]> Tsinghua University

Beijing China sjy23@mails.tsinghua.edu.cn

Zhongguancun Laboratory

Beijing China liulb@zgclab.edu.cn

Zhongguancun Laboratory

Beijing China qinlc@mail.zgclab.edu.cn

Tsinghua University

Beijing China tolidan@tsinghua.edu.cn

Operations and Management SIDROPS RPKI The Resource Public Key Infrastructure (RPKI) RFC6480 relies on Publication Points (PPs) to distribute cryptographically verifiable objects. Under the current design, Relying Parties (RPs) retrieve the complete set of RPKI objects from repositories, even when their operational requirements are limited to a specific subset, for example, ROAs only. This all-or-nothing retrieval model may result in increased bandwidth consumption, higher synchronization latency, and unnecessary computational overhead. This document examines these challenges and discusses directions for enabling more selective and efficient access to RPKI data.

Introduction As securing the Internet’s routing infrastructure becomes increasingly critical, the Resource Public Key Infrastructure (RPKI) RFC6480 provides a framework for validating the authenticity and integrity of routing information. RPKI relies on cryptographically verifiable objects published at Publication Points (PPs) , which are retrieved and processed by Relying Parties (RPs) to support route validation decisions. While RPKI provides a robust mechanism for publishing and validating routing authorization data, its current data distribution model assumes that RPs retrieve and process the complete repository contents. As the deployment of RPKI-based security mechanisms expands, both the volume and the diversity of data stored at PPs continue to grow. Current RP implementations do not provide sufficient support for selectively retrieving specific types of RPKI objects. Consequently, operators that require only a subset of RPKI functionality must still retrieve and process the complete repository contents, leading to increased bandwidth consumption, longer synchronization latency, and additional computational overhead. For example, an AS that only requires Route Origin Authorization (ROA) for route origin validation will, when using current RPs, also download and process unrelated RPKI objects such as ASPA and MOA. This document analyzes these limitations in the current RPKI data retrieval model and discusses directions for enabling selective, on-demand retrieval of RPKI objects to improve scalability and operational efficiency.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Terminology ROA (Route Origin Authorization) : A ROA is a digitally signed object that provides a means of verifying that an IP address block holder has authorized an Autonomous System (AS) to originate routes to one or more prefixes within the address block. ASPA (Autonomous System Provider Authorization) : An ASPA is a digitally signed object through which the issuer (the holder of an Autonomous System identifier), can authorize one or more other ASes as its upstream providers. MOA (Mapping Origin Authorization) : It provides a means that the address holder can authorize an IPv6 mapping prefix to originate mapping for one or more IPv4 prefixes. RP (Relying Party) : A system that downloads and validates RPKI data from a repository. PP (Publication Point) : The location where RPKI objects are published and stored, accessible via rsync or RRDP. RRDP (RPKI Repository Delta Protocol) : A pull-based protocol used by RPs to synchronize with RPKI repositories.

Scope and Non-Goals This document focuses on identifying limitations in the current RPKI data synchronization model with respect to selective and on-demand retrieval of RPKI objects between Publication Points (PPs) and Relying Parties (RPs). The scope of this document is limited to analyzing the problem space, operational impacts, and high-level directions for improvement. It does not specify new protocols, data formats, or concrete mechanisms. In scope for this document are considerations related to the retrieval of different types of RPKI objects, such as ROAs, ASPA objects, and other signed objects, during RP synchronization. The document examines how existing synchronization mechanisms, including Rsync, RRDP, and Erik, currently assume full repository synchronization and discusses why this model may not scale efficiently as the diversity and volume of RPKI objects increase.

Problem Statement As the diversity and volume of RPKI objects continue to grow, there is an increasing need for Relying Parties (RPs) to retrieve only the objects relevant to their operational requirements. However, the current RPKI data synchronization model assumes that RPs synchronize and process the complete repository contents, without support for selective or on-demand retrieval. As a result, some RPs may retrieve and process unnecessary data, increasing both bandwidth consumption and operational overhead. Based on operational measurements, synchronizing a full repository snapshot currently requires approximately 1.1 GB of bandwidth, while incremental updates require around 10 MB. Assuming that emerging object types such as ASPA and MOA generate data volumes comparable to existing ROA objects, an RP that only requires ROA information would still need to download approximately 3.3 GB for a full synchronization and 30 MB for incremental updates. In addition to bandwidth costs, if RPs process all retrieved data, including signature verification and object parsing, it will further increase computational load. These impacts are particularly pronounced in bandwidth- or resource-constrained environments, such as remote or mobile networks, edge deployments, or smaller Autonomous Systems.

Directions and Design Considerations Type-based on-demand retrieval refers to the ability for Relying Parties (RPs) to selectively retrieve specific categories of RPKI objects, such as ROAs, ASPAs, or other types of signed objects, based on their operational requirements. This section discusses high-level directions and design considerations for enabling such selective retrieval within existing RPKI data synchronization mechanisms. This capability may be particularly beneficial in bandwidth constrained environments, specialized network deployments, or scenarios where rapid enablement of specific validation mechanisms is prioritized over comprehensive RPKI coverage.

Direction for Rsync In Rsync servers , each RPKI object is mapped to a unique URI and can be retrieved individually. This model inherently allows RPs to fetch specific objects without requiring full repository synchronization. However, current RP implementations typically retrieve the complete set of published objects rather than leveraging this capability for selective retrieval. From a design perspective, Rsync-based synchronization could support type-based on-demand retrieval by allowing RPs to identify and retrieve only the object types required for their intended validation functions.

