Network Working Group                                        J. Snijders
Internet-Draft                                                    Fastly
Intended status: Informational                                T. Buehler
Expires: 19 October 2024                                         OpenBSD
                                                           17 April 2024

                    Constraining RPKI Trust Anchors
          draft-snijders-constraining-rpki-trust-anchors-05

Abstract

This document describes an approach for Resource Public Key Infrastructure (RPKI) Relying Parties (RPs) to impose locally configured Constraints on cryptographic products subordinate to publicly-trusted Trust Anchors (TAs), as implemented in OpenBSD's rpki-client validator. The ability to constrain a Trust Anchor operator's effective signing authority to a limited set of Internet Number Resources (INRs) allows Relying Parties to enjoy the potential benefits of assuming trust - within a bounded scope.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 19 October 2024.

Copyright Notice

Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

Snijders & Buehler            Expires 19 October 2024               [Page 1]
Internet-Draft          Constraining RPKI Trust Anchors           April 2024

Table of Contents

1.  Introduction
  1.1.  Definitions
  1.2.  Required Reading
2.  Considerations on Trust Anchor over-claiming
3.  Constraining Trust Anchors by constraining End-Entity Certificates
4.  Operational Considerations
5.  Security Considerations
6.  References
  6.1.  Informative References
Appendix A.  Example listings of Constraints
  Constraints applicable to AFRINIC's Trust Anchor
  Constraints applicable to ARIN's Trust Anchor
  Constraints applicable to APNIC's Trust Anchor
  Constraints applicable to LACNIC's Trust Anchor
  Constraints applicable to LACNIC's Trust Anchor
Acknowledgements
Authors' Addresses

1.  Introduction

This document describes an approach for Resource Public Key Infrastructure (RPKI) Relying Parties (RPs) to impose locally configured Constraints on cryptographic products subordinate to publicly-trusted Trust Anchors (TAs), as implemented in the [OpenBSD] [rpki-client] validator. The ability to constrain a Trust Anchor operator's effective signing authority to a limited set of Internet Number Resources (INRs) allows Relying Parties to enjoy the potential benefits of assuming trust - within a bounded scope.

It is important to emphasize that each Relying Party makes its Trust Anchor inclusion decisions independently, on its own timelines, based on its own inclusion criteria; and that imposed Constraints (if any) are a matter of local configuration.
This document is intended to address user (meaning, Network Operator and Relying Party) needs and concerns, and was authored to benefit users and providers of RPKI services by providing a common body of knowledge to be communicated within the global Internet routing system community.

1.1.  Definitions

Assumed Trust
   In the RPKI hierarchical structure, a Trust Anchor is an authority for which trust is assumed and not derived. Assuming trust means that violation of that trust is out-of-scope for the threat model.

Derived Trust
   Derived Trust can be automatically and securely computed with subjective logic. In the context of the RPKI, trust is derived according to the rules for validation of RPKI Certificates and Signed Objects.

Constraints
   The locally configured union set of IP prefixes, IP address ranges, AS identifiers, and AS identifier ranges for which the Relying Party operator anticipates the Trust Anchor operator to issue cryptographic products.

1.2.  Required Reading

Readers should be familiar with the RPKI, the RPKI repository structure, and the various RPKI objects, uses, and interpretations described in the following: [RFC3779], [RFC6480], [RFC6481], [RFC6487], and [RFC6488].

2.  Considerations on Trust Anchor over-claiming

Currently, all five Regional Internet Registries (RIRs) list 'all-resources' (0.0.0.0/0, ::/0, and AS 0-4294967295) as subordinate on their Trust Anchor certificates in order to reduce some potential for risk of invalidation in the case of transient registry inconsistencies [I-D.rir-rpki-allres-ta-app-statement]. Such 'all-resources' listings demonstrate that - in the course of normal operations - Trust Anchors may claim authority for INRs outside the registry's current resource holdings.

The primary reason for transient registry inconsistencies to occur would be when resources are transferred from one registry to another.
However, the ability to transfer resources between registries is not universally available: this ability depends on the implementation of registry-specific consensus-driven policy development reciprocated by other registries. Another source of churn would be the inflow of new resources following allocations made by the IANA; but because of IPv4 address exhaustion, IPv6 abundance, and 32-bit ASNs being allocated in large blocks, IANA allocations occur far less often than they used to. Absent a registry's ability to execute inter-registry transfers or frequently receive new allocations from IANA, that registry's set of holdings would be a fairly static list of resources.

Therefore, a Relying Party need not trust each and every signed product in a derived trust relationship to any and all INRs subordinate to the registry's Trust Anchor, even when the Trust Anchor certificate lists 'all-resources' as subordinate. Following the widely deployed information security principle of least privilege [PRIVSEP], constraining a given Trust Anchor's capacity strictly to what relates to its respective current INR holdings provides some degree of risk reduction for all stakeholders involved.

Consequently, knowing a registry's current resource holdings and knowing that this set of holdings will not change in the near-term future, operators can, following the principle of least privilege, consider applying a restricted-service operating mode towards what otherwise would be an unbounded authority.

The principle of constraining Trust Anchors might be useful when, for example, working with RPKI testbeds [OTE] or with risky Trust Anchors which cover unallocated space with AS0 ROAs [AS0TAL], but also in dealings with publicly-trusted registries.

3.  Constraining Trust Anchors by constraining End-Entity Certificates

As noted in Section 2, publicly-trusted RPKI TA certificates are expected to overclaim in the course of normal operations. However, applying a bespoke implementation of the certification path validation algorithm to CA certificates to prune all possible certificate paths related to INRs not contained within the locally configured Constraints would not be a trivial task. Instead, an alternative and simpler approach operating on EE certificates is proposed.

To constrain a Trust Anchor, the IP address and AS number resources listed in a given EE certificate's [RFC3779] extensions MUST be fully contained within the locally configured union set of IP prefixes, IP address ranges, AS identifiers, and AS identifier ranges for which the Relying Party operator anticipates the Trust Anchor operator to issue cryptographic products. If a given EE certificate's listed resources are not fully contained within the Constraints, the RP should halt processing and consider the EE certificate invalid.

The above described approach applies to all RPKI objects for which an explicit listing of resources is mandated in their respective [RFC3779] extensions; such as BGPsec Router Certificates [RFC8209], ROAs [I-D.ietf-sidrops-rfc6482bis], ASPAs [I-D.ietf-sidrops-aspa-profile], RSCs [RFC9323], and Geofeeds [I-D.ietf-opsawg-9092-update]. The approach has no application in the context of Signed Objects unrelated to INRs (which thus use 'inherit' elements); such as Ghostbusters records [RFC6493], Signed TALs [I-D.ietf-sidrops-signed-tal], and Manifests [RFC9286].

The validation of Constraint containment is a check in addition to all the validation checks specified in [RFC6487], [RFC6488], and each Signed Object's profile specification.

4.  Operational Considerations

When assessing the feasibility of constraining a Trust Anchor's effective signing abilities to the registry's current set of holdings, it is important to take note of existing policies (or lack thereof) and possible future events which might impact the degree of churn in the registry's holdings. Examples are:

*  The ARIN policy development community abandoned a proposal to allow inter-regional IPv6 resource transfers [ARIN-2019-4]. Since it's currently not possible to transfer IPv6 resources from ARIN to any other RIR, ARIN's IANA-allocated IPv6 resources should not appear subordinate to any Trust Anchor other than ARIN's own Trust Anchor.

*  The APNIC policy development community has not developed policy [APNIC-interrir] to support inter-RIR IPv6 transfers.

*  The LACNIC policy development community has not developed policy [LACNIC-interrir] to support inter-RIR IPv6 or ASN transfers.

*  The RIPE NCC policy development community _did_ develop policy [RIPE-interrir] to support inter-RIR IPv6 transfers, but as it is the _only_ community to have done so, inter-RIR transfers are not possible.

*  AFRINIC has not ratified an inter-registry transfer policy [AFPUB-2020-GEN-006-DRAFT03]. The policy proposal indicates implementation is expected to take an additional 12 months after ratification. Since it's not possible to transfer resources into AFRINIC, non-AFRINIC resources should not appear subordinate to AFRINIC's Trust Anchor for the foreseeable future.

*  The RIRs collectively manage only a subset of 0.0.0.0/0 [IANA-IPV4] and 2000::/3 [IANA-IPV6]; and have no authority over any parts of 10.0.0.0/8 [RFC1918], 2001:db8::/32 [RFC3849], and AS 64512 - 65534 [RFC6996], for example. Since it's not possible to transfer private internet allocations, documentation prefixes, or private use ASNs into an RIR's management, such resources should not appear subordinate to any RIR's Trust Anchor.
In recent times IANA has not made allocations from the Current Recovered IPv4 Pool [IANA-RECOVERED], and Autonomous System Number allocations are also fairly infrequent [IANA-ASNS].

The aforementioned observations suggest there is a lot of operational runway to manage and distribute Trust Anchor Constraints in a timely manner. Maintainers of Constraint lists disseminated as part of an operating system or a third-party software package release process would do well to assume a six-month delay for users to update.

5.  Security Considerations

The routing security benefits promised by the RPKI are derived from assuming trust in registry operators to run flawless certification services. Assuming such trust exposes users to some potential for [risks] and adverse actions by Certificate Authorities [RFC8211]. Restricting a Trust Anchor's effective signing abilities to its respective registry's current holdings - rather than assuming unbounded trust in such authorities - is a constructive approach to limit some potential for risk.

6.  References

6.1.  Informative References

[AFPUB-2020-GEN-006-DRAFT03]
   Ehoumi, G. O., Maina, N., and A. A. P. Aina, "AFRINIC Number Resources Transfer Policy (Draft-3)", February 2022.

[APNIC-interrir]
   APNIC, "Transfer of unused IPv4 addresses and/or AS numbers", 2023.

[ARIN-2019-4]
   Snijders, J., Farmer, D., and J. Provo, "Draft Policy ARIN-2019-4: Allow Inter-regional IPv6 Resource Transfers", September 2019.

[AS0TAL]
   APNIC, "Important notes on the APNIC AS0 ROA", 2023.

[I-D.ietf-opsawg-9092-update]
   Bush, R., Candela, M., Kumari, W. A., and R. Housley, "Finding and Using Geofeed Data", Work in Progress, Internet-Draft, draft-ietf-opsawg-9092-update-11, 22 February 2024.
[I-D.ietf-sidrops-aspa-profile]
   Azimov, A., Uskov, E., Bush, R., Snijders, J., Housley, R., and B. Maddison, "A Profile for Autonomous System Provider Authorization", Work in Progress, Internet-Draft, draft-ietf-sidrops-aspa-profile-17, 7 November 2023.

[I-D.ietf-sidrops-rfc6482bis]
   Snijders, J., Maddison, B., Lepinski, M., Kong, D., and S. Kent, "A Profile for Route Origin Authorizations (ROAs)", Work in Progress, Internet-Draft, draft-ietf-sidrops-rfc6482bis-09, 14 December 2023.

[I-D.ietf-sidrops-signed-tal]
   Martínez, C. M., Michaelson, G. G., Harrison, T., Bruijnzeels, T., and R. Austein, "RPKI Signed Object for Trust Anchor Key", Work in Progress, Internet-Draft, draft-ietf-sidrops-signed-tal-15, 9 April 2024.

[I-D.rir-rpki-allres-ta-app-statement]
   Newton, A., Martínez, C. M., Shaw, D., Bruijnzeels, T., and B. Ellacott, "RPKI Multiple "All Resources" Trust Anchors Applicability Statement", Work in Progress, Internet-Draft, draft-rir-rpki-allres-ta-app-statement-02, 18 July 2017.

[IANA-ASNS]
   IANA, "Autonomous System (AS) Numbers", August 2023.

[IANA-IPV4]
   IANA, "IANA IPv4 Address Space Registry", July 2023.

[IANA-IPV6]
   IANA, "IPv6 Global Unicast Address Assignments", November 2019.

[IANA-RECOVERED]
   IANA, "IPv4 Recovered Address Space", March 2019.

[LACNIC-interrir]
   LACNIC, "LACNIC POLICY MANUAL (v2.19 - 22/08/2023)", August 2023.

[OpenBSD]
   de Raadt, T., "The OpenBSD Project", 2023.

[OTE]
   ARIN, "Operational Test and Evaluation (OT&E) Environment", 2023.

[PRIVSEP]
   Obser, F., "Privilege drop, privilege separation, and restricted-service operating mode in OpenBSD".

[RFC1918]
   Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G. J., and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996.

[RFC3779]
   Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP Addresses and AS Identifiers", RFC 3779, DOI 10.17487/RFC3779, June 2004.

[RFC3849]
   Huston, G., Lord, A., and P. Smith, "IPv6 Address Prefix Reserved for Documentation", RFC 3849, DOI 10.17487/RFC3849, July 2004.

[RFC6480]
   Lepinski, M. and S. Kent, "An Infrastructure to Support Secure Internet Routing", RFC 6480, DOI 10.17487/RFC6480, February 2012.

[RFC6481]
   Huston, G., Loomans, R., and G. Michaelson, "A Profile for Resource Certificate Repository Structure", RFC 6481, DOI 10.17487/RFC6481, February 2012.

[RFC6487]
   Huston, G., Michaelson, G., and R. Loomans, "A Profile for X.509 PKIX Resource Certificates", RFC 6487, DOI 10.17487/RFC6487, February 2012.

[RFC6488]
   Lepinski, M., Chi, A., and S. Kent, "Signed Object Template for the Resource Public Key Infrastructure (RPKI)", RFC 6488, DOI 10.17487/RFC6488, February 2012.

[RFC6493]
   Bush, R., "The Resource Public Key Infrastructure (RPKI) Ghostbusters Record", RFC 6493, DOI 10.17487/RFC6493, February 2012.

[RFC6996]
   Mitchell, J., "Autonomous System (AS) Reservation for Private Use", BCP 6, RFC 6996, DOI 10.17487/RFC6996, July 2013.

[RFC8209]
   Reynolds, M., Turner, S., and S. Kent, "A Profile for BGPsec Router Certificates, Certificate Revocation Lists, and Certification Requests", RFC 8209, DOI 10.17487/RFC8209, September 2017.

[RFC8211]
   Kent, S. and D. Ma, "Adverse Actions by a Certification Authority (CA) or Repository Manager in the Resource Public Key Infrastructure (RPKI)", RFC 8211, DOI 10.17487/RFC8211, September 2017.

[RFC9286]
   Austein, R., Huston, G., Kent, S., and M. Lepinski, "Manifests for the Resource Public Key Infrastructure (RPKI)", RFC 9286, DOI 10.17487/RFC9286, June 2022.

[RFC9323]
   Snijders, J., Harrison, T., and B. Maddison, "A Profile for RPKI Signed Checklists (RSCs)", RFC 9323, DOI 10.17487/RFC9323, November 2022.
[RIPE-interrir]
   NCC, R., "Inter-RIR Transfers", February 2023.

[risks]
   Cooper, D., Heilman, E., Brogle, K., Reyzin, L., and S. Goldberg, "On the Risk of Misbehaving RPKI Authorities".

[rpki-client]
   Jeker, C., Snijders, J., Dzonsons, K., and T. Buehler, "rpki-client", July 2023.

Appendix A.  Example listings of Constraints

This section contains examples of Constraints listings related to ARIN & AFRINIC managed INRs, and INRs allocated for private or non-public use. Constraint suggestions are offered specific to each of the five RIR Trust Anchors.

As it's clumsy and error prone to calculate the complement of a block of resources, for efficiency a simple notation in the form of *allow* and *deny* keywords is used to indicate INRs which may or may not appear subordinate to a Trust Anchor (rather than merely using lengthy exhaustive allowlists of what INRs may appear under a given Trust Anchor). Denylist entries (entries prefixed with *deny*) take precedence over allowlist entries (entries prefixed with *allow*). Denylist entries may not overlap with other denylist entries. Allowlist entries may not overlap with other allowlist entries. The ordering of entries is not significant.

Constraints applicable to AFRINIC's Trust Anchor

The below listing is intended to be an exhaustive list of Constraints related to AFRINIC-managed Internet Number Resources. Inter-RIR resource transfers aren't possible into and out of the AFRINIC registry. By placing the below contents in a file named *afrinic.constraints* next to a Trust Anchor Locator file named *afrinic.tal*, the [rpki-client] implementation will consider all End-Entity certificates invalid which list resources not fully contained within the resources listed in the *afrinic.constraints* file.
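Before the listing itself, an added example that is not part of this draft and is not rpki-client's code: a small Python reader for the *allow*/*deny* notation just described, enforcing the no-overlap rules, together with the Section 3 containment check applied to an EE certificate's [RFC3779] resource listing. The constraints text and the EE resource sets are constructed for illustration; the function names and the acceptance of trailing '#' comments are this example's own choices, not rpki-client behaviour.

```python
# Added example, not rpki-client code: Appendix A allow/deny notation parser
# plus the Section 3 containment check for an EE certificate's resources.
import ipaddress
import re

AS_MAX = 4294967295  # largest 32-bit ASN, the top of an 'all-resources' claim

class ConstraintError(ValueError):
    """A malformed or self-contradictory constraints file."""

def parse_entry(text):
    """One resource token -> (kind, first, last); kind is "v4", "v6" or "as".
    Forms as in the appendix: prefix ("41.0.0.0/8", "2c00::/12"), address
    range ("154.65.0.0 - 154.255.255.255"), ASN ("2561"), ASN range ("36864 - 37887")."""
    tok = re.sub(r"\s*-\s*", "-", text.strip())
    if "/" in tok:
        net = ipaddress.ip_network(tok, strict=True)
        return ("v%d" % net.version, int(net.network_address), int(net.broadcast_address))
    lo, _, hi = tok.partition("-")
    hi = hi or lo  # a single ASN or address is a range of one
    if "." in lo or ":" in lo:
        a, b = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if a.version != b.version or a > b:
            raise ConstraintError("bad IP range: %r" % text)
        return ("v%d" % a.version, int(a), int(b))
    if not (lo.isdigit() and hi.isdigit()) or int(lo) > int(hi) or int(hi) > AS_MAX:
        raise ConstraintError("bad AS entry: %r" % text)
    return ("as", int(lo), int(hi))

def _reject_overlaps(keyword, entries):
    """Entries under one keyword may not overlap each other (appendix rule)."""
    by_kind = {}
    for kind, lo, hi in entries:
        by_kind.setdefault(kind, []).append((lo, hi))
    for kind, spans in by_kind.items():
        spans.sort()  # sorted by start, so checking neighbours suffices
        for (_, hi1), (lo2, _) in zip(spans, spans[1:]):
            if lo2 <= hi1:
                raise ConstraintError("%s %s entries overlap" % (keyword, kind))

def parse_constraints(text):
    """Parse a *.constraints file into {"allow": [...], "deny": [...]}.
    '#' starts a comment (trailing comments are accepted here as this
    example's own assumption); entry order is not significant."""
    lists = {"allow": [], "deny": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        if len(parts) != 2 or parts[0] not in lists:
            raise ConstraintError("line %d: expected 'allow <res>' or 'deny <res>'" % lineno)
        lists[parts[0]].append(parse_entry(parts[1]))
    for keyword, entries in lists.items():
        _reject_overlaps(keyword, entries)
    return lists

def _covered(spans, lo, hi):
    """True if [lo, hi] lies inside the union of spans; adjacent allow
    entries (327680-328703 next to 328704-329727) join up."""
    cursor = lo
    for s_lo, s_hi in sorted(spans):
        if s_lo > cursor:
            break  # gap before the next span: not fully covered
        if s_hi >= cursor:
            cursor = s_hi + 1
        if cursor > hi:
            return True
    return cursor > hi

def ee_contained(constraints, resources):
    """Section 3 check for one EE certificate: each RFC 3779 resource (as a
    string in the same notation) must lie inside the allow set and must not
    touch any deny entry (deny takes precedence). False: treat EE as invalid."""
    for res in resources:
        kind, lo, hi = parse_entry(res)
        allow = [(a, b) for k, a, b in constraints["allow"] if k == kind]
        deny = [(a, b) for k, a, b in constraints["deny"] if k == kind]
        if any(a <= hi and b >= lo for a, b in deny) or not _covered(allow, lo, hi):
            return False
    return True

# Constructed sample in the appendix notation; not a real RIR listing.
SAMPLE_CONSTRAINTS = """\
allow 196.0.0.0/8
allow 154.65.0.0 - 154.255.255.255
allow 2c00::/12
allow 327680 - 328703
allow 328704 - 329727
allow 2561
deny 196.1.2.0/24
"""

if __name__ == "__main__":
    c = parse_constraints(SAMPLE_CONSTRAINTS)
    for ee in (["196.2.0.0/16"], ["196.1.0.0/16"], ["328000 - 329000"], ["10.0.0.0/8"]):
        print(ee, "passes" if ee_contained(c, ee) else "invalid: outside Constraints")
```

Two details of the semantics are worth noting. Because deny entries take precedence, an EE certificate whose resources merely overlap a deny entry fails, even when the enclosing allow entry covers everything else (196.0.0.0/8 above fails because of the deny for 196.1.2.0/24). And because the allow set is a union, a resource may span several adjacent allow entries, as an AS range crossing 328703/328704 does; the overlap check only forbids entries that share resources, not entries that touch.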
Snijders & Buehler Expires 19 October 2024 [Page 10] Internet-Draft Constraining RPKI Trust Anchors April 2024 # $OpenBSD: afrinic.constraints,v 1.3 2023/12/19 08:10:19 job Exp $ # From https://www.iana.org/assignments/ipv4-address-space/ allow 41.0.0.0/8 allow 102.0.0.0/8 allow 105.0.0.0/8 allow 154.0.0.0/16 allow 154.16.0.0/16 allow 154.65.0.0 - 154.255.255.255 allow 196.0.0.0 - 196.1.0.255 allow 196.1.4.0/24 allow 196.1.7.0 - 196.1.63.255 allow 196.1.71.0/24 allow 196.1.74.0 - 196.1.103.255 allow 196.1.115.0 - 196.1.133.255 allow 196.1.137.0/24 allow 196.1.143.0 - 196.1.159.255 allow 196.1.176.0 - 196.1.255.255 allow 196.2.2.0/23 allow 196.2.8.0 - 196.2.255.255 allow 196.3.14.0/23 allow 196.3.57.0 - 196.3.64.255 allow 196.3.90.0/24 allow 196.3.92.0 - 196.3.94.255 allow 196.3.96.0/21 allow 196.3.105.0/24 allow 196.3.107.0 - 196.3.131.255 allow 196.3.148.0/22 allow 196.3.154.0 - 196.3.183.255 allow 196.3.224.0 - 196.4.45.255 allow 196.4.71.0 - 196.11.171.255 allow 196.11.174.0 - 196.11.239.255 allow 196.11.248.0/21 allow 196.12.10.0 - 196.12.31.255 allow 196.12.128.0/19 allow 196.12.192.0 - 196.15.15.255 allow 196.15.64.0 - 196.26.255.255 allow 196.27.64.0 - 196.28.47.255 allow 196.28.64.0 - 196.29.63.255 allow 196.29.96.0 - 196.31.255.255 allow 196.32.8.0 - 196.32.31.255 allow 196.32.96.0/19 allow 196.32.160.0 - 196.39.255.255 allow 196.40.96.0 - 196.41.255.255 allow 196.42.64.0 - 196.216.0.255 allow 196.216.2.0 - 197.255.255.255 Snijders & Buehler Expires 19 October 2024 [Page 11] Internet-Draft Constraining RPKI Trust Anchors April 2024 # From https://www.iana.org/assignments/ipv6-address-space/ allow 2001:4200::/23 allow 2c00::/12 # From https://www.iana.org/assignments/as-numbers/ allow 36864 - 37887 allow 327680 - 328703 allow 328704 - 329727 # From https://www.iana.org/assignments/ipv4-recovered-address-space allow 45.96.0.0 - 45.111.255.255 allow 45.192.0.0 - 45.222.255.255 allow 45.240.0.0 - 45.247.255.255 allow 66.251.128.0 - 66.251.191.255 allow 
139.26.0.0 - 139.26.255.255 allow 146.196.128.0 - 146.196.255.255 # 154.16.0.0 - 154.16.255.255 # already contained within 154/8 allow 160.19.36.0 - 160.19.39.255 allow 160.19.60.0 - 160.19.63.255 allow 160.19.96.0 - 160.19.103.255 allow 160.19.112.0 - 160.19.143.255 allow 160.19.152.0 - 160.19.155.255 allow 160.19.188.0 - 160.19.191.255 allow 160.19.192.0 - 160.19.199.255 allow 160.19.232.0 - 160.19.239.255 allow 160.20.24.0 - 160.20.31.255 allow 160.20.112.0 - 160.20.115.255 allow 160.20.213.0 - 160.20.213.255 allow 160.20.217.0 - 160.20.217.255 allow 160.20.221.0 - 160.20.221.255 allow 160.20.226.0 - 160.20.227.255 allow 160.20.252.0 - 160.20.255.255 allow 160.238.11.0 - 160.238.11.255 allow 160.238.48.0 - 160.238.49.255 allow 160.238.50.0 - 160.238.50.255 allow 160.238.57.0 - 160.238.57.255 allow 160.238.101.0 - 160.238.101.255 allow 161.123.0.0 - 161.123.255.255 allow 164.160.0.0 - 164.160.255.255 allow 192.12.110.0 - 192.12.111.255 allow 192.12.116.0 - 192.12.117.255 allow 192.47.36.0 - 192.47.36.255 allow 192.51.240.0 - 192.51.240.255 allow 192.70.200.0 - 192.70.201.255 allow 192.75.236.0 - 192.75.236.255 allow 192.83.208.0 - 192.83.215.255 allow 192.91.200.0 - 192.91.200.255 allow 192.142.0.0 - 192.143.255.255 Snijders & Buehler Expires 19 October 2024 [Page 12] Internet-Draft Constraining RPKI Trust Anchors April 2024 allow 192.145.128.0 - 192.145.191.255 allow 192.145.230.0 - 192.145.230.255 allow 204.8.204.0 - 204.8.207.255 allow 208.85.156.0 - 208.85.159.255 # From https://web.archive.org/web/20131120040037/http://www.ripe.net/lir-services/resource-management/erx/transferred-resources # From https://afrinic.net/fr/library/policies/220-erx-transfer allow 2561 allow 3208 allow 5536 allow 6127 allow 6713 allow 6879 allow 8524 allow 8770 allow 9129 allow 11380 allow 12455 allow 12556 allow 13224 allow 15399 allow 13569 allow 15475 allow 15706 allow 15804 allow 15825 allow 15834 allow 15964 allow 16058 allow 16214 allow 16284 allow 16853 allow 16907 allow 
17652 allow 19676 allow 20294 allow 20484 allow 20858 allow 20928 allow 21003 allow 21152 allow 21242 allow 21271 allow 21278 allow 21280 allow 21391 allow 21452 allow 23549 Snijders & Buehler Expires 19 October 2024 [Page 13] Internet-Draft Constraining RPKI Trust Anchors April 2024 allow 23889 allow 24736 allow 24757 allow 24788 allow 24801 allow 24835 allow 24863 allow 24878 allow 24987 allow 25163 allow 25250 allow 25362 allow 25364 allow 25543 allow 25568 allow 25576 allow 28683 allow 28698 allow 28913 allow 29091 allow 29338 allow 29340 allow 29428 allow 29495 allow 29544 allow 29571 allow 29614 allow 29674 allow 30896 allow 31065 allow 31245 allow 31619 allow 83.143.24.0 - 83.143.31.255 allow 84.205.96.0 - 84.205.127.255 allow 131.176.0.0 - 131.176.255.255 allow 163.121.0.0 - 163.121.255.255 allow 165.231.0.0 - 165.231.255.255 allow 192.52.232.0 - 192.52.232.255 allow 193.17.215.0 - 193.17.215.255 allow 193.19.232.0 - 193.19.235.255 allow 193.41.146.0 - 193.41.147.255 allow 193.108.23.0 - 193.108.23.255 allow 193.108.28.0 - 193.108.28.255 allow 193.109.66.0 - 193.109.67.255 allow 193.110.104.0 - 193.110.105.255 allow 193.194.128.0 - 193.194.128.255 allow 193.227.128.0 - 193.227.128.255 allow 194.9.64.0 - 194.9.65.255 Snijders & Buehler Expires 19 October 2024 [Page 14] Internet-Draft Constraining RPKI Trust Anchors April 2024 allow 194.9.82.0 - 194.9.83.255 allow 195.24.80.0 - 195.24.87.255 allow 195.39.218.0 - 195.39.219.255 allow 195.234.120.0 - 195.234.123.255 allow 195.234.168.0 - 195.234.168.255 allow 195.234.185.0 - 195.234.185.255 allow 195.234.252.0 - 195.234.255.255 # From https://www.ripe.net/participate/internet-governance/internet-technical-community/the-rir-system/afrinic/ripe-ncc-to-afrinic-transition allow 30980 allow 30982 - 30999 # From https://afrinic.net/ast/pdf/afrinic-whois-audit-report-full-20210121.pdf # 12.3 Appendix A3 allow 193.188.7.0/24 allow 193.189.0.0/18 allow 193.189.128.0/24 allow 193.194.160.0/19 allow 193.221.218.0/24 # 
From https://ftp.arin.net/afrinic/afrinic-transfers-by-resource.txt # Feb 21, 2005 allow 1228 - 1232 allow 2018 allow 2905 allow 3067 allow 3068 allow 3741 allow 4178 allow 4571 allow 5713 allow 5734 allow 6083 allow 6089 allow 6149 allow 6180 allow 6187 allow 6351 allow 6529 allow 6560 allow 6968 allow 7020 allow 7154 allow 7231 allow 7390 allow 7420 allow 7460 allow 7971 Snijders & Buehler Expires 19 October 2024 [Page 15] Internet-Draft Constraining RPKI Trust Anchors April 2024 allow 7972 allow 8094 allow 10247 allow 10262 allow 10331 allow 10393 allow 10474 allow 10505 allow 10540 allow 10575 allow 10798 allow 10803 allow 10898 allow 10922 allow 11125 allow 11157 allow 11201 allow 11259 allow 11265 allow 11569 allow 11645 allow 11744 allow 11845 allow 11909 allow 12091 allow 12143 allow 12258 allow 13402 allow 13519 allow 13854 allow 14029 allow 14115 allow 14331 allow 14360 allow 14429 allow 14516 allow 14988 allow 15022 allow 15159 allow 16416 allow 16547 allow 16630 allow 16637 allow 16800 allow 17148 allow 17220 allow 17260 allow 17312 Snijders & Buehler Expires 19 October 2024 [Page 16] Internet-Draft Constraining RPKI Trust Anchors April 2024 allow 17400 allow 18775 allow 18922 allow 18931 allow 19136 allow 19232 allow 19711 allow 19832 allow 19847 allow 20011 allow 20086 allow 20095 allow 20180 allow 20459 allow 21739 allow 21819 allow 22354 allow 22355 allow 22386 allow 22572 allow 22690 allow 22735 allow 22750 allow 22939 allow 23058 allow 25695 allow 25726 allow 25793 allow 25818 allow 26106 allow 26130 allow 26422 allow 26625 allow 26754 allow 27576 allow 27598 allow 29918 allow 29975 allow 30073 allow 30306 allow 30429 allow 30619 allow 31810 allow 31856 allow 31960 allow 32017 allow 32279 allow 32398 Snijders & Buehler Expires 19 October 2024 [Page 17] Internet-Draft Constraining RPKI Trust Anchors April 2024 allow 32437 allow 32653 allow 32714 allow 32717 allow 32842 allow 32860 allow 33567 allow 33579 allow 33762 - 33791 allow 64.57.112.0 - 
64.57.127.255 allow 66.8.0.0 - 66.8.127.255 allow 66.18.64.0 - 66.18.95.255 allow 69.63.64.0 - 69.63.79.255 allow 69.67.32.0 - 69.67.47.255 allow 137.158.0.0 - 137.158.255.255 allow 137.214.0.0 - 137.214.255.255 allow 137.215.0.0 - 137.215.255.255 allow 139.53.0.0 - 139.53.255.255 allow 143.128.0.0 - 143.128.255.255 allow 143.160.0.0 - 143.160.255.255 allow 146.64.0.0 - 146.64.255.255 allow 146.141.0.0 - 146.141.255.255 allow 146.182.0.0 - 146.182.255.255 allow 146.230.0.0 - 146.230.255.255 allow 146.231.0.0 - 146.231.255.255 allow 146.232.0.0 - 146.232.255.255 allow 147.110.0.0 - 147.110.255.255 allow 152.106.0.0 - 152.106.255.255 allow 152.107.0.0 - 152.107.255.255 allow 152.108.0.0 - 152.108.255.255 allow 152.109.0.0 - 152.109.255.255 allow 152.110.0.0 - 152.110.255.255 allow 152.111.0.0 - 152.111.255.255 allow 152.112.0.0 - 152.112.255.255 allow 155.159.0.0 - 155.159.255.255 allow 155.232.0.0 - 155.232.255.255 allow 155.233.0.0 - 155.233.255.255 allow 155.234.0.0 - 155.234.255.255 allow 155.235.0.0 - 155.235.255.255 allow 155.236.0.0 - 155.236.255.255 allow 155.237.0.0 - 155.237.255.255 allow 155.238.0.0 - 155.238.255.255 allow 155.239.0.0 - 155.239.255.255 allow 155.240.0.0 - 155.240.255.255 allow 156.8.0.0 - 156.8.255.255 allow 160.115.0.0 - 160.115.255.255 allow 160.116.0.0 - 160.116.255.255 allow 160.117.0.0 - 160.117.255.255 Snijders & Buehler Expires 19 October 2024 [Page 18] Internet-Draft Constraining RPKI Trust Anchors April 2024 allow 160.118.0.0 - 160.118.255.255 allow 160.119.0.0 - 160.119.255.255 allow 160.120.0.0 - 160.120.255.255 allow 160.121.0.0 - 160.121.255.255 allow 160.122.0.0 - 160.122.255.255 allow 160.123.0.0 - 160.123.255.255 allow 160.124.0.0 - 160.124.255.255 allow 163.195.0.0 - 163.195.255.255 allow 163.196.0.0 - 163.196.255.255 allow 163.197.0.0 - 163.197.255.255 allow 163.198.0.0 - 163.198.255.255 allow 163.199.0.0 - 163.199.255.255 allow 163.200.0.0 - 163.200.255.255 allow 163.201.0.0 - 163.201.255.255 allow 163.202.0.0 - 
163.202.255.255 allow 163.203.0.0 - 163.203.255.255 allow 164.88.0.0 - 164.88.255.255 allow 164.146.0.0 - 164.151.255.255 allow 164.155.0.0 - 164.155.255.255 allow 165.3.0.0 - 165.5.255.255 allow 165.8.0.0 - 165.11.255.255 allow 165.25.0.0 - 165.25.255.255 allow 165.143.0.0 - 165.149.255.255 allow 165.165.0.0 - 165.165.255.255 allow 165.180.0.0 - 165.180.255.255 allow 165.233.0.0 - 165.233.255.255 allow 166.85.0.0 - 166.85.255.255 allow 168.76.0.0 - 168.76.255.255 allow 168.80.0.0 - 168.81.255.255 allow 168.89.0.0 - 168.89.255.255 allow 168.128.0.0 - 168.128.255.255 allow 168.142.0.0 - 168.142.255.255 allow 168.155.0.0 - 168.155.255.255 allow 168.164.0.0 - 168.164.255.255 allow 168.167.0.0 - 168.167.255.255 allow 168.172.0.0 - 168.172.255.255 allow 168.206.0.0 - 168.206.255.255 allow 168.209.0.0 - 168.210.255.255 allow 169.129.0.0 - 169.129.255.255 allow 169.202.0.0 - 169.202.255.255 allow 192.33.10.0 - 192.33.10.255 allow 192.42.99.0 - 192.42.99.255 allow 192.48.253.0 - 192.48.253.255 allow 192.68.138.0 - 192.68.138.255 allow 192.70.237.0 - 192.70.237.255 allow 192.82.142.0 - 192.82.142.255 allow 192.84.244.0 - 192.84.244.255 allow 192.94.61.0 - 192.94.61.255 Snijders & Buehler Expires 19 October 2024 [Page 19] Internet-Draft Constraining RPKI Trust Anchors April 2024 allow 192.94.210.0 - 192.94.210.255 allow 192.94.240.0 - 192.94.240.255 allow 192.94.241.0 - 192.94.241.255 allow 192.94.246.0 - 192.94.246.255 allow 192.96.0.0 - 192.96.255.255 allow 192.100.1.0 - 192.100.1.255 allow 192.101.142.0 - 192.101.142.255 allow 192.102.9.0 - 192.102.9.255 allow 192.133.250.0 - 192.133.250.255 allow 192.136.55.0 - 192.136.55.255 allow 192.136.56.0 - 192.136.56.255 allow 192.136.57.0 - 192.136.57.255 allow 192.157.190.0 - 192.157.190.255 allow 192.188.164.0 - 192.188.167.255 allow 192.189.75.0 - 192.189.75.255 allow 192.189.139.0 - 192.189.140.255 allow 192.231.237.0 - 192.231.237.255 allow 192.231.254.0 - 192.231.254.255 allow 192.245.148.0 - 192.245.148.255 allow 
192.251.202.0 - 192.251.202.255 allow 198.54.0.0 - 198.54.255.255 allow 200.16.8.0 - 200.16.15.255 allow 204.12.128.0 - 204.12.143.255 allow 204.87.179.0 - 204.87.179.255 allow 204.152.14.0 - 204.152.15.255 allow 204.235.32.0 - 204.235.43.255 allow 205.159.79.0 - 205.159.79.255 allow 206.223.136.0 - 206.223.136.255 allow 209.203.0.0 - 209.203.63.255 allow 209.212.96.0 - 209.212.127.255 allow 216.236.176.0 - 216.236.191.255 # From rpki.afrinic.net/repository/04E8B0D80F4D11E0B657D8931367AE7D/apnic-to-afrinic.cer # CN=APNICTOAFRINIC/serialNumber=6F1A103E1427FF03483ABFD9E34DACBE1524FF8B # Not Before: Mar 30 14:17:08 2020 GMT / Not After : Mar 30 00:00:00 2025 GMT # SHA256:B6w5P1mkoNyJtM99GfGLaaKkGfSkQ6+4eC4tPijBLyM= allow 202.123.0.0/19 # From rpki.afrinic.net/repository/04E8B0D80F4D11E0B657D8931367AE7D/ripe-to-afrinic.cer # CN=RIPETOAFRINIC/serialNumber=7F7AC180897983E29E937C0A187803C072755545 # Not Before: Mar 30 14:17:12 2020 GMT / Not After : Mar 30 00:00:00 2025 GMT # SHA256:64eh2w7qQrFQVPaQrRJ4kA83gUgE3EDvm0D0AWHCXHM= allow 62.8.64.0/19 allow 62.12.96.0/19 allow 62.24.96.0/19 allow 62.61.192.0/18 allow 62.68.32.0/19 allow 62.68.224.0/19 Snijders & Buehler Expires 19 October 2024 [Page 20] Internet-Draft Constraining RPKI Trust Anchors April 2024 allow 62.114.0.0/16 allow 62.117.32.0/19 allow 62.135.0.0/17 allow 62.139.0.0/16 allow 62.140.64.0/18 allow 62.173.32.0/19 allow 62.193.64.0/18 allow 62.193.160.0/19 allow 62.240.32.0/19 allow 62.240.96.0/19 allow 62.241.128.0/19 allow 62.251.128.0/17 allow 77.220.0.0/19 allow 80.67.128.0/20 allow 80.72.96.0/20 allow 80.75.160.0/19 allow 80.87.64.0/19 allow 80.88.0.0/20 allow 80.95.0.0/20 allow 80.240.192.0/20 allow 80.246.0.0/20 allow 80.248.0.0/20 allow 80.248.64.0/20 allow 80.249.64.0/20 allow 80.250.32.0/20 allow 81.4.0.0/18 allow 81.10.0.0/17 allow 81.21.96.0/20 allow 81.22.64.0/19 allow 81.26.64.0/20 allow 81.29.96.0/20 allow 81.91.224.0/20 allow 81.192.0.0/16 allow 82.101.128.0/18 allow 82.128.0.0/17 allow 
allow 82.129.128.0/17
allow 82.151.64.0/19
allow 82.201.128.0/17
allow 84.36.0.0/16
allow 84.233.0.0/17
allow 87.255.96.0/19
allow 193.95.0.0/17
allow 193.108.214.0/24
allow 193.108.252.0/22
allow 193.189.64.0 - 193.189.65.255
allow 193.194.1.0 - 193.194.5.255
allow 193.194.32.0 - 193.194.95.255
allow 193.227.0.0/18
allow 194.6.224.0/24
allow 194.79.96.0/19
allow 194.204.192.0/18
allow 195.24.192.0/19
allow 195.43.0.0/19
allow 195.166.224.0/19
allow 195.202.64.0/19
allow 195.246.32.0/19
allow 212.0.128.0/19
allow 212.12.224.0/19
allow 212.22.160.0/19
allow 212.49.64.0/19
allow 212.52.128.0/19
allow 212.60.64.0/19
allow 212.85.192.0/19
allow 212.88.96.0/19
allow 212.96.0.0/19
allow 212.100.64.0/19
allow 212.103.160.0/19
allow 212.122.224.0/19
allow 212.217.0.0/17
allow 213.55.64.0/18
allow 213.131.64.0/19
allow 213.136.96.0/19
allow 213.147.64.0/19
allow 213.150.96.0/19
allow 213.150.160.0 - 213.150.223.255
allow 213.152.64.0/19
allow 213.154.32.0 - 213.154.95.255
allow 213.158.160.0/19
allow 213.172.128.0/19
allow 213.179.160.0/19
allow 213.181.224.0/19
allow 213.193.32.0/19
allow 213.212.192.0/18
allow 213.247.0.0/19
allow 213.255.128.0/19
allow 217.14.80.0/20
allow 217.20.224.0/20
allow 217.21.112.0/20
allow 217.29.128.0/20
allow 217.29.208.0/20
allow 217.52.0.0/14
allow 217.64.96.0/20
allow 217.77.64.0/20
allow 217.78.64.0/20
allow 217.117.0.0/20
allow 217.139.0.0/16
allow 217.170.144.0/20
allow 217.199.144.0/20
# From rpki.afrinic.net/repository/04E8B0D80F4D11E0B657D8931367AE7D/arin-to-afrinic.cer
# CN=ARINTOAFRINIC/serialNumber=B87C5A75F3D957413AB998646946D4541D511455
# Not Before: Mar 30 14:17:09 2020 GMT / Not After : Mar 30 00:00:00 2025 GMT
# SHA256:wmJV3qcwiPcLtEMLBcvvyjs4V1Lz690bK3b8cv5v8F8=
allow 129.0.0.0/16
allow 129.18.0.0/16
allow 129.45.0.0/16
allow 129.56.0.0/16
allow 129.122.0.0/16
allow 129.140.0.0/16
allow 129.205.0.0/16
allow 129.232.0.0/16
allow 137.63.0.0 - 137.64.255.255
allow 137.115.0.0/16
allow 137.171.0.0/16
allow 137.196.0.0/16
allow 137.255.0.0/16
allow 155.0.0.0/16
allow 155.11.0.0 - 155.12.255.255
allow 155.89.0.0/16
allow 155.93.0.0/16
allow 155.196.0.0/16
allow 155.251.0.0/16
allow 155.255.0.0 - 156.0.255.255
allow 156.38.0.0/16
allow 156.155.0.0 - 156.255.255.255
allow 160.0.0.0/16
allow 160.77.0.0/16
allow 160.89.0.0 - 160.90.255.255
allow 160.105.0.0/16
allow 160.113.0.0/16
allow 160.152.0.0/16
allow 160.154.0.0 - 160.179.255.255
allow 160.181.0.0 - 160.184.255.255
allow 160.224.0.0 - 160.226.255.255
allow 160.242.0.0/16
allow 160.255.0.0/16
allow 165.0.0.0/16
allow 165.16.0.0/16
allow 165.49.0.0 - 165.63.255.255
allow 165.73.0.0/16
allow 165.90.0.0/16
allow 165.169.0.0/16
allow 165.210.0.0/15
allow 165.255.0.0/16
allow 168.211.0.0 - 168.211.255.255
allow 168.253.0.0/16
allow 169.0.0.0/15
allow 169.159.0.0/16
allow 169.239.0.0/16
allow 169.255.0.0/16
allow 192.109.242.0/24

Constraints applicable to ARIN's Trust Anchor

The constraints below fall into four groups. IP addresses and ASNs which are not globally unique and are not managed by any RIR (private-use, reserved, documentation and benchmarking space) are not expected to appear subordinate to any publicly-trusted Trust Anchor. LACNIC ASNs cannot be transferred to ARIN. AFRINIC IPv4 addresses and ASNs cannot be transferred to ARIN either. Finally, since inter-RIR transfers involving ARIN may not include IPv6 addresses, ARIN's Trust Anchor is constrained to just its own IANA-allocated IPv6 blocks, whereas IPv4 addresses and ASNs, which ARIN does transfer, are allowed as the complement of what is denied.

By placing the below content in a file named *arin.constraints*, the associated Trust Anchor reachable via *arin.tal* is constrained such that any EE certificate listing private-use INRs, non-ARIN IPv6 blocks, LACNIC or AFRINIC ASNs, or AFRINIC IPv4 superblocks is considered invalid.

# $OpenBSD: arin.constraints,v 1.5 2024/04/17 14:31:59 job Exp $
# From https://www.iana.org/assignments/ipv6-unicast-address-assignments
allow 2001:400::/23
allow 2001:1800::/23
allow 2001:4800::/23
allow 2600::/12
allow 2610::/23
allow 2620::/23
allow 2630::/12
# LACNIC ASNs cannot be transferred to ARIN
# From https://www.iana.org/assignments/as-numbers/as-numbers.xhtml
deny 27648 - 28671
deny 52224 - 53247
deny 61440 - 61951
deny 64099 - 64197
deny 262144 - 273820
# LACNIC ASNs cannot be transferred to ARIN
# From nro-delegated-stats 20240417
deny 278
deny 676
deny 1251
deny 1292
deny 1296
deny 1797
deny 1831
deny 1840
deny 1916
deny 2146
deny 2277
deny 2549
deny 2638
deny 2708
deny 2715 - 2716
deny 2739
deny 2904
deny 3132
deny 3141
deny 3449
deny 3454
deny 3484
deny 3487
deny 3496
deny 3548
deny 3551
deny 3556
deny 3596 - 3597
deny 3603
deny 3631 - 3632
deny 3636
deny 3640
deny 3790
deny 3816
deny 3905
deny 3968
deny 4141
deny 4209
deny 4230
deny 4242
deny 4244
deny 4270
deny 4387
deny 4493
deny 4535
deny 4914
deny 4926
deny 4944
deny 4964
deny 4967
deny 4995
deny 5005
deny 5633
deny 5639
deny 5648
deny 5692
deny 5708
deny 5722
deny 5745
deny 5772
deny 6057
deny 6063 - 6065
deny 6084
deny 6121
deny 6125
deny 6133
deny 6135
deny 6147 - 6148
deny 6193
deny 6240
deny 6306
deny 6332
deny 6342
deny 6400
deny 6429
deny 6458
deny 6471
deny 6487
deny 6495
deny 6503
deny 6505
deny 6535
deny 6543
deny 6545
deny 6568
deny 6590
deny 6927
deny 6945
deny 6957
deny 7002
deny 7004 - 7005
deny 7038
deny 7048 - 7049
deny 7056
deny 7063
deny 7080
deny 7087
deny 7103
deny 7120
deny 7125
deny 7137
deny 7149
deny 7157
deny 7162
deny 7167
deny 7173
deny 7184
deny 7195
deny 7199
deny 7236
deny 7298
deny 7303
deny 7313
deny 7315
deny 7325
deny 7340
deny 7365
deny 7399
deny 7408
deny 7414
deny 7417 - 7418
deny 7428
deny 7437 - 7438
deny 7465
deny 7727
deny 7738
deny 7803
deny 7864
deny 7890
deny 7906
deny 7908
deny 7910
deny 7927
deny 7934
deny 7953
deny 7965
deny 7974
deny 7980
deny 7984
deny 7993 - 7995
deny 7997
deny 8007
deny 8024
deny 8026
deny 8048
deny 8053 - 8056
deny 8065 - 8066
deny 8096
deny 8140 - 8141
deny 8151
deny 8163
deny 8167
deny 8178
deny 10269
deny 10277
deny 10285
deny 10293
deny 10299
deny 10301
deny 10318
deny 10362
deny 10391
deny 10412
deny 10417
deny 10420
deny 10429
deny 10436
deny 10452
deny 10454
deny 10463
deny 10476
deny 10479
deny 10481
deny 10495
deny 10502
deny 10531
deny 10560
deny 10569
deny 10586
deny 10600
deny 10605 - 10606
deny 10617
deny 10620
deny 10624
deny 10630
deny 10640
deny 10649
deny 10670 - 10671
deny 10688
deny 10691
deny 10697
deny 10704
deny 10706
deny 10715
deny 10733
deny 10757
deny 10778
deny 10785
deny 10795
deny 10824
deny 10834
deny 10841
deny 10847
deny 10875
deny 10881
deny 10895
deny 10897
deny 10906
deny 10938
deny 10954
deny 10964
deny 10983
deny 10986
deny 10992
deny 11008
deny 11014
deny 11053
deny 11058
deny 11063
deny 11081
deny 11083
deny 11087
deny 11097
deny 11136
deny 11172
deny 11193
deny 11237
deny 11242
deny 11254
deny 11256
deny 11271
deny 11284
deny 11295
deny 11311
deny 11315
deny 11335
deny 11338
deny 11340
deny 11356
deny 11373
deny 11390
deny 11392
deny 11411
deny 11415
deny 11419
deny 11431 - 11432
deny 11447
deny 11450 - 11451
deny 11497 - 11498
deny 11503
deny 11514
deny 11519
deny 11556
deny 11562
deny 11571
deny 11581
deny 11585
deny 11592
deny 11599
deny 11617
deny 11642
deny 11644
deny 11664
deny 11673
deny 11677
deny 11694
deny 11706
deny 11750 - 11752
deny 11786
deny 11800 - 11802
deny 11815 - 11816
deny 11830
deny 11835
deny 11844
deny 11888
deny 11896
deny 11921
deny 11947
deny 11960
deny 11993
deny 12034
deny 12066
deny 12127
deny 12135 - 12136
deny 12140
deny 12146
deny 12150
deny 12248
deny 12252
deny 12264
deny 13316
deny 13318
deny 13320
deny 13353
deny 13357
deny 13381
deny 13424
deny 13440
deny 13459
deny 13474
deny 13489
deny 13495
deny 13514
deny 13521 - 13522
deny 13544
deny 13579
deny 13584 - 13585
deny 13591
deny 13643
deny 13679
deny 13682
deny 13761
deny 13774
deny 13835
deny 13874
deny 13878
deny 13914
deny 13929
deny 13934 - 13936
deny 13991
deny 13999 - 14000
deny 14026
deny 14030
deny 14069
deny 14080
deny 14084
deny 14087
deny 14111
deny 14117
deny 14122
deny 14178 - 14179
deny 14186 - 14187
deny 14202
deny 14204
deny 14231 - 14232
deny 14234
deny 14249 - 14250
deny 14259
deny 14282
deny 14285 - 14286
deny 14316
deny 14318
deny 14339
deny 14346
deny 14377
deny 14420
deny 14457
deny 14463
deny 14522
deny 14535
deny 14553
deny 14560
deny 14571
deny 14624
deny 14650
deny 14664
deny 14674
deny 14692
deny 14708 - 14709
deny 14723
deny 14754
deny 14759
deny 14769
deny 14795
deny 14840
deny 14845
deny 14867 - 14868
deny 14886
deny 14966
deny 14970
deny 15030
deny 15034
deny 15064
deny 15066
deny 15075
deny 15078
deny 15107
deny 15125
deny 15151
deny 15180
deny 15201
deny 15208
deny 15236
deny 15241
deny 15246
deny 15252
deny 15256
deny 15274
deny 15311
deny 16397
deny 16418
deny 16471
deny 16506
deny 16522
deny 16528
deny 16531
deny 16592
deny 16594
deny 16596
deny 16606 - 16607
deny 16629
deny 16663
deny 16685
deny 16689
deny 16701
deny 16712
deny 16732
deny 16735 - 16736
deny 16742
deny 16762
deny 16772
deny 16780
deny 16814
deny 16847
deny 16849
deny 16864
deny 16874
deny 16885
deny 16891
deny 16906
deny 16911
deny 16960
deny 16973
deny 16975
deny 16990
deny 17069
deny 17072
deny 17079
deny 17086
deny 17108
deny 17126
deny 17147
deny 17182
deny 17205
deny 17208
deny 17222
deny 17249 - 17250
deny 17255
deny 17257
deny 17287
deny 17329
deny 17376
deny 17379
deny 17399
deny 17401
deny 18449
deny 18455
deny 18466
deny 18479
deny 18492
deny 18496
deny 18532
deny 18547
deny 18576
deny 18579
deny 18592
deny 18644
deny 18667
deny 18678
deny 18734
deny 18739
deny 18782
deny 18809
deny 18822
deny 18836
deny 18840
deny 18846
deny 18869
deny 18881
deny 18941
deny 18998
deny 19033
deny 19037 - 19038
deny 19064
deny 19077
deny 19089 - 19090
deny 19109
deny 19114
deny 19132
deny 19169
deny 19180
deny 19182
deny 19192
deny 19196
deny 19200
deny 19228
deny 19244
deny 19259
deny 19278
deny 19315
deny 19332
deny 19338
deny 19361
deny 19373
deny 19411
deny 19422
deny 19429
deny 19447
deny 19519
deny 19553
deny 19582 - 19583
deny 19611
deny 19632
deny 19688
deny 19723
deny 19731
deny 19763
deny 19767
deny 19863
deny 19873
deny 19889
deny 19960
deny 19978
deny 19989 - 19990
deny 20002
deny 20015
deny 20032
deny 20043 - 20044
deny 20106
deny 20116 - 20117
deny 20121
deny 20142
deny 20173
deny 20191
deny 20207
deny 20232
deny 20244
deny 20255 - 20256
deny 20266
deny 20297
deny 20299
deny 20305
deny 20312
deny 20321
deny 20345
deny 20361
deny 20363
deny 20418
deny 21506
deny 21520
deny 21571
deny 21574 - 21575
deny 21578
deny 21590
deny 21599
deny 21603
deny 21612
deny 21614
deny 21674
deny 21692
deny 21741
deny 21753
deny 21756
deny 21765
deny 21768
deny 21824
deny 21826
deny 21838
deny 21862
deny 21883
deny 21888
deny 21911
deny 21917
deny 21980
deny 22010 - 22011
deny 22019
deny 22047
deny 22055
deny 22080
deny 22085
deny 22092
deny 22122
deny 22128 - 22129
deny 22133
deny 22148
deny 22177
deny 22185
deny 22227
deny 22250
deny 22305
deny 22313
deny 22341
deny 22356
deny 22368
deny 22371
deny 22381 - 22382
deny 22407
deny 22411
deny 22431
deny 22453
deny 22501
deny 22508
deny 22515
deny 22529
deny 22541
deny 22548
deny 22566
deny 22628
deny 22661
deny 22678
deny 22689
deny 22698 - 22699
deny 22706
deny 22724
deny 22726
deny 22745
deny 22798
deny 22818 - 22819
deny 22833
deny 22860
deny 22869
deny 22876
deny 22882
deny 22884
deny 22889
deny 22894
deny 22908
deny 22924
deny 22927
deny 22975
deny 23002
deny 23007
deny 23020
deny 23031
deny 23074
deny 23091
deny 23105 - 23106
deny 23113
deny 23128
deny 23140
deny 23201 - 23202
deny 23216
deny 23243
deny 23246
deny 23289
deny 23353
deny 23360
deny 23382 - 23383
deny 23416
deny 23487 - 23488
deny 23495
deny 23541
deny 25607
deny 25620
deny 25701
deny 25705
deny 25718
deny 25734
deny 25812
deny 25832
deny 25908
deny 25927
deny 25933
deny 25998
deny 26048
deny 26061
deny 26090
deny 26104 - 26105
deny 26107
deny 26112
deny 26118 - 26119
deny 26136
deny 26162
deny 26173
deny 26194
deny 26210
deny 26218
deny 26317
deny 26418
deny 26426
deny 26434
deny 26473
deny 26505
deny 26592 - 26596
deny 26598 - 26623
# AFRINIC IPv4 resources cannot be transferred to ARIN
# From https://www.iana.org/assignments/ipv4-address-space/
deny 41.0.0.0/8
deny 102.0.0.0/8
deny 105.0.0.0/8
deny 154.0.0.0/16
deny 154.16.0.0/16
deny 154.65.0.0 - 154.255.255.255
deny 196.0.0.0 - 196.1.0.255
deny 196.1.4.0/24
deny 196.1.7.0 - 196.1.63.255
deny 196.1.71.0/24
deny 196.1.74.0 - 196.1.103.255
deny 196.1.115.0 - 196.1.133.255
deny 196.1.137.0/24
deny 196.1.143.0 - 196.1.159.255
deny 196.1.176.0 - 196.1.255.255
deny 196.2.2.0/23
deny 196.2.8.0 - 196.2.255.255
deny 196.3.14.0/23
deny 196.3.57.0 - 196.3.64.255
deny 196.3.90.0/24
deny 196.3.92.0 - 196.3.94.255
deny 196.3.96.0/21
deny 196.3.105.0/24
deny 196.3.107.0 - 196.3.131.255
deny 196.3.148.0/22
deny 196.3.154.0 - 196.3.183.255
deny 196.3.224.0 - 196.4.45.255
deny 196.4.71.0 - 196.11.171.255
deny 196.11.174.0 - 196.11.239.255
deny 196.11.248.0/21
deny 196.12.10.0 - 196.12.31.255
deny 196.12.128.0/19
deny 196.12.192.0 - 196.15.15.255
deny 196.15.64.0 - 196.26.255.255
deny 196.27.64.0 - 196.28.47.255
deny 196.28.64.0 - 196.29.63.255
deny 196.29.96.0 - 196.31.255.255
deny 196.32.8.0 - 196.32.31.255
deny 196.32.96.0/19
deny 196.32.160.0 - 196.39.255.255
deny 196.40.96.0 - 196.41.255.255
deny 196.42.64.0 - 196.216.0.255
deny 196.216.2.0 - 197.255.255.255
# AFRINIC ASNs cannot be transferred to ARIN
# From https://www.iana.org/assignments/as-numbers/
deny 36864 - 37887
deny 327680 - 328703
deny 328704 - 329727
# AFRINIC ASNs cannot be transferred to ARIN
# From nro-delegated-stats 20240417
deny 1228 - 1232
deny 2018
deny 2561
deny 2905
deny 3067 - 3068
deny 3208
deny 3741
deny 4178
deny 4571
deny 5536
deny 5713
deny 5734
deny 6083
deny 6089
deny 6127
deny 6149
deny 6180
deny 6187
deny 6351
deny 6529
deny 6560
deny 6713
deny 6879
deny 6968
deny 7020
deny 7154
deny 7231
deny 7390
deny 7420
deny 7460
deny 7971 - 7972
deny 8094
deny 8524
deny 8770
deny 9129
deny 10247
deny 10262
deny 10331
deny 10393
deny 10474
deny 10505
deny 10540
deny 10575
deny 10798
deny 10803
deny 10898
deny 11125
deny 11157
deny 11201
deny 11259
deny 11265
deny 11380
deny 11569
deny 11645
deny 11744
deny 11845
deny 11909
deny 12091
deny 12143
deny 12258
deny 12455
deny 12556
deny 13224
deny 13402
deny 13519
deny 13569
deny 13854
deny 14029
deny 14115
deny 14331
deny 14429
deny 14516
deny 14988
deny 15022
deny 15159
deny 15399
deny 15475
deny 15706
deny 15804
deny 15825
deny 15834
deny 15964
deny 16058
deny 16214
deny 16284
deny 16416
deny 16547
deny 16630
deny 16637
deny 16800
deny 16853
deny 16907
deny 17148
deny 17220
deny 17260
deny 17312
deny 17400
deny 17652
deny 18775
deny 18922
deny 18931
deny 19136
deny 19232
deny 19676
deny 19711
deny 19832
deny 19847
deny 20011
deny 20086
deny 20095
deny 20180
deny 20294
deny 20459
deny 20484
deny 20858
deny 20928
deny 21003
deny 21152
deny 21242
deny 21271
deny 21278
deny 21280
deny 21391
deny 21452
deny 21739
deny 21819
deny 22354 - 22355
deny 22386
deny 22572
deny 22690
deny 22735
deny 22750
deny 22939
deny 23058
deny 23549
deny 23889
deny 24736
deny 24757
deny 24788
deny 24801
deny 24835
deny 24863
deny 24878
deny 24987
deny 25163
deny 25250
deny 25362
deny 25364
deny 25543
deny 25568
deny 25576
deny 25695
deny 25726
deny 25793
deny 25818
deny 26106
deny 26130
deny 26422
deny 26625
deny 26754
deny 27576
deny 27598
deny 28683
deny 28698
deny 28913
deny 29091
deny 29338
deny 29340
deny 29428
deny 29495
deny 29544
deny 29571
deny 29614
deny 29674
deny 29918
deny 29975
deny 30073
deny 30306
deny 30429
deny 30619
deny 30896
deny 30980
deny 30982 - 30999
deny 31065
deny 31245
deny 31619
deny 31810
deny 31856
deny 31960
deny 32017
deny 32279
deny 32398
deny 32437
deny 32653
deny 32714
deny 32717
deny 32842
deny 32860
deny 33567
deny 33579
deny 33762 - 33791
# Private use IPv4 & IPv6 addresses and ASNs
deny 0.0.0.0/8 # RFC 1122 Local Identification
deny 10.0.0.0/8 # RFC 1918 private space
deny 100.64.0.0/10 # RFC 6598 Carrier Grade NAT
deny 127.0.0.0/8 # RFC 1122 localhost
deny 169.254.0.0/16 # RFC 3927 link local
deny 172.16.0.0/12 # RFC 1918 private space
deny 192.0.2.0/24 # RFC 5737 TEST-NET-1
deny 192.88.99.0/24 # RFC 7526 6to4 anycast relay
deny 192.168.0.0/16 # RFC 1918 private space
deny 198.18.0.0/15 # RFC 2544 benchmarking
deny 198.51.100.0/24 # RFC 5737 TEST-NET-2
deny 203.0.113.0/24 # RFC 5737 TEST-NET-3
deny 224.0.0.0/4 # Multicast
deny 240.0.0.0/4 # Reserved
deny 23456 # RFC 4893 AS_TRANS
deny 64496 - 64511 # RFC 5398
deny 64512 - 65534 # RFC 6996
deny 65535 # RFC 7300
deny 65536 - 65551 # RFC 5398
deny 65552 - 131071 # IANA Reserved
deny 4200000000 - 4294967294 # RFC 6996
deny 4294967295 # RFC 7300
# ARIN supports IPv4 and ASN transfers: allow the complement of what is denied
allow 0.0.0.0/0
allow 1 - 4199999999

Constraints applicable to APNIC's Trust Anchor

ARIN, LACNIC, and RIPE NCC IPv6 resources cannot be transferred to APNIC, so only APNIC IPv6 resources should appear subordinate to APNIC's Trust Anchor. Private-use INRs are not managed by any RIR, LACNIC ASNs cannot be transferred to APNIC, and AFRINIC resources of any type cannot be transferred to or from any other RIR. The below constraints can therefore be applied to APNIC's Trust Anchor.
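Both the arin.constraints listing above and the apnic.constraints listing that follows depend on the same evaluation rule: an EE certificate's resources are rejected if they overlap any deny entry, IPv6 is restricted to the listed allow entries, and IPv4 and ASNs are allowed as the complement of what is denied. The Python program below is an added example, not code from rpki-client or from this document. It parses the four entry forms used in these listings (prefix, address range, single ASN, ASN range) plus '#' comments, and applies that rule to a list of resources. The constraints text embedded in it is a constructed excerpt, and treating an address family with no allow entries as unrestricted is an assumption of the example, not documented rpki-client behaviour.

```python
"""Parse an rpki-client style constraints file and apply it to the INRs of an
EE certificate.  Added illustration, not code from rpki-client or this draft.

Rule implemented (the one the listings rely on, cf. the arin.constraints
comment "allow the complement of what is denied"): a resource overlapping any
deny entry fails; otherwise, when allow entries exist for its type (IPv4, IPv6
or ASN), it must be fully covered by one of them.  A type with no allow entries
is treated as unrestricted; that is an assumption of this example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    kind: str   # "ip4", "ip6" or "asn"
    lo: int     # first address or ASN, as an integer
    hi: int     # last address or ASN, inclusive


def parse_entry(spec: str) -> Entry:
    """'2600::/12', '10.0.0.0 - 10.255.255.255', '23456' or '1 - 4199999999' -> Entry."""
    spec = spec.strip()
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=True)   # host bits set is a config error
        return Entry(f"ip{net.version}", int(net.network_address), int(net.broadcast_address))
    parts = [p.strip() for p in spec.split("-")]
    if len(parts) == 1:
        parts = parts * 2                               # single address or ASN
    if len(parts) != 2:
        raise ValueError(f"malformed entry: {spec!r}")
    if "." in spec or ":" in spec:
        lo, hi = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1])
        if lo.version != hi.version:
            raise ValueError(f"mixed address families: {spec!r}")
        entry = Entry(f"ip{lo.version}", int(lo), int(hi))
    else:
        entry = Entry("asn", int(parts[0]), int(parts[1]))
    if entry.lo > entry.hi:
        raise ValueError(f"inverted range: {spec!r}")
    return entry


def parse_constraints(text: str):
    """Return (allow, deny) Entry lists from the text of a .constraints file."""
    allow, deny = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()             # drop comments and blank lines
        if not line:
            continue
        fields = line.split(None, 1)
        if len(fields) != 2 or fields[0] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: expected 'allow <inr>' or 'deny <inr>': {raw!r}")
        (allow if fields[0] == "allow" else deny).append(parse_entry(fields[1]))
    return allow, deny


def overlaps(a: Entry, b: Entry) -> bool:
    return a.kind == b.kind and a.lo <= b.hi and b.lo <= a.hi


def covers(outer: Entry, inner: Entry) -> bool:
    return outer.kind == inner.kind and outer.lo <= inner.lo and inner.hi <= outer.hi


def check_resources(resources, allow, deny):
    """Return (resource, reason) violations; an empty list means the resources pass."""
    violations = []
    for res in resources:
        hit = next((d for d in deny if overlaps(d, res)), None)
        if hit is not None:                             # deny takes precedence over allow
            violations.append((res, f"overlaps deny {hit.lo}-{hit.hi}"))
            continue
        allow_same_kind = [a for a in allow if a.kind == res.kind]
        if allow_same_kind and not any(covers(a, res) for a in allow_same_kind):
            violations.append((res, "not covered by any allow entry"))
    return violations


def evaluate(constraints_text: str, resource_specs):
    """Parse a constraints file and a list of INR strings; return the violations."""
    allow, deny = parse_constraints(constraints_text)
    return check_resources([parse_entry(s) for s in resource_specs], allow, deny)


# Constructed excerpt in the style of arin.constraints, not the full file.
SAMPLE_CONSTRAINTS = """\
allow 2001:400::/23
allow 2600::/12
deny 27648 - 28671      # LACNIC ASN block, cannot be transferred to ARIN
deny 41.0.0.0/8         # AFRINIC IPv4, cannot be transferred to ARIN
deny 10.0.0.0/8         # RFC 1918 private space
deny 64512 - 65534      # RFC 6996 private-use ASNs
allow 0.0.0.0/0         # ARIN transfers IPv4: complement of what is denied
allow 1 - 4199999999
"""

if __name__ == "__main__":
    for specs in (["2600:1::/32", "45.0.0.0/16", "7018"],   # all in scope
                  ["2001:db8::/32"],                        # IPv6 outside ARIN's blocks
                  ["28000"],                                # LACNIC ASN
                  ["0.0.0.0/0"]):                           # over-claim overlapping a deny
        print(specs, "->", evaluate(SAMPLE_CONSTRAINTS, specs) or "OK")
```

The last case is the one worth noticing: an EE certificate claiming 0.0.0.0/0 is rejected even though "allow 0.0.0.0/0" is present, because the claim overlaps the AFRINIC and RFC 1918 deny entries, which is exactly how the listings bound a Trust Anchor that is otherwise permitted to sign for any IPv4 space.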
By placing the below content in a file named *apnic.constraints*, the associated Trust Anchor reachable via *apnic.tal* is constrained such that any EE certificates or Signed Objects related to out-of-scope resources are considered invalid.

# $OpenBSD: apnic.constraints,v 1.6 2024/04/17 14:31:59 job Exp $
# From https://www.iana.org/assignments/ipv6-unicast-address-assignments
allow 2001:200::/23
allow 2001:c00::/23
allow 2001:e00::/23
allow 2001:4400::/23
allow 2001:8000::/19
allow 2001:a000::/20
allow 2001:b000::/20
allow 2400::/12
# IX Assignments
allow 2001:7fa::/32
# LACNIC ASNs cannot be transferred to APNIC
# From https://www.iana.org/assignments/as-numbers/as-numbers.xhtml
deny 27648 - 28671
deny 52224 - 53247
deny 61440 - 61951
deny 64099 - 64197
deny 262144 - 273820
# LACNIC ASNs cannot be transferred to APNIC
# From nro-delegated-stats 20240417
deny 278
deny 676
deny 1251
deny 1292
deny 1296
deny 1797
deny 1831
deny 1840
deny 1916
deny 2146
deny 2277
deny 2549
deny 2638
deny 2708
deny 2715 - 2716
deny 2739
deny 2904
deny 3132
deny 3141
deny 3449
deny 3454
deny 3484
deny 3487
deny 3496
deny 3548
deny 3551
deny 3556
deny 3596 - 3597
deny 3603
deny 3631 - 3632
deny 3636
deny 3640
deny 3790
deny 3816
deny 3905
deny 3968
deny 4141
deny 4209
deny 4230
deny 4242
deny 4244
deny 4270
deny 4387
deny 4493
deny 4535
deny 4914
deny 4926
deny 4944
deny 4964
deny 4967
deny 4995
deny 5005
deny 5633
deny 5639
deny 5648
deny 5692
deny 5708
deny 5722
deny 5745
deny 5772
deny 6057
deny 6063 - 6065
deny 6084
deny 6121
deny 6125
deny 6133
deny 6135
deny 6147 - 6148
deny 6193
deny 6240
deny 6306
deny 6332
deny 6342
deny 6400
deny 6429
deny 6458
deny 6471
deny 6487
deny 6495
deny 6503
deny 6505
deny 6535
deny 6543
deny 6545
deny 6568
deny 6590
deny 6927
deny 6945
deny 6957
deny 7002
deny 7004 - 7005
deny 7038
deny 7048 - 7049
deny 7056
deny 7063
deny 7080
deny 7087
deny 7103
deny 7120
deny 7125
deny 7137
deny 7149
deny 7157
deny 7162
deny 7167
deny 7173
deny 7184
deny 7195
deny 7199
deny 7236
deny 7298
deny 7303
deny 7313
deny 7315
deny 7325
deny 7340
deny 7365
deny 7399
deny 7408
deny 7414
deny 7417 - 7418
deny 7428
deny 7437 - 7438
deny 7465
deny 7727
deny 7738
deny 7803
deny 7864
deny 7890
deny 7906
deny 7908
deny 7910
deny 7927
deny 7934
deny 7953
deny 7965
deny 7974
deny 7980
deny 7984
deny 7993 - 7995
deny 7997
deny 8007
deny 8024
deny 8026
deny 8048
deny 8053 - 8056
deny 8065 - 8066
deny 8096
deny 8140 - 8141
deny 8151
deny 8163
deny 8167
deny 8178
deny 10269
deny 10277
deny 10285
deny 10293
deny 10299
deny 10301
deny 10318
deny 10362
deny 10391
deny 10412
deny 10417
deny 10420
deny 10429
deny 10436
deny 10452
deny 10454
deny 10463
deny 10476
deny 10479
deny 10481
deny 10495
deny 10502
deny 10531
deny 10560
deny 10569
deny 10586
deny 10600
deny 10605 - 10606
deny 10617
deny 10620
deny 10624
deny 10630
deny 10640
deny 10649
deny 10670 - 10671
deny 10688
deny 10691
deny 10697
deny 10704
deny 10706
deny 10715
deny 10733
deny 10757
deny 10778
deny 10785
deny 10795
deny 10824
deny 10834
deny 10841
deny 10847
deny 10875
deny 10881
deny 10895
deny 10897
deny 10906
deny 10938
deny 10954
deny 10964
deny 10983
deny 10986
deny 10992
deny 11008
deny 11014
deny 11053
deny 11058
deny 11063
deny 11081
deny 11083
deny 11087
deny 11097
deny 11136
deny 11172
deny 11193
deny 11237
deny 11242
deny 11254
deny 11256
deny 11271
deny 11284
deny 11295
deny 11311
deny 11315
deny 11335
deny 11338
deny 11340
deny 11356
deny 11373
deny 11390
deny 11392
deny 11411
deny 11415
deny 11419
deny 11431 - 11432
deny 11447
deny 11450 - 11451
deny 11497 - 11498
deny 11503
deny 11514
deny 11519
deny 11556
deny 11562
deny 11571
deny 11581
deny 11585
deny 11592
deny 11599
deny 11617
deny 11642
deny 11644
deny 11664
deny 11673
deny 11677
deny 11694
deny 11706
deny 11750 - 11752
deny 11786
deny 11800 - 11802
deny 11815 - 11816
deny 11830
deny 11835
deny 11844
deny 11888
deny 11896
deny 11921
deny 11947
deny 11960
deny 11993
deny 12034
deny 12066
deny 12127
deny 12135 - 12136
deny 12140
deny 12146
deny 12150
deny 12248
deny 12252
deny 12264
deny 13316
deny 13318
deny 13320
deny 13353
deny 13357
deny 13381
deny 13424
deny 13440
deny 13459
deny 13474
deny 13489
deny 13495
deny 13514
deny 13521 - 13522
deny 13544
deny 13579
deny 13584 - 13585
deny 13591
deny 13643
deny 13679
deny 13682
deny 13761
deny 13774
deny 13835
deny 13874
deny 13878
deny 13914
deny 13929
deny 13934 - 13936
deny 13991
deny 13999 - 14000
deny 14026
deny 14030
deny 14069
deny 14080
deny 14084
deny 14087
deny 14111
deny 14117
deny 14122
deny 14178 - 14179
deny 14186 - 14187
deny 14202
deny 14204
deny 14231 - 14232
deny 14234
deny 14249 - 14250
deny 14259
deny 14282
deny 14285 - 14286
deny 14316
deny 14318
deny 14339
deny 14346
deny 14377
deny 14420
deny 14457
deny 14463
deny 14522
deny 14535
deny 14553
deny 14560
deny 14571
deny 14624
deny 14650
deny 14664
deny 14674
deny 14692
deny 14708 - 14709
deny 14723
deny 14754
deny 14759
deny 14769
deny 14795
deny 14840
deny 14845
deny 14867 - 14868
deny 14886
deny 14966
deny 14970
deny 15030
deny 15034
deny 15064
deny 15066
deny 15075
deny 15078
deny 15107
deny 15125
deny 15151
deny 15180
deny 15201
deny 15208
deny 15236
deny 15241
deny 15246
deny 15252
deny 15256
deny 15274
deny 15311
deny 16397
deny 16418
deny 16471
deny 16506
deny 16522
deny 16528
deny 16531
deny 16592
deny 16594
deny 16596
deny 16606 - 16607
deny 16629
deny 16663
deny 16685
deny 16689
deny 16701
deny 16712
deny 16732
deny 16735 - 16736
deny 16742
deny 16762
deny 16772
deny 16780
deny 16814
deny 16847
deny 16849
deny 16864
deny 16874
deny 16885
deny 16891
deny 16906
deny 16911
deny 16960
deny 16973
deny 16975
deny 16990
deny 17069
deny 17072
deny 17079
deny 17086
deny 17108
deny 17126
deny 17147
deny 17182
deny 17205
deny 17208
deny 17222
deny 17249 - 17250
deny 17255
deny 17257
deny 17287
deny 17329
deny 17376
deny 17379
deny 17399
deny 17401
deny 18449
deny 18455
deny 18466
deny 18479
deny 18492
deny 18496
deny 18532
deny 18547
deny 18576
deny 18579
deny 18592
deny 18644
deny 18667
deny 18678
deny 18734
deny 18739
deny 18782
deny 18809
deny 18822
deny 18836
deny 18840
deny 18846
deny 18869
deny 18881
deny 18941
deny 18998
deny 19033
deny 19037 - 19038
deny 19064
deny 19077
deny 19089 - 19090
deny 19109
deny 19114
deny 19132
deny 19169
deny 19180
deny 19182
deny 19192
deny 19196
deny 19200
deny 19228
deny 19244
deny 19259
deny 19278
deny 19315
deny 19332
deny 19338
deny 19361
deny 19373
deny 19411
deny 19422
deny 19429
deny 19447
deny 19519
deny 19553
deny 19582 - 19583
deny 19611
deny 19632
deny 19688
deny 19723
deny 19731
deny 19763
deny 19767
deny 19863
deny 19873
deny 19889
deny 19960
deny 19978
deny 19989 - 19990
deny 20002
deny 20015
deny 20032
deny 20043 - 20044
deny 20106
deny 20116 - 20117
deny 20121
deny 20142
deny 20173
deny 20191
deny 20207
deny 20232
deny 20244
deny 20255 - 20256
deny 20266
deny 20297
deny 20299
deny 20305
deny 20312
deny 20321
deny 20345
deny 20361
deny 20363
deny 20418
deny 21506
deny 21520
deny 21571
deny 21574 - 21575
deny 21578
deny 21590
deny 21599
deny 21603
deny 21612
deny 21614
deny 21674
deny 21692
deny 21741
deny 21753
deny 21756
deny 21765
deny 21768
deny 21824
deny 21826
deny 21838
deny 21862
deny 21883
deny 21888
deny 21911
deny 21917
deny 21980
deny 22010 - 22011
deny 22019
deny 22047
deny 22055
deny 22080
deny 22085
deny 22092
deny 22122
deny 22128 - 22129
deny 22133
deny 22148
deny 22177
deny 22185
deny 22227
deny 22250
deny 22305
deny 22313
deny 22341
deny 22356
deny 22368
deny 22371
deny 22381 - 22382
deny 22407
deny 22411
deny 22431
deny 22453
deny 22501
deny 22508
deny 22515
deny 22529
deny 22541
deny 22548
deny 22566
deny 22628
deny 22661
deny 22678
deny 22689
deny 22698 - 22699
deny 22706
deny 22724
deny 22726
deny 22745
deny 22798
deny 22818 - 22819
deny 22833
deny 22860
deny 22869
deny 22876
deny 22882
deny 22884
deny 22889
deny 22894
deny 22908
deny 22924
deny 22927
deny 22975
deny 23002
deny 23007
deny 23020
deny 23031
deny 23074
deny 23091
deny 23105 - 23106
deny 23113
deny 23128
deny 23140
deny 23201 - 23202
deny 23216
deny 23243
deny 23246
deny 23289
deny 23353
deny 23360
deny 23382 - 23383
deny 23416
deny 23487 - 23488
deny 23495
deny 23541
deny 25607
deny 25620
deny 25701
deny 25705
deny 25718
deny 25734
deny 25812
deny 25832
deny 25908
deny 25927
deny 25933
deny 25998
deny 26048
deny 26061
deny 26090
deny 26104 - 26105
deny 26107
deny 26112
deny 26118 - 26119
deny 26136
deny 26162
deny 26173
deny 26194
deny 26210
deny 26218
deny 26317
deny 26418
deny 26426
deny 26434
deny 26473
deny 26505
deny 26592 - 26596
deny 26598 - 26623
# AFRINIC IPv4 resources cannot be transferred to APNIC
# From https://www.iana.org/assignments/ipv4-address-space/
deny 41.0.0.0/8
deny 102.0.0.0/8
deny 105.0.0.0/8
deny 154.0.0.0/16
deny 154.16.0.0/16
deny 154.65.0.0 - 154.255.255.255
deny 196.0.0.0 - 196.1.0.255
deny 196.1.4.0/24
deny 196.1.7.0 - 196.1.63.255
deny 196.1.71.0/24
deny 196.1.74.0 - 196.1.103.255
deny 196.1.115.0 - 196.1.133.255
deny 196.1.137.0/24
deny 196.1.143.0 - 196.1.159.255
deny 196.1.176.0 - 196.1.255.255
deny 196.2.2.0/23
deny 196.2.8.0 - 196.2.255.255
deny 196.3.14.0/23
deny 196.3.57.0 - 196.3.64.255
deny 196.3.90.0/24
deny 196.3.92.0 - 196.3.94.255
deny 196.3.96.0/21
deny 196.3.105.0/24
deny 196.3.107.0 - 196.3.131.255
deny 196.3.148.0/22
deny 196.3.154.0 - 196.3.183.255
deny 196.3.224.0 - 196.4.45.255
deny 196.4.71.0 - 196.11.171.255
deny 196.11.174.0 - 196.11.239.255
deny 196.11.248.0/21
deny 196.12.10.0 - 196.12.31.255
deny 196.12.128.0/19
deny 196.12.192.0 - 196.15.15.255
deny 196.15.64.0 - 196.26.255.255
deny 196.27.64.0 - 196.28.47.255
deny 196.28.64.0 - 196.29.63.255
deny 196.29.96.0 - 196.31.255.255
deny 196.32.8.0 - 196.32.31.255
deny 196.32.96.0/19
deny 196.32.160.0 - 196.39.255.255
deny 196.40.96.0 - 196.41.255.255
deny 196.42.64.0 - 196.216.0.255
deny 196.216.2.0 - 197.255.255.255
# AFRINIC ASNs cannot be transferred to APNIC
# From https://www.iana.org/assignments/as-numbers/
deny 36864 - 37887
deny 327680 - 328703
deny 328704 - 329727
# AFRINIC ASNs cannot be transferred to APNIC
# From nro-delegated-stats 20240417
deny 1228 - 1232
deny 2018
deny 2561
deny 2905
deny 3067 - 3068
deny 3208
deny 3741
deny 4178
deny 4571
deny 5536
deny 5713
deny 5734
deny 6083
deny 6089
deny 6127
deny 6149
deny 6180
deny 6187
deny 6351
deny 6529
deny 6560
deny 6713
deny 6879
deny 6968
deny 7020
deny 7154
deny 7231
deny 7390
deny 7420
deny 7460
deny 7971 - 7972
deny 8094
deny 8524
deny 8770
deny 9129
deny 10247
deny 10262
deny 10331
deny 10393
deny 10474
deny 10505
deny 10540
deny 10575
deny 10798
deny 10803
deny 10898
deny 11125
deny 11157
deny 11201
deny 11259
deny 11265
deny 11380
deny 11569
deny 11645
deny 11744
deny 11845
deny 11909
deny 12091
deny 12143
deny 12258
deny 12455
deny 12556
deny 13224
deny 13402
deny 13519
deny 13569
deny 13854
deny 14029
deny 14115
deny 14331
deny 14429
deny 14516
deny 14988
deny 15022
deny 15159
deny 15399
deny 15475
deny 15706
deny 15804
deny 15825
deny 15834
deny 15964
deny 16058
deny 16214
deny 16284
deny 16416
deny 16547
deny 16630
deny 16637
deny 16800
deny 16853
deny 16907
deny 17148
deny 17220
deny 17260
deny 17312
deny 17400
deny 17652
deny 18775
deny 18922
deny 18931
deny 19136
deny 19232
deny 19676
deny 19711
deny 19832
deny 19847
deny 20011
deny 20086
deny 20095
deny 20180
deny 20294
deny 20459
deny 20484
deny 20858
deny 20928
deny 21003
deny 21152
deny 21242
deny 21271
deny 21278
deny 21280
deny 21391
deny 21452
deny 21739
deny 21819
deny 22354 - 22355
deny 22386
deny 22572
deny 22690
deny 22735
deny 22750
deny 22939
deny 23058
deny 23549
deny 23889
deny 24736
deny 24757
deny 24788
deny 24801
deny 24835
deny 24863
deny 24878
deny 24987
deny 25163
deny 25250
deny 25362
deny 25364
deny 25543
deny 25568
deny 25576
deny 25695
deny 25726
deny 25793
deny 25818
deny 26106
deny 26130
deny 26422
deny 26625
deny 26754
deny 27576
27598 deny 28683 deny 28698 deny 28913 deny 29091 deny 29338 deny 29340 deny 29428 deny 29495 deny 29544 deny 29571 deny 29614 deny 29674 deny 29918 deny 29975 deny 30073 deny 30306 deny 30429 deny 30619 deny 30896 deny 30980 deny 30982 - 30999 deny 31065 deny 31245 deny 31619 deny 31810 deny 31856 deny 31960 deny 32017 deny 32279 Snijders & Buehler Expires 19 October 2024 [Page 64] Internet-Draft Constraining RPKI Trust Anchors April 2024 deny 32398 deny 32437 deny 32653 deny 32714 deny 32717 deny 32842 deny 32860 deny 33567 deny 33579 deny 33762 - 33791 # Private use IPv4 & IPv6 addresses and ASNs deny 0.0.0.0/8 # RFC 1122 Local Identification deny 10.0.0.0/8 # RFC 1918 private space deny 100.64.0.0/10 # RFC 6598 Carrier Grade NAT deny 127.0.0.0/8 # RFC 1122 localhost deny 169.254.0.0/16 # RFC 3927 link local deny 172.16.0.0/12 # RFC 1918 private space deny 192.0.2.0/24 # RFC 5737 TEST-NET-1 deny 192.88.99.0/24 # RFC 7526 6to4 anycast relay deny 192.168.0.0/16 # RFC 1918 private space deny 198.18.0.0/15 # RFC 2544 benchmarking deny 198.51.100.0/24 # RFC 5737 TEST-NET-2 deny 203.0.113.0/24 # RFC 5737 TEST-NET-3 deny 224.0.0.0/4 # Multicast deny 240.0.0.0/4 # Reserved deny 23456 # RFC 4893 AS_TRANS deny 64496 - 64511 # RFC 5398 deny 64512 - 65534 # RFC 6996 deny 65535 # RFC 7300 deny 65536 - 65551 # RFC 5398 deny 65552 - 131071 # IANA Reserved deny 4200000000 - 4294967294 # RFC 6996 deny 4294967295 # RFC 7300 # APNIC supports IPv4 and ASN transfers: allow the complement of what is denied allow 0.0.0.0/0 allow 1 - 4199999999 Constraints applicable to LACNIC's Trust Anchor Given that Autonomous System Numbers & IPv6 resources cannot be transferred from ARIN, APNIC, and RIPE NCC to LACNIC, only LACNIC ASNs & IPv6 resources should appear subordinate to LACNIC's Trust Anchor, private use INRs are not managed by any RIR, and AFRINIC resources of any type cannot be transferred to and from any other RIR; the below constraints can be applied to LACNIC Trust Anchor. 
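An evaluator for this constraints syntax, added here as an example and not part of the draft or of rpki-client: it parses allow/deny entries (prefixes, "A - B" address ranges, ASNs and ASN ranges, trailing # comments) and checks one EE certificate's resources against them. The evaluation order is an assumption modelled on the listings in this appendix (any overlap with a deny entry rejects; otherwise each resource must be fully covered by an allow entry of its kind), and the sample constraints file is constructed, not the real lacnic.constraints.

```python
"""Check EE certificate resources against a constraints file of allow/deny entries.

Added example, not rpki-client's own code.  Evaluation order is an assumption
modelled on the listings in this draft: a resource overlapping any deny entry
is rejected; otherwise, if allow entries exist for the resource's kind
(ipv4, ipv6, asn), the resource must be fully covered by one of them.
"""
import ipaddress


def _parse_resource(text):
    """Turn 'A - B', a bare ASN, or a prefix into (kind, lo, hi) with inclusive integer bounds."""
    text = text.strip()
    if " - " in text:
        a, b = (p.strip() for p in text.split(" - ", 1))
        if a.isdigit():                       # ASN range, e.g. "27648 - 28671"
            lo, hi = int(a), int(b)
            if lo > hi:
                raise ValueError(f"bad ASN range: {text}")
            return ("asn", lo, hi)
        lo, hi = ipaddress.ip_address(a), ipaddress.ip_address(b)   # address range
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad address range: {text}")
        return (f"ipv{lo.version}", int(lo), int(hi))
    if text.isdigit():                        # single ASN
        return ("asn", int(text), int(text))
    net = ipaddress.ip_network(text, strict=True)   # prefix, e.g. "2800::/12"
    return (f"ipv{net.version}", int(net.network_address), int(net.broadcast_address))


def parse_constraints(text):
    """Parse constraints-file text into {'allow': [...], 'deny': [...]} of (kind, lo, hi)."""
    rules = {"allow": [], "deny": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        verb, _, rest = line.partition(" ")
        if verb not in rules or not rest.strip():
            raise ValueError(f"line {lineno}: unrecognised entry {raw!r}")
        rules[verb].append(_parse_resource(rest))
    return rules


def _overlaps(r, e):
    return r[0] == e[0] and r[1] <= e[2] and e[1] <= r[2]


def _covered(r, e):
    return r[0] == e[0] and e[1] <= r[1] and r[2] <= e[2]


def check_resources(rules, resources):
    """Return (valid, reason) for the resource strings carried by one EE certificate."""
    allowed_kinds = {kind for kind, _, _ in rules["allow"]}
    for text in resources:
        r = _parse_resource(text)
        # deny wins over allow: this is why "deny 10.0.0.0/8" still bites under "allow 0.0.0.0/0"
        if any(_overlaps(r, e) for e in rules["deny"]):
            return False, f"{text} overlaps a deny entry"
        # when the kind is constrained by allow entries, partial coverage is not enough
        if r[0] in allowed_kinds and not any(_covered(r, e) for e in rules["allow"]):
            return False, f"{text} is not covered by any allow entry"
    return True, "all resources within the Trust Anchor's constrained scope"


# Constructed sample modelled on the lacnic.constraints listing (not the full file).
SAMPLE_CONSTRAINTS = """\
# IANA-derived allow entries
allow 2800::/12
allow 27648 - 28671
# private use and non-transferable space, denied even though 0.0.0.0/0 is allowed below
deny 10.0.0.0/8          # RFC 1918 private space
deny 203.0.113.0/24      # RFC 5737 TEST-NET-3
deny 41.0.0.0/8          # AFRINIC, cannot be transferred
# IPv4 transfers are possible: allow the complement of what is denied
allow 0.0.0.0/0
"""

RULES = parse_constraints(SAMPLE_CONSTRAINTS)

if __name__ == "__main__":
    for cert in (["2800:1::/32", "28000"], ["192.0.2.0/24"], ["10.1.0.0/16"],
                 ["2001:db8::/32"], ["27648 - 28700"], ["65000"]):
        print(cert, check_resources(RULES, cert))
```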
By placing the content below in a file named *lacnic.constraints*, the Trust Anchor reachable via *lacnic.tal* is constrained such that any EE certificates or Signed Objects covering out-of-scope resources are considered invalid.

   # $OpenBSD: lacnic.constraints,v 1.6 2024/04/17 14:31:59 job Exp $

   # From https://www.iana.org/assignments/ipv6-unicast-address-assignments
   allow 2001:1200::/23
   allow 2800::/12

   # From https://www.iana.org/assignments/as-numbers/
   allow 27648 - 28671
   allow 52224 - 53247
   allow 61440 - 61951
   allow 64099 - 64197
   allow 262144 - 274844

   # From nro-delegated-stats 20240417
   # AFRINIC Internet Number Resources cannot be transferred
   # From https://www.iana.org/assignments/ipv4-address-space/
   deny 41.0.0.0/8
   deny 102.0.0.0/8
   deny 105.0.0.0/8
   deny 154.0.0.0/16
   deny 154.16.0.0/16
   deny 154.65.0.0 - 154.255.255.255
   deny 196.0.0.0 - 196.1.0.255
   deny 196.1.4.0/24
   deny 196.1.7.0 - 196.1.63.255
   deny 196.1.71.0/24
   deny 196.1.74.0 - 196.1.103.255
   deny 196.1.115.0 - 196.1.133.255
   deny 196.1.137.0/24
   deny 196.1.143.0 - 196.1.159.255
   deny 196.1.176.0 - 196.1.255.255
   deny 196.2.2.0/23
   deny 196.2.8.0 - 196.2.255.255
   deny 196.3.14.0/23
   deny 196.3.57.0 - 196.3.64.255
   deny 196.3.90.0/24
   deny 196.3.92.0 - 196.3.94.255
   deny 196.3.96.0/21
   deny 196.3.105.0/24
   deny 196.3.107.0 - 196.3.131.255
   deny 196.3.148.0/22
   deny 196.3.154.0 - 196.3.183.255
   deny 196.3.224.0 - 196.4.45.255
   deny 196.4.71.0 - 196.11.171.255
   deny 196.11.174.0 - 196.11.239.255
   deny 196.11.248.0/21
   deny 196.12.10.0 - 196.12.31.255
   deny 196.12.128.0/19
   deny 196.12.192.0 - 196.15.15.255
   deny 196.15.64.0 - 196.26.255.255
   deny 196.27.64.0 - 196.28.47.255
   deny 196.28.64.0 - 196.29.63.255
   deny 196.29.96.0 - 196.31.255.255
   deny 196.32.8.0 - 196.32.31.255
   deny 196.32.96.0/19
   deny 196.32.160.0 - 196.39.255.255
   deny 196.40.96.0 - 196.41.255.255
   deny 196.42.64.0 - 196.216.0.255
   deny 196.216.2.0 - 197.255.255.255

   # Private use IPv4 & IPv6 addresses and ASNs
   deny 0.0.0.0/8                    # RFC 1122 Local Identification
   deny 10.0.0.0/8                   # RFC 1918 private space
   deny 100.64.0.0/10                # RFC 6598 Carrier Grade NAT
   deny 127.0.0.0/8                  # RFC 1122 localhost
   deny 169.254.0.0/16               # RFC 3927 link local
   deny 172.16.0.0/12                # RFC 1918 private space
   deny 192.0.2.0/24                 # RFC 5737 TEST-NET-1
   deny 192.88.99.0/24               # RFC 7526 6to4 anycast relay
   deny 192.168.0.0/16               # RFC 1918 private space
   deny 198.18.0.0/15                # RFC 2544 benchmarking
   deny 198.51.100.0/24              # RFC 5737 TEST-NET-2
   deny 203.0.113.0/24               # RFC 5737 TEST-NET-3
   deny 224.0.0.0/4                  # Multicast
   deny 240.0.0.0/4                  # Reserved

   # LACNIC supports only IPv4 transfers: allow the complement of what is denied
   allow 0.0.0.0/0

Constraints applicable to RIPE NCC's Trust Anchor

Given that ARIN, APNIC, and LACNIC IPv6 resources cannot be transferred to RIPE NCC, only RIPE NCC IPv6 resources should appear subordinate to RIPE NCC's Trust Anchor; that LACNIC ASNs cannot be transferred; that private use INRs are not managed by any RIR; and that AFRINIC resources of any type cannot be transferred to or from any other RIR, the constraints below can be applied to RIPE NCC's Trust Anchor.

By placing the content below in a file named *ripe.constraints*, the Trust Anchor reachable via *ripe.tal* is constrained such that any EE certificates or Signed Objects covering out-of-scope resources are considered invalid.
   # $OpenBSD: ripe.constraints,v 1.5 2024/04/17 14:31:59 job Exp $

   # From https://www.iana.org/assignments/ipv6-unicast-address-assignments
   allow 2001:600::/23
   allow 2001:800::/22
   allow 2001:1400::/22
   allow 2001:1a00::/23
   allow 2001:1c00::/22
   allow 2001:2000::/19
   allow 2001:4000::/23
   allow 2001:4600::/23
   allow 2001:4a00::/23
   allow 2001:4c00::/23
   allow 2001:5000::/20
   allow 2003::/18
   allow 2a00::/12
   allow 2a10::/12

   # LACNIC ASNs cannot be transferred to RIPE NCC
   # From https://www.iana.org/assignments/as-numbers/
   deny 27648 - 28671
   deny 52224 - 53247
   deny 61440 - 61951
   deny 64099 - 64197
   deny 262144 - 273820

   # LACNIC ASNs cannot be transferred to RIPE NCC
   # From nro-delegated-stats 20240417

   # AFRINIC IPv4 resources cannot be transferred to RIPE NCC
   # From https://www.iana.org/assignments/ipv4-address-space/
   deny 41.0.0.0/8
   deny 102.0.0.0/8
   deny 105.0.0.0/8
   deny 154.0.0.0/16
   deny 154.16.0.0/16
   deny 154.65.0.0 - 154.255.255.255
   deny 196.0.0.0 - 196.1.0.255
   deny 196.1.4.0/24
   deny 196.1.7.0 - 196.1.63.255
   deny 196.1.71.0/24
   deny 196.1.74.0 - 196.1.103.255
   deny 196.1.115.0 - 196.1.133.255
   deny 196.1.137.0/24
   deny 196.1.143.0 - 196.1.159.255
   deny 196.1.176.0 - 196.1.255.255
   deny 196.2.2.0/23
   deny 196.2.8.0 - 196.2.255.255
   deny 196.3.14.0/23
   deny 196.3.57.0 - 196.3.64.255
   deny 196.3.90.0/24
   deny 196.3.92.0 - 196.3.94.255
   deny 196.3.96.0/21
   deny 196.3.105.0/24
   deny 196.3.107.0 - 196.3.131.255
   deny 196.3.148.0/22
   deny 196.3.154.0 - 196.3.183.255
   deny 196.3.224.0 - 196.4.45.255
   deny 196.4.71.0 - 196.11.171.255
   deny 196.11.174.0 - 196.11.239.255
   deny 196.11.248.0/21
   deny 196.12.10.0 - 196.12.31.255
   deny 196.12.128.0/19
   deny 196.12.192.0 - 196.15.15.255
   deny 196.15.64.0 - 196.26.255.255
   deny 196.27.64.0 - 196.28.47.255
   deny 196.28.64.0 - 196.29.63.255
   deny 196.29.96.0 - 196.31.255.255
   deny 196.32.8.0 - 196.32.31.255
   deny 196.32.96.0/19
   deny 196.32.160.0 - 196.39.255.255
   deny 196.40.96.0 - 196.41.255.255
   deny 196.42.64.0 - 196.216.0.255
   deny 196.216.2.0 - 197.255.255.255

   # AFRINIC ASNs cannot be transferred to RIPE NCC
   # From https://www.iana.org/assignments/as-numbers/
   deny 36864 - 37887
   deny 327680 - 328703
   deny 328704 - 329727

   # AFRINIC ASNs cannot be transferred to RIPE NCC
   # From nro-delegated-stats 20240417

   # Private use IPv4 & IPv6 addresses and ASNs
   deny 0.0.0.0/8                    # RFC 1122 Local Identification
   deny 10.0.0.0/8                   # RFC 1918 private space
   deny 100.64.0.0/10                # RFC 6598 Carrier Grade NAT
   deny 127.0.0.0/8                  # RFC 1122 localhost
   deny 169.254.0.0/16               # RFC 3927 link local
   deny 172.16.0.0/12                # RFC 1918 private space
   deny 192.0.2.0/24                 # RFC 5737 TEST-NET-1
   deny 192.88.99.0/24               # RFC 7526 6to4 anycast relay
   deny 192.168.0.0/16               # RFC 1918 private space
   deny 198.18.0.0/15                # RFC 2544 benchmarking
   deny 198.51.100.0/24              # RFC 5737 TEST-NET-2
   deny 203.0.113.0/24               # RFC 5737 TEST-NET-3
   deny 224.0.0.0/4                  # Multicast
   deny 240.0.0.0/4                  # Reserved
   deny 23456                        # RFC 4893 AS_TRANS
   deny 64496 - 64511                # RFC 5398
   deny 64512 - 65534                # RFC 6996
   deny 65535                        # RFC 7300
   deny 65536 - 65551                # RFC 5398
   deny 65552 - 131071               # IANA Reserved
   deny 4200000000 - 4294967294      # RFC 6996
   deny 4294967295                   # RFC 7300

   # RIPE NCC supports IPv4 and ASN transfers: allow the complement of what is denied
   allow 0.0.0.0/0
   allow 1 - 4199999999

Acknowledgements

Thanks to Niels Bakker, Joel Jaeggli, Tony Tauber, Tom Scholl, and Erik Bais for their feedback and input.

Authors' Addresses

Job Snijders
Fastly
Netherlands
Email: job@fastly.com

Theo Buehler
OpenBSD
Switzerland
Email: tb@openbsd.org