Skip to main content

Publishing End-Site Prefix Lengths
draft-gasser-opsawg-prefix-lengths-02

Document Type Active Internet-Draft (opsawg WG)
Authors Oliver Gasser , Randy Bush , Massimo Candela , Russ Housley
Last updated 2024-11-18 (Latest revision 2024-11-04)
RFC stream Internet Engineering Task Force (IETF)
Intended RFC status (None)
Formats
Additional resources Mailing list discussion
Stream WG state Candidate for WG Adoption
Document shepherd (None)
IESG IESG state I-D Exists
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD (None)
Send notices to (None)
draft-gasser-opsawg-prefix-lengths-02
Network Working Group                                          O. Gasser
Internet-Draft                                                    IPinfo
Intended status: Standards Track                                 R. Bush
Expires: 8 May 2025                                IIJ Research & Arrcus
                                                              M. Candela
                                                                     NTT
                                                              R. Housley
                                                          Vigil Security
                                                         4 November 2024

                   Publishing End-Site Prefix Lengths
                 draft-gasser-opsawg-prefix-lengths-02

Abstract

   This document specifies how to augment the Routing Policy
   Specification Language (RPSL) inetnum: class to refer specifically to
   prefixlen comma-separated values (CSV) data files and describes an
   optional scheme that uses the Resource Public Key Infrastructure
   (RPKI) to authenticate the prefixlen data files.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 8 May 2025.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights

Gasser, et al.             Expires 8 May 2025                   [Page 1]
Internet-Draft     Publishing End-Site Prefix Lengths      November 2024

   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Language . . . . . . . . . . . . . . . . . . . .   3
   3.  prefixlen Files . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  inetnum: Class  . . . . . . . . . . . . . . . . . . . . . . .   5
   5.  Fetching prefixlen Data . . . . . . . . . . . . . . . . . . .   7
   6.  Authenticating prefixlen Data (Optional)  . . . . . . . . . .   8
   7.  Operational Considerations  . . . . . . . . . . . . . . . . .  11
   8.  Implementation Status . . . . . . . . . . . . . . . . . . . .  12
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  12
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  13
   11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  14
   12. References  . . . . . . . . . . . . . . . . . . . . . . . . .  14
     12.1.  Normative References . . . . . . . . . . . . . . . . . .  14
     12.2.  Informative References . . . . . . . . . . . . . . . . .  16
   Appendix A.  Example  . . . . . . . . . . . . . . . . . . . . . .  18
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  27

1.  Introduction

   Internet service providers (ISPs) delegate IP addresses or entire IP
   prefixes to their users.  Similarly, cloud providers assign customers
   who use their services such as virtual machines a prefix of a
   specific size.  Therefore, there are countless variations of
   different end-site prefix length present in the Internet.  Currently,
   there is no easy way for content providers to know the end-site
   prefix size of someone accessing their service.  Knowing the correct
   end-site's prefix size has multiple implications such as:

   *  Blocklisting/throttling: In IPv4, IP addresses can be blocked at
      different prefix levels, such as /24 or /32.  In IPv6 on the other
      hand, blocking at e.g. the /64 level could lead to overblocking
      (throwing multiple VMs from different users into the same bucket),
      while blocking at the e.g. /128 level would lead to filling up
      space in the blocklist pretty quickly.  The same applies to
      throttling.  [I-D.ietf-opsec-ipv6-addressing] recently also raised
      this issue.

Gasser, et al.             Expires 8 May 2025                   [Page 2]
Internet-Draft     Publishing End-Site Prefix Lengths      November 2024

   *  Rate limiting/CAPTCHAs: A similar issue arises on the Web, where
      "close" prefixes might be thrown together (e.g. in the same /56,
      even though the ISP hands out /64s), which leads to people
      "jointly" running into rate limits and then either being blocked
      from a service or having to solve annoying CAPTCHAs.

   *  Geolocation: Getting the right prefix size for IPv6 geolocation is
      similarly hard.  If you aggregate too little, you throw together
      different clients in different locations, and if you aggregate too
      much, you fill up the geolocation database with unnecessary
      entries.

   This document specifies how to augment the Routing Policy
   Specification Language (RPSL) [RFC2725] inetnum: class to refer
   specifically to prefixlen data files and how to use them.  In all
   places inetnum: is used, inet6num: should also be assumed [RFC4012].

   The reader may find [INETNUM] and [INET6NUM] informative, and
   certainly more verbose, descriptions of the inetnum: database
   classes.

   An optional means for authenticating prefixlen data is also defined
   in Section 6.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  prefixlen Files

   prefixlen files are CSV (Comma Separated Values) [RFC4180] files in
   UTF-8 [RFC3629] text format; not HTML, richtext, or other formats.
   Lines MUST be delimited by a line break (CRLF), and blank lines MUST
   be ignored.  Text from a '#' character to the end of the current line
   MUST be treated as a comment only and is similarly ignored.  The
   first field of each non-ignored line specifies the prefix in question
   and the second field the end-site prefix length within that prefix as
   an integer.

   If an ISP delegates /56 IPv6 prefixes of the 2001:db8::/32 range, and
   /32 IPv4 prefixes (i.e. a single IPv4 address) of the 192.0.2.0/24
   range to its customers, it would create a prefix length file
   containing the following example entries:

Gasser, et al.             Expires 8 May 2025                   [Page 3]
Internet-Draft     Publishing End-Site Prefix Lengths      November 2024

       2001:db8::/32,56
       192.0.2.0/24,32

   If a cloud provider assigns /120 IPv6 prefixes to each customer VM
   and a /64 prefix to premium customers, it would create a prefix
   length file containing the following example entries:

       2001:db8::/32,120
       2001:db8:abcd::/48,64

   Note that the second entry in the above example is a subprefix of the
   first entry.  Therefore, longest prefix matching has to be taken into
   account when parsing prefixlen files.

   prefixlen files can also be used to signal the presence of Carrier-
   Grade NAT (CGN) [RFC6598] networks.  This is especially useful for
   cases where multiple end-sites behind a CGN accessing a service at
   the same time might run into rate limiting issues by service
   providers.  In case a prefixlen file signals the presence of a CGN,
   service providers can treat these prefixes in a way that rate limits
   are not triggered.  To signal the presence of a CGN, a prefixlen file
   contains a prefix length field larger than the most specific prefix
   sizes, i.e., 32 for IPv4 and 128 for IPv6.  Specifically, the prefix
   length field value is specified as prefix_length +
   log_2(number_of_cgn_end_sites).  For example, a CGN prefix
   192.0.2.0/24 containing 65,536 end sites would lead to a prefix
   length value of 24 + log_2(65536) = 24 + 16 = 40 and is specified as
   follows:

       192.0.2.0/24,40

   Duplicate prefix entries MUST be considered an error, and consumer
   implementations SHOULD log the repeated entries for further
   administrative review.  Publishers SHOULD take measures to ensure
   there is one and only one entry per prefix.

   Content providers and other parties who wish to differentiate
   services based on end site prefixes need to find the relevant
   prefixlen data.  In Section 4, this document specifies how to find
   the relevant prefixlen file given an IP address.

   prefixlen data for large providers with significant horizontal scale
   and high granularity can be quite large.  The size of a file can be
   even larger if an unsigned prefixlen file combines data for many
   prefixes, if dual IPv4/IPv6 spaces are represented, etc.

   This document also suggests an optional signature to strongly
   authenticate the data in the prefixlen files.

Gasser, et al.             Expires 8 May 2025                   [Page 4]
Internet-Draft     Publishing End-Site Prefix Lengths      November 2024

4.  inetnum: Class

   The original RPSL specifications starting with [RIPE81], [RIPE181],
   and a trail of subsequent documents were written by the RIPE
   community.  The IETF standardized RPSL in [RFC2622] and [RFC4012].
   Since then, it has been modified and extensively enhanced in the
   Regional Internet Registry (RIR) community, mostly by RIPE [RIPE-DB].
   At the time of publishing this document, change control of RPSL
   effectively lies in the operator community.

   The RPSL, and [RFC2725] and [RFC4012] used by the Regional Internet
   Registries (RIRs), specify the inetnum: database class.  Each of
   these objects describes an IP address range and its attributes.  The
   inetnum: objects form a hierarchy ordered on the address space.

   Ideally, RPSL would be augmented to define a new RPSL prefixlen:
   attribute in the inetnum: class.  Absent implementation of the
   prefixlen: attribute in a particular RIR database, this document
   defines the syntax of a prefixlen remarks: attribute, which contains
   an HTTPS URL of a prefixlen file.  The format of the inetnum:
   prefixlen remarks: attribute MUST be as in this example, "remarks:
   Prefixlen ", where the token "prefixlen" MUST be case sensitive,
   followed by a URL that will vary, but it MUST refer only to a single
   prefixlen file.

       inetnum: 192.0.2.0/24 # example
       remarks: Prefixlen https://example.com/prefixlen

   While we leave global agreement of RPSL modification to the relevant
   parties, we specify that a proper prefixlen: attribute in the
   inetnum: class MUST be "prefixlen:" and MUST be followed by a single
   URL that will vary, but it MUST refer only to a single prefixlen
   file.

       inetnum: 192.0.2.0/24 # example
       prefixlen: https://example.com/prefixlen

   The URL uses HTTPS, so the WebPKI provides authentication, integrity,
   and confidentiality for the fetched prefixlen file.  However, the
   WebPKI can not provide authentication of IP address space assignment.
   In contrast, the RPKI (see [RFC6481]) can be used to authenticate IP
   space assignment; see optional authentication in Section 6.

