[RTG-DIR] Routing Directorate Last Call Review for draft-ietf-sidrops-rpkimaxlen-11 - "The Use of maxLength in the RPKI"
"Acee Lindem (acee)" <acee@cisco.com> Wed, 13 July 2022 21:19 UTC
Return-Path: <acee@cisco.com>
X-Original-To: rtg-dir@ietfa.amsl.com
Delivered-To: rtg-dir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E20BC16ECB5; Wed, 13 Jul 2022 14:19:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.604
X-Spam-Level:
X-Spam-Status: No, score=-9.604 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=T32zxE2V; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=JF7bArtN
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O-Tj1Vz6V2Ih; Wed, 13 Jul 2022 14:19:01 -0700 (PDT)
Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B40E5C14CF00; Wed, 13 Jul 2022 14:19:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=73307; q=dns/txt; s=iport; t=1657747140; x=1658956740; h=from:to:cc:subject:date:message-id:mime-version; bh=cH9C4Eq0Ts5jaJRQsV8PAv66ga5DLrWivf1VXNEoFX8=; b=T32zxE2VePqzeSE1jQBAJovDDyimVNg5nyPM2cIwE11R/lQWLZPtBOKz qG19vL6gthfGfinjwWO6cFx9iXCgDf2E1X2v3eVmrjx4MradnsBdQ0+Zf CKcQG7fhAExL5ssRaLRs+ZgpbBGtv2ZxULH8XurCCiRZkdRAaq3DNvTRK k=;
X-IPAS-Result: A0B8AQBHNs9imIkNJK1agliBITFSfwJZOkWEToNMA4UwhQuDAoEWmjaBLIElA1QLAQEBDQEBNwsEAQGFBRiEeAIlNAkOAQIEAQEBAQMCAwEBAQEBAQMBAQUBAQECAQcEFAEBAQEBAQEBCRQHBgwFDhAnhWgBDIZFFggJHQEBNwERARwkAQIHAgQwJwQOGQ6CWwGCDlcDMAMBD6ERAYE/AoofeoExgQGCCAEBBgQEgU1BgwEYgjgJgT2DFYMNGUdMAQGEfYErgS8cgg2BFSccgjAHg0ULAQECAYF0CYM2N4IumzsHOAMaLS8SgR9sAQgGBgcKBTAGAgwYFAQCExJTFgISBQcKGQ4UGyIXDA8DEgMPAQcCCRAIEiUIAwIDCAMCAxsLAgMWCQ4DHQgKGBIQEgIEERoLCAMWPwkCBA4DQAgOAxEEAw8YCRIIEAQGAzIMJQsDBQ8NAQYDBgIFBQEDIAMUAwUkBwMhDyYNDQQiHQMDBSUDAgIbBwICAwIGFQYCAmw5CAQIBCskDwUCBy8FBC8CHgQFBhEIAhYCBgQFAgQEFgIQCAIIJxcHDQYYGxkBBVkQCSEcKBAFBhUDIW8FCjsPKDQ2PCwfGwqBFSwrFgMEBAMCBhoDAyICECkGMQMVBikVFBoTCSp+CQIDJFAGIh6ce2xEGwsBAwMKRAEBFwoBJgg1GzoEBgQbAQEDCxkFDhKSRQSDAkeKC44NkV2BMQqDUIoAgSKNdIcCBC2DdUmBB4pzmC2WdyCNE5RaIIRzAgQCBAUCDgEBBoFhghVwFWUBgj0JSBkPV41iHoM7hRSFSnUCOQIGAQoBAQMJjD8tghkBAQ
IronPort-PHdr: A9a23:QjpCABY9X7VVdlgZwYKj3OL/LTAphN3EVzX9orIriLNLJ6Kk+Zmqf EnS/u5kg1KBW4LHo+lFhOzbv+GFOyQA7J+NvWpEfMlKUBkI2skTlhYrVciCD0CzJfX2bis8S cJFUlIt/3yyPUVPXsjkYFiHqXyp5jlUERL6ZmJI
IronPort-Data: A9a23:6J7/cKqUAPjTBOxsXtqfD52AkwFeBmLPZRIvgKrLsJaIsI4StFCzt garIBmCbq6Jamrxe9tyPdiw8ksEvZCBxt5kT1dor389FHsW9OPIVI+TRqvS04x+DSFioGZPt Zh2hgzodZhsJpPkjk7xdOCn9xGQ7InQLlbGILas1htZGEk1Ek/NtTo5w7Rj2tEx2oDia++wk YqaT/P3aQfNNwFcagr424rbwP+4lK2v0N+wlgVWicFj5DcypVFMZH4sDf3Zw0/Df2VhNrXSq 9AvY12O1jixEx8FUrtJm1tgG6EAaua60QOm0hK6V0U+6/RPjnRa70o1CBYTQVxmtR6HnI5U8 ekTpaePUjksD6HOlvtIBnG0EwkmVUFH0LbDJX76usuJwgiaNXDt2P5pSkoxOOX0+M4uXjoIr qJecWtLN0vc7w616OrTpu1Ej88uIeHgPZgUvTdryjSx4fMOEMmYH/ySu44AtNs2rodQBquGe MZEU2Zudxfybx5kKg1JEKtryY9EgVGmI2EH9zp5v5Ef6nLe0AV32f7sPcbbUtOPTMRR2E2fo wru5GX1GBYCL/SexCaLtHW2iYfnhz/0HY4TDpW5++JkxlqJyQQ7BAcfW0f+oPSlhAulWt5FL FQPvzA2rqk3/VyvQ9/VXhCkrjiDpBF0ZjZLO+Q+7AfIwa3O7kPFQGMFVTVGLtchsafaWADGy HeSru3CCz8xlYSpF2KmyayqqAK+OyYKeDpqiTA/cSMJ5NzqoYcWhx3JT8p+HKPdsjETMWyvq 