Internet-Draft Constraining RPKI Trust Anchors April 2024
Snijders & Buehler Expires 19 October 2024 [Page]
Workgroup:
Network Working Group
Published:
Intended Status:
Informational
Expires:
Authors:
J. Snijders
Fastly
T. Buehler
OpenBSD

Constraining RPKI Trust Anchors

Abstract

This document describes an approach for Resource Public Key Infrastructure (RPKI) Relying Parties (RPs) to impose locally configured Constraints on cryptographic products subordinate to publicly-trusted Trust Anchors (TAs), as implemented in OpenBSD's rpki-client validator. The ability to constrain a Trust Anchor operator's effective signing authority to a limited set of Internet Number Resources (INRs) allows Relying Parties to enjoy the potential benefits of assuming trust - within a bounded scope.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 19 October 2024.

Table of Contents

1. Introduction

This document describes an approach for Resource Public Key Infrastructure (RPKI) Relying Parties (RPs) to impose locally configured Constraints on cryptographic products subordinate to publicly-trusted Trust Anchors (TAs), as implemented in the [OpenBSD] [rpki-client] validator. The ability to constrain a Trust Anchor operator's effective signing authority to a limited set of Internet Number Resources (INRs) allows Relying Parties to enjoy the potential benefits of assuming trust - within a bounded scope.

It is important to emphasize that each Relying Party makes its Trust Anchor inclusion decisions independently, on its own timelines, based on its own inclusion criteria; and that imposed Constraints (if any) are a matter of local configuration.

This document is intended to address user (meaning, Network Operator and Relying Party) needs and concerns, and was authored to benefit users and providers of RPKI services by providing a common body of knowledge to be communicated within the global Internet routing system community.

1.1. Definitions

Assumed Trust
In the RPKI hierarchical structure, a Trust Anchor is an authority for which trust is assumed and not derived. Assuming trust means that violation of that trust is out-of-scope for the threat model.
Derived Trust
Derived Trust can be automatically and securely computed with subjective logic. In the context of the RPKI, trust is derived according to the rules for validation of RPKI Certificates and Signed Objects.
Constraints
The locally configured union set of IP prefixes, IP address ranges, AS identifiers, and AS identifier ranges for which the Relying Party operator anticipates the Trust Anchor operator to issue cryptographic products.

1.2. Required Reading

Readers should be familiar with the RPKI, the RPKI repository structure, and the various RPKI objects, uses, and interpretations described in the following: [RFC3779], [RFC6480], [RFC6481], [RFC6487], and [RFC6488].

2. Considerations on Trust Anchor over-claiming

Currently, all five Regional Internet Registries (RIRs) list 'all-resources' (0.0.0.0/0, ::/0, and AS 0-4294967295) as subordinate on their Trust Anchor certificates in order to reduce some potential for risk of invalidation in the case of transient registry inconsistencies [I-D.rir-rpki-allres-ta-app-statement]. Such 'all-resources' listings demonstrate that - in the course of normal operations - Trust Anchors may claim authority for INRs outside the registry's current resource holdings.

The primary reason for transient registry inconsistencies to occur would be when resources are transferred from one registry to another. However, the ability to transfer resources between registries is not universally available: this ability depends on the implementation of registry-specific consensus-driven policy development reciprocated by other registries. Another source of churn would be the inflow of new resources following allocations made by the IANA; but because of IPv4 address exhaustion, IPv6 abundance, and 32-bit ASNs being allocated in large blocks - IANA allocations occur far less often than they used to.

Absent a registry's ability to execute inter-registry transfers or frequently receive new allocations from IANA, that registry's set of holdings would be a fairly static list of resources.

Therefore, a Relying Party need not trust each and every signed product in a derived trust relationship to any and all INRs subordinate to the registry's Trust Anchor, even when the Trust Anchor certificate lists 'all-resources' as subordinate. Following the widely deployed information security principle of least privilege [PRIVSEP], constraining a given Trust Anchor's capacity strictly to just that what relates to the their respective current INR holdings, provides some degree of risk reduction for all stakeholders involved.

Consequently, knowing a registry's current resource holdings and knowing this set of holdings will not change in the near-term future; following the principle of least privilege, operators can consider applying a restricted-service operating mode towards what otherwise would be an unbounded authority. The principle of constraining Trust Anchors might be useful when for example working with RPKI testbeds [OTE], risky Trust Anchors which cover unallocated space with AS0 ROAs [AS0TAL], but also in dealings with publicly-trusted registries.

3. Constraining Trust Anchors by constraining End-Entity Certificates

As noted in Section 2, publicly-trusted RPKI TA certificates are expected to overclaim in the course of normal operations. However, applying a bespoke implementation of the certification path validation algorithm to CA certificates to prune all possible certificate paths related to INRs not contained within the locally configured Constraints would not be a trivial task. Instead, an alternative and simpler approach operating on EE certificates is proposed.

To constrain a Trust Anchor, the IP address and AS number resources listed in a given EE certificate's [RFC3779] extensions MUST be fully contained within the locally configured union set of IP prefixes, IP address ranges, AS identifiers, and AS identifier ranges for which the Relying Party operator anticipates the Trust Anchor operator to issue cryptographic products. If a given EE certificate's listed resources are not fully contained within the Constraints, the RP should halt processing and consider the EE certificate invalid.

The above described approach applies to all RPKI objects for which an explicit listing of resources is mandated in their respective [RFC3779] extensions; such as BGPSec Router Certificates [RFC8209], ROAs [I-D.ietf-sidrops-rfc6482bis], ASPAs [I-D.ietf-sidrops-aspa-profile], RSCs [RFC9323], and Geofeeds [I-D.ietf-opsawg-9092-update].

The approach has no application in context of Signed Objects unrelated to INRs (which thus use 'inherit' elements); such as Ghostbusters records [RFC6493], Signed TALs [I-D.ietf-sidrops-signed-tal], and Manifests [RFC9286].

The validation of Constraint containment is a check in addition to all the validation checks specified in [RFC6487], [RFC6488], and each Signed Object's profile specification.

4. Operational Considerations

When assessing the feasibility of constraining a Trust Anchor's effective signing abilities to the registry's current set of holdings, it is important to take note of existing policies (or lack thereof) and possible future events which might impact the degree of churn in the registry's holdings. Examples are:

The ARIN policy development community abandoned a proposal to allow inter-regional IPv6 resource transfers [ARIN-2019-4]. Since it's currently not possible to transfer IPv6 resources from ARIN to any other RIR, ARIN's IANA-allocated IPv6 resources should not appear subordinate to any Trust Anchor other than ARIN's own Trust Anchor.

The APNIC policy development community has not developed policy [APNIC-interrir] to support inter-RIR IPv6 transfers.

The LACNIC policy development community has not developed policy [LACNIC-interrir] to support inter-RIR IPv6 or ASN transfers.

The RIPE NCC policy development community did develop policy [RIPE-interrir] to support inter-RIR IPv6 transfers, but being the only community to have done so, inter-RIR transfers are not possible.

AFRINIC has not ratified an inter-registry transfer policy [AFPUB-2020-GEN-006-DRAFT03]. The policy proposal indicates implementation is expected to take an additional 12 months after ratification. Since it's not possible to transfer resources into AFRINIC, non-AFRINIC resources should not appear subordinate to AFRINIC's Trust Anchor for the foreseeable future.

The RIRs collectively manage only a subset of 0.0.0.0/0 [IANA-IPV4] and 2000::/3 [IANA-IPV6]; and have no authority over any parts of 10.0.0.0/8 [RFC1918], 2001:db8::/32 [RFC3849], and AS 64512 - 65534 [RFC6996], for example. Since it's not possible to transfer private internet allocations, documentation prefixes, or private use ASNs into an RIR's management, such resources should not appear subordinate to any RIR's Trust Anchor.

In recent times IANA has not made allocations from the Current Recovered IPv4 Pool [IANA-RECOVERED], and Autonomous System Number allocations are also fairly infrequent [IANA-ASNS].

The aforementioned observations suggest there is a lot of operational runway to manage and distribute Trust Anchor Constraints in a timely manner. Maintainers of Constraint lists disseminated as part of an operating system or a third-party software package release process would do well to assume a six month delay for users to update.

5. Security Considerations

The routing security benefits promised by the RPKI are derived from assuming trust in registry operators to run flawless certification services. Assuming such trust exposes users to some potential for [risks] and adverse actions by Certificate Authorities [RFC8211]. Restricting a Trust Anchor's effective signing abilities to its respective registry's current holdings - rather assuming unbounded trust in such authorities - is a constructive approach to limit some potential for risk.

6. References

6.1. Informative References

[AFPUB-2020-GEN-006-DRAFT03]
Ehoumi, G. O., Maina, N., and A. A. P. Aina, "AFRINIC Number Resources Transfer Policy (Draft-3)", , <https://afrinic.net/policy/proposals/2020-gen-006-d3>.
[APNIC-interrir]
APNIC, "Transfer of unused IPv4 addresses and/or AS numbers", , <https://www.apnic.net/manage-ip/manage-resources/transfer-resources/transfer-of-unused-ip-and-as-numbers/>.
[ARIN-2019-4]
Snijders, J., Farmer, D., and J. Provo, "Draft Policy ARIN-2019-4: Allow Inter-regional IPv6 Resource Transfers", , <https://www.arin.net/vault/policy/proposals/2019_4.html>.
[AS0TAL]
APNIC, "Important notes on the APNIC AS0 ROA", , <https://www.apnic.net/community/security/resource-certification/apnic-limitations-of-liability-for-rpki-2/>.
[I-D.ietf-opsawg-9092-update]
Bush, R., Candela, M., Kumari, W. A., and R. Housley, "Finding and Using Geofeed Data", Work in Progress, Internet-Draft, draft-ietf-opsawg-9092-update-11, , <https://datatracker.ietf.org/doc/html/draft-ietf-opsawg-9092-update-11>.
[I-D.ietf-sidrops-aspa-profile]
Azimov, A., Uskov, E., Bush, R., Snijders, J., Housley, R., and B. Maddison, "A Profile for Autonomous System Provider Authorization", Work in Progress, Internet-Draft, draft-ietf-sidrops-aspa-profile-17, , <https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-profile-17>.
[I-D.ietf-sidrops-rfc6482bis]
Snijders, J., Maddison, B., Lepinski, M., Kong, D., and S. Kent, "A Profile for Route Origin Authorizations (ROAs)", Work in Progress, Internet-Draft, draft-ietf-sidrops-rfc6482bis-09, , <https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rfc6482bis-09>.
[I-D.ietf-sidrops-signed-tal]
Martínez, C. M., Michaelson, G. G., Harrison, T., Bruijnzeels, T., and R. Austein, "RPKI Signed Object for Trust Anchor Key", Work in Progress, Internet-Draft, draft-ietf-sidrops-signed-tal-15, , <https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-signed-tal-15>.
[I-D.rir-rpki-allres-ta-app-statement]
Newton, A., Martínez, C. M., Shaw, D., Bruijnzeels, T., and B. Ellacott, "RPKI Multiple "All Resources" Trust Anchors Applicability Statement", Work in Progress, Internet-Draft, draft-rir-rpki-allres-ta-app-statement-02, , <https://datatracker.ietf.org/doc/html/draft-rir-rpki-allres-ta-app-statement-02>.
[IANA-ASNS]
IANA, "Autonomous System (AS) Numbers", , <https://www.iana.org/assignments/as-numbers/>.
[IANA-IPV4]
IANA, "IANA IPv4 Address Space Registry", , <https://www.iana.org/assignments/ipv4-address-space/>.
[IANA-IPV6]
IANA, "IPv6 Global Unicast Address Assignments", , <https://www.iana.org/assignments/ipv6-unicast-address-assignments/>.
[IANA-RECOVERED]
IANA, "IPv4 Recovered Address Space", , <https://www.iana.org/assignments/ipv4-recovered-address-space/>.
[LACNIC-interrir]
LACNIC, "LACNIC POLICY MANUAL (v2.19 - 22/08/2023)", , <https://www.lacnic.net/innovaportal/file/680/1/manual-politicas-en-2-19.pdf>.
[OpenBSD]
de Raadt, T., "The OpenBSD Project", , <https://www.openbsd.org/>.
[OTE]
ARIN, "Operational Test and Evaluation (OT&E) Environment", , <https://www.arin.net/reference/tools/testing/>.
[PRIVSEP]
Obser, F., "Privilege drop, privilege separation, and restricted-service operating mode in OpenBSD", <https://sha256.net/privsep.html>.
[RFC1918]
Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G. J., and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918, , <https://www.rfc-editor.org/info/rfc1918>.
[RFC3779]
Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP Addresses and AS Identifiers", RFC 3779, DOI 10.17487/RFC3779, , <https://www.rfc-editor.org/info/rfc3779>.
[RFC3849]
Huston, G., Lord, A., and P. Smith, "IPv6 Address Prefix Reserved for Documentation", RFC 3849, DOI 10.17487/RFC3849, , <https://www.rfc-editor.org/info/rfc3849>.
[RFC6480]
Lepinski, M. and S. Kent, "An Infrastructure to Support Secure Internet Routing", RFC 6480, DOI 10.17487/RFC6480, , <https://www.rfc-editor.org/info/rfc6480>.
[RFC6481]
Huston, G., Loomans, R., and G. Michaelson, "A Profile for Resource Certificate Repository Structure", RFC 6481, DOI 10.17487/RFC6481, , <https://www.rfc-editor.org/info/rfc6481>.
[RFC6487]
Huston, G., Michaelson, G., and R. Loomans, "A Profile for X.509 PKIX Resource Certificates", RFC 6487, DOI 10.17487/RFC6487, , <https://www.rfc-editor.org/info/rfc6487>.
[RFC6488]
Lepinski, M., Chi, A., and S. Kent, "Signed Object Template for the Resource Public Key Infrastructure (RPKI)", RFC 6488, DOI 10.17487/RFC6488, , <https://www.rfc-editor.org/info/rfc6488>.
[RFC6493]
Bush, R., "The Resource Public Key Infrastructure (RPKI) Ghostbusters Record", RFC 6493, DOI 10.17487/RFC6493, , <https://www.rfc-editor.org/info/rfc6493>.
[RFC6996]
Mitchell, J., "Autonomous System (AS) Reservation for Private Use", BCP 6, RFC 6996, DOI 10.17487/RFC6996, , <https://www.rfc-editor.org/info/rfc6996>.
[RFC8209]
Reynolds, M., Turner, S., and S. Kent, "A Profile for BGPsec Router Certificates, Certificate Revocation Lists, and Certification Requests", RFC 8209, DOI 10.17487/RFC8209, , <https://www.rfc-editor.org/info/rfc8209>.
[RFC8211]
Kent, S. and D. Ma, "Adverse Actions by a Certification Authority (CA) or Repository Manager in the Resource Public Key Infrastructure (RPKI)", RFC 8211, DOI 10.17487/RFC8211, , <https://www.rfc-editor.org/info/rfc8211>.
[RFC9286]
Austein, R., Huston, G., Kent, S., and M. Lepinski, "Manifests for the Resource Public Key Infrastructure (RPKI)", RFC 9286, DOI 10.17487/RFC9286, , <https://www.rfc-editor.org/info/rfc9286>.
[RFC9323]
Snijders, J., Harrison, T., and B. Maddison, "A Profile for RPKI Signed Checklists (RSCs)", RFC 9323, DOI 10.17487/RFC9323, , <https://www.rfc-editor.org/info/rfc9323>.
[RIPE-interrir]
NCC, R., "Inter-RIR Transfers", , <https://www.ripe.net/manage-ips-and-asns/resource-transfers-and-mergers/inter-rir-transfers>.
[risks]
Cooper, D., Heilman, E., Brogle, K., Reyzin, L., and S. Goldberg, "On the Risk of Misbehaving RPKI Authorities", <https://www.cs.bu.edu/~goldbe/papers/hotRPKI.pdf>.
[rpki-client]
Jeker, C., Snijders, J., Dzonsons, K., and T. Buehler, "rpki-client", , <https://www.rpki-client.org/>.

