[arin-ppml] Draft Policy ARIN-2021-8: Deprecation of the 'Autonomous System Originations' Field

James Hulce james.hulce at students.tesu.edu
Fri Apr 22 05:23:17 EDT 2022


Draft Policy ARIN-2021-8: Deprecation of the 'Autonomous System
Originations' Field [1] has received scant discussion so far [2].
However, I believe that significant issues exist with this proposal
and its downstream effects on the greater internet ecosystem and thus
object to it. While a conversation regarding the role and future of
this dated service is undoubtedly warranted, moving directly to
deprecation may be premature. First, let's properly evaluate its role,
usage, and future.

The optional Whois 'OriginAS' field exists in a weird place in the
routing information landscape. The current policy proposal's problem
statement notes that it is now one of several overlapping means for IP
resource holders to publish intended route originations. Newer
information services, namely RPKI and authenticated IRR, bring some
advantages and, accordingly, receive more attention. OriginAS data is
challenging to acquire, consume, and employ due to its home in the
Whois system, which was not designed for accessible or scalable
distribution of routing policy. The proposal cites these hurdles as
supporting reasons for discontinuance. Additionally, the field is a
legacy ARIN-ism, with no equivalence at the other RIRs. As a result,
ARIN carries an extra burden of complexity and technical debt.
Unsurprisingly, these points prompted valid questions regarding the
future of Whois OriginAS.

Nonetheless, a community of consumers at several internet exchange
points and network operators rely on Whois OriginAS data to build
filters and perform other tasks. Such usage was not previously
mentioned in this forum, and analyzing it is vital to understanding
the role the 'Autonomous System Originations' Field currently plays.
Moving ahead with its deprecation now may set off a situation similar
to the recent ARIN-NONAUTH retirement, but with much less forethought.
We need to seek out the users of Whois OriginAS and include their
perspectives in a thorough analysis.

Like RPKI and authenticated IRR, OriginAS is used to guard against
prefix mis-origination by providing a trustworthy linkage between IP
space and associated autonomous systems. Furthermore, Whois OriginAS
sidesteps much of the cruft surrounding IRR databases. All IP
resources already have one authoritative Whois record and will never
have more than one. The jumble of records across numerous disparate
stores, as seen in IRR, is avoided. Old, surplus entries, such as the
proxy records seen in IRR, cannot accumulate. It's easy to add or edit
Whois OriginAS information, in contrast to the rather intimidating
RPKI setup procedure [3]. Like RPKI and the new ARIN IRR, OriginAS
data is authenticated and trustworthy. Also, everyone possessing IP
resources in the ARIN region, including all legacy IPv4 block holders,
can provide OriginAS information in their Whois records. Per recent
posts from John Curran [4], legacy issuances without an LRSA comprise
just over a third of ARIN IPv4 space. Whois OriginAS is the only way
for these entities to securely assert authorized prefix originations,
as they cannot publish in RPKI or the new ARIN IRR [5]. If the
Autonomous System Originations Field were deprecated, many networks
could lose important routing security protections.

Today, Whois OriginAS exists on an isolated informational island.
Policy ARIN-2006-3 [6] gives "constructing routing filter lists to
counter bogus originations" as its first rationale for maintaining
lists of authorized prefix originations, but the present arrangement
does not facilitate this. Current ARIN documentation [7] envisages
OriginAS data as a tool for LOA validation but makes no mention of
possible uses in operational filtering. However, various third parties
independently synthesize IRR information from the authenticated
prefix-origin pairs provided by OriginAS, in addition to RPKI. Past
roadmaps for the new ARIN IRR did mention the possibility of creating
mirrored IRR records from RPKI ROAs [8], but Whois OriginAS was not
included in that push. Amending NRPM 3.5.2 [9] to specify improved
OriginAS publication routes, such as via IRR mirroring, seems to be a
plausible avenue to enable easier consumption of OriginAS data.

The intrepid ecosystem of OriginAS data consumers was perhaps born by
Job Snijders, who pioneered this usage [10] and made several NOG
presentations spreading the word [11]. Job encountered several
thousand impacted prefix announcements, which lacked IRR records but
were confirmed with OriginAS data. At a prominent IRR aggregator [12],
community infrastructure performs conversion to IRR format. Several
IXPs utilize this on their route servers [13].

Ultimately, we need additional data and input from ARIN and the
community to empower a fact-based review. First, I'd like to know how
many ARIN Whois records have OriginAS information, broken down by
prefixes and address space. Second, is all of the data in a consistent
and normalized machine-readable form? Third, how well does the
OriginAS information conform with observed routing reality? Fourth,
what experiences or observations do users of ARIN Whois OriginAS have?

I am a newcomer to this space and was not here for the birth of
OriginAS, so please share anything I've missed. I lack any personal
experience using the Autonomous System Originations field, but I know
that others who do are yet to speak up regarding this draft policy.

Sincerely,
James Hulce
ARIN 49 Fellow

[1] https://www.arin.net/participate/policy/drafts/2021_8/
[2] https://lists.arin.net/pipermail/arin-ppml/2022-January/069395.html
[3] https://www.arin.net/vault/participate/meetings/reports/ARIN_35/PDF/sunday/newton_rpki.pdf
[4] https://lists.arin.net/pipermail/arin-ppml/2022-April/069547.html
and https://mailman.nanog.org/pipermail/nanog/2022-April/218945.html
[5] https://www.arin.net/resources/guide/legacy/services/
[6] https://www.arin.net/vault/policy/proposals/2006_3.html
[7] https://www.arin.net/resources/registry/originas/ and
https://www.arin.net/blog/2016/07/07/origin-as-an-easier-way-to-validate-letters-of-authority/
see also https://mailman.nanog.org/pipermail/nanog/2022-April/218944.html
[8] https://www.arin.net/vault/resources/routing/2018_roadmap.html
see also https://lists.arin.net/pipermail/arin-consult/2018-April/001084.html
aside: what is the current status on this? I can't find any recent
updates on RPKI mirroring in IRR
[9] https://www.arin.net/participate/policy/nrpm/#3-5-autonomous-system-originations
[10] https://medium.com/@jobsnijders/a-new-source-for-authoritative-routing-data-arin-whois-5ea6e1f774ed
and https://mailman.nanog.org/pipermail/nanog/2017-December/093525.html
interestingly, this conflicts with
https://mailman.nanog.org/pipermail/nanog/2022-April/218944.html
[11] Examples:
NANOG: https://pc.nanog.org/static/published/meetings/NANOG72/1634/20180221_Snijders_Using_Arin_Whois_v1.pdf
RIPE: https://ripe76.ripe.net/presentations/43-RIPE76_IRR101_Job_Snijders.pdf
[12] NTT at https://www.gin.ntt.net/support-center/policies-procedures/routing-registry/#irrd
note that, like many consumers, they refer to ARIN-sourced Whois
OriginAS as "ARIN-WHOIS"
[13] Assorted IXP Examples:
Seattle-IX: https://www.seattleix.net/route-servers
YYCIX: https://yycix.ca/communities.html
QCIX: https://www.qcix.net/rs_description.html
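
Added example, not part of the original post and not code from ARIN, NTT, or any IXP named above: a sketch of the conversion the message describes, turning Whois OriginAS prefix-origin pairs into IRR-style route objects tagged "ARIN-WHOIS" and checking an announcement against them. The record layout, the helper names, and the choice to treat more-specifics of a registered block as covered are assumptions of this example; the sample data is constructed from documentation prefixes and AS numbers.

```python
import ipaddress
import re

# Constructed sample in the style of Whois text output (assumed layout;
# documentation prefixes and AS numbers, not real registry data).
SAMPLE_WHOIS = """\
CIDR:           192.0.2.0/24
OriginAS:       AS64496, as64497

CIDR:           198.51.100.0/24
OriginAS:

CIDR:           203.0.113.0/24
OriginAS:       64498
"""

def parse_origin_pairs(text):
    """Return a set of (ip_network, asn) pairs, normalizing ASN spelling."""
    pairs = set()
    for record in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in record.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
        # Accept "AS64496", "as64496" or a bare number; empty field yields none.
        asns = {int(a) for a in re.findall(r"(?:AS)?(\d+)", fields.get("originas", ""), re.I)}
        for cidr in filter(None, re.split(r"[,\s]+", fields.get("cidr", ""))):
            net = ipaddress.ip_network(cidr)
            pairs.update((net, asn) for asn in asns)
    return pairs

def to_route_objects(pairs, source="ARIN-WHOIS"):
    """Render pairs as minimal RPSL-style route/route6 objects, sorted."""
    order = lambda p: (p[0].version, int(p[0].network_address), p[0].prefixlen, p[1])
    out = []
    for net, asn in sorted(pairs, key=order):
        attr = "route" if net.version == 4 else "route6"
        out.append(f"{attr}: {net}\norigin: AS{asn}\nsource: {source}\n")
    return out

def origin_status(pairs, prefix, asn):
    """Classify an announcement as 'authorized', 'mismatch' or 'unknown'."""
    net = ipaddress.ip_network(prefix)
    # Assumption: a more-specific inside a registered block counts as covered.
    covering = {a for n, a in pairs if n.version == net.version and net.subnet_of(n)}
    if not covering:
        return "unknown"  # no OriginAS published for this space
    return "authorized" if asn in covering else "mismatch"
```

A block with an empty OriginAS field comes back as "unknown" rather than "mismatch", so a filter built this way has to decide separately how to treat space with no published origin.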