9xthHVj74j/nfLnxI3gpgme3GzESozhC19ruFqGBwpJ+ysjPOaYi5qUBU83BBqqBK+dSlSH1 JTvs5fDtLlVZX1hedDkfQngNLit4/DAOzrGjBszWZIg7D+qvXWkeOi8AQ2Sxm80ba7omhewP Sc/XD+9ArcIZxNGiocsOeqM5zwCl/SIKDgcfqm8giBySpZwbhSb2ypleFSd2Wvg+GB1z/xgZ szEKZ38VCpAYUiC8NZQb7pNuVPM7n1hrV4/ubigp/ha+ePEPSXMGett3KWmN7lltctoXzk5A /4GZ5fVlH2zocX1YzLc9sYIPEsWIH0gba0aWOQJHtNv1jFOQTl7Y9eImOtJU9U8w8x9y7eZl lngCxQw4Aeu2hXvd17QAlg9M+yHYHqKhS9hVcDaFQz2iyFLjEfGxPp3SqbbipF9rrE9lq8vE qZfEyhCa9wWIgn6F/0mRcGVhORfmN6D3Gpi4wLNjOADQqNd
IronPort-HdrOrdr: A9a23:l8wymKlOiDr2av+NusrkaJUJd3npDfOVimdD5ihNYBxZY6Wkfp +V8sjzhCWatN9OYh0dcIi7SdO9qXO1z+8Q3WBjB8beYOCGghrjEGgG1+rfKlLbalXDH4JmpM VdmstFeZDN5DpB/L3HCWCDer5KqrTmgcOVbIzlvhBQpHRRGthdBnBCe2Cm+yNNNWx7LKt8MK DZyttMpjKmd3hSRN+8HGM5U+/KoMCOvI76YDYdbiRXpDWmvHeN0vrXAhKY1hARX3dk2rE561 XIlAT/++GKr+y78BnBzGXehq4m1+cJi+EzSvBkuPJlagkEuTzYJ7iJnIfy/gzdldvfqWrCVu O85ivIcf4Dr085NVvF3ScFkzOQrwrGrUWSjmNxRRDY0JXErPVQMbsGuWsRSGqp16Jr1usMrp 5jziaXsYFaAgjHmzm479/UVwtynk7xunY6l/UP5kYvGLf2RYUh2rD3xnklZqsoDWb/8sQqAe NuBMbT6LJfdk6bdWnQui1qzMa3Vno+Ex+aSgxa0/blmAR+jTR81Q8V1cYflnAP+NY0TIRF/f 3NNuBtmKtVRsEbYKphDKMKQNexCGbKXRXQWVjiaWjPBeUCITbAupT36LI66KWjf4EJ1oI7nN DbXFZRpQcJCjbT4A21reh2Gzz2MRaAtG7Wu7FjDrBCy8/BeIY=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.92,269,1650931200"; d="scan'208,217";a="913410690"
Received: from alln-core-4.cisco.com ([173.36.13.137]) by alln-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 13 Jul 2022 21:18:59 +0000
Received: from mail.cisco.com (xfe-rtp-004.cisco.com [64.101.210.234]) by alln-core-4.cisco.com (8.15.2/8.15.2) with ESMTPS id 26DLIxoW016016 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=OK); Wed, 13 Jul 2022 21:18:59 GMT
Received: from xfe-rcd-003.cisco.com (173.37.227.251) by xfe-rtp-004.cisco.com (64.101.210.234) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.14; Wed, 13 Jul 2022 17:18:58 -0400
Received: from NAM02-DM3-obe.outbound.protection.outlook.com (72.163.14.9) by xfe-rcd-003.cisco.com (173.37.227.251) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.14 via Frontend Transport; Wed, 13 Jul 2022 16:18:58 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jDOo0XvSNpuG1x0FLdtjgskupamkrbCDelKjbRcqKR6n6RXMq0nxNaYwgUjqyClFlVOO8qoEpuTSrdO0uK3DJuvpg72Mi8Hrp89Y+ejuKi++iL9OpHFcQfs6dTkymJXlqCC5NaE20nLAaszioXaodmU9iDuR72KzmTW6O0TQzWa7Xz3jxFa9yMDB9McjVBS36eQiaiiUwU6j5zlUifhlHACiBh0nqHvdk6M/2wi4LhqJshC6oWGHJY92uWXCdSWwFt2Y+0H0litaT0/lT2ochL6GAGn3JcFnqzEMW7XXwThuuzhyX4ex29KSpKYluMnHp53VPqxZbaSbyNr1xIsQmQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=cH9C4Eq0Ts5jaJRQsV8PAv66ga5DLrWivf1VXNEoFX8=; b=nLLNXQdHXJwvVuTcWx4fEZl45RjQhd0vIWgkHxQWDPrPvm8DF4HZl0dKEdf9WX6xbEnOga75ySca0HSJg/ttZqznPrPRNNf/QYz2CDSBLuQutRpCYv5OZa0z05/9Ii6bNpLoMNuXvi4k79aMT+USpWcaZWSEZvwjUOnT67qenwIrCosLakthozHDc6r0ujiqQ+HUVmMV7nCVFNbqx+vw99/6YcmMFH+BEorTAzpM16VvtQwtf2ogEEITJA/yTfgRrnkkLd04pTfFa7zcbKrn4g5chmbK1/rx6NRjZZ7Agg7tmDJjI6FE6m/69EKRrh2EQ4BWYIrJCtXWoIh6PcrbfA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=cH9C4Eq0Ts5jaJRQsV8PAv66ga5DLrWivf1VXNEoFX8=; b=JF7bArtNdObYTTQJK2KCWiQX835/hl4NgF7FAWMyKkAb68VERDbYImxfAu58s+UxyXi+297OHV8gM0SZl0N02YDnKj4nGNTktPOHQJlGchkm+vZpTV6T+BKMBEoagWy7yF0YqhbIie2OFBQ1Gf3+YYPNZAVHMgOgR7y+qwbVgTY=
