From e1e64b4194d9ec59fb193517857545a6fea0bcd9 Mon Sep 17 00:00:00 2001 From: job Date: Tue, 30 Jan 2024 03:40:01 +0000 Subject: [PATCH] Add more RPKI TA constraints: LACNIC ASNs cannot transfer to/from other RIRs OK tb@ --- etc/rpki/apnic.constraints | 16 +++++++++++++--- etc/rpki/arin.constraints | 16 +++++++++++++--- etc/rpki/lacnic.constraints | 24 +++++++++--------------- etc/rpki/ripe.constraints | 16 +++++++++++++--- 4 files changed, 48 insertions(+), 24 deletions(-) diff --git a/etc/rpki/apnic.constraints b/etc/rpki/apnic.constraints index 276409ade69..449555a46ff 100644 --- a/etc/rpki/apnic.constraints +++ b/etc/rpki/apnic.constraints @@ -1,4 +1,4 @@ -# $OpenBSD: apnic.constraints,v 1.4 2023/12/26 13:36:18 job Exp $ +# $OpenBSD: apnic.constraints,v 1.5 2024/01/30 03:40:01 job Exp $ # From https://www.iana.org/assignments/ipv6-unicast-address-assignments allow 2001:200::/23 @@ -13,7 +13,15 @@ allow 2400::/12 # IX Assignments allow 2001:7fa::/32 -# AFRINIC Internet Number Resources cannot be transferred +# LACNIC ASNs cannot be transferred to APNIC +# From https://www.iana.org/assignments/as-numbers/as-numbers.xhtml +deny 27648 - 28671 +deny 52224 - 53247 +deny 61440 - 61951 +deny 64099 - 64197 +deny 262144 - 273820 + +# AFRINIC IPv4 resources cannot be transferred to APNIC # From https://www.iana.org/assignments/ipv4-address-space/ deny 41.0.0.0/8 deny 102.0.0.0/8 @@ -58,6 +66,8 @@ deny 196.32.160.0 - 196.39.255.255 deny 196.40.96.0 - 196.41.255.255 deny 196.42.64.0 - 196.216.0.255 deny 196.216.2.0 - 197.255.255.255 + +# AFRINIC ASNs cannot be transferred to APNIC # From https://www.iana.org/assignments/as-numbers/ deny 36864 - 37887 deny 327680 - 328703 @@ -87,6 +97,6 @@ deny 65552 - 131071 # IANA Reserved deny 4200000000 - 4294967294 # RFC 6996 deny 4294967295 # RFC 7300 -# Allow the complement of what is denied +# APNIC supports IPv4 and ASN transfers: allow the complement of what is denied allow 0.0.0.0/0 allow 1 - 4199999999 
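Review bot: The five LACNIC ASN ranges added in the `@@ -13,7 +13,15 @@` hunk of apnic.constraints are repeated by hand as `deny` entries in arin.constraints and ripe.constraints and as `allow` entries in lacnic.constraints, and nothing in the files ties the copies together. If IANA allocates a further block to LACNIC and only some copies are updated, the stale deny lists would presumably still accept that block under the other trust anchors, because `allow 1 - 4199999999` covers it. I would add a comment above each copy such as `# Keep in sync with the ASN allow list in lacnic.constraints`. The source URL is also written two ways: `.../as-numbers/as-numbers.xhtml` here and in arin.constraints, but `.../as-numbers/` in ripe.constraints, lacnic.constraints and the AFRINIC ASN section of this same file. Using one form would make the copies easier to find with grep.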
diff --git a/etc/rpki/arin.constraints b/etc/rpki/arin.constraints index 4eb58fd0ca3..711512061bf 100644 --- a/etc/rpki/arin.constraints +++ b/etc/rpki/arin.constraints @@ -1,4 +1,4 @@ -# $OpenBSD: arin.constraints,v 1.3 2023/12/26 13:36:18 job Exp $ +# $OpenBSD: arin.constraints,v 1.4 2024/01/30 03:40:01 job Exp $ # From https://www.iana.org/assignments/ipv6-unicast-address-assignments allow 2001:400::/23 @@ -9,7 +9,15 @@ allow 2610::/23 allow 2620::/23 allow 2630::/12 -# AFRINIC Internet Number Resources cannot be transferred +# LACNIC ASNs cannot be transferred to ARIN +# From https://www.iana.org/assignments/as-numbers/as-numbers.xhtml +deny 27648 - 28671 +deny 52224 - 53247 +deny 61440 - 61951 +deny 64099 - 64197 +deny 262144 - 273820 + +# AFRINIC IPv4 resources cannot be transferred to ARIN # From https://www.iana.org/assignments/ipv4-address-space/ deny 41.0.0.0/8 deny 102.0.0.0/8 @@ -54,6 +62,8 @@ deny 196.32.160.0 - 196.39.255.255 deny 196.40.96.0 - 196.41.255.255 deny 196.42.64.0 - 196.216.0.255 deny 196.216.2.0 - 197.255.255.255 + +# AFRINIC ASNs cannot be transferred to ARIN # From https://www.iana.org/assignments/as-numbers/ deny 36864 - 37887 deny 327680 - 328703 @@ -83,6 +93,6 @@ deny 65552 - 131071 # IANA Reserved deny 4200000000 - 4294967294 # RFC 6996 deny 4294967295 # RFC 7300 -# Allow the complement of what is denied +# ARIN supports IPv4 and ASN transfers: allow the complement of what is denied allow 0.0.0.0/0 allow 1 - 4199999999 diff --git a/etc/rpki/lacnic.constraints b/etc/rpki/lacnic.constraints index 8c27213895f..2cd227fd765 100644 --- a/etc/rpki/lacnic.constraints +++ b/etc/rpki/lacnic.constraints 
@@ -1,9 +1,16 @@ -# $OpenBSD: lacnic.constraints,v 1.3 2023/12/26 13:36:18 job Exp $ +# $OpenBSD: lacnic.constraints,v 1.4 2024/01/30 03:40:01 job Exp $ # From https://www.iana.org/assignments/ipv6-unicast-address-assignments allow 2001:1200::/23 allow 2800::/12 +# From https://www.iana.org/assignments/as-numbers/ +allow 27648 - 28671 +allow 52224 - 53247 +allow 61440 - 61951 +allow 64099 - 64197 +allow 262144 - 273820 + # AFRINIC Internet Number Resources cannot be transferred # From https://www.iana.org/assignments/ipv4-address-space/ deny 41.0.0.0/8 @@ -49,10 +56,6 @@ deny 196.32.160.0 - 196.39.255.255 deny 196.40.96.0 - 196.41.255.255 deny 196.42.64.0 - 196.216.0.255 deny 196.216.2.0 - 197.255.255.255 -# From https://www.iana.org/assignments/as-numbers/ -deny 36864 - 37887 -deny 327680 - 328703 -deny 328704 - 329727 # Private use IPv4 & IPv6 addresses and ASNs deny 0.0.0.0/8 # RFC 1122 Local Identification @@ -69,15 +72,6 @@ deny 198.51.100.0/24 # RFC 5737 TEST-NET-2 deny 203.0.113.0/24 # RFC 5737 TEST-NET-3 deny 224.0.0.0/4 # Multicast deny 240.0.0.0/4 # Reserved -deny 23456 # RFC 4893 AS_TRANS -deny 64496 - 64511 # RFC 5398 -deny 64512 - 65534 # RFC 6996 -deny 65535 # RFC 7300 -deny 65536 - 65551 # RFC 5398 -deny 65552 - 131071 # IANA Reserved -deny 4200000000 - 4294967294 # RFC 6996 -deny 4294967295 # RFC 7300 -# Allow the complement of what is denied +# LACNIC supports only IPv4 transfers: allow the complement of what is denied allow 0.0.0.0/0 -allow 1 - 4199999999 diff --git a/etc/rpki/ripe.constraints b/etc/rpki/ripe.constraints index ae63ba1903b..6f3879337a6 100644 --- a/etc/rpki/ripe.constraints +++ b/etc/rpki/ripe.constraints @@ -1,4 +1,4 @@ -# $OpenBSD: ripe.constraints,v 1.3 2023/12/26 13:36:18 job Exp $ +# $OpenBSD: ripe.constraints,v 1.4 2024/01/30 03:40:01 job Exp $ # From https://www.iana.org/assignments/ipv6-unicast-address-assignments allow 2001:600::/23 
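Review bot: The context comment `# AFRINIC Internet Number Resources cannot be transferred` in the `@@ -1,9 +1,16 @@` hunk of lacnic.constraints is now broader than the section it heads, because the `@@ -49,10 +56,6 @@` hunk removes the AFRINIC ASN denies and only IPv4 ranges remain. The other three files were reworded, and this one could read `# AFRINIC IPv4 resources cannot be transferred to LACNIC`. Likewise `# Private use IPv4 & IPv6 addresses and ASNs` in the `@@ -49,10 +56,6 @@` hunk no longer heads any ASN entries once the `@@ -69,15 +72,6 @@` hunk drops them. The new ASN allow list also has no comment saying it is meant to be exhaustive; a line such as `# LACNIC does not support ASN transfers: only LACNIC's own IANA-allocated blocks are allowed` would explain why the AS_TRANS, private-use and reserved denies could be removed. That removal presumably relies on anything outside an explicit allow list being rejected, which is worth confirming against the constraints parser.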
@@ -16,7 +16,15 @@ allow 2003::/18 allow 2a00::/12 allow 2a10::/12 -# AFRINIC Internet Number Resources cannot be transferred +# LACNIC ASNs cannot be transferred to RIPE NCC +# From https://www.iana.org/assignments/as-numbers/ +deny 27648 - 28671 +deny 52224 - 53247 +deny 61440 - 61951 +deny 64099 - 64197 +deny 262144 - 273820 + +# AFRINIC IPv4 resources cannot be transferred to RIPE NCC # From https://www.iana.org/assignments/ipv4-address-space/ deny 41.0.0.0/8 deny 102.0.0.0/8 @@ -61,6 +69,8 @@ deny 196.32.160.0 - 196.39.255.255 deny 196.40.96.0 - 196.41.255.255 deny 196.42.64.0 - 196.216.0.255 deny 196.216.2.0 - 197.255.255.255 + +# AFRINIC ASNs cannot be transferred to RIPE NCC # From https://www.iana.org/assignments/as-numbers/ deny 36864 - 37887 deny 327680 - 328703 @@ -90,6 +100,6 @@ deny 65552 - 131071 # IANA Reserved deny 4200000000 - 4294967294 # RFC 6996 deny 4294967295 # RFC 7300 -# Allow the complement of what is denied +# RIPE NCC supports IPv4 and ASN transfers: allow the complement of what is denied allow 0.0.0.0/0 allow 1 - 4199999999 -- 2.20.1