SIDR Operations (sidrops) Internet Drafts


      
 BGP AS_PATH Verification Based on Autonomous System Provider Authorization (ASPA) Objects
 
 draft-ietf-sidrops-aspa-verification-19.txt
 Date: 27/09/2024
 Authors: Alexander Azimov, Eugene Bogomazov, Randy Bush, Keyur Patel, Job Snijders, Kotikalapudi Sriram
 Working Group: SIDR Operations (sidrops)
This document describes procedures that make use of Autonomous System Provider Authorization (ASPA) objects in the Resource Public Key Infrastructure (RPKI) to verify the Border Gateway Protocol (BGP) AS_PATH attribute of advertised routes. This type of AS_PATH verification provides detection and mitigation of route leaks and some forms of AS path manipulation. It also provides protection, to some degree, against prefix hijacks with forged-origin or forged-path-segment.
 A Profile for Autonomous System Provider Authorization
 
 draft-ietf-sidrops-aspa-profile-18.txt
 Date: 25/06/2024
 Authors: Alexander Azimov, Eugene Uskov, Randy Bush, Job Snijders, Russ Housley, Ben Maddison
 Working Group: SIDR Operations (sidrops)
This document defines a Cryptographic Message Syntax (CMS) protected content type for Autonomous System Provider Authorization (ASPA) objects for use with the Resource Public Key Infrastructure (RPKI). An ASPA is a digitally signed object through which the issuer (the holder of an Autonomous System identifier), can authorize one or more other Autonomous Systems (ASes) as its upstream providers. When validated, an ASPA's eContent can be used for detection and mitigation of route leaks.
 The Resource Public Key Infrastructure (RPKI) to Router Protocol, Version 2
 
 draft-ietf-sidrops-8210bis-16.txt
 Date: 27/09/2024
 Authors: Randy Bush, Rob Austein
 Working Group: SIDR Operations (sidrops)
In order to validate the origin Autonomous Systems (ASes) and Autonomous System relationships behind BGP announcements, routers need a simple but reliable mechanism to receive Resource Public Key Infrastructure (RFC6480) prefix origin data and Router Keys from a trusted cache. This document describes a protocol to deliver them. This document describes version 2 of the RPKI-Router protocol. [RFC6810] describes version 0, and [RFC8210] describes version 1. This document is compatible with both.
 A profile for Signed Prefix Lists for Use in the Resource Public Key Infrastructure (RPKI)
 
 draft-ietf-sidrops-rpki-prefixlist-04.txt
 Date: 16/09/2024
 Authors: Job Snijders, Geoff Huston
 Working Group: SIDR Operations (sidrops)
This document defines a "Signed Prefix List", a Cryptographic Message Syntax (CMS) protected content type for use with the Resource Public Key Infrastructure (RPKI) to carry the complete list of prefixes which an Autonomous System (the subject AS) may originate to all or any of its routing peers. The validation of a Signed Prefix List confirms that the holder of the subject AS produced the object, and that this list is a current, accurate and complete description of address prefixes that may be announced into the routing system originated by the subject AS.
 Human Readable Validate ROA Payload Notation
 
 draft-ietf-sidrops-vrp-notation-02.txt
 Date: 21/10/2024
 Authors: Tim Bruijnzeels, Ties de Kock, Oliver Borchert, Di Ma
 Working Group: SIDR Operations (sidrops)
This document defines a human readable notation for Validated ROA Payloads (VRP, RFC 6811) based on ABNF (RFC 5234) for use with RPKI tooling and documentation.
 Human Readable ASPA Notation
 
 draft-ietf-sidrops-aspa-notation-02.txt
 Date: 21/10/2024
 Authors: Tim Bruijnzeels, Oliver Borchert, Di Ma, Ties de Kock
 Working Group: SIDR Operations (sidrops)
This document defines a human readable notation for Validated ASPA Payloads (VAP, see ID-aspa-profile) for use with RPKI tooling based on ABNF (RFC 5234).
 Simplified Local Internet Number Resource Management (SLURM) with RPKI Autonomous System Provider Authorizations (ASPA)
 
 draft-ietf-sidrops-aspa-slurm-02.txt
 Date: 27/11/2024
 Authors: Job Snijders, Ben Cartwright-Cox
 Working Group: SIDR Operations (sidrops)
ISPs may want to establish a local view of exceptions to the Resource Public Key Infrastructure (RPKI) data in the form of local filters or additional attestations. This document defines an addendum to RFC 8416 by specifying a format for local filters and local assertions for Autonomous System Provider Authorizations (ASPA) for use with the RPKI.
 Guidance to Avoid Carrying RPKI Validation States in Transitive BGP Path Attributes
 