Received: from BYAPR11MB2757.namprd11.prod.outlook.com (2603:10b6:a02:cb::16) by CH0PR11MB5281.namprd11.prod.outlook.com (2603:10b6:610:bc::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5417.16; Wed, 13 Jul 2022 21:18:56 +0000
Received: from BYAPR11MB2757.namprd11.prod.outlook.com ([fe80::21c3:4614:a08:50a6]) by BYAPR11MB2757.namprd11.prod.outlook.com ([fe80::21c3:4614:a08:50a6%7]) with mapi id 15.20.5438.012; Wed, 13 Jul 2022 21:18:56 +0000
From: "Acee Lindem (acee)" <acee@cisco.com>
To: "draft-ietf-sidrops-rpkimaxlen@ietf.org" <draft-ietf-sidrops-rpkimaxlen@ietf.org>
CC: Routing Directorate <rtg-dir@ietf.org>, "sidrops@ietf.org" <sidrops@ietf.org>, Alvaro Retana <aretana.ietf@gmail.com>
Thread-Topic: Routing Directorate Last Call Review for draft-ietf-sidrops-rpkimaxlen-11 - "The Use of maxLength in the RPKI"
Thread-Index: AQHYlv4pX6zWsTGUFU6w3GVkgl072A==
Date: Wed, 13 Jul 2022 21:18:56 +0000
Message-ID: <8B796D83-EDC9-4BE0-BDEE-404333045BC9@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.62.22061100
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cisco.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: c489cb89-e5fb-4fce-a69d-08da65154bdd
x-ms-traffictypediagnostic: CH0PR11MB5281:EE_
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Pb38W4sUbZXyesBeuABbl0zPXTCITFQkW0+Qc2MynaniAzRn/9GM3M15xnpK+bj9poW/J783KSH/3rG5pBFT5yU30JqBHlfBXd0Zy/w9t0/f6pBM9vzJ6y8xRW8zCsl3ejrcRqQH7tPY62G4/n+EV+ltPfoC/dD6nDIxVo8vUB2NnbI1uAxj/z126zq4mVzoVkTYA/lNNMnNE9Tac58fKtBZ2k5cpFpFQaa7Nydpxm98WM8rDDNnsgG8qQBKZkFneqp1SgoR9AFDjJyI48AJRVpSbELON/mE2tGUojL8VYc4j5HwX7aRSsRx4YOfYL3648/F9fN+fbW8wkD6x4hvFaXOYmw8v72/NVGi7WH3D1SaBe5PQ18eGZNyg2/AKseD/SaOOoGvo8eLw0SHRw3hMUSDklf3eyEP20CeWw9m8V10wJrI9f4BtpTVB4Scjuuef9kvuhNc7mAFlwMR5mUOB+XcJ3VDxf9X2vsFQdPtP39gI7FWlyiUlYwO1GfYsJ6SPIoVS16yOuZceTLed1deY6eEEkM/6/M9R6rlp684YPRenumF4hAhTqlh72DDi5QxM0BjYshoQXBo1U3P1vRR/P35v4HLNWajuM+D2fj2zfd/2KEx+5JP1ZvQ0r04H6aCCG9R9K2ia148pPTnoz6+wso/BAkd5YCulPS/SB5qfLzHm1U+/TLlIroF0pNokjG1zbH8NTqI5A6WZgWTyxyO+jU7cuOQBmGUQ23D7NPAg53uOlkyQ16pczU0bIxrdWHYvPn8Ycu+jQp8YH8NEtQyFz3bNdODDtS5oLrjlcDozV/fvFvDZplWBh7gmh0MGoFztDNR27/I5Vo2GqjrinzRsUL7huScakG8GgtYBbYX3v4+ibk4fhbBpM6nIyhD7p6J
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BYAPR11MB2757.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230016)(4636009)(366004)(346002)(39860400002)(136003)(376002)(396003)(2616005)(122000001)(64756008)(38070700005)(38100700002)(66476007)(66556008)(9326002)(66946007)(76116006)(5660300002)(66446008)(8676002)(30864003)(186003)(4326008)(8936002)(2906002)(36756003)(83380400001)(41300700001)(478600001)(6512007)(316002)(966005)(54906003)(6506007)(86362001)(6916009)(26005)(33656002)(71200400001)(6486002)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: ShQ8No5i97WSyQwAcXjo+AUtDWbZRXTDiXzoZ8CcRfMerUOeYkRlAwCTLoyw+5TtUDcsYhyPgXaCo1f7WRccdO5oJonFbdsfK818nEEmyPUwFJiuhnqc52oJBWBhNbcsF5ZG9QRce3PZ3XjNqZT8+lkzrMOn3jFx1E6r7EugxXmx4TmVZiHdt/N6MrQXEUzcIv5qKJggxV8vW8gNm/e/mfvaeSA8Togi+1k+VYmj3tCQZjgj1qdrA2O4cEtgOB0Rn4wxRKKN0tbTo02pn0cr1MirfL9Ec4oTRiIJ+x6gnWFJHAqBFweUzAr6Itk3usoPPdY5bRDMtz6vhjO9I1VpFTixBZ4Iz9he0ReWHe/ookMyUQH29eM/u1HxwsoSYbgQMY3e+sik+4b6+POUG9fExmMHKdOAFFPxG9BXaRaFPqnnc3tjev33NFj3W8+kVAEVLAbjU1y/TJ6YyMY1wyPHcCxtrJJWkvrG6TEF4CwJLdo0aTrBq0Ge/H9VIK3gHwZlg3KTJKY+0FbhVPFWzXA9BWZY5N8555tWhkpr5jpT3vDEIPkKelxyNKBciRQ6JcQKL7UD11wIf0yhaO3d2zAhrjcfdbc4nOjXxMkkwzGkeOtc38opR6Za0Qz1BQ5aHtdDS3Q0DBBvmE4yOSd6UtjNvS30kOprXEYfoSJRNtuXUmbyJeKFCyR5ZFYSBN6h8N5uZ/7heUmoW3NXmjjwcJ5k/zY6gXSh7ovg15Tl+wV6Rza9LxdqW4Adr9kW/EiZoYIG6kD8vceqS5zcLdg8LgGZvk0SrSXQkTuHeMSX5Tq2xWTfrvrAX3RFzkrP7+QL6QXy7lTfW8YaFvVC8AgIrjIgkPEl0MfCdbiAC5r8OMfapUpyO8GxvozNN7HPfiQ9kI0Og3ATYsbAZVmBe28LTGQsAwxW/jfKqVvJQxbC5ZnIfq9XruVdp32v9+/1FuOEwsu7K9XPTOo2F1R5Up7G6KkBVj9kivYoK/3y6g+Rb2kU+ykLg2lnT3Z1f0cTACzbHlbg2yhmKw4JMQCTpC7A+MIktbDowefyqlhR/uX6KK3gALNqDwIUWJTCPGugqXK+U5b5raEE5AhrbzWvs/WWH2+huQKdMICKp2gnA1j+/ytTEp7hvbDZMXNaOmamSwldKIEzxSgaDJGfycW8OSUBvarULrXSXhGL/MmlQ1JbRSNFiTIPXVJifJvRpxw6n3gIdN8qyelHkO+W/SqBG7y8aV3hLVBlTZF9C3FOBs1HA8gmSIntL6GsvVCq3HJbk4MBYV47/JIcrwYextR8zs/If0sIAaDZWrgXT7ISd6iBKTxKCIMZ+4hFokNoAhg646nXfA1sj4H4RnO0q2aZHhPH6OMy987lQl5LnZMUlgBFZ4VvAHT0+Lo4gUANLjSGMeHj4vxyZsqr1QgLFrPniOd6PPuWEGpAv3uOqhV7l9EhBhJ/gZ+IAzMAx+VXftqj6S2oaNvo7xW4xvkJXCXFJL1RHvVoCaWpc1ElNCL/Ps8mDYUXzkr7lH6Gwafue68uwgogT9nNXAnfbYILdSKosNP/pt92BlWUmmAopnpePnIUaeZqazrvCEtAVKkpfliIrjqaKJ6A
Content-Type: multipart/alternative; boundary="_000_8B796D83EDC94BE0BDEE404333045BC9ciscocom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BYAPR11MB2757.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c489cb89-e5fb-4fce-a69d-08da65154bdd
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Jul 2022 21:18:56.7413 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Yf4DwTo1+jl70r2YH6ZMHlajXHo5uMohJ8bpbjcyhvaNoBzxX1DQiqi8VvNk7yMT
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH0PR11MB5281
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 64.101.210.234, xfe-rtp-004.cisco.com
X-Outbound-Node: alln-core-4.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-dir/9BjTswMSmOjsSM0qpFgBVAKaJl0>
Subject: [RTG-DIR] Routing Directorate Last Call Review for draft-ietf-sidrops-rpkimaxlen-11 - "The Use of maxLength in the RPKI"
X-BeenThere: rtg-dir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Routing Area Directorate <rtg-dir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-dir/>
List-Post: <mailto:rtg-dir@ietf.org>
List-Help: <mailto:rtg-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jul 2022 21:19:05 -0000
