Summary

  • An AS0 ROA is a signed disavowal of public route origination. Because AS 0 is reserved and must not appear as a usable BGP origin, a real-world announcement covered only by that ROA will be classified Invalid by origin validation.
  • RFC 6491 gives IANA a standards basis to issue AS0 ROAs for unallocated resources and reserved or special-purpose resources that are not intended to be globally routed. It also prohibits such ROAs for reserved or special-purpose space that is expected to be routed.
  • RIR authority is narrower and regionally governed. It rests on current administration of undelegated space, community policy and accurate resource records. APNIC and LACNIC implemented policies for AS0 coverage of address space under their administration; this does not create authority over another RIR's pool or every form of disputed resource.
  • AS0 is useful as a conservation control because it expresses a default against unauthorized use before an allocation exists, and because a concurrent positive ROA can make an authorized route Valid. It does not prove that every observed route is malicious or eliminate the operator's local policy choice.
  • The largest governance risk is classification error at transition. Available, reserved, quarantined, returned, reclaimed, special-purpose, assigned and legacy-held space have different factual and legal histories. A label derived from a daily registry snapshot cannot settle a contested entitlement by itself.
  • Withdrawal must precede or be safely coordinated with delegation. Removing a prefix from AS0 is not complete until updated publication reaches validators, caches and routers. Operators that discard Invalid paths also need a safe reevaluation method when the correction arrives.
  • Separate trust inputs and monitoring-first use can contain risk. APNIC has warned that errors could interrupt routing and recommends its AS0 material for advisory or alerting use rather than automatic filtering. Such separation protects operator choice only if the trust input, scope and default are visible.
  • Legitimate AS0 operation requires a public scope rule, signed and versioned classification evidence, pre-publication conflict checks, fast authenticated challenge, measurable withdrawal targets, preserved history and independent BGP observation. A Number Resource Society can audit these controls without claiming power to allocate space or compel routing policy.

Zero is a disavowal, not a destination

AS0 works because two standards ideas meet. The first is the ROA: a signed entity stating which autonomous system is authorized to originate a route for an address prefix, within a specified maximum prefix length. The second is the reservation of AS 0 itself. RFC 7607, published in 2015, requires BGP speakers not to originate or propagate a route containing AS 0 in the relevant path attributes and not to establish a session claiming AS 0.

An AS0 ROA therefore does not authorize a special null network to originate a prefix. It selects an origin that cannot legitimately appear in the public BGP path. RFC 6483 describes the result as a disavowal: the prefix holder states that the prefix and any more-specific prefix should not be used in a routing context. Any ordinary public origin AS will fail to match that AS0 authorization.

The validation logic has an important qualification. Origin validation examines all candidate ROAs covering the route. If any valid ROA authorizes the observed origin and prefix length, the route is Valid even if an AS0 ROA considered alone would make it Invalid. RFC 6483 therefore says AS0 has lower relative preference than a concurrent positive authorization. AS0 establishes a default denial; it is not an absolute veto over a matching positive ROA.

That property makes AS0 both useful and delicate. A registry can mark an undelegated pool as not intended for routing without naming every possible unauthorized origin. When it later delegates part of the pool, a correctly issued positive ROA can protect an announcement while AS0 coverage is being changed. Yet relying on overlap as a routine cure would hide poor change control. The default should still be removal or reissuance of the AS0 entity before the new holder needs to announce.

The technical effect is narrower than some policy language suggests. An AS0 ROA causes an Invalid classification in relying parties that accept the relevant trust input and receive the current entity. It does not itself delete a route from BGP. RFC 8481 leaves policy action to the operator. Some networks reject Invalid routes, some de-prefer or monitor them, and others do not use that AS0 trust input at all.

The mechanism is thus a signed recommendation backed by cryptographic resource authority and operator adoption. Calling it merely informational understates its effect. Calling it a global routing prohibition overstates it. Governance begins with the exact middle: an authoritative default disavowal that independent networks may turn into enforcement.

The authority question has three different answers

Who may authorize AS0 depends on which address space is being described. IANA, an RIR and an ordinary resource holder do not derive authority from the same relationship.

RFC 6491 addresses IANA's RPKI objects for resources that remain at the top of the allocation structure. It says IANA should issue AS0 ROAs for unallocated resources. For reserved and special-purpose resources, the test is intended public routing: IANA should issue AS0 for resources not intended to be globally routed and must not issue any ROA for reserved or special-purpose resources expected to be routed. The deliberate use of “should” recognizes that registry actions and technical transitions may require removal or non-issuance before a status change.

