rfc9582.original.xml   rfc9582.xml 
<?xml version='1.0' encoding='utf-8'?> <?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">
<?rfc sortrefs="yes"?> <!-- draft submitted in xml v3 -->
<?rfc subcompact="no"?>
<?rfc symrefs="yes"?> <!DOCTYPE rfc [
<?rfc toc="yes"?> <!ENTITY nbsp "&#160;">
<?rfc compact="yes"?> <!ENTITY zwsp "&#8203;">
<?rfc subcompact="no"?> <!ENTITY nbhy "&#8209;">
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="std" docName="draft-ie <!ENTITY wj "&#8288;">
tf-sidrops-rfc6482bis-09" ipr="trust200902" xml:lang="en" sortRefs="true" submis ]>
sionType="IETF" consensus="true" obsoletes="6482" version="3">
<rfc xmlns:xi="http://www.w3.org/2001/XInclude"
category="std"
docName="draft-ietf-sidrops-rfc6482bis-09"
number="9582"
ipr="trust200902"
xml:lang="en"
sortRefs="true"
submissionType="IETF"
consensus="true"
updates=""
obsoletes="6482"
symRefs="true"
tocInclude="true"
version="3">
<front> <front>
<title abbrev="Route Origin Authorization"> <title abbrev="Route Origin Authorization">A Profile for Route Origin Author
A Profile for Route Origin Authorizations (ROAs) izations (ROAs)
</title> </title>
<seriesInfo name="Internet-Draft" value="draft-ietf-sidrops-rfc6482bis"/> <seriesInfo name="RFC" value="9582"/>
<author fullname="Job Snijders" initials="J." surname="Snijders"> <author fullname="Job Snijders" initials="J." surname="Snijders">
<organization>Fastly</organization> <organization>Fastly</organization>
<address> <address>
<postal> <postal>
<street/> <postalLine>Amsterdam</postalLine>
<code/> <postalLine>The Netherlands</postalLine>
<city>Amsterdam</city>
<country>Netherlands</country>
</postal> </postal>
<email>job@fastly.com</email> <email>job@fastly.com</email>
</address> </address>
</author> </author>
<author fullname="Ben Maddison" initials="B" surname="Maddison"> <author fullname="Ben Maddison" initials="B" surname="Maddison">
<organization abbrev="Workonline">Workonline</organization> <organization abbrev="Workonline">Workonline</organization>
<address> <address>
<postal> <postal>
<street/> <street/>
<city>Cape Town</city> <city>Cape Town</city>
<country>South Africa</country> <country>South Africa</country>
</postal> </postal>
<email>benm@workonline.africa</email> <email>benm@workonline.africa</email>
</address> </address>
</author> </author>
<author fullname="Matthew Lepinski" initials="M." surname="Lepinski"> <author fullname="Matthew Lepinski" initials="M." surname="Lepinski">
<organization>Carleton College</organization> <organization>Carleton College</organization>
<address> <address>
<postal>
<street/>
<code/>
<city/>
<country/>
</postal>
<email>mlepinski@carleton.edu</email> <email>mlepinski@carleton.edu</email>
</address> </address>
</author> </author>
<author fullname="Derrick Kong" initials="D." surname="Kong"> <author fullname="Derrick Kong" initials="D." surname="Kong">
<organization>Raytheon</organization> <organization>Raytheon</organization>
<address> <address>
<postal>
<street/>
<code/>
<city/>
<country/>
</postal>
<email>derrick.kong@raytheon.com</email> <email>derrick.kong@raytheon.com</email>
</address> </address>
</author> </author>
<author fullname="Stephen Kent" initials="S." surname="Kent"> <author fullname="Stephen Kent" initials="S." surname="Kent">
<organization>Independent</organization> <organization>Independent</organization>
<address> <address>
<postal>
<street/>
<code/>
<city/>
<country/>
</postal>
<email>kent@alum.mit.edu</email> <email>kent@alum.mit.edu</email>
</address> </address>
</author> </author>
<date year="2024" month="May"/>
<area>Operations and Management Area (OPS)</area>
<workgroup>sidrops</workgroup>
<keyword>RPKI</keyword>
<keyword>Routing Security</keyword>
<keyword>BGP</keyword>
<abstract> <abstract>
<t> <t>
This document defines a standard profile for Route Origin Authorization s (ROAs). This document defines a standard profile for Route Origin Authorization s (ROAs).
A ROA is a digitally signed object that provides a means of verifying t hat an IP address block holder has authorized an Autonomous System (AS) to origi nate routes to one or more prefixes within the address block. A ROA is a digitally signed object that provides a means of verifying t hat an IP address block holder has authorized an Autonomous System (AS) to origi nate routes to one or more prefixes within the address block.
This document obsoletes RFC 6482. This document obsoletes RFC 6482.
</t> </t>
</abstract> </abstract>
<note>
<name>Requirements Language</name>
<t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHO
ULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in t
his document are to be interpreted as described in BCP 14 <xref target="RFC2119"
/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as
shown here.
</t>
</note>
</front> </front>
<middle> <middle>
<section anchor="intro"> <section anchor="intro">
<name>Introduction</name> <name>Introduction</name>
<t> <t>
The primary purpose of the Resource Public Key Infrastructure (RPKI) is to improve routing security. The primary purpose of the Resource Public Key Infrastructure (RPKI) is to improve routing security.
(See <xref target="RFC6480"/> for more information.) (See <xref target="RFC6480"/> for more information.)
As part of this system, a mechanism is needed to allow entities to verif As part of this system, a mechanism is needed to allow entities to verif
y that an AS has been given permission by an IP address block holder to advertis y that an Autonomous System (AS) has been given permission by an IP address bloc
e routes to one or more prefixes within that block. k holder to advertise routes to one or more prefixes within that block.
A ROA provides this function. A Route Origin Authorization (ROA) provides this function.
</t> </t>
<t> <t>
The ROA makes use of the template for RPKI digitally signed objects [RFC The ROA makes use of the template for RPKI digitally signed objects <xre
6488], which defines a Crytopgraphic Message Syntax (CMS) <xref target="RFC5652" f target="RFC6488"/>, which defines a Cryptographic Message Syntax (CMS) wrapper
/> wrapper for the ROA content as well as a generic validation procedure for RPK <xref target="RFC5652"/> for the ROA content as well as a generic validation pr
I signed objects. ocedure for RPKI signed objects.
Therefore, to complete the specification of the ROA (see Section 4 of <x Therefore, to complete the specification of the ROA (see <xref target="R
ref target="RFC6488"/>), this document defines: FC6488" section="4" sectionFormat="of"/>), this document defines:
</t> </t>
<ul> <ul>
<li> <li>
The OID that identifies the signed object as being a ROA. The OID that identifies the signed object as being a ROA.
(This OID appears within the eContentType in the encapContentInfo obje ct as well as the content-type signed attribute in the signerInfo object). (This OID appears within the eContentType in the encapContentInfo obje ct as well as the content-type signed attribute in the signerInfo object.)
</li> </li>
<li> <li>
The ASN.1 syntax for the ROA eContent. The ASN.1 syntax for the ROA eContent.
(This is the payload that specifies the AS being authorized to origina te routes as well as the prefixes to which the AS may originate routes.) (This is the payload that specifies the AS being authorized to origina te routes as well as the prefixes to which the AS may originate routes.)
The ROA eContent is ASN.1 encoded using the Distinguished Encoding Rul es (DER) <xref target="X.690"/>. The ROA eContent is ASN.1 encoded using the Distinguished Encoding Rul es (DER) <xref target="X.690"/>.
</li> </li>
<li> <li>
Additional steps required to validate ROAs (in addition to the validat ion steps specified in <xref target="RFC6488"/>). Additional steps required to validate ROAs (in addition to the validat ion steps specified in <xref target="RFC6488"/>).
</li> </li>
</ul> </ul>
<section anchor="reqs-lang">
<name>Requirements Language</name>
<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
"<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>",
"<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>",
"<bcp14>SHOULD NOT</bcp14>",
"<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document
are to be interpreted as described in BCP&nbsp;14
<xref target="RFC2119"/> <xref target="RFC8174"/> when, and only
when, they appear in all capitals, as shown here.</t>
</section>
<section anchor="Changes"> <section anchor="Changes">
<name>Changes from RFC6482</name> <name>Changes from RFC 6482</name>
<t> <t>
This section summarizes the significant changes between <xref target=" RFC6482"/> and the profile described in this document. This section summarizes the significant changes between <xref target=" RFC6482"/> and the profile described in this document.
</t> </t>
<ul> <ul>
<li>Clarified the requirements for the IP Addresses and AS Identifiers X.509 certificate extensions.</li> <li>Clarified the requirements for the IP address and AS identifier X. 509 certificate extensions.</li>
<li>Strengthened the ASN.1 formal notation and definitions.</li> <li>Strengthened the ASN.1 formal notation and definitions.</li>
<li>Incorporated RFC 6482 Errata.</li> <li>Incorporated errata for RFC 6482.</li>
<li>Added an example ROA eContent payload and an ROA.</li> <li>Added an example ROA eContent payload, and a complete ROA (Appendi
x A).</li>
<li>Specified a canonicalization procedure for the content of ipAddrBl ocks.</li> <li>Specified a canonicalization procedure for the content of ipAddrBl ocks.</li>
</ul> </ul>
</section> </section>
</section> </section>
<section anchor="Related"> <section anchor="Related">
<name>Related Work</name> <name>Related Work</name>
<t> <t>
It is assumed that the reader is familiar with the terms and concepts de scribed in "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile" <xref target="RFC5280"/> and "X.509 Extensions f or IP Addresses and AS Identifiers" <xref target="RFC3779"/>. It is assumed that the reader is familiar with the terms and concepts de scribed in "<xref target="RFC5280" format="title"/>" <xref target="RFC5280" form at="default"/> and "<xref target="RFC3779" format="title"/>" <xref target="RFC37 79" format="default"/>.
