SIDR Operations (sidrops) Internet Drafts

BGP AS_PATH Verification Based on Autonomous System Provider Authorization (ASPA) Objects
draft-ietf-sidrops-aspa-verification-24.txt
Date: 19/10/2025
Authors: Alexander Azimov, Eugene Bogomazov, Randy Bush, Keyur Patel, Job Snijders, Kotikalapudi Sriram
Working Group: SIDR Operations (sidrops)
This document describes procedures that make use of Autonomous System Provider Authorization (ASPA) objects in the Resource Public Key Infrastructure (RPKI) to verify the Border Gateway Protocol (BGP) AS_PATH attribute of advertised routes. This AS_PATH verification enhances routing security by adding means to detect and mitigate route leaks and AS_PATH manipulations.

A Profile for Autonomous System Provider Authorization
draft-ietf-sidrops-aspa-profile-22.txt
Date: 06/02/2026
Authors: Alexander Azimov, Eugene Uskov, Randy Bush, Job Snijders, Russ Housley, Ben Maddison
Working Group: SIDR Operations (sidrops)
This document defines a Cryptographic Message Syntax (CMS) protected content type for Autonomous System Provider Authorization (ASPA) objects for use with the Resource Public Key Infrastructure (RPKI). An ASPA is a digitally signed object through which the issuer (the holder of an Autonomous System identifier) can authorize one or more other Autonomous Systems (ASes) as its upstream providers. When validated, an ASPA's eContent can be used for detection and mitigation of route leaks.

The Resource Public Key Infrastructure (RPKI) to Router Protocol, Version 2
draft-ietf-sidrops-8210bis-24.txt
Date: 05/02/2026
Authors: Randy Bush, Rob Austein, Tom Harrison
Working Group: SIDR Operations (sidrops)
In order to validate the origin Autonomous Systems (ASes) and Autonomous System relationships behind BGP announcements, routers need a simple but reliable mechanism to receive Resource Public Key Infrastructure (RFC6480) prefix origin data, Router Keys, and ASPA data from a trusted cache. This document describes a protocol to deliver them. This document describes version 2 of the RPKI-Router protocol. [RFC6810] describes version 0, and [RFC8210] describes version 1. This document is compatible with both.

A profile for Signed Prefix Lists for Use in the Resource Public Key Infrastructure (RPKI)
draft-ietf-sidrops-rpki-prefixlist-05.txt
Date: 10/12/2025
Authors: Job Snijders, Geoff Huston
Working Group: SIDR Operations (sidrops)
This document defines a "Signed Prefix List", a Cryptographic Message Syntax (CMS) protected content type for use with the Resource Public Key Infrastructure (RPKI) to carry the complete list of prefixes which an Autonomous System (the subject AS) may originate to all or any of its routing peers. The validation of a Signed Prefix List confirms that the holder of the subject AS produced the object, and that this list is a current, accurate and complete description of address prefixes that may be announced into the routing system originated by the subject AS.

Human Readable Validated ROA Payload Notation
draft-ietf-sidrops-vrp-notation-04.txt
Date: 02/10/2025
Authors: Tim Bruijnzeels, Ties de Kock, Oliver Borchert, Di Ma
Working Group: SIDR Operations (sidrops)
This document defines a human readable notation for Validated ROA Payloads (VRP, RFC 6811) based on ABNF (RFC 5234) for use with RPKI tooling and documentation.

Human Readable ASPA Notation
draft-ietf-sidrops-aspa-notation-04.txt
Date: 02/10/2025
Authors: Tim Bruijnzeels, Oliver Borchert, Di Ma, Ties de Kock
Working Group: SIDR Operations (sidrops)
This document defines a human readable notation for Validated ASPA Payloads (VAP, see ID-aspa-profile) for use with RPKI tooling based on ABNF (RFC 5234).

