idnits 2.17.1 draft-ietf-sidr-publication-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (July 16, 2012) is 4295 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group S. Weiler 3 Internet-Draft SPARTA, Inc. 4 Intended status: Standards Track A. Sonalker 5 Expires: January 17, 2013 Battelle Memorial Institute 6 R. Austein 7 Dragon Research Labs 8 July 16, 2012 10 A Publication Protocol for the Resource Public Key Infrastructure (RPKI) 11 draft-ietf-sidr-publication-03 13 Abstract 15 This document defines a protocol for publishing Resource Public Key 16 Infrastructure (RPKI) objects. Even though the RPKI will have many 17 participants issuing certificates and creating other objects, it is 18 operationally useful to consolidate the publication of those objects. 19 This document provides the protocol for doing so. 21 Status of this Memo 23 This Internet-Draft is submitted in full conformance with the 24 provisions of BCP 78 and BCP 79. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF). Note that other groups may also distribute 28 working documents as Internet-Drafts. The list of current Internet- 29 Drafts is at http://datatracker.ietf.org/drafts/current/. 31 Internet-Drafts are draft documents valid for a maximum of six months 32 and may be updated, replaced, or obsoleted by other documents at any 33 time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 This Internet-Draft will expire on January 17, 2013. 38 Copyright Notice 40 Copyright (c) 2012 IETF Trust and the persons identified as the 41 document authors. All rights reserved. 43 This document is subject to BCP 78 and the IETF Trust's Legal 44 Provisions Relating to IETF Documents 45 (http://trustee.ietf.org/license-info) in effect on the date of 46 publication of this document. Please review these documents 47 carefully, as they describe your rights and restrictions with respect 48 to this document. Code Components extracted from this document must 49 include Simplified BSD License text as described in Section 4.e of 50 the Trust Legal Provisions and are provided without warranty as 51 described in the Simplified BSD License. 53 Table of Contents 55 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 56 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 57 2. Context . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 58 3. Protocol Specification . . . . . . . . . . . . . . . . . . . . 4 59 3.1. Common Details . . . . . . . . . . . . . . . . . . . . . . 4 60 3.1.1. Common XML Message Format . . . . . . . . . . . . . . 4 61 3.2. Control Sub-Protocol . . . . . . . . . . . . . . . . . . . 5 62 3.2.1. Config Object . . . . . . . . . . . . . . . . . . . . 5 63 3.2.2. Client Object . . . . . . . . . . . . . . . . . . . . 5 64 3.3. Publication Sub-Protocol . . . . . . . . . . . . . . . . . 6 65 3.4. Error handling . . . . . . . . . . . . . . . . . . . . . . 7 66 3.5. XML Schema . . . . . . . . . . . . . . . . . . . . . . . . 7 67 4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 68 4.1. Config Set Query and Response . . . . . . . . . . . . . . 9 69 4.2. Config Get Query and Response . . . . . . . . . . . . . . 10 70 4.3. Example 3: Client Create Query and Reply . . . . . . . . . 11 71 4.4. Example 4: Client Set Query and Reply . . . . . . . . . . 12 72 4.5. Example 5: Client Get Query and Reply . . . . . . . . . . 13 73 4.6. Example 6: Client List Query and Reply . . . . . . . . . . 13 74 4.7. Example 7: Client Destroy Query and Reply . . . . . . . . 14 75 4.8. Example 8: Publish Query and Reply . . . . . . . . . . . . 14 76 4.9. Example 9: Withdraw Query and Reply . . . . . . . . . . . 15 77 4.10. Example 10: Report Error Reply . . . . . . . . . . . . . . 16 78 5. Operational Considerations . . . . . . . . . . . . . . . . . . 16 79 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 80 7. Security Considerations . . . . . . . . . . . . . . . . . . . 18 81 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19 82 8.1. Normative References . . . . . . . . . . . . . . . . . . . 19 83 8.2. Informative References . . . . . . . . . . . . . . . . . . 19 84 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 19 86 1. Introduction 88 This document assumes a working knowledge of the Resource Public Key 89 Infrastructure (RPKI), which is intended to support improved routing 90 security on the Internet. [RFC6480] 92 In order to make participation in the RPKI easier, it is helpful to 93 have a few consolidated repositories for RPKI objects, thus saving 94 every participant from the cost of maintaining a new service. 95 Similarly, relying parties using the RPKI objects will find it faster 96 and more reliable to retrieve the necessary set from a smaller number 97 of repositories. 99 These consolidated RPKI object repositories will in many cases be 100 outside the administrative scope of the organization issuing a given 101 RPKI object. Hence the need for a protocol to publish RPKI objects. 