BCP 185

RFC 9319

The Use of maxLength in the Resource Public Key Infrastructure (RPKI), October 2022

Status: BEST CURRENT PRACTICE

Authors: Y. Gilad, S. Goldberg, K. Sriram, J. Snijders, B. Maddison

Stream: IETF

Source: sidrops (ops)


DOI:  https://doi.org/10.17487/RFC9319

Discuss this RFC: Send questions or comments to the mailing list sidrops@ietf.org



Abstract

This document recommends ways to reduce the forged-origin hijack attack surface by prudently limiting the set of IP prefixes that are included in a Route Origin Authorization (ROA). One recommendation is to avoid using the maxLength attribute in ROAs except in some specific cases. The recommendations complement and extend those in RFC 7115. This document also discusses the creation of ROAs for facilitating the use of Distributed Denial of Service (DDoS) mitigation services. Considerations related to ROAs and RPKI-based Route Origin Validation (RPKI-ROV) in the context of destination-based Remotely Triggered Discard Route (RTDR) (elsewhere referred to as "Remotely Triggered Black Hole") filtering are also highlighted.


For the definition of Status, see RFC 2026.

For the definition of Stream, see RFC 8729.



