<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
<!ENTITY I-D.ietf-sidrops-aspa-verification SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-sidrops-aspa-verification.xml">

<!ENTITY I-D.ietf-sidrops-aspa-profile SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-sidrops-aspa-profile.xml">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.6.39 (Ruby 3.0.2) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-zhang-sidrops-aspa-egress-05" category="std" consensus="true" submissionType="IETF" version="3">
  <!-- xml2rfc v2v3 conversion 3.18.0 -->
  <front>
    <title abbrev="ASPA-based AS_PATH Verification for BGP Export">ASPA-based AS_PATH Verification for BGP Export</title>
    <!--  [REPLACE/DELETE] abbrev. The abbreviated title is required if the full title is longer than 39 characters -->

    <seriesInfo name="Internet-Draft" value="draft-zhang-sidrops-aspa-egress-05"/>
   

    <author initials="J." surname="Zhang" fullname="Jia Zhang">
        <organization>Zhongguancun Laboratory</organization>
        <address>
          <postal>
            <city>Beijing</city>
            <country>China</country>
          </postal>
          <email>zhangj@mail.zgclab.edu.cn</email>
        </address>
      </author>

    <author initials="Y." surname="Wang" fullname="Yangyang Wang">
        <organization>Tsinghua University</organization>
        <address>
          <postal>
            <city>Beijing</city>
            <country>China</country>
          </postal>
          <email>wangyy@cernet.edu.cn</email>
        </address>
      </author>
    
    <author initials="M." surname="Matejka" fullname="Maria Matejka">
        <organization>CZ.NIC</organization>
        <address>
          <postal>
            <country>Czechia</country>
          </postal>
          <email>maria.matejka@nic.cz</email>
        </address>
      </author>
    
    <author initials="M." surname="Xu" fullname="Mingwei Xu">
        <organization>Tsinghua University</organization>
        <address>
          <postal>
            <city>Beijing</city>
            <country>China</country>
          </postal>
          <email>xmw@cernet.edu.cn</email>
        </address>
      </author>
    <author fullname="Kotikalapudi Sriram" initials="K." surname="Sriram">
      <organization abbrev="USA NIST">USA National Institute of Standards and Technology</organization>
      <address>
        <postal>
          <street>100 Bureau Drive</street>
          <city>Gaithersburg</city>
          <region>MD</region>
          <code>20899</code>
          <country>United States of America</country>
        </postal>
        <email>ksriram@nist.gov</email>
      </address>
    </author>
     <author initials="N." surname="Geng" fullname="Nan Geng">
        <organization>Huawei</organization>
        <address>
          <postal>
            <city>Beijing</city>
            <country>China</country>
          </postal>
          <email>gengnan@huawei.com</email>
        </address>
      </author>
  

    <date year="2026"/>
    <!-- On draft subbmission:
         * If only the current year is specified, the current day and month will be used.
         * If the month and year are both specified and are the current ones, the current day will
           be used
         * If the year is not the current one, it is necessary to specify at least a month and day="1" will be used.
    -->

    <area>Operations and Management Area (OPS)</area>
    <workgroup>SIDR Operations Working Group</workgroup>
    <!-- "Internet Engineering Task Force" is fine for individual submissions.  If this element is 
          not present, the default is "Network Working Group", which is used by the RFC Editor as 
          a nod to the history of the RFC Series. -->

    <keyword>BGP</keyword>
    <keyword>ASPA</keyword>
    <keyword>Route leak</keyword>
    <!-- [REPLACE/DELETE]. Multiple allowed.  Keywords are incorporated into HTML output files for 
         use by search engines. -->

    <abstract>
      <t>This document describes AS_PATH verification based on Autonomous System Provider Authorization (ASPA) for egress eBGP speakers.
      ASPA is a Resource Public Key Infrastructure (RPKI) object that allows an AS to register its transit provider ASes.
      Performing ASPA-based AS_PATH verification at egress can prevent inadvertent propagation of route leaks to external peers, check for local misconfigurations, and help detect potential ASPA registration errors.
      This approach complements ingress-side verification and BGP Roles/Only to Customer (OTC); it also provides operational assurance for partial deployment and for export-side configuration or registration problems.
      </t>
    </abstract>
 
