idnits 2.17.1 draft-ietf-sidr-publication-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (March 12, 2012) is 4418 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group S. Weiler 3 Internet-Draft A. Sonalker 4 Intended status: Standards Track SPARTA, Inc. 5 Expires: September 13, 2012 R. Austein 6 Dragon Research Labs 7 March 12, 2012 9 A Publication Protocol for the Resource Public Key Infrastructure (RPKI) 10 draft-ietf-sidr-publication-02 12 Abstract 14 This document defines a protocol for publishing Resource Public Key 15 Infrastructure (RPKI) objects. Even though the RPKI will have many 16 participants issuing certificates and creating other objects, it is 17 operationally useful to consolidate the publication of those objects. 18 This document provides the protocol for doing so. 20 Status of this Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at http://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on September 13, 2012. 37 Copyright Notice 39 Copyright (c) 2012 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (http://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with respect 47 to this document. Code Components extracted from this document must 48 include Simplified BSD License text as described in Section 4.e of 49 the Trust Legal Provisions and are provided without warranty as 50 described in the Simplified BSD License. 52 Table of Contents 54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 55 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 56 2. Context . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 57 3. Protocol Specification . . . . . . . . . . . . . . . . . . . . 4 58 3.1. Common Details . . . . . . . . . . . . . . . . . . . . . . 4 59 3.1.1. Common XML Message Format . . . . . . . . . . . . . . 4 60 3.2. Control Sub-Protocol . . . . . . . . . . . . . . . . . . . 5 61 3.2.1. Config Object . . . . . . . . . . . . . . . . . . . . 5 62 3.2.2. Client Object . . . . . . . . . . . . . . . . . . . . 5 63 3.3. Publication Sub-Protocol . . . . . . . . . . . . . . . . . 6 64 3.4. Error handling . . . . . . . . . . . . . . . . . . . . . . 7 65 3.5. XML Schema . . . . . . . . . . . . . . . . . . . . . . . . 7 66 4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 67 4.1. Config Set Query and Response . . . . . . . . . . . . . . 9 68 4.2. Config Get Query and Response . . . . . . . . . . . . . . 10 69 4.3. Example 3: Client Create Query and Reply . . . . . . . . . 11 70 4.4. Example 4: Client Set Query and Reply . . . . . . . . . . 12 71 4.5. Example 5: Client Get Query and Reply . . . . . . . . . . 13 72 4.6. Example 6: Client List Query and Reply . . . . . . . . . . 13 73 4.7. Example 7: Client Destroy Query and Reply . . . . . . . . 14 74 4.8. Example 8: Publish Query and Reply . . . . . . . . . . . . 14 75 4.9. Example 9: Withdraw Query and Reply . . . . . . . . . . . 15 76 4.10. Example 10: Report Error Reply . . . . . . . . . . . . . . 16 77 5. Operational Considerations . . . . . . . . . . . . . . . . . . 16 78 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 79 7. Security Considerations . . . . . . . . . . . . . . . . . . . 18 80 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19 81 8.1. Normative References . . . . . . . . . . . . . . . . . . . 19 82 8.2. Informative References . . . . . . . . . . . . . . . . . . 19 83 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 19 85 1. Introduction 87 This document assumes a working knowledge of the Resource Public Key 88 Infrastructure (RPKI), which is intended to support improved routing 89 security on the Internet. [RFC6480] 91 In order to make participation in the RPKI easier, it is helpful to 92 have a few consolidated repositories for RPKI objects, thus saving 93 every participant from the cost of maintaining a new service. 