Appendix A. Example listings of Constraints

This section contains examples of Constraints listings related to ARIN & AFRINIC managed INRs, and INRs allocated for private or non-public use. Constraint suggestions are offered specific to each of the five RIR Trust Anchors.

As it's clumsy and error prone to calculate the complement of a block of resources, for efficiency a simple notation in the form of allow and deny keywords is used to indicate INRs which may or may not appear subordinate to a Trust Anchor (rather than merely using lengthy exhaustive allowlists of what INRs may appear under a given Trust Anchor). Denylist entries (entries prefixed with deny) take precedence over allowlist entries (entries prefixed with allow). Denylist entries may not overlap with other denylist entries. Allowlist entries may not overlap with other allowlist entries. The ordering of entries is not significant.

Constraints applicable to AFRINIC's Trust Anchor

The below listing is intended to be an exhaustive list of Constraints related to AFRINIC-managed Internet Number Resources. Inter-RIR resource transfers aren't possible into and out of the AFRINIC registry.

By placing the below contents in a file named afrinic.constraints next to a Trust Anchor Locator file named afrinic.tal, the [rpki-client] implementation will consider all End-Entity certificates invalid which list resources not fully contained within the resources listed in the afrinic.constraints file.

#       $OpenBSD: afrinic.constraints,v 1.3 2023/12/19 08:10:19 job Exp $

# From https://www.iana.org/assignments/ipv4-address-space/
allow 41.0.0.0/8
allow 102.0.0.0/8
allow 105.0.0.0/8

allow 154.0.0.0/16
allow 154.16.0.0/16
allow 154.65.0.0 - 154.255.255.255
allow 196.0.0.0 - 196.1.0.255
allow 196.1.4.0/24
allow 196.1.7.0 - 196.1.63.255
allow 196.1.71.0/24
allow 196.1.74.0 - 196.1.103.255
allow 196.1.115.0 - 196.1.133.255
allow 196.1.137.0/24
allow 196.1.143.0 - 196.1.159.255
allow 196.1.176.0 - 196.1.255.255
allow 196.2.2.0/23
allow 196.2.8.0 - 196.2.255.255
allow 196.3.14.0/23
allow 196.3.57.0 - 196.3.64.255
allow 196.3.90.0/24
allow 196.3.92.0 - 196.3.94.255
allow 196.3.96.0/21
allow 196.3.105.0/24
allow 196.3.107.0 - 196.3.131.255
allow 196.3.148.0/22
allow 196.3.154.0 - 196.3.183.255
allow 196.3.224.0 - 196.4.45.255
allow 196.4.71.0 - 196.11.171.255
allow 196.11.174.0 - 196.11.239.255
allow 196.11.248.0/21
allow 196.12.10.0 - 196.12.31.255
allow 196.12.128.0/19
allow 196.12.192.0 - 196.15.15.255
allow 196.15.64.0 - 196.26.255.255
allow 196.27.64.0 - 196.28.47.255
allow 196.28.64.0 - 196.29.63.255
allow 196.29.96.0 - 196.31.255.255
allow 196.32.8.0 - 196.32.31.255
allow 196.32.96.0/19
allow 196.32.160.0 - 196.39.255.255
allow 196.40.96.0 - 196.41.255.255
allow 196.42.64.0 - 196.216.0.255
allow 196.216.2.0 - 197.255.255.255

# From https://www.iana.org/assignments/ipv6-address-space/
allow 2001:4200::/23
allow 2c00::/12

# From https://www.iana.org/assignments/as-numbers/
allow 36864 - 37887
allow 327680 - 328703
allow 328704 - 329727

# From https://www.iana.org/assignments/ipv4-recovered-address-space
allow 45.96.0.0 - 45.111.255.255
allow 45.192.0.0 - 45.222.255.255
allow 45.240.0.0 - 45.247.255.255
allow 66.251.128.0 - 66.251.191.255
allow 139.26.0.0 - 139.26.255.255
allow 146.196.128.0 - 146.196.255.255
# 154.16.0.0 - 154.16.255.255 # already contained within 154/8
allow 160.19.36.0 - 160.19.39.255
allow 160.19.60.0 - 160.19.63.255
allow 160.19.96.0 - 160.19.103.255
allow 160.19.112.0  -  160.19.143.255
allow 160.19.152.0 - 160.19.155.255
allow 160.19.188.0 - 160.19.191.255
allow 160.19.192.0 - 160.19.199.255
allow 160.19.232.0 - 160.19.239.255
allow 160.20.24.0 - 160.20.31.255
allow 160.20.112.0 - 160.20.115.255
allow 160.20.213.0 - 160.20.213.255
allow 160.20.217.0 - 160.20.217.255
allow 160.20.221.0 - 160.20.221.255
allow 160.20.226.0 - 160.20.227.255
allow 160.20.252.0 - 160.20.255.255
allow 160.238.11.0 - 160.238.11.255
allow 160.238.48.0 - 160.238.49.255
allow 160.238.50.0 - 160.238.50.255
allow 160.238.57.0 - 160.238.57.255
allow 160.238.101.0 - 160.238.101.255
allow 161.123.0.0 - 161.123.255.255
allow 164.160.0.0 - 164.160.255.255
allow 192.12.110.0 - 192.12.111.255
allow 192.12.116.0 - 192.12.117.255
allow 192.47.36.0 - 192.47.36.255
allow 192.51.240.0 - 192.51.240.255
allow 192.70.200.0 - 192.70.201.255
allow 192.75.236.0 - 192.75.236.255
allow 192.83.208.0 - 192.83.215.255
allow 192.91.200.0 - 192.91.200.255
allow 192.142.0.0 - 192.143.255.255
allow 192.145.128.0 - 192.145.191.255
allow 192.145.230.0 - 192.145.230.255
allow 204.8.204.0 - 204.8.207.255
allow 208.85.156.0 - 208.85.159.255

# From https://web.archive.org/web/20131120040037/http://www.ripe.net/lir-services/resource-management/erx/transferred-resources
# From https://afrinic.net/fr/library/policies/220-erx-transfer
allow 2561
allow 3208
allow 5536
allow 6127
allow 6713
allow 6879
allow 8524
allow 8770
allow 9129
allow 11380
allow 12455
allow 12556
allow 13224
allow 15399
allow 13569
allow 15475
allow 15706
allow 15804
allow 15825
allow 15834
allow 15964
allow 16058
allow 16214
allow 16284
allow 16853
allow 16907
allow 17652
allow 19676
allow 20294
allow 20484
allow 20858
allow 20928
allow 21003
allow 21152
allow 21242
allow 21271
allow 21278
allow 21280
allow 21391
allow 21452
allow 23549
allow 23889
allow 24736
allow 24757
allow 24788
allow 24801
allow 24835
allow 24863
allow 24878
allow 24987
allow 25163
allow 25250
allow 25362
allow 25364
allow 25543
allow 25568
allow 25576
allow 28683
allow 28698
allow 28913
allow 29091
allow 29338
allow 29340
allow 29428
allow 29495
allow 29544
allow 29571
allow 29614
allow 29674
allow 30896
allow 31065
allow 31245
allow 31619
allow 83.143.24.0 - 83.143.31.255
allow 84.205.96.0 - 84.205.127.255
allow 131.176.0.0 - 131.176.255.255
allow 163.121.0.0 - 163.121.255.255
allow 165.231.0.0 - 165.231.255.255
allow 192.52.232.0 - 192.52.232.255
allow 193.17.215.0 - 193.17.215.255
allow 193.19.232.0 - 193.19.235.255
allow 193.41.146.0 - 193.41.147.255
allow 193.108.23.0 - 193.108.23.255
allow 193.108.28.0 - 193.108.28.255
allow 193.109.66.0 - 193.109.67.255
allow 193.110.104.0 - 193.110.105.255
allow 193.194.128.0 - 193.194.128.255
allow 193.227.128.0 - 193.227.128.255
allow 194.9.64.0 - 194.9.65.255
allow 194.9.82.0 - 194.9.83.255
allow 195.24.80.0 - 195.24.87.255
allow 195.39.218.0 - 195.39.219.255
allow 195.234.120.0 - 195.234.123.255
allow 195.234.168.0 - 195.234.168.255
allow 195.234.185.0 - 195.234.185.255
allow 195.234.252.0 - 195.234.255.255

# From https://www.ripe.net/participate/internet-governance/internet-technical-community/the-rir-system/afrinic/ripe-ncc-to-afrinic-transition
allow 30980
allow 30982 - 30999

# From https://afrinic.net/ast/pdf/afrinic-whois-audit-report-full-20210121.pdf
# 12.3 Appendix A3
allow 193.188.7.0/24
allow 193.189.0.0/18
allow 193.189.128.0/24
allow 193.194.160.0/19
allow 193.221.218.0/24