An RIR's authority begins after resources are placed under its administration. It can certify undelegated portions of its own pool because it is the current custodian and because regional policy authorizes the act. APNIC's policy states that only APNIC may create AS0 ROAs for APNIC address space not yet delegated to an account holder, and that APNIC will remove the prefix when it delegates the space. LACNIC's adopted policy similarly limits AS0 to unallocated, unassigned, recovered or returned resources under LACNIC administration and requires affected ROAs to be invalidated or reissued when resources are allocated or assigned.

An existing holder can also use AS0 for space it controls and does not wish to route. Its authority follows its certificate and resource relationship, not a general conservation mandate. This use may support a dormant reserve or an aggregate within which only specifically authorized more-specifics should route. It should not be confused with an RIR declaring that no holder exists.

These distinctions prevent authority creep. An RIR cannot infer power over another region's pool because it observes an announcement. A measurement project cannot sign AS0 simply because registration data look incomplete. A standards body can define how reserved space should be used but does not automatically operate the relevant certificate authority. A court dispute over a legacy block cannot be resolved by calling the block “available” in a convenience list.

The proper authority statement identifies the prefix, current administrative chain, classification, policy basis and effective period. If any of those elements is contested, AS0 publication may still be justified as interim protection, but the dispute and challenge route should be visible. Cryptographic ability to sign is necessary evidence of control; it is not by itself proof that every underlying classification was procedurally sound.

Conservation is a real duty in a scarce and abuse-prone environment

The affirmative case for AS0 should not be lost in concern about denial. Undelegated address space is not free for opportunistic use. RIRs hold it for future allocation, special needs, returns, quarantine or policy-defined purposes. Announcements from such space can arise from mistake, private configurations leaking into public routing, obsolete filters or deliberate abuse. A machine-readable disavowal can help operators distinguish that space from merely unsigned but legitimately routed prefixes.

Before AS0, operators commonly relied on lists of “bogon” prefixes built from allocation records. Those lists require regular refresh and careful interpretation. RPKI can bind the warning to the same certificate hierarchy used for positive route-origin authorization. A validator can then deliver the result with other payloads, and a router can apply one origin-validation policy rather than a separate unverified list.

APNIC's policy rationale is explicit: address space marked unallocated or unassigned under APNIC administration should not be publicly advertised, and AS0 is intended to restrict propagation of announcements covering it. LACNIC's rationale similarly ties custodianship to distribution under policy and seeks to reduce the burden on operators maintaining separate filters. These are legitimate public-interest goals.

The security benefit is preventive. A malicious actor cannot make a route Valid merely by choosing an origin AS because no routable AS matches zero. If operators reject Invalid routes, AS0 raises the chance that a misorigin from unused space will be stopped near an import boundary. It also creates an authenticated alert for operators that do not yet reject.

But conservation is not ownership in the ordinary property sense, and route visibility is not definitive evidence of theft. Some records are historical, some resources are in transition, and some address uses are private or special-purpose. A public route may reveal an error in the registry's own classification rather than an abusive origin. AS0's value lies in establishing a strong rebuttable default, not an irrebuttable accusation.

The bounded thesis is therefore pro-conservation. RIRs and IANA should be able to protect genuinely undelegated, non-routed resources within their authority. They should do so with the discipline expected of a control whose mistakes can affect connectivity: narrow scope, reliable records, warning before change where possible, rapid withdrawal, observable propagation and meaningful challenge.

“Unallocated” and “reserved” are not synonyms

AS0 policy often begins with a list of labels: available, reserved, unallocated, unassigned, returned, recovered or quarantined. These labels can all support non-routing in a particular setting, but they are not interchangeable.

Unallocated space has not been delegated down the relevant administrative chain. The default case is straightforward: no network currently has authority to originate it publicly. Unassigned space may sit within a larger allocation but has not been assigned to an end user or sub-holder. Whether an RIR can sign directly for it depends on the certificate and policy structure; a parent holder may retain relevant authority.

Reserved space is held back for a reason. Some reservations are not intended for global routing, such as private or documentation use. Others may be intended for a future routable service or a temporary assignment procedure. RFC 6491 expressly recognizes reserved and special-purpose resources that are expected to be globally routed and prohibits IANA from issuing ROAs for those cases. “Reserved” therefore cannot be a mechanical synonym for “never route.”

