Re: [Sidrops] AD Review of: draft-ietf-sidrops-rfc6482bis - "A Profile for Route Origin Authorizations (ROAs)"

Job Snijders <> Wed, 20 September 2023 10:47 UTC

Date: Wed, 20 Sep 2023 12:46:55 +0200
From: Job Snijders <>
To: Warren Kumari <>
Cc: SIDR Operations WG <>,

On Sun, Sep 17, 2023 at 10:10:22AM -0700, Warren Kumari wrote:
> How about, at the end of "5.  ROA Validation", at the end of:
> "Before a relying party can use a ROA to validate a routing announcement,
> the relying party MUST first validate the ROA.  To validate a ROA, the
> relying party MUST perform all the validation checks specified in [RFC6488]
> as well as the following additional ROA-specific validation steps."
> you add: "If any of these constraints fail, the profile is deemed corrupt,
> and the entire ROA should be discarded (probably after reporting an
> error)." or similar.

Thank you for the suggestion. How about the following?

Kind regards,