</t> </t>
<t> <t>
Additionally, this document makes use of the RPKI signed object profile <xref target="RFC6488"/>; thus, familiarity with that document is assumed. Additionally, this document makes use of the RPKI signed object profile <xref target="RFC6488"/>; thus, familiarity with that document is assumed.
Note that the RPKI signed object profile makes use of certificates adher ing to the RPKI Resource Certificate Profile <xref target="RFC6487"/>; thus, fam iliarly with that profile is also assumed. Note that the RPKI signed object profile makes use of certificates adher ing to the RPKI resource certificate profile <xref target="RFC6487"/>; thus, fam iliarity with that profile is also assumed.
</t> </t>
</section> </section>
<section anchor="content"> <section anchor="content">
<name>The ROA ContentType</name> <name>The ROA Content Type</name>
<t> <t>
The content-type for a ROA is defined as routeOriginAuthz and has the nu merical value of 1.2.840.113549.1.9.16.1.24. The content-type for a ROA is defined as id-ct-routeOriginAuthz and has the numerical value 1.2.840.113549.1.9.16.1.24.
</t> </t>
<t> <t>
This OID MUST appear both within the eContentType in the encapContentInf o object as well as the ContentType signed attribute in the signerInfo object (s ee <xref target="RFC6488"/>). This OID <bcp14>MUST</bcp14> appear within both the eContentType in the encapContentInfo object and the content-type signed attribute in the signerInfo object (see <xref target="RFC6488"/>).
</t> </t>
</section> </section>
<section anchor="econtent"> <section anchor="econtent">
<name>The ROA eContent</name> <name>The ROA eContent</name>
<t> <t>
The content of a ROA identifies a single AS that has been authorized by the address space holder to originate routes and a list of one or more IP addres s prefixes that will be advertised. The content of a ROA identifies a single AS that has been authorized by the address space holder to originate routes and a list of one or more IP addres s prefixes that will be advertised.
If the address space holder needs to authorize multiple ASes to advertis e the same set of address prefixes, the holder issues multiple ROAs, one per AS number. If the address space holder needs to authorize multiple ASes to advertis e the same set of address prefixes, the holder issues multiple ROAs, one per AS number.
A ROA is formally defined as: A ROA is formally defined as:
</t> </t>
<sourcecode type="asn.1" originalSrc="RouteOriginAttestation-2023.asn">RPK
I-ROA-2023 { iso(1) member-body(2) us(840) rsadsi(113549) <sourcecode type="asn.1" originalSrc="RouteOriginAttestation-2023.asn">
pkcs(1) pkcs9(9) smime(16) mod(0) id-mod-rpkiROA-2023(TBD) } RPKI-ROA-2023
{ iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs9(9) smime(16) mod(0)
id-mod-rpkiROA-2023(75) }
DEFINITIONS EXPLICIT TAGS ::= DEFINITIONS EXPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
CONTENT-TYPE CONTENT-TYPE
FROM CryptographicMessageSyntax-2010 -- in [RFC6268] FROM CryptographicMessageSyntax-2010 -- in [RFC6268]
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) } ; pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) } ;
skipping to change at line 184 skipping to change at line 202
RouteOriginAttestation ::= SEQUENCE { RouteOriginAttestation ::= SEQUENCE {
version [0] INTEGER DEFAULT 0, version [0] INTEGER DEFAULT 0,
asID ASID, asID ASID,
ipAddrBlocks SEQUENCE (SIZE(1..2)) OF ROAIPAddressFamily } ipAddrBlocks SEQUENCE (SIZE(1..2)) OF ROAIPAddressFamily }
ASID ::= INTEGER (0..4294967295) ASID ::= INTEGER (0..4294967295)
ROAIPAddressFamily ::= SEQUENCE { ROAIPAddressFamily ::= SEQUENCE {
addressFamily ADDRESS-FAMILY.&amp;afi ({AddressFamilySet}), addressFamily ADDRESS-FAMILY.&amp;afi ({AddressFamilySet}),
addresses ADDRESS-FAMILY.&amp;Addresses ({AddressFamilySet}{@addressFamily addresses ADDRESS-FAMILY.&amp;Addresses
}) } ({AddressFamilySet}{@addressFamily}) }
ADDRESS-FAMILY ::= CLASS { ADDRESS-FAMILY ::= CLASS {
&amp;afi OCTET STRING (SIZE(2)) UNIQUE, &amp;afi OCTET STRING (SIZE(2)) UNIQUE,
&amp;Addresses &amp;Addresses
} WITH SYNTAX { AFI &amp;afi ADDRESSES &amp;Addresses } } WITH SYNTAX { AFI &amp;afi ADDRESSES &amp;Addresses }
AddressFamilySet ADDRESS-FAMILY ::= AddressFamilySet ADDRESS-FAMILY ::=
{ addressFamilyIPv4 | addressFamilyIPv6 } { addressFamilyIPv4 | addressFamilyIPv6 }
addressFamilyIPv4 ADDRESS-FAMILY ::= addressFamilyIPv4 ADDRESS-FAMILY ::=
{ AFI afi-IPv4 ADDRESSES ROAAddressesIPv4 } { AFI afi-IPv4 ADDRESSES ROAAddressesIPv4 }
addressFamilyIPv6 ADDRESS-FAMILY ::= addressFamilyIPv6 ADDRESS-FAMILY ::=
{ AFI afi-IPv6 ADDRESSES ROAAddressesIPv6 } { AFI afi-IPv6 ADDRESSES ROAAddressesIPv6 }
afi-IPv4 OCTET STRING ::= '0001'H afi-IPv4 OCTET STRING ::= '0001'H
afi-IPv6 OCTET STRING ::= '0002'H afi-IPv6 OCTET STRING ::= '0002'H
ROAAddressesIPv4 ::= SEQUENCE (SIZE(1..MAX)) OF ROAIPAddress{32} ROAAddressesIPv4 ::= SEQUENCE (SIZE(1..MAX)) OF ROAIPAddress{ub-IPv4}
ROAAddressesIPv6 ::= SEQUENCE (SIZE(1..MAX)) OF ROAIPAddress{128} ROAAddressesIPv6 ::= SEQUENCE (SIZE(1..MAX)) OF ROAIPAddress{ub-IPv6}
ROAIPAddress {INTEGER: len} ::= SEQUENCE { ub-IPv4 INTEGER ::= 32
address BIT STRING (SIZE(0..len)), ub-IPv6 INTEGER ::= 128
maxLength INTEGER (0..len) OPTIONAL }
ROAIPAddress {INTEGER: ub} ::= SEQUENCE {
address BIT STRING (SIZE(0..ub)),
maxLength INTEGER (0..ub) OPTIONAL }
END END
</sourcecode> </sourcecode>
<section> <section>
<name>Element version</name> <name>The version Element</name>
<t> <t>
The version number of the RouteOriginAttestation MUST be 0. The version number of the RouteOriginAttestation entry <bcp14>MUST</bc p14> be 0.
</t> </t>
</section> </section>
<section> <section>
<name>Element asID</name> <name>The asID Element</name>
<t> <t>
The asID element contains the AS number that is authorized to originat e routes to the given IP address prefixes. The asID element contains the AS number that is authorized to originat e routes to the given IP address prefixes.
</t> </t>
</section> </section>
<section> <section>
<name>Element ipAddrBlocks</name> <name>The ipAddrBlocks Element</name>
<t> <t>
The ipAddrBlocks element encodes the set of IP address prefixes to whi ch the AS is authorized to originate routes. The ipAddrBlocks element encodes the set of IP address prefixes to whi ch the AS is authorized to originate routes.
Note that the syntax here is more restrictive than that used in the IP Address Delegation extension defined in <xref target="RFC3779"/>. Note that the syntax here is more restrictive than that used in the IP address delegation extension defined in <xref target="RFC3779"/>.
That extension can represent arbitrary address ranges, whereas ROAs ne ed to represent only IP prefixes. That extension can represent arbitrary address ranges, whereas ROAs ne ed to represent only IP prefixes.
</t> </t>
<section> <section>
<name>Type ROAIPAddressFamily</name> <name>Type ROAIPAddressFamily</name>
<t> <t>
Within the ROAIPAddressFamily structure, the addressFamily element c ontains the Address Family Identifier (AFI) of an IP address family. Within the ROAIPAddressFamily structure, the addressFamily element c ontains the Address Family Identifier (AFI) of an IP address family.
This specification only supports IPv4 and IPv6, therefore addressFam This specification only supports IPv4 and IPv6; therefore, addressFa
ily MUST be either 0001 or 0002. mily <bcp14>MUST</bcp14> be either 0001 or 0002.