103 This document defines the RPKI publication protocol, including a sub- 104 protocol for configuring the publication engine. 106 1.1. Terminology 108 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 109 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 110 document are to be interpreted as described in [RFC2119]. 112 "Publication engine" and "publication server" are used 113 interchangeably to refer to the server providing the service 114 described in this document. 116 "Business Public Key Infrastructure" ("Business PKI" or "BPKI") 117 refers to a PKI, separate from the RPKI, used to authenticate clients 118 to the publication engine. 120 2. Context 122 This protocol was designed specifically for the case where an 123 internet registry, already issuing RPKI certificates to its children, 124 also wishes to run a publication service for its children. 126 We use the term "Business PKI" here because an internet registry 127 might already have a PKI, separate from the RPKI, for authenticating 128 its clients and might wish to reuse that PKI for this protocol. Such 129 reuse is not a requirement. 131 3. Protocol Specification 133 In summary, the publication protocol uses XML messages wrapped in 134 CMS, carried over HTTP transport. 136 The publication procotol consists of two separate subprotocols. The 137 first is a control protocol used to configure a publication engine. 138 The second subprotocol, which we refer to by the overloaded term 139 "publication protocol", is used to request publication of specific 140 objects. The publication engine operates a single HTTP server on a 141 single port. It distinguishes between the two protocols by using 142 different URLs for them. 144 3.1. Common Details 146 This section discusses details that the two subprotocols have in 147 common, including the transport and CMS wrappers. 149 Both protocols use a simple request/response interaction. The client 150 passes a request to the server, and the server generates a 151 corresponding response. 153 A message exchange commences with the client initiating an HTTP POST 154 with content type of "application/rpki-publication", with the message 155 object as the body. The server's response will similarly be the body 156 of the response with a content type of "application/ 157 rpki-publication". 159 The content of the POST and the server's response will be a well- 160 formed Cryptographic Message Syntax (CMS) [RFC5652] object with OID = 161 1.2.840.113549.1.7.2 as described in Section 3.1 of [RFC6492]. 163 3.1.1. Common XML Message Format 165 The XML schema for this protocol (including both subprotocols) is 166 below in Section 3.5. Both subprotocols use the same basic XML 167 message format, which looks like: 169 170 173 [one or more PDUs] 174 176 version: 177 The value of this attribute is the version of this protocol. 178 This document describes version 2. 180 type: 181 The possible values of this attribute are "reply" and "query". 183 A query PDU may be one of four types: config_query, client_query, 184 publish_query, or withdraw_query. The first two are used by the 185 control sub-protocol, the latter two by the publication sub-protocol. 187 A reply PDU may be one of five types: config_reply, client_reply, 188 publish_reply, withdraw_reply, or report_error_reply. 190 Each of these PDUs may include an optional tag to facilitate bulk 191 operation. If a tag is set in a query PDU, the corresponding 192 reply(s) MUST have the tag attribute set to the same value. 194 3.2. Control Sub-Protocol 196 The control sub-protocol is used to configure a publication server. 197 It can set global variables (at the moment, limited to a BPKI CRL) 198 and manage clients who are allowed to publish data on the server. 200 3.2.1. Config Object 202 The object allows configuration of data that apply to the 203 entire publication server rather than a particular client. There is 204 exactly one object in the publication server, and it only 205 supports the "set" and "get" actions -- it cannot be created or 206 destroyed. Its use is typically restricted to the repository 207 operator. 209 The object only has one data element that can be set: the 210 bpki_crl. This is used by the publication server when authenticating 211 clients. 213 3.2.2. Client Object 215 Unlike the object, the object represents one 216 client authorized to use the publication server. There may be more 217 than one object on each publication server. Again, its use 218 is typically restricted to the respository operator. 