< draft-ietf-opsawg-finding-geofeeds-12.txt   draft-ietf-opsawg-finding-geofeeds-13.txt >
Network Working Group R. Bush Network Working Group R. Bush
Internet-Draft IIJ & Arrcus Internet-Draft IIJ & Arrcus
Intended status: Standards Track M. Candela Intended status: Standards Track M. Candela
Expires: November 20, 2021 NTT Expires: November 21, 2021 NTT
W. Kumari W. Kumari
Google Google
R. Housley R. Housley
Vigil Security Vigil Security
May 19, 2021 May 20, 2021
Finding and Using Geofeed Data Finding and Using Geofeed Data
draft-ietf-opsawg-finding-geofeeds-12 draft-ietf-opsawg-finding-geofeeds-13
Abstract Abstract
This document specifies how to augment the Routing Policy This document specifies how to augment the Routing Policy
Specification Language inetnum: class to refer specifically to Specification Language inetnum: class to refer specifically to
geofeed data CSV files, and describes an optional scheme to use the geofeed data CSV files, and describes an optional scheme to use the
Routing Public Key Infrastructure to authenticate the geofeed data Routing Public Key Infrastructure to authenticate the geofeed data
CSV files. CSV files.
Status of This Memo Status of This Memo
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 20, 2021. This Internet-Draft will expire on November 21, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 24 skipping to change at page 2, line 24
2. Geofeed Files . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Geofeed Files . . . . . . . . . . . . . . . . . . . . . . . . 3
3. inetnum: Class . . . . . . . . . . . . . . . . . . . . . . . 3 3. inetnum: Class . . . . . . . . . . . . . . . . . . . . . . . 3
4. Authenticating Geofeed Data . . . . . . . . . . . . . . . . . 5 4. Authenticating Geofeed Data . . . . . . . . . . . . . . . . . 5
5. Operational Considerations . . . . . . . . . . . . . . . . . 8 5. Operational Considerations . . . . . . . . . . . . . . . . . 8
6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 9 6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 9
7. Security Considerations . . . . . . . . . . . . . . . . . . . 9 7. Security Considerations . . . . . . . . . . . . . . . . . . . 9
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 10 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 10
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
10.1. Normative References . . . . . . . . . . . . . . . . . . 10 10.1. Normative References . . . . . . . . . . . . . . . . . . 10
10.2. Informative References . . . . . . . . . . . . . . . . . 11 10.2. Informative References . . . . . . . . . . . . . . . . . 12
Appendix A. Example . . . . . . . . . . . . . . . . . . . . . . 13 Appendix A. Example . . . . . . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22
1. Introduction 1. Introduction
Providers of Internet content and other services may wish to Providers of Internet content and other services may wish to
customize those services based on the geographic location of the user customize those services based on the geographic location of the user
of the service. This is often done using the source IP address used of the service. This is often done using the source IP address used
to contact the service. Also, infrastructure and other services to contact the service. Also, infrastructure and other services
might wish to publish the locale of their services. [RFC8805] might wish to publish the locale of their services. [RFC8805]
defines geofeed, a syntax to associate geographic locales with IP defines geofeed, a syntax to associate geographic locales with IP
addresses. But it does not specify how to find the relevant geofeed addresses. But it does not specify how to find the relevant geofeed
data given an IP address. data given an IP address.
This document specifies how to augment the Routing Policy This document specifies how to augment the Routing Policy
Specification Language (RPSL) [RFC2622] inetnum: class to refer Specification Language (RPSL) [RFC2725] inetnum: class to refer
specifically to geofeed data CSV files, and how to prudently use specifically to geofeed data CSV files, and how to prudently use
them. In all places inetnum: is used, inet6num: should also be them. In all places inetnum: is used, inet6num: should also be
assumed [RFC4012]. assumed [RFC4012].
The reader may find [INETNUM] and [INET6NUM] informative, and The reader may find [INETNUM] and [INET6NUM] informative, and
certainly more verbose, descriptions of the inetnum: database certainly more verbose, descriptions of the inetnum: database
classes. classes.
An optional, utterly awesome but slightly complex means for An optional, utterly awesome but slightly complex means for
authenticating geofeed data is also defined. authenticating geofeed data is also defined.
skipping to change at page 3, line 39 skipping to change at page 3, line 39
Geofeed data do have privacy considerations, see Section 6; and this Geofeed data do have privacy considerations, see Section 6; and this
process makes bulk access to those data easier. process makes bulk access to those data easier.
This document also suggests an optional signature to strongly This document also suggests an optional signature to strongly
authenticate the data in the geofeed files. authenticate the data in the geofeed files.
3. inetnum: Class 3. inetnum: Class
The original RPSL specifications starting with [RIPE81], [RIPE181], The original RPSL specifications starting with [RIPE81], [RIPE181],
and a trail of subsequent documents were done by the RIPE community. and a trail of subsequent documents were done by the RIPE community.
The IETF standardized RPSL in [RFC2622] and [RFC4012]. Since then, The IETF standardized RPSL in [RFC2725] and [RFC4012]. Since then,
it has been modified and extensively enhanced in the Regional it has been modified and extensively enhanced in the Regional
Internet Registry (RIR) community, mostly by RIPE, [RIPE-DB]. Internet Registry (RIR) community, mostly by RIPE, [RIPE-DB].
Currently, change control effectively lies in the operator community. Currently, change control effectively lies in the operator community.
The Routing Policy Specification Language (RPSL), and [RFC2622] and The Routing Policy Specification Language (RPSL), and [RFC2725] and
[RFC4012] used by the Regional Internet Registries (RIRs) specifies [RFC4012] used by the Regional Internet Registries (RIRs) specifies
the inetnum: database class. Each of these objects describes an IP the inetnum: database class. Each of these objects describes an IP
address range and its attributes. The inetnum: objects form a address range and its attributes. The inetnum: objects form a
hierarchy ordered on the address space. hierarchy ordered on the address space.
Ideally, RPSL would be augmented to define a new RPSL geofeed: Ideally, RPSL would be augmented to define a new RPSL geofeed:
attribute in the inetnum: class. Until such time, this document attribute in the inetnum: class. Until such time, this document
defines the syntax of a Geofeed remarks: attribute which contains an defines the syntax of a Geofeed remarks: attribute which contains an
HTTPS URL of a geofeed file. The format of the inetnum: geofeed HTTPS URL of a geofeed file. The format of the inetnum: geofeed
remarks: attribute MUST be as in this example, "remarks: Geofeed ", remarks: attribute MUST be as in this example, "remarks: Geofeed ",
skipping to change at page 4, line 24 skipping to change at page 4, line 24
parties, we specify that a proper geofeed: attribute in the inetnum: parties, we specify that a proper geofeed: attribute in the inetnum:
class MUST be "geofeed: ", and MUST be followed by a single URL which class MUST be "geofeed: ", and MUST be followed by a single URL which
will vary, but MUST refer only to a single [RFC8805] geofeed file. will vary, but MUST refer only to a single [RFC8805] geofeed file.
inetnum: 192.0.2.0/24 # example inetnum: 192.0.2.0/24 # example
geofeed: https://example.com/geofeed.csv geofeed: https://example.com/geofeed.csv
Registries MAY, for the interim, provide a mix of the remarks: Registries MAY, for the interim, provide a mix of the remarks:
attribute form and the geofeed: attribute form. attribute form and the geofeed: attribute form.
The URL's use of the web PKI can not provide authentication of IP The URL uses HTTPS, so the WebPKI provides authentication, integrity,
address space ownership. It is only used to authenticate a pointer and confidentiality for the fetched geofeed file. However, the
to the geofeed file, authenticate the domain name in the URL, and WebPKI can not provide authentication of IP address space assignment.
provide confidentiality and integrity for the geofeed file in In contrast, the Resource Public Key Infrastructure (RPKI, see
transit. In contrast, the Resource Public Key Infrastructure (RPKI, [RFC6481]) can be used to authenticate IP space assignment; see
see [RFC6481]) can be used to authenticate IP space ownership; see
optional authentication in Section 4. optional authentication in Section 4.
Until all producers of inetnum:s, i.e. the RIRs, state that they have Until all producers of inetnum:s, i.e. the RIRs, state that they have
migrated to supporting a geofeed: attribute, consumers looking at migrated to supporting a geofeed: attribute, consumers looking at
inetnum:s to find geofeed URLs MUST be able to consume both the inetnum:s to find geofeed URLs MUST be able to consume both the
remarks: and geofeed: forms. The migration not only implies that the remarks: and geofeed: forms. The migration not only implies that the
RIRs support the geofeed: attribute, but that all registrants have RIRs support the geofeed: attribute, but that all registrants have
migrated any inetnum:s from remarks: use to geofeed:s. migrated any inetnum:s from remarks: use to geofeed:s.
Any particular inetnum: object MUST have at most, one geofeed Any particular inetnum: object MUST have at most, one geofeed
reference, whether a remarks: or a proper geofeed: attribute when it reference, whether a remarks: or a proper geofeed: attribute when it
is implemented. If there is more than one, all are ignored. is implemented. If there is more than one, all are ignored.
If a geofeed CSV file describes multiple disjoint ranges of IP If a geofeed CSV file describes multiple disjoint ranges of IP
address space, there are likely to be geofeed references from address space, there are likely to be geofeed references from
multiple inetnum: objects. multiple inetnum: objects. Files with geofeed references from
multiple inetnum: objects are not compatible with the signing
As inetnum: objects form a hierarchy, Geofeed references SHOULD be at procedure in Section 4.
the lowest applicable inetnum: object covering the relevant prefixes
in the referenced geofeed file. When fetching, the most specific
inetnum: object with a geofeed reference MUST be used.
