication point for this CA's use and publish manifests (with its corresponding EE certificate). A Certificate Revocation List (CRL) will be issued under this CA certificate. All objects issued by this CA will conform to a published Certificate Policy.

This document directs IANA to issue, or refrain from issuing, the specific objects described here for the current set of reserved, unallocated, and special registry Internet Number Resources. Further it MUST notify all other INR registries that RPKI objects have been issued for specific Internet Number Resources to avoid duplicates being issued thus reducing the burden on any relying party.

This document does not alter the security profile of the RPKI from that already discussed in SIDR-WG documents.

The authors acknowledge Dave Meyer for helpful direction with regard to multicast assignments.