Gasser, et al.             Expires 8 May 2025                   [Page 5]
Internet-Draft     Publishing End-Site Prefix Lengths      November 2024

   In addition to publishing the location of prefixlen files in WHOIS
   with the prefixlen: or remarks: approaches, there is currently a
   proposal being discussed to introduce a new RPSL attribute of type
   extref: for generic external references
   [I-D.ymbk-opsawg-rpsl-extref].  With this extref approach a prefixlen
   can be referenced as follows:

             inetnum: 192.0.2.0/24 # example
             extref: Prefixlen https://example.com/prefixlen

   Until all producers of inetnum: objects, i.e., the RIRs, state that
   they have migrated to supporting a prefixlen: or extref: attribute,
   consumers looking at inetnum: objects to find prefixlen URLs MUST be
   able to consume the remarks:, prefixlen:, and extref: forms.

   The migration not only implies that the RIRs support the prefixlen:
   or extref: attributes, but that all registrants have migrated any
   inetnum: objects from remarks: to prefixlen: or extref: attributes.

   Any particular inetnum: object SHOULD have, at most, one prefixlen
   reference, whether a remarks:, extref:, or prefixlen: attribute when
   it is implemented.  As the remarks: form can not be formally checked
   by the RIR, this can not be formally enforced.  A prefixlen: or
   extref: attribute is preferred, of course, if the RIR supports it.
   If there is more than one type of attribute in the inetnum: object,
   the prefixlen: or extref: attributes MUST be used.

   For inetnum:s covering the same address range, a signed prefixlen
   file MUST be preferred over an unsigned file.  If none are signed, or
   more than one is signed, the (signed) inetnum: with the most recent
   last-modified: attribute MUST be preferred.

   If a prefixlen file describes multiple disjoint ranges of IP address
   space, there are likely to be prefixlen references from multiple
   inetnum: objects.  Files with prefixlen references from multiple
   inetnum: objects are not compatible with the signing procedure in
   Section 6.

   An unsigned, and only an unsigned, prefixlen file MAY be referenced
   by multiple inetnum:s and MAY contain prefixes from more than one
   registry.

   When fetching, the most specific inetnum: object with a prefixlen
   reference MUST be used.

Gasser, et al.             Expires 8 May 2025                   [Page 6]
Internet-Draft     Publishing End-Site Prefix Lengths      November 2024

   It is significant that prefixlen data may have finer granularity than
   the inetnum: that refers to them.  For example, an inetnum: object
   for an address range P could refer to a prefixlen file in which P has
   been subdivided into one or more longer prefixes.

5.  Fetching prefixlen Data

   This document is to provides a guideline for how interested parties
   should fetch and read prefixlen files.

   To minimize the load on RIRs' WHOIS [RFC3912] services, the RIR's FTP
   [RFC0959] services SHOULD be used for large-scale access to gather
   inetnum:s with prefixlen references.  This uses efficient bulk access
   instead of fetching via brute-force search through the IP space.

   On the other hand, RIRs are converging on RDAP support which includes
   geofeed data, see [I-D.ietf-regext-rdap-geofeed].  It is hoped that
   this will be extended, or generalized, to support prefixlen data.

   When reading data from an unsigned prefixlen file, one MUST ignore
   data outside the referring inetnum: object's address range.  This is
   to avoid importing data about ranges not under the control of the
   operator.  Note that signed files MUST only contain prefixes within
   the referring inetnum:'s range as mandated in Section 6.

   If prefixlen files are fetched, other prefix length information from
   the inetnum: MUST be ignored.

   Given an address range of interest, the most specific inetnum: object
   with a prefixlen reference MUST be used to fetch the prefixlen file.
   For example, if the fetching party finds the following inetnum:
   objects:

       inetnum: 192.0.0.0/22 # example
       remarks: Prefixlen https://example.com/prefixlen_1

       inetnum: 192.0.2.0/24 # example
       remarks: Prefixlen https://example.com/prefixlen_2

   An application looking for prefixlen data for 192.0.2.0/29, MUST
   ignore data in prefixlen_1 because 192.0.2.0/29 is within the more
   specific 192.0.2.0/24 inetnum: covering that address range and that
   inetnum: does have a prefixlen reference.

Gasser, et al.             Expires 8 May 2025                   [Page 7]
Internet-Draft     Publishing End-Site Prefix Lengths      November 2024

6.  Authenticating prefixlen Data (Optional)

   The question arises whether a particular prefixlen [RFC8805] data set
   is valid, i.e., is authorized by the "owner" of the IP address space
   and is authoritative in some sense.  The inetnum: that points to the
   prefixlen [RFC8805] file provides some assurance.  Unfortunately, the
   RPSL in some repositories is weakly authenticated at best.  An
   approach where RPSL was signed per [RFC7909] would be good, except it
   would have to be deployed by all RPSL registries, and there is a fair
   number of them.

   The remainder of this section specifies an optional authenticator for
   the prefixlen data set that follows the Signed Object Template for
   the Resource Public Key Infrastructure (RPKI) [RFC6488].

   A single optional authenticator MAY be appended to a prefixlen
   [RFC8805] file.  It is a digest of the main body of the file signed
   by the private key of the relevant RPKI certificate for a covering
   address range.  The following format bundles the relevant RPKI
   certificate with a signature over the prefixlen text.

   The canonicalization procedure converts the data from their internal
   character representation to the UTF-8 [RFC3629] character encoding,
   and the <CRLF> sequence MUST be used to denote the end of each line
   of text.  A blank line is represented solely by the <CRLF> sequence.
   For robustness, any non-printable characters MUST NOT be changed by
   canonicalization.  Trailing blank lines MUST NOT appear at the end of
   the file.  That is, the file must not end with multiple consecutive
   <CRLF> sequences.  Any end-of-file marker used by an operating system
   is not considered to be part of the file content.  When present, such
   end-of-file markers MUST NOT be covered by the digital signature.

   If the authenticator is not in the canonical form described above,
   then, the authenticator is invalid.

   Borrowing detached signatures from [RFC5485], after file
   canonicalization, the Cryptographic Message Syntax (CMS) [RFC5652] is
   used to create a detached DER-encoded signature that is then Base64
   encoded with padding (as defined in Section 4 of [RFC4648]) and line
   wrapped to 72 or fewer characters.  The same digest algorithm MUST be
   used for calculating the message digest of the content being signed,
   which is the prefixlen file, and for calculating the message digest
   on the SignerInfo SignedAttributes [RFC8933].  The message digest
   algorithm identifier MUST appear in both the CMS SignedData
   DigestAlgorithmIdentifiers and the SignerInfo
   DigestAlgorithmIdentifier [RFC5652].  The RPKI certificate covering
   the prefixlen inetnum: object's address range is included in the CMS
   SignedData certificates field [RFC5652].

Gasser, et al.             Expires 8 May 2025                   [Page 8]
Internet-Draft     Publishing End-Site Prefix Lengths      November 2024

   The address range of the signing certificate MUST cover all prefixes
   in the signed prefixlen file.  If not, the authenticator is invalid.

   The signing certificate MUST NOT include the Autonomous System
   Identifier Delegation certificate extension [RFC3779].  If it is
   present, the authenticator is invalid.

   As with many other RPKI signed objects, the IP Address Delegation
   certificate extension MUST NOT use the "inherit" capability defined
   in Section 2.2.3.5 of [RFC3779].  If "inherit" is used, the
   authenticator is invalid.

   An IP Address Delegation extension using "inherit" would complicate
   processing.  The implementation would have to build the certification
   path from the end-entity to the trust anchor, then validate the path
   from the trust anchor to the end-entity, and then the parameter would
   have to be remembered when the validated public key was used to
   validate a signature on a CMS object.  Having to remember things from
   certification path validation for use with CMS object processing
   would be quite complex and error prone.  And, the certificates do not
   get that much bigger by repeating the information.

   An address range A "covers" address range B if the range of B is
   identical to or a subset of A.  "Address range" is used here because
   inetnum: objects and RPKI certificates need not align on Classless
   Inter-Domain Routing (CIDR) [RFC4632] prefix boundaries, while those
   of the lines in a prefixlen file do align.

   The Certification Authority (CA) SHOULD sign only one prefixlen file
   with each generated private key and SHOULD generate a new key pair
   for each new version of a perticular prefixlen file.  The CA MUST
   generate a new End Entity (EE) certificate for each signing of a
   particular prefixlen file.  An associated EE certificate used in this
   fashion is termed a "one-time-use" EE certificate (see Section 3 of
   [RFC6487]).

