The Use of maxLength in the Resource Public Key Infrastructure (RPKI)
draft-ietf-sidrops-rpkimaxlen-15

Document history

Date Rev. By Action
2024-01-26
15 Gunter Van de Velde Request closed, assignment withdrawn: Joel Jaeggli Last Call OPSDIR review
2024-01-26
15 Gunter Van de Velde Closed request for Last Call review by OPSDIR with state 'Overtaken by Events': Cleaning up stale OPSDIR queue
2022-10-12
15 (System) RFC Editor state changed to AUTH48-DONE from AUTH48
2022-09-27
15 (System) RFC Editor state changed to AUTH48
2022-09-02
15 (System) RFC Editor state changed to RFC-EDITOR from EDIT
2022-08-19
15 (System) IANA Action state changed to No IANA Actions from In Progress
2022-08-19
15 (System) RFC Editor state changed to EDIT
2022-08-19
15 (System) IESG state changed to RFC Ed Queue from Approved-announcement sent
2022-08-19
15 (System) Announcement was received by RFC Editor
2022-08-19
15 (System) IANA Action state changed to In Progress
2022-08-19
15 Amy Vezza IESG state changed to Approved-announcement sent from Approved-announcement to be sent
2022-08-19
15 Amy Vezza IESG has approved the document
2022-08-19
15 Amy Vezza Closed "Approve" ballot
2022-08-19
15 Amy Vezza Ballot approval text was generated
2022-08-19
15 (System) Removed all action holders (IESG state changed)
2022-08-19
15 Amy Vezza IESG state changed to Approved-announcement to be sent from IESG Evaluation::AD Followup
2022-08-15
15 Robert Wilton
[Ballot comment]
Hi,

I considered balloting this as a discuss (for a discussion), but this is outside my area of knowledge expertise.

Although the document indicates that the number of published ROAs should remain the same, since each ROA can list multiple prefixes, was any consideration given to the potential increase in VRPs (if that is the right term) that this change will cause and whether this may negatively affect routers that are consuming the ROAs/VRPs?

Am I right in assuming that the number of valid ROAs that can be announced should effectively be bound by the number of BGP prefixes advertised for an AS and hence this shouldn't be a problem?

But other than the question above, I found this document to be very easy and pleasant to read.

Regards,
Rob
2022-08-15
15 Robert Wilton [Ballot Position Update] New position, No Objection, has been recorded for Robert Wilton
2022-08-14
15 Ben Maddison New version available: draft-ietf-sidrops-rpkimaxlen-15.txt
2022-08-14
15 Ben Maddison New version accepted (logged-in submitter: Ben Maddison)
2022-08-14
15 Ben Maddison Uploaded new revision
2022-08-11
14 Andrew Alston [Ballot comment]
Clearing my discuss thanks to the change submitted in the latest revision.  My thanks to the authors for the quick response.
2022-08-11
14 Andrew Alston [Ballot Position Update] Position for Andrew Alston has been changed to No Objection from Discuss
2022-08-11
14 (System) Changed action holders to Warren Kumari (IESG state changed)
2022-08-11
14 (System) Sub state has been changed to AD Followup from Revised ID Needed
2022-08-11
14 Ben Maddison New version available: draft-ietf-sidrops-rpkimaxlen-14.txt
2022-08-11
14 Ben Maddison New version accepted (logged-in submitter: Ben Maddison)
2022-08-11
14 Ben Maddison Uploaded new revision
2022-08-11
13 Warren Kumari Ballot writeup was changed
2022-08-11
13 (System) Changed action holders to Sharon Goldberg, Kotikalapudi Sriram, Job Snijders, Warren Kumari, Yossi Gilad, Ben Maddison (IESG state changed)
2022-08-11
13 Cindy Morgan IESG state changed to IESG Evaluation::Revised I-D Needed from IESG Evaluation
2022-08-11
13 Andrew Alston
[Ballot discuss]
Thanks for the solid work on this document, for the most part, I found it clear and easy to parse.

In Section 1, I see the following:

Each ROA contains a set of IP prefixes, and an AS number of
  an AS authorized to originate all the IP prefixes in the set
  [RFC6482].

While I have some idea of what this means - it's confusing and I believe will cause confusion on the part of other readers.  It's confusing to the point where I'm not even sure exactly what the wording should be, but reading that, an AS number of an AS doesn't seem right at all.

Let's discuss and see if we can find a way to come to text on this section that is less confusing.