# From https://ftp.arin.net/afrinic/afrinic-transfers-by-resource.txt
# Feb 21, 2005
allow 1228 - 1232
allow 2018
allow 2905
allow 3067
allow 3068
allow 3741
allow 4178
allow 4571
allow 5713
allow 5734
allow 6083
allow 6089
allow 6149
allow 6180
allow 6187
allow 6351
allow 6529
allow 6560
allow 6968
allow 7020
allow 7154
allow 7231
allow 7390
allow 7420
allow 7460
allow 7971
allow 7972
allow 8094
allow 10247
allow 10262
allow 10331
allow 10393
allow 10474
allow 10505
allow 10540
allow 10575
allow 10798
allow 10803
allow 10898
allow 10922
allow 11125
allow 11157
allow 11201
allow 11259
allow 11265
allow 11569
allow 11645
allow 11744
allow 11845
allow 11909
allow 12091
allow 12143
allow 12258
allow 13402
allow 13519
allow 13854
allow 14029
allow 14115
allow 14331
allow 14360
allow 14429
allow 14516
allow 14988
allow 15022
allow 15159
allow 16416
allow 16547
allow 16630
allow 16637
allow 16800
allow 17148
allow 17220
allow 17260
allow 17312
allow 17400
allow 18775
allow 18922
allow 18931
allow 19136
allow 19232
allow 19711
allow 19832
allow 19847
allow 20011
allow 20086
allow 20095
allow 20180
allow 20459
allow 21739
allow 21819
allow 22354
allow 22355
allow 22386
allow 22572
allow 22690
allow 22735
allow 22750
allow 22939
allow 23058
allow 25695
allow 25726
allow 25793
allow 25818
allow 26106
allow 26130
allow 26422
allow 26625
allow 26754
allow 27576
allow 27598
allow 29918
allow 29975
allow 30073
allow 30306
allow 30429
allow 30619
allow 31810
allow 31856
allow 31960
allow 32017
allow 32279
allow 32398
allow 32437
allow 32653
allow 32714
allow 32717
allow 32842
allow 32860
allow 33567
allow 33579
allow 33762 - 33791
allow 64.57.112.0 - 64.57.127.255
allow 66.8.0.0 - 66.8.127.255
allow 66.18.64.0 - 66.18.95.255
allow 69.63.64.0 - 69.63.79.255
allow 69.67.32.0 - 69.67.47.255
allow 137.158.0.0 - 137.158.255.255
allow 137.214.0.0 - 137.214.255.255
allow 137.215.0.0 - 137.215.255.255
allow 139.53.0.0 - 139.53.255.255
allow 143.128.0.0 - 143.128.255.255
allow 143.160.0.0 - 143.160.255.255
allow 146.64.0.0 - 146.64.255.255
allow 146.141.0.0 - 146.141.255.255
allow 146.182.0.0 - 146.182.255.255
allow 146.230.0.0 - 146.230.255.255
allow 146.231.0.0 - 146.231.255.255
allow 146.232.0.0 - 146.232.255.255
allow 147.110.0.0 - 147.110.255.255
allow 152.106.0.0 - 152.106.255.255
allow 152.107.0.0 - 152.107.255.255
allow 152.108.0.0 - 152.108.255.255
allow 152.109.0.0 - 152.109.255.255
allow 152.110.0.0 - 152.110.255.255
allow 152.111.0.0 - 152.111.255.255
allow 152.112.0.0 - 152.112.255.255
allow 155.159.0.0 - 155.159.255.255
allow 155.232.0.0 - 155.232.255.255
allow 155.233.0.0 - 155.233.255.255
allow 155.234.0.0 - 155.234.255.255
allow 155.235.0.0 - 155.235.255.255
allow 155.236.0.0 - 155.236.255.255
allow 155.237.0.0 - 155.237.255.255
allow 155.238.0.0 - 155.238.255.255
allow 155.239.0.0 - 155.239.255.255
allow 155.240.0.0 - 155.240.255.255
allow 156.8.0.0 - 156.8.255.255
allow 160.115.0.0 - 160.115.255.255
allow 160.116.0.0 - 160.116.255.255
allow 160.117.0.0 - 160.117.255.255
allow 160.118.0.0 - 160.118.255.255
allow 160.119.0.0 - 160.119.255.255
allow 160.120.0.0 - 160.120.255.255
allow 160.121.0.0 - 160.121.255.255
allow 160.122.0.0 - 160.122.255.255
allow 160.123.0.0 - 160.123.255.255
allow 160.124.0.0 - 160.124.255.255
allow 163.195.0.0 - 163.195.255.255
allow 163.196.0.0 - 163.196.255.255
allow 163.197.0.0 - 163.197.255.255
allow 163.198.0.0 - 163.198.255.255
allow 163.199.0.0 - 163.199.255.255
allow 163.200.0.0 - 163.200.255.255
allow 163.201.0.0 - 163.201.255.255
allow 163.202.0.0 - 163.202.255.255
allow 163.203.0.0 - 163.203.255.255
allow 164.88.0.0 - 164.88.255.255
allow 164.146.0.0 - 164.151.255.255
allow 164.155.0.0 - 164.155.255.255
allow 165.3.0.0 - 165.5.255.255
allow 165.8.0.0 - 165.11.255.255
allow 165.25.0.0 - 165.25.255.255
allow 165.143.0.0 - 165.149.255.255
allow 165.165.0.0 - 165.165.255.255
allow 165.180.0.0 - 165.180.255.255
allow 165.233.0.0 - 165.233.255.255
allow 166.85.0.0 - 166.85.255.255
allow 168.76.0.0 - 168.76.255.255
allow 168.80.0.0 - 168.81.255.255
allow 168.89.0.0 - 168.89.255.255
allow 168.128.0.0 - 168.128.255.255
allow 168.142.0.0 - 168.142.255.255
allow 168.155.0.0 - 168.155.255.255
allow 168.164.0.0 - 168.164.255.255
allow 168.167.0.0 - 168.167.255.255
allow 168.172.0.0 - 168.172.255.255
allow 168.206.0.0 - 168.206.255.255
allow 168.209.0.0 - 168.210.255.255
allow 169.129.0.0 - 169.129.255.255
allow 169.202.0.0 - 169.202.255.255
allow 192.33.10.0 - 192.33.10.255
allow 192.42.99.0 - 192.42.99.255
allow 192.48.253.0 - 192.48.253.255
allow 192.68.138.0 - 192.68.138.255
allow 192.70.237.0 - 192.70.237.255
allow 192.82.142.0 - 192.82.142.255
allow 192.84.244.0 - 192.84.244.255
allow 192.94.61.0 - 192.94.61.255
allow 192.94.210.0 - 192.94.210.255
allow 192.94.240.0 - 192.94.240.255
allow 192.94.241.0 - 192.94.241.255
allow 192.94.246.0 - 192.94.246.255
allow 192.96.0.0 - 192.96.255.255
allow 192.100.1.0 - 192.100.1.255
allow 192.101.142.0 - 192.101.142.255
allow 192.102.9.0 - 192.102.9.255
allow 192.133.250.0 - 192.133.250.255
allow 192.136.55.0 - 192.136.55.255
allow 192.136.56.0 - 192.136.56.255
allow 192.136.57.0 - 192.136.57.255
allow 192.157.190.0 - 192.157.190.255
allow 192.188.164.0 - 192.188.167.255
allow 192.189.75.0 - 192.189.75.255
allow 192.189.139.0 - 192.189.140.255
allow 192.231.237.0 - 192.231.237.255
allow 192.231.254.0 - 192.231.254.255
allow 192.245.148.0 - 192.245.148.255
allow 192.251.202.0 - 192.251.202.255
allow 198.54.0.0 - 198.54.255.255
allow 200.16.8.0 - 200.16.15.255
allow 204.12.128.0 - 204.12.143.255
allow 204.87.179.0 - 204.87.179.255
allow 204.152.14.0 - 204.152.15.255
allow 204.235.32.0 - 204.235.43.255
allow 205.159.79.0 - 205.159.79.255
allow 206.223.136.0 - 206.223.136.255
allow 209.203.0.0 - 209.203.63.255
allow 209.212.96.0 - 209.212.127.255
allow 216.236.176.0 - 216.236.191.255

# From rpki.afrinic.net/repository/04E8B0D80F4D11E0B657D8931367AE7D/apnic-to-afrinic.cer
# CN=APNICTOAFRINIC/serialNumber=6F1A103E1427FF03483ABFD9E34DACBE1524FF8B
# Not Before: Mar 30 14:17:08 2020 GMT / Not After : Mar 30 00:00:00 2025 GMT
# SHA256:B6w5P1mkoNyJtM99GfGLaaKkGfSkQ6+4eC4tPijBLyM=
allow 202.123.0.0/19

# From rpki.afrinic.net/repository/04E8B0D80F4D11E0B657D8931367AE7D/ripe-to-afrinic.cer
# CN=RIPETOAFRINIC/serialNumber=7F7AC180897983E29E937C0A187803C072755545
# Not Before: Mar 30 14:17:12 2020 GMT / Not After : Mar 30 00:00:00 2025 GMT
# SHA256:64eh2w7qQrFQVPaQrRJ4kA83gUgE3EDvm0D0AWHCXHM=
allow 62.8.64.0/19
allow 62.12.96.0/19
allow 62.24.96.0/19
allow 62.61.192.0/18
allow 62.68.32.0/19
allow 62.68.224.0/19
allow 62.114.0.0/16
allow 62.117.32.0/19
allow 62.135.0.0/17
allow 62.139.0.0/16
allow 62.140.64.0/18
allow 62.173.32.0/19
allow 62.193.64.0/18
allow 62.193.160.0/19
allow 62.240.32.0/19
allow 62.240.96.0/19
allow 62.241.128.0/19
allow 62.251.128.0/17
allow 77.220.0.0/19
allow 80.67.128.0/20
allow 80.72.96.0/20
allow 80.75.160.0/19
allow 80.87.64.0/19
allow 80.88.0.0/20
allow 80.95.0.0/20
allow 80.240.192.0/20
allow 80.246.0.0/20
allow 80.248.0.0/20
allow 80.248.64.0/20
allow 80.249.64.0/20
allow 80.250.32.0/20
allow 81.4.0.0/18
allow 81.10.0.0/17
allow 81.21.96.0/20
allow 81.22.64.0/19
allow 81.26.64.0/20
allow 81.29.96.0/20
allow 81.91.224.0/20
allow 81.192.0.0/16
allow 82.101.128.0/18
allow 82.128.0.0/17
allow 82.129.128.0/17
allow 82.151.64.0/19
allow 82.201.128.0/17
allow 84.36.0.0/16
allow 84.233.0.0/17
allow 87.255.96.0/19
allow 193.95.0.0/17
allow 193.108.214.0/24
allow 193.108.252.0/22
allow 193.189.64.0 - 193.189.65.255
allow 193.194.1.0 - 193.194.5.255
allow 193.194.32.0 - 193.194.95.255
allow 193.227.0.0/18
allow 194.6.224.0/24
allow 194.79.96.0/19
allow 194.204.192.0/18
allow 195.24.192.0/19
allow 195.43.0.0/19
allow 195.166.224.0/19
allow 195.202.64.0/19
allow 195.246.32.0/19
allow 212.0.128.0/19
allow 212.12.224.0/19
allow 212.22.160.0/19
allow 212.49.64.0/19
allow 212.52.128.0/19
allow 212.60.64.0/19
allow 212.85.192.0/19
allow 212.88.96.0/19
allow 212.96.0.0/19
allow 212.100.64.0/19
allow 212.103.160.0/19
allow 212.122.224.0/19
allow 212.217.0.0/17
allow 213.55.64.0/18
allow 213.131.64.0/19
allow 213.136.96.0/19
allow 213.147.64.0/19
allow 213.150.96.0/19
allow 213.150.160.0 - 213.150.223.255
allow 213.152.64.0/19
allow 213.154.32.0 - 213.154.95.255
allow 213.158.160.0/19
allow 213.172.128.0/19
allow 213.179.160.0/19
allow 213.181.224.0/19
allow 213.193.32.0/19
allow 213.212.192.0/18
allow 213.247.0.0/19
allow 213.255.128.0/19
allow 217.14.80.0/20
allow 217.20.224.0/20
allow 217.21.112.0/20
allow 217.29.128.0/20
allow 217.29.208.0/20
allow 217.52.0.0/14
allow 217.64.96.0/20
allow 217.77.64.0/20
allow 217.78.64.0/20
allow 217.117.0.0/20
allow 217.139.0.0/16
allow 217.170.144.0/20
allow 217.199.144.0/20

# From rpki.afrinic.net/repository/04E8B0D80F4D11E0B657D8931367AE7D/arin-to-afrinic.cer
# CN=ARINTOAFRINIC/serialNumber=B87C5A75F3D957413AB998646946D4541D511455
# Not Before: Mar 30 14:17:09 2020 GMT / Not After : Mar 30 00:00:00 2025 GMT
# SHA256:wmJV3qcwiPcLtEMLBcvvyjs4V1Lz690bK3b8cv5v8F8=
allow 129.0.0.0/16
allow 129.18.0.0/16
allow 129.45.0.0/16
allow 129.56.0.0/16
allow 129.122.0.0/16
allow 129.140.0.0/16
allow 129.205.0.0/16
allow 129.232.0.0/16
allow 137.63.0.0 - 137.64.255.255
allow 137.115.0.0/16
allow 137.171.0.0/16
allow 137.196.0.0/16
allow 137.255.0.0/16
allow 155.0.0.0/16
allow 155.11.0.0 - 155.12.255.255
allow 155.89.0.0/16
allow 155.93.0.0/16
allow 155.196.0.0/16
allow 155.251.0.0/16
allow 155.255.0.0 - 156.0.255.255
allow 156.38.0.0/16
allow 156.155.0.0 - 156.255.255.255
allow 160.0.0.0/16
allow 160.77.0.0/16
allow 160.89.0.0 - 160.90.255.255
allow 160.105.0.0/16
allow 160.113.0.0/16
allow 160.152.0.0/16
allow 160.154.0.0 - 160.179.255.255
allow 160.181.0.0 - 160.184.255.255
allow 160.224.0.0 - 160.226.255.255
allow 160.242.0.0/16
allow 160.255.0.0/16
allow 165.0.0.0/16
allow 165.16.0.0/16
allow 165.49.0.0 - 165.63.255.255
allow 165.73.0.0/16
allow 165.90.0.0/16
allow 165.169.0.0/16
allow 165.210.0.0/15
allow 165.255.0.0/16
allow 168.211.0.0 - 168.211.255.255
allow 168.253.0.0/16
allow 169.0.0.0/15
allow 169.159.0.0/16
allow 169.239.0.0/16
allow 169.255.0.0/16
allow 192.109.242.0/24

Constraints applicable to ARIN's Trust Anchor

Most of the below constraints relate to IP addresses and ASNs which are not globally unique and not managed by any RIR, as such these INRs are not expected to appear subordinate to any publicly-trusted Trust Anchor. LACNIC ASNs cannot be transferred to ARIN. Finally, since inter-RIR transfers involving ARIN may not include IPv6 addresses; ARIN's Trust Anchor is constrained to just its own IANA allocated IPv6 blocks.

By placing the below content in a file named arin.constraints; the associated Trust Anchor reachable via arin.tal is constrained such that any EE certificates listing private-use INRs, or non-ARIN IPv6 blocks, or AFRINIC superblocks, are considered invalid.