   Identifying the private key associated with the certificate and
   getting the department that controls the private key (which might be
   stored in a Hardware Security Module (HSM)) to generate the CMS
   signature is left as an exercise for the implementor.  On the other
   hand, verifying the signature has no similar complexity; the
   certificate, which is validated in the RPKI, contains the needed
   public key.  The RPKI trust anchors for the RIRs are available to the
   party performing signature validation.  Validation of the CMS
   signature over the prefixlen file involves:

Gasser, et al.             Expires 8 May 2025                   [Page 9]
Internet-Draft     Publishing End-Site Prefix Lengths      November 2024

   1.  Obtaining the signer's certificate from the CMS SignedData
       CertificateSet [RFC5652].  The certificate SubjectKeyIdentifier
       extension [RFC5280] MUST match the SubjectKeyIdentifier in the
       CMS SignerInfo SignerIdentifier [RFC5652].  If the key
       identifiers do not match, then validation MUST fail.

   2.  Validating the signer's certificate MUST ensure that it is part
       of the current [RFC9286] manifest and that all resources are
       covered by the RPKI certificate.

   3.  Construct and validate the certification path for the signer's
       certificate.  All of the needed certificates are expected to be
       readily available in the RPKI repository.  The certification path
       MUST be valid according to the validation algorithm in [RFC5280]
       and the additional checks specified in [RFC3779] associated with
       the IP Address Delegation certificate extension and the
       Autonomous System Identifier Delegation certificate extension.
       If certification path validation is unsuccessful, then validation
       MUST fail.

   4.  Validating the CMS SignedData as specified in [RFC5652] using the
       public key from the validated signer's certificate.  If the
       signature validation is unsuccessful, then validation MUST fail.

   5.  Confirming that the eContentType object identifier (OID) is id-
       ct-prefixlenCSVwithCRLF (1.2.840.113549.1.9.16.1.TBD).  This OID
       MUST appear within both the eContentType in the encapContentInfo
       object and the ContentType signed attribute in the signerInfo
       object (see [RFC6488]).

   6.  Verifying that the IP Address Delegation certificate extension
       [RFC3779] covers all of the address ranges of the prefixlen file.
       If all of the address ranges are not covered, then validation
       MUST fail.

   All of the above steps MUST be successful to consider the prefixlen
   file signature as valid.

   The authenticator MUST be hidden as a series of "#" comments at the
   end of the prefixlen file.  The following simple example is
   cryptographically incorrect:

Gasser, et al.             Expires 8 May 2025                  [Page 10]
Internet-Draft     Publishing End-Site Prefix Lengths      November 2024

       # RPKI Signature: 192.0.2.0 - 192.0.2.255
       # MIIGlwYJKoZIhvcNAQcCoIIGiDCCBoQCAQMxDTALBglghkgBZQMEAgEwDQYLKoZ
       # IhvcNAQkQAS+gggSxMIIErTCCA5WgAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZu
       ...
       # imwYkXpiMxw44EZqDjl36MiWsRDLdgoijBBcGbibwyAfGeR46k5raZCGvxG+4xa
       # O8PDTxTfIYwAnBjRBKAqAZ7yX5xHfm58jUXsZJ7Ileq1S7G6Kk=
       # End Signature: 192.0.2.0 - 192.0.2.255

   A correct and full example is in Appendix A.

   The CMS signature does not cover the signature lines.

   The bracketing "# RPKI Signature:" and "# End Signature:" MUST be
   present as shown in the example.  The RPKI Signature's IP address
   range MUST match that of the prefixlen URL in the inetnum: that
   points to the prefixlen file.

7.  Operational Considerations

   To create the needed inetnum: objects, an operator wishing to
   register the location of their prefixlen file needs to coordinate
   with their Regional Internet Registry (RIR) or National Internet
   Registry (NIR) and/or any provider Local Internet Registry (LIR) that
   has assigned address ranges to them.  RIRs/NIRs provide means for
   assignees to create and maintain inetnum: objects.  They also provide
   means of assigning or sub-assigning IP address resources and allowing
   the assignee to create WHOIS data, including inetnum: objects,
   thereby referring to prefixlen files.

   The prefixlen files MUST be published via and fetched using HTTPS
   [RFC9110].

   When using data from a prefixlen file, one MUST ignore data outside
   the referring inetnum: object's inetnum: attribute address range.

   If and only if the prefixlen file is not signed per Section 6, then
   multiple inetnum: objects MAY refer to the same prefixlen file, and
   the consumer MUST use only lines in the prefixlen file where the
   prefix is covered by the address range of the inetnum: object's URL
   it has followed.

   If the prefixlen file is signed, and the signer's certificate
   changes, the signature in the prefixlen file MUST be updated.

   It is good key hygiene to use a given key for only one purpose.  To
   dedicate a signing private key for signing a prefixlen file, an RPKI
   Certification Authority (CA) may issue a subordinate certificate
   exclusively for the purpose shown in Appendix A.

Gasser, et al.             Expires 8 May 2025                  [Page 11]
Internet-Draft     Publishing End-Site Prefix Lengths      November 2024

   Harvesting and publishing aggregated prefixlen data outside of the
   RPSL model should be avoided as it can have the effect that more
   specifics from one aggregatee could undesirably affect the less
   specifics of a different aggregatee.  Moreover, publishing aggregated
   prefixlen data prevents the reader of the data to perform the checks
   described in Section 5 and Section 6.

   An anonymized version of bulk WHOIS data is openly available for all
   RIRs except ARIN, which requires an authorization.  However, for
   users without such authorization, the same result can be achieved
   with extra RDAP effort.  There is open-source code to pass over such
   data across all RIRs, collect all prefixlen references, and process
   them [PREFIXLEN-FINDER].

   To prevent undue load on RPSL and prefixlen servers, entity-fetching
   prefixlen data using these mechanisms MUST NOT do frequent real-time
   lookups. prefixlen servers SHOULD send an HTTP Expires header
   [RFC7234] to signal when prefixlen data should be refetched.  As the
   data change very infrequently, in the absence of such an HTTP Header
   signal, collectors SHOULD NOT fetch more frequently than weekly.  It
   would be polite not to fetch at magic times such as midnight UTC, the
   first of the month, etc., because too many others are likely to do
   the same.

8.  Implementation Status

   At the time of publishing this document, the prefixlen: attribute in
   inetnum objects has not yet been implemented by any RIR database.

   Registrants in databases which do not yet support the prefixlen:
   attribute are using the remarks:, or equivalent, attribute.

   At the time of publishing this document, the registry data published
   by ARIN are not the same RPSL as that of the other registries (see
   [RFC7485] for a survey of the WHOIS Tower of Babel); therefore, when
   fetching from ARIN via FTP [RFC0959], WHOIS [RFC3912], the
   Registration Data Access Protocol (RDAP) [RFC9082], etc., the
   "NetRange" attribute/key must be treated as "inetnum", and the
   "Comment" attribute must be treated as "remarks".

   [rpki-client] can be used to authenticate a signed prefixlen file.

9.  Security Considerations

   The consumer of prefixlen data SHOULD fetch and process the data
   themselves.  Importing datasets produced and/or processed by a third-
   party places significant trust in the third-party.

Gasser, et al.             Expires 8 May 2025                  [Page 12]
Internet-Draft     Publishing End-Site Prefix Lengths      November 2024

   As mentioned in Section 6, some RPSL repositories have weak, if any,
   authentication.  This allows spoofing of inetnum: objects pointing to
   malicious prefixlen files.  Section 6 suggests an unfortunately
   complex method for stronger authentication based on the RPKI.

   For example, if an inetnum: for a wide address range (e.g., a /16)
   points to an RPKI-signed prefixlen file, a customer or attacker could
   publish an unsigned equal or narrower (e.g., a /24) inetnum: in a
   WHOIS registry that has weak authorization, abusing the rule that the
   most-specific inetnum: object with a prefixlen reference MUST be
   used.

   If signatures were mandatory, the above attack would be stymied, but
   of course that is not happening anytime soon.

   The RPSL providers have had to throttle fetching from their servers
   due to too-frequent queries.  Usually, they throttle by the querying
   IP address or block.  Similar defenses will likely need to be
   deployed by prefixlen file servers.

   As prefixlen files disclose which parts of a prefix belong to an end
   site, attackers could better focus DDoS traffic towards a website
   hosted by a cloud provider by overwhelming only IP addresses from
   that specific end site.  Furthermore, information collected from
   prefixlen files could allow for more targeted IPv6 scanning/
   reconnaisance, where scanners (be it benevolent or malicious ones)
   can target specific sub-prefixes which they deem more interesting.

