SIDR Operations (sidrops) Internet Drafts

RPKI Signed Object for Trust Anchor Key

	draft-ietf-sidrops-signed-tal-15.txt
	Date:	09/04/2024
	Authors:	Carlos Martinez, George Michaelson, Tom Harrison, Tim Bruijnzeels, Rob Austein
	Working Group:	SIDR Operations (sidrops)

A Trust Anchor Locator (TAL) is used by Relying Parties (RPs) in the Resource Public Key Infrastructure (RPKI) to locate and validate a Trust Anchor (TA) Certification Authority (CA) certificate used in RPKI validation. This document defines an RPKI signed object for a Trust Anchor Key (TAK), that can be used by a TA to signal the location(s) of the accompanying CA certificate for the current key to RPs, as well as the successor key and the location(s) of its CA certificate. This object helps to support planned key rolls without impacting RPKI validation.

BGP AS_PATH Verification Based on Autonomous System Provider Authorization (ASPA) Objects

	draft-ietf-sidrops-aspa-verification-17.txt
	Date:	29/02/2024
	Authors:	Alexander Azimov, Eugene Bogomazov, Randy Bush, Keyur Patel, Job Snijders, Kotikalapudi Sriram
	Working Group:	SIDR Operations (sidrops)

This document describes procedures that make use of Autonomous System Provider Authorization (ASPA) objects in the Resource Public Key Infrastructure (RPKI) to verify the Border Gateway Protocol (BGP) AS_PATH attribute of advertised routes. This type of AS_PATH verification provides detection and mitigation of route leaks and improbable AS paths. It also provides protection, to some degree, against prefix hijacks with forged-origin or forged-path-segment.

A Profile for Autonomous System Provider Authorization

	draft-ietf-sidrops-aspa-profile-17.txt
	Date:	07/11/2023
	Authors:	Alexander Azimov, Eugene Uskov, Randy Bush, Job Snijders, Russ Housley, Ben Maddison
	Working Group:	SIDR Operations (sidrops)

This document defines a Cryptographic Message Syntax (CMS) protected content type for Autonomous System Provider Authorization (ASPA) objects for use with the Resource Public Key Infrastructure (RPKI). An ASPA is a digitally signed object through which the issuer (the holder of an Autonomous System identifier), can authorize one or more other Autonomous Systems (ASes) as its upstream providers. When validated, an ASPA's eContent can be used for detection and mitigation of route leaks.

The Resource Public Key Infrastructure (RPKI) to Router Protocol,Version 2

	draft-ietf-sidrops-8210bis-12.txt
	Date:	04/03/2024
	Authors:	Randy Bush, Rob Austein
	Working Group:	SIDR Operations (sidrops)

In order to verifiably validate the origin Autonomous Systems and Autonomous System Paths of BGP announcements, routers need a simple but reliable mechanism to receive Resource Public Key Infrastructure (RFC 6480) prefix origin data and router keys from a trusted cache. This document describes a protocol to deliver them. This document describes version 2 of the RPKI-Router protocol. RFC 6810 describes version 0, and RFC 8210 describes version 1. This document is compatible with both.

A Profile for Route Origin Authorizations (ROAs)

	draft-ietf-sidrops-rfc6482bis-09.txt
	Date:	14/12/2023
	Authors:	Job Snijders, Ben Maddison, Matt Lepinski, Derrick Kong, Stephen Kent
	Working Group:	SIDR Operations (sidrops)

This document defines a standard profile for Route Origin Authorizations (ROAs). A ROA is a digitally signed object that provides a means of verifying that an IP address block holder has authorized an Autonomous System (AS) to originate routes to one or more prefixes within the address block. This document obsoletes RFC 6482.

Source Address Validation Using BGP UPDATEs,ASPA,and ROA (BAR-SAV)

	draft-ietf-sidrops-bar-sav-03.txt
	Date:	04/03/2024
	Authors:	Kotikalapudi Sriram, Igor Lubashev, Doug Montgomery
	Working Group:	SIDR Operations (sidrops)

Designing an efficient source address validation (SAV) filter requires minimizing false positives (i.e., avoiding blocking legitimate traffic) while maintaining directionality (see RFC8704). This document advances the technology for SAV filter design through a method that makes use of BGP UPDATE messages, Autonomous System Provider Authorization (ASPA), and Route Origin Authorization (ROA). The proposed method's name is abbreviated as BAR-SAV. BAR-SAV can be used by network operators to derive more robust SAV filters and thus improve network resilience. This document updates RFC8704.