Quarantine adds time and history. A returned or reclaimed block may be withheld before reissue so that stale routing, reputation, geolocation or abuse records can settle. The registry may have good reason to discourage public origination during quarantine. It also needs to know whether a former holder still asserts rights, whether a transfer is incomplete, and whether a residual route represents an unresolved dispute rather than random misuse.

Available usually means eligible for allocation under policy. The label may change daily as requests, reservations and delegations are processed. An AS0 entity derived from an available list must be linked to transactional controls so that a prefix cannot be delegated while still accidentally covered without an effective positive authorization.

Legacy-held resources are the hardest category. Registration history may predate modern agreements and certificate services. A resource can appear poorly documented without being unallocated. Classification should use registration history, transfer records, contracts, correspondence and observable routing, not a missing modern field alone. AS0 must never become a shortcut for extinguishing an inconvenient claim.

A legitimate publication service defines each included status and exclusion. It names the authoritative data set, update time and reconciliation rules. It performs overlap checks against current certificates, assignments, positive ROAs, pending delegations and known disputes. If it cannot explain why a prefix is inside the set, the set is not ready to influence routing.

Daily statistics are evidence, not title instruments

The RIR statistics exchange format provides a useful public snapshot of allocations and assignments. Participating registries publish files on a regular schedule, with a common naming and record structure. Extended forms can include statuses used by operational systems. APNIC's AS0 implementation has drawn its undelegated set from resources marked available or reserved in its published statistics.

This is a strong starting point because the input is public, machine-readable and repeatable. An observer can compare the classified resource set with the AS0 payloads and identify unexplained differences. Versioning and checksums improve integrity. Automation reduces the chance that a manually maintained list silently decays.

The format also states its limits. It summarizes current allocations and assignments and does not supply transactional or historical detail. Counts of records do not equal amounts of address space. Transfers can create temporary overlap across registry files. Some non-registry historical assignments fall outside RIR-produced records. A snapshot can report a status without proving how, when or under what contested authority it arose.

That is why daily statistics should not be the sole predicate for denial. The AS0 service should reconcile them with the live registration system, certificate inventory, positive ROAs, pending allocation transactions, transfer locks and dispute flags. It should reject publication when sources conflict rather than choose the most convenient label. A human review path is especially important for recovered, returned and legacy space.

The public should be able to reconstruct the decision without gaining access to private account data. For each included prefix, a signed manifest or transparency record can identify the source status, observation time, authorizing policy and AS0 entity. For each removal, it can identify the new status and withdrawal time. Sensitive customer identity can remain protected until ordinary registration rules permit disclosure.

External observers can then ask a meaningful question: did the AS0 set correspond to the registry's declared undelegated set at that time? They need not accept the registry's legal conclusion in every dispute to verify operational consistency. If a prefix appears as assigned while still in AS0, the discrepancy becomes visible before a routing incident is dismissed as a holder mistake.

Machine-readable evidence makes authority review possible, but it does not convert data publication into adjudication. The registry remains responsible for the classification procedure behind the record and for correcting errors when documentary evidence changes the result.

The transition out of AS0 is the constitutional moment

The easiest AS0 case is a block that remains unused for years. The difficult case is the hour in which it becomes usable. A new allocation changes a conservation default into a holder's right to authorize routing. If the registry's processes do not coordinate that transition, a security control can deny the very use the allocation was meant to enable.

APNIC's current resource policy says that when it delegates space to an account holder, it will remove the prefix from the AS0 ROA. LACNIC's policy requires it to invalidate ROAs containing a resource that is about to be allocated or assigned and issue replacement ROAs without that resource. The ordering is important. The denial should be withdrawn before or in a transaction safely coordinated with the new authority.

Publication is not instantaneous, however. Removing a prefix in an internal allocation system does not immediately remove every validated payload. The repository must publish a coherent new state. Relying parties fetch on their own schedules. Cache-to-router sessions use refresh and retry behaviour. Routers must receive a withdrawal and reevaluate routes. Different networks can hold different valid views during convergence.