When geofeed references are provided by multiple inetnum: objects When geofeed references are provided by multiple inetnum: objects
which have identical address ranges, then the geofeed reference on which have identical address ranges, then the geofeed reference on
the inetnum: with the most recent last-modified: attribute SHOULD be the inetnum: with the most recent last-modified: attribute SHOULD be
preferred. preferred.
As inetnum: objects form a hierarchy, Geofeed references SHOULD be at
the lowest applicable inetnum: object covering the relevant prefixes
in the referenced geofeed file. When fetching, the most specific
inetnum: object with a geofeed reference MUST be used.
It is significant that geofeed data may have finer granularity than It is significant that geofeed data may have finer granularity than
the inetnum: which refers to them. For example an INETNUM object for the inetnum: which refers to them. For example an INETNUM object for
a prefix P could refer to a geofeed file in which P has been sub- a prefix P could refer to a geofeed file in which P has been sub-
divided into one or more longer prefixes. divided into one or more longer prefixes.
Currently, the registry data published by ARIN is not the same RPSL Currently, the registry data published by ARIN is not the same RPSL
as that of the other registries (see [RFC7485] for a survey of the as that of the other registries (see [RFC7485] for a survey of the
whois Tower of Babel); therefore, when fetching from ARIN via FTP whois Tower of Babel); therefore, when fetching from ARIN via FTP
[RFC0959], whois [RFC3912], RDAP [RFC7482], or whatever, the [RFC0959], whois [RFC3912], RDAP [RFC7482], or whatever, the
"NetRange" attribute/key MUST be treated as "inetnum" and the "NetRange" attribute/key MUST be treated as "inetnum" and the
skipping to change at page 5, line 37 skipping to change at page 5, line 37
[RFC8805] geofeed file provides some assurance. Unfortunately, the [RFC8805] geofeed file provides some assurance. Unfortunately, the
RPSL in many repositories is weakly authenticated at best. An RPSL in many repositories is weakly authenticated at best. An
approach where RPSL was signed a la [RFC7909] would be good, except approach where RPSL was signed a la [RFC7909] would be good, except
it would have to be deployed by all RPSL registries, and there is a it would have to be deployed by all RPSL registries, and there is a
fair number of them. fair number of them.
A single optional authenticator MAY be appended to a [RFC8805] A single optional authenticator MAY be appended to a [RFC8805]
geofeed file. It is a digest of the main body of the file signed by geofeed file. It is a digest of the main body of the file signed by
the private key of the relevant RPKI certificate for the covering the private key of the relevant RPKI certificate for the covering
address range. One needs a format that bundles the relevant RPKI address range. One needs a format that bundles the relevant RPKI
certificate with the signature and the digest of the geofeed text. certificate with the signature of the geofeed text.
The canonicalization procedure converts the data from its internal The canonicalization procedure converts the data from its internal
character representation to the UTF-8 [RFC3629] character encoding, character representation to the UTF-8 [RFC3629] character encoding,
and the <CRLF> sequence MUST be used to denote the end of a line of and the <CRLF> sequence MUST be used to denote the end of a line of
text. Trailing space characters MUST NOT appear on a line of text. text. Trailing space characters MUST NOT appear on a line of text.
That is, the space or tab characters must not be followed by the That is, space or tab characters must not immediately preceed a
<CRLF> sequence. Thus, a blank line is represented solely by the <CRLF> sequence. Thus, a blank line is represented solely by the
<CRLF> sequence. Other non-printable characters, such as backspace, <CRLF> sequence. Other non-printable characters, such as backspace,
are not expected. For robustness, any non-printable characters MUST are not expected. For robustness, any non-printable characters MUST
NOT be changed by canonicalization. Trailing blank lines MUST NOT NOT be changed by canonicalization. Trailing blank lines MUST NOT
appear at the end of the file. That is, the file must not end with appear at the end of the file. That is, the file must not end with
multiple consecutive <CRLF> sequences. Any end-of-file marker used multiple consecutive <CRLF> sequences. Any end-of-file marker used
by an operating system is not considered to be part of the file by an operating system is not considered to be part of the file
content. When present, such end-of-file markers MUST NOT be content. When present, such end-of-file markers MUST NOT be
processed by the digital signature algorithm. processed by the digital signature algorithm.
Should the authenticator be syntactically incorrect per the above, Should the authenticator be syntactically incorrect per the above,
the authenticator is invalid. the authenticator is invalid.
Borrowing detached signatures from [RFC5485], after file Borrowing detached signatures from [RFC5485], after file
canonicalization, the Cryptographic Message Syntax (CMS) [RFC5652] canonicalization, the Cryptographic Message Syntax (CMS) [RFC5652]
would be used to create a detached DER encoded signature which is would be used to create a detached DER encoded signature which is
then padded BASE64 encoded (as per [RFC4648]) and line wrapped to 72 then padded BASE64 encoded (as per [RFC4648]) Section 4, and line
or fewer characters. wrapped to 72 or fewer characters. The same digest algorithm MUST be
used for calculating the message digest on content being signed,
which is the geofeed file, and calculating the message digest on the
SignerInfo SignedAttributes [RFC8933]. The message digest algorithm
identifier MUST appear in both the SigenedData
DigestAlgorithmIdentifiers and the SignerInfo
DigestAlgorithmIdentifier [RFC5652].
The address range of the signing certificate MUST cover all prefixes The address range of the signing certificate MUST cover all prefixes
in the geofeed file it signs; and therefore must be covered by the in the geofeed file it signs; and therefore must be covered by the
range of the inetnum:. range of the inetnum:.
An address range A 'covers' address range B if the range of B is An address range A 'covers' address range B if the range of B is
identical to or a subset of A. 'Address range' is used here because identical to or a subset of A. 'Address range' is used here because
inetnum: objects and RPKI certificates need not align on CIDR prefix inetnum: objects and RPKI certificates need not align on CIDR prefix
boundaries, while those of the CSV lines in the geofeed file do. boundaries, while those of the CSV lines in the geofeed file do.
As the signer specifies the covered RPKI resources relevant to the As the signer specifies the covered RPKI resources relevant to the
signature, the RPKI certificate covering the inetnum: object's signature, the RPKI certificate covering the inetnum: object's
address range is included in the [RFC5652] CMS SignedData address range is included in the [RFC5652] CMS SignedData
certificates field. certificates field.
Identifying the private key associated with the certificate, and Identifying the private key associated with the certificate, and
getting the department with the Hardware Security Module (HSM) to getting the department that controls the private key (which might be
sign the CMS blob is left as an exercise for the implementor. On the trapped in a Hardware Security Module, HSM) to sign the CMS blob is
other hand, verifying the signature requires no complexity; the left as an exercise for the implementor. On the other hand,
certificate, which can be validated in the public RPKI, has the verifying the signature requires no complexity; the certificate,
needed public key. The trust anchors for the RIRs are expected to which can be validated in the public RPKI, has the needed public key.
already be available to the party performing signature validation. The trust anchors for the RIRs are expected to already be available
Validation of the CMS signature on the geofeed file involves: to the party performing signature validation. Validation of the CMS
signature on the geofeed file involves:
1. Obtain the signer's certificate from an RPKI Repository. The 1. Obtain the signer's certificate from the CMS SignedData
certificate SubjectKeyIdentifier extension [RFC5280] MUST match CertificateSet [RFC5652]. The certificate SubjectKeyIdentifier
the SubjectKeyIdentifier in the CMS SignerInfo SignerIdentifier extension [RFC5280] MUST match the SubjectKeyIdentifier in the
[RFC5286]. If the key identifiers do not match, then validation CMS SignerInfo SignerIdentifier [RFC5652]. If the key
MUST fail. identifiers do not match, then validation MUST fail.
2. Construct the certification path for the signer's certificate. 2. Construct the certification path for the signer's certificate.
All of the needed certificates are expected to be readily All of the needed certificates are expected to be readily
available in the RPKI Repository. The certification path MUST be available in the RPKI Repository. The certification path MUST be
valid according to the validation algorithm in [RFC5280] and the valid according to the validation algorithm in [RFC5280] and the
additional checks specified in [RFC3779] associated with the IP additional checks specified in [RFC3779] associated with the IP
Address Delegation certificate extension and the Autonomous Address Delegation certificate extension and the Autonomous
System Identifier Delegation certificate extension. If System Identifier Delegation certificate extension. If
certification path validation is unsuccessful, then validation certification path validation is unsuccessful, then validation
MUST fail. MUST fail.
3. Validate the CMS SignedData as specified in [RFC5652] using the 3. Validate the CMS SignedData as specified in [RFC5652] using the
public key from the validated signer's certificate. If the public key from the validated signer's certificate. If the
signature validation is unsuccessful, then validation MUST fail. signature validation is unsuccessful, then validation MUST fail.
4. Verify that the IP Address Delegation certificate extension 4. Verify that the IP Address Delegation certificate extension
[RFC3779] covers the address range of the geofeed file. If the [RFC3779] covers all of the address ranges of the geofeed file.
address range is not covered, then validation MUST fail. If all of the address ranges are not covered, then validation
MUST fail.
5. Validation of the signing certificate MUST ensure that it is part 5. Validation of the signer's certificate MUST ensure that it is
of the current manifest and that the resources are covered by the part of the current [RFC6486] manifest and that the resources are
RPKI certificate. covered by the RPKI certificate.