Thanks

Andrew
2022-08-11
13 Andrew Alston [Ballot Position Update] New position, Discuss, has been recorded for Andrew Alston
2022-08-10
13 Paul Wouters [Ballot Position Update] New position, No Objection, has been recorded for Paul Wouters
2022-08-10
13 Roman Danyliw
[Ballot comment]
Thank you to Sean Turner for the SECDIR review.

** Section 5.

  In general, except in some special cases, operators SHOULD avoid
  using the maxLength attribute in their ROAs, since its inclusion will
  usually make the ROA non-minimal.

The clause “except in some special cases” seems unneeded as it's implied by the use of the SHOULD (rather than a MUST).
2022-08-10
13 Roman Danyliw [Ballot Position Update] New position, No Objection, has been recorded for Roman Danyliw
2022-08-10
13 John Scudder
[Ballot comment]
Thanks for this. Clearly there’s more work to be done given the significant issues you identify with respect to, e.g., scrubbing services, but your document provides a good map and motivation for that future work.

One minor suggestion, in

  As discussed in [LSG16], this means that the hijacker will attract
  less traffic than he

Perhaps consider a non-gendered pronoun, as in “they” or “it”, or some other rewording?
2022-08-10
13 John Scudder [Ballot Position Update] New position, Yes, has been recorded for John Scudder
2022-08-10
13 (System) IANA Review state changed to Version Changed - Review Needed from IANA OK - No Actions Needed
2022-08-10
13 Ben Maddison New version available: draft-ietf-sidrops-rpkimaxlen-13.txt
2022-08-10
13 Ben Maddison New version accepted (logged-in submitter: Ben Maddison)
2022-08-10
13 Ben Maddison Uploaded new revision
2022-08-09
12 Murray Kucherawy
[Ballot comment]
Thanks to Jean Mahoney for her ARTART review.

I agree with Alvaro's point about updating RFC 7115.  Also, should it become part of BCP 185 when published?  Also if you're extending what RFC 7115 says, shouldn't it be a normative reference?

It seems to me like RFC 8205 should also be normative rather than informative, but about that I'm less certain.

The last SHOULD in Section 1 seems a little out of place since it's just an introduction.  The real normative stuff is specified later in the document.

I'm not sure how or if the first two SHOULDs in Section 5 are related.  If they are related, are they not redundant?  If so, I suggest lower-casing the first one as the second one seems more direct.  Thanks for including some prose right below that describing when one might legitimately decide not to do what the SHOULD says.

In the last paragraph of Section 5, the triple SHOULD makes the whole paragraph feel mushy.  I would at least consider lower-casing the second one; it doesn't seem like wiggle room is appropriate there.

NITS
----

In Section 5.1:

OLD:

  Operational requirements may require that [...]

NEW:

  Operational requirements may stipulate that [...]
2022-08-09
12 Murray Kucherawy [Ballot Position Update] New position, No Objection, has been recorded for Murray Kucherawy
2022-08-09
12 Amanda Baber IANA Review state changed to IANA OK - No Actions Needed from Version Changed - Review Needed
2022-08-09
12 Sean Turner Request for Last Call review by SECDIR Completed: Ready. Reviewer: Sean Turner. Sent review to list.
2022-08-08
12 Alvaro Retana
[Ballot comment]

(1) The running example makes the text clear -- but by being a minimal example (only a couple of prefixes are involved) it may oversimplify the potential operational complexity of maintaining a set of minimal ROAs. 

In particular, operators with short prefixes and many advertisements of both IPv4 and IPv6 may have a harder time keeping up with changes.  I would love to see some text around the challenges that applying the recommendations at scale may bring, which may also "result in a self-inflicted denial of service" (to use the description in §7).



(2) This text in §5 talks about the maintenance steps (review, replace, repeat):

  Operators that have existing ROAs published in the RPKI system SHOULD
  perform a review of such objects, especially where they make use of
  the maxLength attribute, to ensure that the set of included prefixes
  is "minimal" with respect to the current BGP origination and routing
  policies.  Published ROAs SHOULD be replaced as necessary.  Such an
  exercise SHOULD be repeated whenever the operator makes changes to
  either policy.

I assume that throughout the document "SHOULD" is used because, even though this is a BCP, the practice is only recommended.  That is not an issue for me, except for the last recommendation above: the "exercise SHOULD be repeated whenever the operator makes changes to either policy".  If the recommendations in this document are followed, a review of the system should be required, not just recommended.