Simplified Local Internet Number Resource Management (SLURM) with RPKI Autonomous System Provider Authorizations (ASPA)
draft-ietf-sidrops-aspa-slurm-04.txt
Date: 16/11/2025
Authors: Job Snijders, Ben Cartwright-Cox
Working Group: SIDR Operations (sidrops)
ISPs may want to establish a local view of exceptions to the Resource Public Key Infrastructure (RPKI) data in the form of local filters or additional attestations. This document defines an addendum to RFC 8416 by specifying a format for local filters and local assertions for Autonomous System Provider Authorizations (ASPA) for use with the RPKI.

Guidance to Avoid Carrying RPKI Validation States in Transitive BGP Path Attributes
draft-ietf-sidrops-avoid-rpki-state-in-bgp-03.txt
Date: 26/01/2026
Authors: Job Snijders, Tobias Fiebig, Massimiliano Stucchi
Working Group: SIDR Operations (sidrops)
This document provides guidance to avoid carrying Resource Public Key Infrastructure (RPKI) derived Validation States in Transitive Border Gateway Protocol (BGP) Path Attributes. Annotating routes with transitive attributes signaling Validation State may cause needless flooding of BGP UPDATE messages through the global Internet routing system, for example when Route Origin Authorizations (ROAs) are issued, or are revoked, or when RPKI-To-Router sessions are terminated. Operators SHOULD ensure Validation States are not signaled in transitive BGP Path Attributes. Specifically, Operators SHOULD NOT associate Prefix Origin Validation state with BGP routes using transitive BGP Communities.

Revision of the RPKI Validation Algorithm
draft-ietf-sidrops-rpki-validation-update-03.txt
Date: 16/12/2025
Authors: Job Snijders, Theo Buehler, Ben Maddison
Working Group: SIDR Operations (sidrops)
This document describes an improved validation procedure for Resource Public Key Infrastructure (RPKI) signed objects. This document updates RFC 6487. This document updates RFC 9582. This document obsoletes RFC 8360.

Resource Public Key Infrastructure (RPKI) Manifest Number Handling
draft-ietf-sidrops-manifest-numbers-09.txt
Date: 21/01/2026
Authors: Tom Harrison, George Michaelson, Job Snijders
Working Group: SIDR Operations (sidrops)
The Resource Public Key Infrastructure (RPKI) makes use of signed objects called manifests, each of which includes a "manifest number". This document updates RFC9286 by specifying issuer and RP behaviour when a manifest number reaches the largest possible value, a situation not considered in RFC9286.

Signed Prefix List (SPL) Based Route Origin Verification and Operational Considerations
draft-ietf-sidrops-spl-verification-03.txt
Date: 16/12/2025
Authors: Kotikalapudi Sriram, Job Snijders, Doug Montgomery
Working Group: SIDR Operations (sidrops)
The Signed Prefix List (SPL) is an RPKI object that attests to the complete list of prefixes which an Autonomous System (AS) may originate in the Border Gateway Protocol (BGP). This document specifies an SPL-based Route Origin Verification (SPL-ROV) methodology and combines it with the ROA-based ROV (ROA-ROV) to facilitate an integrated mitigation strategy for prefix hijacks and AS forgery. The document also explains the various BGP security threats that SPL can help address and provides operational considerations associated with SPL-ROV deployment.

RPKI Publication Server Best Current Practices
draft-ietf-sidrops-publication-server-bcp-05.txt
Date: 20/10/2025
Authors: Tim Bruijnzeels, Ties de Kock, Frank Hill, Tom Harrison, Job Snijders
Working Group: SIDR Operations (sidrops)
This document describes best current practices for operating an RFC 8181 RPKI Publication Server and its rsync (RFC 5781) and RRDP (RFC 8182) public repositories.