10.  IANA Considerations

   IANA is asked to register object identifiers for one content type in
   the "SMI Security for S/MIME CMS Content Type
   (1.2.840.113549.1.9.16.1)" registry as follows:

   Description             OID                         Specification
   -----------------------------------------------------------------
   id-ct-prefixlenCSVwithCRLF  1.2.840.113549.1.9.16.1.47  [RFC-TBD]

   In the SMI Security for S/MIME CMS Content Type
   (1.2.840.113549.1.9.16.1) in the Structure of Management Information
   (SMI) Numbers (MIB Module Registrations) registry group located at:
   https://www.iana.org/assignments/smi-numbers/ there is no existing
   registration for prefixlen files yet.  On publication of this
   document, that reference needs to be changed to the new [ RFC-to-be
   ].

Gasser, et al.             Expires 8 May 2025                  [Page 13]
Internet-Draft     Publishing End-Site Prefix Lengths      November 2024

11.  Acknowledgments

   Thanks to the authors of [RFC8805], [RFC9092], and [RFC9632] and the
   folk they acknowledge from whom ideas and text have been liberally
   expropriated.

12.  References

12.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC2622]  Alaettinoglu, C., Villamizar, C., Gerich, E., Kessens, D.,
              Meyer, D., Bates, T., Karrenberg, D., and M. Terpstra,
              "Routing Policy Specification Language (RPSL)", RFC 2622,
              DOI 10.17487/RFC2622, June 1999,
              <https://www.rfc-editor.org/info/rfc2622>.

   [RFC2725]  Villamizar, C., Alaettinoglu, C., Meyer, D., and S.
              Murphy, "Routing Policy System Security", RFC 2725,
              DOI 10.17487/RFC2725, December 1999,
              <https://www.rfc-editor.org/info/rfc2725>.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
              2003, <https://www.rfc-editor.org/info/rfc3629>.

   [RFC3779]  Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
              Addresses and AS Identifiers", RFC 3779,
              DOI 10.17487/RFC3779, June 2004,
              <https://www.rfc-editor.org/info/rfc3779>.

   [RFC4012]  Blunk, L., Damas, J., Parent, F., and A. Robachevsky,
              "Routing Policy Specification Language next generation
              (RPSLng)", RFC 4012, DOI 10.17487/RFC4012, March 2005,
              <https://www.rfc-editor.org/info/rfc4012>.

   [RFC4180]  Shafranovich, Y., "Common Format and MIME Type for Comma-
              Separated Values (CSV) Files", RFC 4180,
              DOI 10.17487/RFC4180, October 2005,
              <https://www.rfc-editor.org/info/rfc4180>.

   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
              Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
              <https://www.rfc-editor.org/info/rfc4648>.

Gasser, et al.             Expires 8 May 2025                  [Page 14]
Internet-Draft     Publishing End-Site Prefix Lengths      November 2024

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
              <https://www.rfc-editor.org/info/rfc5280>.

   [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
              RFC 5652, DOI 10.17487/RFC5652, September 2009,
              <https://www.rfc-editor.org/info/rfc5652>.

   [RFC6481]  Huston, G., Loomans, R., and G. Michaelson, "A Profile for
              Resource Certificate Repository Structure", RFC 6481,
              DOI 10.17487/RFC6481, February 2012,
              <https://www.rfc-editor.org/info/rfc6481>.

   [RFC6487]  Huston, G., Michaelson, G., and R. Loomans, "A Profile for
              X.509 PKIX Resource Certificates", RFC 6487,
              DOI 10.17487/RFC6487, February 2012,
              <https://www.rfc-editor.org/info/rfc6487>.

   [RFC6488]  Lepinski, M., Chi, A., and S. Kent, "Signed Object
              Template for the Resource Public Key Infrastructure
              (RPKI)", RFC 6488, DOI 10.17487/RFC6488, February 2012,
              <https://www.rfc-editor.org/info/rfc6488>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8805]  Kline, E., Duleba, K., Szamonek, Z., Moser, S., and W.
              Kumari, "A Format for Self-Published IP Geolocation
              Feeds", RFC 8805, DOI 10.17487/RFC8805, August 2020,
              <https://www.rfc-editor.org/info/rfc8805>.

   [RFC8933]  Housley, R., "Update to the Cryptographic Message Syntax
              (CMS) for Algorithm Identifier Protection", RFC 8933,
              DOI 10.17487/RFC8933, October 2020,
              <https://www.rfc-editor.org/info/rfc8933>.

   [RFC9110]  Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
              Ed., "HTTP Semantics", STD 97, RFC 9110,
              DOI 10.17487/RFC9110, June 2022,
              <https://www.rfc-editor.org/info/rfc9110>.

   [RFC9286]  Austein, R., Huston, G., Kent, S., and M. Lepinski,
              "Manifests for the Resource Public Key Infrastructure
              (RPKI)", RFC 9286, DOI 10.17487/RFC9286, June 2022,
              <https://www.rfc-editor.org/info/rfc9286>.

Gasser, et al.             Expires 8 May 2025                  [Page 15]
Internet-Draft     Publishing End-Site Prefix Lengths      November 2024

12.2.  Informative References

   [I-D.ietf-opsec-ipv6-addressing]
              Gont, F. and G. Gont, "Implications of IPv6 Addressing on
              Security Operations", Work in Progress, Internet-Draft,
              draft-ietf-opsec-ipv6-addressing-00, 2 June 2023,
              <https://datatracker.ietf.org/doc/html/draft-ietf-opsec-
              ipv6-addressing-00>.

   [I-D.ietf-regext-rdap-geofeed]
              Singh, J. and T. Harrison, "An RDAP Extension for Geofeed
              Data", Work in Progress, Internet-Draft, draft-ietf-
              regext-rdap-geofeed-08, 18 October 2024,
              <https://datatracker.ietf.org/doc/html/draft-ietf-regext-
              rdap-geofeed-08>.

   [I-D.ymbk-opsawg-rpsl-extref]
              Bush, R., "Generalized RPSL External Reference", Work in
              Progress, Internet-Draft, draft-ymbk-opsawg-rpsl-extref-
              01, 21 October 2024,
              <https://datatracker.ietf.org/doc/html/draft-ymbk-opsawg-
              rpsl-extref-01>.

   [INET6NUM] RIPE NCC, "Description of the INET6NUM Object", October
              2019, <https://www.ripe.net/manage-ips-and-
              asns/db/support/documentation/ripe-database-documentation/
              rpsl-object-types/4-2-descriptions-of-primary-
              objects/4-2-3-description-of-the-inet6num-object>.

   [INETNUM]  RIPE NCC, "Description of the INETNUM Object", June 2020,
              <https://www.ripe.net/manage-ips-and-
              asns/db/support/documentation/ripe-database-documentation/
              rpsl-object-types/4-2-descriptions-of-primary-
              objects/4-2-4-description-of-the-inetnum-object>.

   [PREFIXLEN-FINDER]
              "prefixlen-finder", commit 5f557a4, June 2021,
              <https://github.com/massimocandela/prefixlen-finder>.

   [RFC0959]  Postel, J. and J. Reynolds, "File Transfer Protocol",
              STD 9, RFC 959, DOI 10.17487/RFC0959, October 1985,
              <https://www.rfc-editor.org/info/rfc959>.

   [RFC3912]  Daigle, L., "WHOIS Protocol Specification", RFC 3912,
              DOI 10.17487/RFC3912, September 2004,
              <https://www.rfc-editor.org/info/rfc3912>.

Gasser, et al.             Expires 8 May 2025                  [Page 16]
Internet-Draft     Publishing End-Site Prefix Lengths      November 2024

   [RFC4632]  Fuller, V. and T. Li, "Classless Inter-domain Routing
              (CIDR): The Internet Address Assignment and Aggregation
              Plan", BCP 122, RFC 4632, DOI 10.17487/RFC4632, August
              2006, <https://www.rfc-editor.org/info/rfc4632>.

   [RFC5485]  Housley, R., "Digital Signatures on Internet-Draft
              Documents", RFC 5485, DOI 10.17487/RFC5485, March 2009,
              <https://www.rfc-editor.org/info/rfc5485>.

   [RFC6598]  Weil, J., Kuarsingh, V., Donley, C., Liljenstolpe, C., and
              M. Azinger, "IANA-Reserved IPv4 Prefix for Shared Address
              Space", BCP 153, RFC 6598, DOI 10.17487/RFC6598, April
              2012, <https://www.rfc-editor.org/info/rfc6598>.

   [RFC7234]  Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
              Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",
              RFC 7234, DOI 10.17487/RFC7234, June 2014,
              <https://www.rfc-editor.org/info/rfc7234>.

   [RFC7485]  Zhou, L., Kong, N., Shen, S., Sheng, S., and A. Servin,
              "Inventory and Analysis of WHOIS Registration Objects",
              RFC 7485, DOI 10.17487/RFC7485, March 2015,
              <https://www.rfc-editor.org/info/rfc7485>.

   [RFC7909]  Kisteleki, R. and B. Haberman, "Securing Routing Policy
              Specification Language (RPSL) Objects with Resource Public
              Key Infrastructure (RPKI) Signatures", RFC 7909,
              DOI 10.17487/RFC7909, June 2016,
              <https://www.rfc-editor.org/info/rfc7909>.

