--- 1/draft-ietf-sidr-publication-04.txt 2014-02-12 07:14:33.506664534 -0800 +++ 2/draft-ietf-sidr-publication-05.txt 2014-02-12 07:14:33.530665123 -0800 @@ -1,21 +1,21 @@ Network Working Group S. Weiler Internet-Draft SPARTA, Inc. Intended status: Standards Track A. Sonalker -Expires: April 23, 2014 Battelle Memorial Institute +Expires: August 16, 2014 Battelle Memorial Institute R. Austein Dragon Research Labs - October 20, 2013 + February 12, 2014 A Publication Protocol for the Resource Public Key Infrastructure (RPKI) - draft-ietf-sidr-publication-04 + draft-ietf-sidr-publication-05 Abstract This document defines a protocol for publishing Resource Public Key Infrastructure (RPKI) objects. Even though the RPKI will have many participants issuing certificates and creating other objects, it is operationally useful to consolidate the publication of those objects. This document provides the protocol for doing so. Status of This Memo @@ -26,265 +26,181 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on April 23, 2014. + This Internet-Draft will expire on August 16, 2014. Copyright Notice - Copyright (c) 2013 IETF Trust and the persons identified as the + Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents - 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 - 2. Context . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 - 3. Protocol Specification . . . . . . . . . . . . . . . . . . . 3 - 3.1. Common Details . . . . . . . . . . . . . . . . . . . . . 4 - 3.1.1. Common XML Message Format . . . . . . . . . . . . . . 4 - 3.2. Control Sub-Protocol . . . . . . . . . . . . . . . . . . 5 - 3.2.1. Config Object . . . . . . . . . . . . . . . . . . . . 5 - 3.2.2. Client Object . . . . . . . . . . . . . . . . . . . . 5 - 3.3. Publication Sub-Protocol . . . . . . . . . . . . . . . . 6 - 3.4. Error handling . . . . . . . . . . . . . . . . . . . . . 7 - 3.5. XML Schema . . . . . . . . . . . . . . . . . . . . . . . 7 - 4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 11 - 4.1. Set Query . . . . . . . . . . . . . . . . . . . 11 - 4.2. Set Reply . . . . . . . . . . . . . . . . . . . 12 - 4.3. Get Query . . . . . . . . . . . . . . . . . . . 12 - 4.4. Get Reply . . . . . . . . . . . . . . . . . . . 13 - 4.5. Create Query . . . . . . . . . . . . . . . . . 13 - 4.6. Create Reply . . . . . . . . . . . . . . . . . 14 - 4.7. Set Query . . . . . . . . . . . . . . . . . . . 14 - 4.8. Set Reply . . . . . . . . . . . . . . . . . . . 15 - 4.9. Get Query . . . . . . . . . . . . . . . . . . . 15 - 4.10. Get Reply . . . . . . . . . . . . . . . . . . . 15 - 4.11. List Query . . . . . . . . . . . . . . . . . . 16 - 4.12. List Reply . . . . . . . . . . . . . . . . . . 16 - 4.13. Destroy Query . . . . . . . . . . . . . . . . . 17 - 4.14. Destroy Reply . . . . . . . . . . . . . . . . . 17 - 4.15. Query . . . . . . . . . . . . . . . . . . . . 17 - 4.16. Reply . . . . . . . . . . . . . . . . . . . . 18 - 4.17. Query . . . . . . . . . . . . . . . . . . . . 18 - 4.18. Reply . . . . . . . . . . . . . . . . . . . . 19 - 4.19. With Text . . . . . . . . . . . . . . . . 19 - 4.20. Without Text . . . . . . . . . . . . . . 19 - 5. Operational Considerations . . . . . . . . . . . . . . . . . 19 - 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 - 7. Security Considerations . . . . . . . . . . . . . . . . . . . 21 - 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 21 - 8.1. Normative References . . . . . . . . . . . . . . . . . . 21 - 8.2. Informative References . . . . . . . . . . . . . . . . . 22 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 + 2. Protocol Specification . . . . . . . . . . . . . . . . . . . 3 + 2.1. Common XML Message Format . . . . . . . . . . . . . . . . 4 + 2.2. Publication and Withdrawal . . . . . . . . . . . . . . . 4 + 2.3. Error handling . . . . . . . . . . . . . . . . . . . . . 5 + 2.4. XML Schema . . . . . . . . . . . . . . . . . . . . . . . 5 + 3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 7 + 3.1. Query . . . . . . . . . . . . . . . . . . . . 7 + 3.2. Reply . . . . . . . . . . . . . . . . . . . . 8 + 3.3. Query . . . . . . . . . . . . . . . . . . . . 9 + 3.4. Reply . . . . . . . . . . . . . . . . . . . . 9 + 3.5. With Text . . . . . . . . . . . . . . . . 9 + 3.6. Without Text . . . . . . . . . . . . . . 9 + 4. Operational Considerations . . . . . . . . . . . . . . . . . 