Hi all,

To add a small datapoint: not a single one of the Internet's 124,647 ROAs (discoverable today through the 5 RIR TALs) carries the AS Resources extension in the ROA EE certificate. This means that all current CA implementations deployed in the field omit this extension.
I submitted this report in the spirit of a similar issue (described in Errata #3166 https://www.rfc-editor.org/errata/eid3166)

Kind regards,

Job

On Wed, Aug 10, 2022 at 07:41:36AM -0700, RFC Errata System wrote:
> The following errata report has been submitted for RFC6482,
> "A Profile for Route Origin Authorizations (ROAs)".
>
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid7079
>
> --------------------------------------
> Type: Technical
> Reported by: Job Snijders <j...@fastly.com>
>
> Section: 4
>
> Original Text
> -------------
> Before a relying party can use a ROA to validate a routing
> announcement, the relying party MUST first validate the ROA. To
> validate a ROA, the relying party MUST perform all the validation
> checks specified in [RFC6488] as well as the following additional
> ROA-specific validation step.
>
> o The IP address delegation extension [RFC3779] is present in the
> end-entity (EE) certificate (contained within the ROA), and each
> IP address prefix(es) in the ROA is contained within the set of IP
> addresses specified by the EE certificate's IP address delegation
> extension.
>
> Corrected Text
> --------------
> Before a relying party can use a ROA to validate a routing
> announcement, the relying party MUST first validate the ROA. To
> validate a ROA, the relying party MUST perform all the validation
> checks specified in [RFC6488] as well as the following additional
> ROA-specific validation step.
>
> o The IP address delegation extension [RFC3779] is present in the
> end-entity (EE) certificate (contained within the ROA), and each
> IP address prefix(es) in the ROA is contained within the set of IP
> addresses specified by the EE certificate's IP address delegation
> extension.
> o The AS Resources extension is not used in Route Origin Authorizations
> and MUST be omitted.
>
> Notes
> -----
> The ROA RFC is a bit under-specified compared to other RPKI Signed Object
> profile definitions. (For example, RFC 8209 § 3.1.3.4 is less ambiguous on
> the matter of RFC3779 extensions.)
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> can log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC6482 (draft-ietf-sidr-roa-format-12)
> --------------------------------------
> Title : A Profile for Route Origin Authorizations (ROAs)
> Publication Date : February 2012
> Author(s) : M. Lepinski, S. Kent, D. Kong
> Category : PROPOSED STANDARD
> Source : Secure Inter-Domain Routing
> Area : Routing
> Stream : IETF
> Verifying Party : IESG

_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr
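The ROA-specific validation step quoted in the erratum, modelled as an added example (not code from the erratum, the RFC, or any RPKI validator): the EE certificate's RFC 3779 IP resources must be present and must cover every ROA prefix, and, per the corrected text, the AS Resources extension must be absent. The extension contents and ROA prefixes are constructed Python values rather than parsed DER, and the function names and argument shapes are assumptions for this example.

```python
# Added example: RFC 6482 section 4 ROA-specific checks plus the erratum's
# rule that the AS Resources extension MUST be omitted from the ROA EE cert.
# Inputs are constructed Python structures, not DER; a real validator would
# first complete the RFC 6488 signed-object checks.
import ipaddress
from typing import Iterable, List, Optional, Tuple


def _to_networks(resources: Iterable) -> list:
    """Expand RFC 3779 style resources (prefix strings or (min, max) address
    ranges) into a flat list of ip_network objects."""
    nets = []
    for item in resources:
        if isinstance(item, tuple):  # addressRange: (min, max)
            lo, hi = ipaddress.ip_address(item[0]), ipaddress.ip_address(item[1])
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:  # addressPrefix
            nets.append(ipaddress.ip_network(item, strict=True))
    return nets


def validate_roa(ee_ip_blocks: Optional[Iterable],
                 ee_as_resources: Optional[Iterable],
                 roa_prefixes: List[Tuple[str, Optional[int]]]) -> List[str]:
    """Return the list of validation failures (empty means the ROA passes).
    Assumed shapes (hypothetical, for this example):
      ee_ip_blocks    - EE cert IP address delegation extension, None if absent
      ee_as_resources - EE cert AS Resources extension, None if absent
      roa_prefixes    - ROAIPAddress entries as (prefix, maxLength or None)
    """
    errors = []
    # RFC 6482 s.4: the RFC 3779 IP address delegation extension MUST be present.
    if ee_ip_blocks is None:
        return ["EE certificate lacks the IP address delegation extension"]
    # Erratum 7079 corrected text: the AS Resources extension MUST be omitted.
    if ee_as_resources is not None:
        errors.append("EE certificate carries the AS Resources extension")
    certified = _to_networks(ee_ip_blocks)
    for prefix, max_len in roa_prefixes:
        net = ipaddress.ip_network(prefix, strict=True)
        # maxLength, when present, must lie between the prefix length and the
        # address-family maximum (RFC 6482 s.3.3).
        if max_len is not None and not (net.prefixlen <= max_len <= net.max_prefixlen):
            errors.append(f"{prefix}: maxLength {max_len} out of range")
        # Each ROA prefix must be contained in the EE certificate's IP resources;
        # compare only within the same address family.
        if not any(net.version == c.version and net.subnet_of(c) for c in certified):
            errors.append(f"{prefix}: not covered by EE certificate IP resources")
    return errors
```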