Direction for RRDP In RRDP servers, all RPKI objects are published in aggregated snapshot.xml and delta.xml files, including ROAs, associated certificates, and other signed objects. The current RRDP protocol is designed around full repository synchronization and does not provide mechanisms for selectively retrieving specific object types. As a result, RPs must download and process the complete dataset regardless of their actual requirements. To better accommodate type-based on-demand retrieval, RRDP would need the ability to distinguish between different categories of RPKI objects during both initial synchronization and incremental updates, and to support selective transmission accordingly. This may require reconsideration of how snapshot and delta data are structured or organized, so that object type information can be efficiently exposed and used for selective retrieval.

Direction for Erik The Erik Synchronization Protocol is a proposed mechanism for efficient RPKI data replication. Erik employs Merkle trees to detect differences between local and remote datasets, allowing RPs to efficiently identify and retrieve objects that are missing or out of sync. Similar to Rsync, Erik is primarily designed to support efficient synchronization of complete repository datasets. The current specification does not explicitly consider selective retrieval based on RPKI object types. However, Erik’s use of Merkle tree based difference detection and object-level granularity provides a strong technical foundation for supporting more selective retrieval models. With these considerations, Erik could naturally support type-based on-demand retrieval and offer additional flexibility for deployments where only a subset of RPKI objects is required.

Security Considerations This document is informational in nature and focuses on identifying challenges and discussing potential directions for improving RPKI data retrieval. It does not define new protocols, protocol extensions, or modifications to existing RPKI validation procedures or security mechanisms. Therefore, this document does not introduce new security considerations.

IANA Considerations This document has no IANA requirements.

Appendix The data referenced in is based on experiments using Routinator in a production environment, measuring bandwidth consumption during Publication Point (PP) data synchronization. The measurements were conducted in two phases:

• Bootstrapping Phase: This phase tests the bandwidth requirements when an RP synchronizes complete PP data without any local cache, measuring the full snapshot download stage.
• Update Phase: This phase involves incremental updates performed every 10 minutes to measure the bandwidth consumption when RPs download delta files during routine synchronization operations.

References Normative References In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References This document describes an architecture for an infrastructure to support improved security of Internet routing. The foundation of this architecture is a Resource Public Key Infrastructure (RPKI) that represents the allocation hierarchy of IP address space and Autonomous System (AS) numbers; and a distributed repository system for storing and disseminating the data objects that comprise the RPKI, as well as other signed objects necessary for improved routing security. As an initial application of this architecture, the document describes how a legitimate holder of IP address space can explicitly and verifiably authorize one or more ASes to originate routes to that address space. Such verifiable authorizations could be used, for example, to more securely construct BGP route filters. This document is not an Internet Standards Track specification; it is published for informational purposes. This document defines a profile for the structure of the Resource Public Key Infrastructure (RPKI) distributed repository. Each individual repository publication point is a directory that contains files that correspond to X.509/PKIX Resource Certificates, Certificate Revocation Lists and signed objects. This profile defines the object (file) naming scheme, the contents of repository publication points (directories), and a suggested internal structure of a local repository cache that is intended to facilitate synchronization across a distributed collection of repository publication points and to facilitate certification path construction. [STANDARDS-TRACK] In the Resource Public Key Infrastructure (RPKI), Certificate Authorities (CAs) publish certificates, including end-entity certificates, Certificate Revocation Lists (CRLs), and RPKI signed objects to repositories. Relying Parties retrieve the published information from those repositories. This document specifies a new RPKI Repository Delta Protocol (RRDP) for this purpose. RRDP was specifically designed for scaling. It relies on an Update Notification File which lists the current Snapshot and Delta Files that can be retrieved using HTTPS (HTTP over Transport Layer Security (TLS)), and it enables the use of Content Distribution Networks (CDNs) or other caching infrastructures for the retrieval of these files. Yandex Qrator Labs Internet Initiative Japan & Arrcus, Inc. Arrcus USA National Institute of Standards and Technology This document describes procedures that make use of Autonomous System Provider Authorization (ASPA) objects in the Resource Public Key Infrastructure (RPKI) to verify the Border Gateway Protocol (BGP) AS_PATH attribute of advertised routes. This AS_PATH verification enhances routing security by adding means to detect and mitigate route leaks and AS_PATH manipulations. China Telecom China Telecom CERNET Center/Tsinghua University APNIC ZDNS This document proposes a new approach by leveraging Resource Public Key Infrastructure (RPKI) architecture to verify the authenticity of the mapping origin of an IPv4 address block. MOA is a newly defined cryptographically signed object that provides a means for the address holder can authorize an IPv6 mapping prefix to originate mapping for one or more IPv4 prefixes. When receiving the MOA objects from the relying parties, PE devices can verify and discard invalid address mapping announcements from unauthorized IPv6 mapping prefixes to prevent IPv4 prefix hijacking. BSD Software Development RIPE NCC APNIC JPNIC This document specifies the Erik Synchronization Protocol for use with the Resource Public Key Infrastructure (RPKI). Erik Synchronization can be characterized as a data replication system using Merkle trees, a content-addressable naming scheme, concurrency control using monotonically increasing sequence numbers, and HTTP transport. Relying Parties can combine information retrieved via Erik Synchronization with other RPKI transport protocols. The protocol's design is intended to be efficient, fast, easy to implement, and robust in the face of partitions or faults in the network. n.d.