(3) I find the Security Considerations misleading because none of the potential issues (even ones that could "result in a self-inflicted denial of service") are listed there.  I realize that previous versions had text that was moved elsewhere -- I won't insist on changing it back; this comment is here just for the record.



(4) "The recommendations complement and extend those in [RFC7115]."

It seems to me that this document should formally Update rfc7115 as there are related considerations mentioned there.  I checked the archive but couldn't find a related discussion.  Was an Update considered?



(5) [For the Responsible AD.]  I expect that this document will become part of BCP 185 (with rfc7115).  If so, please indicate that somewhere.
2022-08-08
12 Alvaro Retana [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana
2022-08-08
12 Éric Vyncke
[Ballot comment]
# Éric Vyncke, INT AD, comments for draft-ietf-sidrops-rpkimaxlen-12
CC @evyncke

Thank you for the work put into this document. It is clear, detailed, with several explanations.

Please find below some non-blocking COMMENT points (but replies would be appreciated even if only for my own education *especially* for one about the use of IPv4-only RFC 1918).

Special thanks to Chris Morrow for the shepherd's detailed write-up including the WG consensus, even if I would have appreciated the justification of the intended status.

I hope that this review helps to improve the document,

Regards,

-éric


## COMMENTS

### Abstract

Comment to be ignored, it is only to signal that this is smart:
```
  ... context of destination-based Remotely Triggered
  Discard Route (RTDR) (elsewhere referred to as "Remotely Triggered
  Black Hole") ...
```
Only regret is that the acronym does not match the RTBH, which is so well known. Again, this comment to be ignored.


### Section 1, freshness of the I-D

`measurements taken in June 2017`, it is 5 years ago. Is the situation still identical ? or has there been some progress ?

### Section 1, reference to detailed explanations

As section 3 provides a description of the hijack attack, it would be nice to put a forward internal reference to it in section 1 (after the external reference).

### Use of IPv4-only RFC 1918

Rather than using RFC 1918 network prefixes instead of the documentation ones, why not using the IPv6 documentation prefix ? After all, we are in 2022 ;-) BTW, I will really appreciate a reply on this (was about to raise a DISCUSS to ensure getting an explanation).

## Notes

This review is in the ["IETF Comments" Markdown format][ICMF]. You can use the
[`ietf-comments` tool][ICT] to automatically convert this review into
individual GitHub issues.

[ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md
[ICT]: https://github.com/mnot/ietf-comments
2022-08-08
12 Éric Vyncke [Ballot Position Update] New position, Yes, has been recorded for Éric Vyncke
2022-08-06
12 Erik Kline [Ballot Position Update] New position, No Objection, has been recorded for Erik Kline
2022-07-30
12 Acee Lindem Request for Last Call review by RTGDIR Completed: Ready. Reviewer: Acee Lindem. Review has been revised by Acee Lindem.
2022-07-29
12 (System) IANA Review state changed to Version Changed - Review Needed from IANA OK - No Actions Needed
2022-07-29
12 Job Snijders New version available: draft-ietf-sidrops-rpkimaxlen-12.txt
2022-07-29
12 Job Snijders New version accepted (logged-in submitter: Job Snijders)
2022-07-29
12 Job Snijders Uploaded new revision
2022-07-26
11 Cindy Morgan Placed on agenda for telechat - 2022-08-11
2022-07-26
11 Warren Kumari Ballot has been issued
2022-07-26
11 Warren Kumari [Ballot Position Update] New position, Yes, has been recorded for Warren Kumari
2022-07-26
11 Warren Kumari Created "Approve" ballot
2022-07-26
11 Warren Kumari IESG state changed to IESG Evaluation from Waiting for AD Go-Ahead
2022-07-20
11 Jean Mahoney Request for Last Call review by ARTART Completed: Ready with Nits. Reviewer: Jean Mahoney. Sent review to list.
2022-07-20
11 (System) IESG state changed to Waiting for AD Go-Ahead from In Last Call
2022-07-14
11 (System) IANA Review state changed to IANA OK - No Actions Needed from IANA - Review Needed
2022-07-14
11 Sabrina Tanamal
(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

The IANA Functions Operator has reviewed draft-ietf-sidrops-rpkimaxlen-11, which is currently in Last Call, and has the following comments:

We understand that this document doesn't require any registry actions.