#       $OpenBSD: arin.constraints,v 1.5 2024/04/17 14:31:59 job Exp $

# From https://www.iana.org/assignments/ipv6-unicast-address-assignments
allow 2001:400::/23
allow 2001:1800::/23
allow 2001:4800::/23
allow 2600::/12
allow 2610::/23
allow 2620::/23
allow 2630::/12

# LACNIC ASNs cannot be transferred to ARIN
# From https://www.iana.org/assignments/as-numbers/as-numbers.xhtml
deny 27648 - 28671
deny 52224 - 53247
deny 61440 - 61951
deny 64099 - 64197
deny 262144 - 273820

# LACNIC ASNs cannot be transferred to ARIN
# From nro-delegated-stats 20240417
deny 278
deny 676
deny 1251
deny 1292
deny 1296
deny 1797
deny 1831
deny 1840
deny 1916
deny 2146
deny 2277
deny 2549
deny 2638
deny 2708
deny 2715 - 2716
deny 2739
deny 2904
deny 3132
deny 3141
deny 3449
deny 3454
deny 3484
deny 3487
deny 3496
deny 3548
deny 3551
deny 3556
deny 3596 - 3597
deny 3603
deny 3631 - 3632
deny 3636
deny 3640
deny 3790
deny 3816
deny 3905
deny 3968
deny 4141
deny 4209
deny 4230
deny 4242
deny 4244
deny 4270
deny 4387
deny 4493
deny 4535
deny 4914
deny 4926
deny 4944
deny 4964
deny 4967
deny 4995
deny 5005
deny 5633
deny 5639
deny 5648
deny 5692
deny 5708
deny 5722
deny 5745
deny 5772
deny 6057
deny 6063 - 6065
deny 6084
deny 6121
deny 6125
deny 6133
deny 6135
deny 6147 - 6148
deny 6193
deny 6240
deny 6306
deny 6332
deny 6342
deny 6400
deny 6429
deny 6458
deny 6471
deny 6487
deny 6495
deny 6503
deny 6505
deny 6535
deny 6543
deny 6545
deny 6568
deny 6590
deny 6927
deny 6945
deny 6957
deny 7002
deny 7004 - 7005
deny 7038
deny 7048 - 7049
deny 7056
deny 7063
deny 7080
deny 7087
deny 7103
deny 7120
deny 7125
deny 7137
deny 7149
deny 7157
deny 7162
deny 7167
deny 7173
deny 7184
deny 7195
deny 7199
deny 7236
deny 7298
deny 7303
deny 7313
deny 7315
deny 7325
deny 7340
deny 7365
deny 7399
deny 7408
deny 7414
deny 7417 - 7418
deny 7428
deny 7437 - 7438
deny 7465
deny 7727
deny 7738
deny 7803
deny 7864
deny 7890
deny 7906
deny 7908
deny 7910
deny 7927
deny 7934
deny 7953
deny 7965
deny 7974
deny 7980
deny 7984
deny 7993 - 7995
deny 7997
deny 8007
deny 8024
deny 8026
deny 8048
deny 8053 - 8056
deny 8065 - 8066
deny 8096
deny 8140 - 8141
deny 8151
deny 8163
deny 8167
deny 8178
deny 10269
deny 10277
deny 10285
deny 10293
deny 10299
deny 10301
deny 10318
deny 10362
deny 10391
deny 10412
deny 10417
deny 10420
deny 10429
deny 10436
deny 10452
deny 10454
deny 10463
deny 10476
deny 10479
deny 10481
deny 10495
deny 10502
deny 10531
deny 10560
deny 10569
deny 10586
deny 10600
deny 10605 - 10606
deny 10617
deny 10620
deny 10624
deny 10630
deny 10640
deny 10649
deny 10670 - 10671
deny 10688
deny 10691
deny 10697
deny 10704
deny 10706
deny 10715
deny 10733
deny 10757
deny 10778
deny 10785
deny 10795
deny 10824
deny 10834
deny 10841
deny 10847
deny 10875
deny 10881
deny 10895
deny 10897
deny 10906
deny 10938
deny 10954
deny 10964
deny 10983
deny 10986
deny 10992
deny 11008
deny 11014
deny 11053
deny 11058
deny 11063
deny 11081
deny 11083
deny 11087
deny 11097
deny 11136
deny 11172
deny 11193
deny 11237
deny 11242
deny 11254
deny 11256
deny 11271
deny 11284
deny 11295
deny 11311
deny 11315
deny 11335
deny 11338
deny 11340
deny 11356
deny 11373
deny 11390
deny 11392
deny 11411
deny 11415
deny 11419
deny 11431 - 11432
deny 11447
deny 11450 - 11451
deny 11497 - 11498
deny 11503
deny 11514
deny 11519
deny 11556
deny 11562
deny 11571
deny 11581
deny 11585
deny 11592
deny 11599
deny 11617
deny 11642
deny 11644
deny 11664
deny 11673
deny 11677
deny 11694
deny 11706
deny 11750 - 11752
deny 11786
deny 11800 - 11802
deny 11815 - 11816
deny 11830
deny 11835
deny 11844
deny 11888
deny 11896
deny 11921
deny 11947
deny 11960
deny 11993
deny 12034
deny 12066
deny 12127
deny 12135 - 12136
deny 12140
deny 12146
deny 12150
deny 12248
deny 12252
deny 12264
deny 13316
deny 13318
deny 13320
deny 13353
deny 13357
deny 13381
deny 13424
deny 13440
deny 13459
deny 13474
deny 13489
deny 13495
deny 13514
deny 13521 - 13522
deny 13544
deny 13579
deny 13584 - 13585
deny 13591
deny 13643
deny 13679
deny 13682
deny 13761
deny 13774
deny 13835
deny 13874
deny 13878
deny 13914
deny 13929
deny 13934 - 13936
deny 13991
deny 13999 - 14000
deny 14026
deny 14030
deny 14069
deny 14080
deny 14084
deny 14087
deny 14111
deny 14117
deny 14122
deny 14178 - 14179
deny 14186 - 14187
deny 14202
deny 14204
deny 14231 - 14232
deny 14234
deny 14249 - 14250
deny 14259
deny 14282
deny 14285 - 14286
deny 14316
deny 14318
deny 14339
deny 14346
deny 14377
deny 14420
deny 14457
deny 14463
deny 14522
deny 14535
deny 14553
deny 14560
deny 14571
deny 14624
deny 14650
deny 14664
deny 14674
deny 14692
deny 14708 - 14709
deny 14723
deny 14754
deny 14759
deny 14769
deny 14795
deny 14840
deny 14845
deny 14867 - 14868
deny 14886
deny 14966
deny 14970
deny 15030
deny 15034
deny 15064
deny 15066
deny 15075
deny 15078
deny 15107
deny 15125
deny 15151
deny 15180
deny 15201
deny 15208
deny 15236
deny 15241
deny 15246
deny 15252
deny 15256
deny 15274
deny 15311
deny 16397
deny 16418
deny 16471
deny 16506
deny 16522
deny 16528
deny 16531
deny 16592
deny 16594
deny 16596
deny 16606 - 16607
deny 16629
deny 16663
deny 16685
deny 16689
deny 16701
deny 16712
deny 16732
deny 16735 - 16736
deny 16742
deny 16762
deny 16772
deny 16780
deny 16814
deny 16847
deny 16849
deny 16864
deny 16874
deny 16885
deny 16891
deny 16906
deny 16911
deny 16960
deny 16973
deny 16975
deny 16990
deny 17069
deny 17072
deny 17079
deny 17086
deny 17108
deny 17126
deny 17147
deny 17182
deny 17205
deny 17208
deny 17222
deny 17249 - 17250
deny 17255
deny 17257
deny 17287
deny 17329
deny 17376
deny 17379
deny 17399
deny 17401
deny 18449
deny 18455
deny 18466
deny 18479
deny 18492
deny 18496
deny 18532
deny 18547
deny 18576
deny 18579
deny 18592
deny 18644
deny 18667
deny 18678
deny 18734
deny 18739
deny 18782
deny 18809
deny 18822
deny 18836
deny 18840
deny 18846
deny 18869
deny 18881
deny 18941
deny 18998
deny 19033
deny 19037 - 19038
deny 19064
deny 19077
deny 19089 - 19090
deny 19109
deny 19114
deny 19132
deny 19169
deny 19180
deny 19182
deny 19192
deny 19196
deny 19200
deny 19228
deny 19244
deny 19259
deny 19278
deny 19315
deny 19332
deny 19338
deny 19361
deny 19373
deny 19411
deny 19422
deny 19429
deny 19447
deny 19519
deny 19553
deny 19582 - 19583
deny 19611
deny 19632
deny 19688
deny 19723
deny 19731
deny 19763
deny 19767
deny 19863
deny 19873
deny 19889
deny 19960
deny 19978
deny 19989 - 19990
deny 20002
deny 20015
deny 20032
deny 20043 - 20044
deny 20106
deny 20116 - 20117
deny 20121
deny 20142
deny 20173
deny 20191
deny 20207
deny 20232
deny 20244
deny 20255 - 20256
deny 20266
deny 20297
deny 20299
deny 20305
deny 20312
deny 20321
deny 20345
deny 20361
deny 20363
deny 20418
deny 21506
deny 21520
deny 21571
deny 21574 - 21575
deny 21578
deny 21590
deny 21599
deny 21603
deny 21612
deny 21614
deny 21674
deny 21692
deny 21741
deny 21753
deny 21756
deny 21765
deny 21768
deny 21824
deny 21826
deny 21838
deny 21862
deny 21883
deny 21888
deny 21911
deny 21917
deny 21980
deny 22010 - 22011
deny 22019
deny 22047
deny 22055
deny 22080
deny 22085
deny 22092
deny 22122
deny 22128 - 22129
deny 22133
deny 22148
deny 22177
deny 22185
deny 22227
deny 22250
deny 22305
deny 22313
deny 22341
deny 22356
deny 22368
deny 22371
deny 22381 - 22382
deny 22407
deny 22411
deny 22431
deny 22453
deny 22501
deny 22508
deny 22515
deny 22529
deny 22541
deny 22548
deny 22566
deny 22628
deny 22661
deny 22678
deny 22689
deny 22698 - 22699
deny 22706
deny 22724
deny 22726
deny 22745
deny 22798
deny 22818 - 22819
deny 22833
deny 22860
deny 22869
deny 22876
deny 22882
deny 22884
deny 22889
deny 22894
deny 22908
deny 22924
deny 22927
deny 22975
deny 23002
deny 23007
deny 23020
deny 23031
deny 23074
deny 23091
deny 23105 - 23106
deny 23113
deny 23128
deny 23140
deny 23201 - 23202
deny 23216
deny 23243
deny 23246
deny 23289
deny 23353
deny 23360
deny 23382 - 23383
deny 23416
deny 23487 - 23488
deny 23495
deny 23541
deny 25607
deny 25620
deny 25701
deny 25705
deny 25718
deny 25734
deny 25812
deny 25832
deny 25908
deny 25927
deny 25933
deny 25998
deny 26048
deny 26061
deny 26090
deny 26104 - 26105
deny 26107
deny 26112
deny 26118 - 26119
deny 26136
deny 26162
deny 26173
deny 26194
deny 26210
deny 26218
deny 26317
deny 26418
deny 26426
deny 26434
deny 26473
deny 26505
deny 26592 - 26596
deny 26598 - 26623

# AFRINIC IPv4 resources cannot be transferred to ARIN
# From https://www.iana.org/assignments/ipv4-address-space/
deny 41.0.0.0/8
deny 102.0.0.0/8
deny 105.0.0.0/8
deny 154.0.0.0/16
deny 154.16.0.0/16
deny 154.65.0.0 - 154.255.255.255
deny 196.0.0.0 - 196.1.0.255
deny 196.1.4.0/24
deny 196.1.7.0 - 196.1.63.255
deny 196.1.71.0/24
deny 196.1.74.0 - 196.1.103.255
deny 196.1.115.0 - 196.1.133.255
deny 196.1.137.0/24
deny 196.1.143.0 - 196.1.159.255
deny 196.1.176.0 - 196.1.255.255
deny 196.2.2.0/23
deny 196.2.8.0 - 196.2.255.255
deny 196.3.14.0/23
deny 196.3.57.0 - 196.3.64.255
deny 196.3.90.0/24
deny 196.3.92.0 - 196.3.94.255
deny 196.3.96.0/21
deny 196.3.105.0/24
deny 196.3.107.0 - 196.3.131.255
deny 196.3.148.0/22
deny 196.3.154.0 - 196.3.183.255
deny 196.3.224.0 - 196.4.45.255
deny 196.4.71.0 - 196.11.171.255
deny 196.11.174.0 - 196.11.239.255
deny 196.11.248.0/21
deny 196.12.10.0 - 196.12.31.255
deny 196.12.128.0/19
deny 196.12.192.0 - 196.15.15.255
deny 196.15.64.0 - 196.26.255.255
deny 196.27.64.0 - 196.28.47.255
deny 196.28.64.0 - 196.29.63.255
deny 196.29.96.0 - 196.31.255.255
deny 196.32.8.0 - 196.32.31.255
deny 196.32.96.0/19
deny 196.32.160.0 - 196.39.255.255
deny 196.40.96.0 - 196.41.255.255
deny 196.42.64.0 - 196.216.0.255
deny 196.216.2.0 - 197.255.255.255

# AFRINIC ASNs cannot be transferred to ARIN
# From https://www.iana.org/assignments/as-numbers/
deny 36864 - 37887
deny 327680 - 328703
deny 328704 - 329727

# AFRINIC ASNs cannot be transferred to ARIN
# From nro-delegated-stats 20240417
deny 1228 - 1232
deny 2018
deny 2561
deny 2905
deny 3067 - 3068
deny 3208
deny 3741
deny 4178
deny 4571
deny 5536
deny 5713
deny 5734
deny 6083
deny 6089
deny 6127
deny 6149
deny 6180
deny 6187
deny 6351
deny 6529
deny 6560
deny 6713
deny 6879
deny 6968
deny 7020
deny 7154
deny 7231
deny 7390
deny 7420
deny 7460
deny 7971 - 7972
deny 8094
deny 8524
deny 8770
deny 9129
deny 10247
deny 10262
deny 10331
deny 10393
deny 10474
deny 10505
deny 10540
deny 10575
deny 10798
deny 10803
deny 10898
deny 11125
deny 11157
deny 11201
deny 11259
deny 11265
deny 11380
deny 11569
deny 11645
deny 11744
deny 11845
deny 11909
deny 12091
deny 12143
deny 12258
deny 12455
deny 12556
deny 13224
deny 13402
deny 13519
deny 13569
deny 13854
deny 14029
deny 14115
deny 14331
deny 14429
deny 14516
deny 14988
deny 15022
deny 15159
deny 15399
deny 15475
deny 15706
deny 15804
deny 15825
deny 15834
deny 15964
deny 16058
deny 16214
deny 16284
deny 16416
deny 16547
deny 16630
deny 16637
deny 16800
deny 16853
deny 16907
deny 17148
deny 17220
deny 17260
deny 17312
deny 17400
deny 17652
deny 18775
deny 18922
deny 18931
deny 19136
deny 19232
deny 19676
deny 19711
deny 19832
deny 19847
deny 20011
deny 20086
deny 20095
deny 20180
deny 20294
deny 20459
deny 20484
deny 20858
deny 20928
deny 21003
deny 21152
deny 21242
deny 21271
deny 21278
deny 21280
deny 21391
deny 21452
deny 21739
deny 21819
deny 22354 - 22355
deny 22386
deny 22572
deny 22690
deny 22735
deny 22750
deny 22939
deny 23058
deny 23549
deny 23889
deny 24736
deny 24757
deny 24788
deny 24801
deny 24835
deny 24863
deny 24878
deny 24987
deny 25163
deny 25250
deny 25362
deny 25364
deny 25543
deny 25568
deny 25576
deny 25695
deny 25726
deny 25793
deny 25818
deny 26106
deny 26130
deny 26422
deny 26625
deny 26754
deny 27576
deny 27598
deny 28683
deny 28698
deny 28913
deny 29091
deny 29338
deny 29340
deny 29428
deny 29495
deny 29544
deny 29571
deny 29614
deny 29674
deny 29918
deny 29975
deny 30073
deny 30306
deny 30429
deny 30619
deny 30896
deny 30980
deny 30982 - 30999
deny 31065
deny 31245
deny 31619
deny 31810
deny 31856
deny 31960
deny 32017
deny 32279
deny 32398
deny 32437
deny 32653
deny 32714
deny 32717
deny 32842
deny 32860
deny 33567
deny 33579
deny 33762 - 33791

