The Use of maxLength in the Resource Public Key Infrastructure (RPKI)

Yossi Gilad, Sharon Goldberg, Kotikalapudi Sriram, Job Snijders, Ben Maddison

Research output: Contribution to journal › Article › peer-review


This document recommends ways to reduce the forged-origin hijack attack surface by prudently limiting the set of IP prefixes that are included in a Route Origin Authorization (ROA). One recommendation is to avoid using the maxLength attribute in ROAs except in some specific cases. The recommendations complement and extend those in RFC 7115. This document also discusses the creation of ROAs for facilitating the use of Distributed Denial of Service (DDoS) mitigation services. Considerations related to ROAs and RPKI-based Route Origin Validation (RPKI-ROV) in the context of destination-based Remotely Triggered Discard Route (RTDR) (elsewhere referred to as "Remotely Triggered Black Hole") filtering are also highlighted.
Original language: English
Article number: RFC 9319
Pages (from-to): 1-13
Number of pages: 13
Journal: RFC Series
Volume: BCP 185
State: Published - 2022

Bibliographical note

Best Current Practice