While it's often helpful for a document's IANA Considerations section to remain in place upon publication even if there are no actions, if the authors strongly prefer to remove it, we do not object.

If this assessment is not accurate, please respond as soon as possible.

For definitions of IANA review states, please see:

https://datatracker.ietf.org/help/state/draft/iana-review

Thank you,

Sabrina Tanamal
Lead IANA Services Specialist
2022-07-13
11 Acee Lindem Request for Last Call review by RTGDIR Completed: Has Nits. Reviewer: Acee Lindem.
2022-07-13
11 Roni Even Request for Last Call review by GENART Completed: Ready with Nits. Reviewer: Roni Even. Sent review to list.
2022-07-10
11 Luc André Burdet Request for Last Call review by RTGDIR is assigned to Acee Lindem
2022-07-10
11 Luc André Burdet Request for Last Call review by RTGDIR is assigned to Acee Lindem
2022-07-08
11 Barry Leiba Request for Last Call review by ARTART is assigned to Jean Mahoney
2022-07-08
11 Barry Leiba Request for Last Call review by ARTART is assigned to Jean Mahoney
2022-07-08
11 Tero Kivinen Closed request for Last Call review by SECDIR with state 'Withdrawn'
2022-07-08
11 Tero Kivinen Request for Last Call review by SECDIR is assigned to Sean Turner
2022-07-08
11 Tero Kivinen Request for Last Call review by SECDIR is assigned to Sean Turner
2022-07-07
11 Yaron Sheffer Assignment of request for Last Call review by SECDIR to Yaron Sheffer was rejected
2022-07-07
11 Tero Kivinen Request for Last Call review by SECDIR is assigned to Yaron Sheffer
2022-07-07
11 Tero Kivinen Request for Last Call review by SECDIR is assigned to Yaron Sheffer
2022-07-07
11 Alvaro Retana Requested Last Call review by RTGDIR
2022-07-07
11 Jean Mahoney Request for Last Call review by GENART is assigned to Roni Even
2022-07-07
11 Jean Mahoney Request for Last Call review by GENART is assigned to Roni Even
2022-07-07
11 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Joel Jaeggli
2022-07-07
11 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Joel Jaeggli
2022-07-06
11 Cindy Morgan IANA Review state changed to IANA - Review Needed
2022-07-06
11 Cindy Morgan
The following Last Call announcement was sent out (ends 2022-07-20):

From: The IESG
To: IETF-Announce
CC: draft-ietf-sidrops-rpkimaxlen@ietf.org, morrowc@ops-netman.net, sidrops-chairs@ietf.org, sidrops@ietf.org, warren@kumari.net
Reply-To: last-call@ietf.org
Sender:
Subject: Last Call:  (The Use of maxLength in the RPKI) to Best Current Practice


The IESG has received a request from the SIDR Operations WG (sidrops) to
consider the following document: - 'The Use of maxLength in the RPKI'
  as Best Current Practice

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-call@ietf.org mailing lists by 2022-07-20. Exceptionally, comments may
be sent to iesg@ietf.org instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract


  This document recommends ways to reduce the forged-origin hijack
  attack surface by prudently limiting the set of IP prefixes that are
  included in a Route Origin Authorization (ROA).  One recommendation
  is to avoid using the maxLength attribute in ROAs except in some
  specific cases.  The recommendations complement and extend those in
  RFC 7115.  The document also discusses the creation of ROAs for
  facilitating the use of Distributed Denial of Service (DDoS)
  mitigation services.  Considerations related to ROAs and origin
  validation in the context of destination-based Remote Triggered Black
  Hole (RTBH) filtering are also highlighted.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-sidrops-rpkimaxlen/



No IPR declarations have been submitted directly on this I-D.


The document contains these normative downward references.
See RFC 3967 for additional information:
    rfc6811: BGP Prefix Origin Validation (Proposed Standard - Internet Engineering Task Force (IETF))
    rfc6482: A Profile for Route Origin Authorizations (ROAs) (Proposed Standard - Internet Engineering Task Force (IETF))
    rfc4271: A Border Gateway Protocol 4 (BGP-4) (Draft Standard - Internet Engineering Task Force (IETF))



