rfcdiff: < draft-ietf-opsawg-finding-geofeeds-03.txt | draft-ietf-opsawg-finding-geofeeds-04.txt >
(text common to both versions is shown once; lines that differ are marked < for -03 and > for -04)

Network Working Group                                            R. Bush
Internet-Draft                                              IIJ & Arrcus
Intended status: Standards Track                              M. Candela
< Expires: August 20, 2021                                           NTT
> Expires: August 23, 2021                                           NTT
                                                               W. Kumari
                                                                  Google
                                                              R. Housley
                                                          Vigil Security
<                                                      February 16, 2021
>                                                      February 19, 2021

                     Finding and Using Geofeed Data
<                 draft-ietf-opsawg-finding-geofeeds-03
>                 draft-ietf-opsawg-finding-geofeeds-04
Abstract

This document describes how to find and authenticate geofeed data.

Status of This Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

< This Internet-Draft will expire on August 20, 2021.
> This Internet-Draft will expire on August 23, 2021.

Copyright Notice

Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
skipping to change at page 2, line 21

2. Geofeed Files . . . . . . . . . . . . . . . . . . . . . . . .   3
3. inetnum: Class . . . . . . . . . . . . . . . . . . . . . . .    3
4. Authenticating Geofeed Data . . . . . . . . . . . . . . . . .   4
5. Operational Considerations . . . . . . . . . . . . . . . . .    6
6. Security Considerations . . . . . . . . . . . . . . . . . . .   7
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .   7
9. References . . . . . . . . . . . . . . . . . . . . . . . . .    8
   9.1. Normative References . . . . . . . . . . . . . . . . . .   8
   9.2. Informative References . . . . . . . . . . . . . . . . .   8
< Appendix A. Example . . . . . . . . . . . . . . . . . . . . . .   9
> Appendix A. Example . . . . . . . . . . . . . . . . . . . . . .  10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . .  18
1. Introduction

Providers of Internet content and other services may wish to
customize those services based on the geographic location of the user
of the service. This is often done using the source IP address used
to contact the service. Also, infrastructure and other services
might wish to publish the locale of their services. [RFC8805]
defines geofeed, a syntax to associate geographic locales with IP
skipping to change at page 5, line 11

repositories is weakly authenticated at best. An approach where RPSL
was signed a la [RFC7909] would be good, except it would have to be
deployed by all RPSL registries, and there is a fair number of them.

An optional authenticator MAY be appended to a geofeed file. It
would be essentially a digest of the main body of the file signed by
the private key of the relevant RPKI certificate for the covering
address range. One needs a format that bundles the relevant RPKI
certificate with the signature and the digest of the geofeed text.

< [I-D.michaelson-rpki-rta] describes a Cryptographic Message Syntax
< (CMS) profile for a general purpose Resource Tagged Attestation (RTA)
< based on the RPKI. While this is expected to become applicable in
< the long run, for the purposes of this document, a self-signed root
< trust anchor is used.

Borrowing detached signatures from [RFC5485], after text file
canonicalization (Sec 2.2), the Cryptographic Message Syntax (CMS)
[RFC5652] would be used to create a detached DER encoded signature
which is then BASE64 encoded and line wrapped to 72 or fewer
characters.

Both the address ranges of the signing certificate and of the
inetnum: MUST cover all prefixes in the geofeed file; and the address
range of the signing certificate must cover that of the inetnum:.
< skipping to change at page 6, line 13
> skipping to change at page 5, line 50

example. A correct and full example is in Appendix A.

# RPKI Signature: 192.0.2.0/24
# MIIGlwYJKoZIhvcNAQcCoIIGiDCCBoQCAQMxDTALBglghkgBZQMEAgEwDQYLKoZ
# IhvcNAQkQAS+gggSxMIIErTCCA5WgAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZu
...
# imwYkXpiMxw44EZqDjl36MiWsRDLdgoijBBcGbibwyAfGeR46k5raZCGvxG+4xa
# O8PDTxTfIYwAnBjRBKAqAZ7yX5xHfm58jUXsZJ7Ileq1S7G6Kk=
# End Signature: 192.0.2.0/24

> [I-D.spaghetti-sidrops-rpki-rsc] describes and provides code for a
> Cryptographic Message Syntax (CMS) profile for a general purpose
> listing of checksums (a 'checklist'), for use with the Resource
> Public Key Infrastructure (RPKI). It provides usable, albeit
> complex, code to sign geofeed files.