A Profile for Mapping Origin Authorizations (MOAs)
draft-ietf-sidrops-moa-profile-03.txt
Date: 11/01/2026
Authors: Chongfeng Xie, Guozhen Dong, Xing Li, Geoff Huston, Di Ma
Working Group: SIDR Operations (sidrops)
This document proposes a new approach that leverages the Resource Public Key Infrastructure (RPKI) architecture to verify the authenticity of the mapping origin of an IPv4 address block. MOA is a newly defined cryptographically signed object that provides a means by which the address holder can authorize an IPv6 mapping prefix to originate mapping for one or more IPv4 prefixes. When receiving MOA objects from relying parties, PE devices can verify address mapping announcements and discard invalid ones from unauthorized IPv6 mapping prefixes, preventing IPv4 prefix hijacking.

YANG Data Model for RPKI to Router Protocol
draft-ietf-sidrops-rtr-yang-01.txt
Date: 20/01/2026
Authors: Yisong Liu, Changwang Lin, Haibo Wang, ROY Jishnu, Jeffrey Haas, Hongwei Liu, Di Ma
Working Group: SIDR Operations (sidrops)
This document defines YANG data models for configuring and managing the Resource Public Key Infrastructure (RPKI) to Router Protocol (RFC6810 and RFC8210).

A Profile for Resource Public Key Infrastructure (RPKI) Canonical Cache Representation (CCR)
draft-ietf-sidrops-rpki-ccr-02.txt
Date: 04/12/2025
Authors: Job Snijders, Bart Bakker, Tim Bruijnzeels, Theo Buehler
Working Group: SIDR Operations (sidrops)
This document specifies a Canonical Cache Representation (CCR) content type for use with the Resource Public Key Infrastructure (RPKI). CCR is a DER-encoded data interchange format which can be used to represent various aspects of the state of a validated cache at a particular point in time. The CCR profile is a compact and versatile format well-suited for a diverse set of applications such as audit trail keeping, validated payload dissemination, and analytics pipelines.

The Erik Synchronization Protocol for use with the Resource Public Key Infrastructure (RPKI)
draft-ietf-sidrops-rpki-erik-protocol-02.txt
Date: 04/12/2025
Authors: Job Snijders, Tim Bruijnzeels, Tom Harrison, Wataru Ohgai
Working Group: SIDR Operations (sidrops)
This document specifies the Erik Synchronization Protocol for use with the Resource Public Key Infrastructure (RPKI). Erik Synchronization can be characterized as a data replication system using Merkle trees, a content-addressable naming scheme, concurrency control using monotonically increasing sequence numbers, and HTTP transport. Relying Parties can combine information retrieved via Erik Synchronization with other RPKI transport protocols. The protocol's design is intended to be efficient, fast, easy to implement, and robust in the face of partitions or faults in the network.

Change Publication Server used by an RPKI CA
draft-ietf-sidrops-change-pubserver-00.txt
Date: 02/12/2025
Authors: Tim Bruijnzeels, Martin Hoffmann, Koen van Hove
Working Group: SIDR Operations (sidrops)
This document outlines how an RPKI CA can migrate from one RFC 8181 Publication Server to another. The process is similar to the RPKI CA Key Rollover process defined in RFC 6489, except that in this case a new location is used for the new key.

Constraining RPKI Trust Anchors
draft-ietf-sidrops-constraining-rpki-trust-anchors-00.txt
Date: 05/02/2026
Authors: Job Snijders, Theo Buehler
Working Group: SIDR Operations (sidrops)
This document describes an approach for Resource Public Key Infrastructure (RPKI) Relying Parties (RPs) to impose locally configured Constraints on cryptographic products subordinate to Trust Anchors (TAs). The ability to constrain a Trust Anchor operator's effective signing authority to a limited set of Internet Number Resources (INRs) allows Relying Parties to enjoy the potential benefits of assuming trust, within a bounded scope. The specified approach and configuration format allow RPKI operators to communicate efficiently about observations related to Trust Anchor operations.