2022-07-06
11 Cindy Morgan IESG state changed to In Last Call from Last Call Requested
2022-07-06
11 Warren Kumari Last call was requested
2022-07-06
11 Warren Kumari Last call announcement was generated
2022-07-06
11 Warren Kumari Ballot approval text was generated
2022-07-06
11 (System) Changed action holders to Warren Kumari (IESG state changed)
2022-07-06
11 Warren Kumari IESG state changed to Last Call Requested from Publication Requested
2022-07-06
11 Warren Kumari Ballot writeup was changed
2022-07-05
11 Job Snijders New version available: draft-ietf-sidrops-rpkimaxlen-11.txt
2022-07-05
11 (System) New version approved
2022-07-05
11 (System) Request for posting confirmation emailed to previous authors: Ben Maddison, Job Snijders, Kotikalapudi Sriram, Sharon Goldberg, Yossi Gilad
2022-07-05
11 Job Snijders Uploaded new revision
2022-06-09
10 Chris Morrow
# Document Shepherd Writeup

*This version is dated 8 April 2023.*

Thank you for your service as a document shepherd. Among the responsibilities is
answering the questions in this writeup to give helpful context to Last Call and
Internet Engineering Steering Group ([IESG][1]) reviewers, and your diligence in
completing it, is appreciated. The full role of the shepherd is further
described in [RFC 4858][2], and informally. You will need the cooperation of
authors to complete these checks.

Note that some numbered items contain multiple related questions; please be sure
to answer all of them.

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?

The document went through 9 revisions in the WG, had good conversation during
meetings and on-list.

2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?

No controversy was raised.

3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)

no appeal/etc.

4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?

not a protocol document.


### Additional Reviews

5. Does this document need review from other IETF working groups or external
  organizations? Have those reviews occurred?

No external reviews were required.


6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.


There are no applicable criteria.

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?

no yang

8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.


These were not required.

### Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?

The document is clearly written, and ready to be handed off to the Area Director.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. Do any such issues remain that would merit specific
    attention from subsequent reviews?

No issues remain.

11. What type of RFC publication is being requested on the IETF stream (Best
    Current Practice, Proposed Standard, Internet Standard, Informational,
    Experimental, or Historic)? Why is this the proper type of RFC? Do all
    Datatracker state attributes correctly reflect this intent?

Best Current Practice.

12. Has the interested community confirmed that any and all appropriate IPR
    disclosures required by [BCP 78][7] and [BCP 79][8] have been filed? If not,
    explain why. If yes, summarize any discussion and conclusion regarding the
    intellectual property rights (IPR) disclosures, including links to relevant
    emails.


Yes, all editors/authors confirmed no IPR claims.

13. Has each Author or Contributor confirmed their willingness to be listed as
    such? If the number of Authors/Editors on the front page is greater than 5,
    please provide a justification.

All editors/authors maintain willingness to be listed as such.

14. Identify any remaining I-D nits in this document. (See [the idnits tool][9]
    and the checkbox items found in Guidelines to Authors of Internet-Drafts).
    Simply running the idnits tool is not enough; please review the entire
    guidelines document.

There exist some check-nits warnings:
  1) use of private address space instead of documentation space
  2) 2119 boilerplate missing
  3) An extra reference (nist-800-189)
  4) Down-ref toward 6480 (judged not important to change)

These will be cleaned up as part of the next edit/push of the document.

15. Should any informative references be normative or vice-versa?

nope.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?

n/a

17. Are there any normative downward references (see [RFC 3967][10],
    [BCP 97][11])? If so, list them.

Downref to RFC6480 - "An Infrastructure to Support Secure Internet Routing"

18. Are there normative references to documents that are not ready for
    advancement or are otherwise in an unclear state? If they exist, what is the
    plan for their completion?

None.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.

no

20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][12]).

There's not an IANA Considerations for this document, which seems to be fine.
The document discusses operational considerations in using/not-using the
'max length' field in a Route Origin Authorization (ROA) record.

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.

none.