On the use of the CMS signing-time attribute in RPKI Signed Objects

	draft-ietf-sidrops-cms-signing-time-07.txt
	Date:	16/04/2024
	Authors:	Job Snijders, Tom Harrison
	Working Group:	SIDR Operations (sidrops)

In the Resource Public Key Infrastructure (RPKI), Signed Objects are defined as Cryptographic Message Syntax (CMS) protected content types. Signed Objects contain a signing-time attribute, representing the purported time at which the object was signed by its issuer. RPKI repositories are accessible using the rsync and RPKI Repository Delta protocols, allowing Relying Parties (RPs) to synchronize a local copy of the RPKI repository used for validation with the remote repositories. This document describes how the CMS signing-time attribute can be used to avoid needless retransfers of data when switching between different synchronization protocols. This document updates RFC 6488 by mandating the presence of the CMS signing-time attribute and disallowing the use of the binary-signing-time attribute.

A profile for Signed Prefix Lists for Use in the Resource Public Key Infrastructure (RPKI)

	draft-ietf-sidrops-rpki-prefixlist-03.txt
	Date:	21/03/2024
	Authors:	Job Snijders, Geoff Huston
	Working Group:	SIDR Operations (sidrops)

This document defines a "Signed Prefix List", a Cryptographic Message Syntax (CMS) protected content type for use with the Resource Public Key Infrastructure (RPKI) to carry the complete list of prefixes which an Autonomous System (the subject AS) may originate to all or any of its routing peers. The validation of a Signed Prefix List confirms that the holder of the subject AS produced the object, and that this list is a current, accurate and complete description of address prefixes that may be announced into the routing system originated by the subject AS.

Human Readable Validate ROA Payload Notation

	draft-ietf-sidrops-vrp-notation-00.txt
	Date:	23/10/2023
	Authors:	Tim Bruijnzeels, Ties de Kock, Oliver Borchert, Di Ma
	Working Group:	SIDR Operations (sidrops)

This document defines a human readable notation for Validated ROA Payloads (VRP, RFC 6811) based on ABNF (RFC 5234) for use with RPKI tooling and documentation.

Human Readable ASPA Notation

	draft-ietf-sidrops-aspa-notation-00.txt
	Date:	09/01/2024
	Authors:	Tim Bruijnzeels, Oliver Borchert, Di Ma, Ties de Kock
	Working Group:	SIDR Operations (sidrops)

This document defines a human readable notation for Validated ASPA Payloads (VAP, see ID-aspa-profile) for use with RPKI tooling based on ABNF (RFC 5234).

Simplified Local Internet Number Resource Management (SLURM) with RPKI Autonomous System Provider Authorizations (ASPA)

	draft-ietf-sidrops-aspa-slurm-00.txt
	Date:	29/02/2024
	Authors:	Job Snijders, Ben Cartwright-Cox
	Working Group:	SIDR Operations (sidrops)

ISPs may want to establish a local view of exceptions to the Resource Public Key Infrastructure (RPKI) data in the form of local filters or additional attestations. This document defines an addendum to RFC 8416 by specifying a format for local filters and local assertions for Autonomous System Provider Authorizations (ASPA) for use with the RPKI.

Detecting RRDP Session Desynchronization

	draft-ietf-sidrops-rrdp-desynchronization-00.txt
	Date:	05/04/2024
	Authors:	Job Snijders, Ties de Kock
	Working Group:	SIDR Operations (sidrops)

This document describes an approach for Resource Public Key Infrastructure (RPKI) Relying Parties to detect a particular form of RPKI Repository Delta Protocol (RRDP) session desynchronization and how to recover.

Guidance to Avoid Carrying RPKI Validation States in Transitive BGP Path Attributes

	draft-ietf-sidrops-avoid-rpki-state-in-bgp-00.txt
	Date:	09/04/2024
	Authors:	Job Snijders, Tobias Fiebig, Massimiliano Stucchi
	Working Group:	SIDR Operations (sidrops)

This document provides guidance to avoid carrying Resource Public Key Infrastructure (RPKI) derived Validation States in Transitive Border Gateway Protocol (BGP) Path Attributes. Annotating routes with attributes signaling validation state may flood needless BGP UPDATE messages through the global Internet routing system, when, for example, Route Origin Authorizations are issued, revoked, or RPKI-To- Router sessions are terminated. Operators SHOULD ensure Validation States are not signalled in transitive BGP Path Attributes. Specifically, Operators SHOULD NOT group BGP routes by their Prefix Origin Validation state into distinct BGP Communities.

RPKI Validation Re-reconsidered

	draft-ietf-sidrops-rpki-validation-update-00.txt
	Date:	13/04/2024
	Authors:	Job Snijders, Ben Maddison
	Working Group:	SIDR Operations (sidrops)

This document describes an improved validation procedure for Resource Public Key Infrastructure (RPKI) signed objects. This document updates RFC 6482. This document updates RFC 6487. This document obsoletes RFC 8360.

