{"draft":"draft-ietf-sidrops-rpkimaxlen-15","doc_id":"RFC9319","title":"The Use of maxLength in the Resource Public Key Infrastructure (RPKI)","authors":["Y. Gilad","S. Goldberg","K. Sriram","J. Snijders","B. Maddison"],"format":["HTML","TEXT","PDF","XML"],"page_count":"13","pub_status":"BEST CURRENT PRACTICE","status":"BEST CURRENT PRACTICE","source":"SIDR Operations","abstract":"This document recommends ways to reduce the forged-origin hijack\r\nattack surface by prudently limiting the set of IP prefixes that are\r\nincluded in a Route Origin Authorization (ROA). One recommendation is\r\nto avoid using the maxLength attribute in ROAs except in some\r\nspecific cases. The recommendations complement and extend those in\r\nRFC 7115. This document also discusses the creation of ROAs for\r\nfacilitating the use of Distributed Denial of Service (DDoS)\r\nmitigation services. Considerations related to ROAs and RPKI-based\r\nRoute Origin Validation (RPKI-ROV) in the context of\r\ndestination-based Remotely Triggered Discard Route (RTDR) (elsewhere\r\nreferred to as \"Remotely Triggered Black Hole\") filtering are also\r\nhighlighted.","pub_date":"October 2022","keywords":["Secure Internet routing","Resource public key infrastructure"],"obsoletes":[],"obsoleted_by":[],"updates":[],"updated_by":[],"see_also":["BCP0185"],"doi":"10.17487\/RFC9319","errata_url":null}