9 + 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 + 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 + 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 + 7.1. Normative References . . . . . . . . . . . . . . . . . . 11 + 7.2. Informative References . . . . . . . . . . . . . . . . . 12 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 1. Introduction This document assumes a working knowledge of the Resource Public Key Infrastructure (RPKI), which is intended to support improved routing security on the Internet. [RFC6480] In order to make participation in the RPKI easier, it is helpful to have a few consolidated repositories for RPKI objects, thus saving every participant from the cost of maintaining a new service. Similarly, relying parties using the RPKI objects will find it faster and more reliable to retrieve the necessary set from a smaller number of repositories. These consolidated RPKI object repositories will in many cases be outside the administrative scope of the organization issuing a given - RPKI object. Hence the need for a protocol to publish RPKI objects. + RPKI object. In some cases, outsourcing operation of the repository + will be an explicit goal: some resource holders who stringly wish to + control their own RPKI private keys may lack the resources to operate + a 24x7 repository, or may simply not wish to do so. - This document defines the RPKI publication protocol, including a sub- - protocol for configuring the publication engine. + The operator of an RPKI publication repository may well be an + Internet registry which issues certificates to its customers, but it + need not be; conceptually, operation of a an RPKI publication + repository is separate from operation of RPKI CA. + + This document defines an RPKI publication protocol which allows + publication either within or across organizational boundaries, and + which makes fairly minimal demands on either the CA engine or the + publication service. 1.1. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. "Publication engine" and "publication server" are used interchangeably to refer to the server providing the service described in this document. "Business Public Key Infrastructure" ("Business PKI" or "BPKI") refers to a PKI, separate from the RPKI, used to authenticate clients - to the publication engine. - -2. Context - - This protocol was designed specifically for the case where an - internet registry, already issuing RPKI certificates to its children, - also wishes to run a publication service for its children. - - We use the term "Business PKI" here because an internet registry - might already have a PKI, separate from the RPKI, for authenticating - its clients and might wish to reuse that PKI for this protocol. Such - reuse is not a requirement. - -3. Protocol Specification - In summary, the publication protocol uses XML messages wrapped in - CMS, carried over HTTP transport. - - The publication procotol consists of two separate subprotocols. The - first is a control protocol used to configure a publication engine. - The second subprotocol, which we refer to by the overloaded term - "publication protocol", is used to request publication of specific - objects. The publication engine operates a single HTTP server on a - single port. It distinguishes between the two protocols by using - different URLs for them. + to the publication engine. We use the term "Business PKI" here + because an internet registry might already have a PKI for + authenticating its clients and might wish to reuse that PKI for this + protocol. There is, however, no requirement to reuse such a PKI. -3.1. Common Details +2. Protocol Specification - This section discusses details that the two subprotocols have in - common, including the transport and CMS wrappers. + The publication protocol uses XML messages wrapped in signed CMS + messages, carried over HTTP transport. - Both protocols use a simple request/response interaction. The client - passes a request to the server, and the server generates a + The publication protocol uses a simple request/response interaction. + The client passes a request to the server, and the server generates a corresponding response. A message exchange commences with the client initiating an HTTP POST with content type of "application/rpki-publication", with the message object as the body. The server's response will