RPKI Manifest Number Handling

	draft-ietf-sidrops-manifest-numbers-00.txt
	Date:	19/04/2024
	Authors:	Tom Harrison, George Michaelson, Job Snijders
	Working Group:	SIDR Operations (sidrops)

The Resource Public Key Infrastructure (RPKI) makes use of signed objects called manifests. A manifest lists each file that a publisher intends to include within an RPKI repository, and can be used to detect certain forms of attack against a repository. Manifests include a "manifest number" (manifestNumber), which the publisher must increment whenever it issues a new manifest, and Relying Parties (RPs) are required to verify that a newly-retrieved manifest for a given Certification Authority (CA) has a higher manifestNumber than the previously-validated manifest. However, the manifestNumber field is 20 octets in length (i.e. not unbounded), and no behaviour is specified for when a manifestNumber reaches the largest possible value. This document specifies publisher and RP behaviour for this scenario.

data-group-menu-data-url="/group/groupmenu.json">

Javascript disabled? Like other modern websites, the IETF Datatracker relies on Javascript. Please enable Javascript for full functionality.

SIDR Operations (sidrops)

WG	Name	SIDR Operations
	Acronym	sidrops
	Area	Operations and Management Area (ops)
	State	Active
	Charter	charter-ietf-sidrops-01 Approved
	Document dependencies	Document dependencies Loading... Pan and zoom the dependency graph after the layout settles. Show legend Loading...
	Additional resources	Issue tracker, Wiki, Zulip Stream
Personnel	Chairs	Chris Morrow, Keyur Patel, Russ Housley
	Area Director	Warren "Ace" Kumari
	Secretary	Krishnaswamy Ananthamurthy
	Delegate	Warren "Ace" Kumari
Mailing list	Address	sidrops@ietf.org
	To subscribe	https://www.ietf.org/mailman/listinfo/sidrops
	Archive	https://mailarchive.ietf.org/arch/browse/sidrops/
Chat	Room address	https://zulip.ietf.org/#narrow/stream/sidrops

Charter for Working Group

The global deployment of SIDR, consisting of RPKI, Origin Validation of
BGP announcements, and BGPSEC, is underway, creating an Internet
Routing System consisting of SIDR-aware and non-SIDR-aware networks.
This deployment must be properly handled to avoid the division of
the Internet into separate networks. Sidrops is responsible for
encouraging deployment of theSIDR technologies while ensuring as secure
of a global routing system, as possible, during the transition.

The SIDR Operations Working Group (sidrops) develops guidelines for
the operation of SIDR-aware networks, and provides operational guidance
on how to deploy and operate SIDR technologies in existing and new
networks.

In the space of sidrops, the term operators will encompass a range
of operational experience: CA Operators, Regional/National and Local
Internet Registries, Relying Party software developers as well as the
research/measurement community all have relevant operational experience
or insight that this working group will consider in its work.

The sidrops working group is focused on deployment and operational
issues and experiences with SIDR technologies that are part of the
global routing system, as well as the repositories and CA systems that
form part of the SIDR architecture.

The goals of the sidrops working group are to:

Solicit input from a range of operators to identify operational
issues with a SIDR-aware Internet, and determine solutions or
workarounds to those issues.
Solicit input from all operators to identify
issues with interaction with the non-SIDR-aware Internet,
and to determine solutions or workarounds to those issues.
Develop operational solutions for identified issues in sidrops and
document them in informational or BCP documents.

These documents should document SIDR operational experience, including
interactions with non-SIDR-aware networks, the interfaces between SIDR-
aware and non-SIDR-aware networks, and the continued operational/
security impacts from non-SIDR-aware networks.

SIDR operational and deployment issues with Interdomain Routing
Protocols as well as BGPSEC maintenance and extension are the
primary responsibility of the IDR working group. The sidrops Working
Group may provide input to that group, as needed, and cooperate with
that group in reviewing solutions to SIDR operational and deployment
problems.

Future work items within this scope will be adopted by the Working
Group if there is a substantial expression of interest from
the community and if the work (for example protocol maintenance)
clearly does not fit elsewhere in the IETF.

There must be a continuous expression of interest for the Working
Group to work on a particular work item. If there is no longer
sufficient interest in the Working Group in a work item, the item
may be removed from the list of Working Group items.

Milestones

Date	Milestone	Associated documents
Sep 2017	BGPSEC Ops document finalized.
Jul 2017	draft-ietf-sidr-rpki-tree-validation
Jul 2017	draft-ietf-sidr-route-server-rpki-light
Jul 2017	draft-ietf-sidr-rtr-keying
Jul 2017	draft-ietf-sidr-bgpsec-rollover