IPv4 prefixes MUST NOT appear as IPv4-Mapped IPv6 Addresses (section IPv4 prefixes <bcp14>MUST NOT</bcp14> appear as IPv4-mapped IPv6 add
2.5.5.2 of <xref target="RFC4291"/>). resses (<xref target="RFC4291" section="2.5.5.2" sectionFormat="of"/>).
</t> </t>
<t> <t>
There MUST be only one instance of ROAIPAddressFamily per unique AFI There <bcp14>MUST</bcp14> be only one instance of ROAIPAddressFamily
in the ROA. per unique AFI in the ROA.
Thus, the ROAIPAddressFamily structure MUST NOT appear more than twi Thus, the ROAIPAddressFamily structure <bcp14>MUST NOT</bcp14> appea
ce. r more than twice.
</t> </t>
<t> <t>
The addresses element represents IP prefixes as a sequence of type R OAIPAddress. The addresses field contains IP prefixes as a sequence of type ROAIP Address.
</t> </t>
</section> </section>
<section> <section>
<name>Type ROAIPAddress</name> <name>Type ROAIPAddress</name>
<t> <t>
A ROAIPAddress structure is a sequence containing an address element A ROAIPAddress structure is a sequence containing an address element
of type IPAddress and an optional maxLength element of type INTEGER. of type BIT STRING and an optional maxLength element of type INTEGER.
See section 2.2.3.8 of <xref target="RFC3779"/> for more details on
type IPAddress.
</t> </t>
<section> <section>
<name>Element address</name> <name>The address Element</name>
<t> <t>
The address element is of type IPAddress and represents a single I The address element is of type BIT STRING and represents a single
P address prefix. IP address prefix. This field uses the same representation of an IP address pref
ix as a
BIT STRING as the IPAddress type defined in <xref target="RFC3779" sectionFormat
="of" section="2.2.3.8"/>.
</t> </t>
</section> </section>
<section> <section>
<name>Element maxLength</name> <name>The maxLength Element</name>
<t> <t>
When present, the maxLength specifies the maximum length of the IP When present, the maxLength element specifies the maximum length o
address prefix that the AS is authorized to advertise. f the IP address prefix that the AS is authorized to advertise.
The maxLength element SHOULD NOT be encoded if the maximum length The maxLength element <bcp14>SHOULD NOT</bcp14> be encoded if the
is equal to the prefix length. maximum length is equal to the prefix length.
Certification Authorities SHOULD anticipate that future Relying Pa Certification Authorities <bcp14>SHOULD</bcp14> anticipate that fu
rties will become increasingly stringent in considering the presence of superflu ture Relying Parties will become increasingly stringent in considering the prese
ous maxLength elements an encoding error. nce of superfluous maxLength elements an encoding error.
</t> </t>
<t> <t>
If present, the maxLength MUST be: If present, the maxLength element <bcp14>MUST</bcp14> be:
</t> </t>
<ul> <ul>
<li>an integer greater than or equal to the length of the accompan ying prefix, and</li> <li>an integer greater than or equal to the length of the accompan ying prefix, and</li>
<li>less than or equal to the maximum length (in bits) of an IP ad dress in the applicable address family: 32 in case of IPv4 and 128 in case of IP v6.</li> <li>less than or equal to the maximum length (in bits) of an IP ad dress in the applicable address family: 32 in the case of IPv4 and 128 in the ca se of IPv6.</li>
</ul> </ul>
<t> <t>
For example, if the IP address prefix is 203.0.113.0/24 and the ma For example, if the IP address prefix is 203.0.113.0/24 and maxLen
xLength is 26, the AS is authorized to advertise any more specific prefix with a gth is 26, the AS is authorized to advertise any more-specific prefix with a max
maximum length of 26. imum length of 26.
In this example, the AS would be authorized to advertise 203.0.113 In this example, the AS would be authorized to advertise 203.0.113
.0/24, 203.0.113.128/25, or 203.0.113.192/26; but not 203.0.113.0/27. .0/24, 203.0.113.128/25, or 203.0.113.192/26, but not 203.0.113.0/27.
See <xref target="RFC9319"/> for more information on the use of ma xLength. See <xref target="RFC9319"/> for more information on the use of ma xLength.
</t> </t>
<t> <t>
When the maxLength is not present, the AS is only authorized to ad vertise the exact prefix specified in the ROAIPAddress' address element. When the maxLength element is not present, the AS is only authoriz ed to advertise the exact prefix specified in the ROAIPAddress structure's addre ss element.
</t> </t>
</section> </section>
<section> <section>
<name>Note on overlapping or superfluous information encoding</name> <name>Note on Overlapping or Superfluous Information Encoding</name>
<t> <t>
Note that a valid ROA may contain an IP address prefix (within a ROAIPAddress element) that is encompassed by another IP address prefix (within a separate ROAIPAddress element). Note that a valid ROA may contain an IP address prefix (within a ROAIPAddress element) that is encompassed by another IP address prefix (within a separate ROAIPAddress element).
For example, a ROA may contain the prefix 203.0.113.0/24 with ma xLength 26, as well as the prefix 203.0.113.0/28 with maxLength 28. For example, a ROA may contain the prefix 203.0.113.0/24 with ma xLength 26, as well as the prefix 203.0.113.0/28 with maxLength 28.
This ROA would authorize the indicated AS to advertise any prefi x beginning with 203.0.113 with a minimum length of 24 and a maximum length of 2 6, as well as the specific prefix 203.0.113.0/28. This ROA would authorize the indicated AS to advertise any prefi x beginning with 203.0.113 with a minimum length of 24 and a maximum length of 2 6, as well as the specific prefix 203.0.113.0/28.
</t> </t>
<t> <t>
Additionally, a ROA MAY contain two ROAIPAddress elements, where Additionally, a ROA <bcp14>MAY</bcp14> contain two ROAIPAddress
the IP address prefix is identical in both cases. elements, where the IP address prefix is identical in both cases.
However, this is NOT RECOMMENDED as, in such a case, the ROAIPAd However, this is <bcp14>NOT RECOMMENDED</bcp14>, because in such
dress with the shorter maxLength grants no additional privileges to the indicate a case, the ROAIPAddress element with the shorter maxLength grants no additiona
d AS and thus can be omitted without changing the meaning of the ROA. l privileges to the indicated AS and thus can be omitted without changing the me
aning of the ROA.
</t> </t>
</section> </section>
</section> </section>
<section> <section>
<name>Canonical form for ipAddrBlocks</name> <name>Canonical Form for ipAddrBlocks</name>
<t> <t>
As the data structure described by the ROA ASN.1 module allows for many different ways to represent the same set of IP address information, a cano nical form is defined such that every set of IP address information has a unique representation. As the data structure described by the ROA ASN.1 module allows for many different ways to represent the same set of IP address information, a cano nical form is defined such that every set of IP address information has a unique representation.
In order to produce and verify this canonical form, the process de In order to produce and verify this canonical form, the process de
scribed in this section SHOULD be used to ensure information elements are unique scribed in this section <bcp14>SHOULD</bcp14> be used to ensure that information
with respect to one another and sorted in ascending order. elements are unique with respect to one another and sorted in ascending order.
Certification Authorities SHOULD anticipate that future Relying Pa Certification Authorities <bcp14>SHOULD</bcp14> anticipate that fu
rties will impose a strict requirement for the ipAddrBlocks field to be in this ture Relying Parties will impose a strict requirement for the ipAddrBlocks field
canonical form. to be in this canonical form.
This canonicalization procedure builds upon the canonicalization p This canonicalization procedure builds upon the canonicalization p
rocedure specified in section 2.2.3.6 of <xref target="RFC3779"/>. rocedure specified in <xref target="RFC3779" section="2.2.3.6" sectionFormat="of
"/>.
</t> </t>
<t> <t>
In order to semantically compare, sort, and deduplicate the conten ts of the ipAddrBlocks field, each ROAIPAddress element is mapped to an abstract data element composed of four integer values: In order to semantically compare, sort, and deduplicate the conten ts of the ipAddrBlocks field, each ROAIPAddress element is mapped to an abstract data element composed of four integer values:
</t> </t>
<dl> <dl>
<dt>afi</dt> <dt>afi</dt>
<dd>The AFI value appearing in the addressFamily field of the contai ning ROAIPAddressFamily as an integer.</dd> <dd>The AFI value appearing in the addressFamily field of the contai ning ROAIPAddressFamily as an integer.</dd>
<dt>addr</dt> <dt>addr</dt>
<dd>The first IP address of the IP prefix appearing in the ROAIPAddr ess address field, as a 32-bit (IPv4) or 128-bit (IPv6) integer value.</dd> <dd>The first IP address of the IP prefix appearing in the ROAIPAddr ess address field, as a 32-bit (IPv4) or 128-bit (IPv6) integer value.</dd>
<dt>plen</dt> <dt>plen</dt>
<dd>The prefix length of the IP prefix appearing in the ROAIPAddress address field as an integer value.</dd> <dd>The length of the IP prefix appearing in the ROAIPAddress addres s field as an integer value.</dd>
<dt>mlen</dt> <dt>mlen</dt>
<dd>The value appearing in the maxLength field of the ROAIPAddress, if present, otherwise the above prefix length value.</dd> <dd>The value appearing in the maxLength field of the ROAIPAddress e lement, if present; otherwise, the above prefix length value.</dd>
</dl> </dl>
<t> <t>
Thus, the equality or relative order of two ROAIPAddress elements can be tested by comparing their abstract representations. Thus, the equality or relative order of two ROAIPAddress elements can be tested by comparing their abstract representations.