All of these steps MUST be successful to consider the geofeed file All of these steps MUST be successful to consider the geofeed file
signature as valid. signature as valid.
As the signer specifies the covered RPKI resources relevant to the As the signer specifies the covered RPKI resources relevant to the
signature, the RPKI certificate covering the inetnum: object's signature, the RPKI certificate covering the inetnum: object's
address range is included in the [RFC5652] CMS SignedData address range is included in the [RFC5652] CMS SignedData
certificates field. certificates field.
Identifying the private key associated with the certificate, and Identifying the private key associated with the certificate, and
skipping to change at page 7, line 47 skipping to change at page 8, line 6
# MIIGlwYJKoZIhvcNAQcCoIIGiDCCBoQCAQMxDTALBglghkgBZQMEAgEwDQYLKoZ # MIIGlwYJKoZIhvcNAQcCoIIGiDCCBoQCAQMxDTALBglghkgBZQMEAgEwDQYLKoZ
# IhvcNAQkQAS+gggSxMIIErTCCA5WgAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZu # IhvcNAQkQAS+gggSxMIIErTCCA5WgAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZu
... ...
# imwYkXpiMxw44EZqDjl36MiWsRDLdgoijBBcGbibwyAfGeR46k5raZCGvxG+4xa # imwYkXpiMxw44EZqDjl36MiWsRDLdgoijBBcGbibwyAfGeR46k5raZCGvxG+4xa
# O8PDTxTfIYwAnBjRBKAqAZ7yX5xHfm58jUXsZJ7Ileq1S7G6Kk= # O8PDTxTfIYwAnBjRBKAqAZ7yX5xHfm58jUXsZJ7Ileq1S7G6Kk=
# End Signature: 192.0.2.0/24 # End Signature: 192.0.2.0/24
The signature does not cover the signature lines. The signature does not cover the signature lines.
The bracketing "# RPKI Signature:" and "# End Signature:" MUST be The bracketing "# RPKI Signature:" and "# End Signature:" MUST be
present exactly as shown. present following the model as shown. The IP address range MUST
match that of the signer's certificate.
[I-D.spaghetti-sidrops-rpki-rsc] describes and provides code for a [I-D.spaghetti-sidrops-rpki-rsc] describes and provides code for a
Cryptographic Message Syntax (CMS) profile for a general purpose Cryptographic Message Syntax (CMS) profile for a general purpose
listing of checksums (a 'checklist'), for use with the Resource listing of checksums (a 'checklist'), for use with the Resource
Public Key Infrastructure (RPKI). It provides usable, albeit Public Key Infrastructure (RPKI). It provides usable, albeit
complex, code to sign geofeed files. complex, code to sign geofeed files.
[I-D.ietf-sidrops-rpki-rta] describes a Cryptographic Message Syntax [I-D.ietf-sidrops-rpki-rta] describes a Cryptographic Message Syntax
(CMS) profile for a general purpose Resource Tagged Attestation (RTA) (CMS) profile for a general purpose Resource Tagged Attestation (RTA)
based on the RPKI. While this is expected to become applicable in based on the RPKI. While this is expected to become applicable in
skipping to change at page 8, line 23 skipping to change at page 8, line 31
5. Operational Considerations 5. Operational Considerations
To create the needed inetnum: objects, an operator wishing to To create the needed inetnum: objects, an operator wishing to
register the location of their geofeed file needs to coordinate with register the location of their geofeed file needs to coordinate with
their RIR/NIR and/or any provider LIR which has assigned prefixes to their RIR/NIR and/or any provider LIR which has assigned prefixes to
them. RIRs/NIRs provide means for assignees to create and maintain them. RIRs/NIRs provide means for assignees to create and maintain
inetnum: objects. They also provide means of [sub-]assigning IP inetnum: objects. They also provide means of [sub-]assigning IP
address resources and allowing the assignee to create whois data, address resources and allowing the assignee to create whois data,
including inetnum: objects, and thereby referring to geofeed files. including inetnum: objects, and thereby referring to geofeed files.
The geofeed files MUST be published via and fetched using https The geofeed files MUST be published via and fetched using HTTPS
[RFC2818]. [RFC2818].
When using data from a geofeed file, one MUST ignore data outside the When using data from a geofeed file, one MUST ignore data outside the
referring inetnum: object's inetnum: attribute address range. referring inetnum: object's inetnum: attribute address range.
If and only if the geofeed file is not signed per Section 4, then If and only if the geofeed file is not signed per Section 4, then
multiple inetnum: objects MAY refer to the same geofeed file, and the multiple inetnum: objects MAY refer to the same geofeed file, and the
consumer MUST use only geofeed lines where the prefix is covered by consumer MUST use only lines in the geofeed file where the prefix is
the address range of the inetnum: object they have followed. covered by the address range of the inetnum: object they have
followed.
If the geofeed file is signed, and the signer's certificate changes, If the geofeed file is signed, and the signer's certificate changes,
the signature in the geofeed file MUST be updated. the signature in the geofeed file MUST be updated.
It is good key hygiene to use a given key for only one purpose. To It is good key hygiene to use a given key for only one purpose. To
dedicate a signing private key for signing a geofeed file, an RPKI CA dedicate a signing private key for signing a geofeed file, an RPKI CA
may issue a subordinate certificate exclusively for the purpose as may issue a subordinate certificate exclusively for the purpose as
shown in Appendix A. shown in Appendix A.
To minimize the load on RIR whois [RFC3912] services, use of the To minimize the load on RIR whois [RFC3912] services, use of the
RIR's FTP [RFC0959] services SHOULD be the preferred access. This RIR's FTP [RFC0959] services SHOULD be used for large scale access to
also provides bulk access instead of fetching by brute force search gather geofeed URLs. This also provides bulk access instead of
through the IP space. fetching by brute force search through the IP space.
Currently, geolocation providers have bulk whois data access at all Currently, geolocation providers have bulk whois data access at all
the RIRs. An anonymized version of such data is openly available for the RIRs. An anonymized version of such data is openly available for
all RIRs except ARIN, which requires an authorization. However, for all RIRs except ARIN, which requires an authorization. However, for
users without such authorization, the same result can be achieved users without such authorization, the same result can be achieved
with extra RDAP effort. There is open source code to pass over such with extra RDAP effort. There is open source code to pass over such
data across all RIRs, collect all geofeed references, and process data across all RIRs, collect all geofeed references, and process
them [geofeed-finder]. them [geofeed-finder].
To prevent undue load on RPSL and geofeed servers, an entity fetching To prevent undue load on RPSL and geofeed servers, an entity fetching
skipping to change at page 9, line 42 skipping to change at page 9, line 50
It is generally prudent for a consumer of geofeed data to also use It is generally prudent for a consumer of geofeed data to also use
other sources to cross-validate the data. All the Security other sources to cross-validate the data. All the Security
Considerations of [RFC8805] apply here as well. Considerations of [RFC8805] apply here as well.
As mentioned in Section 4, many RPSL repositories have weak if any As mentioned in Section 4, many RPSL repositories have weak if any
authentication. This allows spoofing of inetnum: objects pointing to authentication. This allows spoofing of inetnum: objects pointing to
malicious geofeed files. Section 4 suggests an unfortunately complex malicious geofeed files. Section 4 suggests an unfortunately complex
method for stronger authentication based on the RPKI. method for stronger authentication based on the RPKI.
If an inetnum: for a wide prefix (e.g. a /16) points to an RPKI- For example, if an inetnum: for a wide prefix (e.g. a /16) points to
signed geofeed file, a customer or attacker could publish an unsigned an RPKI-signed geofeed file, a customer or attacker could publish an
equal or narrower (e.g. a /24) inetnum: in a whois registry which has unsigned equal or narrower (e.g. a /24) inetnum: in a whois registry
weak authorization. which has weak authorization abusing the rule that the most-specific
inetnum: object with a geofeed reference MUST be used.
If signatures were mandatory, the above attack would be stymied. But
of course that is not happening anytime soon.
The RPSL providers have had to throttle fetching from their servers The RPSL providers have had to throttle fetching from their servers
due to too-frequent queries. Usually they throttle by the querying due to too-frequent queries. Usually they throttle by the querying
IP address or block. Similar defenses will likely need to be IP address or block. Similar defenses will likely need to be
deployed by geofeed file servers. deployed by geofeed file servers.