94 Similarly, relying parties using the RPKI objects will find it faster 95 and more reliable to retrieve the necessary set from a smaller number 96 of repositories. 98 These consolidated RPKI object repositories will in many cases be 99 outside the administrative scope of the organization issuing a given 100 RPKI object. Hence the need for a protocol to publish RPKI objects. 102 This document defines the RPKI publication protocol, including a sub- 103 protocol for configuring the publication engine. 105 1.1. Terminology 107 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 108 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 109 document are to be interpreted as described in [RFC2119]. 111 "Publication engine" and "publication server" are used 112 interchangeably to refer to the server providing the service 113 described in this document. 115 "Business Public Key Infrastructure" ("Business PKI" or "BPKI") 116 refers to a PKI, separate from the RPKI, used to authenticate clients 117 to the publication engine. 119 2. Context 121 This protocol was designed specifically for the case where an 122 internet registry, already issuing RPKI certificates to its children, 123 also wishes to run a publication service for its children. 125 We use the term "Business PKI" here because an internet registry 126 might already have a PKI, separate from the RPKI, for authenticating 127 its clients and might wish to reuse that PKI for this protocol. Such 128 reuse is not a requirement. 130 3. Protocol Specification 132 In summary, the publication protocol uses XML messages wrapped in 133 CMS, carried over HTTP transport. 135 The publication procotol consists of two separate subprotocols. The 136 first is a control protocol used to configure a publication engine. 137 The second subprotocol, which we refer to by the overloaded term 138 "publication protocol", is used to request publication of specific 139 objects. The publication engine operates a single HTTP server on a 140 single port. It distinguishes between the two protocols by using 141 different URLs for them. 143 3.1. Common Details 145 This section discusses details that the two subprotocols have in 146 common, including the transport and CMS wrappers. 148 Both protocols use a simple request/response interaction. The client 149 passes a request to the server, and the server generates a 150 corresponding response. 152 A message exchange commences with the client initiating an HTTP POST 153 with content type of "application/rpki-publication", with the message 154 object as the body. The server's response will similarly be the body 155 of the response with a content type of "application/ 156 rpki-publication". 158 The content of the POST and the server's response will be a well- 159 formed Cryptographic Message Syntax (CMS) [RFC5652] object with OID = 160 1.2.840.113549.1.7.2 as described in Section 3.1 of [RFC6492]. 162 3.1.1. Common XML Message Format 164 The XML schema for this protocol (including both subprotocols) is 165 below in Section 3.5. Both subprotocols use the same basic XML 166 message format, which looks like: 168 169 172 [one or more PDUs] 173 175 version: 176 The value of this attribute is the version of this protocol. 177 This document describes version 2. 179 type: 180 The possible values of this attribute are "reply" and "query". 182 A query PDU may be one of four types: config_query, client_query, 183 publish_query, or withdraw_query. The first two are used by the 184 control sub-protocol, the latter two by the publication sub-protocol. 186 A reply PDU may be one of five types: config_reply, client_reply, 187 publish_reply, withdraw_reply, or report_error_reply. 189 Each of these PDUs may include an optional tag to facilitate bulk 190 operation. If a tag is set in a query PDU, the corresponding 191 reply(s) MUST have the tag attribute set to the same value. 