SIDR Operations (sidrops)

WG Name: SIDR Operations
Acronym: sidrops
Area: Operations and Management Area (ops)
State: Active
Charter: charter-ietf-sidrops-02 (Approved)
Additional resources: Issue tracker, Wiki, Zulip Stream
Chairs: Luigi Iannone, Russ Housley
Area Director: Mohamed Boucadair
Tech Advisors: Chris Morrow, Keyur Patel
Secretary: Krishnaswamy Ananthamurthy
Mailing list address: sidrops@ietf.org
To subscribe: https://www.ietf.org/mailman/listinfo/sidrops
Archive: https://mailarchive.ietf.org/arch/browse/sidrops/
Chat room address: https://zulip.ietf.org/#narrow/stream/sidrops

Charter for Working Group

The global deployment of Secure Inter-Domain Routing (SIDR), consisting of the Resource Public Key Infrastructure (RPKI), Origin Validation of BGP announcements, and BGPsec (RFC 8205), is still underway, creating an Internet Routing System consisting of SIDR-aware and non-SIDR-aware networks. This deployment must be properly handled to avoid the division of the Internet into separate networks. The SIDR Operations Working Group (SIDROPS WG) is responsible for continuing the development of SIDR technology and encouraging its deployment, while ensuring as secure a global routing system as possible during the transition. Specifically, SIDROPS is responsible for the maintenance of all SIDR components except BGPsec.

The SIDROPS WG is focused on deployment and operational issues, their mitigations, and experiences with SIDR technologies that are part of the global routing system, as well as the RPKI repositories and RPKI Certification Authority (CA) systems that form part of the SIDR architecture.

SIDROPS will solicit input from a variety of contributors, including but not limited to, CA Operators, Regional/National and Local Internet Registries, Relying Party software developers, researchers, participants of the measurements community, and network operators.

The goals of SIDROPS WG are:

  • Maintain RPKI technology stack.

  • Maintain RPKI-Router protocol, including specifying extensions, updates, and new protocol versions.

  • Identify operational issues with a SIDR-aware Internet and with interaction with the non-SIDR-aware Internet.

  • Develop solutions for identified issues. This includes in particular:

    • Developing guidelines for the operation of SIDR-aware networks and providing operational guidance on how to deploy and operate SIDR technologies in existing and new networks (Informational/BCP).

    • Standardizing protocols and protocol extensions to improve operational efficiency and security of SIDR such as Autonomous System Provider Authorization (ASPA) and reliable cache synchronization mechanisms.

  • Standardize manageability (e.g., YANG data models) and OAM solutions related to SIDR operations.

  • Document common SIDROPS terminology as Informational RFC.

Given the importance of routing security to the overall stability of the Internet, the WG will not submit protocol specifications for publication to the IESG before demonstrating at least two interoperable implementations. See RFC 5657 (part of BCP 9) for guidance on what implementation reports should contain and BCP 205 for guidance on how to raise awareness of running code.

BGPsec maintenance, extensions, and updates belong to IDR WG. SIDROPS may provide input to IDR, as needed, and will cooperate with that WG in reviewing solutions to BGPsec operational and deployment problems. Documenting the operational aspects of securing the Internet routing system other than SIDR belongs to GROW WG.

Gaps in other protocols which impact SIDR operation are the responsibility of the WGs that own those protocols.

Milestones

Date      Milestone                                                               Associated documents
Jul 2026  Submit draft-ietf-sidrops-aspa-slurm to the IESG for publication        draft-ietf-sidrops-aspa-slurm
Jul 2026  Submit draft-ietf-sidrops-aspa-notation to the IESG for publication     draft-ietf-sidrops-aspa-notation
Mar 2026  Submit draft-ietf-sidrops-aspa-verification to the IESG for publication draft-ietf-sidrops-aspa-verification
Mar 2026  Submit draft-ietf-sidrops-aspa-profile to the IESG for publication      draft-ietf-sidrops-aspa-profile
Mar 2026  Submit draft-ietf-sidrops-8210bis to the IESG for publication           draft-ietf-sidrops-8210bis