8. IANA Considerations 8. IANA Considerations
IANA is asked to register object identifiers for one content type in IANA is asked to register object identifiers for one content type in
the "SMI Security for S/MIME CMS Content Type the "SMI Security for S/MIME CMS Content Type
skipping to change at page 10, line 27 skipping to change at page 10, line 38
Thanks to Rob Austein for CMS and detached signature clue. George Thanks to Rob Austein for CMS and detached signature clue. George
Michaelson for the first and substantial external review, Erik Kline Michaelson for the first and substantial external review, Erik Kline
who was too shy to agree to co-authorship. Additionally, we express who was too shy to agree to co-authorship. Additionally, we express
our gratitude to early implementors, including Menno Schepers, Flavio our gratitude to early implementors, including Menno Schepers, Flavio
Luciani, Eric Dugas, Job Snijders who provided running code, and Luciani, Eric Dugas, Job Snijders who provided running code, and
Kevin Pack. Also, to geolocation providers that are consuming Kevin Pack. Also, to geolocation providers that are consuming
geofeeds with this described solution, Jonathan Kosgei (ipdata.co), geofeeds with this described solution, Jonathan Kosgei (ipdata.co),
Ben Dowling (ipinfo.io), and Pol Nisenblat (bigdatacloud.com). For Ben Dowling (ipinfo.io), and Pol Nisenblat (bigdatacloud.com). For
an amazing number of helpful reviews we thank Adrian Farrel, Antonio an amazing number of helpful reviews we thank Adrian Farrel, Antonio
Prado, Francesca Palombini, Jean-Michel Combes (INTDIR), John Prado, Francesca Palombini, Jean-Michel Combes (INTDIR), John
Scudder, Kyle Rose (SECDIR), Martin Duke, Paul Kyzivat (GENART), Rob Scudder, Kyle Rose (SECDIR), Martin Duke, Murray Kucherawy, Paul
Wilton, and Roman Danyliw. The authors also thank George Michaelson, Kyzivat (GENART), Rob Wilton, and Roman Danyliw. The authors also
the awesome document shepherd. thank George Michaelson, the awesome document shepherd.
10. References 10. References
10.1. Normative References 10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC2622] Alaettinoglu, C., Villamizar, C., Gerich, E., Kessens, D., [RFC2725] Villamizar, C., Alaettinoglu, C., Meyer, D., and S.
Meyer, D., Bates, T., Karrenberg, D., and M. Terpstra, Murphy, "Routing Policy System Security", RFC 2725,
"Routing Policy Specification Language (RPSL)", RFC 2622, DOI 10.17487/RFC2725, December 1999,
DOI 10.17487/RFC2622, June 1999, <https://www.rfc-editor.org/info/rfc2725>.
<https://www.rfc-editor.org/info/rfc2622>.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818,
DOI 10.17487/RFC2818, May 2000, DOI 10.17487/RFC2818, May 2000,
<https://www.rfc-editor.org/info/rfc2818>. <https://www.rfc-editor.org/info/rfc2818>.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
2003, <https://www.rfc-editor.org/info/rfc3629>. 2003, <https://www.rfc-editor.org/info/rfc3629>.
[RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
skipping to change at page 11, line 25 skipping to change at page 11, line 38
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
<https://www.rfc-editor.org/info/rfc4648>. <https://www.rfc-editor.org/info/rfc4648>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<https://www.rfc-editor.org/info/rfc5280>. <https://www.rfc-editor.org/info/rfc5280>.
[RFC5286] Atlas, A., Ed. and A. Zinin, Ed., "Basic Specification for
IP Fast Reroute: Loop-Free Alternates", RFC 5286,
DOI 10.17487/RFC5286, September 2008,
<https://www.rfc-editor.org/info/rfc5286>.
[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
RFC 5652, DOI 10.17487/RFC5652, September 2009, RFC 5652, DOI 10.17487/RFC5652, September 2009,
<https://www.rfc-editor.org/info/rfc5652>. <https://www.rfc-editor.org/info/rfc5652>.
[RFC6481] Huston, G., Loomans, R., and G. Michaelson, "A Profile for [RFC6481] Huston, G., Loomans, R., and G. Michaelson, "A Profile for
Resource Certificate Repository Structure", RFC 6481, Resource Certificate Repository Structure", RFC 6481,
DOI 10.17487/RFC6481, February 2012, DOI 10.17487/RFC6481, February 2012,
<https://www.rfc-editor.org/info/rfc6481>. <https://www.rfc-editor.org/info/rfc6481>.
[RFC6486] Austein, R., Huston, G., Kent, S., and M. Lepinski,
"Manifests for the Resource Public Key Infrastructure
(RPKI)", RFC 6486, DOI 10.17487/RFC6486, February 2012,
<https://www.rfc-editor.org/info/rfc6486>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8805] Kline, E., Duleba, K., Szamonek, Z., Moser, S., and W. [RFC8805] Kline, E., Duleba, K., Szamonek, Z., Moser, S., and W.
Kumari, "A Format for Self-Published IP Geolocation Kumari, "A Format for Self-Published IP Geolocation
Feeds", RFC 8805, DOI 10.17487/RFC8805, August 2020, Feeds", RFC 8805, DOI 10.17487/RFC8805, August 2020,
<https://www.rfc-editor.org/info/rfc8805>. <https://www.rfc-editor.org/info/rfc8805>.
[RFC8933] Housley, R., "Update to the Cryptographic Message Syntax
(CMS) for Algorithm Identifier Protection", RFC 8933,
DOI 10.17487/RFC8933, October 2020,
<https://www.rfc-editor.org/info/rfc8933>.
10.2. Informative References 10.2. Informative References
[geofeed-finder] [geofeed-finder]
Massimo Candela, "geofeed-finder", Massimo Candela, "geofeed-finder",
<https://github.com/massimocandela/geofeed-finder>. <https://github.com/massimocandela/geofeed-finder>.
[I-D.ietf-sidrops-rpki-rta] [I-D.ietf-sidrops-rpki-rta]
Michaelson, G. G., Huston, G., Harrison, T., Bruijnzeels, Michaelson, G. G., Huston, G., Harrison, T., Bruijnzeels,
T., and M. Hoffmann, "A profile for Resource Tagged T., and M. Hoffmann, "A profile for Resource Tagged
Attestations (RTAs)", draft-ietf-sidrops-rpki-rta-00 (work Attestations (RTAs)", draft-ietf-sidrops-rpki-rta-00 (work
skipping to change at page 16, line 6 skipping to change at page 16, line 6
V/dBdCFdEOwTfVl2n2XqhoJl/oEBdC4uu2G0qRk3+WVs+uwVHP0Ttsbt7TzFgZfY V/dBdCFdEOwTfVl2n2XqhoJl/oEBdC4uu2G0qRk3+WVs+uwVHP0Ttsbt7TzFgZfY
yxqvOg6QoldxZVZmHHncKmETu/BqCDGJot9may31ukrx34Bu+XFMVihm0w== yxqvOg6QoldxZVZmHHncKmETu/BqCDGJot9may31ukrx34Bu+XFMVihm0w==
-----END CERTIFICATE----- -----END CERTIFICATE-----
The end-entity certificate is issued by the CA. This certificate The end-entity certificate is issued by the CA. This certificate
grants signature authority for one IPv4 address block (192.0.2.0/24). grants signature authority for one IPv4 address block (192.0.2.0/24).
Signature authority for AS numbers is not needed for geofeed data Signature authority for AS numbers is not needed for geofeed data
signatures, so no AS numbers are included in the certificate. signatures, so no AS numbers are included in the certificate.
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIErTCCA5WgAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZuMwDQYJKoZIhvcNAQEL MIIEpTCCA42gAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZuQwDQYJKoZIhvcNAQEL
BQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExRTNFMTg0RUZDMUUyOTdC BQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExRTNFMTg0RUZDMUUyOTdC
Mzc3ODY0MjAeFw0yMDA5MDMxOTA1MTdaFw0yMTA2MzAxOTA1MTdaMDMxMTAvBgNV Mzc3ODY0MjAeFw0yMTA1MjAxNjA1NDVaFw0yMjAzMTYxNjA1NDVaMDMxMTAvBgNV
BAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM0NUFCRjA1M0ExODcwggEi BAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM0NUFCRjA1M0ExODcwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycTQrOb/qB2W3i3Ki8PhA/DEW MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycTQrOb/qB2W3i3Ki8PhA/DEW
yii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQgtPCVwr62hTQZCIowBN0BL0c yii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQgtPCVwr62hTQZCIowBN0BL0c
K0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZmr5xphXRvE+mzuJVLgu2V1upm K0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZmr5xphXRvE+mzuJVLgu2V1upm
BXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXhaFLe08y4DPfr/S/tXJOBm7QzQp BXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXhaFLe08y4DPfr/S/tXJOBm7QzQp
tmbPLYtGfprYu45liFFqqP94UeLpISfXd36AKGzqTFCcc3EW9l5UFE1MFLlnoEog tmbPLYtGfprYu45liFFqqP94UeLpISfXd36AKGzqTFCcc3EW9l5UFE1MFLlnoEog
qtoLoKABt0IkOFGKeC/EgeaBdWLe469ddC9rQft5w6g6cmxG+aYDdIEB34zrAgMB qtoLoKABt0IkOFGKeC/EgeaBdWLe469ddC9rQft5w6g6cmxG+aYDdIEB34zrAgMB
AAGjggG3MIIBszAdBgNVHQ4EFgQUkUZSo71RwUQmAZiIn1xFq/BToYcwHwYDVR0j AAGjggGvMIIBqzAdBgNVHQ4EFgQUkUZSo71RwUQmAZiIn1xFq/BToYcwHwYDVR0j
BBgwFoAUOs4s70+yG30R4+GE78Hil7N3hkIwDAYDVR0TAQH/BAIwADAOBgNVHQ8B BBgwFoAUOs4s70+yG30R4+GE78Hil7N3hkIwDAYDVR0TAQH/BAIwADAOBgNVHQ8B
Af8EBAMCB4AwGAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjBhBgNVHR8EWjBYMFag Af8EBAMCB4AwGAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjBhBgNVHR8EWjBYMFag
VKBShlByc3luYzovL3Jwa2kuZXhhbXBsZS5uZXQvcmVwb3NpdG9yeS8zQUNFMkNF VKBShlByc3luYzovL3Jwa2kuZXhhbXBsZS5uZXQvcmVwb3NpdG9yeS8zQUNFMkNF
RjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5N0IzNzc4NjQyLmNybDBsBggrBgEFBQcB RjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5N0IzNzc4NjQyLmNybDBsBggrBgEFBQcB
AQRgMF4wXAYIKwYBBQUHMAKGUHJzeW5jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBv AQRgMF4wXAYIKwYBBQUHMAKGUHJzeW5jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBv
c2l0b3J5LzNBQ0UyQ0VGNEZCMjFCN0QxMUUzRTE4NEVGQzFFMjk3QjM3Nzg2NDIu c2l0b3J5LzNBQ0UyQ0VGNEZCMjFCN0QxMUUzRTE4NEVGQzFFMjk3QjM3Nzg2NDIu
Y2VyMCEGCCsGAQUFBwEHAQH/BBIwEDAGBAIAAQUAMAYEAgACBQAwRQYIKwYBBQUH Y2VyMBkGCCsGAQUFBwEHAQH/BAowCDAGBAIAAQUAMEUGCCsGAQUFBwELBDkwNzA1
AQsEOTA3MDUGCCsGAQUFBzANhilodHRwczovL3JyZHAuZXhhbXBsZS5uZXQvbm90 BggrBgEFBQcwDYYpaHR0cHM6Ly9ycmRwLmV4YW1wbGUubmV0L25vdGlmaWNhdGlv
aWZpY2F0aW9uLnhtbDANBgkqhkiG9w0BAQsFAAOCAQEABR2T0qT2V1ZlsZjj+yHP bi54bWwwDQYJKoZIhvcNAQELBQADggEBAEjC98gVp0Mb7uiKaHylP0453mtJ+AkN
TArIVBECZFSCdP+bJTse85TqYiblMsNS9yEu2SNbaZMNLuSSiAffYooh4nIYq/Rh 07fsK/qGw/e90DJv7cp1hvjj4uy3sgf7PJQ7cKNGrgybq/lE0jce+ARgVjbi2Brz
6+xGs1n427JZUokoeLtY0UUb2fIsua9JFo8YGTnpqDMGe+xnpbJ0SCSoBlJCIj+b ZsWAnB846Snwsktw6cenaif6Aww6q00NspAepMBd2Vg/9sKFvOwJFVOgNcqiQiXP
+YS8WXjEHt2KW6wyA/BcNS8adS2pEUwC2cs/WcwzgbttnkcnG7/wkrQ3oqzpC1ar 5rGJPWBcOMv52a/7adjfXwpnOijiTOgMloQGmC2TPZpydZKjlxEATdFEQssa33xD
Kelyz7PGIIXJGy9nF8C3/aaaEpHd7UgIyvXYuCY/lqWTm97jDxgGIYGC7660mtfO nlpp+/r9xuNVYRtRcC36oWraVA3jzN6F6rDE8r8xs3ylISVz6JeCQ4YRYwbMsjjc
MkB8YF6kUU+td2dDQsMztcOxbzqiGnicmeJfBwG2li6O0vorW4d5iIOTKpQyqfh4 /tiJLM7ZYxIe5IrYz1ZtN6n/SEssJAswRIgps2EhCt/HS2xAmGCOhgU=
5Q==
-----END CERTIFICATE----- -----END CERTIFICATE-----
The end-entity certificate is displayed below in detail. For The end-entity certificate is displayed below in detail. For
brevity, the other two certificates are not. brevity, the other two certificates are not.
0 1197: SEQUENCE { 0 1189: SEQUENCE {
4 917: SEQUENCE { 4 909: SEQUENCE {
8 3: [0] { 8 3: [0] {
10 1: INTEGER 2 10 1: INTEGER 2
: } : }
13 20: INTEGER 27AD394083D7F2B5B99B8670C775B2B96EE166E3 13 20: INTEGER 27AD394083D7F2B5B99B8670C775B2B96EE166E4
35 13: SEQUENCE { 35 13: SEQUENCE {
37 9: OBJECT IDENTIFIER 37 9: OBJECT IDENTIFIER
: sha256WithRSAEncryption (1 2 840 113549 1 1 11) : sha256WithRSAEncryption (1 2 840 113549 1 1 11)
48 0: NULL 48 0: NULL
: } : }
50 51: SEQUENCE { 50 51: SEQUENCE {
52 49: SET { 52 49: SET {
54 47: SEQUENCE { 54 47: SEQUENCE {
56 3: OBJECT IDENTIFIER commonName (2 5 4 3) 56 3: OBJECT IDENTIFIER commonName (2 5 4 3)
61 40: PrintableString 61 40: PrintableString
: '3ACE2CEF4FB21B7D11E3E184EFC1E297B3778642' : '3ACE2CEF4FB21B7D11E3E184EFC1E297B3778642'
: } : }
: } : }
: } : }
103 30: SEQUENCE { 103 30: SEQUENCE {
105 13: UTCTime 03/09/2020 19:05:17 GMT 105 13: UTCTime 20/05/2021 16:05:45 GMT
120 13: UTCTime 30/06/2021 19:05:17 GMT 120 13: UTCTime 16/03/2022 16:05:45 GMT
: } : }
135 51: SEQUENCE { 135 51: SEQUENCE {
137 49: SET { 137 49: SET {
139 47: SEQUENCE { 139 47: SEQUENCE {
141 3: OBJECT IDENTIFIER commonName (2 5 4 3) 141 3: OBJECT IDENTIFIER commonName (2 5 4 3)
146 40: PrintableString 146 40: PrintableString
: '914652A3BD51C144260198889F5C45ABF053A187' : '914652A3BD51C144260198889F5C45ABF053A187'
: } : }
: } : }
: } : }
188 290: SEQUENCE { 188 290: SEQUENCE {
192 13: SEQUENCE { 192 13: SEQUENCE {
194 9: OBJECT IDENTIFIER rsaEncryption 194 9: OBJECT IDENTIFIER rsaEncryption
: (1 2 840 113549 1 1 1) : (1 2 840 113549 1 1 1)
205 0: NULL 205 0: NULL
: } : }
207 271: BIT STRING, encapsulates { 207 271: BIT STRING, encapsulates {
212 266: SEQUENCE { 212 266: SEQUENCE {
216 257: INTEGER 216 257: INTEGER
: 00 B2 71 34 2B 39 BF EA 07 65 B7 8B 72 A2 F0 F8 : 00 B2 71 34 2B 39 BF EA 07 65 B7 8B 72 A2 F0 F8
: 40 FC 31 16 CA 28 B6 4E 01 A8 F6 98 02 C0 EF 65 : 40 FC 31 16 CA 28 B6 4E 01 A8 F6 98 02 C0 EF 65
: B0 84 48 E9 96 FF 93 E6 92 89 65 8F F6 44 9C CE : B0 84 48 E9 96 FF 93 E6 92 89 65 8F F6 44 9C CE
: 57 10 82 D3 C2 57 0A FA DA 14 D0 64 22 28 C0 13 : 57 10 82 D3 C2 57 0A FA DA 14 D0 64 22 28 C0 13
: 74 04 BD 1C 2B 4F F9 93 58 A6 25 D8 B9 A9 D3 37 : 74 04 BD 1C 2B 4F F9 93 58 A6 25 D8 B9 A9 D3 37
: 9E F2 AC C0 CF 02 9E 84 75 D6 F0 7C A5 01 70 AE : 9E F2 AC C0 CF 02 9E 84 75 D6 F0 7C A5 01 70 AE
: E6 66 AF 9C 69 85 74 6F 13 E9 B3 B8 95 4B 82 ED : E6 66 AF 9C 69 85 74 6F 13 E9 B3 B8 95 4B 82 ED
: 95 D6 EA 66 05 7B 96 96 87 B2 9A E7 61 E9 65 89 : 95 D6 EA 66 05 7B 96 96 87 B2 9A E7 61 E9 65 89
: F8 60 E3 C0 F5 CE DD 18 97 05 E8 C1 AC E1 4D 5E : F8 60 E3 C0 F5 CE DD 18 97 05 E8 C1 AC E1 4D 5E
: 16 85 2D ED 3C CB 80 CF 7E BF D2 FE D5 C9 38 19 : 16 85 2D ED 3C CB 80 CF 7E BF D2 FE D5 C9 38 19
: BB 43 34 29 B6 66 CF 2D 8B 46 7E 9A D8 BB 8E 65 : BB 43 34 29 B6 66 CF 2D 8B 46 7E 9A D8 BB 8E 65
: 88 51 6A A8 FF 78 51 E2 E9 21 27 D7 77 7E 80 28 : 88 51 6A A8 FF 78 51 E2 E9 21 27 D7 77 7E 80 28
: 6C EA 4C 50 9C 73 71 16 F6 5E 54 14 4D 4C 14 B9 : 6C EA 4C 50 9C 73 71 16 F6 5E 54 14 4D 4C 14 B9
: 67 A0 4A 20 AA DA 0B A0 A0 01 B7 42 24 38 51 8A : 67 A0 4A 20 AA DA 0B A0 A0 01 B7 42 24 38 51 8A