[1]: https://www.ietf.org/about/groups/iesg/
[2]: https://www.rfc-editor.org/rfc/rfc4858.html
[3]: https://www.rfc-editor.org/rfc/rfc7942.html
[4]: https://trac.ietf.org/trac/ops/wiki/yang-review-tools
[5]: https://www.rfc-editor.org/rfc/rfc8342.html
[6]: https://trac.ietf.org/trac/iesg/wiki/ExpertTopics
[7]: https://www.rfc-editor.org/info/bcp78
[8]: https://www.rfc-editor.org/info/bcp79
[9]: https://www.ietf.org/tools/idnits/
[10]: https://www.rfc-editor.org/rfc/rfc3967.html
[11]: https://www.rfc-editor.org/info/bcp97
[12]: https://www.rfc-editor.org/rfc/rfc8126.html
2022-06-09
10 Chris Morrow Responsible AD changed to Warren Kumari
2022-06-09
10 Chris Morrow IETF WG state changed to Submitted to IESG for Publication from WG Document
2022-06-09
10 Chris Morrow IESG state changed to Publication Requested from I-D Exists
2022-06-09
10 Chris Morrow IESG process started in state Publication Requested
2022-05-03
10 Kotikalapudi Sriram New version available: draft-ietf-sidrops-rpkimaxlen-10.txt
2022-05-03
10 (System) New version approved
2022-05-03
10 (System) Request for posting confirmation emailed to previous authors: Ben Maddison, Job Snijders, Kotikalapudi Sriram, Sharon Goldberg, Yossi Gilad
2022-05-03
10 Kotikalapudi Sriram Uploaded new revision
2022-04-22
09 Chris Morrow
# Document Shepherd Writeup

*This version is dated 8 April 2023.*

Thank you for your service as a document shepherd. Among the responsibilities is
answering the questions in this writeup to give helpful context to Last Call and
Internet Engineering Steering Group ([IESG][1]) reviewers, and your diligence in
completing it, is appreciated. The full role of the shepherd is further
described in [RFC 4858][2], and informally. You will need the cooperation of
authors to complete these checks.

Note that some numbered items contain multiple related questions; please be sure
to answer all of them.

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?

The document went through 9 revisions in the WG, had good conversation during
meetings and on-list.

2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?

No controversy was raised.

3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)

no appeal/etc.

4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?

not a protocol document.


### Additional Reviews

5. Does this document need review from other IETF working groups or external
  organizations? Have those reviews occurred?

No external reviews were required.


6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.


There are no applicable criteria.

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?

no yang

8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.


These were not required.

### Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?

The document is clearly written, and ready to be handed off to the Area Director.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. Do any such issues remain that would merit specific
    attention from subsequent reviews?

No issues remain.

11. What type of RFC publication is being requested on the IETF stream (Best
    Current Practice, Proposed Standard, Internet Standard, Informational,
    Experimental, or Historic)? Why is this the proper type of RFC? Do all
    Datatracker state attributes correctly reflect this intent?

Best Current Practice.

12. Has the interested community confirmed that any and all appropriate IPR
    disclosures required by [BCP 78][7] and [BCP 79][8] have been filed? If not,
    explain why. If yes, summarize any discussion and conclusion regarding the
    intellectual property rights (IPR) disclosures, including links to relevant
    emails.


Yes, all editors/authors confirmed no IPR claims.

13. Has each Author or Contributor confirmed their willingness to be listed as
    such? If the number of Authors/Editors on the front page is greater than 5,
    please provide a justification.

All editors/authors maintain willingness to be listed as such.

14. Identify any remaining I-D nits in this document. (See [the idnits tool][9]
    and the checkbox items found in Guidelines to Authors of Internet-Drafts).
    Simply running the idnits tool is not enough; please review the entire
    guidelines document.

There exist some check-nits warnings:
  1) use of private address space instead of documentation space
  2) 2119 boilerplate missing
  3) An extra reference (nist-800-189)
  4) Down-ref toward 6480 (judged not important to change)

These will be cleaned up as part of the next edit/push of the document.

15. Should any informative references be normative or vice-versa?

nope.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?

n/a

17. Are there any normative downward references (see [RFC 3967][10],
    [BCP 97][11])? If so, list them.

Downref to RFC6480 - "An Infrastructure to Support Secure Internet Routing"

18. Are there normative references to documents that are not ready for
    advancement or are otherwise in an unclear state? If they exist, what is the
    plan for their completion?

None.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.

no

20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][12]).

There's not an IANA Considerations for this document, which seems to be fine.
The document discusses operational considerations in using/not-using the
'max length' field in a Route Origin Authorization (ROA) record.

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.

none.

