The MOA technology led by Chinese experts has been approved for initiation in the IETF.

2024-10-18 10:26

On October 9, 2024, the standard proposal "A Profile for Mapping Origin Authorizations (MOAs)", jointly drafted by experts from China Telecom, Tsinghua University, the National Engineering Research Center for Internet Domain Name Systems (ZDNS), and the Asia-Pacific Network Information Centre (APNIC), was approved for initiation in the Security in Inter-Domain Routing Operations (SIDROPS) working group of the Internet Engineering Task Force (IETF). The MOA proposed in this document is the first Resource Public Key Infrastructure (RPKI) core data object led by Chinese experts.


The routing security of the Internet is the core issue in current cyberspace security. RPKI is the only internationally deployed and operational authentication system for Internet basic resources. Built on Public Key Infrastructure (PKI) technology, it manages the security of basic resources such as Internet routes, addresses, and devices through several types of core data objects, and serves as the cornerstone of global Internet resource security.


IPv6-only is a major direction for the global Internet's transition from IPv4 to IPv6. To ensure that the IPv6-only Internet can continue to communicate with the IPv4 Internet, the research team at Tsinghua University has, since 2008, led the Stateless IPv4/IPv6 Translation (IVI) technology, which has produced a series of IETF standards including RFC 6052 and RFC 7915. With the further deployment of IPv6, the evolution of the network towards IPv6-only has become an inevitable trend. Providing access to the remaining IPv4 services while preserving the user experience is a key issue for IPv6-only networks. In 2023, the standard proposal for a multi-domain IPv6-only network architecture, led by the research team of the China Telecom Research Institute, was approved for initiation in the IETF. The address processing part of this architecture inherits the technical idea of IVI: it realizes a stateless mapping from IPv4 addresses into the IPv6 address space by adding an IPv6 address prefix, so as to reduce the processing burden on network edge translation devices. This mapping from the IPv4 to the IPv6 address space exists in the form of address mapping rules at the network edge. It is the key to accurately forwarding IPv4 service data in the IPv6-only network, so its security is of utmost importance. Currently, the IPv6-only network exchanges address mapping rules across domains through an extension of the BGP protocol.
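The stateless mapping the paragraph refers to is the IPv4-embedded IPv6 address format of RFC 6052, which the page cites. The following is an added illustration, not code from the article or from any of the organizations it names: it implements the RFC 6052 address layout (the permitted prefix lengths and the reserved "u" octet at bits 64..71) so that an IPv4 address can be embedded under a mapping prefix and recovered again. The prefixes and IPv4 addresses used in the comments are RFC documentation addresses chosen for the example.

```python
import ipaddress

# RFC 6052 Section 2.2 permits these prefix lengths for IPv4-embedded IPv6
# addresses. Bits 64..71 (the "u" octet) are reserved and must be zero, so for
# prefixes shorter than /64 the 32 IPv4 bits are split around that octet.
ALLOWED_PREFIX_LENS = (32, 40, 48, 56, 64, 96)
U_OCTET = 8  # byte index of bits 64..71


def _layout(prefix: ipaddress.IPv6Network):
    """Return two byte ranges, (before_u, after_u), that hold the IPv4 bits."""
    plen = prefix.prefixlen
    if plen not in ALLOWED_PREFIX_LENS:
        raise ValueError(f"RFC 6052 does not allow a /{plen} mapping prefix")
    start = plen // 8
    if plen == 96:
        return (12, 16), (16, 16)          # all four bytes at the tail
    if plen == 64:
        return (8, 8), (9, 13)             # all four bytes after the u octet
    n_before = U_OCTET - start             # bytes that fit before the u octet
    return (start, U_OCTET), (U_OCTET + 1, U_OCTET + 1 + (4 - n_before))


def embed_ipv4(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Synthesize the IPv6 address representing `ipv4` under mapping `prefix`.

    Example: embed_ipv4("64:ff9b::/96", "192.0.2.33") -> 64:ff9b::c000:221
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    v4 = ipaddress.IPv4Address(ipv4).packed
    (b0, b1), (a0, a1) = _layout(net)
    out = bytearray(net.network_address.packed)   # prefix bits set, rest zero
    n_before = b1 - b0
    out[b0:b1] = v4[:n_before]
    out[a0:a1] = v4[n_before:]
    return ipaddress.IPv6Address(bytes(out))


def extract_ipv4(prefix: str, ipv6: str) -> ipaddress.IPv4Address:
    """Recover the IPv4 address from an IPv4-embedded IPv6 address.

    Rejects addresses outside the mapping prefix and addresses whose reserved
    u octet is non-zero, which RFC 6052 does not permit.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not covered by mapping prefix {net}")
    b = addr.packed
    (b0, b1), (a0, a1) = _layout(net)
    if net.prefixlen < 96 and b[U_OCTET] != 0:
        raise ValueError("u octet (bits 64..71) must be zero under RFC 6052")
    return ipaddress.IPv4Address(b[b0:b1] + b[a0:a1])


if __name__ == "__main__":
    # Walk through the RFC 6052 layouts for one IPv4 address.
    for pfx in ("2001:db8::/32", "2001:db8:100::/40", "2001:db8:122::/48",
                "2001:db8:122:300::/56", "2001:db8:122:344::/64", "64:ff9b::/96"):
        v6 = embed_ipv4(pfx, "192.0.2.33")
        print(f"{pfx:24} {v6.exploded}  ->  {extract_ipv4(pfx, str(v6))}")
```

Because the mapping is a pure function of the prefix and the IPv4 address, the edge device keeps no per-flow state; the correctness of the whole scheme therefore rests on every party agreeing on the same mapping prefix, which is exactly what the address mapping rules carried over BGP establish and what the MOA is designed to protect.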


This standard document proposes the MOA technology under RPKI to verify the authenticity of the address mapping rule information transmitted by BGP in the IPv6-only network, ensuring the accurate transmission of IPv4 service data in the IPv6-only network. Mirroring the Internet number resource allocation hierarchy, the RPKI certificate-issuing system authorizes resources by issuing resource certificates from top to bottom. The content of a certificate includes the binding between an IP address prefix or AS number and the receiving institution, indicating that the resource holder has obtained legal authorization to use that part of the number resources. Based on this, the address holder (such as an ISP) uses its own certificate to issue an MOA object, and through this signature authorizes a specific IPv6 address prefix to initiate a mapping origin announcement for a specific IPv4 address block. On the receiving side, using MOA objects obtained from the RPKI relying-party system, the provider edge (PE) device at the network edge can verify address mapping announcements and discard those from unauthorized sources, preventing the hijacking of IPv4 prefixes.
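To make the verification step concrete, here is an added model of how a PE device could check received mapping announcements against validated MOAs. It is illustration written for this page, not code from the draft or from any of the organizations named, and it assumes a simplified MOA with just two fields (the authorized IPv4 block and the IPv6 prefix permitted to originate the mapping); the real object profile and its matching rules are not described on this page. The three outcomes follow the pattern of ROA-based route origin validation (valid, invalid, not-found), and treating a more-specific IPv4 block as covered by the MOA is an assumption of the example. All prefixes are constructed documentation addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class MOA:
    """Model of a validated MOA (fields assumed for this example): the holder
    of `ipv4_block` authorizes `ipv6_prefix` to originate its mapping rule."""
    ipv4_block: ipaddress.IPv4Network
    ipv6_prefix: ipaddress.IPv6Network


@dataclass(frozen=True)
class MappingAnnouncement:
    """A mapping rule learned over BGP at the PE (constructed model): traffic
    for `ipv4_block` is to be translated into `ipv6_prefix`."""
    ipv4_block: ipaddress.IPv4Network
    ipv6_prefix: ipaddress.IPv6Network


VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"


def make_moa(v4: str, v6: str) -> MOA:
    return MOA(ipaddress.IPv4Network(v4), ipaddress.IPv6Network(v6))


def make_ann(v4: str, v6: str) -> MappingAnnouncement:
    return MappingAnnouncement(ipaddress.IPv4Network(v4), ipaddress.IPv6Network(v6))


def validate(ann: MappingAnnouncement, moas: Iterable[MOA]) -> str:
    """Classify one announcement against the set of validated MOAs.

    not-found: no MOA covers the announced IPv4 block (holder has not signed).
    valid:     a covering MOA names exactly this IPv6 mapping prefix.
    invalid:   the IPv4 block is covered, but no MOA authorizes this prefix,
               i.e. an unauthorized source is claiming the mapping.
    """
    covering = [m for m in moas if ann.ipv4_block.subnet_of(m.ipv4_block)]
    if not covering:
        return NOT_FOUND
    if any(m.ipv6_prefix == ann.ipv6_prefix for m in covering):
        return VALID
    return INVALID


def accept_announcements(anns: Iterable[MappingAnnouncement], moas: Iterable[MOA],
                         drop_not_found: bool = False) -> List[MappingAnnouncement]:
    """Filter announcements the PE should install. Invalid ones are always
    discarded; not-found ones are kept unless the operator opts to drop them."""
    moas = list(moas)
    keep = {VALID} if drop_not_found else {VALID, NOT_FOUND}
    return [a for a in anns if validate(a, moas) in keep]


# Constructed sample data: two address holders have each signed one MOA.
SAMPLE_MOAS = [
    make_moa("192.0.2.0/24", "2001:db8:aa::/48"),
    make_moa("203.0.113.0/24", "2001:db8:bb::/48"),
]

# Constructed announcements as they might arrive at the PE over BGP.
SAMPLE_ANNS = [
    make_ann("192.0.2.0/24", "2001:db8:aa::/48"),    # authorized origin
    make_ann("192.0.2.128/25", "2001:db8:aa::/48"),  # more-specific, covered
    make_ann("192.0.2.0/24", "2001:db8:bb::/48"),    # unauthorized prefix
    make_ann("198.51.100.0/24", "2001:db8:cc::/48"), # no MOA exists
]


if __name__ == "__main__":
    for ann in SAMPLE_ANNS:
        print(f"{str(ann.ipv4_block):18} via {str(ann.ipv6_prefix):18} "
              f"{validate(ann, SAMPLE_MOAS)}")
    print("installed:", [str(a.ipv4_block) for a in accept_announcements(SAMPLE_ANNS, SAMPLE_MOAS)])
```

The third sample announcement is the case the paragraph describes: the IPv4 block is covered by a signed MOA, but the announcing IPv6 prefix is not the one the holder authorized, so the PE discards it rather than translating traffic for that block toward an unauthorized destination. The not-found state is kept separate from invalid so that an operator can deploy MOA incrementally without dropping mappings for holders who have not yet signed.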


Currently, RPKI manages data objects such as ROA, ASPA, Router Certificate, and RTA, which play a crucial role in the security management of Internet resources. The proposed MOA object is the first RPKI core data object led by Chinese experts, representing an important contribution of Chinese experts to international Internet basic resource security protection technology.