# Private use IPv4 & IPv6 addresses and ASNs
deny 0.0.0.0/8               # RFC 1122 Local Identification
deny 10.0.0.0/8              # RFC 1918 private space
deny 100.64.0.0/10           # RFC 6598 Carrier Grade NAT
deny 127.0.0.0/8             # RFC 1122 localhost
deny 169.254.0.0/16          # RFC 3927 link local
deny 172.16.0.0/12           # RFC 1918 private space
deny 192.0.2.0/24            # RFC 5737 TEST-NET-1
deny 192.88.99.0/24          # RFC 7526 6to4 anycast relay
deny 192.168.0.0/16          # RFC 1918 private space
deny 198.18.0.0/15           # RFC 2544 benchmarking
deny 198.51.100.0/24         # RFC 5737 TEST-NET-2
deny 203.0.113.0/24          # RFC 5737 TEST-NET-3
deny 224.0.0.0/4             # Multicast
deny 240.0.0.0/4             # Reserved
deny 23456                   # RFC 4893 AS_TRANS
deny 64496 - 64511           # RFC 5398
deny 64512 - 65534           # RFC 6996
deny 65535                   # RFC 7300
deny 65536 - 65551           # RFC 5398
deny 65552 - 131071          # IANA Reserved
deny 4200000000 - 4294967294 # RFC 6996
deny 4294967295              # RFC 7300

# ARIN supports IPv4 and ASN transfers: allow the complement of what is denied
allow 0.0.0.0/0
allow 1 - 4199999999

Constraints applicable to APNIC's Trust Anchor

Given that ARIN, LACNIC, and RIPE NCC IPv6 resources cannot be transferred to APNIC, only APNIC IPv6 resources should appear subordinate to APNIC's Trust Anchor, private use INRs are not managed by any RIR, LACNIC ASNs cannot be transferred, and AFRINIC resources of any type cannot be transferred to and from any other RIR; the below constraints can be applied to APNIC Trust Anchor.

By placing the below content in files named apnic.constraints; the associated Trust Anchor reachable via apnic.tal is constrained such that any EE certificates or Signed Objects related to out-of-scope resources are considered invalid.

#       $OpenBSD: apnic.constraints,v 1.6 2024/04/17 14:31:59 job Exp $

# From https://www.iana.org/assignments/ipv6-unicast-address-assignments
allow 2001:200::/23
allow 2001:c00::/23
allow 2001:e00::/23
allow 2001:4400::/23
allow 2001:8000::/19
allow 2001:a000::/20
allow 2001:b000::/20
allow 2400::/12

# IX Assignments
allow 2001:7fa::/32

# LACNIC ASNs cannot be transferred to APNIC
# From https://www.iana.org/assignments/as-numbers/as-numbers.xhtml
deny 27648 - 28671
deny 52224 - 53247
deny 61440 - 61951
deny 64099 - 64197
deny 262144 - 273820

# LACNIC ASNs cannot be transferred to APNIC
# From nro-delegated-stats 20240417
deny 278
deny 676
deny 1251
deny 1292
deny 1296
deny 1797
deny 1831
deny 1840
deny 1916
deny 2146
deny 2277
deny 2549
deny 2638
deny 2708
deny 2715 - 2716
deny 2739
deny 2904
deny 3132
deny 3141
deny 3449
deny 3454
deny 3484
deny 3487
deny 3496
deny 3548
deny 3551
deny 3556
deny 3596 - 3597
deny 3603
deny 3631 - 3632
deny 3636
deny 3640
deny 3790
deny 3816
deny 3905
deny 3968
deny 4141
deny 4209
deny 4230
deny 4242
deny 4244
deny 4270
deny 4387
deny 4493
deny 4535
deny 4914
deny 4926
deny 4944
deny 4964
deny 4967
deny 4995
deny 5005
deny 5633
deny 5639
deny 5648
deny 5692
deny 5708
deny 5722
deny 5745
deny 5772
deny 6057
deny 6063 - 6065
deny 6084
deny 6121
deny 6125
deny 6133
deny 6135
deny 6147 - 6148
deny 6193
deny 6240
deny 6306
deny 6332
deny 6342
deny 6400
deny 6429
deny 6458
deny 6471
deny 6487
deny 6495
deny 6503
deny 6505
deny 6535
deny 6543
deny 6545
deny 6568
deny 6590
deny 6927
deny 6945
deny 6957
deny 7002
deny 7004 - 7005
deny 7038
deny 7048 - 7049
deny 7056
deny 7063
deny 7080
deny 7087
deny 7103
deny 7120
deny 7125
deny 7137
deny 7149
deny 7157
deny 7162
deny 7167
deny 7173
deny 7184
deny 7195
deny 7199
deny 7236
deny 7298
deny 7303
deny 7313
deny 7315
deny 7325
deny 7340
deny 7365
deny 7399
deny 7408
deny 7414
deny 7417 - 7418
deny 7428
deny 7437 - 7438
deny 7465
deny 7727
deny 7738
deny 7803
deny 7864
deny 7890
deny 7906
deny 7908
deny 7910
deny 7927
deny 7934
deny 7953
deny 7965
deny 7974
deny 7980
deny 7984
deny 7993 - 7995
deny 7997
deny 8007
deny 8024
deny 8026
deny 8048
deny 8053 - 8056
deny 8065 - 8066
deny 8096
deny 8140 - 8141
deny 8151
deny 8163
deny 8167
deny 8178
deny 10269
deny 10277
deny 10285
deny 10293
deny 10299
deny 10301
deny 10318
deny 10362
deny 10391
deny 10412
deny 10417
deny 10420
deny 10429
deny 10436
deny 10452
deny 10454
deny 10463
deny 10476
deny 10479
deny 10481
deny 10495
deny 10502
deny 10531
deny 10560
deny 10569
deny 10586
deny 10600
deny 10605 - 10606
deny 10617
deny 10620
deny 10624
deny 10630
deny 10640
deny 10649
deny 10670 - 10671
deny 10688
deny 10691
deny 10697
deny 10704
deny 10706
deny 10715
deny 10733
deny 10757
deny 10778
deny 10785
deny 10795
deny 10824
deny 10834
deny 10841
deny 10847
deny 10875
deny 10881
deny 10895
deny 10897
deny 10906
deny 10938
deny 10954
deny 10964
deny 10983
deny 10986
deny 10992
deny 11008
deny 11014
deny 11053
deny 11058
deny 11063
deny 11081
deny 11083
deny 11087
deny 11097
deny 11136
deny 11172
deny 11193
deny 11237
deny 11242
deny 11254
deny 11256
deny 11271
deny 11284
deny 11295
deny 11311
deny 11315
deny 11335
deny 11338
deny 11340
deny 11356
deny 11373
deny 11390
deny 11392
deny 11411
deny 11415
deny 11419
deny 11431 - 11432
deny 11447
deny 11450 - 11451
deny 11497 - 11498
deny 11503
deny 11514
deny 11519
deny 11556
deny 11562
deny 11571
deny 11581
deny 11585
deny 11592
deny 11599
deny 11617
deny 11642
deny 11644
deny 11664
deny 11673
deny 11677
deny 11694
deny 11706
deny 11750 - 11752
deny 11786
deny 11800 - 11802
deny 11815 - 11816
deny 11830
deny 11835
deny 11844
deny 11888
deny 11896
deny 11921
deny 11947
deny 11960
deny 11993
deny 12034
deny 12066
deny 12127
deny 12135 - 12136
deny 12140
deny 12146
deny 12150
deny 12248
deny 12252
deny 12264
deny 13316
deny 13318
deny 13320
deny 13353
deny 13357
deny 13381
deny 13424
deny 13440
deny 13459
deny 13474
deny 13489
deny 13495
deny 13514
deny 13521 - 13522
deny 13544
deny 13579
deny 13584 - 13585
deny 13591
deny 13643
deny 13679
deny 13682
deny 13761
deny 13774
deny 13835
deny 13874
deny 13878
deny 13914
deny 13929
deny 13934 - 13936
deny 13991
deny 13999 - 14000
deny 14026
deny 14030
deny 14069
deny 14080
deny 14084
deny 14087
deny 14111
deny 14117
deny 14122
deny 14178 - 14179
deny 14186 - 14187
deny 14202
deny 14204
deny 14231 - 14232
deny 14234
deny 14249 - 14250
deny 14259
deny 14282
deny 14285 - 14286
deny 14316
deny 14318
deny 14339
deny 14346
deny 14377
deny 14420
deny 14457
deny 14463
deny 14522
deny 14535
deny 14553
deny 14560
deny 14571
deny 14624
deny 14650
deny 14664
deny 14674
deny 14692
deny 14708 - 14709
deny 14723
deny 14754
deny 14759
deny 14769
deny 14795
deny 14840
deny 14845
deny 14867 - 14868
deny 14886
deny 14966
deny 14970
deny 15030
deny 15034
deny 15064
deny 15066
deny 15075
deny 15078
deny 15107
deny 15125
deny 15151
deny 15180
deny 15201
deny 15208
deny 15236
deny 15241
deny 15246
deny 15252
deny 15256
deny 15274
deny 15311
deny 16397
deny 16418
deny 16471
deny 16506
deny 16522
deny 16528
deny 16531
deny 16592
deny 16594
deny 16596
deny 16606 - 16607
deny 16629
deny 16663
deny 16685
deny 16689
deny 16701
deny 16712
deny 16732
deny 16735 - 16736
deny 16742
deny 16762
deny 16772
deny 16780
deny 16814
deny 16847
deny 16849
deny 16864
deny 16874
deny 16885
deny 16891
deny 16906
deny 16911
deny 16960
deny 16973
deny 16975
deny 16990
deny 17069
deny 17072
deny 17079
deny 17086
deny 17108
deny 17126
deny 17147
deny 17182
deny 17205
deny 17208
deny 17222
deny 17249 - 17250
deny 17255
deny 17257
deny 17287
deny 17329
deny 17376
deny 17379
deny 17399
deny 17401
deny 18449
deny 18455
deny 18466
deny 18479
deny 18492
deny 18496
deny 18532
deny 18547
deny 18576
deny 18579
deny 18592
deny 18644
deny 18667
deny 18678
deny 18734
deny 18739
deny 18782
deny 18809
deny 18822
deny 18836
deny 18840
deny 18846
deny 18869
deny 18881
deny 18941
deny 18998
deny 19033
deny 19037 - 19038
deny 19064
deny 19077
deny 19089 - 19090
deny 19109
deny 19114
deny 19132
deny 19169
deny 19180
deny 19182
deny 19192
deny 19196
deny 19200
deny 19228
deny 19244
deny 19259
deny 19278
deny 19315
deny 19332
deny 19338
deny 19361
deny 19373
deny 19411
deny 19422
deny 19429
deny 19447
deny 19519
deny 19553
deny 19582 - 19583
deny 19611
deny 19632
deny 19688
deny 19723
deny 19731
deny 19763
deny 19767
deny 19863
deny 19873
deny 19889
deny 19960
deny 19978
deny 19989 - 19990
deny 20002
deny 20015
deny 20032
deny 20043 - 20044
deny 20106
deny 20116 - 20117
deny 20121
deny 20142
deny 20173
deny 20191
deny 20207
deny 20232
deny 20244
deny 20255 - 20256
deny 20266
deny 20297
deny 20299
deny 20305
deny 20312
deny 20321
deny 20345
deny 20361
deny 20363
deny 20418
deny 21506
deny 21520
deny 21571
deny 21574 - 21575
deny 21578
deny 21590
deny 21599
deny 21603
deny 21612
deny 21614
deny 21674
deny 21692
deny 21741
deny 21753
deny 21756
deny 21765
deny 21768
deny 21824
deny 21826
deny 21838
deny 21862
deny 21883
deny 21888
deny 21911
deny 21917
deny 21980
deny 22010 - 22011
deny 22019
deny 22047
deny 22055
deny 22080
deny 22085
deny 22092
deny 22122
deny 22128 - 22129
deny 22133
deny 22148
deny 22177
deny 22185
deny 22227
deny 22250
deny 22305
deny 22313
deny 22341
deny 22356
deny 22368
deny 22371
deny 22381 - 22382
deny 22407
deny 22411
deny 22431
deny 22453
deny 22501
deny 22508
deny 22515
deny 22529
deny 22541
deny 22548
deny 22566
deny 22628
deny 22661
deny 22678
deny 22689
deny 22698 - 22699
deny 22706
deny 22724
deny 22726
deny 22745
deny 22798
deny 22818 - 22819
deny 22833
deny 22860
deny 22869
deny 22876
deny 22882
deny 22884
deny 22889
deny 22894
deny 22908
deny 22924
deny 22927
deny 22975
deny 23002
deny 23007
deny 23020
deny 23031
deny 23074
deny 23091
deny 23105 - 23106
deny 23113
deny 23128
deny 23140
deny 23201 - 23202
deny 23216
deny 23243
deny 23246
deny 23289
deny 23353
deny 23360
deny 23382 - 23383
deny 23416
deny 23487 - 23488
deny 23495
deny 23541
deny 25607
deny 25620
deny 25701
deny 25705
deny 25718
deny 25734
deny 25812
deny 25832
deny 25908
deny 25927
deny 25933
deny 25998
deny 26048
deny 26061
deny 26090
deny 26104 - 26105
deny 26107
deny 26112
deny 26118 - 26119
deny 26136
deny 26162
deny 26173
deny 26194
deny 26210
deny 26218
deny 26317
deny 26418
deny 26426
deny 26434
deny 26473
deny 26505
deny 26592 - 26596
deny 26598 - 26623