</t> </t>
<section> <section>
<name>Comparator</name> <name>Comparator</name>
<t> <t>
The set of ipAddrBlocks is totally ordered. The set of ipAddrBlocks is totally ordered.
The order of two ipAddrBlocks is determined by the first non-equ al comparison in the following list. The order of two ipAddrBlocks is determined by the first non-equ al comparison in the following list.
</t> </t>
skipping to change at line 342 skipping to change at line 365
</li> </li>
<li> <li>
Data elements with a lower mlen value precede data elements wi th a higher mlen value. Data elements with a lower mlen value precede data elements wi th a higher mlen value.
</li> </li>
</ol> </ol>
<t> <t>
Data elements for which all four values compare equal are duplic ates of one another. Data elements for which all four values compare equal are duplic ates of one another.
</t> </t>
</section> </section>
<section> <section>
<name>Example implementations</name> <name>Example Implementations</name>
<t> <ul>
A sorting implementation <xref target="roasort-c"/> in ISO/IEC 9 <li>A sorting implementation <xref target="roasort-c"/> in ISO/I
899:1999 ("ANSI&nbsp;C99"). EC 9899:1999 ("ANSI&nbsp;C99").</li>
</t> <li>A sorting implementation <xref target="roasort-rs"/> in the
<t> Rust 2021 Edition.</li>
A sorting implementation <xref target="roasort-rs"/> in Rust 202 </ul>
1 Edition.
</t>
</section> </section>
</section> </section>
</section> </section>
</section> </section>
<section> <section>
<name>ROA Validation</name> <name>ROA Validation</name>
<t> <t>
Before a relying party can use a ROA to validate a routing announcemen Before a Relying Party can use a ROA to validate a routing announcemen
t, the relying party MUST first validate the ROA. t, the Relying Party <bcp14>MUST</bcp14> first validate the ROA.
To validate a ROA, the relying party MUST perform all the validation c To validate a ROA, the Relying Party <bcp14>MUST</bcp14> perform all t
hecks specified in <xref target="RFC6488"/> as well as the following additional he validation checks specified in <xref target="RFC6488"/> as well as the follow
ROA-specific validation steps: ing additional ROA-specific validation steps:
</t> </t>
<ul> <ul>
<li> <li>
The IP Address Delegation extension <xref target="RFC3779"/> is pres ent in the end-entity (EE) certificate (contained within the ROA), and every IP address prefix in the ROA payload is contained within the set of IP addresses sp ecified by the EE certificate's IP Address Delegation extension. The IP address delegation extension <xref target="RFC3779"/> is pres ent in the end-entity (EE) certificate (contained within the ROA), and every IP address prefix in the ROA payload is contained within the set of IP addresses sp ecified by the EE certificate's IP address delegation extension.
</li> </li>
<li> <li>
The EE certificate's IP Address Delegation extension MUST NOT contai n "inherit" elements described in <xref target="RFC3779"/>. The EE certificate's IP address delegation extension <bcp14>MUST NOT </bcp14> contain "inherit" elements as described in <xref target="RFC3779"/>.
</li> </li>
<li> <li>
The Autonomous System Identifier Delegation Extension described in < xref target="RFC3779"/> is not used in Route Origin Authorizations and MUST NOT be present in the EE certificate. The Autonomous System identifier delegation extension described in < xref target="RFC3779"/> is not used in ROAs and <bcp14>MUST NOT</bcp14> be prese nt in the EE certificate.
</li> </li>
<li> <li>
The ROA content fully conforms with all requirements specified in <x The ROA content fully conforms with all requirements specified in
ref target="content"/> and <xref target="econtent"/>. Sections&nbsp;<xref target="content" format="counter"/> and <xref target="econte
nt" format="counter"/>.
</li> </li>
</ul> </ul>
<t> <t>
If any of the above checks fail, the ROA in its entirety MUST be consi dered invalid and an error SHOULD be logged. If any of the above checks fail, the ROA in its entirety <bcp14>MUST</ bcp14> be considered invalid and an error <bcp14>SHOULD</bcp14> be logged.
</t> </t>
</section> </section>
<section anchor="security"> <section anchor="security">
<name>Security Considerations</name> <name>Security Considerations</name>
<t> <t>
There is no assumption of confidentiality for the data in a ROA; it is a nticipated that ROAs will be stored in repositories that are accessible to all I SPs, and perhaps to all Internet users. There is no assumption of confidentiality for the data in a ROA; it is a nticipated that ROAs will be stored in repositories that are accessible to all I SPs, and perhaps to all Internet users.
There is no explicit authentication associated with a ROA, since the PKI used for ROA validation provides authorization but not authentication. There is no explicit authentication associated with a ROA, since the PKI used for ROA validation provides authorization but not authentication.
Although the ROA is a signed, application-layer object, there is no inte nt to convey non-repudiation via a ROA. Although the ROA is a signed, application-layer object, there is no inte nt to convey non-repudiation via a ROA.
</t> </t>
<t> <t>
The purpose of a ROA is to convey authorization for an AS to originate a The purpose of a ROA is to convey authorization for an AS to originate a
route to the prefix(es) in the ROA. route to the prefix or prefixes in the ROA.
Thus, the integrity of a ROA MUST be established. Thus, the integrity of a ROA <bcp14>MUST</bcp14> be established.
The ROA specification makes use of the RPKI signed object format; thus, This ROA specification makes use of the RPKI signed object format; thus,
all security considerations in <xref target="RFC6488"/> also apply to ROAs. all security considerations discussed in <xref target="RFC6488"/> also apply to
Additionally, the signed object profile uses the CMS signed message form ROAs.
at for integrity; thus, ROAs inherit all security considerations associated with Additionally, the signed object profile uses the CMS signed message format for i
that data structure. ntegrity; thus, ROAs inherit all security considerations associated with that da
ta structure.
</t> </t>
<t> <t>
The right of the ROA signer to authorize the target AS to originate rout The right of the ROA signer to authorize the target AS to originate rout
es to the prefix(es) is established through use of the address space and AS numb es to the prefix or prefixes is established through the use of the address space
er PKI described in <xref target="RFC6480"/>. and AS number PKI as described in <xref target="RFC6480"/>.
Specifically, one MUST verify the signature on the ROA using an X.509 ce Specifically, one <bcp14>MUST</bcp14> verify the signature on the ROA us
rtificate issued under this PKI, and check that the prefix(es) in the ROA are co ing an X.509 certificate issued under this PKI and check that the prefix or pref
ntained within those in the certificate's IP Address Delegation Extension. ixes in the ROA are contained within those in the certificate's IP address deleg
ation extension.
</t> </t>
</section> </section>
<section anchor="iana"> <section anchor="iana">
<name>IANA Considerations</name> <name>IANA Considerations</name>
<section> <section>
<name>SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1) </name> <name>SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1) </name>
<t> <t>
The IANA is requested to update the id-ct-routeOriginAuthz entry in th IANA has updated the id-ct-routeOriginAuthz entry in the "SMI Security
e "SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)" registry for S&wj;/MIME CMS Content Type (1.2.840.113549.1.9.16.1)" registry as follows:
as follows:
</t>
<artwork>
<![CDATA[
Decimal Description References
24 id-ct-routeOriginAuthz [RFC-to-be]
]]>
</artwork>
<t>
Upon publication of this document, IANA is requested to reference the
RFC publication instead of this draft.
</t> </t>
<table anchor="tab1">
<thead>
<tr>
<th>Decimal</th>
<th>Description</th>
<th>References</th>
</tr>
</thead>
<tbody>
<tr>
<td>24</td>
<td>id-ct-routeOriginAuthz</td>
<td>RFC 9582</td>
</tr>
</tbody>
</table>
</section> </section>
<section> <section>
<name>RPKI Signed Objects sub-registry</name> <name>RPKI Signed Objects Registry</name>
<t> <t>
The IANA is requested to update the entry for the Route Origination Au thorization in the "RPKI Signed Objects" registry created by <xref target="RFC64 88"/> as follows: IANA has updated the Route Origination Authorization entry in the "RPK I Signed Objects" registry created by <xref target="RFC6488"/> as follows:
</t> </t>
<artwork>
<![CDATA[ <table anchor="tab-2">
Name OID Specification <thead>
Route Origination Authorization 1.2.840.113549.1.9.16.1.24 [RFC-to-be] <tr>
]]> <th>Name</th>
</artwork> <th>OID</th>
<th>Reference</th>
</tr>
</thead>
<tbody>
<tr>
<td>Route Origination Authorization</td>
<td>1.2.840.113549.1.9.16.1.24</td>
<td>RFC 9582</td>
</tr>
</tbody>
</table>
</section> </section>
<section> <section>
<name>File Extension</name> <name>File Extension</name>
<t> <t>
The IANA is requested to update the entry for the ROA file extension i IANA has updated the entry for the ROA file extension in the "RPKI Rep
n the "RPKI Repository Name Schemes" registry created by <xref target="RFC6481"/ ository Name Schemes" registry created by <xref target="RFC6481"/> as follows:
> as follows:
</t>
<artwork>
<![CDATA[
Filename Extension RPKI Object Reference
.roa Route Origination Authorization [RFC-to-be]
]]>
</artwork>
<t>
Upon publication of this document, IANA is requested to make this addi
tion permanent and to reference the RFC publication instead of this draft.