  </front>

  <middle>
    
    <section>
      <name>Introduction</name>
        <t>Autonomous System Provider Authorization (ASPA) objects in the Resource Public Key Infrastructure (RPKI) can be used to verify BGP AS_PATH for detection and mitigation of route leaks 
            and certain prefix hijacks involving forged origins or forged path-segments <xref target="I-D.ietf-sidrops-aspa-verification"/>. The ASPA object profile is defined in <xref target="I-D.ietf-sidrops-aspa-profile"/>. </t>

	  <t>Section 5 of <xref target="I-D.ietf-sidrops-aspa-verification"/> describes the procedures to perform ASPA-based BGP AS_PATH verification at eBGP ingress.
	    This document additionally explains the reasons, use cases, scenarios, variants and specifics
	  of ASPA-based BGP AS_PATH verification at eBGP egress and in detached or monitoring configurations,
	    in a similar way as <xref target="RFC8893"/> did with RPKI route origin validation (RPKI-ROV) for BGP export.</t>
        <t>This document does not change the semantics or procedures of ASPA-based BGP AS_PATH verification defined in <xref target="I-D.ietf-sidrops-aspa-verification"/>.
        It is not intended to question the adequacy of ingress ASPA verification. Egress verification is an additional local assurance mechanism for export behavior, partial deployment, and operational error detection.
        </t>      
      <section>
        <name>Requirements Language</name>
        <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
          "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT
          RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be
          interpreted as described in BCP 14 <xref target="RFC2119"/>
          <xref target="RFC8174"/> when, and only when, they appear in
          all capitals, as shown here.</t>
      </section>
      <!-- [CHECK] The 'Requirements Language' section is optional -->
    </section>
    
  <section>
    <name>Suggested Reading</name>
    <t>
      It is assumed that the reader understands BGP<xref target="RFC4271"/>, RPKI<xref target="RFC6480"/>,  
      ASPA object profile<xref target="I-D.ietf-sidrops-aspa-profile"/>, 
      ASPA-based BGP AS_PATH verification<xref target="I-D.ietf-sidrops-aspa-verification"/>, RPKI-ROV for BGP export<xref target="RFC8893"/>,
      and BGP Roles<xref target="RFC9234"/>.
    </t>

    <t>The definitions of Customer, Provider, Route Server, Route Server Client and Peer,
      used in this document, are the same as in BGP Roles<xref target="RFC9234"/>.</t>
  </section>

    <section anchor="problem-statement">
      <name>Problem Statement</name>
      <t>ASPA-based AS_PATH verification at eBGP egress is motivated by multiple operational scenarios.
      In partial deployment, some ingress ASBRs may not yet support ASPA verification or BGP Roles while
      some egress ASBRs or detached verification systems do. Egress verification may then provide useful
      coverage for routes that would otherwise leave the AS without ASPA-based export checks.
      Operational assurance is another motivation: locally originated routes, ASPA registration mistakes,
      local AS number mistakes, AS migration, and export policy or AS_PATH manipulation may cause a route
      that was valid on ingress, or was never checked on ingress, to become invalid once exported to neighbors.</t>

      <t>The AS_PATH verification errors may happen in a subtle way, e.g. on routes propagated
      only to one neighbor, or even routes intended as backup, ordinarily not selected as best.
      This is a difference compared to Route Origin Verification where errors are
	often seen nicely in public BGP analysis tools.</t>

      <section anchor="partial-deployment">
	<name>Partial ASPA ingress and BGP Roles deployment</name>
	<t>ASPA and BGP Roles may be deployed incrementally inside a network. In
	large networks, it is common for ASBRs to be upgraded in stages, for older
	routers to remain in service for some time, or for different border routers
	to support different sets of features. As a result, an ingress ASBR may be
	unable to perform ASPA-based AS_PATH verification or to attach the intended
	BGP Role or OTC-derived intra-AS signal, while an egress ASBR or a detached
	verification system may already have the necessary capability.</t>