# AFRINIC IPv4 resources cannot be transferred to APNIC
# From https://www.iana.org/assignments/ipv4-address-space/
deny 41.0.0.0/8
deny 102.0.0.0/8
deny 105.0.0.0/8
deny 154.0.0.0/16
deny 154.16.0.0/16
deny 154.65.0.0 - 154.255.255.255
deny 196.0.0.0 - 196.1.0.255
deny 196.1.4.0/24
deny 196.1.7.0 - 196.1.63.255
deny 196.1.71.0/24
deny 196.1.74.0 - 196.1.103.255
deny 196.1.115.0 - 196.1.133.255
deny 196.1.137.0/24
deny 196.1.143.0 - 196.1.159.255
deny 196.1.176.0 - 196.1.255.255
deny 196.2.2.0/23
deny 196.2.8.0 - 196.2.255.255
deny 196.3.14.0/23
deny 196.3.57.0 - 196.3.64.255
deny 196.3.90.0/24
deny 196.3.92.0 - 196.3.94.255
deny 196.3.96.0/21
deny 196.3.105.0/24
deny 196.3.107.0 - 196.3.131.255
deny 196.3.148.0/22
deny 196.3.154.0 - 196.3.183.255
deny 196.3.224.0 - 196.4.45.255
deny 196.4.71.0 - 196.11.171.255
deny 196.11.174.0 - 196.11.239.255
deny 196.11.248.0/21
deny 196.12.10.0 - 196.12.31.255
deny 196.12.128.0/19
deny 196.12.192.0 - 196.15.15.255
deny 196.15.64.0 - 196.26.255.255
deny 196.27.64.0 - 196.28.47.255
deny 196.28.64.0 - 196.29.63.255
deny 196.29.96.0 - 196.31.255.255
deny 196.32.8.0 - 196.32.31.255
deny 196.32.96.0/19
deny 196.32.160.0 - 196.39.255.255
deny 196.40.96.0 - 196.41.255.255
deny 196.42.64.0 - 196.216.0.255
deny 196.216.2.0 - 197.255.255.255

# AFRINIC ASNs cannot be transferred to APNIC
# From https://www.iana.org/assignments/as-numbers/
deny 36864 - 37887
deny 327680 - 328703
deny 328704 - 329727

# AFRINIC ASNs cannot be transferred to APNIC
# From nro-delegated-stats 20240417
deny 1228 - 1232
deny 2018
deny 2561
deny 2905
deny 3067 - 3068
deny 3208
deny 3741
deny 4178
deny 4571
deny 5536
deny 5713
deny 5734
deny 6083
deny 6089
deny 6127
deny 6149
deny 6180
deny 6187
deny 6351
deny 6529
deny 6560
deny 6713
deny 6879
deny 6968
deny 7020
deny 7154
deny 7231
deny 7390
deny 7420
deny 7460
deny 7971 - 7972
deny 8094
deny 8524
deny 8770
deny 9129
deny 10247
deny 10262
deny 10331
deny 10393
deny 10474
deny 10505
deny 10540
deny 10575
deny 10798
deny 10803
deny 10898
deny 11125
deny 11157
deny 11201
deny 11259
deny 11265
deny 11380
deny 11569
deny 11645
deny 11744
deny 11845
deny 11909
deny 12091
deny 12143
deny 12258
deny 12455
deny 12556
deny 13224
deny 13402
deny 13519
deny 13569
deny 13854
deny 14029
deny 14115
deny 14331
deny 14429
deny 14516
deny 14988
deny 15022
deny 15159
deny 15399
deny 15475
deny 15706
deny 15804
deny 15825
deny 15834
deny 15964
deny 16058
deny 16214
deny 16284
deny 16416
deny 16547
deny 16630
deny 16637
deny 16800
deny 16853
deny 16907
deny 17148
deny 17220
deny 17260
deny 17312
deny 17400
deny 17652
deny 18775
deny 18922
deny 18931
deny 19136
deny 19232
deny 19676
deny 19711
deny 19832
deny 19847
deny 20011
deny 20086
deny 20095
deny 20180
deny 20294
deny 20459
deny 20484
deny 20858
deny 20928
deny 21003
deny 21152
deny 21242
deny 21271
deny 21278
deny 21280
deny 21391
deny 21452
deny 21739
deny 21819
deny 22354 - 22355
deny 22386
deny 22572
deny 22690
deny 22735
deny 22750
deny 22939
deny 23058
deny 23549
deny 23889
deny 24736
deny 24757
deny 24788
deny 24801
deny 24835
deny 24863
deny 24878
deny 24987
deny 25163
deny 25250
deny 25362
deny 25364
deny 25543
deny 25568
deny 25576
deny 25695
deny 25726
deny 25793
deny 25818
deny 26106
deny 26130
deny 26422
deny 26625
deny 26754
deny 27576
deny 27598
deny 28683
deny 28698
deny 28913
deny 29091
deny 29338
deny 29340
deny 29428
deny 29495
deny 29544
deny 29571
deny 29614
deny 29674
deny 29918
deny 29975
deny 30073
deny 30306
deny 30429
deny 30619
deny 30896
deny 30980
deny 30982 - 30999
deny 31065
deny 31245
deny 31619
deny 31810
deny 31856
deny 31960
deny 32017
deny 32279
deny 32398
deny 32437
deny 32653
deny 32714
deny 32717
deny 32842
deny 32860
deny 33567
deny 33579
deny 33762 - 33791

# Private use IPv4 & IPv6 addresses and ASNs
deny 0.0.0.0/8               # RFC 1122 Local Identification
deny 10.0.0.0/8              # RFC 1918 private space
deny 100.64.0.0/10           # RFC 6598 Carrier Grade NAT
deny 127.0.0.0/8             # RFC 1122 localhost
deny 169.254.0.0/16          # RFC 3927 link local
deny 172.16.0.0/12           # RFC 1918 private space
deny 192.0.2.0/24            # RFC 5737 TEST-NET-1
deny 192.88.99.0/24          # RFC 7526 6to4 anycast relay
deny 192.168.0.0/16          # RFC 1918 private space
deny 198.18.0.0/15           # RFC 2544 benchmarking
deny 198.51.100.0/24         # RFC 5737 TEST-NET-2
deny 203.0.113.0/24          # RFC 5737 TEST-NET-3
deny 224.0.0.0/4             # Multicast
deny 240.0.0.0/4             # Reserved
deny 23456                   # RFC 4893 AS_TRANS
deny 64496 - 64511           # RFC 5398
deny 64512 - 65534           # RFC 6996
deny 65535                   # RFC 7300
deny 65536 - 65551           # RFC 5398
deny 65552 - 131071          # IANA Reserved
deny 4200000000 - 4294967294 # RFC 6996
deny 4294967295              # RFC 7300

# APNIC supports IPv4 and ASN transfers: allow the complement of what is denied
allow 0.0.0.0/0
allow 1 - 4199999999

Constraints applicable to LACNIC's Trust Anchor

Given that Autonomous System Numbers & IPv6 resources cannot be transferred from ARIN, APNIC, and RIPE NCC to LACNIC, only LACNIC ASNs & IPv6 resources should appear subordinate to LACNIC's Trust Anchor, private use INRs are not managed by any RIR, and AFRINIC resources of any type cannot be transferred to and from any other RIR; the below constraints can be applied to LACNIC Trust Anchor.

By placing the below content in files named lacnic.constraints; the associated Trust Anchor reachable via lacnic.tal is constrained such that any EE certificates or Signed Objects related to out-of-scope resources are considered invalid.

#       $OpenBSD: lacnic.constraints,v 1.6 2024/04/17 14:31:59 job Exp $

# From https://www.iana.org/assignments/ipv6-unicast-address-assignments
allow 2001:1200::/23
allow 2800::/12

# From https://www.iana.org/assignments/as-numbers/
allow 27648 - 28671
allow 52224 - 53247
allow 61440 - 61951
allow 64099 - 64197
allow 262144 - 274844