Hello, I have been selected as the Routing Directorate reviewer for this draft. The Routing Directorate seeks to review all routing or routing-related drafts as they pass through IETF last call and IESG review, and sometimes on special request. The purpose of the review is to provide assistance to the Routing ADs. For more information about the Routing Directorate, please see http://trac.tools.ietf.org/area/rtg/trac/wiki/RtgDir Although these comments are primarily for the use of the Routing ADs, it would be helpful if you could consider them along with any other IETF Early Review/Last Call comments that you receive, and strive to resolve them through discussion or by updating the draft. Document: draft-ietf-sidrops-rpkimaxlen-11 Reviewer: Acee Lindem Review Date: 7/14/2022 IETF LC End Date: 7/20/2022 Intended Status: Best Current Practice Summary: This document is basically ready for publication, but has nits that should be considered prior to publication. The document provides recommendations for the limiting the use of maxLength in RPKI Route Origin Authorizations. The documents also provides the motivation of limiting the attack surface for Forged-Origin Subprefix Hijacks. It is well-written and easy to understand. Major Issues: None Minor Issues: None on this draft - one to consider in IDR. The terms for BLACKHOLE Community and RTHB don't conform to the current IETF guidelines for inclusive language. Nits: 1. The usage of enclosing "*"s arounds words seems arbitrary. For example: *prefix*, *subprefix*, *only*, *any*, and *other*. Please explain this non-standard usage. 2. I'd use "sub-prefix" rather than "subprefix". As in, for example, https://datatracker.ietf.org/doc/html/rfc7695 I didn't put this in the diff since there were so many instances. 3. Define ROV on first use - see in diff. Suggested changes for readability in diff below. Thanks, Acee *** draft-ietf-sidrops-rpkimaxlen-11.txt.orig 2022-07-13 12:29:14.000000000 -0400 --- draft-ietf-sidrops-rpkimaxlen-11.txt 2022-07-13 17:16:01.000000000 -0400 *************** *** 123,130 **** However, measurements of RPKI deployments have found that the use of the maxLength in ROAs tends to lead to security problems. In ! particular, measurements taken in June 2017 showed that 84% of the ! prefixes specified in ROAs that use the maxLength attribute, were vulnerable to a forged-origin subprefix hijack [HARMFUL]. The forged-origin prefix or subprefix hijack involves inserting the legitimate AS as specified in the ROA as the origin AS in the --- 123,130 ---- However, measurements of RPKI deployments have found that the use of the maxLength in ROAs tends to lead to security problems. In ! particular, measurements taken in June 2017 showed that of the ! prefixes specified in ROAs that use the maxLength attribute, 84% were vulnerable to a forged-origin subprefix hijack [HARMFUL]. The forged-origin prefix or subprefix hijack involves inserting the legitimate AS as specified in the ROA as the origin AS in the *************** *** 367,373 **** Another exception is where: (a) the maxLength is substantially larger compared to the specified prefix length in the ROA, and (b) a large number of more specific prefixes in that range are announced