	<t>In such partial-deployment environments, egress verification can provide
	additional coverage for routes that would otherwise leave the AS without
	ASPA-based export checks. This is especially useful when full-table routes
	received at an unupgraded ingress router are later propagated toward
	customer-facing, peer-facing, or provider-facing egress points that do
	support ASPA validation.</t>

	<t>Egress verification in this scenario is a staged-deployment aid and a
	local assurance mechanism. It does not replace BGP Roles, OTC, or an
	equivalent intra-AS leak-prevention signal when such marking is available.
	Instead, it allows an operator to gain useful verification coverage before
	all ingress ASBRs have been upgraded, and to detect export-side problems
	closer to the point where routes leave the AS.</t>
      </section>

      <section anchor="missing-provider">
	<name>Missing Provider in ASPA record</name>
	<t>When a network (AS N) fails to publish a complete ASPA record and omits a certain provider (AS P),
	all routes sent through this BGP session become invalid when their AS_PATHs are checked later by
	  a peer (AS Q) or provider (AS Y) of AS P, or any other AS later on the path.</t>

	<t>Let's assume that AS N is otherwise configured well and announces only its own routes and its customers'
	routes to its providers. Also, all customers of N have either well configured ASPA or no ASPA at all.
	Then, all routes announced to AS P by AS N have AS_PATH which begins with AS N and possibly continues with other AS numbers.
	  Such an AS_PATH is evaluated as ASPA Valid or Unknown by the Upstream algorithm as specified in <xref target="I-D.ietf-sidrops-aspa-verification"/>, section 5.4, based on the published customers' ASPA.</t>

	<t>AS P then redistributes these routes to its providers (AS Y) and peers (AS Q).
	On egress eBGP, AS P is prepended to AS_PATH as specified in <xref target="RFC4271"/>, section 5.1.2. In turn, this path
	is evaluated at AS Y and AS Q by the Upstream algorithm again, but as P is NotProvider+ of N, all the routes
	  suddenly appear ASPA Invalid.</t>

	<t>In the early adoption days, this scenario may happen even farther from the mistaken network,
	possibly leading to mysterious misrouting. It is also possible that the mistakenly omitted network
	is a backup provider, and the invalid routes get propagated only in case of a primary link failure,
	  which may act as an additional deterrent for early ASPA adoption.</t>

	<figure>
	  <name>Missing Provider illustration</name>
	  <artwork align="left">
	    <![CDATA[
      +-----------------+
      |      AS Y       |
      +-----------------+
              |
      +---------------+      +-------------+
      |      AS P     |------|     AS Q    |
      | Providers: Y  |      |  Peer of P  |
      +---------------+      +-------------+
              |
      +---------------------+
      |          AS N       |
      | Providers missing P |
      +---------------------+
      ]]>
	  </artwork>
	</figure>   
      </section>

      <section anchor="network-merging">
	<name>Network merging and splitting</name>
	<t>When a single entity controls multiple autonomous systems, they may decide to merge them, or in reverse,
	they may decide to split one AS to multiple AS's, or they simply decide to renumber their
	AS. This process almost never happens atomically, and while there are multiple approaches,
	  almost always there are transitional periods when a single AS uses multiple AS numbers.</t>

	<t>These cases include situations when one BGP speaker receives a route via eBGP,
	acting as AS M, but that route is then sent over e.g. confederated eBGP
	to another BGP speaker which announces the route via eBGP,
	acting as a different AS N.
	Generally, all mentioned problems should be mitigated by first extending all
	ASPA records by the new AS number, and removing the old one only after it's been disused,
	but ASPA-based AS_PATH verification on BGP egress ensures that all needed ASPA records
	  have indeed been updated accordingly.</t>
      </section>

      <section anchor="path-manipulation">
	<name>Advanced AS_PATH Manipulation</name>
	<t>There are various common AS_PATH manipulation techniques. The most common one is
	AS_PATH Stuffing where the local AS number is prepended multiple times before exporting
	to a neighboring network, so that the resulting route is depreferenced, and possibly
	  used as a backup link should the main link fail.</t>