# From nro-delegated-stats 20240417
allow 278
allow 676
allow 1251
allow 1292
allow 1296
allow 1797
allow 1831
allow 1840
allow 1916
allow 2146
allow 2277
allow 2549
allow 2638
allow 2708
allow 2715 - 2716
allow 2739
allow 2904
allow 3132
allow 3141
allow 3449
allow 3454
allow 3484
allow 3487
allow 3496
allow 3548
allow 3551
allow 3556
allow 3596 - 3597
allow 3603
allow 3631 - 3632
allow 3636
allow 3640
allow 3790
allow 3816
allow 3905
allow 3968
allow 4141
allow 4209
allow 4230
allow 4242
allow 4244
allow 4270
allow 4387
allow 4493
allow 4535
allow 4914
allow 4926
allow 4944
allow 4964
allow 4967
allow 4995
allow 5005
allow 5633
allow 5639
allow 5648
allow 5692
allow 5708
allow 5722
allow 5745
allow 5772
allow 6057
allow 6063 - 6065
allow 6084
allow 6121
allow 6125
allow 6133
allow 6135
allow 6147 - 6148
allow 6193
allow 6240
allow 6306
allow 6332
allow 6342
allow 6400
allow 6429
allow 6458
allow 6471
allow 6487
allow 6495
allow 6503
allow 6505
allow 6535
allow 6543
allow 6545
allow 6568
allow 6590
allow 6927
allow 6945
allow 6957
allow 7002
allow 7004 - 7005
allow 7038
allow 7048 - 7049
allow 7056
allow 7063
allow 7080
allow 7087
allow 7103
allow 7120
allow 7125
allow 7137
allow 7149
allow 7157
allow 7162
allow 7167
allow 7173
allow 7184
allow 7195
allow 7199
allow 7236
allow 7298
allow 7303
allow 7313
allow 7315
allow 7325
allow 7340
allow 7365
allow 7399
allow 7408
allow 7414
allow 7417 - 7418
allow 7428
allow 7437 - 7438
allow 7465
allow 7727
allow 7738
allow 7803
allow 7864
allow 7890
allow 7906
allow 7908
allow 7910
allow 7927
allow 7934
allow 7953
allow 7965
allow 7974
allow 7980
allow 7984
allow 7993 - 7995
allow 7997
allow 8007
allow 8024
allow 8026
allow 8048
allow 8053 - 8056
allow 8065 - 8066
allow 8096
allow 8140 - 8141
allow 8151
allow 8163
allow 8167
allow 8178
allow 10269
allow 10277
allow 10285
allow 10293
allow 10299
allow 10301
allow 10318
allow 10362
allow 10391
allow 10412
allow 10417
allow 10420
allow 10429
allow 10436
allow 10452
allow 10454
allow 10463
allow 10476
allow 10479
allow 10481
allow 10495
allow 10502
allow 10531
allow 10560
allow 10569
allow 10586
allow 10600
allow 10605 - 10606
allow 10617
allow 10620
allow 10624
allow 10630
allow 10640
allow 10649
allow 10670 - 10671
allow 10688
allow 10691
allow 10697
allow 10704
allow 10706
allow 10715
allow 10733
allow 10757
allow 10778
allow 10785
allow 10795
allow 10824
allow 10834
allow 10841
allow 10847
allow 10875
allow 10881
allow 10895
allow 10897
allow 10906
allow 10938
allow 10954
allow 10964
allow 10983
allow 10986
allow 10992
allow 11008
allow 11014
allow 11053
allow 11058
allow 11063
allow 11081
allow 11083
allow 11087
allow 11097
allow 11136
allow 11172
allow 11193
allow 11237
allow 11242
allow 11254
allow 11256
allow 11271
allow 11284
allow 11295
allow 11311
allow 11315
allow 11335
allow 11338
allow 11340
allow 11356
allow 11373
allow 11390
allow 11392
allow 11411
allow 11415
allow 11419
allow 11431 - 11432
allow 11447
allow 11450 - 11451
allow 11497 - 11498
allow 11503
allow 11514
allow 11519
allow 11556
allow 11562
allow 11571
allow 11581
allow 11585
allow 11592
allow 11599
allow 11617
allow 11642
allow 11644
allow 11664
allow 11673
allow 11677
allow 11694
allow 11706
allow 11750 - 11752
allow 11786
allow 11800 - 11802
allow 11815 - 11816
allow 11830
allow 11835
allow 11844
allow 11888
allow 11896
allow 11921
allow 11947
allow 11960
allow 11993
allow 12034
allow 12066
allow 12127
allow 12135 - 12136
allow 12140
allow 12146
allow 12150
allow 12248
allow 12252
allow 12264
allow 13316
allow 13318
allow 13320
allow 13353
allow 13357
allow 13381
allow 13424
allow 13440
allow 13459
allow 13474
allow 13489
allow 13495
allow 13514
allow 13521 - 13522
allow 13544
allow 13579
allow 13584 - 13585
allow 13591
allow 13643
allow 13679
allow 13682
allow 13761
allow 13774
allow 13835
allow 13874
allow 13878
allow 13914
allow 13929
allow 13934 - 13936
allow 13991
allow 13999 - 14000
allow 14026
allow 14030
allow 14069
allow 14080
allow 14084
allow 14087
allow 14111
allow 14117
allow 14122
allow 14178 - 14179
allow 14186 - 14187
allow 14202
allow 14204
allow 14231 - 14232
allow 14234
allow 14249 - 14250
allow 14259
allow 14282
allow 14285 - 14286
allow 14316
allow 14318
allow 14339
allow 14346
allow 14377
allow 14420
allow 14457
allow 14463
allow 14522
allow 14535
allow 14553
allow 14560
allow 14571
allow 14624
allow 14650
allow 14664
allow 14674
allow 14692
allow 14708 - 14709
allow 14723
allow 14754
allow 14759
allow 14769
allow 14795
allow 14840
allow 14845
allow 14867 - 14868
allow 14886
allow 14966
allow 14970
allow 15030
allow 15034
allow 15064
allow 15066
allow 15075
allow 15078
allow 15107
allow 15125
allow 15151
allow 15180
allow 15201
allow 15208
allow 15236
allow 15241
allow 15246
allow 15252
allow 15256
allow 15274
allow 15311
allow 16397
allow 16418
allow 16471
allow 16506
allow 16522
allow 16528
allow 16531
allow 16592
allow 16594
allow 16596
allow 16606 - 16607
allow 16629
allow 16663
allow 16685
allow 16689
allow 16701
allow 16712
allow 16732
allow 16735 - 16736
allow 16742
allow 16762
allow 16772
allow 16780
allow 16814
allow 16847
allow 16849
allow 16864
allow 16874
allow 16885
allow 16891
allow 16906
allow 16911
allow 16960
allow 16973
allow 16975
allow 16990
allow 17069
allow 17072
allow 17079
allow 17086
allow 17108
allow 17126
allow 17147
allow 17182
allow 17205
allow 17208
allow 17222
allow 17249 - 17250
allow 17255
allow 17257
allow 17287
allow 17329
allow 17376
allow 17379
allow 17399
allow 17401
allow 18449
allow 18455
allow 18466
allow 18479
allow 18492
allow 18496
allow 18532
allow 18547
allow 18576
allow 18579
allow 18592
allow 18644
allow 18667
allow 18678
allow 18734
allow 18739
allow 18782
allow 18809
allow 18822
allow 18836
allow 18840
allow 18846
allow 18869
allow 18881
allow 18941
allow 18998
allow 19033
allow 19037 - 19038
allow 19064
allow 19077
allow 19089 - 19090
allow 19109
allow 19114
allow 19132
allow 19169
allow 19180
allow 19182
allow 19192
allow 19196
allow 19200
allow 19228
allow 19244
allow 19259
allow 19278
allow 19315
allow 19332
allow 19338
allow 19361
allow 19373
allow 19411
allow 19422
allow 19429
allow 19447
allow 19519
allow 19553
allow 19582 - 19583
allow 19611
allow 19632
allow 19688
allow 19723
allow 19731
allow 19763
allow 19767
allow 19863
allow 19873
allow 19889
allow 19960
allow 19978
allow 19989 - 19990
allow 20002
allow 20015
allow 20032
allow 20043 - 20044
allow 20106
allow 20116 - 20117
allow 20121
allow 20142
allow 20173
allow 20191
allow 20207
allow 20232
allow 20244
allow 20255 - 20256
allow 20266
allow 20297
allow 20299
allow 20305
allow 20312
allow 20321
allow 20345
allow 20361
allow 20363
allow 20418
allow 21506
allow 21520
allow 21571
allow 21574 - 21575
allow 21578
allow 21590
allow 21599
allow 21603
allow 21612
allow 21614
allow 21674
allow 21692
allow 21741
allow 21753
allow 21756
allow 21765
allow 21768
allow 21824
allow 21826
allow 21838
allow 21862
allow 21883
allow 21888
allow 21911
allow 21917
allow 21980
allow 22010 - 22011
allow 22019
allow 22047
allow 22055
allow 22080
allow 22085
allow 22092
allow 22122
allow 22128 - 22129
allow 22133
allow 22148
allow 22177
allow 22185
allow 22227
allow 22250
allow 22305
allow 22313
allow 22341
allow 22356
allow 22368
allow 22371
allow 22381 - 22382
allow 22407
allow 22411
allow 22431
allow 22453
allow 22501
allow 22508
allow 22515
allow 22529
allow 22541
allow 22548
allow 22566
allow 22628
allow 22661
allow 22678
allow 22689
allow 22698 - 22699
allow 22706
allow 22724
allow 22726
allow 22745
allow 22798
allow 22818 - 22819
allow 22833
allow 22860
allow 22869
allow 22876
allow 22882
allow 22884
allow 22889
allow 22894
allow 22908
allow 22924
allow 22927
allow 22975
allow 23002
allow 23007
allow 23020
allow 23031
allow 23074
allow 23091
allow 23105 - 23106
allow 23113
allow 23128
allow 23140
allow 23201 - 23202
allow 23216
allow 23243
allow 23246
allow 23289
allow 23353
allow 23360
allow 23382 - 23383
allow 23416
allow 23487 - 23488
allow 23495
allow 23541
allow 25607
allow 25620
allow 25701
allow 25705
allow 25718
allow 25734
allow 25812
allow 25832
allow 25908
allow 25927
allow 25933
allow 25998
allow 26048
allow 26061
allow 26090
allow 26104 - 26105
allow 26107
allow 26112
allow 26118 - 26119
allow 26136
allow 26162
allow 26173
allow 26194
allow 26210
allow 26218
allow 26317
allow 26418
allow 26426
allow 26434
allow 26473
allow 26505
allow 26592 - 26596
allow 26598 - 26623

# AFRINIC Internet Number Resources cannot be transferred
# From https://www.iana.org/assignments/ipv4-address-space/
deny 41.0.0.0/8
deny 102.0.0.0/8
deny 105.0.0.0/8
deny 154.0.0.0/16
deny 154.16.0.0/16
deny 154.65.0.0 - 154.255.255.255
deny 196.0.0.0 - 196.1.0.255
deny 196.1.4.0/24
deny 196.1.7.0 - 196.1.63.255
deny 196.1.71.0/24
deny 196.1.74.0 - 196.1.103.255
deny 196.1.115.0 - 196.1.133.255
deny 196.1.137.0/24
deny 196.1.143.0 - 196.1.159.255
deny 196.1.176.0 - 196.1.255.255
deny 196.2.2.0/23
deny 196.2.8.0 - 196.2.255.255
deny 196.3.14.0/23
deny 196.3.57.0 - 196.3.64.255
deny 196.3.90.0/24
deny 196.3.92.0 - 196.3.94.255
deny 196.3.96.0/21
deny 196.3.105.0/24
deny 196.3.107.0 - 196.3.131.255
deny 196.3.148.0/22
deny 196.3.154.0 - 196.3.183.255
deny 196.3.224.0 - 196.4.45.255
deny 196.4.71.0 - 196.11.171.255
deny 196.11.174.0 - 196.11.239.255
deny 196.11.248.0/21
deny 196.12.10.0 - 196.12.31.255
deny 196.12.128.0/19
deny 196.12.192.0 - 196.15.15.255
deny 196.15.64.0 - 196.26.255.255
deny 196.27.64.0 - 196.28.47.255
deny 196.28.64.0 - 196.29.63.255
deny 196.29.96.0 - 196.31.255.255
deny 196.32.8.0 - 196.32.31.255
deny 196.32.96.0/19
deny 196.32.160.0 - 196.39.255.255
deny 196.40.96.0 - 196.41.255.255
deny 196.42.64.0 - 196.216.0.255
deny 196.216.2.0 - 197.255.255.255

# Private use IPv4 & IPv6 addresses and ASNs
deny 0.0.0.0/8               # RFC 1122 Local Identification
deny 10.0.0.0/8              # RFC 1918 private space
deny 100.64.0.0/10           # RFC 6598 Carrier Grade NAT
deny 127.0.0.0/8             # RFC 1122 localhost
deny 169.254.0.0/16          # RFC 3927 link local
deny 172.16.0.0/12           # RFC 1918 private space
deny 192.0.2.0/24            # RFC 5737 TEST-NET-1
deny 192.88.99.0/24          # RFC 7526 6to4 anycast relay
deny 192.168.0.0/16          # RFC 1918 private space
deny 198.18.0.0/15           # RFC 2544 benchmarking
deny 198.51.100.0/24         # RFC 5737 TEST-NET-2
deny 203.0.113.0/24          # RFC 5737 TEST-NET-3
deny 224.0.0.0/4             # Multicast
deny 240.0.0.0/4             # Reserved

# LACNIC supports only IPv4 transfers: allow the complement of what is denied
allow 0.0.0.0/0

Constraints applicable to LACNIC's Trust Anchor

Given that ARIN, APNIC, and LACNIC IPv6 resources cannot be transferred to RIPE NCC, only RIPE NCC IPv6 resources should appear subordinate to RIPE NCC's Trust Anchor, LACNIC ASNs cannot be transferred, private use INRs are not managed by any RIR, and AFRINIC resources of any type cannot be transferred to and from any other RIR; the below constraints can be applied to RIPE NCC Trust Anchor.

By placing the below content in files named ripe.constraints; the associated Trust Anchor reachable via ripe.tal is constrained such that any EE certificates or Signed Objects related to out-of-scope resources are considered invalid.

#       $OpenBSD: ripe.constraints,v 1.5 2024/04/17 14:31:59 job Exp $

# From https://www.iana.org/assignments/ipv6-unicast-address-assignments
allow 2001:600::/23
allow 2001:800::/22
allow 2001:1400::/22
allow 2001:1a00::/23
allow 2001:1c00::/22
allow 2001:2000::/19
allow 2001:4000::/23
allow 2001:4600::/23
allow 2001:4a00::/23
allow 2001:4c00::/23
allow 2001:5000::/20
allow 2003::/18
allow 2a00::/12
allow 2a10::/12

# LACNIC ASNs cannot be transferred to RIPE NCC
# From https://www.iana.org/assignments/as-numbers/
deny 27648 - 28671
deny 52224 - 53247
deny 61440 - 61951
deny 64099 - 64197
deny 262144 - 273820