   [RFC9082]  Hollenbeck, S. and A. Newton, "Registration Data Access
              Protocol (RDAP) Query Format", STD 95, RFC 9082,
              DOI 10.17487/RFC9082, June 2021,
              <https://www.rfc-editor.org/info/rfc9082>.

   [RFC9092]  Bush, R., Candela, M., Kumari, W., and R. Housley,
              "Finding and Using Geofeed Data", RFC 9092,
              DOI 10.17487/RFC9092, July 2021,
              <https://www.rfc-editor.org/info/rfc9092>.

   [RFC9632]  Bush, R., Candela, M., Kumari, W., and R. Housley,
              "Finding and Using Geofeed Data", RFC 9632,
              DOI 10.17487/RFC9632, August 2024,
              <https://www.rfc-editor.org/info/rfc9632>.

Gasser, et al.             Expires 8 May 2025                  [Page 17]
Internet-Draft     Publishing End-Site Prefix Lengths      November 2024

   [RIPE-DB]  RIPE NCC, "RIPE Database Documentation",
              <https://www.ripe.net/manage-ips-and-
              asns/db/support/documentation/ripe-database-
              documentation>.

   [RIPE181]  RIPE NCC, "Representation Of IP Routing Policies In A
              Routing Registry", October 1994,
              <https://www.ripe.net/publications/docs/ripe-181>.

   [RIPE81]   RIPE NCC, "Representation Of IP Routing Policies In The
              RIPE Database", February 1993,
              <https://www.ripe.net/publications/docs/ripe-081>.

   [rpki-client]
              Snijders, J., "Example on how to use rpki-client to
              authenticate a signed prefixlen", September 2023,
              <https://sobornost.net/~job/
              using_prefixlen_authenticators.txt>.

Appendix A.  Example

   This appendix provides an example, including a trust anchor, a
   Certificate Revocation List (CRL) signed by the trust anchor, a CA
   certificate subordinate to the trust anchor, a CRL signed by the CA,
   an end-entity certificate subordinate to the CA for signing the
   prefixlen, and a detached signature.

   The trust anchor is represented by a self-signed certificate.  As
   usual in the RPKI, the trust anchor has authority over all IPv4
   address blocks, all IPv6 address blocks, and all Autonomous Systam
   (AS) numbers.

Gasser, et al.             Expires 8 May 2025                  [Page 18]
Internet-Draft     Publishing End-Site Prefix Lengths      November 2024

      -----BEGIN CERTIFICATE-----
      MIIEQTCCAymgAwIBAgIUEggycNoFVRjAuN/Fw7URu0DEZNAwDQYJKoZIhvcNAQEL
      BQAwFTETMBEGA1UEAxMKZXhhbXBsZS10YTAeFw0yMzA5MTkyMDMzMzlaFw0zMzA5
      MTYyMDMzMzlaMBUxEzARBgNVBAMTCmV4YW1wbGUtdGEwggEiMA0GCSqGSIb3DQEB
      AQUAA4IBDwAwggEKAoIBAQDQprR+g/i4JyObVURTp1JpGM23vGPyE5fDKFPqV7rw
      M1Amm7cnew66U02IzV0X5oiv5nSGfRX5UxsbR+vwPBMceQyDgS5lexFiv4fB/Vjf
      DT2qX/UjsLL9QOeaSOh7ToJSLjmtpa0D9iz7ful3hdxRjpMMZiE/reX9/ymdpW/E
      dg0F6+T9WGZE1miPeIjl5OZwnmLHCftkN/aaYk1iPNjNniHYIOjC1jSpABmoZyTj
      sgrwLE2F1fIRkVkwASqToq/D5v9voXaYYaXUNJb4H/5wenRuvT5O/n6PXh70rMQy
      F5yzLs96ytxqg5gGX9kabVnvxFU8nHfPa0rhlwfTJnljAgMBAAGjggGHMIIBgzAd
      BgNVHQ4EFgQUwL1SXb7SeLIW7LOjQ5XSBguZCDIwHwYDVR0jBBgwFoAUwL1SXb7S
      eLIW7LOjQ5XSBguZCDIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
      GAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjCBuQYIKwYBBQUHAQsEgawwgakwPgYI
      KwYBBQUHMAqGMnJzeW5jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5L2V4
      YW1wbGUtdGEubWZ0MDUGCCsGAQUFBzANhilodHRwczovL3JyZHAuZXhhbXBsZS5u
      ZXQvbm90aWZpY2F0aW9uLnhtbDAwBggrBgEFBQcwBYYkcnN5bmM6Ly9ycGtpLmV4
      YW1wbGUubmV0L3JlcG9zaXRvcnkvMCcGCCsGAQUFBwEHAQH/BBgwFjAJBAIAATAD
      AwEAMAkEAgACMAMDAQAwIQYIKwYBBQUHAQgBAf8EEjAQoA4wDDAKAgEAAgUA////
      /zANBgkqhkiG9w0BAQsFAAOCAQEAa9eLY9QAmnlZOIyOzbpta5wqcOUQV/yR7o/0
      1zkEZaSavKBt19lMK6AXZurx1T5jyjIwG7bEtZZThjtH2m80V5kc2tsFjSq/yp7N
      JBclMHVd3tXse9If3nXYF4bxRIcir1lXlAbYN+Eo1U3i5qJO+fxouzt7Merk2Dih
      nsenTeXKzN7tfmuCYZZHCC8viCoJWdH+o1uRM4TiQApZsUJ8sF4TABrrRJmA/Ed5
      v0CTBbgqTx7yg0+VarFLPdnjYgtpoCJqwE2C1UpX15rZSaLVuGXtbwXd/cHEg5vF
      W6QTsMeMQFEUa6hkicDGtxLTUdhckBgmCGoF2nlZii5f1BTWAg==
      -----END CERTIFICATE-----

   The CRL issued by the trust anchor.

      -----BEGIN X509 CRL-----
      MIIBjjB4AgEBMA0GCSqGSIb3DQEBCwUAMBUxEzARBgNVBAMTCmV4YW1wbGUtdGEX
      DTIzMDkyMzE1NTUzOFoXDTIzMTAyMzE1NTUzOFqgLzAtMB8GA1UdIwQYMBaAFMC9
      Ul2+0niyFuyzo0OV0gYLmQgyMAoGA1UdFAQDAgEEMA0GCSqGSIb3DQEBCwUAA4IB
      AQCngOu+Nq3WC4y/pHtLoheAOtNg32WWsKPNiEyL+QalmOtURUsWMzOq41bmoPzQ
      NDQoRmXe9mvohAVRe0CnM7A07HOtSfjw5aoouPXGTtfwEomHG2CYk+2U1bvxgZyA
      E1c5TvyhkabFMO0+857wqxRP+ht9NV0lMX6kUFlEOCw3ELVd9oNNRBwKQtXj1huM
      6Sf26va2a1tnC5zP01hN+EY3S9T5T1gcgPGBcqRWKoXJEbRzCrLsb/TMj5cMpIje
      AHZoBojVAmvL1AIH/BnGAQj0+XqaJ0axHvlqJa8iX8QwKqhp+o6sv/atY2QDDRmE
      Yjq/VrBVKu5VsDY2Lr29HszA
      -----END X509 CRL-----

   The CA certificate is issued by the trust anchor.  This certificate
   grants authority over one IPv4 address block (192.0.2.0/24) and two
   AS numbers (64496 and 64497).

Gasser, et al.             Expires 8 May 2025                  [Page 19]
Internet-Draft     Publishing End-Site Prefix Lengths      November 2024