similarly be the body of the response with a content type of "application/rpki- publication". The content of the POST and the server's response will be a well- formed Cryptographic Message Syntax (CMS) [RFC5652] object with OID = 1.2.840.113549.1.7.2 as described in Section 3.1 of [RFC6492]. -3.1.1. Common XML Message Format +2.1. Common XML Message Format - The XML schema for this protocol (including both subprotocols) is - below in Section 3.5. Both subprotocols use the same basic XML - message format, which looks like: + The XML schema for this protocol is below in Section 2.4. The basic + XML message format looks like this: - - - [one or more PDUs] + + + + + + + Common attributes: + version: The value of this attribute is the version of this - protocol. This document describes version 2. + protocol. This document describes version 3. type: The possible values of this attribute are "reply" and "query". - A query PDU may be one of four types: config_query, client_query, - publish_query, or withdraw_query. The first two are used by the - control sub-protocol, the latter two by the publication sub-protocol. + A query PDU may be one of two types: publish_query, or + withdraw_query. - A reply PDU may be one of five types: config_reply, client_reply, - publish_reply, withdraw_reply, or report_error_reply. + A reply PDU may be one of three types: publish_reply, withdraw_reply, + or report_error_reply. Each of these PDUs may include an optional tag to facilitate bulk operation. If a tag is set in a query PDU, the corresponding reply(s) MUST have the tag attribute set to the same value. -3.2. Control Sub-Protocol - - The control sub-protocol is used to configure a publication server. - It can set global variables (at the moment, limited to a BPKI CRL) - and manage clients who are allowed to publish data on the server. - -3.2.1. Config Object - - The object allows configuration of data that apply to the - entire publication server rather than a particular client. There is - exactly one object in the publication server, and it only - supports the "set" and "get" actions -- it cannot be created or - destroyed. Its use is typically restricted to the repository - operator. - - The object only has one data element that can be set: the - bpki_crl. This is used by the publication server when authenticating - clients. - -3.2.2. Client Object - - Unlike the object, the object represents one - client authorized to use the publication server. There may be more - than one object on each publication server. Again, its use - is typically restricted to the respository operator. - - The object supports five actions: "create", "set", "get", - "list", and "destroy". Each client has a "client_handle" attribute, - which is used in responses and must be specified in "create", "set", - "get", or "destroy" actions. The "create" and "set" actions have an - optional flag to clear CMS-timestamp-based replay protection, to - allow recovery from misconfigured clocks. - - Payload data which can be configured in a object include: - - o base_uri (attribute): This attribute represents the base URI below - which the client will be allowed to publish data. Additional - constraints may be imposed by the publication server in certain - cases, for e.g., a child publishing directly under its parent. - - o bpki_cert (element): This represents the X.509 BPKI CA certificate - for this client. This should be used as part of the certificate - chain when validating incoming CMS messages. Two valid approaches - exist. If the optional bpki_glue certificate is being used, then - the bpki_cert certificate should be issued by the bpki_glue - certificate; otherwise, the bpki_cert certificate should be issued - by the publication engine's bpki_ta certificate. - - o bpki_glue (element): This is an additional (optional) type of - X.509 certificate for this client. It may be used in certain - pathological cross-certification cases which require a two- - certificate chain due to issuer name conflicts. When being used, - issuing order is that the bpki_glue certificate should be the - issuer of the bpki_cert certificate. Otherwise, it should be - issued by the publication engine's bpki_ta certificate. Since - this is an optional use certificate, it may be left unset if not - needed. - -3.3. Publication Sub-Protocol - - The publication sub-protocol requests publication or