: 78 2F C4 81 E6 81 75 62 DE E3 AF 5D 74 2F 6B 41 : 78 2F C4 81 E6 81 75 62 DE E3 AF 5D 74 2F 6B 41
: FB 79 C3 A8 3A 72 6C 46 F9 A6 03 74 81 01 DF 8C : FB 79 C3 A8 3A 72 6C 46 F9 A6 03 74 81 01 DF 8C
: EB : EB
477 3: INTEGER 65537 477 3: INTEGER 65537
: } : }
: } : }
: } : }
482 439: [3] { 482 431: [3] {
486 435: SEQUENCE { 486 427: SEQUENCE {
490 29: SEQUENCE { 490 29: SEQUENCE {
492 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14) 492 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
497 22: OCTET STRING, encapsulates { 497 22: OCTET STRING, encapsulates {
499 20: OCTET STRING 499 20: OCTET STRING
: 91 46 52 A3 BD 51 C1 44 26 01 98 88 9F 5C 45 AB : 91 46 52 A3 BD 51 C1 44 26 01 98 88 9F 5C 45 AB
: F0 53 A1 87 : F0 53 A1 87
: } : }
: } : }
521 31: SEQUENCE { 521 31: SEQUENCE {
523 3: OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35) 523 3: OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
528 24: OCTET STRING, encapsulates { 528 24: OCTET STRING, encapsulates {
530 22: SEQUENCE { 530 22: SEQUENCE {
532 20: [0] 532 20: [0]
: 3A CE 2C EF 4F B2 1B 7D 11 E3 E1 84 EF C1 E2 97 : 3A CE 2C EF 4F B2 1B 7D 11 E3 E1 84 EF C1 E2 97
: B3 77 86 42 : B3 77 86 42
: } : }
: } : }
: } : }
554 12: SEQUENCE { 554 12: SEQUENCE {
556 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19) 556 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19)
561 1: BOOLEAN TRUE 561 1: BOOLEAN TRUE
564 2: OCTET STRING, encapsulates { 564 2: OCTET STRING, encapsulates {
566 0: SEQUENCE {} 566 0: SEQUENCE {}
: } : }
: } : }
568 14: SEQUENCE { 568 14: SEQUENCE {
570 3: OBJECT IDENTIFIER keyUsage (2 5 29 15) 570 3: OBJECT IDENTIFIER keyUsage (2 5 29 15)
575 1: BOOLEAN TRUE 575 1: BOOLEAN TRUE
578 4: OCTET STRING, encapsulates { 578 4: OCTET STRING, encapsulates {
580 2: BIT STRING 7 unused bits 580 2: BIT STRING 7 unused bits
: '1'B (bit 0) : '1'B (bit 0)
: } : }
: } : }
584 24: SEQUENCE { 584 24: SEQUENCE {
586 3: OBJECT IDENTIFIER certificatePolicies (2 5 29 32) 586 3: OBJECT IDENTIFIER certificatePolicies (2 5 29 32)
591 1: BOOLEAN TRUE 591 1: BOOLEAN TRUE
594 14: OCTET STRING, encapsulates { 594 14: OCTET STRING, encapsulates {
596 12: SEQUENCE { 596 12: SEQUENCE {
598 10: SEQUENCE { 598 10: SEQUENCE {
600 8: OBJECT IDENTIFIER 600 8: OBJECT IDENTIFIER
: resourceCertificatePolicy (1 3 6 1 5 5 7 14 2) : resourceCertificatePolicy (1 3 6 1 5 5 7 14 2)
: } : }
: } : }
: } : }
: } : }
610 97: SEQUENCE { 610 97: SEQUENCE {
612 3: OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31) 612 3: OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
617 90: OCTET STRING, encapsulates { 617 90: OCTET STRING, encapsulates {
619 88: SEQUENCE { 619 88: SEQUENCE {
621 86: SEQUENCE { 621 86: SEQUENCE {
623 84: [0] { 623 84: [0] {
625 82: [0] { 625 82: [0] {
627 80: [6] 627 80: [6]
: 'rsync://rpki.example.net/repository/3ACE2CEF4F' : 'rsync://rpki.example.net/repository/3ACE2CEF4F'
: 'B21B7D11E3E184EFC1E297B3778642.crl' : 'B21B7D11E3E184EFC1E297B3778642.crl'
: } : }
: } : }
: } : }
: } : }
: } : }
: } : }
709 108: SEQUENCE { 709 108: SEQUENCE {
711 8: OBJECT IDENTIFIER authorityInfoAccess 711 8: OBJECT IDENTIFIER authorityInfoAccess
: (1 3 6 1 5 5 7 1 1) : (1 3 6 1 5 5 7 1 1)
721 96: OCTET STRING, encapsulates { 721 96: OCTET STRING, encapsulates {
723 94: SEQUENCE { 723 94: SEQUENCE {
725 92: SEQUENCE { 725 92: SEQUENCE {
727 8: OBJECT IDENTIFIER caIssuers (1 3 6 1 5 5 7 48 2) 727 8: OBJECT IDENTIFIER caIssuers (1 3 6 1 5 5 7 48 2)
737 80: [6] 737 80: [6]
: 'rsync://rpki.example.net/repository/3ACE2CEF4F' : 'rsync://rpki.example.net/repository/3ACE2CEF4F'
: 'B21B7D11E3E184EFC1E297B3778642.cer' : 'B21B7D11E3E184EFC1E297B3778642.cer'
: } : }
: } : }
: } : }
: } : }
819 33: SEQUENCE { 819 25: SEQUENCE {
821 8: OBJECT IDENTIFIER ipAddrBlocks (1 3 6 1 5 5 7 1 7) 821 8: OBJECT IDENTIFIER ipAddrBlocks (1 3 6 1 5 5 7 1 7)
831 1: BOOLEAN TRUE 831 1: BOOLEAN TRUE
834 18: OCTET STRING, encapsulates { 834 10: OCTET STRING, encapsulates {
836 16: SEQUENCE { 836 8: SEQUENCE {
838 6: SEQUENCE { 838 6: SEQUENCE {
840 2: OCTET STRING 00 01 840 2: OCTET STRING 00 01
844 0: NULL 844 0: NULL
: } : }
846 6: SEQUENCE { : }
848 2: OCTET STRING 00 02 : }
852 0: NULL : }
: } 846 69: SEQUENCE {
: } 848 8: OBJECT IDENTIFIER subjectInfoAccess
: } : (1 3 6 1 5 5 7 1 11)
: } 858 57: OCTET STRING, encapsulates {
854 69: SEQUENCE { 860 55: SEQUENCE {
856 8: OBJECT IDENTIFIER subjectInfoAccess 862 53: SEQUENCE {
: (1 3 6 1 5 5 7 1 11) 864 8: OBJECT IDENTIFIER '1 3 6 1 5 5 7 48 13'
866 57: OCTET STRING, encapsulates { 874 41: [6]
868 55: SEQUENCE { : 'https://rrdp.example.net/notification.xml'
870 53: SEQUENCE { : }
872 8: OBJECT IDENTIFIER '1 3 6 1 5 5 7 48 13' : }
882 41: [6] : }
: 'https://rrdp.example.net/notification.xml' : }
: } : }
: } : }
: } : }
: } 917 13: SEQUENCE {
: } 919 9: OBJECT IDENTIFIER sha256WithRSAEncryption
: } : (1 2 840 113549 1 1 11)
: } 930 0: NULL
925 13: SEQUENCE { : }
927 9: OBJECT IDENTIFIER sha256WithRSAEncryption 932 257: BIT STRING
: (1 2 840 113549 1 1 11) : 48 C2 F7 C8 15 A7 43 1B EE E8 8A 68 7C A5 3F 4E
938 0: NULL : 39 DE 6B 49 F8 09 0D D3 B7 EC 2B FA 86 C3 F7 BD
: } : D0 32 6F ED CA 75 86 F8 E3 E2 EC B7 B2 07 FB 3C
940 257: BIT STRING : 94 3B 70 A3 46 AE 0C 9B AB F9 44 D2 37 1E F8 04
: 05 1D 93 D2 A4 F6 57 56 65 B1 98 E3 FB 21 CF 4C : 60 56 36 E2 D8 1A F3 66 C5 80 9C 1F 38 E9 29 F0
: 0A C8 54 11 02 64 54 82 74 FF 9B 25 3B 1E F3 94 : B2 4B 70 E9 C7 A7 6A 27 FA 03 0C 3A AB 4D 0D B2
: EA 62 26 E5 32 C3 52 F7 21 2E D9 23 5B 69 93 0D : 90 1E A4 C0 5D D9 58 3F F6 C2 85 BC EC 09 15 53
: 2E E4 92 88 07 DF 62 8A 21 E2 72 18 AB F4 61 EB : A0 35 CA A2 42 25 CF E6 B1 89 3D 60 5C 38 CB F9
: EC 46 B3 59 F8 DB B2 59 52 89 28 78 BB 58 D1 45 : D9 AF FB 69 D8 DF 5F 0A 67 3A 28 E2 4C E8 0C 96
: 1B D9 F2 2C B9 AF 49 16 8F 18 19 39 E9 A8 33 06 : 84 06 98 2D 93 3D 9A 72 75 92 A3 97 11 00 4D D1
: 7B EC 67 A5 B2 74 48 24 A8 06 52 42 22 3F 9B F9 : 44 42 CB 1A DF 7C 43 9E 5A 69 FB FA FD C6 E3 55
: 84 BC 59 78 C4 1E DD 8A 5B AC 32 03 F0 5C 35 2F : 61 1B 51 70 2D FA A1 6A DA 54 0D E3 CC DE 85 EA
: 1A 75 2D A9 11 4C 02 D9 CB 3F 59 CC 33 81 BB 6D : B0 C4 F2 BF 31 B3 7C A5 21 25 73 E8 97 82 43 86
: 9E 47 27 1B BF F0 92 B4 37 A2 AC E9 0B 56 AB 29 : 11 63 06 CC B2 38 DC FE D8 89 2C CE D9 63 12 1E
: E9 72 CF B3 C6 20 85 C9 1B 2F 67 17 C0 B7 FD A6 : E4 8A D8 CF 56 6D 37 A9 FF 48 4B 2C 24 0B 30 44
: 9A 12 91 DD ED 48 08 CA F5 D8 B8 26 3F 96 A5 93 : 88 29 B3 61 21 0A DF C7 4B 6C 40 98 60 8E 86 05
: 9B DE E3 0F 18 06 21 81 82 EF AE B4 9A D7 CE 32 : }
: 40 7C 60 5E A4 51 4F AD 77 67 43 42 C3 33 B5 C3
: B1 6F 3A A2 1A 78 9C 99 E2 5F 07 01 B6 96 2E 8E
: D2 FA 2B 5B 87 79 88 83 93 2A 94 32 A9 F8 78 E5
: }
To allow reproduction of the signature results, the end-entity To allow reproduction of the signature results, the end-entity
private key is provided. For brevity, the other two private keys are private key is provided. For brevity, the other two private keys are
not. not.