      -----BEGIN CERTIFICATE-----
      MIIE7DCCA9SgAwIBAgIUcyCzS10hdfG65kbRq7toQAvRDLkwDQYJKoZIhvcNAQEL
      BQAwFTETMBEGA1UEAxMKZXhhbXBsZS10YTAeFw0yMzA5MjMxNTU1MzhaFw0yNDA5
      MjIxNTU1MzhaMDMxMTAvBgNVBAMTKDNBQ0UyQ0VGNEZCMjFCN0QxMUUzRTE4NEVG
      QzFFMjk3QjM3Nzg2NDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDc
      zz1qwTxC2ocw5rqp8ktm2XyYkl8riBVuqlXwfefTxsR2YFpgz9vkYUd5Az9EVEG7
      6wGIyZbtmhK63eEeaqbKz2GHub467498BXeVrYysO+YuIGgCEYKznNDZ4j5aaDbo
      j5+4/z0Qvv6HEsxQd0f8br6lKJwgeRM6+fm7796HNPB0aqD7Zj9NRCLXjbB0DCgJ
      liH6rXMKR86ofgll9V2mRjesvhdKYgkGbOif9rvxVpLJ/6zdru5CE9yeuJZ59l+n
      YH/r6PzdJ4Q7yKrJX8qD6A60j4+biaU4MQ72KpsjhQNTTqF/HRwi0N54GDaknEwE
      TnJQHgLJDYqww9yKWtjjAgMBAAGjggIUMIICEDAdBgNVHQ4EFgQUOs4s70+yG30R
      4+GE78Hil7N3hkIwHwYDVR0jBBgwFoAUwL1SXb7SeLIW7LOjQ5XSBguZCDIwDwYD
      VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwGAYDVR0gAQH/BA4wDDAKBggr
      BgEFBQcOAjBDBgNVHR8EPDA6MDigNqA0hjJyc3luYzovL3Jwa2kuZXhhbXBsZS5u
      ZXQvcmVwb3NpdG9yeS9leGFtcGxlLXRhLmNybDBOBggrBgEFBQcBAQRCMEAwPgYI
      KwYBBQUHMAKGMnJzeW5jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5L2V4
      YW1wbGUtdGEuY2VyMIG5BggrBgEFBQcBCwSBrDCBqTA+BggrBgEFBQcwCoYycnN5
      bmM6Ly9ycGtpLmV4YW1wbGUubmV0L3JlcG9zaXRvcnkvZXhhbXBsZS1jYS5tZnQw
      NQYIKwYBBQUHMA2GKWh0dHBzOi8vcnJkcC5leGFtcGxlLm5ldC9ub3RpZmljYXRp
      b24ueG1sMDAGCCsGAQUFBzAFhiRyc3luYzovL3Jwa2kuZXhhbXBsZS5uZXQvcmVw
      b3NpdG9yeS8wHwYIKwYBBQUHAQcBAf8EEDAOMAwEAgABMAYDBADAAAIwIQYIKwYB
      BQUHAQgBAf8EEjAQoA4wDDAKAgMA+/ACAwD78TANBgkqhkiG9w0BAQsFAAOCAQEA
      arIrZWb22wFmP+hVjhdg3IsKHB6fQdMuUR0u2DyZTVvbL6C+HyGAH32pi5mR/QLX
      FAfdqALaB7r68tQTGLIW6bGljT+BqUPJmZcj56x3cBLJlltxwFatTloypjFt3cls
      xFCuuD9J2iBxc6odTKi6u0mhQjD+C9m4xkbe8XXWWx85IHm1s6rYbpGgiMWxBC80
      qqAzmBHGROWKUEvh00EYIYdiAvyFcrj7QtDiRJL5TDOySVd9pWJkerDzhqwE1IaZ
      rpHck+lkYTS7jTD++6v32HG62GdsmryOQUk3aU1rLb3kS8vzaGbrgHpGPid0Hd0x
      ZSl1AoIMpp5mZ7/h9aW5+A==
      -----END CERTIFICATE-----

   The CRL issued by the CA.

      -----BEGIN X509 CRL-----
      MIIBrTCBlgIBATANBgkqhkiG9w0BAQsFADAzMTEwLwYDVQQDEygzQUNFMkNFRjRG
      QjIxQjdEMTFFM0UxODRFRkMxRTI5N0IzNzc4NjQyFw0yMzA5MjMxNTU1MzhaFw0y
      MzEwMjMxNTU1MzhaoC8wLTAfBgNVHSMEGDAWgBQ6zizvT7IbfRHj4YTvweKXs3eG
      QjAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQsFAAOCAQEACwCNzcAoqbMcUL1kBY65
      YhL95OnBqAcuc99pD4i9c1BmVOl7bXU3cJqLaOZ6Z8CmN0kBbcHyqlHBJ9oA/aYD
      ByhxsjzKk7jxtM2IlTpEvCEqvnGLSVihgS3h0NA+sgWqHGL3Rhcj6hVsi+j9GENc
      T6F9np1mxbI3i2xhgeDJG1pryvH0hWXh7yJiYS8ItNEaIIXDT3szK/J9wnPjukTR
      5MITiK9P3TCFujawb3O7rIT5PPgkM6eiCdwDgt6gjmw6cow5+rMjNHSRa+GOviSd
      gXljVDfJvF4tKHmw59Jc2aFnSGfX1/ITDNiNfXYpUYFOcsqxkYf8F0uO7AtbRmTF
      2w==
      -----END X509 CRL-----

Gasser, et al.             Expires 8 May 2025                  [Page 20]
Internet-Draft     Publishing End-Site Prefix Lengths      November 2024

   The end-entity certificate is issued by the CA.  This certificate
   grants signature authority for one IPv4 address block (192.0.2.0/24).
   Signature authority for AS numbers is not needed for prefixlen data
   signatures, so no AS numbers are included in the end-entity
   certificate.

      -----BEGIN CERTIFICATE-----
      MIIEVjCCAz6gAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZvAwDQYJKoZIhvcNAQEL
      BQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExRTNFMTg0RUZDMUUyOTdC
      Mzc3ODY0MjAeFw0yMzA5MjMxNTU1MzhaFw0yNDA3MTkxNTU1MzhaMDMxMTAvBgNV
      BAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM0NUFCRjA1M0ExODcwggEi
      MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycTQrOb/qB2W3i3Ki8PhA/DEW
      yii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQgtPCVwr62hTQZCIowBN0BL0c
      K0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZmr5xphXRvE+mzuJVLgu2V1upm
      BXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXhaFLe08y4DPfr/S/tXJOBm7QzQp
      tmbPLYtGfprYu45liFFqqP94UeLpISfXd36AKGzqTFCcc3EW9l5UFE1MFLlnoEog
      qtoLoKABt0IkOFGKeC/EgeaBdWLe469ddC9rQft5w6g6cmxG+aYDdIEB34zrAgMB
      AAGjggFgMIIBXDAdBgNVHQ4EFgQUkUZSo71RwUQmAZiIn1xFq/BToYcwHwYDVR0j
      BBgwFoAUOs4s70+yG30R4+GE78Hil7N3hkIwDgYDVR0PAQH/BAQDAgeAMBgGA1Ud
      IAEB/wQOMAwwCgYIKwYBBQUHDgIwYQYDVR0fBFowWDBWoFSgUoZQcnN5bmM6Ly9y
      cGtpLmV4YW1wbGUubmV0L3JlcG9zaXRvcnkvM0FDRTJDRUY0RkIyMUI3RDExRTNF
      MTg0RUZDMUUyOTdCMzc3ODY0Mi5jcmwwbAYIKwYBBQUHAQEEYDBeMFwGCCsGAQUF
      BzAChlByc3luYzovL3Jwa2kuZXhhbXBsZS5uZXQvcmVwb3NpdG9yeS8zQUNFMkNF
      RjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5N0IzNzc4NjQyLmNlcjAfBggrBgEFBQcB
      BwEB/wQQMA4wDAQCAAEwBgMEAMAAAjANBgkqhkiG9w0BAQsFAAOCAQEAlxt25FUe
      e0+uCidTH+4p7At3u2ncgHcGTsag3UcoPjcE/I1JgQJRu9TiM4iNB1C7Lbdd131g
      MdliL5GQ3P4QfKnfkuPR6S1V8suq6ZT1KQRyLJx+EPgDN2rb/iji0TOK6RKPNBdG
      lXVLjth4x/uu1O4V54GLEhDAPQC8IUm5intL/Hx1M1x2ptN/+j5HD3XUXd3x13yi
      s6u758nbA7ND40JNhGG5JNGQgDchL4IQzIhylMNC+bKUiyyMHz3MqoVAklIB86IW
      Ucv72Mekq+i46T/w3RnaGn4x7RAJctVJWw3e5YMrFnQcuuaGOs0QcoxW7Bi4W7Eg
      8fK1fd/f6fjZ9w==
      -----END CERTIFICATE-----

   The end-entity certificate is displayed below in detail.  For
   brevity, the other two certificates are not.

         0 1110: SEQUENCE {
         4  830:  SEQUENCE {
         8    3:   [0] {
        10    1:    INTEGER 2
               :     }
        13   20:   INTEGER
               :    27 AD 39 40 83 D7 F2 B5 B9 9B 86 70 C7 75 B2 B9
               :    6E E1 66 F0
        35   13:   SEQUENCE {
        37    9:    OBJECT IDENTIFIER
               :     sha256WithRSAEncryption (1 2 840 113549 1 1 11)
        48    0:    NULL

Gasser, et al.             Expires 8 May 2025                  [Page 21]
Internet-Draft     Publishing End-Site Prefix Lengths      November 2024