A 2019 RIPE NCC impact analysis for an AS0 proposal illustrated the problem rather than settling it. It noted that operational triggers might make advance revocation difficult and that global processing could take time. The exact estimates in a proposal analysis should not be treated as universal current performance, but the institutional lesson remains: allocation and routing readiness need an explicit handoff period.

There are three practical safeguards. First, pre-stage removal where the allocation decision is final enough to do so safely. Second, allow the new holder to create a matching positive ROA before announcement, because origin validation treats a matching positive authorization as Valid even alongside AS0. Third, verify from independent validators that the intended payload state has propagated before advising the holder to announce.

These controls require a service promise. The allocation notice should say whether AS0 previously covered the resource, when removal was published, where the holder can inspect it, and when a positive ROA became usable. If urgent routing is expected, a registry engineer should confirm external validation rather than rely on a portal status.

The transition is constitutional because it reveals whose rights take priority and when. Conservation is legitimate while no holder has authority. Once authority is granted, the institution must relinquish the denial promptly and visibly. A registry that can add AS0 automatically but cannot remove it under a measured objective has built a one-way power.

A wrong AS0 classification has a distinctive failure shape

Suppose a /16 is classified as undelegated and covered by an AS0 ROA even though a legitimate holder has been routing a /24 from within it. Before AS0, the route may have been NotFound and accepted. After validators ingest the entity, the /24 becomes Invalid because the AS0 prefix covers its more-specifics and no positive ROA matches. Networks that reject Invalid routes may withdraw reachability at different times.

The visible pattern can resemble a hijack response: selected networks stop carrying the route while others continue. The holder may first blame transit, the transit provider may point to its validator, and the validator may correctly show the signed AS0 payload. Each actor can be technically correct within its own boundary while the underlying registry classification is wrong.

The remedy must begin at the authority layer. A local operator exception can restore one path, but it cannot remove the AS0 entity seen by other networks. The registry must authenticate the claimant, review the resource evidence, withdraw or narrow the entity and publish a reasoned correction. Validators then need to process the changed repository state, and routers need to reevaluate.

The failure can persist after withdrawal if evidence is thin. One validator may not fetch the new state. A cache can be stale. A router may have discarded the route and require a safe recovery mechanism. Some operators may separately maintain bogon lists derived from the same mistaken status. Correcting RPKI alone may not remove every denial.

This shape argues for a coordinated incident record. It should identify the erroneous classification, first AS0 publication, affected prefixes, observed BGP origins, correction authorization, repository withdrawal, independent validator convergence, cache and router recovery, and residual non-RPKI filters. The record should distinguish confirmed effects from inferred ones.

Compensation and fault should follow evidence. A registry that misclassified clear records bears a stronger duty than one confronting a good-faith title dispute. An operator that applied a documented strict policy did not create the classification, but it may be responsible for lacking a customer escalation route or for failing to process the correction. A holder that routed without maintaining contact or authorization records may have contributed to delay without losing every claim.

The goal is not to make AS0 risk-free. It is to ensure that the control has a reversible failure mode and that no institution can point forever to the next link in the chain.

Separate trust inputs can limit blast radius only if operators notice them

APNIC's public notes on its AS0 ROA are unusually candid. They warn that errors could cause unintended routing interruption depending on router configuration, recommend advisory or alerting use rather than automatic filtering, and describe a different Trust Anchor Locator intended to prevent inadvertent use. The material covers only address space for which APNIC is authoritative.

This design separates the decision to trust ordinary positive RPKI material from the decision to consume a broad registry-generated disavowal. An operator can validate the AS0 set in monitoring, compare it with BGP and registration evidence, and choose whether or where to enforce. A mistake need not automatically affect every network using APNIC's standard trust anchor.

Separation is not magic. If software packages the additional trust input as a silent default, the choice disappears. If a managed validator labels the feed generically, a router operator may not know that AS0 came from a distinct source. If an operator merges payloads from several caches without provenance, it may be unable to identify which trust input made the route Invalid.

The control therefore needs interface visibility. Validators should show AS0 trust inputs separately, list the number and scope of payloads without implying universal coverage, and tag provenance in diagnostics. Operators should record explicit approval, intended mode, covered routers and policy. Changes to the trust input should require review comparable to a routing-policy change.

Monitoring-first use has substantive value. An operator can alert when an AS0-covered prefix appears in BGP, contact the apparent origin or upstream, and compare independent registration records before rejection. This is especially prudent during early deployment or where classification history is complex. It also generates evidence about false positives and propagation without risking immediate disconnection.