> [I-D.ietf-sidrops-rpki-rta] describes a Cryptographic Message Syntax
> (CMS) profile for a general purpose Resource Tagged Attestation (RTA)
> based on the RPKI. While this is expected to become applicable in
> the long run, for the purposes of this document, a self-signed root
> trust anchor is used.
5. Operational Considerations

To create the needed inetnum: objects, an operator wishing to
register the location of their geofeed file needs to coordinate with
their RIR/NIR and/or any provider LIR which has assigned prefixes to
them. RIRs/NIRs provide means for assignees to create and maintain
inetnum: objects. They also provide means of [sub-]assigning IP
address resources and allowing the assignee to create whois data,
including inetnum: objects, and thereby referring to geofeed files.

< skipping to change at page 7, line 45
> skipping to change at page 7, line 46

Description                OID                          Specification
-----------------------------------------------------------------
id-ct-geofeedCSVwithCRLF   1.2.840.113549.1.9.16.1.47   [RFC-TBD]
8. Acknowledgments

Thanks to Rob Austein for CMS and detached signature clue. George
Michaelson for the first, and a substantial, external review. Erik
Kline who was too shy to agree to co-authorship. Additionally, we
express our gratitude to early implementors, including Menno
< Schepers, Flavio Luciani, Eric Dugas, Job Snijders who provided a CLI
< demo, and Kevin Pack. Also to geolocation providers that are running
< consuming geofeeds with this described solution, Jonathan Kosgei
< (ipdata.co), Ben Dowling (ipinfo.io), and Pol Nisenblat
< (bigdatacloud.com). For reviews, we thank Adrian Farrel Antonio
> Schepers, Flavio Luciani, Eric Dugas, Job Snijders who provided
> code, and Kevin Pack. Also to geolocation providers that are
> consuming geofeeds with this described solution, Jonathan Kosgei
> (ipdata.co), Ben Dowling (ipinfo.io), and Pol Nisenblat
> (bigdatacloud.com). For reviews, we thank Adrian Farrel, Antonio
Prado, and George Michaelson, the document shepherd.

9. References

9.1. Normative References

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
           Requirement Levels", BCP 14, RFC 2119,
           DOI 10.17487/RFC2119, March 1997,
           <https://www.rfc-editor.org/info/rfc2119>.
skipping to change at page 9, line 5

           Kumari, "A Format for Self-Published IP Geolocation
           Feeds", RFC 8805, DOI 10.17487/RFC8805, August 2020,
           <https://www.rfc-editor.org/info/rfc8805>.

9.2. Informative References

[geofeed-finder]
           Massimo Candela, "geofeed-finder",
           <https://github.com/massimocandela/geofeed-finder>.

< [I-D.michaelson-rpki-rta]
> [I-D.ietf-sidrops-rpki-rta]
           Michaelson, G., Huston, G., Harrison, T., Bruijnzeels, T.,
           and M. Hoffmann, "A profile for Resource Tagged
<          Attestations (RTAs)", draft-michaelson-rpki-rta-02 (work
<          in progress), November 2020.
>          Attestations (RTAs)", draft-ietf-sidrops-rpki-rta-00 (work
>          in progress), January 2021.

> [I-D.spaghetti-sidrops-rpki-rsc]
>          Snijders, J., "RPKI Signed Checklists", draft-spaghetti-
>          sidrops-rpki-rsc-02 (work in progress), February 2021.

[INET6NUM] RIPE, "Description of the INET6NUM Object",
           <https://www.ripe.net/manage-ips-and-
           asns/db/support/documentation/ripe-database-documentation/
           rpsl-object-types/4-2-descriptions-of-primary-
           objects/4-2-3-description-of-the-inet6num-object>.

[INETNUM]  RIPE, "Description of the INETNUM Object",
           <https://www.ripe.net/manage-ips-and-
End of changes. 11 change blocks. 17 lines changed or deleted, 27 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/