</t> </t>
<table anchor="tab3">
<thead>
<tr>
<th>Filename Extension</th>
<th>RPKI Object</th>
<th>Reference</th>
</tr>
</thead>
<tbody>
<tr>
<td>.roa</td>
<td>Route Origination Authorization</td>
<td>RFC 9582</td>
</tr>
</tbody>
</table>
</section> </section>
<section> <section>
<name>SMI Security for S/MIME Module Identifier (1.2.840.113549.1.9.16.0 )</name> <name>SMI Security for S/MIME Module Identifier (1.2.840.113549.1.9.16.0 )</name>
<t> <t>
The IANA is requested to allocate for this document in the "SMI Securi ty for S/MIME Module Identifier (1.2.840.113549.1.9.16.0)" registry: IANA has allocated the following entry in the "SMI Security for S&wj;/ MIME Module Identifier (1.2.840.113549.1.9.16.0)" registry:
</t> </t>
<artwork> <table anchor="tab4">
<![CDATA[ <thead>
Decimal Description Reference <tr>
TBD id-mod-rpkiROA-2023 [RFC-to-be] <th>Decimal</th>
]]> <th>Description</th>
</artwork> <th>References</th>
</tr>
</thead>
<tbody>
<tr>
<td>75</td>
<td>id-mod-rpkiROA-2023</td>
<td>RFC 9582</td>
</tr>
</tbody>
</table>
</section> </section>
<section> <section>
<name>Media Type</name> <name>Media Type</name>
<t> <t>
The IANA is requested to update the media type application/rpki-roa in the "Media Type" registry as follows: IANA has updated the media type application/rpki-roa in the "Media Typ es" registry as follows:
</t> </t>
<artwork>
<![CDATA[ <dl spacing="normal" newline="false">
Type name: application <dt>Type name:</dt><dd>application</dd>
Subtype name: rpki-roa <dt>Subtype name:</dt><dd>rpki-roa</dd>
Required parameters: N/A <dt>Required parameters:</dt><dd>N/A</dd>
Optional parameters: N/A <dt>Optional parameters:</dt><dd>N/A</dd>
Encoding considerations: binary <dt>Encoding considerations:</dt><dd>binary</dd>
Security considerations: Carries an RPKI ROA [RFC-to-be]. <dt>Security considerations:</dt><dd>Carries an RPKI ROA (RFC 9582).
This media type contains no active content. See This media type contains no active content. See
Section 6 of [RFC-to-be] for further information. Section 6 of RFC 9582 for further information.</dd>
Interoperability considerations: None <dt>Interoperability considerations:</dt><dd>None</dd>
Published specification: [RFC-to-be] <dt>Published specification:</dt><dd>RFC 9582</dd>
Applications that use this media type: RPKI operators <dt>Applications that use this media type:</dt><dd>RPKI operators</dd>
Additional information: <dt>Additional information:</dt>
Content: This media type is a signed object, as defined <dd>
in [RFC6488], which contains a payload of a list of <t><br/></t>
prefixes and an AS identifer as defined in [RFC-to-be]. <dl spacing="compact">
Magic number(s): None <dt>Content:</dt><dd>This media type is a signed object, as defined
File extension(s): .roa in <xref target="RFC6488"/>, which contains a payload of a list of
Macintosh file type code(s): prefixes and an AS identifier as defined in RFC 9582.</dd>
Person & email address to contact for further information: <dt>Magic number(s):</dt><dd>None</dd>
Job Snijders <job@fastly.com> <dt>File extension(s):</dt><dd>.roa</dd>
Intended usage: COMMON <dt>Macintosh file type code(s):</dt><dd>None</dd>
Restrictions on usage: None </dl>
Change controller: IETF </dd>
]]> <dt>Person &amp; email address to contact for further information:</dt>
</artwork> <dd><br/>Job Snijders &lt;job@fastly.com&gt;</dd>
<dt>Intended usage:</dt><dd>COMMON</dd>
<dt>Restrictions on usage:</dt><dd>None</dd>
<dt>Change controller:</dt><dd>IETF</dd>
</dl>
</section> </section>
</section> </section>
</middle> </middle>
<back> <back>
<references> <references>
<name>References</name> <name>References</name>
<references> <references>
<name>Normative References</name> <name>Normative References</name>
<reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2
119" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.21
<front> 19.xml"/>
<title>Key words for use in RFCs to Indicate Requirement Levels</tit <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.37
le> 79.xml"/>
<author fullname="S. Bradner" initials="S." surname="Bradner"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.42
<date month="March" year="1997"/> 91.xml"/>
<abstract> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.56
<t>In many standards track documents several words are used to sig 52.xml"/>
nify the requirements in the specification. These words are often capitalized. T <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.62
his document defines these words as they should be interpreted in IETF documents 68.xml"/>
. This document specifies an Internet Best Current Practices for the Internet Co <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.64
mmunity, and requests discussion and suggestions for improvements.</t> 81.xml"/>
</abstract> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.64
</front> 82.xml"/>
<seriesInfo name="BCP" value="14"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.64
<seriesInfo name="RFC" value="2119"/> 87.xml"/>
<seriesInfo name="DOI" value="10.17487/RFC2119"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.64
</reference> 88.xml"/>
<reference anchor="RFC3779" target="https://www.rfc-editor.org/info/rfc3 <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.81
779" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3779.xml"> 74.xml"/>
<front>
<title>X.509 Extensions for IP Addresses and AS Identifiers</title>
<author fullname="C. Lynn" initials="C." surname="Lynn"/>
<author fullname="S. Kent" initials="S." surname="Kent"/>
<author fullname="K. Seo" initials="K." surname="Seo"/>
<date month="June" year="2004"/>
<abstract>
<t>This document defines two X.509 v3 certificate extensions. The
first binds a list of IP address blocks, or prefixes, to the subject of a certif
icate. The second binds a list of autonomous system identifiers to the subject o
f a certificate. These extensions may be used to convey the authorization of the
subject to use the IP addresses and autonomous system identifiers contained in
the extensions. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="3779"/>
<seriesInfo name="DOI" value="10.17487/RFC3779"/>
</reference>
<reference anchor="RFC4291" target="https://www.rfc-editor.org/info/rfc4
291" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4291.xml">
<front>
<title>IP Version 6 Addressing Architecture</title>
<author fullname="R. Hinden" initials="R." surname="Hinden"/>
<author fullname="S. Deering" initials="S." surname="Deering"/>
<date month="February" year="2006"/>
<abstract>
<t>This specification defines the addressing architecture of the I
P Version 6 (IPv6) protocol. The document includes the IPv6 addressing model, te
xt representations of IPv6 addresses, definition of IPv6 unicast addresses, anyc
ast addresses, and multicast addresses, and an IPv6 node's required addresses.</
t>
<t>This document obsoletes RFC 3513, "IP Version 6 Addressing Arch
itecture". [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="4291"/>
<seriesInfo name="DOI" value="10.17487/RFC4291"/>
</reference>
<reference anchor="RFC5652" target="https://www.rfc-editor.org/info/rfc5
652" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5652.xml">
<front>
<title>Cryptographic Message Syntax (CMS)</title>
<author fullname="R. Housley" initials="R." surname="Housley"/>
<date month="September" year="2009"/>
<abstract>
<t>This document describes the Cryptographic Message Syntax (CMS).
