This document defines a Cryptographic Message Syntax (CMS) protected content type for use with the Resource Public Key Infrastructure (RPKI) to carry a general-purpose listing of Autonomous System Numbers (ASNs) and/or pointers to other groupings of ASNs, called an ASGroup.
Additionally, the document specifies a mechanism for ASN holders to opt-out of being listed in a given ASGroup.
The objective is to offer an RPKI-based successor to plain-text RFC 2622 'as-set' class objects.
When validated, an ASGroup confirms that the respective ASN holder produced the ASGroup object.¶
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF). Note that other groups may also distribute working
documents as Internet-Drafts. The list of current Internet-Drafts is
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."¶
Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Revised BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Revised BSD License.¶
This document defines a Cryptographic Message Syntax (CMS) [RFC5652][RFC6268] protected content type for a general-purpose listing of Autonomous System Numbers (ASNs) and/or pointers to other groupings of ASNs (an 'ASGroup'), for use with the Resource Public Key Infrastructure (RPKI) [RFC6480].
The CMS protected content type is intended to provide for the creation and validation of an RPKI ASGroup, a listing signed by the holder of the private key associated with a particular ASN.¶
RPKI ASGroups are expected to facilitate inter-domain business use cases that depend on an ability to exchange listings of ASNs.
Through the use of RPKI ASGroup Opt-Out Listings, resource holders have a degree of control over what Relying Party (RP) implementations emit in relation to their AS Identifier resources and ASGroups when expanding ASGroups.¶
The objective is to offer an RPKI-based successor to plain-text RFC 2622 'as-set' class objects.
The main differences between IRR 'as-set' objects and RPKI ASGroups are the robust, cryptographically verifiable authorization and the ability to 'opt out' of a listing (a feature that is not possible in the IRR context).¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119][RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The Certification Authority (CA) MUST only sign one ASGroup or ASGroup Opt-Out Listing with each EE certificate and MUST generate a new key pair for each new ASGroup or ASGroup Opt-Out Listing.
This type of EE certificate is termed a "one-time-use" EE certificate (see Section 3 of [RFC6487]).¶
A guideline for naming ASGroup and ASGroup Opt-Out objects is that the file name chosen in the repository be a value derived from the public key of the EE certificate.
One such method of generating a publication name is described in Section 2.1 of [RFC4387]: convert the 160-bit hash of an EE's public key value into a 27-character string using a modified form of Base64 encoding, with an additional modification as proposed in Section 5, Table 2, of [RFC4648].¶
The content of an ASGroup indicates a listing of arbitrary ASNs and pointers to other ASGroups which has been signed with a specific Autonomous System identifier.
An ASGroup is formally defined as follows:¶
This field contains type GroupingLabel, an IA5String which MUST consist of at least one and no more than a hundred characters chosen from the set A-Z (UPPERCASE ALPHABET), 0-9, - (HYPHEN), _ (UNDERSCORE), or : (COLON).
The label field serves as a differentiator to allow a resource holder to produce multiple different ASGroup objects carrying the same ASN in the asID field for different purposes.
The value of the label field MUST adhere to the same naming conventions and constraints as hierarchical 'as-set' set names described in Section 5 of [RFC2622]; noting the first component of the set name is the value of the above asID field.¶
This field is a BOOLEAN.
If the referenceable boolean is set to FALSE, a Relying Party (RP) which encounters a GroupingPointer in an ASGroup which matches the asID and label of this ASGroup MUST ignore the GroupingPointer.
If multiple ASGroup objects exist in the RPKI repositories with the same asID and label, but with the referenceable boolean set to different values, the TRUE value takes precedence.¶
This field contains a SEQUENCE which contains an ASID (a reference to an Autonomous System Number) and a GroupingLabel (an IA5String).
The asID value and label in a GroupingPointer SHOULD NOT match the asID and label in the RpkiSignedGrouping; i.e. an ASGroup SHOULD NOT point to itself.¶
The content of an ASGroup Opt-Out Listing indicates an opt-out listing of arbitrary ASNs and pointers to other ASGroups which has been signed with a specific Autonomous System identifier.
The purpose of ASGroup Opt-Out Listings is to provide a means to negate references in ASGroup objects (not under control of the resource holder) towards resources held by the resource holder.
An ASGroup Opt-Out Listing is formally defined as follows:¶
This optional field contains type GroupingLabel, an IA5String which MUST consist of at least one and no more than a hundred characters chosen from the set A-Z (UPPERCASE ALPHABET), 0-9, - (HYPHEN), _ (UNDERSCORE), or : (COLON).
If the field is absent, the ASGroup Opt-Out Listing entry is taken to mean that, in any ASGroup object referenced in the optOut SEQUENCE, member entries which reference this object's asID value MUST be negated by the RP.
If the field is present, then in any ASGroup object matching an entry in the optOut SEQUENCE, a GroupingPointer which matches this ASGroup Opt-Out Listing's asID and label MUST be negated.¶
Before a Relying Party (RP) can expand an ASGroup into a listing of Autonomous System Numbers, the RP MUST first validate all ASGroup Opt-Out Listings to be able to honor Opt-Out attestations.¶
To validate an ASGroup or ASGroup Opt-Out Listings, the RP MUST perform all the validation checks specified in [RFC6488].
In addition, the RP MUST perform the following validation steps:¶
The contents of the CMS eContent field MUST conform to all of the constraints described in Section 4.¶
The Autonomous System Identifier Delegation extension [RFC3779] MUST be present in the EE certificate contained in the CMS certificates field.¶
The AS identifier present in the 'asID' field of the RpkiSignedGrouping eContent (or, respectively, of the RpkiSignedGroupingOptOut eContent) MUST be a subset of those present in the certificate extension.¶
The EE certificate's Autonomous System Identifier Delegation extension MUST NOT contain "inherit" elements.¶
The IP Address Delegation Extension described in [RFC3779] is not used in ASGroup or ASGroup Opt-Out Listings and MUST NOT be present.¶
A list of Validated ASGroup Listings (VALs) is produced by applying a recursive descent to each ASGroup, noting members which are ASIDs and following GroupingPointers.
GroupingPointers which point to an ASGroup which has the 'referenceable' boolean set to false MUST be ignored.
Members of an ASGroup which match an ASGroup Opt-Out Listing entry MUST be ignored.¶
Multiple ASGroup objects could exist which contain the same asID and label.
In such cases the union of members forms the set of members.
It is highly RECOMMENDED that a compliant CA maintains a single ASGroup for a given (asID, label) tuple.¶
Multiple ASGroup Opt-Out Listing objects could exist which contain the same asID and label.
In such cases the union of optOut entries forms the set of optOut entries.
It is highly RECOMMENDED that a compliant CA maintains a single ASGroup Opt-Out Listing for a given (asID, label) tuple.¶
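An RP-side model of the expansion described above (recursive descent over members, ignoring GroupingPointers to referenceable FALSE ASGroups, honouring ASGroup Opt-Out Listings, and taking the union of objects sharing an (asID, label) tuple), added here as an example and not taken from the draft or any implementation. The namedtuple models, the loop guard for cyclic pointers and the sample ASNs 64496 through 64498 are assumptions; the AS16509:AS-AMAZON, AS16509:AS-CUSTOMERS and AS 15562 values follow the draft's own examples.

```python
from collections import namedtuple

# Minimal models of the eContent fields used during expansion (constructed; not the draft's ASN.1).
GroupingPointer = namedtuple("GroupingPointer", "as_id label")        # SEQUENCE { asID, label }
ASGroup = namedtuple("ASGroup", "as_id label referenceable members")  # members: ASIDs and/or pointers
OptOutListing = namedtuple("OptOutListing", "as_id label opt_out")    # label is None when absent

def merge_groups(groups):
    """Union the members of ASGroups sharing (asID, label); referenceable TRUE takes precedence."""
    merged = {}
    for g in groups:
        p = merged.get((g.as_id, g.label))
        merged[(g.as_id, g.label)] = g if p is None else ASGroup(
            g.as_id, g.label, p.referenceable or g.referenceable, p.members + g.members)
    return merged

def negations(opt_outs):
    """Map (asID, label) of each referenced ASGroup to the members an RP MUST ignore in it."""
    neg = {}
    for o in opt_outs:
        # Label absent: the holder's ASID is negated; label present: that GroupingPointer is.
        negated = o.as_id if o.label is None else GroupingPointer(o.as_id, o.label)
        for ptr in o.opt_out:
            neg.setdefault((ptr.as_id, ptr.label), set()).add(negated)
    return neg

def expand(root, groups, opt_outs):
    """Recursive descent from root=(asID, label), yielding the Validated ASGroup Listing."""
    merged, neg, seen, out = merge_groups(groups), negations(opt_outs), set(), set()
    def descend(key):
        if key in seen:             # loop guard: an assumption, the draft does not discuss cycles
            return
        seen.add(key)
        for m in merged[key].members:
            if m in neg.get(key, set()):   # matches an ASGroup Opt-Out Listing entry: ignore
                continue
            if not isinstance(m, GroupingPointer):
                out.add(m)
            elif merged.get((m.as_id, m.label), ASGroup(0, "", False, ())).referenceable:
                descend((m.as_id, m.label))  # pointer to a referenceable FALSE ASGroup is ignored
    descend(root)
    return frozenset(out)

# Constructed sample modelled on the draft's example: AS16509:AS-AMAZON (not referenceable)
# lists AS 16509 and points at AS16509:AS-CUSTOMERS; AS 15562 opts out of AS-CUSTOMERS.
CUSTOMERS = GroupingPointer(16509, "AS-CUSTOMERS")
GROUPS = (ASGroup(16509, "AS-AMAZON", False, (16509, CUSTOMERS)),
          ASGroup(16509, "AS-CUSTOMERS", True, (15562, 64496, GroupingPointer(64497, "AS-PRIVATE"))),
          ASGroup(64497, "AS-PRIVATE", False, (64498,)))  # referenceable FALSE: must not be followed
OPT_OUTS = (OptOutListing(15562, None, (CUSTOMERS,)),)
```

Calling `expand((16509, "AS-AMAZON"), GROUPS, OPT_OUTS)` yields {16509, 64496}: AS 15562 is dropped by its Opt-Out Listing and AS-PRIVATE is never followed.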
If a CA becomes aware of a match in a valid ASGroup Opt-Out Listing for one of its subordinate ASGroup products, the CA SHOULD remove the offending asID or GroupingPointer from the members of the ASGroup and reissue the object.¶
RPs are hereby warned that the data in an ASGroup is self-asserted.
When determining the meaning of any data contained in an ASGroup, RPs MUST NOT make any assumptions about the signer beyond the fact that it had sufficient control of the issuing CA to create the object.¶
While a one-time-use EE certificate must only be used to generate and sign a single ASGroup object, CAs technically are not restricted from generating and signing multiple different ASGroup objects with a single key pair.
Any ASGroup objects sharing the same EE certificate cannot be revoked individually.¶
Alaettinoglu, C., Villamizar, C., Gerich, E., Kessens, D., Meyer, D., Bates, T., Karrenberg, D., Terpstra, M., and RFC Publisher, "Routing Policy Specification Language (RPSL)", RFC 2622, DOI 10.17487/RFC2622, <https://www.rfc-editor.org/info/rfc2622>.
Schaad, J. and S. Turner, "Additional New ASN.1 Modules for the Cryptographic Message Syntax (CMS) and the Public Key Infrastructure Using X.509 (PKIX)", RFC 6268, DOI 10.17487/RFC6268, <https://www.rfc-editor.org/info/rfc6268>.
Below an example of a DER encoded ASGroup eContent is provided with annotation following the '#' character.
The example is fairly simple: the resource holder managing AS 16509 produced an ASGroup called "AS16509:AS-AMAZON" (asID + ':' + label), which cannot be referenced by other ASGroups, and which has 2 members: AS 16509 and 'AS16509:AS-CUSTOMERS' (the latter being a GroupingPointer).¶
Below an example of a DER encoded ASGroup Opt-Out Listing eContent is provided with annotation following the '#' character.
The example is as follows: the resource holder managing AS 15562 produced an ASGroup Opt-Out Listing which has 1 optOut entry: 'AS16509:AS-CUSTOMERS'.
Should ASGroup 'AS16509:AS-CUSTOMERS' (directly or indirectly) contain a reference to AS 15562, a Relying Party should omit 15562 from its output.¶
This section is to be removed before publishing as an RFC.¶
This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in RFC 7942.
The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs.
Please note that the listing of any individual implementation here does not imply endorsement by the IETF.
Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors.
This is not intended as, and must not be construed to be, a catalog of available implementations or their features.
Readers are advised to note that other implementations may exist.¶
According to RFC 7942, "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature.
It is up to the individual working groups to use this information as they see fit".¶
Example .grp and .ool files were created by Job Snijders with the use of asn1c and OpenSSL.¶