	<t>If the network operator happens to make a typo in their own AS number
	<xref target="bgp-typo"/> or any other configuration mistake involving their
	AS_PATH manipulation, they may accidentally introduce a path invalidity.
	Running ASPA-based AS_PATH verification on BGP egress catches these mistakes
	  early on, possibly before actually propagating the route.</t>

	<t>These cases generally include scenarios when a neighboring network thinks that their neighbor
	is AS M, while their routes are later announced with AS N prepended instead. In such scenarios,
	if the neighboring network includes only AS M as their provider, the route becomes invalid later on
	  in a similar way as described in the previous section.</t>
      </section>
    </section>

    <section anchor="method">
      <name>Procedure of ASPA-based AS_PATH Verification at eBGP Egress</name>

      <section anchor="basic-egress-verification">
	<name>Basic Egress Verification</name>

      <t>Any BGP speaker advertising routes to other autonomous systems via eBGP (egress)
      SHOULD run ASPA-based AS_PATH Verification to avoid sending routes with invalid AS_PATHs.
      The procedure is modified so that it simulates what may be the outcome of
	the ASPA-based AS_PATH Verification done later by other networks.</t>

      <t>The egress AS_PATH Verification SHOULD be performed on all routes possibly
      eligible for being propagated at egress, not just the current best route.
      This would help detecting misconfiguration in early stages of deployment,
	and generally prevent the case of unexpected backup link failure.</t>

      <t>The egress AS_PATH Verification MUST be performed on the AS_PATH
      already updated according to <xref target="RFC4271"/>, section 5.1.2.
      That ensures that the route looks like what the neighboring
      AS would receive from the egress speaker.</t>

      <t>If the neighboring AS is a Provider or a Peer, or a (transparent or non-transparent) Route Server (RS) while the egress speaker is an RS-client, the egress speaker runs
      the Upstream Verification Procedure, as specified in
      <xref target="I-D.ietf-sidrops-aspa-verification"/>, section 5.4. If the neighboring
	AS is a Customer, the egress speaker runs the Downstream Verification Procedure.</t>

      <t>To select the appropriate verification procedure, the egress speaker needs
      reliable information about the relationship between the local AS and the
      egress neighbor AS. This information may be obtained from BGP Role
      capabilities exchanged in the BGP OPEN message, ASPA objects registered by
      the local AS and the external neighbor AS, or local BGP peering and
      export-policy configuration.</t>

      <t>If the relationship is Complex, the egress speaker SHOULD logically segregate
      the single eBGP session into regular BGP Roles, and then apply the verification
      procedures accordingly. If such a segregation is not feasible, the egress
      speaker SHOULD determine the appropriate verification procedure on a
      per-prefix basis. If this determination is not feasible as well, then an
      operator MAY apply the algorithm for downstream paths to
	avoid false positive outcomes.</t>

      <t>In all cases, if the AS_PATH Verification result is Invalid,
      the egress speaker SHOULD NOT propagate the affected route to that
      specific neighbor, and a notification SHOULD be sent to the human operators
	of the network.</t>
      </section>

      <section anchor="neighbor-as-augmented-verification">
	<name>Neighbor-AS-Augmented Verification</name>
	<t>For operational assurance, especially to detect missing Provider ASes
	in ASPA records, an implementation or detached verification system
	(see <xref target="centralized-verification"/>) SHOULD support a
	verification mode that, for the process of verification only, also prepends
	the neighboring AS number when the neighboring AS is a Provider or a
	Customer. Otherwise, if the provider-customer relationship is not properly
	reflected in the published ASPA, the route may fail AS_PATH Verification
	later, as described in <xref target="missing-provider"/>.</t>

	<t>This neighbor-AS-augmented verification is most naturally used in
	detached, offline, or monitoring configurations. Use of this mode for
	inline egress enforcement is a matter of local policy and should consider
	router processing cost, deployment maturity, and the operator's intended
	treatment of Invalid results.</t>
      </section>
    </section>

    <section anchor="optimization">
      <name>Optimizations</name>
      <t>Running AS_PATH Verification for all routes at all eBGP egress
      may hamper routing performance and cause unnecessary propagation delays.
      In order to make the verification possible on larger scales, there
	are several approaches to optimize the verification process.</t>