               :     }
        50   51:   SEQUENCE {
        52   49:    SET {
        54   47:     SEQUENCE {
        56    3:      OBJECT IDENTIFIER commonName (2 5 4 3)
        61   40:      PrintableString
               :       '3ACE2CEF4FB21B7D11E3E184EFC1E297B3778642'
               :       }
               :      }
               :     }
       103   30:   SEQUENCE {
       105   13:    UTCTime 23/09/2023 15:55:38 GMT
       120   13:    UTCTime 19/07/2024 15:55:38 GMT
               :     }
       135   51:   SEQUENCE {
       137   49:    SET {
       139   47:     SEQUENCE {
       141    3:      OBJECT IDENTIFIER commonName (2 5 4 3)
       146   40:      PrintableString
               :       '914652A3BD51C144260198889F5C45ABF053A187'
               :       }
               :      }
               :     }
       188  290:   SEQUENCE {
       192   13:    SEQUENCE {
       194    9:     OBJECT IDENTIFIER
               :      rsaEncryption (1 2 840 113549 1 1 1)
       205    0:     NULL
               :      }
       207  271:    BIT STRING, encapsulates {
       212  266:     SEQUENCE {
       216  257:      INTEGER
               :      00 B2 71 34 2B 39 BF EA 07 65 B7 8B 72 A2 F0 F8
               :      40 FC 31 16 CA 28 B6 4E 01 A8 F6 98 02 C0 EF 65
               :      B0 84 48 E9 96 FF 93 E6 92 89 65 8F F6 44 9C CE
               :      57 10 82 D3 C2 57 0A FA DA 14 D0 64 22 28 C0 13
               :      74 04 BD 1C 2B 4F F9 93 58 A6 25 D8 B9 A9 D3 37
               :      9E F2 AC C0 CF 02 9E 84 75 D6 F0 7C A5 01 70 AE
               :      E6 66 AF 9C 69 85 74 6F 13 E9 B3 B8 95 4B 82 ED
               :      95 D6 EA 66 05 7B 96 96 87 B2 9A E7 61 E9 65 89
               :      F8 60 E3 C0 F5 CE DD 18 97 05 E8 C1 AC E1 4D 5E
               :      16 85 2D ED 3C CB 80 CF 7E BF D2 FE D5 C9 38 19
               :      BB 43 34 29 B6 66 CF 2D 8B 46 7E 9A D8 BB 8E 65
               :      88 51 6A A8 FF 78 51 E2 E9 21 27 D7 77 7E 80 28
               :      6C EA 4C 50 9C 73 71 16 F6 5E 54 14 4D 4C 14 B9
               :      67 A0 4A 20 AA DA 0B A0 A0 01 B7 42 24 38 51 8A
               :      78 2F C4 81 E6 81 75 62 DE E3 AF 5D 74 2F 6B 41
               :      FB 79 C3 A8 3A 72 6C 46 F9 A6 03 74 81 01 DF 8C

Gasser, et al.             Expires 8 May 2025                  [Page 22]
Internet-Draft     Publishing End-Site Prefix Lengths      November 2024

               :      EB
       477    3:      INTEGER 65537
               :       }
               :      }
               :     }
       482  352:   [3] {
       486  348:    SEQUENCE {
       490   29:     SEQUENCE {
       492    3:      OBJECT IDENTIFIER
               :       subjectKeyIdentifier (2 5 29 14)
       497   22:      OCTET STRING, encapsulates {
       499   20:       OCTET STRING
               :      91 46 52 A3 BD 51 C1 44 26 01 98 88 9F 5C 45 AB
               :      F0 53 A1 87
               :        }
               :       }
       521   31:     SEQUENCE {
       523    3:      OBJECT IDENTIFIER
               :       authorityKeyIdentifier (2 5 29 35)
       528   24:      OCTET STRING, encapsulates {
       530   22:       SEQUENCE {
       532   20:        [0]
               :      3A CE 2C EF 4F B2 1B 7D 11 E3 E1 84 EF C1 E2 97
               :      B3 77 86 42
               :         }
               :        }
               :       }
       554   14:     SEQUENCE {
       556    3:      OBJECT IDENTIFIER keyUsage (2 5 29 15)
       561    1:      BOOLEAN TRUE
       564    4:      OCTET STRING, encapsulates {
       566    2:       BIT STRING 7 unused bits
               :        '1'B (bit 0)
               :        }
               :       }
       570   24:     SEQUENCE {
       572    3:      OBJECT IDENTIFIER certificatePolicies (2 5 29 32)
       577    1:      BOOLEAN TRUE
       580   14:      OCTET STRING, encapsulates {
       582   12:       SEQUENCE {
       584   10:        SEQUENCE {
       586    8:         OBJECT IDENTIFIER
               :          resourceCertificatePolicy (1 3 6 1 5 5 7 14 2)
               :          }
               :         }
               :        }
               :       }
       596   97:     SEQUENCE {

Gasser, et al.             Expires 8 May 2025                  [Page 23]
Internet-Draft     Publishing End-Site Prefix Lengths      November 2024

       598    3:      OBJECT IDENTIFIER
               :       cRLDistributionPoints (2 5 29 31)
       603   90:      OCTET STRING, encapsulates {
       605   88:       SEQUENCE {
       607   86:        SEQUENCE {
       609   84:         [0] {
       611   82:          [0] {
       613   80:           [6]
               :          'rsync://rpki.example.net/repository/3ACE'
               :          '2CEF4FB21B7D11E3E184EFC1E297B3778642.crl'
               :            }
               :           }
               :          }
               :         }
               :        }
               :       }
       695  108:     SEQUENCE {
       697    8:      OBJECT IDENTIFIER
               :       authorityInfoAccess (1 3 6 1 5 5 7 1 1)
       707   96:      OCTET STRING, encapsulates {
       709   94:       SEQUENCE {
       711   92:        SEQUENCE {
       713    8:         OBJECT IDENTIFIER
               :          caIssuers (1 3 6 1 5 5 7 48 2)
       723   80:         [6]
               :          'rsync://rpki.example.net/repository/3ACE'
               :          '2CEF4FB21B7D11E3E184EFC1E297B3778642.cer'
               :          }
               :         }
               :        }
               :       }
       805   31:     SEQUENCE {
       807    8:      OBJECT IDENTIFIER
               :       ipAddrBlocks (1 3 6 1 5 5 7 1 7)
       817    1:      BOOLEAN TRUE
       820   16:      OCTET STRING, encapsulates {
       822   14:       SEQUENCE {
       824   12:        SEQUENCE {
       826    2:         OCTET STRING 00 01
       830    6:         SEQUENCE {
       832    4:          BIT STRING
               :           '010000000000000000000011'B
               :           }
               :          }
               :         }
               :        }
               :       }
               :      }

Gasser, et al.             Expires 8 May 2025                  [Page 24]
Internet-Draft     Publishing End-Site Prefix Lengths      November 2024

               :     }
               :    }
       838   13:  SEQUENCE {
       840    9:   OBJECT IDENTIFIER
               :    sha256WithRSAEncryption (1 2 840 113549 1 1 11)
       851    0:   NULL
               :    }
       853  257:  BIT STRING
               :   97 1B 76 E4 55 1E 7B 4F AE 0A 27 53 1F EE 29 EC
               :   0B 77 BB 69 DC 80 77 06 4E C6 A0 DD 47 28 3E 37
               :   04 FC 8D 49 81 02 51 BB D4 E2 33 88 8D 07 50 BB
               :   2D B7 5D D7 7D 60 31 D9 62 2F 91 90 DC FE 10 7C
               :   A9 DF 92 E3 D1 E9 2D 55 F2 CB AA E9 94 F5 29 04
               :   72 2C 9C 7E 10 F8 03 37 6A DB FE 28 E2 D1 33 8A
               :   E9 12 8F 34 17 46 95 75 4B 8E D8 78 C7 FB AE D4
               :   EE 15 E7 81 8B 12 10 C0 3D 00 BC 21 49 B9 8A 7B
               :   4B FC 7C 75 33 5C 76 A6 D3 7F FA 3E 47 0F 75 D4
               :   5D DD F1 D7 7C A2 B3 AB BB E7 C9 DB 03 B3 43 E3
               :   42 4D 84 61 B9 24 D1 90 80 37 21 2F 82 10 CC 88
               :   72 94 C3 42 F9 B2 94 8B 2C 8C 1F 3D CC AA 85 40
               :   92 52 01 F3 A2 16 51 CB FB D8 C7 A4 AB E8 B8 E9
               :   3F F0 DD 19 DA 1A 7E 31 ED 10 09 72 D5 49 5B 0D
               :   DE E5 83 2B 16 74 1C BA E6 86 3A CD 10 72 8C 56
               :   EC 18 B8 5B B1 20 F1 F2 B5 7D DF DF E9 F8 D9 F7
               :   }

   To allow reproduction of the signature results, the end-entity
   private key is provided.  For brevity, the other two private keys are
   not.