193 3.2. Control Sub-Protocol 195 The control sub-protocol is used to configure a publication server. 196 It can set global variables (at the moment, limited to a BPKI CRL) 197 and manage clients who are allowed to publish data on the server. 199 3.2.1. Config Object 201 The object allows configuration of data that apply to the 202 entire publication server rather than a particular client. There is 203 exactly one object in the publication server, and it only 204 supports the "set" and "get" actions -- it cannot be created or 205 destroyed. Its use is typically restricted to the repository 206 operator. 208 The object only has one data element that can be set: the 209 bpki_crl. This is used by the publication server when authenticating 210 clients. 212 3.2.2. Client Object 214 Unlike the object, the object represents one 215 client authorized to use the publication server. There may be more 216 than one object on each publication server. Again, its use 217 is typically restricted to the respository operator. 219 The object supports five actions: "create", "set", "get", 220 "list", and "destroy". Each client has a "client_handle" attribute, 221 which is used in responses and must be specified in "create", "set", 222 "get", or "destroy" actions. 224 Payload data which can be configured in a object include: 226 o base_uri (attribute): This attribute represents the base URI below 227 which the client will be allowed to publish data. Additional 228 constraints may be imposed by the publication server in certain 229 cases, for e.g., a child publishing directly under its parent. 231 o bpki_cert (element): This represents the X.509 BPKI CA certificate 232 for this client. This should be used as part of the certificate 233 chain when validating incoming CMS messages. Two valid approaches 234 exist. If the optional bpki_glue certificate is being used, then 235 the bpki_cert certificate should be issued by the bpki_glue 236 certificate; otherwise, the bpki_cert certificate should be issued 237 by the publication engine's bpki_ta certificate. 239 o bpki_glue (element): This is an additional (optional) type of 240 X.509 certificate for this client. It may be used in certain 241 pathological cross-certification cases which require a two- 242 certificate chain due to issuer name conflicts. When being used, 243 issuing order is that the bpki_glue certificate should be the 244 issuer of the bpki_cert certificate. Otherwise, it should be 245 issued by the publication engine's bpki_ta certificate. Since 246 this is an optional use certificate, it may be left unset if not 247 needed. 249 3.3. Publication Sub-Protocol 251 The publication sub-protocol requests publication or withdrawal from 252 publication of RPKI objects. 254 The publication protocol uses a common message format to request 255 publication of any RPKI object. This format was chosen specifically 256 to allow this protocol to accommodate new types of RPKI objects 257 without needing changes to this protocol. 259 Both the and objects have a payload of an 260 optional tag and a URI. The query also contains the DER 261 object to be published, encoded in Base64. 263 Note that every publish and withdraw action requires a new manifest, 264 thus every publish or withdraw action will involve at least two 265 objects. 267 3.4. Error handling 269 Errors are handled similarly in both subprotocols, and they're 270 handled at two levels. 272 Since all messages in this protocol are conveyed over HTTP 273 connections, basic errors are indicated via the HTTP response code. 274 4xx and 5xx responses indicate that something bad happened. Errors 275 that make it impossible to decode a query or encode a response are 276 handled in this way. 278 Where possible, errors will result in an XML message 279 which takes the place of the expected protocol response message. 