[1]: https://www.ietf.org/about/groups/iesg/
[2]: https://www.rfc-editor.org/rfc/rfc4858.html
[3]: https://www.rfc-editor.org/rfc/rfc7942.html
[4]: https://trac.ietf.org/trac/ops/wiki/yang-review-tools
[5]: https://www.rfc-editor.org/rfc/rfc8342.html
[6]: https://trac.ietf.org/trac/iesg/wiki/ExpertTopics
[7]: https://www.rfc-editor.org/info/bcp78
[8]: https://www.rfc-editor.org/info/bcp79
[9]: https://www.ietf.org/tools/idnits/
[10]: https://www.rfc-editor.org/rfc/rfc3967.html
[11]: https://www.rfc-editor.org/info/bcp97
[12]: https://www.rfc-editor.org/rfc/rfc8126.html
2022-04-21
09 Chris Morrow Changed consensus to Yes from Unknown
2022-04-21
09 Chris Morrow Intended Status changed to Best Current Practice from None
2022-04-21
09 Chris Morrow
# Document Shepherd Writeup

*This version is dated 8 April 2023.*

Thank you for your service as a document shepherd. Among the responsibilities is
answering the questions in this writeup to give helpful context to Last Call and
Internet Engineering Steering Group ([IESG][1]) reviewers, and your diligence in
completing it is appreciated. The full role of the shepherd is further
described in [RFC 4858][2], and informally. You will need the cooperation of
authors to complete these checks.

Note that some numbered items contain multiple related questions; please be sure
to answer all of them.

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?

The document went through 9 revisions in the WG, had good conversation during
meetings and on-list.

2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?

No controversy was raised.

3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)

no appeal/etc.

4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?

not a protocol document.


### Additional Reviews

5. Does this document need review from other IETF working groups or external
  organizations? Have those reviews occurred?

No external reviews were required.


6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.


There are no applicable criteria.

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?

no yang

8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.


These were not required.

### Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?

The document is clearly written, and ready to be handed off to the Area Director.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. Do any such issues remain that would merit specific
    attention from subsequent reviews?

No issues remain.

11. What type of RFC publication is being requested on the IETF stream (Best
    Current Practice, Proposed Standard, Internet Standard, Informational,
    Experimental, or Historic)? Why is this the proper type of RFC? Do all
    Datatracker state attributes correctly reflect this intent?

Best Current Practice.

12. Has the interested community confirmed that any and all appropriate IPR
    disclosures required by [BCP 78][7] and [BCP 79][8] have been filed? If not,
    explain why. If yes, summarize any discussion and conclusion regarding the
    intellectual property rights (IPR) disclosures, including links to relevant
    emails.


Yes, all editors/authors confirmed no IPR claims.

13. Has each Author or Contributor confirmed their willingness to be listed as
    such? If the number of Authors/Editors on the front page is greater than 5,
    please provide a justification.

All editors/authors maintain willingness to be listed as such.

14. Identify any remaining I-D nits in this document. (See [the idnits tool][9]
    and the checkbox items found in Guidelines to Authors of Internet-Drafts).
    Simply running the idnits tool is not enough; please review the entire
    guidelines document.

There exist some check-nits warnings:
  1) use of private address space instead of documentation space
  2) 2119 boilerplate missing
  3) An extra reference (nist-800-189)
  4) Down-ref toward 6480 (judged not important to change)

These will be cleaned up as part of the next edit/push of the document.

15. Should any informative references be normative or vice-versa?

nope.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?

n/a

17. Are there any normative downward references (see [RFC 3967][10],
    [BCP 97][11])? If so, list them.

Downref to RFC6480 - "An Infrastructure to Support Secure Internet Routing"

18. Are there normative references to documents that are not ready for
    advancement or are otherwise in an unclear state? If they exist, what is the
    plan for their completion?

There is a reference to draft:8210biz which is currently in the IESG queue.
There is a reference to draft-aspa-verification which is still progressing through the WG.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.

no

20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][12]).

There's not an IANA Considerations for this document, which seems to be fine.
The document discusses operational considerations in using/not-using the
'max length' field in a Route Origin Authorization (ROA) record.

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.

none.