 draft-ietf-sidrops-avoid-rpki-state-in-bgp-01.txt
 Date: 03/10/2024
 Authors: Job Snijders, Tobias Fiebig, Massimiliano Stucchi
 Working Group: SIDR Operations (sidrops)
This document provides guidance to avoid carrying Resource Public Key Infrastructure (RPKI) derived Validation States in Transitive Border Gateway Protocol (BGP) Path Attributes. Annotating routes with transitive attributes signaling Validation State may cause needless flooding of BGP UPDATE messages through the global Internet routing system, for example when Route Origin Authorizations (ROAs) are issued, or are revoked, or when RPKI-To-Router sessions are terminated. Operators SHOULD ensure Validation States are not signaled in transitive BGP Path Attributes. Specifically, Operators SHOULD NOT group BGP routes by their Prefix Origin Validation state into BGP Communities.
 Revision of the RPKI Validation Algorithm
 
 draft-ietf-sidrops-rpki-validation-update-01.txt
 Date: 15/10/2024
 Authors: Job Snijders, Ben Maddison
 Working Group: SIDR Operations (sidrops)
This document describes an improved validation procedure for Resource Public Key Infrastructure (RPKI) signed objects. This document updates RFC 6487. This document updates RFC 9582. This document obsoletes RFC 8360.
 RPKI Manifest Number Handling
 
 draft-ietf-sidrops-manifest-numbers-02.txt
 Date: 08/10/2024
 Authors: Tom Harrison, George Michaelson, Job Snijders
 Working Group: SIDR Operations (sidrops)
The Resource Public Key Infrastructure (RPKI) makes use of signed objects called manifests. A manifest lists each file that a publisher intends to include within an RPKI repository, and can be used to detect certain forms of attack against a repository. Manifests include a "manifest number" (manifestNumber), which the publisher must increment whenever it issues a new manifest, and Relying Parties (RPs) are required to verify that a newly-retrieved manifest for a given Certification Authority (CA) has a higher manifestNumber than the previously-validated manifest. However, the manifestNumber field is 20 octets in length (i.e. not unbounded), and no behaviour is specified for when a manifestNumber reaches the largest possible value. This document specifies publisher and RP behaviour for this scenario.
 Signed Prefix List (SPL) Based Route Origin Verification and Operational Considerations
 
 draft-ietf-sidrops-spl-verification-01.txt
 Date: 14/12/2024
 Authors: Kotikalapudi Sriram, Job Snijders, Doug Montgomery
 Working Group: SIDR Operations (sidrops)
The Signed Prefix List (SPL) is an RPKI object that attests to the complete list of prefixes which an Autonomous System (AS) may originate in the Border Gateway Protocol (BGP). This document specifies an SPL-based Route Origin Verification (SPL-ROV) methodology and combines it with the ROA-based ROV (ROA-ROV) to facilitate an integrated mitigation strategy for prefix hijacks and AS forgery. The document also explains the various BGP security threats that SPL can help address and provides operational considerations associated with SPL-ROV deployment.
 RPKI Publication Server Best Current Practices
 
 draft-ietf-sidrops-publication-server-bcp-01.txt
 Date: 26/09/2024
 Authors: Tim Bruijnzeels, Ties de Kock, Frank Hill, Tom Harrison
 Working Group: SIDR Operations (sidrops)
This document describes best current practices for operating an RFC 8181 RPKI Publication Server and its rsync (RFC 5781) and RRDP (RFC 8182) public repositories.
 Relying Party Handling of Resource Public Key Infrastructure (RPKI) Certificate Revocation List (CRL) Number Extensions
 
 draft-ietf-sidrops-rpki-crl-numbers-00.txt
 Date: 10/09/2024
 Authors: Job Snijders, Ben Maddison, Theo Buehler
 Working Group: SIDR Operations (sidrops)
This document clarifies how Resource Public Key Infrastructure (RPKI) Relying Parties (RPs) handle Certificate Revocation List (CRL) Number extensions. This document updates RFC 6487.
 A Profile for Mapping Origin Authorizations (MOAs)
 