-----BEGIN RSA PRIVATE KEY----- -----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAsnE0Kzm/6gdlt4tyovD4QPwxFsootk4BqPaYAsDvZbCESOmW MIIEpQIBAAKCAQEAsnE0Kzm/6gdlt4tyovD4QPwxFsootk4BqPaYAsDvZbCESOmW
/5Pmkollj/ZEnM5XEILTwlcK+toU0GQiKMATdAS9HCtP+ZNYpiXYuanTN57yrMDP /5Pmkollj/ZEnM5XEILTwlcK+toU0GQiKMATdAS9HCtP+ZNYpiXYuanTN57yrMDP
Ap6EddbwfKUBcK7mZq+caYV0bxPps7iVS4LtldbqZgV7lpaHsprnYellifhg48D1 Ap6EddbwfKUBcK7mZq+caYV0bxPps7iVS4LtldbqZgV7lpaHsprnYellifhg48D1
zt0YlwXowazhTV4WhS3tPMuAz36/0v7VyTgZu0M0KbZmzy2LRn6a2LuOZYhRaqj/ zt0YlwXowazhTV4WhS3tPMuAz36/0v7VyTgZu0M0KbZmzy2LRn6a2LuOZYhRaqj/
eFHi6SEn13d+gChs6kxQnHNxFvZeVBRNTBS5Z6BKIKraC6CgAbdCJDhRingvxIHm eFHi6SEn13d+gChs6kxQnHNxFvZeVBRNTBS5Z6BKIKraC6CgAbdCJDhRingvxIHm
gXVi3uOvXXQva0H7ecOoOnJsRvmmA3SBAd+M6wIDAQABAoIBAQCyB0FeMuKm8bRo gXVi3uOvXXQva0H7ecOoOnJsRvmmA3SBAd+M6wIDAQABAoIBAQCyB0FeMuKm8bRo
18aKjFGSPEoZi53srIz5bvUgIi92TBLez7ZnzL6Iym26oJ+5th+lCHGO/dqlhXio 18aKjFGSPEoZi53srIz5bvUgIi92TBLez7ZnzL6Iym26oJ+5th+lCHGO/dqlhXio
pI50C5Yc9TFbblb/ECOsuCuuqKFjZ8CD3GVsHozXKJeMM+/o5YZXQrORj6UnwT0z pI50C5Yc9TFbblb/ECOsuCuuqKFjZ8CD3GVsHozXKJeMM+/o5YZXQrORj6UnwT0z
ol/JE5pIGUCIgsXX6tz9s5BP3lUAvVQHsv6+vEVKLxQ3wj/1vIL8O/CN036EV0GJ ol/JE5pIGUCIgsXX6tz9s5BP3lUAvVQHsv6+vEVKLxQ3wj/1vIL8O/CN036EV0GJ
mpkwmygPjfECT9wbWo0yn3jxJb36+M/QjjUP28oNIVn/IKoPZRXnqchEbuuCJ651 mpkwmygPjfECT9wbWo0yn3jxJb36+M/QjjUP28oNIVn/IKoPZRXnqchEbuuCJ651
IsaFSqtiThm4WZtvCH/IDq+6/dcMucmTjIRcYwW7fdHfjplllVPve9c/OmpWEQvF IsaFSqtiThm4WZtvCH/IDq+6/dcMucmTjIRcYwW7fdHfjplllVPve9c/OmpWEQvF
t3ArWUt5AoGBANs4764yHxo4mctLIE7G7l/tf9bP4KKUiYw4R4ByEocuqMC4yhmt t3ArWUt5AoGBANs4764yHxo4mctLIE7G7l/tf9bP4KKUiYw4R4ByEocuqMC4yhmt
MPCfOFLOQet71OWCkjP2L/7EKUe9yx7G5KmxAHY6jOjvcRkvGsl6lWFOsQ8p126M MPCfOFLOQet71OWCkjP2L/7EKUe9yx7G5KmxAHY6jOjvcRkvGsl6lWFOsQ8p126M
Y9hmGzMOjtsdhAiMmOWKzjvm4WqfMgghQe+PnjjSVkgTt+7BxpIuGBAvAoGBANBg Y9hmGzMOjtsdhAiMmOWKzjvm4WqfMgghQe+PnjjSVkgTt+7BxpIuGBAvAoGBANBg
26FF5cDLpixOd3Za1YXsOgguwCaw3Plvi7vUZRpa/zBMELEtyOebfakkIRWNm07l 26FF5cDLpixOd3Za1YXsOgguwCaw3Plvi7vUZRpa/zBMELEtyOebfakkIRWNm07l
nE+lAZwxm+29PTD0nqCFE91teyzjnQaLO5kkAdJiFuVV3icLOGo399FrnJbKensm nE+lAZwxm+29PTD0nqCFE91teyzjnQaLO5kkAdJiFuVV3icLOGo399FrnJbKensm
FGSli+3KxQhCNIJJfgWzq4bE0ioAMjdGbYXzIYQFAoGBAM6tuDJ36KDU+hIS6wu6 FGSli+3KxQhCNIJJfgWzq4bE0ioAMjdGbYXzIYQFAoGBAM6tuDJ36KDU+hIS6wu6
O2TPSfZhF/zPo3pCWQ78/QDb+Zdw4IEiqoBA7F4NPVLg9Y/H8UTx9r/veqe7hPOo O2TPSfZhF/zPo3pCWQ78/QDb+Zdw4IEiqoBA7F4NPVLg9Y/H8UTx9r/veqe7hPOo
Ok7NpIzSmKTHkc5XfZ60Zn9OLFoKbaQ40a1kXoJdWEu2YROaUlAe9F6/Rog6PHYz Ok7NpIzSmKTHkc5XfZ60Zn9OLFoKbaQ40a1kXoJdWEu2YROaUlAe9F6/Rog6PHYz
vLE5qscRbu0XQhLkN+z7bg5bAoGBAKDsbDEb/dbqbyaAYpmwhH2sdRSkphg7Niwc vLE5qscRbu0XQhLkN+z7bg5bAoGBAKDsbDEb/dbqbyaAYpmwhH2sdRSkphg7Niwc
DNm9qWa1J6Zw1+M87I6Q8naRREuU1IAVqqWHVLr/ROBQ6NTJ1Uc5/qFeT2XXUgkf DNm9qWa1J6Zw1+M87I6Q8naRREuU1IAVqqWHVLr/ROBQ6NTJ1Uc5/qFeT2XXUgkf
taMKv61tuyjZK3sTmznMh0HfzUpWjEhWnCEuB+ZYVdmO52ZGw2A75RdrILL2+9Dc taMKv61tuyjZK3sTmznMh0HfzUpWjEhWnCEuB+ZYVdmO52ZGw2A75RdrILL2+9Dc
PvDXVubRAoGAdqXeSWoLxuzZXzl8rsaKrQsTYaXnOWaZieU1SL5vVe8nK257UDqZ PvDXVubRAoGAdqXeSWoLxuzZXzl8rsaKrQsTYaXnOWaZieU1SL5vVe8nK257UDqZ
E3ng2j5XPTUWli+aNGFEJGRoNtcQvO60O/sFZUhu52sqq9mWVYZNh1TB5aP8X+pV E3ng2j5XPTUWli+aNGFEJGRoNtcQvO60O/sFZUhu52sqq9mWVYZNh1TB5aP8X+pV
iFcZOLUvQEcN6PA+YQK5FU11rAI1M0Gm5RDnVnUl0L2xfCYxb7FzV6Y= iFcZOLUvQEcN6PA+YQK5FU11rAI1M0Gm5RDnVnUl0L2xfCYxb7FzV6Y=
-----END RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----
Signing of "192.0.2.0/24,US,WA,Seattle," (terminated by CR and LF), Signing of "192.0.2.0/24,US,WA,Seattle," (terminated by CR and LF),
yields the following detached CMS signature. yields the following detached CMS signature.