by the ! AS in the ROA. This case should occur rarely in practice (if at all). Operator discretion is necessary in this case. This practice requires no changes to the RPKI specification and need --- 367,373 ---- Another exception is where: (a) the maxLength is substantially larger compared to the specified prefix length in the ROA, and (b) a large number of more specific prefixes in that range are announced by the ! AS in the ROA. In practice, this case should occur rarely (if at all). Operator discretion is necessary in this case. This practice requires no changes to the RPKI specification and need *************** *** 380,386 **** perform a review of such objects, especially where they make use of the maxLength attribute, to ensure that the set of included prefixes is "minimal" with respect to the current BGP origination and routing ! policies, and replace the published ROAs as necessary. Such an exercise SHOULD be repeated whenever the operator makes changes to either policy. --- 380,386 ---- perform a review of such objects, especially where they make use of the maxLength attribute, to ensure that the set of included prefixes is "minimal" with respect to the current BGP origination and routing ! policies Published ROAs SHOULD be replaced as necessary. Such an exercise SHOULD be repeated whenever the operator makes changes to either policy. *************** *** 403,409 **** a "scrubbing center". In order to ensure that such ad-hoc routing changes are effective, ! there should exist a ROA validating the new route. However a difficulty arises due to the fact that newly created objects in the RPKI are made visible to relying parties considerably more slowly than routing updates in BGP. --- 403,409 ---- a "scrubbing center". In order to ensure that such ad-hoc routing changes are effective, ! a ROA validating the new route should exist. However a difficulty arises due to the fact that newly created objects in the RPKI are made visible to relying parties considerably more slowly than routing updates in BGP. *************** *** 412,418 **** validates the ad-hoc route, and instead create it "on-the-fly" as required. However, this is practical only if the latency imposed by the propagation of RPKI data is guaranteed to be within acceptable ! limits in the circumstances. For time-critical interventions such as responding to a DDoS attack, this is unlikely to be the case. Thus, the ROA in question will usually need to be created well in --- 412,418 ---- validates the ad-hoc route, and instead create it "on-the-fly" as required. However, this is practical only if the latency imposed by the propagation of RPKI data is guaranteed to be within acceptable ! limits for the circumstances. For time-critical interventions such as responding to a DDoS attack, this is unlikely to be the case. Thus, the ROA in question will usually need to be created well in *************** *** 451,457 **** traffic to itself. The traffic is scrubbed at AS 64500 and then sent ! back to AS 64496 over a backhaul data link. Notice that, during a DDoS attack, the DDoS mitigation service provider AS 64500 originates a /22 prefix that is longer than AS 64496's /16 prefix, and so all the traffic (destined to addresses in 192.168.0.0/22) that normally --- 451,457 ---- traffic to itself. The traffic is scrubbed at AS 64500 and then sent ! back to AS 64496 over a backhaul link. Notice that, during a DDoS attack, the DDoS mitigation service provider AS 64500 originates a /22 prefix that is longer than AS 64496's /16 prefix, and so all the traffic (destined to addresses in 192.168.0.0/22) that normally *************** *** 523,545 **** originate prefix 192.168.0.0/24 during a DDoS attack in that space, it also makes the *other* /24 prefixes covered by the /22 prefix (i.e., 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24) vulnerable to ! a forged-origin subprefix attacks. 5.2. Defensive de-aggregation in response to prefix hijacks In responding to certain classes of prefix hijack, in particular, the forged-origin subprefix hijack described above, it may be desirable ! for the victim to perform "defensive de-aggregation", i.e. to begin originating more-specific prefixes in order to compete with the ! hijack routes for selection as the best path in networks that are not performing RPKI-based route origin validation [RFC6811]. In some topologies, where at least one AS on every path between the ! victim and hijacker filters ROV invalid prefixes, it may be the case ! that the existence of a minimal ROA issued by the victim prevents the ! defensive more-specific prefixes being propagated to the networks ! topologically close to the attacker, thus hampering the effectiveness ! of this response. Nevertheless, this document recommends that where possible, network operators publish minimal ROAs even in the face of this risk. This --- 523,545 ---- originate prefix 192.168.0.0/24 during a DDoS attack in that space, it also makes the *other* /24 prefixes covered by the /22 prefix (i.e., 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24) vulnerable to ! forged-origin subprefix attacks. 5.2. Defensive de-aggregation in response to prefix hijacks In responding to certain classes of prefix hijack, in particular, the forged-origin subprefix hijack described above, it may be desirable ! for the victim to perform "defensive de-aggregation", i.e., to begin originating more-specific prefixes in order to compete with the ! hijacked routes for selection as the best path in networks that are not performing RPKI-based route origin validation [RFC6811]. In some topologies, where at least one AS on every path between the ! victim and hijacker filters Route Origin Validation (ROV) invalid ! prefixes, it may be the case that the existence of a minimal ROA ! issued by the victim prevents the defensive more-specific prefixes ! from being propagated to the networks topologically close to the ! attacker, thus hampering the effectiveness of the