[1]: https://www.ietf.org/about/groups/iesg/
[2]: https://www.rfc-editor.org/rfc/rfc4858.html
[3]: https://www.rfc-editor.org/rfc/rfc7942.html
[4]: https://trac.ietf.org/trac/ops/wiki/yang-review-tools
[5]: https://www.rfc-editor.org/rfc/rfc8342.html
[6]: https://trac.ietf.org/trac/iesg/wiki/ExpertTopics
[7]: https://www.rfc-editor.org/info/bcp78
[8]: https://www.rfc-editor.org/info/bcp79
[9]: https://www.ietf.org/tools/idnits/
[10]: https://www.rfc-editor.org/rfc/rfc3967.html
[11]: https://www.rfc-editor.org/info/bcp97
[12]: https://www.rfc-editor.org/rfc/rfc8126.html
2022-04-21
09 Chris Morrow Notification list changed to morrowc@ops-netman.net because the document shepherd was set
2022-04-21
09 Chris Morrow Document shepherd changed to Chris Morrow
2021-11-22
09 Ben Maddison New version available: draft-ietf-sidrops-rpkimaxlen-09.txt
2021-11-22
09 (System) New version accepted (logged-in submitter: Ben Maddison)
2021-11-22
09 Ben Maddison Uploaded new revision
2021-10-05
08 Ben Maddison New version available: draft-ietf-sidrops-rpkimaxlen-08.txt
2021-10-05
08 (System) New version accepted (logged-in submitter: Ben Maddison)
2021-10-05
08 Ben Maddison Uploaded new revision
2021-08-24
07 Kotikalapudi Sriram New version available: draft-ietf-sidrops-rpkimaxlen-07.txt
2021-08-24
07 (System) New version approved
2021-08-24
07 (System) Request for posting confirmation emailed to previous authors: Ben Maddison, Job Snijders, Kotikalapudi Sriram, Sharon Goldberg, Yossi Gilad
2021-08-24
07 Kotikalapudi Sriram Uploaded new revision
2021-02-22
06 Ben Maddison New version available: draft-ietf-sidrops-rpkimaxlen-06.txt
2021-02-22
06 (System) New version accepted (logged-in submitter: Ben Maddison)
2021-02-22
06 Ben Maddison Uploaded new revision
2020-11-02
05 Kotikalapudi Sriram New version available: draft-ietf-sidrops-rpkimaxlen-05.txt
2020-11-02
05 (System) New version approved
2020-11-02
05 (System) Request for posting confirmation emailed to previous authors: Kotikalapudi Sriram, sidrops-chairs@ietf.org, Job Snijders, Sharon Goldberg, Ben Maddison, Yossi Gilad
2020-11-02
05 Kotikalapudi Sriram Uploaded new revision
2020-05-09
04 Kotikalapudi Sriram New version available: draft-ietf-sidrops-rpkimaxlen-04.txt
2020-05-09
04 (System) New version approved
2020-05-09
04 (System) Request for posting confirmation emailed to previous authors: Sharon Goldberg, Job Snijders, Kotikalapudi Sriram, Yossi Gilad, Ben Maddison
2020-05-09
04 Kotikalapudi Sriram Uploaded new revision
2020-04-26
03 (System) Document has expired
2019-10-24
03 Sharon Goldberg New version available: draft-ietf-sidrops-rpkimaxlen-03.txt
2019-10-24
03 (System) New version approved
2019-10-24
03 (System) Request for posting confirmation emailed to previous authors: Job Snijders, Ben Maddison, Sharon Goldberg, sidrops-chairs@ietf.org, Yossi Gilad, Kotikalapudi Sriram
2019-10-24
03 Sharon Goldberg Uploaded new revision
2019-04-24
02 Kotikalapudi Sriram New version available: draft-ietf-sidrops-rpkimaxlen-02.txt
2019-04-24
02 (System) New version approved
2019-04-24
02 (System) Request for posting confirmation emailed to previous authors: Job Snijders, Kotikalapudi Sriram, Ben Maddison, Yossi Gilad, Sharon Goldberg
2019-04-24
02 Kotikalapudi Sriram Uploaded new revision
2018-10-22
01 Job Snijders New version available: draft-ietf-sidrops-rpkimaxlen-01.txt
2018-10-22
01 (System) New version approved
2018-10-22
01 (System) Request for posting confirmation emailed to previous authors: Job Snijders, Kotikalapudi Sriram, Ben Maddison, Yossi Gilad, Sharon Goldberg
2018-10-22
01 Job Snijders Uploaded new revision
2018-05-01
00 Chris Morrow This document now replaces draft-yossigi-rpkimaxlen instead of None
2018-05-01
00 Job Snijders New version available: draft-ietf-sidrops-rpkimaxlen-00.txt
2018-05-01
00 (System) WG -00 approved
2018-04-30
00 Job Snijders Set submitter to "Job Snijders", replaces to draft-yossigi-rpkimaxlen and sent approval email to group chairs: sidrops-chairs@ietf.org
2018-04-30
00 Job Snijders Uploaded new revision