This syntax is used to digitally sign, digest, authenticate, or encrypt arbitra
ry message content. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="STD" value="70"/>
<seriesInfo name="RFC" value="5652"/>
<seriesInfo name="DOI" value="10.17487/RFC5652"/>
</reference>
<reference anchor="RFC6268" target="https://www.rfc-editor.org/info/rfc6
268" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6268.xml">
<front>
<title>Additional New ASN.1 Modules for the Cryptographic Message Sy
ntax (CMS) and the Public Key Infrastructure Using X.509 (PKIX)</title>
<author fullname="J. Schaad" initials="J." surname="Schaad"/>
<author fullname="S. Turner" initials="S." surname="Turner"/>
<date month="July" year="2011"/>
<abstract>
<t>The Cryptographic Message Syntax (CMS) format, and many associa
ted formats, are expressed using ASN.1. The current ASN.1 modules conform to the
1988 version of ASN.1. This document updates some auxiliary ASN.1 modules to co
nform to the 2008 version of ASN.1; the 1988 ASN.1 modules remain the normative
version. There are no bits- on-the-wire changes to any of the formats; this is s
imply a change to the syntax. This document is not an Internet Standards Track s
pecification; it is published for informational purposes.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6268"/>
<seriesInfo name="DOI" value="10.17487/RFC6268"/>
</reference>
<reference anchor="RFC6481" target="https://www.rfc-editor.org/info/rfc6
481" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6481.xml">
<front>
<title>A Profile for Resource Certificate Repository Structure</titl
e>
<author fullname="G. Huston" initials="G." surname="Huston"/>
<author fullname="R. Loomans" initials="R." surname="Loomans"/>
<author fullname="G. Michaelson" initials="G." surname="Michaelson"/
>
<date month="February" year="2012"/>
<abstract>
<t>This document defines a profile for the structure of the Resour
ce Public Key Infrastructure (RPKI) distributed repository. Each individual repo
sitory publication point is a directory that contains files that correspond to X
.509/PKIX Resource Certificates, Certificate Revocation Lists and signed objects
. This profile defines the object (file) naming scheme, the contents of reposito
ry publication points (directories), and a suggested internal structure of a loc
al repository cache that is intended to facilitate synchronization across a dist
ributed collection of repository publication points and to facilitate certificat
ion path construction. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6481"/>
<seriesInfo name="DOI" value="10.17487/RFC6481"/>
</reference>
<reference anchor="RFC6482" target="https://www.rfc-editor.org/info/rfc6
482" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6482.xml">
<front>
<title>A Profile for Route Origin Authorizations (ROAs)</title>
<author fullname="M. Lepinski" initials="M." surname="Lepinski"/>
<author fullname="S. Kent" initials="S." surname="Kent"/>
<author fullname="D. Kong" initials="D." surname="Kong"/>
<date month="February" year="2012"/>
<abstract>
<t>This document defines a standard profile for Route Origin Autho
rizations (ROAs). A ROA is a digitally signed object that provides a means of ve
rifying that an IP address block holder has authorized an Autonomous System (AS)
to originate routes to one or more prefixes within the address block. [STANDARD
S-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6482"/>
<seriesInfo name="DOI" value="10.17487/RFC6482"/>
</reference>
<reference anchor="RFC6487" target="https://www.rfc-editor.org/info/rfc6
487" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6487.xml">
<front>
<title>A Profile for X.509 PKIX Resource Certificates</title>
<author fullname="G. Huston" initials="G." surname="Huston"/>
<author fullname="G. Michaelson" initials="G." surname="Michaelson"/
>
<author fullname="R. Loomans" initials="R." surname="Loomans"/>
<date month="February" year="2012"/>
<abstract>
<t>This document defines a standard profile for X.509 certificates
for the purpose of supporting validation of assertions of "right-of-use" of Int
ernet Number Resources (INRs). The certificates issued under this profile are us
ed to convey the issuer's authorization of the subject to be regarded as the cur
rent holder of a "right-of-use" of the INRs that are described in the certificat
e. This document contains the normative specification of Certificate and Certifi
cate Revocation List (CRL) syntax in the Resource Public Key Infrastructure (RPK
I). This document also specifies profiles for the format of certificate requests
and specifies the Relying Party RPKI certificate path validation procedure. [ST
ANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6487"/>
<seriesInfo name="DOI" value="10.17487/RFC6487"/>
</reference>
<reference anchor="RFC6488" target="https://www.rfc-editor.org/info/rfc6
488" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6488.xml">
<front>
<title>Signed Object Template for the Resource Public Key Infrastruc
ture (RPKI)</title>
<author fullname="M. Lepinski" initials="M." surname="Lepinski"/>
<author fullname="A. Chi" initials="A." surname="Chi"/>
<author fullname="S. Kent" initials="S." surname="Kent"/>
<date month="February" year="2012"/>
<abstract>
<t>This document defines a generic profile for signed objects used
in the Resource Public Key Infrastructure (RPKI). These RPKI signed objects mak
e use of Cryptographic Message Syntax (CMS) as a standard encapsulation format.
[STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6488"/>
<seriesInfo name="DOI" value="10.17487/RFC6488"/>
</reference>
<reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8
174" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
<front>
<title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</ti
tle>
<author fullname="B. Leiba" initials="B." surname="Leiba"/>
<date month="May" year="2017"/>
<abstract>
<t>RFC 2119 specifies common key words that may be used in protoco
l specifications. This document aims to reduce the ambiguity by clarifying that
only UPPERCASE usage of the key words have the defined special meanings.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="8174"/>
<seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference>
<reference anchor="X.690"> <reference anchor="X.690">
<front> <front>
<title>Information Technology -- ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)</title> <title>Information Technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)</title>
<author> <author>
<organization>ITU-T</organization> <organization>ITU-T</organization>
</author> </author>
<date year="2015"/> <date month="February" year="2021"/>
</front> </front>
<seriesInfo name="ITU-T" value="Recommendation X.690"/> <seriesInfo name="ITU-T Recommendation" value="X.690"/>
</reference> </reference>
</references> </references>
<references> <references>
<name>Informative References</name> <name>Informative References</name>
<reference anchor="RFC4648" target="https://www.rfc-editor.org/info/rfc4
648" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4648.xml"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.46
<front> 48.xml"/>
<title>The Base16, Base32, and Base64 Data Encodings</title> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.52
<author fullname="S. Josefsson" initials="S." surname="Josefsson"/> 80.xml"/>
<date month="October" year="2006"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.64
<abstract> 80.xml"/>
<t>This document describes the commonly used base 64, base 32, and <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.93
base 16 encoding schemes. It also discusses the use of line-feeds in encoded da 19.xml"/>
ta, use of padding in encoded data, use of non-alphabet characters in encoded da
ta, use of different encoding alphabets, and canonical encodings. [STANDARDS-TRA
CK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="4648"/>
<seriesInfo name="DOI" value="10.17487/RFC4648"/>
</reference>
<reference anchor="RFC5280" target="https://www.rfc-editor.org/info/rfc5
280" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml">
<front>
<title>Internet X.509 Public Key Infrastructure Certificate and Cert
ificate Revocation List (CRL) Profile</title>
<author fullname="D. Cooper" initials="D." surname="Cooper"/>
<author fullname="S. Santesson" initials="S." surname="Santesson"/>
<author fullname="S. Farrell" initials="S." surname="Farrell"/>
<author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
<author fullname="R. Housley" initials="R." surname="Housley"/>
<author fullname="W. Polk" initials="W." surname="Polk"/>
<date month="May" year="2008"/>
<abstract>
<t>This memo profiles the X.509 v3 certificate and X.509 v2 certif
icate revocation list (CRL) for use in the Internet. An overview of this approac
h and model is provided as an introduction. The X.509 v3 certificate format is d
escribed in detail, with additional information regarding the format and semanti
cs of Internet name forms. Standard certificate extensions are described and two
Internet-specific extensions are defined. A set of required certificate extensi
ons is specified. The X.509 v2 CRL format is described in detail along with stan
dard and Internet-specific extensions. An algorithm for X.509 certification path
validation is described. An ASN.1 module and examples are provided in the appen
dices. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5280"/>
<seriesInfo name="DOI" value="10.17487/RFC5280"/>
</reference>
<reference anchor="RFC6480" target="https://www.rfc-editor.org/info/rfc6
480" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6480.xml">
<front>
<title>An Infrastructure to Support Secure Internet Routing</title>
<author fullname="M. Lepinski" initials="M." surname="Lepinski"/>
<author fullname="S. Kent" initials="S." surname="Kent"/>
<date month="February" year="2012"/>
<abstract>
<t>This document describes an architecture for an infrastructure t
o support improved security of Internet routing. The foundation of this architec
ture is a Resource Public Key Infrastructure (RPKI) that represents the allocati
on hierarchy of IP address space and Autonomous System (AS) numbers; and a distr
ibuted repository system for storing and disseminating the data objects that com
prise the RPKI, as well as other signed objects necessary for improved routing s
ecurity. As an initial application of this architecture, the document describes
how a legitimate holder of IP address space can explicitly and verifiably author
ize one or more ASes to originate routes to that address space. Such verifiable
authorizations could be used, for example, to more securely construct BGP route
filters. This document is not an Internet Standards Track specification; it is p
ublished for informational purposes.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6480"/>
<seriesInfo name="DOI" value="10.17487/RFC6480"/>
</reference>
<reference anchor="RFC9319" target="https://www.rfc-editor.org/info/rfc9
319" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9319.xml">
<front>
<title>The Use of maxLength in the Resource Public Key Infrastructur
e (RPKI)</title>
<author fullname="Y. Gilad" initials="Y." surname="Gilad"/>
<author fullname="S. Goldberg" initials="S." surname="Goldberg"/>
<author fullname="K. Sriram" initials="K." surname="Sriram"/>
<author fullname="J. Snijders" initials="J." surname="Snijders"/>
<author fullname="B. Maddison" initials="B." surname="Maddison"/>
<date month="October" year="2022"/>
<abstract>
<t>This document recommends ways to reduce the forged-origin hijac
k attack surface by prudently limiting the set of IP prefixes that are included
in a Route Origin Authorization (ROA). One recommendation is to avoid using the
maxLength attribute in ROAs except in some specific cases. The recommendations c
omplement and extend those in RFC 7115. This document also discusses the creatio
n of ROAs for facilitating the use of Distributed Denial of Service (DDoS) mitig
ation services. Considerations related to ROAs and RPKI-based Route Origin Valid
ation (RPKI-ROV) in the context of destination-based Remotely Triggered Discard
Route (RTDR) (elsewhere referred to as "Remotely Triggered Black Hole") filterin
g are also highlighted.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="185"/>
<seriesInfo name="RFC" value="9319"/>
<seriesInfo name="DOI" value="10.17487/RFC9319"/>
</reference>
<reference anchor="roasort-c" target="https://github.com/job/roasort"> <reference anchor="roasort-c" target="https://github.com/job/roasort">
<front> <front>
<title>ROA sorter in C</title> <title>ROA sorter in C</title>
<author initials="J." surname="Snijders"> <author fullname="Job Snijders"/>
<organization>Fastly</organization> <date month="July" year="2023"/>
</author>
</front> </front>
<refcontent>commit 68969ea</refcontent>
</reference> </reference>
<reference anchor="roasort-rs" target="https://github.com/benmaddison/ro asort"> <reference anchor="roasort-rs" target="https://github.com/benmaddison/ro asort">
<front> <front>
<title>ROA sorter in Rust</title> <title>ROA sorter in Rust</title>
<author initials="B." surname="Maddison"> <author fullname="Ben Maddison"/>
<organization>Workonline</organization> <date month="August" year="2023"/>
</author>
</front> </front>
<refcontent>commit 023e756</refcontent>
</reference> </reference>
</references> </references>
</references> </references>
<section anchor="acknowledgements">
<name>Acknowledgements</name>
<t>
The authors wish to thank Theo Buehler, Ties de Kock, Martin Hoffmann, C
harles Gardiner, Russ Housley, Jeffrey Haas, and Bob Beck for their help and con
tributions.