withdrawal from - publication of RPKI objects. +2.2. Publication and Withdrawal The publication protocol uses a common message format to request publication of any RPKI object. This format was chosen specifically to allow this protocol to accommodate new types of RPKI objects without needing changes to this protocol. Both the and objects have a payload of an optional tag and a URI. The query also contains the DER object to be published, encoded in Base64. Note that every publish and withdraw action requires a new manifest, thus every publish or withdraw action will involve at least two objects. -3.4. Error handling +2.3. Error handling - Errors are handled similarly in both subprotocols, and they're - handled at two levels. + Errors are handled at two levels. Since all messages in this protocol are conveyed over HTTP connections, basic errors are indicated via the HTTP response code. 4xx and 5xx responses indicate that something bad happened. Errors that make it impossible to decode a query or encode a response are handled in this way. Where possible, errors will result in an XML message which takes the place of the expected protocol response message. messages are CMS-signed XML messages like the rest of @@ -293,495 +209,107 @@ messages only appear in replies, never in queries. The message can appear in both the control and publication subprotocols. Like all other messages in this protocol, the message includes a "tag" attribute to assist in matching the error with a particular query when using batching. It is optional to set the tag on queries but, if set on the query, it MUST be set on the reply or error. - The error itself is conveyed in the error_code (attribute). The - value of this attribute is a token indicating the specific error that + The error itself is conveyed in the error_code attribute. The value + of this attribute is a token indicating the specific error that occurred. The body of the element itself is an optional text string; if present, this is debugging information. -3.5. XML Schema +2.4. XML Schema The following is a RelaxNG compact form schema describing the Publication Protocol. - # $Id: rpki-publication.rnc 2601 2013-10-18 19:21:28Z sra $ + # $Id: rpki-publication.rnc 2698 2013-12-13 23:33:07Z sra $ # RelaxNG schema for RPKI publication protocol. default namespace = "http://www.hactrn.net/uris/rpki/publication-spec/" - # This is version 2 of the protocol. + # This is version 3 of the protocol. + + version = "3" - version = "2" # Top level PDU is either a query or a reply. start = element msg { attribute version { version } , ( ( attribute type { "query" }, query_elt* ) | ( attribute type { "reply" }, reply_elt* ) ) } - # PDUs allowed in a query. - - query_elt |= config_query - query_elt |= client_query - query_elt |= publish_query - query_elt |= withdraw_query - - # PDUs allowed in a reply. + # PDUs allowed in queries and replies. - reply_elt |= config_reply - reply_elt |= client_reply - reply_elt |= publish_reply - reply_elt |= withdraw_reply - reply_elt |= report_error_reply + query_elt = publish_query | withdraw_query + reply_elt = publish_reply | withdraw_reply | report_error_reply # Tag attributes for bulk operations. tag = attribute tag { xsd:token { maxLength="1024" } } # Base64 encoded DER stuff. base64 = xsd:base64Binary - # Publication URLs. + # Publication URIs. - uri_t = xsd:anyURI { maxLength="4096" } - uri = attribute uri { uri_t } + uri = attribute uri { xsd:anyURI { maxLength="4096" } } # Handles on remote objects (replaces passing raw SQL IDs). object_handle = xsd:string { maxLength = "255" pattern="[\-_A-Za-z0-9/]*" } # Error codes. error = xsd:token { maxLength="1024" } - # element (use restricted to repository operator) - config_payload = (element bpki_crl { base64 }?) - - config_query |= element config { - attribute action { "set" }, - tag?, - config_payload - } - - config_reply |= element config { - attribute action { "set" }, - tag? - } - - config_query |= element config { - attribute action { "get" }, - tag? - } - - config_reply |= element config { - attribute action { "get" }, - tag?, - config_payload - } - - # element (use restricted to repository operator) - - client_handle = attribute client_handle { object_handle } - - client_payload = ( - attribute base_uri { uri_t }?, - element bpki_cert { base64 }?, - element bpki_glue { base64 }? - ) - - client_clear_replay = ( - attribute clear_replay_protection { "yes" }? - ) - - client_query |= element client { - attribute action { "create" }, - tag?, - client_handle, - client_clear_replay, - client_payload - } - - client_reply |= element client { - attribute action { "create" }, - tag?, - client_handle - } - - client_query |= element client { - attribute action { "set" }, - tag?, - client_handle, - client_clear_replay, - client_payload - } - - client_reply |= element client { - attribute action { "set" }, - tag?, - client_handle - } - - client_query |= element client { - attribute action { "get" }, - tag?, - client_handle - } - - client_reply |= element client { - attribute action { "get" }, - tag?, - client_handle, - client_payload - } - - client_query |= element client { - attribute action { "list" }, - tag? - } - - client_reply |= element client { - attribute action { "list" }, - tag?, - client_handle, - client_payload - } - - client_query |= element client { - attribute action { "destroy" }, - tag?, - client_handle - } - client_reply |= element client { - attribute action { "destroy" }, - tag?, - client_handle - } - # element - publish_query |= element publish { - tag?, - uri, - base64 - } - - publish_reply |= element publish { - tag?, - uri - } + publish_query |= element publish { tag?, uri, base64 } + publish_reply |= element publish { tag?, uri } # element - withdraw_query |= element withdraw { - tag?, - uri - } - - withdraw_reply |= element withdraw { - tag?, - uri - } - + withdraw_query |= element withdraw { tag?, uri } + withdraw_reply |= element withdraw { tag?, uri } # element report_error_reply = element report_error { tag?, attribute error_code { error }, xsd:string { maxLength="512000" }? } -4. Examples +3. Examples Following are examples of various queries and the corresponding replies for the RPKI publication protocol -4.1. Set Query - - - - MIIBezBlAgEBMA0GCSqGSIb3DQEBCwUAMCMxITAfBgNVBAMTGFRlc3QgQ2Vy - dGlmaWNhdGUgcHViZCBUQRcNMDgwNjAyMjE0OTQ1WhcNMDgwNzAyMjE0OTQ1 - WqAOMAwwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggEBAFWCWgBl4ljV - qX/CHo+RpqYtvmKMnjPVflMXUB7i28RGP4DAq4l7deDU7Q82xEJyE4TXMWDW - AV6UG6uUGum0VHWOcj9ohqyiZUGfOsKg2hbwkETm8sAENOsi1yNdyKGk6jZ1 - 6aF5fubxQqZa1pdGCSac1/ZYC5sLLhEz3kmz+B9z9mXFVc5TgAh4dN3Gy5ft - F8zZAFpDGnS4biCnRVqhGv6R0Lh/5xmii+ZU6kNDhbeMsjJg+ZOmtN+wMeHS - Ibjiy0WuuaZ3k2xSh0C94anrHBZAvvCRhbazjR0Ef5OMZ5lcllw3uO8IHuoi - sHKkehy4Y0GySdj98fV+OuiRTH9vt/M= - - - - -4.2. Set Reply - - - - - -4.3. Get Query - - - - - -4.4. Get Reply - - - - - MIIBezBlAgEBMA0GCSqGSIb3DQEBCwUAMCMxITAfBgNVBAMTGFRlc3QgQ2Vy - dGlmaWNhdGUgcHViZCBUQRcNMDgwNjAyMjE0OTQ1WhcNMDgwNzAyMjE0OTQ1 - WqAOMAwwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggEBAFWCWgBl4ljV - qX/CHo+RpqYtvmKMnjPVflMXUB7i28RGP4DAq4l7deDU7Q82xEJyE4TXMWDW - AV6UG6uUGum0VHWOcj9ohqyiZUGfOsKg2hbwkETm8sAENOsi1yNdyKGk6jZ1 - 6aF5fubxQqZa1pdGCSac1/ZYC5sLLhEz3kmz+B9z9mXFVc5TgAh4dN3Gy5ft - F8zZAFpDGnS4biCnRVqhGv6R0Lh/5xmii+ZU6kNDhbeMsjJg+ZOmtN+wMeHS - Ibjiy0WuuaZ3k2xSh0C94anrHBZAvvCRhbazjR0Ef5OMZ5lcllw3uO8IHuoi - sHKkehy4Y0GySdj98fV+OuiRTH9vt/M= - - - - -4.5. Create Query - - - - - MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAg - BgNVBAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1 - MzEwWhcNMDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmlj - YXRlIEJvYiBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA - rKYUtJaM5PH5917SG2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79p - Wf3GIdnoupzMnoZVtY3GUx2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuE - PPOG8UN17mUKKgujrch6ZvgCDO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShL - i8GKgVdqb/rW/6GTg0Xb/zLT6WWMuT++6sXTlztJdQYkRamJvKfQDU1naC8m - AkGf79Tba0xyBGAUII0GfREY6t4/+NAP2Yyb3xNlBqcJoTov0JfNKHZcCZeP - r79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJdiqg+wIDAQABo1AwTjAMBgNV - HRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4ULlB7+GMDBlimTAfBgNV - HSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkqhkiG9w0BAQUFAAOC - AQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acgcum1YieNdtT0 - n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4XY39EZHh - MW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Smsqep - 6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH - YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6 - hdEq3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ== - - - - -4.6. Create Reply - - - - - -4.7. Set Query - - - - - MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAg - BgNVBAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1 - MzEwWhcNMDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmlj - YXRlIEJvYiBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA - rKYUtJaM5PH5917SG2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79p - Wf3GIdnoupzMnoZVtY3GUx2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuE - PPOG8UN17mUKKgujrch6ZvgCDO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShL - i8GKgVdqb/rW/6GTg0Xb/zLT6WWMuT++6sXTlztJdQYkRamJvKfQDU1naC8m - AkGf79Tba0xyBGAUII0GfREY6t4/+NAP2Yyb3xNlBqcJoTov0JfNKHZcCZeP - r79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJdiqg+wIDAQABo1AwTjAMBgNV - HRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4ULlB7+GMDBlimTAfBgNV - HSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkqhkiG9w0BAQUFAAOC - AQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acgcum1YieNdtT0 - n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4XY39EZHh - MW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Smsqep - 6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH - YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6 - hdEq3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ== - - - - -4.8. Set Reply - - - - - -4.9. Get Query - - - - - -4.10. Get Reply - - - - - MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAg - BgNVBAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1 - MzEwWhcNMDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmlj - YXRlIEJvYiBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA - rKYUtJaM5PH5917SG2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79p - Wf3GIdnoupzMnoZVtY3GUx2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuE - PPOG8UN17mUKKgujrch6ZvgCDO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShL - i8GKgVdqb/rW/6GTg0Xb/zLT6WWMuT++6sXTlztJdQYkRamJvKfQDU1naC8m - AkGf79Tba0xyBGAUII0GfREY6t4/+NAP2Yyb3xNlBqcJoTov0JfNKHZcCZeP - r79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJdiqg+wIDAQABo1AwTjAMBgNV - HRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4ULlB7+GMDBlimTAfBgNV - HSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkqhkiG9w0BAQUFAAOC - AQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acgcum1YieNdtT0 - n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4XY39EZHh - MW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Smsqep - 6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH - YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6 - hdEq3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ== - - - - -4.11. List Query - - - - - -4.12. List Reply - - - - - MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAg - BgNVBAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1 - MzEwWhcNMDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmlj - YXRlIEJvYiBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA - rKYUtJaM5PH5917SG2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79p - Wf3GIdnoupzMnoZVtY3GUx2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuE - PPOG8UN17mUKKgujrch6ZvgCDO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShL - i8GKgVdqb/rW/6GTg0Xb/zLT6WWMuT++6sXTlztJdQYkRamJvKfQDU1naC8m - AkGf79Tba0xyBGAUII0GfREY6t4/+NAP2Yyb3xNlBqcJoTov0JfNKHZcCZeP - r79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJdiqg+wIDAQABo1AwTjAMBgNV - HRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4ULlB7+GMDBlimTAfBgNV - HSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkqhkiG9w0BAQUFAAOC - AQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acgcum1YieNdtT0 - n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4XY39EZHh - MW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Smsqep - 6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH - YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6 - hdEq3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ== - - - - -4.13. Destroy Query - - - - - -4.14. Destroy Reply - - - - - -4.15. Query - +3.1. Query + uri="rsync://wombat.example/Alice/blCrcCp9ltyPDNzYKPfxc.cer"> MIIE+jCCA+KgAwIBAgIBDTANBgkqhkiG9w0BAQsFADAzMTEwLwYDVQQDEyhE RjRBODAxN0U2NkE5RTkxNzJFNDYxMkQ4Q0Y0QzgzRjIzOERFMkEzMB4XDTA4 MDUyMjE4MDUxMloXDTA4MDUyNDE3NTQ1M1owMzExMC8GA1UEAxMoOEZCODIx OEYwNkU1MEFCNzAyQTdEOTZEQzhGMENEQ0Q4MjhGN0YxNzCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQoCggEBAMeziKp0k5nP7v6SZoNsXIMQYRgNtC6F r/9Xm/1yQHomiPqHUk47rHhGojYiK5AhkrwoYhkH4UjJl2iwklDYczXuaBU3 F5qrKlZ4aZnjIxdlP7+hktVpeApL6yuJTUAYeC3UIxnLDVdD6phydZ/FOQlu ffiNDjzteCCvoyOUatqt8WB+oND6LToHp028g1YUYLHG6mur0dPdcHOVXLSm UDuZ1HDz1nDuYvIVKjB/MpH9aW9XeaQ6ZFIlZVPwuuvI2brR+ThH7Gv27GL/ o8qFdC300VQfoTZ+rKPGDE8K1cI906BL4kiwx9z0oiDcE96QCz+B0vsjc9mG @@ -800,74 +328,73 @@ AsAAAiwDBQDAAAJkMA0GCSqGSIb3DQEBCwUAA4IBAQCEhuH7jtI2PJY6+zwv 306vmCuXhtu9Lr2mmRw2ZErB8EMcb5xypMrNqMoKeu14K2x4a4RPJkK4yATh M81FPNRsU5mM0acIRnAPtxjHvPME7PHN2w2nGLASRsZmaa+b8A7SSOxVcFUR azENztppsolHeTpm0cpLItK7mNpudUg1JGuFo94VLf1MnE2EqARG1vTsNhel /SM/UvOArCCOBvf0Gz7kSuupDSZ7qx+LiDmtEsLdbGNQBiYPbLrDk41PHrxd x28qIj7ejZkRzNFw/3pi8/XK281h8zeHoFVu6ghRPy5dbOA4akX/KG6b8XIx 0iwPYdLiDbdWFbtTdPcXBauY -4.16. Reply +3.2. Reply + uri="rsync://wombat.example/Alice/blCrcCp9ltyPDNzYKPfxc.cer"/> -4.17. Query +3.3. Query - + uri="rsync://wombat.example/Alice/blCrcCp9ltyPDNzYKPfxc.cer"/> -4.18. Reply +3.4. Reply + uri="rsync://wombat.example/Alice/blCrcCp9ltyPDNzYKPfxc.cer"/> -4.19. With Text +3.5. With Text Shampooing with sterno again, are we? -4.20. Without Text +3.6. Without Text -5. Operational Considerations +4. Operational Considerations There are two basic options open to the repository operator as to how the publication tree is laid out. The first option is simple: each publication client is given its own directory one level below the top of the rcynic module, and there is no overlap between the publication spaces used by different clients. For example: rsync://example.org/rpki/Alice/ rsync://example.org/rpki/Bob/ rsync://example.org/rpki/Carol/ @@ -900,21 +427,21 @@ base_uri attribute values when setting up clients. In the example above, assuming that Alice issues to Bob who in turn issues to Carol, Alice has ceded control of a portion of her publication space to Bob, who has in turn ceded a portion of that to Carol, and the base_uri attributes in the setup messages should reflect this. The details of how the repository operator determines that Alice has given Bob permission to nest Bob's publication directory under Alice's is outside the scope of this protocol. -6. IANA Considerations +5. IANA Considerations IANA is asked to register the application/rpki-publication MIME media type as follows: MIME media type name: application MIME subtype name: rpki-publication Required parameters: None Optional parameters: None Encoding considerations: binary Security considerations: Carries an RPKI Publication Protocol @@ -924,56 +451,56 @@ Applications which use this media type: HTTP Additional information: Magic number(s): None File extension(s): Macintosh File Type Code(s): Person & email address to contact for further information: Rob Austein Intended usage: COMMON Author/Change controller: Rob Austein -7. Security Considerations +6. Security Considerations The RPKI publication protocol and the data it publishes use entirely separate PKIs for authentication. The published data is authenticated within the RPKI, and this protocol has nothing to do with that authentication, nor does it require that the published objects be valid in the RPKI. The publication protocol uses a separate Business PKI (BPKI) to authenticate its messages. Each of the RPKI publication protocol messages is CMS-signed. Because of that protection at the application layer, this protocol does not require the use of HTTPS or other transport security mechanisms. Compromise of a publication server, perhaps through mismanagement of BPKI keys, could lead to a denial-of-service attack on the RPKI. An attacker gaining access to BPKI keys could use this protocol delete (withdraw) RPKI objects, leading to routing changes or failures. Accordingly, as in most PKIs, good key management practices are important. -8. References +7. References -8.1. Normative References +7.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, BCP 14, March 1997. [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 5652, STD 70, September 2009. [RFC6492] Huston, G., Loomans, R., Ellacott, B., and R. Austein, "A Protocol for Provisioning Resource Certificates", RFC 6492, February 2012. -8.2. Informative References +7.2. Informative References [RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support Secure Internet Routing", RFC 6480, February 2012. Authors' Addresses Samuel Weiler SPARTA, Inc. 7110 Samuel Morse Drive Columbia, Maryland 21046