From: job <job@openbsd.org>
Date: Thu, 14 Dec 2023 12:26:03 +0000 (+0000)
Subject: Constrain the AFRINIC TA further
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=0b77ea89199fbdcca1270232526c325a233ff3de;p=openbsd

Constrain the AFRINIC TA further

Today AFRINIC clarified its actual current resource holdings by issuing
a new CA certificate in response to a report on overclaiming:
https://lists.afrinic.net/pipermail/dbwg/2023-December/000496.html

OK tb@
---

diff --git a/etc/rpki/afrinic.constraints b/etc/rpki/afrinic.constraints
index 9801407b6cc..bab52909a2b 100644
--- a/etc/rpki/afrinic.constraints
+++ b/etc/rpki/afrinic.constraints
@@ -2,8 +2,47 @@
 allow 41.0.0.0/8
 allow 102.0.0.0/8
 allow 105.0.0.0/8
-allow 154.0.0.0/8
-allow 196.0.0.0/7
+
+allow 154.0.0.0/16
+allow 154.16.0.0/16
+allow 154.65.0.0 - 154.255.255.255
+allow 196.0.0.0 - 196.1.0.255
+allow 196.1.4.0/24
+allow 196.1.7.0 - 196.1.63.255
+allow 196.1.71.0/24
+allow 196.1.74.0 - 196.1.103.255
+allow 196.1.115.0 - 196.1.133.255
+allow 196.1.137.0/24
+allow 196.1.143.0 - 196.1.159.255
+allow 196.1.176.0 - 196.1.255.255
+allow 196.2.2.0/23
+allow 196.2.8.0 - 196.2.255.255
+allow 196.3.14.0/23
+allow 196.3.57.0 - 196.3.64.255
+allow 196.3.90.0/24
+allow 196.3.92.0 - 196.3.94.255
+allow 196.3.96.0/21
+allow 196.3.105.0/24
+allow 196.3.107.0 - 196.3.131.255
+allow 196.3.148.0/22
+allow 196.3.154.0 - 196.3.183.255
+allow 196.3.224.0 - 196.4.45.255
+allow 196.4.71.0 - 196.11.171.255
+allow 196.11.174.0 - 196.11.239.255
+allow 196.11.248.0/21
+allow 196.12.10.0 - 196.12.31.255
+allow 196.12.128.0/19
+allow 196.12.192.0 - 196.15.15.255
+allow 196.15.64.0 - 196.26.255.255
+allow 196.27.64.0 - 196.28.47.255
+allow 196.28.64.0 - 196.29.63.255
+allow 196.29.96.0 - 196.31.255.255
+allow 196.32.8.0 - 196.32.31.255
+allow 196.32.96.0/19
+allow 196.32.160.0 - 196.39.255.255
+allow 196.40.96.0 - 196.41.255.255
+allow 196.42.64.0 - 196.216.0.255
+allow 196.216.2.0 - 197.255.255.255
 
 # From https://www.iana.org/assignments/ipv6-address-space/
 allow 2001:4200::/23
@@ -14,43 +53,6 @@ allow 36864 - 37887
 allow 327680 - 328703
 allow 328704 - 329727
 
-# Holes
-deny 154.1.0.0/16                 # ARIN
-deny 154.2.0.0/15                 # ARIN
-deny 154.4.0.0/14                 # ARIN
-deny 154.8.0.0 - 154.8.47.255     # RIPE
-deny 154.8.48.0 - 154.8.255.255   # APNIC
-deny 154.9.0.0/16                 # ARIN
-deny 154.10.0.0/16                # APNIC
-deny 154.11.0.0/16                # ARIN
-deny 154.12.0.0/15                # ARIN
-deny 154.14.0.0/15                # RIPE
-deny 154.17.0.0/16                # ARIN
-deny 154.18.0.0/15                # ARIN
-deny 154.20.0.0/14                # ARIN
-deny 154.24.0.0/13                # ARIN
-deny 154.32.0.0/16                # RIPE
-deny 154.33.0.0 - 154.34.255.255  # APNIC
-deny 154.35.0.0/16                # ARIN
-deny 154.36.0.0/14                # ARIN
-deny 154.40.0.0/13                # ARIN
-deny 154.48.0.0/12                # ARIN
-deny 154.64.0.0/16                # ARIN
-deny 196.1.1.0/24                 # APNIC
-deny 196.1.68.0/24                # APNIC
-deny 196.1.104.0 - 196.1.106.255  # APNIC
-deny 196.1.108.0/22               # APNIC
-deny 196.1.113.0 - 196.1.114.255  # APNIC
-deny 196.1.134.0/24               # APNIC
-deny 196.3.65.0/24                # APNIC
-deny 196.3.72.0/24                # APNIC
-deny 196.12.32.0/19               # APNIC
-deny 196.15.16.0/20               # APNIC
-deny 196.29.64.0/19               # LACNIC
-deny 196.32.32.0/19               # LACNIC
-deny 196.32.64.0/19               # LACNIC
-deny 196.40.0.0 - 196.40.95.255   # LACNIC
-
 # From https://www.iana.org/assignments/ipv4-recovered-address-space
 allow 45.96.0.0 - 45.111.255.255
 allow 45.192.0.0 - 45.222.255.255