# RPKI Signature: 192.0.2.0/24 # RPKI Signature: 192.0.2.0/24
# MIIGlwYJKoZIhvcNAQcCoIIGiDCCBoQCAQMxDTALBglghkgBZQMEAgEwDQYLKoZ # MIIGjwYJKoZIhvcNAQcCoIIGgDCCBnwCAQMxDTALBglghkgBZQMEAgEwDQYLKoZ
# IhvcNAQkQAS+gggSxMIIErTCCA5WgAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZu # IhvcNAQkQAS+gggSpMIIEpTCCA42gAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZu
# MwDQYJKoZIhvcNAQELBQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExR # QwDQYJKoZIhvcNAQELBQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExR
# TNFMTg0RUZDMUUyOTdCMzc3ODY0MjAeFw0yMDA5MDMxOTA1MTdaFw0yMTA2MzAx # TNFMTg0RUZDMUUyOTdCMzc3ODY0MjAeFw0yMTA1MjAxNjA1NDVaFw0yMjAzMTYx
# OTA1MTdaMDMxMTAvBgNVBAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM # NjA1NDVaMDMxMTAvBgNVBAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM
# 0NUFCRjA1M0ExODcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycT # 0NUFCRjA1M0ExODcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycT
# QrOb/qB2W3i3Ki8PhA/DEWyii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQg # QrOb/qB2W3i3Ki8PhA/DEWyii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQg
# tPCVwr62hTQZCIowBN0BL0cK0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZm # tPCVwr62hTQZCIowBN0BL0cK0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZm
# r5xphXRvE+mzuJVLgu2V1upmBXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXha # r5xphXRvE+mzuJVLgu2V1upmBXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXha
# FLe08y4DPfr/S/tXJOBm7QzQptmbPLYtGfprYu45liFFqqP94UeLpISfXd36AKG # FLe08y4DPfr/S/tXJOBm7QzQptmbPLYtGfprYu45liFFqqP94UeLpISfXd36AKG
# zqTFCcc3EW9l5UFE1MFLlnoEogqtoLoKABt0IkOFGKeC/EgeaBdWLe469ddC9rQ # zqTFCcc3EW9l5UFE1MFLlnoEogqtoLoKABt0IkOFGKeC/EgeaBdWLe469ddC9rQ
# ft5w6g6cmxG+aYDdIEB34zrAgMBAAGjggG3MIIBszAdBgNVHQ4EFgQUkUZSo71R # ft5w6g6cmxG+aYDdIEB34zrAgMBAAGjggGvMIIBqzAdBgNVHQ4EFgQUkUZSo71R
# wUQmAZiIn1xFq/BToYcwHwYDVR0jBBgwFoAUOs4s70+yG30R4+GE78Hil7N3hkI # wUQmAZiIn1xFq/BToYcwHwYDVR0jBBgwFoAUOs4s70+yG30R4+GE78Hil7N3hkI
# wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwGAYDVR0gAQH/BA4wDDAKBg # wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwGAYDVR0gAQH/BA4wDDAKBg
# grBgEFBQcOAjBhBgNVHR8EWjBYMFagVKBShlByc3luYzovL3Jwa2kuZXhhbXBsZ # grBgEFBQcOAjBhBgNVHR8EWjBYMFagVKBShlByc3luYzovL3Jwa2kuZXhhbXBsZ
# S5uZXQvcmVwb3NpdG9yeS8zQUNFMkNFRjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5 # S5uZXQvcmVwb3NpdG9yeS8zQUNFMkNFRjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5
# N0IzNzc4NjQyLmNybDBsBggrBgEFBQcBAQRgMF4wXAYIKwYBBQUHMAKGUHJzeW5 # N0IzNzc4NjQyLmNybDBsBggrBgEFBQcBAQRgMF4wXAYIKwYBBQUHMAKGUHJzeW5
# jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5LzNBQ0UyQ0VGNEZCMjFCN0 # jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5LzNBQ0UyQ0VGNEZCMjFCN0
# QxMUUzRTE4NEVGQzFFMjk3QjM3Nzg2NDIuY2VyMCEGCCsGAQUFBwEHAQH/BBIwE # QxMUUzRTE4NEVGQzFFMjk3QjM3Nzg2NDIuY2VyMBkGCCsGAQUFBwEHAQH/BAowC
# DAGBAIAAQUAMAYEAgACBQAwRQYIKwYBBQUHAQsEOTA3MDUGCCsGAQUFBzANhilo # DAGBAIAAQUAMEUGCCsGAQUFBwELBDkwNzA1BggrBgEFBQcwDYYpaHR0cHM6Ly9y
# dHRwczovL3JyZHAuZXhhbXBsZS5uZXQvbm90aWZpY2F0aW9uLnhtbDANBgkqhki # cmRwLmV4YW1wbGUubmV0L25vdGlmaWNhdGlvbi54bWwwDQYJKoZIhvcNAQELBQA
# G9w0BAQsFAAOCAQEABR2T0qT2V1ZlsZjj+yHPTArIVBECZFSCdP+bJTse85TqYi # DggEBAEjC98gVp0Mb7uiKaHylP0453mtJ+AkN07fsK/qGw/e90DJv7cp1hvjj4u
# blMsNS9yEu2SNbaZMNLuSSiAffYooh4nIYq/Rh6+xGs1n427JZUokoeLtY0UUb2 # y3sgf7PJQ7cKNGrgybq/lE0jce+ARgVjbi2BrzZsWAnB846Snwsktw6cenaif6A
# fIsua9JFo8YGTnpqDMGe+xnpbJ0SCSoBlJCIj+b+YS8WXjEHt2KW6wyA/BcNS8a # ww6q00NspAepMBd2Vg/9sKFvOwJFVOgNcqiQiXP5rGJPWBcOMv52a/7adjfXwpn
# dS2pEUwC2cs/WcwzgbttnkcnG7/wkrQ3oqzpC1arKelyz7PGIIXJGy9nF8C3/aa # OijiTOgMloQGmC2TPZpydZKjlxEATdFEQssa33xDnlpp+/r9xuNVYRtRcC36oWr
# aEpHd7UgIyvXYuCY/lqWTm97jDxgGIYGC7660mtfOMkB8YF6kUU+td2dDQsMztc # aVA3jzN6F6rDE8r8xs3ylISVz6JeCQ4YRYwbMsjjc/tiJLM7ZYxIe5IrYz1ZtN6
# OxbzqiGnicmeJfBwG2li6O0vorW4d5iIOTKpQyqfh45TGCAaowggGmAgEDgBSRR # n/SEssJAswRIgps2EhCt/HS2xAmGCOhgUxggGqMIIBpgIBA4AUkUZSo71RwUQmA
# lKjvVHBRCYBmIifXEWr8FOhhzALBglghkgBZQMEAgGgazAaBgkqhkiG9w0BCQMx # ZiIn1xFq/BToYcwCwYJYIZIAWUDBAIBoGswGgYJKoZIhvcNAQkDMQ0GCyqGSIb3
# DQYLKoZIhvcNAQkQAS8wHAYJKoZIhvcNAQkFMQ8XDTIwMDkxMzE4NDUxMFowLwY # DQEJEAEvMBwGCSqGSIb3DQEJBTEPFw0yMTA1MjAxNjI4MzlaMC8GCSqGSIb3DQE
# JKoZIhvcNAQkEMSIEICvi8p5S8ckg2wTRhDBQzGijjyqs5T6I+4VtBHypfcEWMA # JBDEiBCAr4vKeUvHJINsE0YQwUMxoo48qrOU+iPuFbQR8qX3BFjANBgkqhkiG9w
# 0GCSqGSIb3DQEBAQUABIIBAHUrA4PaJG42BD3hpF8U0usnV3Dg5NQh97SfyKTk7 # 0BAQEFAASCAQB85HsCBrU3EcVOcf4nC6Z3jrOjT+fVlyTDAObF6GTNWgrxe7jSA
# YHhhwu/936gkmAew8ODRTCddMvMObWkjj7/XeR+WKffaTF1EAdZ1L6REV+GlV91 # Inyf51UzuIGqhVY3sQiiXbdWcVYtPb4118KvyeXh8A/HLp4eeAJntl9D3igt38M
# cYnFkT9ldn4wHQnNNncfAehk5PClYUUQ0gqjdJT1hdaolT83b3ttekyYIiwPmHE # o84q5pf9pTQXx3hbsm51ilpOip/TKVMqzE42s6OPox3M0+6eKH3/vBKnw1s1ayM
# xRaNkSvKenlNqcriaaf3rbQy9dc2d1KxrL2429n134ICqjKeRnHkXXrCWDmyv/3 # 0MUnPDTBfZL3JJEGPWfIZHEcrypevbqR7Jjsz5vp0qyF2D9v+w+nyhZOPmuePm7
# imwYkXpiMxw44EZqDjl36MiWsRDLdgoijBBcGbibwyAfGeR46k5raZCGvxG+4xa # YqLyOw/E99PVBs9uI+hmBiCz/BK2Z3VRjrrlrUU+49eldSTkZ2sJyhCbbV2Ufgi
# O8PDTxTfIYwAnBjRBKAqAZ7yX5xHfm58jUXsZJ7Ileq1S7G6Kk= # S2FOquAgJzjilyN3BDQLV8Rp9cGh0PpVslKH2na
# End Signature: 192.0.2.0/24 # End Signature: 192.0.2.0/24
Authors' Addresses Authors' Addresses
Randy Bush Randy Bush
IIJ & Arrcus IIJ & Arrcus
5147 Crystal Springs 5147 Crystal Springs
Bainbridge Island, Washington 98110 Bainbridge Island, Washington 98110
United States of America United States of America
Email: randy@psg.com Email: randy@psg.com
 End of changes. 35 change blocks. 
337 lines changed or deleted 351 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/