Additionally, the authors thank Jim Fenton, Vijay Gurbani, Haoyu Song, R
ob Austein, Roque Gagliano, Danny McPherson, Sam Weiler, Jasdip Singh, and Murra
y S. Kucherawy for their careful reviews and helpful comments.
</t>
</section>
<section anchor="example"> <section anchor="example">
<name>Example ROA eContent Payload</name> <name>Example ROA eContent Payload</name>
<t> <t>
Below an example of a DER encoded ROA eContent is provided with annotati on following the '#' character. An example of a DER-encoded ROA eContent is provided below, with annotat ion following the "#" character.
</t> </t>
<artwork> <sourcecode>
<![CDATA[ <![CDATA[
$ echo 302402023CCA301E301C04020002301630090307002001067C208C30090307002A0EB2400 $ echo 16i 301802030100003011300F040200023009300703050020010DB8 P \
000 \ | dc | openssl asn1parse -inform DER -i -dump
| xxd -r -ps \ 0:d=0 hl=2 l= 24 cons: SEQUENCE # RouteOriginAttestation
| openssl asn1parse -i -dump -inform DER 2:d=1 hl=2 l= 3 prim: INTEGER :010000 # asID 65536
0:d=0 hl=2 l= 36 cons: SEQUENCE # RouteOriginAttestation 7:d=1 hl=2 l= 17 cons: SEQUENCE # ipAddrBlocks
2:d=1 hl=2 l= 2 prim: INTEGER :3CCA # asID 15562 9:d=2 hl=2 l= 15 cons: SEQUENCE # ROAIPAddressFamily
6:d=1 hl=2 l= 30 cons: SEQUENCE # ipAddrBlocks 11:d=3 hl=2 l= 2 prim: OCTET STRING # addressFamily
8:d=2 hl=2 l= 28 cons: SEQUENCE # ROAIPAddressFamily 0000 - 00 02 # IPv6
10:d=3 hl=2 l= 2 prim: OCTET STRING # addressFamily 15:d=3 hl=2 l= 9 cons: SEQUENCE # addresses
0000 - 00 02 .. # IPv6 17:d=4 hl=2 l= 7 cons: SEQUENCE # ROAIPAddress
14:d=3 hl=2 l= 22 cons: SEQUENCE # addresses 19:d=5 hl=2 l= 5 prim: BIT STRING # 2001:db8::/32
16:d=4 hl=2 l= 9 cons: SEQUENCE # ROAIPAddress 0000 - 00 20 01 0d b8
18:d=5 hl=2 l= 7 prim: BIT STRING # address ]]></sourcecode>
0000 - 00 20 01 06 7c 20 8c . ..| . # 2001:67c:208c::/4
8
27:d=4 hl=2 l= 9 cons: SEQUENCE # ROAIPAddress
29:d=5 hl=2 l= 7 prim: BIT STRING # address
0000 - 00 2a 0e b2 40 .*..@ # 2a0e:b240::/48
0007 - <SPACES/NULS>
]]>
</artwork>
<t> <t>
Below is a complete <xref target="RFC4648">Base64</xref> encoded RPKI RO A Signed Object. Below is a complete RPKI ROA signed object, <xref target="RFC4648">Base6 4 encoded per</xref>.
</t> </t>
<artwork anchor="object"> <sourcecode anchor="object">
<![CDATA[ <![CDATA[
MIIHCwYJKoZIhvcNAQcCoIIG/DCCBvgCAQMxDTALBglghkgBZQMEAgEwNwYLKoZIhvcNAQkQ MIIGgAYJKoZIhvcNAQcCoIIGcTCCBm0CAQMxDTALBglghkgBZQMEAgEwKwYLKoZI
ARigKAQmMCQCAjzKMB4wHAQCAAIwFjAJAwcAIAEGfCCMMAkDBwAqDrJAAACgggT7MIIE9zCC hvcNAQkQARigHAQaMBgCAwEAADARMA8EAgACMAkwBwMFACABDbigggR8MIIEeDCC
A9+gAwIBAgIDAIb5MA0GCSqGSIb3DQEBCwUAMDMxMTAvBgNVBAMTKDM4ZTE0ZjkyZmRjN2Nj A2CgAwIBAgIBAzANBgkqhkiG9w0BAQsFADAvMS0wKwYDVQQDEyQ4NjUyNWNkNS00
ZmJmYzE4MjM2MTUyM2FlMjdkNjk3ZTk1MmYwHhcNMjIwNjE3MDAyNDIyWhcNMjMwNzAxMDAw NGQ3LTRkZjktODA3OS00YTlkY2RmMjY5NDQwHhcNMjQwNTAxMDAzNDEzWhcNMjUw
MDAwWjAzMTEwLwYDVQQDEyhBM0Q5NjQyNDU3NDlCQjZERDVBQjFGMkU4MzBFMzNBNkM1MTQ2 NTAxMDAzNDEzWjAvMS0wKwYDVQQDEyRlYjg3NmJmMC1lYTlkLTRiMjItYTExZS0y
RThGMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4CRG1t04YFLq3fctx2ThNfr6 YmNhZDA4MzliMTMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsPSYD
Vxsd2wZzcZhQJgUdlvUyfUPISWMwuPfpGjviqtCEzh5aNePGpLopkIES08egzTmJ78Is6+kW JnGOFRSHUZuVxibx2TQfWWoPIHNKgQAwYn1Kz88HaGgVf63G1mJd/cxBNMj5AfNQ
LXwy9CcwT7gmP9qOTSEi8h4qcyajxHbAwDEjROVNSujhLGeB74S9IQTn2Ertp2Et2xPq/kXw m2zKSAb83UAp97DUXf+lvoKj4F+lxCCjFaBpBeehc7X0XPDpbcbqo1YrzIzxxqou
+eiBHtOL2h2I7/UOZxHOHuNuHby+VbhFaxgPA7rVfdlUAf9yYxQvyZtB7kHT/EwAR4c9SYWu GijEwZ4k+BaM2avEFYMBszqWA+ZdneBSuZ3YbHPKp2royn4pJ9a1I5fYdqFQi0eo
0rvbWNJwWehzlT74V1XaknRXQjkKYHe34Fyyx9FY86uX4uN8rPuIzkd7n6g81pUZRIuk/3tc VZbAc8pZmwRVOuedYYqQiy9CSRGsbiGlB0fKt2m/zSsuvl4Zit7+NyGL3wAZecjZ
/DjbHNAD3qWVQ+0aqNdkunoJhQccZwIDAQABo4ICEjCCAg4wHQYDVR0OBBYEFKPZZCRXSbtt XEInsTtQsjQuy5PeJjLDyfWi/ZFi0qPsNlK0M2lMsi5B7QKaagA1RbRVHZyrkWoe
1asfLoMOM6bFFG6PMB8GA1UdIwQYMBaAFDjhT5L9x8z7/BgjYVI64n1pfpUvMBgGA1UdIAEB 20l5rfk1bIGMv/plAgMBAAGjggGdMIIBmTAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0O
/wQOMAwwCgYIKwYBBQUHDgIwZAYDVR0fBF0wWzBZoFegVYZTcnN5bmM6Ly9jaGxvZS5zb2Jv BBYEFN4UWxk/syCyWnRDVSmMi/fCUj0iMB8GA1UdIwQYMBaAFNZyCOpHDp1t1mVA
cm5vc3QubmV0L3Jwa2kvUklQRS1ubGpvYnNuaWpkZXJzL09PRlBrdjNIelB2OEdDTmhVanJp IvVTrcE4mrQ0MBgGA1UdIAEB/wQOMAwwCgYIKwYBBQUHDgIwWgYIKwYBBQUHAQEE
ZldsLWxTOC5jcmwwZAYIKwYBBQUHAQEEWDBWMFQGCCsGAQUFBzAChkhyc3luYzovL3Jwa2ku TjBMMEoGCCsGAQUFBzAChj5yc3luYzovL3Jwa2kuZXhhbXBsZS5uZXQvcmVwby8x
cmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxUL09PRlBrdjNIelB2OEdDTmhVanJpZldsLWxT bklJNmtjT25XM1daVUFpOVZPdHdUaWF0RFNnLmNlcjBRBgNVHR8ESjBIMEagRKBC
OC5jZXIwDgYDVR0PAQH/BAQDAgeAMIGoBggrBgEFBQcBCwSBmzCBmDBfBggrBgEFBQcwC4ZT hkByc3luYzovL3Jwa2kuZXhhbXBsZS5uZXQvcmVwby9BLzFuSUk2a2NPblczV1pV