response. Nevertheless, this document recommends that where possible, network operators publish minimal ROAs even in the face of this risk. This *************** *** 563,569 **** * Other methods for reducing the size of such neighborhoods are ! available to potential victims, such as establishing direct eBGP adjacencies with networks from whom the defensive routes would otherwise be hidden. --- 563,569 ---- * Other methods for reducing the size of such neighborhoods are ! available to potential victims, such as establishing direct EBGP adjacencies with networks from whom the defensive routes would otherwise be hidden. *************** *** 596,602 **** 7. Operational Considerations ! The recommendations set out in this document, in particular, those in Section 5, involve trade-offs between operational agility and security. --- 596,602 ---- 7. Operational Considerations ! The recommendations specified in this document, in particular, those in Section 5, involve trade-offs between operational agility and security. *************** *** 607,614 **** Even in the case of routing changes that are planned in advance, existing procedures may need to be updated to incorporate changes to ! issued ROAs, and additional time allowed for those changes to ! propagate. --- 607,614 ---- Even in the case of routing changes that are planned in advance, existing procedures may need to be updated to incorporate changes to ! issued ROAs, and may require additional time allowed for those changes ! to propagate. *************** *** 627,633 **** This document makes recommendations regarding the use of RPKI-based origin validation as defined in [RFC6811], and as such introduces no ! additional security considerations beyond those set out therein. 9. IANA Considerations --- 627,633 ---- This document makes recommendations regarding the use of RPKI-based origin validation as defined in [RFC6811], and as such introduces no ! additional security considerations beyond those specified therein. 9. IANA Considerations *************** *** 638,644 **** The authors would like to thank the following people for their review and contributions to this document: Omar Sagga and Aris Lambrianidis. Thanks are also due to Matthias Waehlisch, Ties de Kock, and Amreesh ! Phokeer for comments and suggestions. 11. References --- 638,645 ---- The authors would like to thank the following people for their review and contributions to this document: Omar Sagga and Aris Lambrianidis. Thanks are also due to Matthias Waehlisch, Ties de Kock, and Amreesh ! Phokeer for comments and suggestions. Thanks to Acee Lindem for the ! Routing Directorate review. 11. References
- [RTG-DIR] Routing Directorate Last Call Review fo… Acee Lindem (acee)
- Re: [RTG-DIR] Routing Directorate Last Call Revie… Job Snijders
- Re: [RTG-DIR] [Sidrops] Routing Directorate Last … Randy Bush
- Re: [RTG-DIR] Routing Directorate Last Call Revie… Ben Maddison
- Re: [RTG-DIR] Routing Directorate Last Call Revie… Acee Lindem (acee)