The weakness is that monitoring does not conserve routes by itself. A determined abuser may continue announcing. Mature operators may reasonably move to rejection after demonstrating data quality and correction capacity. The governance requirement is not permanent caution but deliberate escalation: measure, notify, test exceptions, publish a date and then enforce under a documented policy.

Different regional choices are legitimate when visible. As of the evidence reviewed, APNIC and LACNIC have implemented AS0 arrangements, with official 2025 NRO guidance describing separate AS0 trust anchors and recommending alerting or monitoring rather than automatic filtering because of risk. This should not be generalized into a claim that every RIR publishes or governs AS0 identically.

Local policy remains the final enforcement decision

An AS0 ROA does not bypass RFC 8481. Validators set origin-validation state; operator configuration decides policy. This matters because the institutions signing AS0 and those bearing connectivity risk are different.

A network may reject every route that is Invalid solely because of an accepted AS0 payload. This gives conservation a direct effect and simplifies policy. It also requires confidence that classification, withdrawal and exception procedures are strong. The network should know whether the Invalid state came from standard holder-issued ROAs, a registry AS0 feed or local assertions, even if the same route-map term ultimately rejects all three.

Another network may alert on AS0 separately. It can contact a customer before enforcing, reject on peer and transit sessions but allow a temporary authenticated customer exception, or apply enforcement only after independent confirmation. Such distinctions can be legitimate because relationship and evidence differ. They should not become permanent loopholes through which customers can announce any undelegated space.

De-preference is an imperfect compromise. An Invalid more-specific route can attract traffic over a less-specific Valid route because forwarding uses longest prefix before BGP preference among routes to the same prefix. Retaining an Invalid path solely for rapid reevaluation is different from allowing it into forwarding. Policy descriptions must distinguish those states.

Operators also need a response when validation data disappear. Cache expiry can remove the AS0 signal or change its treatment. Failing open may permit the undesired route; failing closed on all unknown data may cause broader reachability harm. Redundant caches and explicit expiry policy reduce but do not eliminate the choice.

No registry can assess these local risks for every network. A public-sector provider carrying emergency services may choose a staged exception after authenticating a newly allocated prefix. A backbone with broad observation and mature escalation may reject immediately. A small enterprise may rely entirely on its upstream. Institutional legitimacy comes from clear roles, not identical configuration.

The operator's decision should still be explainable. When a route is rejected, the network should be able to identify the AS0 payload, trust input, validator time and matched policy. When an exception is granted, it should identify scope, evidence, approver and expiry. Local autonomy without a record is indistinguishable from arbitrary treatment to the party affected.

External measurement is part of the safety case

An AS0 publisher can verify its own entities and still miss the most important discrepancy: a prefix it calls unused is visibly originated in BGP. The route may be unauthorized, but it may also be evidence that classification deserves review before broad enforcement. External measurement should therefore run before publication, during operation and after withdrawal.

The first comparison is between proposed AS0 coverage and current BGP observations. RIPE RIS and RouteViews collect routes from participating networks at multiple locations and archive routing tables and updates. A publisher can flag every proposed prefix or more-specific that appears at any selected collector. The result is a review queue, not an automatic exemption. Collector visibility is partial, and non-observation does not prove that a route does not exist.

The second comparison is between authoritative resource status and the validated payload set. Independent validators should derive the same intended AS0 entries from the published entities. Differences can reveal repository lag, certificate errors or software interpretation. The report should identify trust inputs and observation times rather than count validators as votes.

The third comparison concerns effect. Controlled observation can show whether AS0-covered announcements remain visible from selected vantage points, whether visibility changes after operator adoption, and whether a corrected prefix returns. It cannot establish an exact global rejection rate. BGP collectors sample willing peers, and path changes can conceal policy. Active tests require ethical and routing safeguards and still measure only selected paths.

The fourth comparison concerns false positives. Every authenticated challenge should be classified: registry data error, pending delegation, stale route, holder mistake, disputed claim, local private use or unexplained announcement. Time to first response, authority correction, validator convergence and observed restoration should be reported in distributions with clear denominators. A zero-challenge period is not proof of perfect accuracy if affected parties could not find the contact.

Public measurement gives the conservation claim credibility. It shows whether covered space was actually observed in routing, whether abuse fell, and whether legitimate transitions recovered. It also disciplines expansion. A publisher should not add more categories merely because generation is technically easy; it should show that the current set is accurate, reversible and useful.