      <t>Optimized egress verifications, if deployed properly, are sufficient
	to detect both ASPA misconfigurations and AS Path manipulation errors.</t>

      <section anchor="centralized-verification">
	<name>Centralized or Detached Verification</name>
	<t>If the network has a BGP Route Reflector (<xref target="RFC4456"/>)
	or another centralized control-plane node, the egress ASPA processing
	may be offloaded to that node. This is feasible only when the verifying
	node has sufficient per-egress context, including the egress ASBR, the
	local AS number used at that egress point, the neighboring AS number, the
	applicable BGP Role or local relationship, and any export-policy context
	needed to simulate the egress AS_PATH. Without this metadata, centralized
	verification may be incomplete or inefficient, and is primarily useful
	for monitoring and operational assurance unless it can affect the actual
	egress ASBR's export decision.</t>

	<t>It is also possible to collect routes by other means, e.g. by the
	BGP Monitoring Protocol<xref target="RFC7854"/>, and run the verification
	in a completely detached configuration. While this configuration doesn't
	allow for immediate route withdrawal in case of the verification result
	being Invalid, it keeps the optimization advantages and allows for easy
	  notifications.</t>
      </section>

      <section anchor="deployment-controls">
	<name>Deployment Controls</name>
	<t>Operators may need controls to enable, disable, or change the enforcement
	mode of egress verification as deployment evolves. Such controls are
	deployment controls, not a replacement for the verification procedure.
	For example, an operator may choose alert-only or detached verification
	when the goal is operational assurance, or may disable inline egress
	verification for a class of routes once the relevant ingress ASPA
	verification and OTC or equivalent intra-AS leak-prevention marking are
	deployed and the remaining motivation is already covered by local policy.</t>

	<t>Such controls only affect how this document's egress verification is
	enforced for selected routes or sessions. They do not disable ASPA, OTC, or
	ingress ASPA verification, and they do not imply that ASPA-based
	verification is unnecessary. They are not appropriate for scenarios where
	the operator still wants egress verification to detect AS migration
	mistakes, AS_PATH manipulation mistakes, ASPA registration omissions, or
	other export-side operational errors.</t>
      </section>

      <section anchor="partial-verification">
	<name>Partial Verification</name>
	<t>For routes received by the local AS from outside, part of the AS_PATH
	should have been already validated by the ingress BGP speaker.
	If the verifying node can determine which prefix of the AS PATH
	is not yet verified, it MAY skip re-verifying the received part of the path,
	and compose the ingress result with the local part. Otherwise, the verifier
	should perform full AS_PATH verification. Partial verification is a scoped
	optimization, not a relaxation of ASPA-based AS_PATH verification.</t>

	<t>For the simple case as described in <xref target="method"/>,
	the egress verification procedure would check the local AS number and,
	when neighbor-AS-augmented verification is used, the neighbor's AS number
	against the local ASPA database. This procedure SHOULD be automated based
	on the BGP Role setting for that specific neighbor, even if the other side
	  doesn't support the BGP Role capability.</t>

	<ol>
	  <li>If the local AS is a Customer of the neighbor AS, which is a Provider,
	  then all the routes sent by local AS to the neighbor will end up
	  having an AS_PATH (… P, C, …) where at least the maximum up ramp extends
	  at least to P. Therefore, the simple partial verification SHOULD
	    periodically check whether P is indeed not NotProvider+ of C.</li>

	  <li>If the local AS is a Provider of the neighbor AS, which is a Customer,
	  then all the routes sent by local AS to the neighbor will end up
	  having an AS_PATH (… C, P, …), where at least the maximum down ramp extends
	  at least to P. Therefore, the simple partial verification SHOULD
	    periodically check whether P is indeed not NotProvider+ of C.</li>

	  <li>If the local AS is a lateral Peer of the neighbor AS, which is therefore
	  also a Peer, there is no need for any check, as well as if the local AS is
	    a Route Server Client.</li>
	</ol>