Gasser, et al.             Expires 8 May 2025                  [Page 25]
Internet-Draft     Publishing End-Site Prefix Lengths      November 2024

      -----BEGIN RSA PRIVATE KEY-----
      MIIEpQIBAAKCAQEAsnE0Kzm/6gdlt4tyovD4QPwxFsootk4BqPaYAsDvZbCESOmW
      /5Pmkollj/ZEnM5XEILTwlcK+toU0GQiKMATdAS9HCtP+ZNYpiXYuanTN57yrMDP
      Ap6EddbwfKUBcK7mZq+caYV0bxPps7iVS4LtldbqZgV7lpaHsprnYellifhg48D1
      zt0YlwXowazhTV4WhS3tPMuAz36/0v7VyTgZu0M0KbZmzy2LRn6a2LuOZYhRaqj/
      eFHi6SEn13d+gChs6kxQnHNxFvZeVBRNTBS5Z6BKIKraC6CgAbdCJDhRingvxIHm
      gXVi3uOvXXQva0H7ecOoOnJsRvmmA3SBAd+M6wIDAQABAoIBAQCyB0FeMuKm8bRo
      18aKjFGSPEoZi53srIz5bvUgIi92TBLez7ZnzL6Iym26oJ+5th+lCHGO/dqlhXio
      pI50C5Yc9TFbblb/ECOsuCuuqKFjZ8CD3GVsHozXKJeMM+/o5YZXQrORj6UnwT0z
      ol/JE5pIGUCIgsXX6tz9s5BP3lUAvVQHsv6+vEVKLxQ3wj/1vIL8O/CN036EV0GJ
      mpkwmygPjfECT9wbWo0yn3jxJb36+M/QjjUP28oNIVn/IKoPZRXnqchEbuuCJ651
      IsaFSqtiThm4WZtvCH/IDq+6/dcMucmTjIRcYwW7fdHfjplllVPve9c/OmpWEQvF
      t3ArWUt5AoGBANs4764yHxo4mctLIE7G7l/tf9bP4KKUiYw4R4ByEocuqMC4yhmt
      MPCfOFLOQet71OWCkjP2L/7EKUe9yx7G5KmxAHY6jOjvcRkvGsl6lWFOsQ8p126M
      Y9hmGzMOjtsdhAiMmOWKzjvm4WqfMgghQe+PnjjSVkgTt+7BxpIuGBAvAoGBANBg
      26FF5cDLpixOd3Za1YXsOgguwCaw3Plvi7vUZRpa/zBMELEtyOebfakkIRWNm07l
      nE+lAZwxm+29PTD0nqCFE91teyzjnQaLO5kkAdJiFuVV3icLOGo399FrnJbKensm
      FGSli+3KxQhCNIJJfgWzq4bE0ioAMjdGbYXzIYQFAoGBAM6tuDJ36KDU+hIS6wu6
      O2TPSfZhF/zPo3pCWQ78/QDb+Zdw4IEiqoBA7F4NPVLg9Y/H8UTx9r/veqe7hPOo
      Ok7NpIzSmKTHkc5XfZ60Zn9OLFoKbaQ40a1kXoJdWEu2YROaUlAe9F6/Rog6PHYz
      vLE5qscRbu0XQhLkN+z7bg5bAoGBAKDsbDEb/dbqbyaAYpmwhH2sdRSkphg7Niwc
      DNm9qWa1J6Zw1+M87I6Q8naRREuU1IAVqqWHVLr/ROBQ6NTJ1Uc5/qFeT2XXUgkf
      taMKv61tuyjZK3sTmznMh0HfzUpWjEhWnCEuB+ZYVdmO52ZGw2A75RdrILL2+9Dc
      PvDXVubRAoGAdqXeSWoLxuzZXzl8rsaKrQsTYaXnOWaZieU1SL5vVe8nK257UDqZ
      E3ng2j5XPTUWli+aNGFEJGRoNtcQvO60O/sFZUhu52sqq9mWVYZNh1TB5aP8X+pV
      iFcZOLUvQEcN6PA+YQK5FU11rAI1M0Gm5RDnVnUl0L2xfCYxb7FzV6Y=
      -----END RSA PRIVATE KEY-----

   Signing of "192.0.2.0/24,US,WA,Seattle," (terminated by CR and LF),
   yields the following detached CMS signature.

Gasser, et al.             Expires 8 May 2025                  [Page 26]
Internet-Draft     Publishing End-Site Prefix Lengths      November 2024

      # RPKI Signature: 192.0.2.0/24
      # MIIGQAYJKoZIhvcNAQcCoIIGMTCCBi0CAQMxDTALBglghkgBZQMEAgEwDQYLKoZ
      # IhvcNAQkQAS+gggRaMIIEVjCCAz6gAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZv
      # AwDQYJKoZIhvcNAQELBQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExR
      # TNFMTg0RUZDMUUyOTdCMzc3ODY0MjAeFw0yMzA5MjMxNTU1MzhaFw0yNDA3MTkx
      # NTU1MzhaMDMxMTAvBgNVBAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM
      # 0NUFCRjA1M0ExODcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycT
      # QrOb/qB2W3i3Ki8PhA/DEWyii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQg
      # tPCVwr62hTQZCIowBN0BL0cK0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZm
      # r5xphXRvE+mzuJVLgu2V1upmBXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXha
      # FLe08y4DPfr/S/tXJOBm7QzQptmbPLYtGfprYu45liFFqqP94UeLpISfXd36AKG
      # zqTFCcc3EW9l5UFE1MFLlnoEogqtoLoKABt0IkOFGKeC/EgeaBdWLe469ddC9rQ
      # ft5w6g6cmxG+aYDdIEB34zrAgMBAAGjggFgMIIBXDAdBgNVHQ4EFgQUkUZSo71R
      # wUQmAZiIn1xFq/BToYcwHwYDVR0jBBgwFoAUOs4s70+yG30R4+GE78Hil7N3hkI
      # wDgYDVR0PAQH/BAQDAgeAMBgGA1UdIAEB/wQOMAwwCgYIKwYBBQUHDgIwYQYDVR
      # 0fBFowWDBWoFSgUoZQcnN5bmM6Ly9ycGtpLmV4YW1wbGUubmV0L3JlcG9zaXRvc
      # nkvM0FDRTJDRUY0RkIyMUI3RDExRTNFMTg0RUZDMUUyOTdCMzc3ODY0Mi5jcmww
      # bAYIKwYBBQUHAQEEYDBeMFwGCCsGAQUFBzAChlByc3luYzovL3Jwa2kuZXhhbXB
      # sZS5uZXQvcmVwb3NpdG9yeS8zQUNFMkNFRjRGQjIxQjdEMTFFM0UxODRFRkMxRT
      # I5N0IzNzc4NjQyLmNlcjAfBggrBgEFBQcBBwEB/wQQMA4wDAQCAAEwBgMEAMAAA
      # jANBgkqhkiG9w0BAQsFAAOCAQEAlxt25FUee0+uCidTH+4p7At3u2ncgHcGTsag
      # 3UcoPjcE/I1JgQJRu9TiM4iNB1C7Lbdd131gMdliL5GQ3P4QfKnfkuPR6S1V8su
      # q6ZT1KQRyLJx+EPgDN2rb/iji0TOK6RKPNBdGlXVLjth4x/uu1O4V54GLEhDAPQ
      # C8IUm5intL/Hx1M1x2ptN/+j5HD3XUXd3x13yis6u758nbA7ND40JNhGG5JNGQg
      # DchL4IQzIhylMNC+bKUiyyMHz3MqoVAklIB86IWUcv72Mekq+i46T/w3RnaGn4x
      # 7RAJctVJWw3e5YMrFnQcuuaGOs0QcoxW7Bi4W7Eg8fK1fd/f6fjZ9zGCAaowggG
      # mAgEDgBSRRlKjvVHBRCYBmIifXEWr8FOhhzALBglghkgBZQMEAgGgazAaBgkqhk
      # iG9w0BCQMxDQYLKoZIhvcNAQkQAS8wHAYJKoZIhvcNAQkFMQ8XDTIzMDkyMzE1N
      # TUzOFowLwYJKoZIhvcNAQkEMSIEICvi8p5S8ckg2wTRhDBQzGijjyqs5T6I+4Vt
      # BHypfcEWMA0GCSqGSIb3DQEBAQUABIIBAKZND7pKdVdfpB6zaJN89wTt+sXd0io
      # 0WULMc+o6gRJFt3wmKNW2nYPrDbocJ+Q/rDMGxbp4QetJ0MQtn1+AYAS8v5jPDO
      # 4a63U4/mJ2D3wSnQsDP0lUVknqRzfnS66HgHqiOVdHB0U+OnMEJuqHNTLx0dknb
      # L3zwxyDJTHdo+dMB0U9xdcjwpsPM3xqg57EXj5EIQK5JbardXCjrsysAnEdktUY
      # oyayGNbbQelANYJcOmuHhSXArR+qqzvNP2MDRqqKEcpd65YW6FSnqlVMIBH2M3P
      # D2F0p3sdm4IeGAZWaERVB4AXO1PUFDNdhamr4XpIwqIoAig7xiLm7j8qu5Oc=
      # End Signature: 192.0.2.0/24

Authors' Addresses

   Oliver Gasser
   IPinfo
   Email: oliver@ipinfo.io

Gasser, et al.             Expires 8 May 2025                  [Page 27]
Internet-Draft     Publishing End-Site Prefix Lengths      November 2024

   Randy Bush
   IIJ Research & Arrcus
   5147 Crystal Springs
   Bainbridge Island, Washington 98110
   United States of America
   Email: randy@psg.com

   Massimo Candela
   NTT
   Siriusdreef 70-72
   2132 WT Hoofddorp
   Netherlands
   Email: massimo@ntt.net

   Russ Housley
   Vigil Security, LLC
   516 Dranesville Road
   Herndon, VA 20170
   United States of America
   Email: housley@vigilsec.com

Gasser, et al.             Expires 8 May 2025                  [Page 28]