cnN5bmM6Ly9jaGxvZS5zb2Jvcm5vc3QubmV0L3Jwa2kvUklQRS1ubGpvYnNuaWpkZXJzL285 QWk5Vk90d1RpYXREU2cuY3JsMFwGCCsGAQUFBwELBFAwTjBMBggrBgEFBQcwC4ZA
bGtKRmRKdTIzVnF4OHVndzR6cHNVVWJvOC5yb2EwNQYIKwYBBQUHMA2GKWh0dHBzOi8vY2hs cnN5bmM6Ly9ycGtpLmV4YW1wbGUubmV0L3JlcG8vQS8zaFJiR1QteklMSmFkRU5W
b2Uuc29ib3Jub3N0Lm5ldC9ycGtpL25ld3MueG1sMCsGCCsGAQUFBwEHAQH/BBwwGjAYBAIA S1l5TDk4SlNQU0tnLnJvYTAgBggrBgEFBQcBBwEB/wQRMA8wDQQCAAIwBwMFACAB
AjASAwcAIAEGfCCMAwcAKg6yQAAAMA0GCSqGSIb3DQEBCwUAA4IBAQAY4bd+Y1Os1MbxGWLU DbgwDQYJKoZIhvcNAQELBQADggEBAKFoMax1Gdxb9mvSfKE2Jo+DudqCGjWF3mGv
d7rNVG0c3e0FOwtUOE/Qprt5gkCHO2L19/R1jnXlAaJPID5VhUNl2y/AiwmP47vhk+fvtEdB rkhag8CQYi2CBJZLrkpCRha8doBW4PbrL36waWG55A/TdLKvWzAf66/v3iL5QcXo
wniszL8wCk5b6wwufn1z5/stQ85GRmsqJw5nkOYCyWpTP8k+TUa4w32xNj1dX78FwadDVeSP Krb0+fp1pu/YVK4xFxwYJhbX4OnL4Gqh9+t4fFXhEDj2QemlgjWZyxvgx2Sra/iK
yMgJ0860mkXbV1/82/D60zrWQsVAZiYebhni1QAqmpsxZwdZceFRRVY48YDPOZ73ZBZvf0g6 fOt6gxUhie3oIT+FiYjqF//WIUBP/HjTf+E4IRGN8tCr3NDhMZG6c0njq2keW7w4
Boy1+djlcAkugA92OKLzqjHWfY2iWZkcxXmFDthoeVCGQePkHMOigOyjZPcM8EXumo1rwI7N wnw1+GqSyDhqu0Rsr0m3XUbivkc+h0ZZBBS9SxPM+GfgdzEDV51VcK1SeMa3G3Ca
4CPs0VkmCVCZABYVQ0HJvU08i/Wf6X1VRbNcMYIBqjCCAaYCAQOAFKPZZCRXSbtt1asfLoMO j0cJA99eTM+j52tkNVupftv1Y+4Wt0XGLKmRNKw26XDaphzw3B8xggGqMIIBpgIB
M6bFFG6PMAsGCWCGSAFlAwQCAaBrMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABGDAcBgkq A4AU3hRbGT+zILJadENVKYyL98JSPSIwCwYJYIZIAWUDBAIBoGswGgYJKoZIhvcN
hkiG9w0BCQUxDxcNMjIwNjE3MDAyNDIyWjAvBgkqhkiG9w0BCQQxIgQgyCDmNy5kR2T3NpBX AQkDMQ0GCyqGSIb3DQEJEAEYMBwGCSqGSIb3DQEJBTEPFw0yNDA1MDEwMDM0MTNa
fNhzFLNQv4PmI8kFb6VIt1kqeRswDQYJKoZIhvcNAQEBBQAEggEAWu1sxXCO/X8voU1zfvL+ MC8GCSqGSIb3DQEJBDEiBCBlz4HExs5A69pxkJqTCbUvc2iTS7C4eDd3aJD4hYJS
My6KXb5va2CIuKD4dn/cllClWp8YizygIb+tPWfsT6DvaLOp1jE0raQyc8nUexLXSlIBGF7j wjANBgkqhkiG9w0BAQEFAASCAQBa2wmuDHbcvfnMRIaOJ6m30zpCZtJVBLDELoA0
GVWYCy4Oo8mXki+YB3AP1eXiBpx8E4Aa3Rq6/FO80fqrVmUTuywGnv9m6zSIrzEPFujpRIDa 2kLb18TfFbxQhUi/jZ9g0hNYksV0n4vOJnCQ3qP6IIfm0ZsKzRnyzZf3f2xegw2p
QQfDEOktRcLvNPXHfipTBzR4VSLkbZbyJBdigEPFUJVIRcAoI4tZAUVcbwANrHpZElFMBgr6 Wzi9Z8QYlc//eY3+XA3bQ37h+s0r7OZkQH7+KmIwDOCYaLh/YB37wp/7giC7bpvi
Rpn9l5nu7kUlZqXbV39Mfv8WCzctaUyc+Ag311sfWu5s6XaX3PtT9V4TnQhbSWcvR9NgM+As c2Fv2illQmctrK7tYDHsNGq+svULTjemUaklqfcRAAJnQTRzTz8So9wKY9SR2VVZ
NqelVbdJ/iA2SeNHU/65xf6dDE2zdHDfsw== 68DDItTBUx8jPYeNQtvxxoVA6HuW9wyurlYQ9m/cF8CzlizVmsHgxzjO9ifmYJj9
]]> YZWMLtjF7Xw1fQZLYMrD5DCZzUw3nv4GyyHxckm2kLF38mze
</artwork> ]]></sourcecode>
<t> <t>
The object in <xref target="object"/> has the following properties: The object in this appendix has the following properties:
</t> </t>
<artwork align="center"> <sourcecode>
<![CDATA[ <![CDATA[
Object Object size: 1668 octets
SHA256 hash: 13afbad09ed59b315efd8722d38b09fd02962e376e4def32247f9de9 Object SHA256 message digest:
05649b47 3a39e0b652e79ddf6efdd178ad5e3b29e0121b1e593b89f1e0ac18f3ba60d5e7
Size: 1807 octets
CMS signing time: Fri 17 Jun 2022 00:24:22 +0000 CMS signing time: Wed 01 May 2024 00:34:13 +0000
X.509 end-entity certificate X.509 end-entity certificate
Subject key id: A3D964245749BB6DD5AB1F2E830E33A6C5146E8F Subject key id: DE145B193FB320B25A744355298C8BF7C2523D22
Authority key id: 38E14F92FDC7CCFBFC182361523AE27D697E952F Authority key id: D67208EA470E9D6DD6654022F553ADC1389AB434
Issuer: /CN=38e14f92fdc7ccfbfc182361523ae27d697e952f Issuer: CN=86525cd5-44d7-4df9-8079-4a9dcdf26944
Serial: 86F9 Serial: 3
Not before: Fri 17 Jun 2022 00:24:22 +0000 Not before: Wed 01 May 2024 00:34:13 +0000
Not after: Sat 01 Jul 2023 00:00:00 +0000 Not after: Thu 01 May 2025 00:34:13 +0000
IP address delegation: 2001:67c:208c::/48, 2a0e:b240::/48 IP address delegation: 2001:db8::/32
eContent ROA eContent
asID: 15562 asID: 65536
addresses: 2001:67c:208c::/48, 2a0e:b240::/48 addresses: 2001:db8::/32
]]> ]]></sourcecode>
</artwork> </section>
<section anchor="acknowledgements" numbered="false">
<name>Acknowledgements</name>
<t>
The authors wish to thank <contact fullname="Theo Buehler"/>, <contact f
ullname="Ties de Kock"/>, <contact fullname="Martin Hoffmann"/>, <contact fullna
me="Charles Gardiner"/>, <contact fullname="Russ Housley"/>, <contact fullname="
Jeffrey Haas"/>, <contact fullname="Bob Beck"/>, and <contact fullname="Tom Harr
ison"/> for their help and contributions.
Additionally, the authors thank <contact fullname="Jim Fenton"/>, <conta
ct fullname="Vijay Gurbani"/>, <contact fullname="Haoyu Song"/>, <contact fullna
me="Rob Austein"/>, <contact fullname="Roque Gagliano"/>, <contact fullname="Dan
ny McPherson"/>, <contact fullname="Sam Weiler"/>, <contact fullname="Jasdip Sin
gh"/>, and <contact fullname="Murray S. Kucherawy"/> for their careful reviews a
nd helpful comments.
</t>
</section> </section>
</back> </back>
</rfc> </rfc>
 End of changes. 95 change blocks. 
631 lines changed or deleted 419 lines changed or added

This html diff was produced by rfcdiff 1.48.