Filtering Out RPKI Data by Type based on Enhanced SLURM Filters
draft-fu-sidrops-enhanced-slurm-filter-04
This document is an Internet-Draft (I-D).
Anyone may submit an I-D to the IETF.
This I-D is not endorsed by the IETF and has no formal standing in the
IETF standards process.
| Field | Value |
|---|---|
| Document type | Active Internet-Draft (individual) |
| Authors | Yu Fu, Nan Geng |
| Last updated | 2026-01-04 |
| RFC stream | (None) |
| Intended RFC status | (None) |
| Stream state | (No stream defined) |
| Consensus boilerplate | Unknown |
| RFC Editor Note | (None) |
| IESG state | I-D Exists |
| Telechat date | (None) |
| Responsible AD | (None) |
| Send notices to | (None) |
sidrops                                                            Y. Fu
Internet-Draft                                             China Telecom
Intended status: Standards Track                                 N. Geng
Expires: 8 July 2026                                              Huawei
                                                          4 January 2026
Filtering Out RPKI Data by Type based on Enhanced SLURM Filters
draft-fu-sidrops-enhanced-slurm-filter-04
Abstract
Simplified Local Internet Number Resource Management with the RPKI
(SLURM) helps operators create a local view of the global RPKI by
generating sets of filters and assertions. This document proposes to
filter out RPKI data by type based on enhanced SLURM filters. Only
the RPKI data types that the network or routers are interested in
will appear in the Relying Party's output.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 8 July 2026.
Copyright Notice
Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved.
Fu & Geng Expires 8 July 2026 [Page 1]
Internet-Draft Enhanced SLURM Filters January 2026
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction
   1.1. Requirements Language
2. Use Case
3. Enhanced SLURM Filters
   3.1. Design 1: RPKI Data Type Filters
      3.1.1. RPKI Data Type Filters
   3.2. Design 2: Special ASNs
4. Security Considerations
5. IANA Considerations
6. References
   6.1. Normative References
   6.2. Informative References
Acknowledgements
Authors' Addresses
1. Introduction
A Relying Party (RP) collects signed RPKI objects from global RPKI
publication points. The RPKI data that passes the RP's validation
appears in the RP's output. The RPKI-to-Router (RTR) protocol
[RFC6810][RFC8210][I-D.ietf-sidrops-8210bis] then synchronizes the
validated RPKI data from the RP to routers. Currently, the RTR
protocol supports four types of RPKI data: IPv4 Prefix, IPv6 Prefix,
Router Key, and ASPA.
However, in some cases, routers may be interested in only some RPKI
data types rather than all of them
[I-D.geng-sidrops-rtr-selective-sync]. In such cases, storing unused
data on the router is unreasonable, and synchronizing all types of
data induces unnecessary transmission and storage overhead. In
addition, multiple types of data can be transmitted together, and the
router cannot use any of them until the transmission of all the data
is complete.
Furthermore, more types of RPKI data may appear in the RPKI
repositories and RPs, which makes the above problem more significant.
The following are example types, some of which may be supported in
the RPKI system in the future:
- Secured Routing Policy Specification Language (RPSL) [RFC7909]
- Signed Prefix Lists [I-D.ietf-sidrops-rpki-prefixlist]
- Autonomous Systems Cones [I-D.ietf-grow-rpki-as-cones]
- Mapping Origin Authorizations (MOAs) [I-D.ietf-sidrops-moa-profile]
- Signed SAVNET-Peering Information (SiSPI) [I-D.chen-sidrops-sispi]
- Path validation with RPKI [I-D.van-beijnum-sidrops-pathrpki]
- Signed Groupings of Autonomous System Numbers
  [I-D.spaghetti-sidrops-rpki-asgroup]
To deal with the problem, configuring routers to simply ignore the
RPKI data they are not interested in when it arrives over the RTR
protocol may not be a good solution: storage overhead is avoided, but
transmission delay is not optimized. Extending the RTR protocol to
support selective synchronization of RPKI data is an alternative
solution [I-D.geng-sidrops-rtr-selective-sync]. Both solutions
require an upgrade of router software.
SLURM provides a simple way to enable an RP to establish a local and
customized view of the RPKI ([RFC8416],
[I-D.ietf-sidrops-aspa-slurm]). It defines Validation Output Filters
to filter out specific RPKI data items and Locally Added Assertions
to add RPKI data items. Unfortunately, SLURM cannot efficiently
filter out RPKI data by type, i.e., filter out all the RPKI data
belonging to a specific type.
This document proposes enhanced SLURM filters that can filter out
RPKI data by type. With enhanced SLURM filters, operators can
efficiently select which types of RPKI data need to be synchronized
to routers.
The proposed method requires some modifications to the SLURM-related
processing in RP software. Upgrades of RTR implementations and router
software implementations are not involved.
1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
2. Use Case
One use case is an IPv6-only network. Suppose an IPv6-only network
wants to enable ROV on its BGP border routers. The routers should be
interested only in IPv6-related BGP validation because they can only
receive IPv6 routes from neighbor ASes. Therefore, IPv4 Prefix data
is not useful for the network. An example of an IPv6-only network is
the New China Education and Research Network (named Future Internet
Technology Infrastructure, FITI).
                 +---------------+
                 | Relying Party |
                 +---------------+
                    /         \
                   / Sync RPKI \
                  / data by RTR \
       +---------/---------------\---------+
  IPv6 |        /                 \        | IPv6
 routes|  +----------+       +----------+  | routes
------>|  |BGP router|       |BGP router|  |------>
       |  +----------+       +----------+  |
       |             IPv6-only             |
       +-----------------------------------+
As described in Section 1, there may be more types of RPKI data in
the RPKI repositories and RPs. Thus, there will be more use cases
where a network does not need all types of RPKI data in the future.
3. Enhanced SLURM Filters
This section proposes two optional designs.
3.1. Design 1: RPKI Data Type Filters
A SLURM file consists of a single JSON [RFC8259] object containing
the following members:
* A "slurmVersion" member that MUST be set to 3, encoded as a number
* A "validationOutputFilters" member whose value is an object. The
  object MUST contain exactly four members:
  - A "prefixFilters" member, see Section 3.3.1 [RFC8416]
  - A "bgpsecFilters" member, see Section 3.3.2 [RFC8416]
  - An "aspaFilters" member, see Section 3.1
    [I-D.ietf-sidrops-aspa-slurm]
  - A "typeFilters" member
* A "locallyAddedAssertions" member whose value is an object. The
  object MUST contain exactly three members:
  - A "prefixAssertions" member, see Section 3.4.1 [RFC8416]
  - A "bgpsecAssertions" member, see Section 3.4.2 [RFC8416]
  - An "aspaAssertions" member, see Section 3.2
    [I-D.ietf-sidrops-aspa-slurm]
The following JSON structure with JSON members represents a SLURM
file that has no filters or assertions:
   {
     "slurmVersion": 3,
     "validationOutputFilters": {
       "aspaFilters": [],
       "bgpsecFilters": [],
       "prefixFilters": [],
       "typeFilters": []
     },
     "locallyAddedAssertions": {
       "aspaAssertions": [],
       "bgpsecAssertions": [],
       "prefixAssertions": []
     }
   }
3.1.1. RPKI Data Type Filters
There are currently four types of RPKI data (following the RTR PDU
definitions). The number of data types may increase with time.
* IPv4 Prefix
* IPv6 Prefix
* Router Key
* ASPA
The RP can configure zero to four RPKI Data Type Filters
("Type Filter" for short). Each Type Filter contains a single
'rpkiDataType' and optionally a single 'comment'.
* The 'rpkiDataType' member MUST be one of the following values:
  "IPv4 Prefix", "IPv6 Prefix", "Router Key", or "ASPA".
* It is RECOMMENDED that an explanatory comment be included with
  each Type Filter so that it can be shown to users of the RP
  software.
Any RPKI data item that matches any configured Type Filter MUST be
removed from the RP's output.
An RPKI data item matches a Type Filter if the RPKI data type of the
item is equal to the "rpkiDataType" value of the Type Filter.
The following example JSON structure represents a "typeFilters"
member with one object as described above:
   "typeFilters": [
     {
       "rpkiDataType": "IPv4 Prefix",
       "comment": "Filter out VRPs with IPv4 Prefixes"
     }
   ]
When a type of RPKI data is to be filtered out, the corresponding
Filters and Assertions MUST be ignored. In the above JSON example,
the prefixFilters with IPv4 prefixes and the prefixAssertions with
IPv4 prefixes are ignored by the RP.
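The Design 1 processing rules above, sketched as an added example (not part of this draft or of any RP software). The item layout ("kind", "asn", "prefix") and the function names are assumptions made for illustration; only Type Filters and RFC 8416 prefix filters and assertions are handled, and Router Key and ASPA items are subject to Type Filters only.

```python
import ipaddress
import json
RPKI_DATA_TYPES = {"IPv4 Prefix", "IPv6 Prefix", "Router Key", "ASPA"}

def data_type(item):
    # Assumed RP output layout: {"kind": "vrp" | "router_key" | "aspa", ...}
    if item["kind"] == "vrp":
        return "IPv%d Prefix" % ipaddress.ip_network(item["prefix"]).version
    return {"router_key": "Router Key", "aspa": "ASPA"}[item["kind"]]

def prefix_filter_matches(flt, vrp):
    # RFC 8416 Section 3.3.1: every member present in the filter must match.
    if "asn" in flt and flt["asn"] != vrp["asn"]:
        return False
    if "prefix" in flt:
        cover = ipaddress.ip_network(flt["prefix"])
        net = ipaddress.ip_network(vrp["prefix"])
        return net.version == cover.version and net.subnet_of(cover)
    return "asn" in flt

def apply_slurm(slurm_text, validated):
    slurm = json.loads(slurm_text)
    if slurm.get("slurmVersion") != 3:
        raise ValueError("slurmVersion MUST be 3")
    filters = slurm["validationOutputFilters"]
    blocked = {tf.get("rpkiDataType") for tf in filters["typeFilters"]}
    if not blocked <= RPKI_DATA_TYPES:  # fail closed on a mistyped type name
        raise ValueError("unknown rpkiDataType in typeFilters")
    out = [i for i in validated if data_type(i) not in blocked and not (
        i["kind"] == "vrp"
        and any(prefix_filter_matches(f, i) for f in filters["prefixFilters"]))]
    # Assertions of a filtered-out type are ignored, so they cannot re-add it.
    for a in slurm["locallyAddedAssertions"]["prefixAssertions"]:
        vrp = {"kind": "vrp", "asn": a["asn"], "prefix": a["prefix"]}
        if data_type(vrp) not in blocked:
            out.append(vrp)
    return out

SLURM = json.dumps({"slurmVersion": 3,  # constructed sample (IPv6-only network)
    "validationOutputFilters": {"aspaFilters": [], "bgpsecFilters": [],
        "prefixFilters": [{"prefix": "2001:db8:1::/48"}],
        "typeFilters": [{"rpkiDataType": "IPv4 Prefix", "comment": "IPv6-only"}]},
    "locallyAddedAssertions": {"aspaAssertions": [], "bgpsecAssertions": [],
        "prefixAssertions": [{"asn": 64496, "prefix": "198.51.100.0/24"},
                             {"asn": 64496, "prefix": "2001:db8:2::/48"}]}})
VALIDATED = [{"kind": "vrp", "asn": 64500, "prefix": "192.0.2.0/24"},
             {"kind": "vrp", "asn": 64500, "prefix": "2001:db8::/32"},
             {"kind": "vrp", "asn": 64501, "prefix": "2001:db8:1:8000::/49"},
             {"kind": "aspa", "customer_asid": 64500, "providers": [64510]}]
```

Calling apply_slurm(SLURM, VALIDATED) drops the IPv4 VRP and the IPv4 assertion, while the IPv6 prefix filter and the IPv6 assertion still take effect.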
3.2. Design 2: Special ASNs
A SLURM file consists of a single JSON [RFC8259] object which has the
same structure as [I-D.ietf-sidrops-aspa-slurm], except that the
"slurmVersion" member MUST be set to 3.
The structures of ROA filters, BGPsec filters, and ASPA filters are
not changed.
To filter out a specific type of RPKI data, the "asn" member of the
above filters can be set to a special value (e.g., 65535; the value
is TBD).
The following example JSON structure represents a "prefixFilters"
member with one object as described above:
   "prefixFilters": [
     {
       "asn": 65535,
       "comment": "Filter out VRPs with IPv4 and IPv6 Prefixes"
     }
   ]
When a type of RPKI data is to be filtered out, the corresponding
Filters and Assertions MUST be ignored. In the above JSON example,
the other prefixFilters and all the prefixAssertions are ignored by
the RP.
To filter out only IPv4 Prefixes, two special values can be used,
one for IPv4 and the other for IPv6. The concrete design is TBD.
4. Security Considerations
The security considerations in Section 6 of [RFC8416] also apply to
this document.
5. IANA Considerations
This document has no IANA actions.
6. References
6.1. Normative References
[RFC8416] Ma, D., Mandelberg, D., and T. Bruijnzeels, "Simplified
Local Internet Number Resource Management with the RPKI
(SLURM)", RFC 8416, DOI 10.17487/RFC8416, August 2018,
<https://www.rfc-editor.org/info/rfc8416>.
[RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
Interchange Format", STD 90, RFC 8259,
DOI 10.17487/RFC8259, December 2017,
<https://www.rfc-editor.org/info/rfc8259>.
[RFC6810] Bush, R. and R. Austein, "The Resource Public Key
Infrastructure (RPKI) to Router Protocol", RFC 6810,
DOI 10.17487/RFC6810, January 2013,
<https://www.rfc-editor.org/info/rfc6810>.
[RFC8210] Bush, R. and R. Austein, "The Resource Public Key
Infrastructure (RPKI) to Router Protocol, Version 1",
RFC 8210, DOI 10.17487/RFC8210, September 2017,
<https://www.rfc-editor.org/info/rfc8210>.
[I-D.ietf-sidrops-8210bis]
Bush, R. and R. Austein, "The Resource Public Key
Infrastructure (RPKI) to Router Protocol, Version 2", Work
in Progress, Internet-Draft, draft-ietf-sidrops-8210bis-23,
19 October 2025,
<https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-8210bis-23>.
[I-D.geng-sidrops-rtr-selective-sync]
Geng, N., Zhuang, S., Fu, Y., and M. Huang, "Selective
Synchronization for RPKI to Router Protocol", Work in
Progress, Internet-Draft,
draft-geng-sidrops-rtr-selective-sync-05, 14 April 2025,
<https://datatracker.ietf.org/doc/html/draft-geng-sidrops-rtr-selective-sync-05>.
[I-D.ietf-sidrops-aspa-slurm]
Snijders, J. and B. Cartwright-Cox, "Simplified Local
Internet Number Resource Management (SLURM) with RPKI
Autonomous System Provider Authorizations (ASPA)", Work in
Progress, Internet-Draft, draft-ietf-sidrops-aspa-slurm-04,
16 November 2025,
<https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-slurm-04>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
6.2. Informative References
[RFC7909] Kisteleki, R. and B. Haberman, "Securing Routing Policy
Specification Language (RPSL) Objects with Resource Public
Key Infrastructure (RPKI) Signatures", RFC 7909,
DOI 10.17487/RFC7909, June 2016,
<https://www.rfc-editor.org/info/rfc7909>.
[I-D.van-beijnum-sidrops-pathrpki]
van Beijnum, I., "Path validation with RPKI", Work in
Progress, Internet-Draft,
draft-van-beijnum-sidrops-pathrpki-00, 20 June 2019,
<https://datatracker.ietf.org/doc/html/draft-van-beijnum-sidrops-pathrpki-00>.
[I-D.ietf-grow-rpki-as-cones]
Snijders, J., stucchi-lists@glevia.com, and M. Aelmans,
"RPKI Autonomous Systems Cones: A Profile To Define Sets
of Autonomous Systems Numbers To Facilitate BGP
Filtering", Work in Progress, Internet-Draft,
draft-ietf-grow-rpki-as-cones-02, 24 April 2020,
<https://datatracker.ietf.org/doc/html/draft-ietf-grow-rpki-as-cones-02>.
[I-D.spaghetti-sidrops-rpki-asgroup]
Snijders, J. and F. Korsbäck, "A profile for RPKI Signed
Groupings of Autonomous System Numbers (ASGroup)", Work in
Progress, Internet-Draft,
draft-spaghetti-sidrops-rpki-asgroup-00, 16 November 2022,
<https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rpki-asgroup-00>.
[I-D.ietf-sidrops-rpki-prefixlist]
Snijders, J. and G. Huston, "A profile for Signed Prefix
Lists for Use in the Resource Public Key Infrastructure
(RPKI)", Work in Progress, Internet-Draft,
draft-ietf-sidrops-rpki-prefixlist-05, 10 December 2025,
<https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist-05>.
[I-D.ietf-sidrops-moa-profile]
Xie, C., Dong, G., Li, X., Huston, G., and D. Ma, "A
Profile for Mapping Origin Authorizations (MOAs)", Work in
Progress, Internet-Draft, draft-ietf-sidrops-moa-profile-02,
19 July 2025,
<https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-moa-profile-02>.
[I-D.chen-sidrops-sispi]
Chen, L., Liu, L., Li, D., and L. Qin, "A Profile of
Signed SAVNET-Peering Information (SiSPI) Object for
Deploying Inter-domain SAVNET", Work in Progress,
Internet-Draft, draft-chen-sidrops-sispi-04, 14 September
2025,
<https://datatracker.ietf.org/doc/html/draft-chen-sidrops-sispi-04>.
Acknowledgements
TBD
Authors' Addresses
Yu Fu
China Telecom
Beijing
China
Email: fuy44@chinatelecom.cn
Nan Geng
Huawei
Beijing
China
Email: gengnan@huawei.com