	<t>In case of failure of the simple periodic check, described in previous paragraphs,
	the affected node SHOULD NOT propagate any route over the affected eBGP session.
	The verifying node (which may be a different node) SHOULD notify both the affected
	  node and the human operators of the network.</t>

	<t>If the network does some complex AS_PATH modification (e.g., during AS merges, 
  splits, or renumbering transitions), the operator should do a proper assessment of 
  possible partial verification approaches, which may include the aforementioned pair 
  verifications, and maybe other verifications as well. In such cases, it is recommended to verify 
  the full AS_PATH, since registration errors or omissions frequently occur during 
  these transitions.
  The full extent of possible verifications is out of scope of this document.</t>

      </section>
    </section>

    <section anchor="otc">
      <name>Using the Only to Customer (OTC) Attribute</name>
      <t>This document does not replace BGP Roles and the Only to Customer (OTC) BGP Attribute<xref target="RFC9234"/>.
      It is expected that the ingress BGP speaker marks the routes received on ingress accordingly,
      either by OTC, or by some other means (e.g. Large Communities<xref target="RFC8092"/>).
      If the routes are not marked, the egress verification procedure described
	above may produce incorrect results.</t>

      <figure anchor="fig-egress-otc-context" align="left" suppress-title="false">
	<name>Illustration of eBGP ingress, iBGP propagation, and eBGP egress.</name>
	<artwork align="left">
	  <![CDATA[
                        +------------------------+
                        |          AS X          |
                        |                        |
        +-------+  eBGP |  +----+  iBGP  +----+  | eBGP  +--------+
        | AS(N) |------->>| R1 |------->>| R2 |-------->>|  AS Y  |
        +-------+       |  +----+        +----+  |       +--------+
                        |                        |
                        +------------------------+
           eBGP ingress                            eBGP egress
	  ]]>
	</artwork>
      </figure>

      <t>In <xref target="fig-egress-otc-context"/>, R1 has direct local
      knowledge of the relationship between AS X and AS(N), while R2 may only
      have the route as propagated inside AS X. If the route is marked by OTC
      or by an equivalent intra-AS leak-prevention signal, that marking MUST
      take precedence over the outcome of egress ASPA verification. In
      particular, if the marking says that the route MUST NOT be exported to
      the egress neighbor, the egress speaker MUST NOT export the route based
      on a Valid egress ASPA result.</t>

      <t>Specifically, while providers are easily distinguishable from the local network's
      ASPA record, it is impossible to tell whether a specific neighboring network
      is a customer or a peer, if they have not signed their ASPA. With that,
      it's impossible and undesirable to replace OTC by ASPA-based AS_PATH Verification
	on BGP egress.</t>
    </section>


    <section anchor="operation">
      <name>Operational Considerations</name>
      <t>The ASPA-based AS_PATH verification on eBGP egress is not a complete solution
      on its own. There may be both false positive and false negative results arising
      from e.g. outdated ASPA database, or superfluous providers in an ASPA record.
	The records also do change over time and the verification results with them.</t>

      <t>It is expected that the operators will closely monitor all Invalid ASPA verification
      results, and act accordingly. In most cases, these results are caused by human errors,
      either local, or by a neighboring network. If the operators determine that the Invalid
      result is caused by a neighboring network, they SHOULD notify the operators of that
	network in a timely manner.</t>

      <t>If it is necessary to have an eBGP session with Complex relationship,
      including mutual-transit arrangements, the operators should take extra care
      properly documenting and designing the appropriate local modifications of
      the ASPA and OTC procedures. ASPA objects can represent mutual provider
      authorization at the AS level, while OTC and BGP Roles are session
      oriented and may require segregating the relationship into non-Complex
      sessions where feasible. This document does not define additional BGP
      Roles or OTC behavior for these cases. It is generally not recommended to
      switch ASPA and OTC off for these links without having a proper
      alternative.</t>

      <t>Notably, route server BGP sessions may easily become a Complex
      relationship if any of the peers there becomes a provider, while others
	stay as peers <xref target="RIPE92-ASPA-LAST-RESORT"/>.</t>