The strongest evidence is event-level and reproducible. A monthly claim that “AS0 protects millions of addresses” says little about operational value and can mislead because address counts weight large blocks heavily. A record of detected announcements, reviewed conflicts, corrections and measured convergence tells institutions what the control actually did.

Fast withdrawal is a right, not merely an engineering target

When AS0 is wrong, the affected party needs more than a support ticket. The registry's signed statement can influence distant operators with whom the holder has no contract. A credible challenge procedure is therefore part of the authority to publish.

The entry point should be public, continuously monitored and capable of authenticating urgent claimants. The requester should provide prefix, claimed authority, origin AS, routing evidence and contact. The registry should immediately return a case identifier and identify whether the prefix is currently in AS0, under which policy and from which status record.

Triage should separate obvious administrative error from contested rights. If a newly allocated prefix remained covered due to failed change processing, withdrawal should not await a policy committee. If the claim concerns a returned or legacy block with conflicting records, the registry may need legal and documentary review. Even then, it should consider a time-bounded risk measure, explain the interim decision and preserve appeal.

Withdrawal targets should be defined at controlled checkpoints: approval, repository publication and confirmation by specified independent validators. End-to-end route restoration should be measured and reported but not guaranteed universally because operators control their own polling and policy. The registry should continue assisting until representative external observations show the correction has propagated or the remaining obstruction is located elsewhere.

The historical record must survive correction. Quietly regenerating a large aggregate without an itemized change log makes it difficult to know that the prefix was ever covered. A transparency entry should record old and new scope, reason category, authorization and timestamps. It can protect private claimant details while exposing institutional action.

An appeal should be available when the registry refuses withdrawal. The review body needs access to registration and policy evidence, must be independent enough to question staff classification, and should publish a reasoned outcome with necessary redactions. Court rights and contractual remedies remain where applicable; technical review should not pretend to settle every legal title issue.

Fast withdrawal is a right because reversibility justifies preventive power. The institution asks operators to rely on a classification before harm occurs. In exchange, it must offer the wrongly classified party a rapid, evidenced route out. Without that symmetry, conservation becomes pre-emptive denial without due process.

Preventive power requires stronger change control than ordinary lists

A static bogon list can be wrong, but an RPKI AS0 entity carries cryptographic authority and can enter automated router policy. Its change control should reflect that higher leverage.

Generation should be deterministic from declared inputs but not blind. The candidate set can be computed from resource status, then checked against certificate holdings, positive ROAs, pending allocations, transfer records, dispute flags and observed BGP. Every exclusion and conflict should be logged. A second person or independent control should approve high-risk additions such as returned, reclaimed or legacy ranges.

Entities should be scoped to reduce shared fate. RFC 9455 warns more generally that ROAs containing multiple prefixes share validity as one signed entity. For AS0 operations, excessively broad packing can make investigation and correction harder even when route-validation semantics remain prefix-specific. Smaller, logically grouped entities can support clearer change records, provided operational scale and repository performance are respected.

Pre-publication simulation should calculate which observed BGP announcements would change from NotFound or Valid to Invalid in independent validators. The review should include more-specifics because AS0 is intended to cover them. A positive authorization conflict should be explained, not ignored. The output becomes an approval artifact and a baseline for post-publication observation.

Deployment should be staged. Publish to a monitoring trust input, invite operator review, compare observations, correct classifications, then consider enforcement guidance. A registry can still respond rapidly to obvious abuse; staged adoption concerns the confidence of relying parties, not a delay in signing every entity.

Removal deserves equal engineering. Allocation systems should be unable to complete a delegation without creating a linked AS0 removal event. The service should verify repository publication and independent validator views. Failed removal should page an accountable team rather than wait for the recipient to discover an Invalid route.

Finally, governance bodies should review scope changes publicly. Adding “quarantined” or “recovered” space can alter rights and should not be an unnoticed software release. Policy should define inclusion, transition and appeal. Technical staff should publish impact analysis with conflicts and limitations. Community approval cannot guarantee accuracy, but it makes the asserted conservation mandate contestable before it becomes code.

The case for AS0 is strongest when its limits are explicit

The strongest defence of AS0 does not claim perfect records, universal deployment or automatic elimination of abuse. It says something more modest and more durable: institutions that currently administer address space have a duty to prevent unauthorized use before delegation, and RPKI offers an authenticated way to express that default to willing operators.