280 messages are CMS-signed XML messages like the rest of 281 this protocol, and thus can be archived to provide an audit trail. 283 messages only appear in replies, never in queries. 284 The message can appear in both the control and 285 publication subprotocols. 287 Like all other messages in this protocol, the message 288 includes a "tag" attribute to assist in matching the error with a 289 particular query when using batching. It is optional to set the tag 290 on queries but, if set on the query, it MUST be set on the reply or 291 error. 293 The error itself is conveyed in the error_code (attribute). The 294 value of this attribute is a token indicating the specific error that 295 occurred. 297 The body of the element itself is an optional text 298 string; if present, this is debugging information. 300 3.5. XML Schema 302 The following is a RelaxNG compact form schema describing the 303 Publication Protocol. 305 default namespace = "http://www.hactrn.net/uris/rpki/publication-spec/" 307 # Top level PDU 308 start = element msg { 309 attribute version { "2" } , 310 ( ( attribute type { "query" }, query_elt*) | 311 (attribute type { "reply" }, reply_elt*)) 312 } 314 # PDUs allowed in a query 315 query_elt = ( config_query | client_query | publish_query | 316 withdraw_query ) 318 # PDUs allowed in a reply 319 reply_elt = ( config_reply | client_reply | publish_reply | 320 withdraw_reply | report_error_reply ) 322 # Tag attributes for bulk operations 323 tag = attribute tag { xsd:token {maxLength="1024" } } 325 # Base64 encoded DER stuff 326 base64 = xsd:base64Binary 328 # Publication URLs 329 uri_t = xsd:anyURI { maxLength="4096" } 330 uri = attribute uri { uri_t } 332 # Handles on remote objects (replaces passing raw SQL IDs). NB: 333 # Unlike the up-down protocol, handles in this protocol allow 334 # "/" as a hierarchy delimiter. 335 object_handle = xsd:string { 336 maxLength="255" pattern="[\-_A-Za-z0-9/]*" } 338 # element (use restricted to repository operator) 339 # config_handle attribute: create, list, and destroy commands 340 # omitted deliberately. 341 config_payload = (element bpki_crl { base64 }?) 342 config_query |= element config { attribute action { "set" }, tag?, 343 config_payload } 344 config_reply |= element config { attribute action { "set" }, tag? } 345 config_query |= element config { attribute action { "get" }, tag? } 346 config_reply |= element config { attribute action { "get" }, tag?, 347 config_payload } 349 # element (use restricted to repository operator) 350 client_handle = attribute client_handle { object_handle } 351 client_payload = (attribute base_uri { uri_t }?, element bpki_cert { 352 base64 }?, element bpki_glue { base64 }?) 353 client_query |= element client { attribute action { "create" }, 354 tag?, client_handle, client_payload } 355 client_reply |= element client { attribute action { "create" }, 356 tag?, client_handle } 357 client_query |= element client { attribute action { "set" }, tag?, 358 client_handle, client_payload } 360 client_reply |= element client { attribute action { "set" }, tag?, 361 client_handle } 362 client_query |= element client { attribute action { "get" }, tag?, 363 client_handle } 364 client_reply |= element client { attribute action { "get" }, tag?, 365 client_handle, client_payload } 366 client_query |= element client { attribute action { "list" }, tag? } 367 client_reply |= element client { attribute action { "list" }, tag?, 368 client_handle, client_payload } 369 client_query |= element client { attribute action { "destroy" }, 370 tag?, client_handle } 371 client_reply |= element client { attribute action { "destroy" }, 372 tag?, client_handle } 374 # element 375 publish_query |= element publish { tag?, uri, base64 } 376 publish_reply |= element publish { tag?, uri } 378 # element 379 withdraw_query |= element withdraw { tag?, uri } 380 withdraw_reply |= element withdraw { tag?, uri } 382 # element 383 error = xsd:token { maxLength="1024" } 384 report_error_reply = element report_error { 385 tag?, 386 attribute error_code { error }, 387 xsd:string { maxLength="512000" }? 388 } 390 4. Examples 392 Following are various queries and the corresponding replies for the 393 RPKI publication protocol 395 4.1. Config Set Query and Response 397 A. Config "Set" Query 398 400 401 402 MIIBezBlAgEBMA0GCSqGSIb3DQEBCwUAMCMxITAfBgNVBAMTGFRlc3QgQ2Vyd 403 GlmaWNhdGUgcHViZCBUQRcNMDgwNjAyMjE0OTQ1WhcNMDgwNzAyMjE0OTQ1Wq 404 AOMAwwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggEBAFWCWgBl4ljVqX/ 405 CHo+RpqYtvmKMnjPVflMXUB7i28RGP4DAq4l7deDU7Q82xEJyE4TXMWDWAV6U 406 G6uUGum0VHWOcj9ohqyiZUGfOsKg2hbwkETm8sAENOsi1yNdyKGk6jZ16aF5f 407 ubxQqZa1pdGCSac1/ZYC5sLLhEz3kmz+B9z9mXFVc5TgAh4dN3Gy5ftF8zZAF 408 pDGnS4biCnRVqhGv6R0Lh/5xmii+ZU6kNDhbeMsjJg+ZOmtN+wMeHSIbjiy0W 409 uuaZ3k2xSh0C94anrHBZAvvCRhbazjR0Ef5OMZ5lcllw3uO8IHuoisHKkehy4 410 Y0GySdj98fV+OuiRTH9vt/M= 411 412 413 415 B. Config "Set" Reply 417 419 420 422 4.2. Config Get Query and Response 424 A. Config "Get" Query 426 428 429 431 B. Config "Get" Reply 432 434 435 436 MIIBezBlAgEBMA0GCSqGSIb3DQEBCwUAMCMxITAfBgNVBAMTGFRlc3QgQ2Vyd 437 GlmaWNhdGUgcHViZCBUQRcNMDgwNjAyMjE0OTQ1WhcNMDgwNzAyMjE0OTQ1Wq 438 AOMAwwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggEBAFWCWgBl4ljVqX/ 439 CHo+RpqYtvmKMnjPVflMXUB7i28RGP4DAq4l7deDU7Q82xEJyE4TXMWDWAV6U 440 G6uUGum0VHWOcj9ohqyiZUGfOsKg2hbwkETm8sAENOsi1yNdyKGk6jZ16aF5f 441 ubxQqZa1pdGCSac1/ZYC5sLLhEz3kmz+B9z9mXFVc5TgAh4dN3Gy5ftF8zZAF 442 pDGnS4biCnRVqhGv6R0Lh/5xmii+ZU6kNDhbeMsjJg+ZOmtN+wMeHSIbjiy0W 443 uuaZ3k2xSh0C94anrHBZAvvCRhbazjR0Ef5OMZ5lcllw3uO8IHuoisHKkehy4 444 Y0GySdj98fV+OuiRTH9vt/M= 445 446 447 449 4.3. Example 3: Client Create Query and Reply 451 A. Client "Create" Query 453 455 457 458 MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgB 459 gNVBAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1Mz 460 EwWhcNMDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXR 461 lIEJvYiBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYU 462 tJaM5PH5917SG2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GI 463 dnoupzMnoZVtY3GUx2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8U 464 N17mUKKgujrch6ZvgCDO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVd 465 qb/rW/6GTg0Xb/zLT6WWMuT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tb 466 a0xyBGAUII0GfREY6t4/+NAP2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/h 467 kZxxip+Na9xDpE+oQRV+DRukCRJdiqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQ 468 H/MB0GA1UdDgQWBBTDEsXJe6pjAQD4ULlB7+GMDBlimTAfBgNVHSMEGDAWgBT 469 DEsXJe6pjAQD4ULlB7+GMDBlimTANBgkqhkiG9w0BAQUFAAOCAQEAWWkNcW6S 470 1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acgcum1YieNdtT0n96P7CUHOWP8Q 471 Bb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4XY39EZHhMW+Dv0PhIKu2Cg 472 D4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Smsqep6LAlFj62qqaIJzN 473 eQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdHYyMNrG2xMOtIC7T4 474 +IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq3ORv7RZMJNYqv 475 1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ== 476 477 478 480 B. Client "Create" Reply 482 484 485 487 4.4. Example 4: Client Set Query and Reply 489 A. Client "Set" Query 491 493 494 495 MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgB 496 gNVBAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1Mz 497 EwWhcNMDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXR 498 lIEJvYiBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYU 499 tJaM5PH5917SG2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GI 500 dnoupzMnoZVtY3GUx2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8U 501 N17mUKKgujrch6ZvgCDO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVd 502 qb/rW/6GTg0Xb/zLT6WWMuT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tb 503 a0xyBGAUII0GfREY6t4/+NAP2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/h 504 kZxxip+Na9xDpE+oQRV+DRukCRJdiqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQ 505 H/MB0GA1UdDgQWBBTDEsXJe6pjAQD4ULlB7+GMDBlimTAfBgNVHSMEGDAWgBT 506 DEsXJe6pjAQD4ULlB7+GMDBlimTANBgkqhkiG9w0BAQUFAAOCAQEAWWkNcW6S 507 1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acgcum1YieNdtT0n96P7CUHOWP8Q 508 Bb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4XY39EZHhMW+Dv0PhIKu2Cg 509 D4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Smsqep6LAlFj62qqaIJzN 510 eQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdHYyMNrG2xMOtIC7T4 511 +IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq3ORv7RZMJNYqv 512 1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ== 513 514 515 517 B. Client "Set" Reply 519 521 522 524 4.5. Example 5: Client Get Query and Reply 526 A. Client "Get" Query 528 530 531 533 B. Client "Get" Reply 535 537 539 540 MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgB 541 gNVBAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1Mz 542 EwWhcNMDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXR 543 lIEJvYiBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYU 544 tJaM5PH5917SG2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GI 545 dnoupzMnoZVtY3GUx2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8U 546 N17mUKKgujrch6ZvgCDO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVd 547 qb/rW/6GTg0Xb/zLT6WWMuT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tb 548 a0xyBGAUII0GfREY6t4/+NAP2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/h 549 kZxxip+Na9xDpE+oQRV+DRukCRJdiqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQ 550 H/MB0GA1UdDgQWBBTDEsXJe6pjAQD4ULlB7+GMDBlimTAfBgNVHSMEGDAWgBT 551 DEsXJe6pjAQD4ULlB7+GMDBlimTANBgkqhkiG9w0BAQUFAAOCAQEAWWkNcW6S 552 1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acgcum1YieNdtT0n96P7CUHOWP8Q 553 Bb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4XY39EZHhMW+Dv0PhIKu2Cg 554 D4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Smsqep6LAlFj62qqaIJzN 555 eQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdHYyMNrG2xMOtIC7T4 556 +IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq3ORv7RZMJNYqv 557 1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ== 558 559 560 562 4.6. Example 6: Client List Query and Reply 564 A. Client "List" Query 566 568 569 571 B. Client "List" Reply 572 574 575 576 MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgB 577 gNVBAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1Mz 578 EwWhcNMDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXR 579 lIEJvYiBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYU 580 tJaM5PH5917SG2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GI 581 dnoupzMnoZVtY3GUx2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8U 582 N17mUKKgujrch6ZvgCDO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVd 583 qb/rW/6GTg0Xb/zLT6WWMuT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tb 584 a0xyBGAUII0GfREY6t4/+NAP2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/h 585 kZxxip+Na9xDpE+oQRV+DRukCRJdiqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQ 586 H/MB0GA1UdDgQWBBTDEsXJe6pjAQD4ULlB7+GMDBlimTAfBgNVHSMEGDAWgBT 587 DEsXJe6pjAQD4ULlB7+GMDBlimTANBgkqhkiG9w0BAQUFAAOCAQEAWWkNcW6S 588 1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acgcum1YieNdtT0n96P7CUHOWP8Q 589 Bb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4XY39EZHhMW+Dv0PhIKu2Cg 590 D4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Smsqep6LAlFj62qqaIJzN 591 eQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdHYyMNrG2xMOtIC7T4 592 +IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq3ORv7RZMJNYqv 593 1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ== 594 595 596 598 4.7. Example 7: Client Destroy Query and Reply 600 A. Client "Destroy" Query 602 604 605 607 B. Client "Destroy" Reply 609 611 612 614 4.8. Example 8: Publish Query and Reply 616 A. Publish Query 617 619 621 MIIE+jCCA+KgAwIBAgIBDTANBgkqhkiG9w0BAQsFADAzMTEwLwYDVQQDEyhER 622 jRBODAxN0U2NkE5RTkxNzJFNDYxMkQ4Q0Y0QzgzRjIzOERFMkEzMB4XDTA4MD 623 UyMjE4MDUxMloXDTA4MDUyNDE3NTQ1M1owMzExMC8GA1UEAxMoOEZCODIxOEY 624 wNkU1MEFCNzAyQTdEOTZEQzhGMENEQ0Q4MjhGN0YxNzCCASIwDQYJKoZIhvcN 625 AQEBBQADggEPADCCAQoCggEBAMeziKp0k5nP7v6SZoNsXIMQYRgNtC6Fr/9Xm 626 /1yQHomiPqHUk47rHhGojYiK5AhkrwoYhkH4UjJl2iwklDYczXuaBU3F5qrKl 627 Z4aZnjIxdlP7+hktVpeApL6yuJTUAYeC3UIxnLDVdD6phydZ/FOQluffiNDjz 628 teCCvoyOUatqt8WB+oND6LToHp028g1YUYLHG6mur0dPdcHOVXLSmUDuZ1HDz 629 1nDuYvIVKjB/MpH9aW9XeaQ6ZFIlZVPwuuvI2brR+ThH7Gv27GL/o8qFdC300 630 VQfoTZ+rKPGDE8K1cI906BL4kiwx9z0oiDcE96QCz+B0vsjc9mGaA1jgAxlXW 631 sCAwEAAaOCAhcwggITMB0GA1UdDgQWBBSPuCGPBuUKtwKn2W3I8M3Ngo9/FzA 632 fBgNVHSMEGDAWgBTfSoAX5mqekXLkYS2M9Mg/I43iozBVBgNVHR8ETjBMMEqg 633 SKBGhkRyc3luYzovL2xvY2FsaG9zdDo0NDAwL3Rlc3RiZWQvUklSLzEvMzBxQ 634 UYtWnFucEZ5NUdFdGpQVElQeU9ONHFNLmNybDBFBggrBgEFBQcBAQQ5MDcwNQ 635 YIKwYBBQUHMAKGKXJzeW5jOi8vbG9jYWxob3N0OjQ0MDAvdGVzdGJlZC9XT01 636 CQVQuY2VyMBgGA1UdIAEB/wQOMAwwCgYIKwYBBQUHDgIwDwYDVR0TAQH/BAUw 637 AwEB/zAOBgNVHQ8BAf8EBAMCAQYwgZsGCCsGAQUFBwELBIGOMIGLMDQGCCsGA 638 QUFBzAFhihyc3luYzovL2xvY2FsaG9zdDo0NDAwL3Rlc3RiZWQvUklSL1IwLz 639 EvMFMGCCsGAQUFBzAKhkdyc3luYzovL2xvY2FsaG9zdDo0NDAwL3Rlc3RiZWQ 640 vUklSL1IwLzEvajdnaGp3YmxDcmNDcDlsdHlQRE56WUtQZnhjLm1uZjAaBggr 641 BgEFBQcBCAEB/wQLMAmgBzAFAgMA/BUwPgYIKwYBBQUHAQcBAf8ELzAtMCsEA 642 gABMCUDAwAKAzAOAwUAwAACAQMFAcAAAiAwDgMFAsAAAiwDBQDAAAJkMA0GCS 643 qGSIb3DQEBCwUAA4IBAQCEhuH7jtI2PJY6+zwv306vmCuXhtu9Lr2mmRw2ZEr 644 B8EMcb5xypMrNqMoKeu14K2x4a4RPJkK4yAThM81FPNRsU5mM0acIRnAPtxjH 645 vPME7PHN2w2nGLASRsZmaa+b8A7SSOxVcFURazENztppsolHeTpm0cpLItK7m 646 NpudUg1JGuFo94VLf1MnE2EqARG1vTsNhel/SM/UvOArCCOBvf0Gz7kSuupDS 647 Z7qx+LiDmtEsLdbGNQBiYPbLrDk41PHrxdx28qIj7ejZkRzNFw/3pi8/XK281 648 h8zeHoFVu6ghRPy5dbOA4akX/KG6b8XIx0iwPYdLiDbdWFbtTdPcXBauY 649 650 652 B. Publish Reply 654 656 658 660 4.9. Example 9: Withdraw Query and Reply 662 A. Withdraw Query 663 665 667 669 B. Withdraw Reply 671 673 675 677 4.10. Example 10: Report Error Reply 679 A. Report Error Reply 1 681 683 text string 685 687 B. Report Error Reply 2 689 691 692 694 5. Operational Considerations 696 There are two basic options open to the repository operator as to how 697 the publication tree is laid out. The first option is simple: each 698 publication client is given its own directory one level below the top 699 of the rcynic module, and there is no overlap between the publication 700 spaces used by different clients. For example: 702 rsync://example.org/rpki/Alice/ 703 rsync://example.org/rpki/Bob/ 704 rsync://example.org/rpki/Carol/ 706 This has the advantage of being very easy for the publication 707 operator to manage, but has the drawback of making it difficult for 708 relying parties to fetch published objects both safely and as 709 efficiently as possible. 711 Given that the mandatory-to-implement retrieval protocol for relying 712 parties is rsync, a more efficient repository structure would be one 713 which minimized the number of rsync fetches required. One such 714 structure would be one in which the publication directories for 715 subjects were placed underneath the publication directories of their 716 issuers: since the normal synchronization tree walk is top-down, this 717 can significantly reduce the total number of rsync connections 718 required to synchronize. For example: 720 rsync://example.org/rpki/Alice/ 721 rsync://example.org/rpki/Alice/Bob/ 722 rsync://example.org/rpki/Alice/Bob/Carol/ 724 Preliminary measurement suggests that, in the case of large numbers 725 of small publication directories, the time needed to set up and tear 726 down individual rsync connections becomes significant, and that a 727 properly optimized tree structure can reduce synchronization time by 728 an order of magnitude. 730 The more complex tree structure does require careful attention to the 731 base_uri attribute values when setting up clients. In the example 732 above, assuming that Alice issues to Bob who in turn issues to Carol, 733 Alice has ceded control of a portion of her publication space to Bob, 734 who has in turn ceded a portion of that to Carol, and the base_uri 735 attributes in the setup messages should reflect this. 737 The details of how the repository operator determines that Alice has 738 given Bob permission to nest Bob's publication directory under 739 Alice's is outside the scope of this protocol. 741 6. IANA Considerations 743 IANA is asked to register the application/rpki-publication MIME media 744 type as follows: 746 MIME media type name: application 747 MIME subtype name: rpki-publication 748 Required parameters: None 749 Optional parameters: None 750 Encoding considerations: binary 751 Security considerations: Carries an RPKI Publication Protocol 752 Message, as defined in this document. 753 Interoperability considerations: None 754 Published specification: This document 755 Applications which use this media type: HTTP 756 Additional information: 757 Magic number(s): None 758 File extension(s): 759 Macintosh File Type Code(s): 760 Person & email address to contact for further information: 761 Rob Austein 762 Intended usage: COMMON 763 Author/Change controller: Rob Austein 765 7. Security Considerations 767 The RPKI publication protocol and the data it publishes use entirely 768 separate PKIs for authentication. The published data is 769 authenticated within the RPKI, and this protocol has nothing to do 770 with that authentication, nor does it require that the published 771 objects be valid in the RPKI. The publication protocol uses a 772 separate Business PKI (BPKI) to authenticate its messages. 774 Each of the RPKI publication protocol messages is CMS-signed. 775 Because of that protection at the application layer, this protocol 776 does not require the use of HTTPS or other transport security 777 mechanisms. 779 Compromise of a publication server, perhaps through mismanagement of 780 BPKI keys, could lead to a denial-of-service attack on the RPKI. An 781 attacker gaining access to BPKI keys could use this protocol delete 782 (withdraw) RPKI objects, leading to routing changes or failures. 783 Accordingly, as in most PKIs, good key management practices are 784 important. 786 8. References 787 8.1. Normative References 789 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 790 Requirement Levels", BCP 14, RFC 2119, March 1997. 792 [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, 793 RFC 5652, September 2009. 795 [RFC6492] Huston, G., Loomans, R., Ellacott, B., and R. Austein, "A 796 Protocol for Provisioning Resource Certificates", 797 RFC 6492, February 2012. 799 8.2. Informative References 801 [RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support 802 Secure Internet Routing", RFC 6480, February 2012. 804 Authors' Addresses 806 Samuel Weiler 807 SPARTA, Inc. 808 7110 Samuel Morse Drive 809 Columbia, Maryland 21046 810 US 812 Email: weiler@tislabs.com 814 Anuja Sonalker 815 SPARTA, Inc. 816 7110 Samuel Morse Drive 817 Columbia, Maryland 21046 818 US 820 Email: Anuja.Sonalker@sparta.com 822 Rob Austein 823 Dragon Research Labs 825 Email: sra@hactrn.net