# LACNIC ASNs cannot be transferred to RIPE NCC
# From nro-delegated-stats 20240417
deny 278
deny 676
deny 1251
deny 1292
deny 1296
deny 1797
deny 1831
deny 1840
deny 1916
deny 2146
deny 2277
deny 2549
deny 2638
deny 2708
deny 2715 - 2716
deny 2739
deny 2904
deny 3132
deny 3141
deny 3449
deny 3454
deny 3484
deny 3487
deny 3496
deny 3548
deny 3551
deny 3556
deny 3596 - 3597
deny 3603
deny 3631 - 3632
deny 3636
deny 3640
deny 3790
deny 3816
deny 3905
deny 3968
deny 4141
deny 4209
deny 4230
deny 4242
deny 4244
deny 4270
deny 4387
deny 4493
deny 4535
deny 4914
deny 4926
deny 4944
deny 4964
deny 4967
deny 4995
deny 5005
deny 5633
deny 5639
deny 5648
deny 5692
deny 5708
deny 5722
deny 5745
deny 5772
deny 6057
deny 6063 - 6065
deny 6084
deny 6121
deny 6125
deny 6133
deny 6135
deny 6147 - 6148
deny 6193
deny 6240
deny 6306
deny 6332
deny 6342
deny 6400
deny 6429
deny 6458
deny 6471
deny 6487
deny 6495
deny 6503
deny 6505
deny 6535
deny 6543
deny 6545
deny 6568
deny 6590
deny 6927
deny 6945
deny 6957
deny 7002
deny 7004 - 7005
deny 7038
deny 7048 - 7049
deny 7056
deny 7063
deny 7080
deny 7087
deny 7103
deny 7120
deny 7125
deny 7137
deny 7149
deny 7157
deny 7162
deny 7167
deny 7173
deny 7184
deny 7195
deny 7199
deny 7236
deny 7298
deny 7303
deny 7313
deny 7315
deny 7325
deny 7340
deny 7365
deny 7399
deny 7408
deny 7414
deny 7417 - 7418
deny 7428
deny 7437 - 7438
deny 7465
deny 7727
deny 7738
deny 7803
deny 7864
deny 7890
deny 7906
deny 7908
deny 7910
deny 7927
deny 7934
deny 7953
deny 7965
deny 7974
deny 7980
deny 7984
deny 7993 - 7995
deny 7997
deny 8007
deny 8024
deny 8026
deny 8048
deny 8053 - 8056
deny 8065 - 8066
deny 8096
deny 8140 - 8141
deny 8151
deny 8163
deny 8167
deny 8178
deny 10269
deny 10277
deny 10285
deny 10293
deny 10299
deny 10301
deny 10318
deny 10362
deny 10391
deny 10412
deny 10417
deny 10420
deny 10429
deny 10436
deny 10452
deny 10454
deny 10463
deny 10476
deny 10479
deny 10481
deny 10495
deny 10502
deny 10531
deny 10560
deny 10569
deny 10586
deny 10600
deny 10605 - 10606
deny 10617
deny 10620
deny 10624
deny 10630
deny 10640
deny 10649
deny 10670 - 10671
deny 10688
deny 10691
deny 10697
deny 10704
deny 10706
deny 10715
deny 10733
deny 10757
deny 10778
deny 10785
deny 10795
deny 10824
deny 10834
deny 10841
deny 10847
deny 10875
deny 10881
deny 10895
deny 10897
deny 10906
deny 10938
deny 10954
deny 10964
deny 10983
deny 10986
deny 10992
deny 11008
deny 11014
deny 11053
deny 11058
deny 11063
deny 11081
deny 11083
deny 11087
deny 11097
deny 11136
deny 11172
deny 11193
deny 11237
deny 11242
deny 11254
deny 11256
deny 11271
deny 11284
deny 11295
deny 11311
deny 11315
deny 11335
deny 11338
deny 11340
deny 11356
deny 11373
deny 11390
deny 11392
deny 11411
deny 11415
deny 11419
deny 11431 - 11432
deny 11447
deny 11450 - 11451
deny 11497 - 11498
deny 11503
deny 11514
deny 11519
deny 11556
deny 11562
deny 11571
deny 11581
deny 11585
deny 11592
deny 11599
deny 11617
deny 11642
deny 11644
deny 11664
deny 11673
deny 11677
deny 11694
deny 11706
deny 11750 - 11752
deny 11786
deny 11800 - 11802
deny 11815 - 11816
deny 11830
deny 11835
deny 11844
deny 11888
deny 11896
deny 11921
deny 11947
deny 11960
deny 11993
deny 12034
deny 12066
deny 12127
deny 12135 - 12136
deny 12140
deny 12146
deny 12150
deny 12248
deny 12252
deny 12264
deny 13316
deny 13318
deny 13320
deny 13353
deny 13357
deny 13381
deny 13424
deny 13440
deny 13459
deny 13474
deny 13489
deny 13495
deny 13514
deny 13521 - 13522
deny 13544
deny 13579
deny 13584 - 13585
deny 13591
deny 13643
deny 13679
deny 13682
deny 13761
deny 13774
deny 13835
deny 13874
deny 13878
deny 13914
deny 13929
deny 13934 - 13936
deny 13991
deny 13999 - 14000
deny 14026
deny 14030
deny 14069
deny 14080
deny 14084
deny 14087
deny 14111
deny 14117
deny 14122
deny 14178 - 14179
deny 14186 - 14187
deny 14202
deny 14204
deny 14231 - 14232
deny 14234
deny 14249 - 14250
deny 14259
deny 14282
deny 14285 - 14286
deny 14316
deny 14318
deny 14339
deny 14346
deny 14377
deny 14420
deny 14457
deny 14463
deny 14522
deny 14535
deny 14553
deny 14560
deny 14571
deny 14624
deny 14650
deny 14664
deny 14674
deny 14692
deny 14708 - 14709
deny 14723
deny 14754
deny 14759
deny 14769
deny 14795
deny 14840
deny 14845
deny 14867 - 14868
deny 14886
deny 14966
deny 14970
deny 15030
deny 15034
deny 15064
deny 15066
deny 15075
deny 15078
deny 15107
deny 15125
deny 15151
deny 15180
deny 15201
deny 15208
deny 15236
deny 15241
deny 15246
deny 15252
deny 15256
deny 15274
deny 15311
deny 16397
deny 16418
deny 16471
deny 16506
deny 16522
deny 16528
deny 16531
deny 16592
deny 16594
deny 16596
deny 16606 - 16607
deny 16629
deny 16663
deny 16685
deny 16689
deny 16701
deny 16712
deny 16732
deny 16735 - 16736
deny 16742
deny 16762
deny 16772
deny 16780
deny 16814
deny 16847
deny 16849
deny 16864
deny 16874
deny 16885
deny 16891
deny 16906
deny 16911
deny 16960
deny 16973
deny 16975
deny 16990
deny 17069
deny 17072
deny 17079
deny 17086
deny 17108
deny 17126
deny 17147
deny 17182
deny 17205
deny 17208
deny 17222
deny 17249 - 17250
deny 17255
deny 17257
deny 17287
deny 17329
deny 17376
deny 17379
deny 17399
deny 17401
deny 18449
deny 18455
deny 18466
deny 18479
deny 18492
deny 18496
deny 18532
deny 18547
deny 18576
deny 18579
deny 18592
deny 18644
deny 18667
deny 18678
deny 18734
deny 18739
deny 18782
deny 18809
deny 18822
deny 18836
deny 18840
deny 18846
deny 18869
deny 18881
deny 18941
deny 18998
deny 19033
deny 19037 - 19038
deny 19064
deny 19077
deny 19089 - 19090
deny 19109
deny 19114
deny 19132
deny 19169
deny 19180
deny 19182
deny 19192
deny 19196
deny 19200
deny 19228
deny 19244
deny 19259
deny 19278
deny 19315
deny 19332
deny 19338
deny 19361
deny 19373
deny 19411
deny 19422
deny 19429
deny 19447
deny 19519
deny 19553
deny 19582 - 19583
deny 19611
deny 19632
deny 19688
deny 19723
deny 19731
deny 19763
deny 19767
deny 19863
deny 19873
deny 19889
deny 19960
deny 19978
deny 19989 - 19990
deny 20002
deny 20015
deny 20032
deny 20043 - 20044
deny 20106
deny 20116 - 20117
deny 20121
deny 20142
deny 20173
deny 20191
deny 20207
deny 20232
deny 20244
deny 20255 - 20256
deny 20266
deny 20297
deny 20299
deny 20305
deny 20312
deny 20321
deny 20345
deny 20361
deny 20363
deny 20418
deny 21506
deny 21520
deny 21571
deny 21574 - 21575
deny 21578
deny 21590
deny 21599
deny 21603
deny 21612
deny 21614
deny 21674
deny 21692
deny 21741
deny 21753
deny 21756
deny 21765
deny 21768
deny 21824
deny 21826
deny 21838
deny 21862
deny 21883
deny 21888
deny 21911
deny 21917
deny 21980
deny 22010 - 22011
deny 22019
deny 22047
deny 22055
deny 22080
deny 22085
deny 22092
deny 22122
deny 22128 - 22129
deny 22133
deny 22148
deny 22177
deny 22185
deny 22227
deny 22250
deny 22305
deny 22313
deny 22341
deny 22356
deny 22368
deny 22371
deny 22381 - 22382
deny 22407
deny 22411
deny 22431
deny 22453
deny 22501
deny 22508
deny 22515
deny 22529
deny 22541
deny 22548
deny 22566
deny 22628
deny 22661
deny 22678
deny 22689
deny 22698 - 22699
deny 22706
deny 22724
deny 22726
deny 22745
deny 22798
deny 22818 - 22819
deny 22833
deny 22860
deny 22869
deny 22876
deny 22882
deny 22884
deny 22889
deny 22894
deny 22908
deny 22924
deny 22927
deny 22975
deny 23002
deny 23007
deny 23020
deny 23031
deny 23074
deny 23091
deny 23105 - 23106
deny 23113
deny 23128
deny 23140
deny 23201 - 23202
deny 23216
deny 23243
deny 23246
deny 23289
deny 23353
deny 23360
deny 23382 - 23383
deny 23416
deny 23487 - 23488
deny 23495
deny 23541
deny 25607
deny 25620
deny 25701
deny 25705
deny 25718
deny 25734
deny 25812
deny 25832
deny 25908
deny 25927
deny 25933
deny 25998
deny 26048
deny 26061
deny 26090
deny 26104 - 26105
deny 26107
deny 26112
deny 26118 - 26119
deny 26136
deny 26162
deny 26173
deny 26194
deny 26210
deny 26218
deny 26317
deny 26418
deny 26426
deny 26434
deny 26473
deny 26505
deny 26592 - 26596
deny 26598 - 26623

# AFRINIC IPv4 resources cannot be transferred to RIPE NCC
# From https://www.iana.org/assignments/ipv4-address-space/
deny 41.0.0.0/8
deny 102.0.0.0/8
deny 105.0.0.0/8
deny 154.0.0.0/16
deny 154.16.0.0/16
deny 154.65.0.0 - 154.255.255.255
deny 196.0.0.0 - 196.1.0.255
deny 196.1.4.0/24
deny 196.1.7.0 - 196.1.63.255
deny 196.1.71.0/24
deny 196.1.74.0 - 196.1.103.255
deny 196.1.115.0 - 196.1.133.255
deny 196.1.137.0/24
deny 196.1.143.0 - 196.1.159.255
deny 196.1.176.0 - 196.1.255.255
deny 196.2.2.0/23
deny 196.2.8.0 - 196.2.255.255
deny 196.3.14.0/23
deny 196.3.57.0 - 196.3.64.255
deny 196.3.90.0/24
deny 196.3.92.0 - 196.3.94.255
deny 196.3.96.0/21
deny 196.3.105.0/24
deny 196.3.107.0 - 196.3.131.255
deny 196.3.148.0/22
deny 196.3.154.0 - 196.3.183.255
deny 196.3.224.0 - 196.4.45.255
deny 196.4.71.0 - 196.11.171.255
deny 196.11.174.0 - 196.11.239.255
deny 196.11.248.0/21
deny 196.12.10.0 - 196.12.31.255
deny 196.12.128.0/19
deny 196.12.192.0 - 196.15.15.255
deny 196.15.64.0 - 196.26.255.255
deny 196.27.64.0 - 196.28.47.255
deny 196.28.64.0 - 196.29.63.255
deny 196.29.96.0 - 196.31.255.255
deny 196.32.8.0 - 196.32.31.255
deny 196.32.96.0/19
deny 196.32.160.0 - 196.39.255.255
deny 196.40.96.0 - 196.41.255.255
deny 196.42.64.0 - 196.216.0.255
deny 196.216.2.0 - 197.255.255.255

# AFRINIC ASNs cannot be transferred to RIPE NCC
# From https://www.iana.org/assignments/as-numbers/
deny 36864 - 37887
deny 327680 - 328703
deny 328704 - 329727

# AFRINIC ASNs cannot be transferred to RIPE NCC
# From nro-delegated-stats 20240417
deny 1228 - 1232
deny 2018
deny 2561
deny 2905
deny 3067 - 3068
deny 3208
deny 3741
deny 4178
deny 4571
deny 5536
deny 5713
deny 5734
deny 6083
deny 6089
deny 6127
deny 6149
deny 6180
deny 6187
deny 6351
deny 6529
deny 6560
deny 6713
deny 6879
deny 6968
deny 7020
deny 7154
deny 7231
deny 7390
deny 7420
deny 7460
deny 7971 - 7972
deny 8094
deny 8524
deny 8770
deny 9129
deny 10247
deny 10262
deny 10331
deny 10393
deny 10474
deny 10505
deny 10540
deny 10575
deny 10798
deny 10803
deny 10898
deny 11125
deny 11157
deny 11201
deny 11259
deny 11265
deny 11380
deny 11569
deny 11645
deny 11744
deny 11845
deny 11909
deny 12091
deny 12143
deny 12258
deny 12455
deny 12556
deny 13224
deny 13402
deny 13519
deny 13569
deny 13854
deny 14029
deny 14115
deny 14331
deny 14429
deny 14516
deny 14988
deny 15022
deny 15159
deny 15399
deny 15475
deny 15706
deny 15804
deny 15825
deny 15834
deny 15964
deny 16058
deny 16214
deny 16284
deny 16416
deny 16547
deny 16630
deny 16637
deny 16800
deny 16853
deny 16907
deny 17148
deny 17220
deny 17260
deny 17312
deny 17400
deny 17652
deny 18775
deny 18922
deny 18931
deny 19136
deny 19232
deny 19676
deny 19711
deny 19832
deny 19847
deny 20011
deny 20086
deny 20095
deny 20180
deny 20294
deny 20459
deny 20484
deny 20858
deny 20928
deny 21003
deny 21152
deny 21242
deny 21271
deny 21278
deny 21280
deny 21391
deny 21452
deny 21739
deny 21819
deny 22354 - 22355
deny 22386
deny 22572
deny 22690
deny 22735
deny 22750
deny 22939
deny 23058
deny 23549
deny 23889
deny 24736
deny 24757
deny 24788
deny 24801
deny 24835
deny 24863
deny 24878
deny 24987
deny 25163
deny 25250
deny 25362
deny 25364
deny 25543
deny 25568
deny 25576
deny 25695
deny 25726
deny 25793
deny 25818
deny 26106
deny 26130
deny 26422
deny 26625
deny 26754
deny 27576
deny 27598
deny 28683
deny 28698
deny 28913
deny 29091
deny 29338
deny 29340
deny 29428
deny 29495
deny 29544
deny 29571
deny 29614
deny 29674
deny 29918
deny 29975
deny 30073
deny 30306
deny 30429
deny 30619
deny 30896
deny 30980
deny 30982 - 30999
deny 31065
deny 31245
deny 31619
deny 31810
deny 31856
deny 31960
deny 32017
deny 32279
deny 32398
deny 32437
deny 32653
deny 32714
deny 32717
deny 32842
deny 32860
deny 33567
deny 33579
deny 33762 - 33791

# Private use IPv4 & IPv6 addresses and ASNs
deny 0.0.0.0/8               # RFC 1122 Local Identification
deny 10.0.0.0/8              # RFC 1918 private space
deny 100.64.0.0/10           # RFC 6598 Carrier Grade NAT
deny 127.0.0.0/8             # RFC 1122 localhost
deny 169.254.0.0/16          # RFC 3927 link local
deny 172.16.0.0/12           # RFC 1918 private space
deny 192.0.2.0/24            # RFC 5737 TEST-NET-1
deny 192.88.99.0/24          # RFC 7526 6to4 anycast relay
deny 192.168.0.0/16          # RFC 1918 private space
deny 198.18.0.0/15           # RFC 2544 benchmarking
deny 198.51.100.0/24         # RFC 5737 TEST-NET-2
deny 203.0.113.0/24          # RFC 5737 TEST-NET-3
deny 224.0.0.0/4             # Multicast
deny 240.0.0.0/4             # Reserved
deny 23456                   # RFC 4893 AS_TRANS
deny 64496 - 64511           # RFC 5398
deny 64512 - 65534           # RFC 6996
deny 65535                   # RFC 7300
deny 65536 - 65551           # RFC 5398
deny 65552 - 131071          # IANA Reserved
deny 4200000000 - 4294967294 # RFC 6996
deny 4294967295              # RFC 7300

# RIPE NCC supports IPv4 and ASN transfers: allow the complement of what is denied
allow 0.0.0.0/0
allow 1 - 4199999999

Acknowledgements

Thanks to Niels Bakker, Joel Jaeggli, Tony Tauber, Tom Scholl, and Erik Bais for their feedback and input.

Authors' Addresses

Job Snijders
Fastly
Netherlands
Theo Buehler
OpenBSD
Switzerland