The defence has conditions. The institution must hold current administrative authority for the exact prefix. The resource status must mean that public origination is not intended. Special-purpose resources expected to route must be excluded. Existing holders, pending delegations, positive ROAs and visible announcements must be checked. Regional policy must authorize the act where IANA's top-level standards rule does not directly govern it.

The effect must also be stated honestly. AS0 produces an origin-validation result; operators choose enforcement. A route classified Invalid may reflect malicious use, operational error or bad classification. A matching positive ROA can make a route Valid. Different trust inputs can lead networks to different views. BGP observations are sampled, not universal.

Most importantly, the control must be reversible. The publisher needs measured withdrawal, a challenge service, preserved history and independent confirmation. New holders need transition evidence before announcing. Operators need provenance and safe reevaluation. A control that can add denial in minutes but takes days to correct an obvious error lacks institutional balance even if its cryptography is flawless.

These limits do not weaken conservation. They make operator adoption more defensible. Networks are more likely to enforce a signal when they know how it was produced and how errors are repaired. Holders are more likely to accept preventive coverage when allocation reliably removes it. Researchers can measure effect when the scope and history are public.

An AS0 regime should therefore publish a compact assurance statement: authority, included statuses, exclusions, data sources, refresh schedule, trust input, adoption guidance, conflict checks, challenge contact, withdrawal objectives, external validators and measurement limits. That statement turns a broad negative assertion into an accountable service.

A Number Resource Society can audit without becoming an allocator

A Number Resource Society has a useful role precisely because AS0 crosses institutional boundaries. The registry controls classification and signing. Operators control routing policy. Holders bear the consequences. Researchers observe only parts of the routing system. No single actor naturally assembles the whole safety case.

The Society can maintain a comparative register of AS0 policies: which institution publishes, under which trust input, for which statuses, with what transition order, challenge channel and transparency record. It can test whether published scope matches declared resource data and whether independent validators converge. It can commission event studies around additions, withdrawals and newly delegated prefixes.

It can also represent smaller holders in correction. A common evidence form and escalation directory would reduce the time spent proving that an Invalid route is AS0-related. The Society could track response and restoration without demanding disclosure of protected account material. Repeated failures could be raised in RIR community processes with concrete evidence rather than generalized suspicion.

The boundary is essential. The Society should not issue AS0 ROAs for address space it does not administer, decide contested resource title, compel an RIR to allocate, or order networks to carry routes. It should not merge every regional policy into one universal feed. Those acts would reproduce the concentration that independent review is meant to check.

Its authority would be reputational and procedural. Published methods, reproducible comparisons, balanced membership and declared conflicts can make its findings useful. An RIR could reject a recommendation, but would need to explain why. An operator could choose stricter or looser policy, but could compare the evidence behind each trust input.

The Society should grade controls, not institutions in the abstract. Does the AS0 set have a clear authority basis? Can a new delegation exit safely? Are observed conflicts reviewed? Is withdrawal visible in independent validators? Can an affected holder obtain a reason? Are policy and technical changes public? These questions yield actionable improvement.

Such a role supports a positive Number Resource Society agenda: conservation without confiscation, routing security without hidden central command, and regional autonomy with common evidence. It turns legitimacy from a claim about benevolent purpose into a test of reversible power.

Conservation and denial are separated by procedure

AS0 ROAs are both conservation tools and pre-emptive denials. The two descriptions are not mutually exclusive. The mechanism denies public origination before a legitimate holder is expected to route. That denial conserves resources only when authority, classification and transition are sound.

The standards supply a bounded foundation. AS 0 is unusable as a public BGP origin. RFC 6483 defines the disavowal and allows matching positive ROAs to prevail. RFC 6491 authorizes IANA treatment of unallocated and non-routed reserved or special-purpose space while protecting space intended to route. RFC 8481 keeps final action in operator policy.

Regional policies add a second foundation. APNIC and LACNIC have tied AS0 to address space under their own administration and described removal when resources are delegated. Their choices demonstrate that community policy, not technical capability alone, should define RIR scope. APNIC's separate trust input and caution about automatic filtering also acknowledge the cost of error.

