[Sidrops] Re: Call for WG Adoption of draft-snij-sidrops-constraining-rpki-trust-anchors
Job Snijders <job@sobornost.net> Wed, 21 January 2026 18:36 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/1AhnbRcEWnZkQ37bL-9j3cywGCs>

Hi John,

On Tue, 20 Jan 2026 at 18:32, John Kristoff <jtk=40dataplane.org@dmarc.ietf.org> wrote:
> On Mon, 19 Jan 2026 13:46:55 +0100
> Luigi Iannone <ggx@gigix.net> wrote:
>
> > Title: Constraining RPKI Trust Anchors
>
> Are there risks of stale or divergent, to the point of being
> operationally problematic, constraints at the RPs? In other words,
> could this lead to something akin to statically deployed bogon
> filters? If I'm interpreting the text correctly, this depends on how
> and where the EE certificates are maintained?

https://datatracker.ietf.org/doc/html/rfc8416.html#section-6

The constraints content is controlled by the RP operator. What those
entities configure their constraints to be is up to them. In this sense
the concept is not so different from /etc/pf.conf, /etc/nftables.conf or
/etc/rpki/skiplist, or the selection of TALs an RP instance uses.

I've seen some operators prefer to deploy by hand, and some automate via
apt update, some sysupgrade, some fetch updates via EPEL. I imagine
implementers could offer the operators knobs to configure self-expiry of
constraints content.

The goal of this document primarily is to specify where in the RPKI
validation process constraints are attached as information policy, and a
secondary goal is a standard format for interexchange to express
constraints and make communication about constraints monitoring easier.

Kind regards,

Job