    </section>



    <section anchor="Security">
      <!-- All drafts are required to have a security considerations section. See RFC 3552 for a guide. -->
      <name>Security Considerations</name>
      <t>
        The security considerations that apply to ASPA-based AS_PATH verification (see <xref target="I-D.ietf-sidrops-aspa-verification"/>) also apply to 
        the procedure described in this document.
      </t>
    </section>

    <section anchor="IANA">
    <!-- All drafts are required to have an IANA considerations section. See RFC 8126 for a guide.-->
      <name>IANA Considerations</name>
      <t>This document has no IANA actions</t>
    </section>
    

    
    <!-- NOTE: The Acknowledgements and Contributors sections are at the end of this template -->
  </middle>

  <back>
    <references>
      <name>References</name>
      <references>
        <name>Normative References</name>
        
        
        <xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.2119.xml"/>
        <xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.4271.xml"/>
        <xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.4456.xml"/>
        <xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.6480.xml"/>
        <xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.7854.xml"/>
        <xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.8092.xml"/>
        <xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.8174.xml"/>
        <xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.8481.xml"/>
        <xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.8893.xml"/>
        <xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.9234.xml"/>

        &I-D.ietf-sidrops-aspa-profile;
        &I-D.ietf-sidrops-aspa-verification;

        
        <!-- The recommended and simplest way to include a well known reference -->

      </references>

      <references anchor="sec-informative-referencs">
	<name>Informative References</name>
	<reference anchor="bgp-typo">
	  <front>
	    <title>BGP Typo: A Longitudinal Study and Remedies</title>
	    <author fullname="Liron David" initials="L.D." surname="David"/>
	    <author fullname="Yuval Shavitt" initials="Y.S." surname="Shavitt"/>
	    <date month="November" year="2023"/>
	    <abstract>
	      <t>BGP is the protocol that keeps Internet connected.
	      Operators use it by announcing Address Prefixes (APs), namely
	      IP address blocks, that they own or that they agree to serve
	      as transit for. BGP enables ISPs to devise complex policies to
	      control what AP announcements to accept (import policy), the
	      route selection, and what AP to announce and to whom (export
	      policy). In addition, BGP is also used to coarse traffic engineering
		for incoming traffic via the prepend mechanism.</t>
	      <t>However, there are no wide-spread good tools for managing
	      BGP and much of the complex configuration is done by home-
	      brewed scripts or simply by manually configuring router with
	      bare-bone terminal interface. This process generates many con-
		figuration mistakes.</t>
	      <t>In this study, we examine typos that propagates in BGP an-
	      nouncements and can be found in many of the public databases.
	      We classify them and quantify their presence, and surprisingly
	      found tens of ASNs and hundreds of APs affected by typos on any
	      given time. In addition, we suggest a simple algorithm that can
		detect (and clean) most of them with almost no false positives.</t>
	    </abstract>
	  </front>
	  <seriesInfo name="DOI" value="arXiv:2311.00335v1"/>
	</reference>

	<reference anchor="RIPE92-ASPA-LAST-RESORT" target="https://ripe92.ripe.net/programme/meeting-plan/sessions/109/ZT9NYU/">
	  <front>
	    <title>Do not drop ASPA invalids of the last resort</title>
	    <author fullname="Ondrej Caletka"/>
	    <date day="22" month="May" year="2026"/>
	  </front>
	</reference>
      </references>

 
    </references>
    
    
    <!--
    <section>
      <name>Appendix 1 [REPLACE/DELETE]</name>
      <t>This becomes an Appendix [REPLACE]</t>
    </section>
    -->

    <section anchor="Acknowledgements" numbered="false"> 
      <!-- [REPLACE/DELETE] an Acknowledgements section is optional -->
      <name>Acknowledgements</name>
      <t>The authors thank Randy Bush for his valuable suggestions and comments.</t>
    </section>

 <!--     <section anchor="Contributors" numbered="false">-->
      <!-- [REPLACE/DELETE] a Contributors section is optional -->
 <!--     <name>Contributors</name>
      <t>Thanks to all of the contributors. [REPLACE]</t>-->
      <!-- [CHECK] it is optional to add a <contact> record for some or all contributors -->
  <!--   </section>
-->


 </back>
</rfc>