The remaining work is institutional. Every included prefix should have a visible authority and status basis. Every transition should coordinate removal, positive authorization and external validation. Every challenge should receive an authenticated response and measurable correction. Every claimed effect should identify its BGP vantage points and limitations. Every operator should know that it, not the registry, finally chooses whether Invalid means reject.

With those controls, AS0 is a legitimate conservation instrument: strong enough to discourage misrouting, narrow enough to respect holder authority, and reversible when facts change. Without them, the same signed zero can become an opaque denial imposed before the affected party has any effective hearing.

The governance test is therefore practical rather than rhetorical. Ask who signed, what exact status justified the signature, who checked for existing use, when the denial will be removed, how a claimant can contest it, which validators confirm the change and what sampled routes show afterward. If those questions have good answers, zero can protect a common resource. If they do not, cryptographic validity only proves that the wrong institutionally unsupported statement was signed correctly.

Sources

  • RFC 7607: Codification of AS 0 Processing — Requires BGP speakers not to originate or propagate routes containing AS 0 in specified path attributes. It explains why AS0 can serve as a non-routable subject but does not authorize any institution to classify a particular prefix.
  • RFC 6483: Validation of Route Origination Using RPKI and ROAs — Defines AS0 disavowal, treatment of more-specifics and the ability of a matching positive ROA to produce a Valid outcome. It predates the regional policies assessed here.
  • RFC 6491: Resource Public Key Infrastructure Entities Issued by IANA — Provides the standards basis for IANA AS0 entities covering unallocated and non-routed reserved or special-purpose resources, with explicit exclusions for resources intended to route.
  • RFC 6811: BGP Prefix Origin Validation — Defines Valid, Invalid and NotFound route states. A state does not establish why an announcement conflicts with authorization.
  • RFC 8481: Clarifications to BGP Origin Validation — Requires origin-validation policy action to remain under explicit operator configuration. It does not recommend a unique AS0 policy.
  • RFC 8416: Simplified Local Internet Number Resource Management with the RPKI — Describes local filters and assertions, including cases involving reserved or unallocated space. Local exceptions do not alter other operators' global views.
  • RFC 8210: The RPKI to Router Protocol, Version 1 — Defines payload withdrawals, cache serials and timing between validators and routers. Its timers do not guarantee universal end-to-end correction time.
  • RFC 9455: Avoiding ROAs Containing Multiple IP Prefixes — Explains shared validity fate within multi-prefix ROA objects. Applying its entity-design lesson to AS0 is a governance recommendation, not an AS0-specific mandate in that RFC.
  • APNIC prop-132: RPKI ROAs for Unallocated and Unassigned APNIC Address Space — Records the regional proposal, rationale and implemented status for APNIC-managed space. It does not grant APNIC authority over other regions.
  • APNIC Internet Number Resource Policies, section 5.1.4 — States which APNIC statuses receive AS0 coverage and that APNIC removes a prefix when it delegates the resource. Public policy text does not by itself prove every operational transition is error-free.
  • APNIC: Important Notes on the AS0 ROA — Warns of interruption risk, recommends advisory or alerting use and describes a separate trust input. It is APNIC's own operational statement, not an independent effectiveness study.
  • LACNIC policy LAC-2019-12 — Records implemented regional authority, scope and removal requirements for LACNIC-administered resources. The policy does not settle unrelated legacy or cross-regional claims.
  • RIPE NCC 2019-08 impact analysis — Explored operational timing, scope and transition risks for a proposed AS0 or local-assertion approach. It is evidence of design concerns, not proof that the analysed design became current RIPE NCC practice.
  • RIR Statistics Exchange Format — Defines public snapshots of allocations and assignments and explains their lack of transaction history. Status files are evidence for classification, not a substitute for adjudicating disputed authority.
  • RIPE RIS documentation — Describes distributed BGP collectors and archives suitable for before-and-after observation. Coverage is sampled and cannot establish universal rejection.
  • RouteViews API documentation — Documents current and historical routing observations from participating collectors. Non-observation at a collector is not proof that no route exists elsewhere.
  • LACNIC/NRO RPKI best-practice note — Describes 2025 operational guidance for AS0 trust inputs, monitoring and staged ROV deployment. It is guidance and should not be converted into an exact adoption denominator.
  • NRS Charter — Supports distributed participation and limits on concentrated number-resource authority. The audit and challenge functions proposed in this article remain prospective and do not confer allocation or routing power on NRS.