[44net] Suggestions on ROA and route records for AMPRnet space

I think there are a few things that could be done in terms of BGP subnets. Adding a property to Allocations and Assignments in the AMPRnet Portal that adds a column to the table when browsing with the authorized ASN. The fixing of whois.ampr.org The addition of origin: properties, similar to regular RPSL (RFC2622) route records to the aforementioned whois server using the ASN property. Additionally in future with that property in the portal creating an ROA for the subnet automatically. With that/those ASN(s) being added to the origin property in the whois as mentioned. Making BGP routing of 44net more secure cause of the ROAs. Note: for those not familiar with RPKI ROAs, it's a system of cryptography that allow verifiable authorization of BGP announcements. Since none of the data ever sent is encrypted, but simply signed with all the public keys, no data is not readable. It would to my knowledge at least comply with Canadian amateur regulations in regards to cryptography for over the air amateur transmissions. Further using that same data to automatically generate route records in ARIN. The addition of an ASN property to the portal with automatic ARIN route records and ROAs could make significant strides in helping ensure announcements are consistent with ARDC's goals. Whilst it won't fix abuse and commercial usage of AMPRnet. It will help in the enforcement of policies and eliminate hijacking of AMPRnet space, where I have several times reported such hijacks as I've come across them. As more and more networks and internet backbones reject routes that have invalid ROAs with more doing so over the years makes prefixes routable across the internet effectively impossible with an ROA that mismatches. In terms of the automation of this, I am not aware of how the backend of the portal functions but no doubt it wouldn't require a massive overhaul to implement the automatic ROA and route record functions I've mentioned. ARIN provides a method for organizations to use an API to submit ROAs and route records automatically. I have used the API myself and am working on an automated system for some of my other networks. I would suggest that once the system has been put into place, that all allocatees that hold a /24 or more receive an email stating they must submit the authorized ASN(s) by $date via the portal. And at such time an AS0 (or UCSD's AS7377) ROA for 44.0.0.0/9 and 44.128.0.0/10 will be issued making their announcement invalid without submitting an ASN and thus an ROA issued having their address space un-announceable via BGP. I have mainly kept silent on this mailing list however I think that the addition of these changes are the best way to go all things considered. I thought this would be relevant considering the talk about abuse and how to control unauthorized announcements. And these changes would make revoking BGP announcements on unresponsive parties possible, easy and efficient for ARDC. Please be easy on me, I'm not that comfortable talking on mailing lists. Just some suggestions that could help. Thought this was going to be a shorter email. woops. Sincerely, Keaton VE5LPL A Saskatchewian ham who does stuff and things https://kagl.me me(a)kagl.me On 11/20/21 12:01 PM, Steve L via 44Net wrote: