--- 1/draft-ietf-sidr-publication-10.txt 2017-02-17 20:13:08.775275797 -0800
+++ 2/draft-ietf-sidr-publication-11.txt 2017-02-17 20:13:08.811276646 -0800
@@ -1,21 +1,21 @@
Network Working Group S. Weiler
Internet-Draft W3C / MIT
Intended status: Standards Track A. Sonalker
-Expires: July 14, 2017 TowerSec
+Expires: August 21, 2017 TowerSec
R. Austein
Dragon Research Labs
- January 10, 2017
+ February 17, 2017
A Publication Protocol for the Resource Public Key Infrastructure (RPKI)
- draft-ietf-sidr-publication-10
+ draft-ietf-sidr-publication-11
Abstract
This document defines a protocol for publishing Resource Public Key
Infrastructure (RPKI) objects. Even though the RPKI will have many
participants issuing certificates and creating other objects, it is
operationally useful to consolidate the publication of those objects.
Even in cases where a certificate issuer runs their own publication
repository, it can be useful to run the certificate engine itself on
a different machine from the publication repository. This document
@@ -29,21 +29,21 @@
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
- This Internet-Draft will expire on July 14, 2017.
+ This Internet-Draft will expire on August 21, 2017.
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
@@ -53,47 +53,46 @@
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Historical Note . . . . . . . . . . . . . . . . . . . . . 4
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
2. Protocol Specification . . . . . . . . . . . . . . . . . . . 5
2.1. Common XML Message Format . . . . . . . . . . . . . . . . 5
- 2.2. Publication and Withdrawal . . . . . . . . . . . . . . . 6
- 2.3. Listing the repository . . . . . . . . . . . . . . . . . 7
+ 2.2. Publication and Withdrawal . . . . . . . . . . . . . . . 7
+ 2.3. Listing the repository . . . . . . . . . . . . . . . . . 8
2.4. Error handling . . . . . . . . . . . . . . . . . . . . . 8
- 2.5. Error Codes . . . . . . . . . . . . . . . . . . . . . . . 8
- 2.6. XML Schema . . . . . . . . . . . . . . . . . . . . . . . 9
+ 2.5. Error Codes . . . . . . . . . . . . . . . . . . . . . . . 9
+ 2.6. XML Schema . . . . . . . . . . . . . . . . . . . . . . . 10
3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 11
- 3.1. Query, No Existing Object . . . . . . . . . . 11
- 3.2. Query, Overwriting Existing Object . . . . . . 11
+ 3.1. Query, No Existing Object . . . . . . . . . . 12
+ 3.2. Query, Overwriting Existing Object . . . . . . 12
3.3. Query . . . . . . . . . . . . . . . . . . . . 12
3.4. Reply . . . . . . . . . . . . . . . . . . . . 12
- 3.5. With Optional Elements . . . . . . . . . 12
+ 3.5. With Optional Elements . . . . . . . . . 13
3.6. Without Optional Elements . . . . . . . . 13
3.7. Error Handling With Multi-Element Queries . . . . . . . . 13
3.7.1. Multi-Element Query . . . . . . . . . . . . . . . . . 13
3.7.2. Successful Multi-Element Response . . . . . . . . . . 14
3.7.3. Failure Multi-Element Response, First Error Only . . 14
3.7.4. Failure Multi-Element Response, All Errors . . . . . 15
3.8.
Query . . . . . . . . . . . . . . . . . . . . . . 16
3.9.
Reply . . . . . . . . . . . . . . . . . . . . . . 16
- 4. Operational Considerations . . . . . . . . . . . . . . . . . 16
- 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17
- 6. Security Considerations . . . . . . . . . . . . . . . . . . . 18
- 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 19
- 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 19
- 8.1. Normative References . . . . . . . . . . . . . . . . . . 19
- 8.2. Informative References . . . . . . . . . . . . . . . . . 19
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20
+ 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
+ 5. Security Considerations . . . . . . . . . . . . . . . . . . . 17
+ 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 18
+ 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 18
+ 7.1. Normative References . . . . . . . . . . . . . . . . . . 18
+ 7.2. Informative References . . . . . . . . . . . . . . . . . 19
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19
1. Introduction
This document assumes a working knowledge of the Resource Public Key
Infrastructure (RPKI), which is intended to support improved routing
security on the Internet. See [RFC6480] for an overview of the RPKI.
In order to make participation in the RPKI easier, it is helpful to
have a few consolidated repositories for RPKI objects, thus saving
every participant from the cost of maintaining a new service.
@@ -121,21 +120,21 @@
This document defines an RPKI publication protocol which allows
publication either within or across organizational boundaries, and
which makes fairly minimal demands on either the CA engine or the
publication service.
The authentication and message integrity architecture of the
publication protocol is essentially identical to the architecture
used in [RFC6492], because the participants in this protocol are the
same CA engines as in RFC 6492; this allows reuse of the same
"Business PKI" ("BPKI", see Section 1.2) infrastructure used to
- support RFC 6492. As in RCC 6492, authorization is a matter of
+ support RFC 6492. As in RFC 6492, authorization is a matter of
external configuration: we assume that any given publication
repository has some kind of policy controlling which certificate
engines are allowed to publish, modify, or withdraw particular RPKI
objects, most likely following the recommendation in [RFC6480]
Section 4.4, the details of this policy are a private matter between
the operator of a certificate engine and the operator of the chosen
publication repository.
The following diagram attempts to convey where this publication
protocol fits into the overall data flow between the certificate
@@ -196,21 +195,23 @@
"Business Public Key Infrastructure" ("Business PKI" or "BPKI")
refers to a PKI, separate from the RPKI, used to authenticate clients
to the publication engine. We use the term "Business PKI" here
because an Internet registry might already have a PKI for
authenticating its clients and might wish to reuse that PKI for this
protocol. There is, however, no requirement to reuse such a PKI.
2. Protocol Specification
The publication protocol uses XML ([XML]) messages wrapped in signed
- CMS messages, carried over HTTP transport.
+ CMS messages, carried over HTTP transport ([RFC2616]). The CMS
+ encapsulation is identical to that used in [RFC6492], section 3.1 and
+ subsections.
The publication protocol uses a simple request/response interaction.
The client passes a request to the server, and the server generates a
corresponding response.
A message exchange commences with the client initiating an HTTP POST
with content type of "application/rpki-publication", with the message
object as the body. The server's response will similarly be the body
of the response with a content type of "application/rpki-
publication".
@@ -230,27 +231,32 @@
The XML schema for this protocol is below in Section 2.6. The basic
XML message format looks like this:
+
+ As noted above, the outermost XML element is encapsulated in in a
+ signed CMS message. Query messages are signed by the client, reply
+ messages are signed by the server.
+
Common attributes:
version: The value of this attribute is the version of this
protocol. This document describes version 4.
type: The possible values of this attribute are "reply" and "query".
A query PDU may be one of three types: , , or
.
@@ -259,37 +265,48 @@
The and PDUs include a "tag" attribute to
facilitate bulk operation. When performing bulk operations, a CA
engine will probably find it useful to specify a distinct tag value
for each or PDU, to simplify matching an error
with the PDU which triggered it. The tag attribute is mandatory, to
simplify parsing, but a CA engine which has no particular use for
tagging MAY use any syntactically legal value, including simply using
the empty string for all tag fields.
+ This document describes version 4 of this protocol. An
+ implementation which understands only this version of the protocol
+ MUST reject messages with a different protocol version attribute,
+ signalling the error as described in Section 2.4. Since "4" is
+ currently the only value allowed for the version attribute in the
+ schema (Section 2.6), an incorrect protocol version can be detected
+ either by checking the version attribute directly or as a schema
+ validation error.
+
2.2. Publication and Withdrawal
The publication protocol uses a common message format to request
publication of any RPKI object. This format was chosen specifically
to allow this protocol to accommodate new types of RPKI objects
without needing changes to this protocol.
Both the and PDUs have a payload of a tag and
- a URI. The query also contains the DER object to be
- published, encoded in Base64.
+ an rsync URI ([RFC3986], [RFC5781]). The query also
+ contains the DER object to be published, encoded in Base64 ([RFC4648]
+ section 4, with line breaks within the Base64 text permitted but not
+ required).
Both the and PDUs also have a "hash"
attribute, which carries a hash of an existing object at the
specified repository URI, encoded as a hexadecimal string. For
PDUs, the hash MUST be present, as this operation makes
no sense if there is no existing object to withdraw. For
- PDUs, the hash is MUST be present if the publication operation is
+ PDUs, the hash MUST be present if the publication operation is
overwriting an existing object, and MUST NOT be present if this
publication operation is writing to a new URI where no prior object
exists. Presence of an object when no "hash" attribute has been
specified is an error, as is absence of an object or an incorrect
hash value when a "hash" attribute has been specified. Any such
errors MUST be reported using the PDU.
The hash algorithm is SHA-256 [SHS], to simplify comparison of
publication protocol hashes with RPKI manifest hashes.
@@ -299,21 +316,21 @@
Note that every publish and withdraw action requires a new manifest,
thus every publish or withdraw action will involve at least two
objects.
Processing of a query message is handled atomically: either the
entire query succeeds or none of it does. When a query message
contains multiple PDUs, failure of any PDU may require the server to
roll back actions triggered by earlier PDUs.
- When a query messages containing or PDUs
+ When a query message containing or PDUs
succeeds, the server returns a single reply.
When a query fails, the server returns one or more
reply PDUs. Typically, a server will only generate one
corresponding to the first query PDU that failed, but
servers MAY return multiple PDUs at the implementor's
discretion.
2.3. Listing the repository
@@ -488,21 +506,22 @@
element failed_pdu { query_elt }?
}*
3. Examples
Following are examples of various queries and the corresponding
replies for the RPKI publication protocol.
Note the authors have taken liberties with the Base64, hash, and URI
text in these examples in the interest of making the examples fit
- nicely into RFC text format.
+ nicely into RFC text format. Similarly, these examples do not show
+ the CMS signature wrapper around the XML, just the XML payload.
3.1. Query, No Existing Object
-4. Operational Considerations
-
- There are two basic options open to the repository operator as to how
- the publication tree is laid out. The first option is simple: each
- publication client is given its own directory one level below the top
- of the rsync module, and there is no overlap between the publication
- spaces used by different clients. For example:
-
- rsync://example.org/rpki/Alice/
- rsync://example.org/rpki/Bob/
- rsync://example.org/rpki/Carol/
-
- This has the advantage of being very easy for the publication
- operator to manage, but has the drawback of making it difficult for
- relying parties to fetch published objects efficiently, particularly
- for relying party implementations which follow the safety rule of
- never retrieving anything from a URI which didn't come directly from
- either a signed object or a trust anchor locator.
-
- Given that the mandatory-to-implement retrieval protocol for relying
- parties is rsync, a more efficient repository structure would be one
- which minimized the number of rsync fetches required. One such
- structure would be one in which the publication directories for
- subjects were placed underneath the publication directories of their
- issuers: since the normal synchronization tree walk is top-down, this
- can significantly reduce the total number of rsync connections
- required to synchronize. For example:
-
- rsync://example.org/rpki/Alice/
- rsync://example.org/rpki/Alice/Bob/
- rsync://example.org/rpki/Alice/Bob/Carol/
-
- Preliminary measurement suggests that, in the case of large numbers
- of small publication directories, the time needed to set up and tear
- down individual rsync connections becomes significant, and that a
- properly optimized tree structure can reduce synchronization time by
- an order of magnitude.
-
- The more complex tree structure does require careful attention when
- setting up clients. In the example above, assuming that Alice issues
- to Bob who in turn issues to Carol, Alice has ceded control of a
- portion of her publication space to Bob, who has in turn ceded a
- portion of that to Carol.
-
- The details of how the repository operator determines that Alice has
- given Bob permission to nest Bob's publication directory under
- Alice's is outside the scope of this protocol.
-
-5. IANA Considerations
+4. IANA Considerations
IANA is asked to register the application/rpki-publication MIME media
type as follows:
MIME media type name: application
MIME subtype name: rpki-publication
Required parameters: None
Optional parameters: None
Encoding considerations: binary
Security considerations: Carries an RPKI Publication Protocol
Message, as defined in this document.
Interoperability considerations: None
- Published specification: This document
+ Published specification: [[RFCxxxx]]
Applications which use this media type: HTTP
Additional information:
Magic number(s): None
File extension(s):
Macintosh File Type Code(s):
Person & email address to contact for further information:
Rob Austein
Intended usage: COMMON
Author/Change controller: IETF
-6. Security Considerations
+5. Security Considerations
The RPKI publication protocol and the data it publishes use entirely
separate PKIs for authentication. The published data is
authenticated within the RPKI, and this protocol has nothing to do
with that authentication, nor does it require that the published
objects be valid in the RPKI. The publication protocol uses a
separate Business PKI (BPKI) to authenticate its messages.
- Each RPKI publication protocol message is CMS-signed. Because of
- that protection at the application layer, this protocol does not
- require the use of HTTPS or other transport security mechanisms.
+ Each RPKI publication protocol message is wrapped in a signed CMS
+ message, which provides message integrity protection and an auditable
+ form of message authentication. Because of these protections at the
+ application layer, and because all the data being published are
+ intended to be public information in any case, this protocol does
+ not, strictly speaking, require the use of HTTPS or other transport
+ security mechanisms. There may, however, be circumstances in which a
+ particular publication operator may prefer HTTPS over HTTP anyway, as
+ a matter of (BPKI) CA policy. Use of HTTP versus HTTPS here is,
+ essentially, a private matter between the repository operator and its
+ clients. Note, however, that even if a client/server pair uses HTTPS
+ for this protocol, message authentication for this protocol is still
+ based on the CMS signatures, not HTTPS.
Although the hashes used in the and PDUs are
cryptographically strong, the digest algorithm was selected for
convenience in comparing these hashes with the hashes that appear in
RPKI manifests. The hashes used in the and
PDUs are not particularly security-sensitive, because these PDUs are
- protected by the CMS signatures.
+ protected by the CMS signatures. Because of this, the most likely
+ reason for a change to this digest algorithm would be to track a
+ corresponding change in the digest algorithm used in RPKI manifests.
+ If and when such a change happens, it will require incrementing the
+ version number of this publication protocol, but given that the most
+ likely implementation of a publication server uses these hashes as
+ lookup keys in a database, bumping the protocol version number would
+ be a relatively minor portion of the effort of changing the
+ algorithm.
Compromise of a publication server, perhaps through mismanagement of
BPKI private keys, could lead to a denial-of-service attack on the
RPKI. An attacker gaining access to BPKI private keys could use this
protocol to delete (withdraw) RPKI objects, leading to routing
changes or failures. Accordingly, as in most PKIs, good key
management practices are important.
-7. Acknowledgements
+6. Acknowledgements
The authors would like to thank: Geoff Huston, George Michaelson,
Oleg Muravskiy, Paul Wouters, Randy Bush, Rob Loomans, Robert
Kisteleki, Tim Bruijnzeels, Tom Petch, and anybody else who helped
along the way but whose name(s) the authors have temporarily
forgotten.
-8. References
+7. References
-8.1. Normative References
+7.1. Normative References
+
+ [RelaxNG] Clark, J., "RELAX NG Compact Syntax", OASIS , November
+ 2002, .
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, BCP 14, March 1997.
+ [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
+ Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
+ Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
+
+ [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
+ Resource Identifier (URI): Generic Syntax", RFC 3986,
+ STD 66, January 2005.
+
+ [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
+ Encodings", RFC 4648, October 2006.
+
[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)",
RFC 5652, STD 70, September 2009.
+ [RFC5781] Weiler, S., Ward, D., and R. Housley, "The rsync URI
+ Scheme", RFC 5781, February 2010.
+
[RFC6492] Huston, G., Loomans, R., Ellacott, B., and R. Austein, "A
Protocol for Provisioning Resource Certificates",
RFC 6492, February 2012.
[SHS] National Institute of Standards and Technology, "Secure
Hash Standard", FIPS PUB 180-4, March 2012,
.
-8.2. Informative References
+ [XML] Cowan, J., "Extensible Markup Language (XML) 1.1", W3C CR
+ CR-xml11-20021015, October 2002.
+
+7.2. Informative References
[I-D.ietf-sidr-delta-protocol]
Bruijnzeels, T., Muravskiy, O., Weber, B., and R. Austein,
"RPKI Repository Delta Protocol", draft-ietf-sidr-delta-
- protocol-04 (work in progress), September 2016.
+ protocol-07 (work in progress), February 2017.
[I-D.ietf-sidr-rpki-oob-setup]
Austein, R., "An Out-Of-Band Setup Protocol For RPKI
- Production Services", draft-ietf-sidr-rpki-oob-setup-05
- (work in progress), December 2016.
-
- [RelaxNG] Clark, J., "RELAX NG Compact Syntax", OASIS , November
- 2002, .
+ Production Services", draft-ietf-sidr-rpki-oob-setup-06
+ (work in progress), January 2017.
[RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support
Secure Internet Routing", RFC 6480, February 2012.
- [XML] Cowan, J., "Extensible Markup Language (XML) 1.1", W3C CR
- CR-xml11-20021015, October 2002.
-
Authors' Addresses
Samuel Weiler
W3C / MIT
Email: weiler@csail.mit.edu
Anuja Sonalker
TowerSec Automotive Cyber Security