 draft-ietf-sidrops-moa-profile-00.txt
 Date: 09/10/2024
 Authors: Chongfeng Xie, Guozhen Dong, Xing Li, Geoff Huston, Di Ma
 Working Group: SIDR Operations (sidrops)
This document proposes a new approach by leveraging Resource Public Key Infrastructure (RPKI) architecture to verify the authenticity of the mapping origin of an IPv4 address block. MOA is a newly defined cryptographically signed object; it provides a means by which the address holder can authorize an IPv6 mapping prefix to originate mapping for one or more IPv4 prefixes. When receiving the MOA objects from the relying party, the PE device can verify and discard invalid address mapping announcements from unauthorized IPv6 mapping prefixes to prevent IPv4 prefix hijacking.
 Tiebreaking Resource Public Key Infrastructure (RPKI) Trust Anchors
 
 draft-ietf-sidrops-rpki-ta-tiebreaker-00.txt
 Date: 04/11/2024
 Authors: Job Snijders, Theo Buehler, Ties de Kock
 Working Group: SIDR Operations (sidrops)
A Trust Anchor (TA) in the RPKI is represented by a self-signed X.509 Certification Authority (CA) certificate. Over time, Relying Parties (RP) may have acquired multiple different issuances of valid TA certificates from the same TA operator. This document proposes a tiebreaking scheme to be used by RPs to select one TA certificate for certification path validation. This document updates RFC 8630.



SIDR Operations (sidrops)

WG Name: SIDR Operations
Acronym: sidrops
Area: Operations and Management Area (ops)
State: Active
Charter: charter-ietf-sidrops-01 (Approved)
Document dependencies
Additional resources: Issue tracker, Wiki, Zulip Stream
Personnel
  Chairs: Chris Morrow, Keyur Patel, Russ Housley
  Area Director: Warren "Ace" Kumari
  Secretary: Krishnaswamy Ananthamurthy
  Delegate: Warren "Ace" Kumari
Mailing list
  Address: sidrops@ietf.org
  To subscribe: https://www.ietf.org/mailman/listinfo/sidrops
  Archive: https://mailarchive.ietf.org/arch/browse/sidrops/
Chat Room address: https://zulip.ietf.org/#narrow/stream/sidrops

Charter for Working Group

The global deployment of SIDR, consisting of RPKI, Origin Validation of
BGP announcements, and BGPSEC, is underway, creating an Internet
Routing System consisting of SIDR-aware and non-SIDR-aware networks.
This deployment must be properly handled to avoid the division of
the Internet into separate networks. Sidrops is responsible for
encouraging deployment of the SIDR technologies while keeping the
global routing system as secure as possible during the transition.

The SIDR Operations Working Group (sidrops) develops guidelines for
the operation of SIDR-aware networks, and provides operational guidance
on how to deploy and operate SIDR technologies in existing and new
networks.

In the space of sidrops, the term operators will encompass a range
of operational experience: CA Operators, Regional/National and Local
Internet Registries, Relying Party software developers as well as the
research/measurement community all have relevant operational experience
or insight that this working group will consider in its work.

The sidrops working group is focused on deployment and operational
issues and experiences with SIDR technologies that are part of the
global routing system, as well as the repositories and CA systems that
form part of the SIDR architecture.

The goals of the sidrops working group are to:

  1. Solicit input from a range of operators to identify operational
    issues with a SIDR-aware Internet, and determine solutions or
    workarounds to those issues.

  2. Solicit input from all operators to identify
    issues with interaction with the non-SIDR-aware Internet,
    and to determine solutions or workarounds to those issues.

  3. Develop operational solutions for identified issues in sidrops and
    document them in informational or BCP documents.

These documents should document SIDR operational experience, including
interactions with non-SIDR-aware networks, the interfaces between SIDR-
aware and non-SIDR-aware networks, and the continued operational/
security impacts from non-SIDR-aware networks.

SIDR operational and deployment issues with Interdomain Routing
Protocols as well as BGPSEC maintenance and extension are the
primary responsibility of the IDR working group. The sidrops Working
Group may provide input to that group, as needed, and cooperate with
that group in reviewing solutions to SIDR operational and deployment
problems.

Future work items within this scope will be adopted by the Working
Group if there is a substantial expression of interest from
the community and if the work (for example protocol maintenance)
clearly does not fit elsewhere in the IETF.

There must be a continuous expression of interest for the Working
Group to work on a particular work item. If there is no longer
sufficient interest in the Working Group in a work item, the item
may be removed from the list of Working Group items.

Milestones

Date Milestone Associated documents
Sep 2017 BGPSEC Ops document finalized.
Jul 2017 draft-ietf-sidr-rpki-tree-validation
Jul 2017 draft-ietf-sidr-route-server-rpki-light
Jul 2017 draft-ietf-sidr-rtr-keying
Jul 2017 draft-ietf-sidr-bgpsec-rollover