220 The object supports five actions: "create", "set", "get", 221 "list", and "destroy". Each client has a "client_handle" attribute, 222 which is used in responses and must be specified in "create", "set", 223 "get", or "destroy" actions. The "create" and "set" actions take 224 optional boolean attributes. The only attribute currently defined is 225 used to clear CMS-timestamp-based replay protection, to allow 226 recovery from misconfigured clocks. 228 Payload data which can be configured in a object include: 230 o base_uri (attribute): This attribute represents the base URI below 231 which the client will be allowed to publish data. Additional 232 constraints may be imposed by the publication server in certain 233 cases, for e.g., a child publishing directly under its parent. 235 o bpki_cert (element): This represents the X.509 BPKI CA certificate 236 for this client. This should be used as part of the certificate 237 chain when validating incoming CMS messages. Two valid approaches 238 exist. If the optional bpki_glue certificate is being used, then 239 the bpki_cert certificate should be issued by the bpki_glue 240 certificate; otherwise, the bpki_cert certificate should be issued 241 by the publication engine's bpki_ta certificate. 243 o bpki_glue (element): This is an additional (optional) X.509 244 certificate for this client. It may be used in certain 245 pathological cross-certification cases which require a two- 246 certificate chain due to issuer name conflicts. When being used, 247 issuing order is that the bpki_glue certificate should be the 248 issuer of the bpki_cert certificate. Otherwise, it should be 249 issued by the publication engine's bpki_ta certificate. Since 250 this is an optional use certificate, it may be left unset if not 251 needed. 253 3.3. Publication Sub-Protocol 255 The publication sub-protocol requests publication or withdrawal from 256 publication of RPKI objects. 258 The publication protocol uses a common message format to request 259 publication of any RPKI object. This format was chosen specifically 260 to allow this protocol to accommodate new types of RPKI objects 261 without needing changes to this protocol. 263 Both the and objects have a payload of an 264 optional tag and a URI. The query also contains the DER 265 object to be published, encoded in Base64. 267 Note that every publish and withdraw action requires a new manifest, 268 thus every publish or withdraw action will involve at least two 269 objects. 271 3.4. Error handling 273 Errors are handled similarly in both subprotocols, and they're 274 handled at two levels. 276 Since all messages in this protocol are conveyed over HTTP 277 connections, basic errors are indicated via the HTTP response code. 278 4xx and 5xx responses indicate that something bad happened. Errors 279 that make it impossible to decode a query or encode a response are 280 handled in this way. 282 Where possible, errors will result in an XML message 283 which takes the place of the expected protocol response message. 284 messages are CMS-signed XML messages like the rest of 285 this protocol, and thus can be archived to provide an audit trail. 287 messages only appear in replies, never in queries. 288 The message can appear in both the control and 289 publication subprotocols. 291 Like all other messages in this protocol, the message 292 includes a "tag" attribute to assist in matching the error with a 293 particular query when using batching. It is optional to set the tag 294 on queries but, if set on the query, it MUST be set on the reply or 295 error. 297 The error itself is conveyed in the error_code (attribute). The 298 value of this attribute is a token indicating the specific error that 299 occurred. 301 The body of the element itself is an optional text 302 string; if present, this is debugging information. 304 3.5. XML Schema 306 The following is a RelaxNG compact form schema describing the 307 Publication Protocol. 309 default namespace = "http://www.hactrn.net/uris/rpki/publication-spec/" 311 # Top level PDU 312 start = element msg { 313 attribute version { "2" } , 314 ( ( attribute type { "query" }, query_elt*) | 315 (attribute type { "reply" }, reply_elt*)) 316 } 318 # PDUs allowed in a query 319 query_elt = ( config_query | client_query | publish_query | 320 withdraw_query ) 322 # PDUs allowed in a reply 323 reply_elt = ( config_reply | client_reply | publish_reply | 324 withdraw_reply | report_error_reply ) 326 # Tag attributes for bulk operations 327 tag = attribute tag { xsd:token {maxLength="1024" } } 329 # Base64 encoded DER stuff 330 base64 = xsd:base64Binary 332 # Publication URLs 333 uri_t = xsd:anyURI { maxLength="4096" } 334 uri = attribute uri { uri_t } 336 # Handles on remote objects (replaces passing raw SQL IDs). NB: 337 # Unlike the up-down protocol, handles in this protocol allow 338 # "/" as a hierarchy delimiter. 339 object_handle = xsd:string { 340 maxLength="255" pattern="[\-_A-Za-z0-9/]*" } 342 # element (use restricted to repository operator) 343 # config_handle attribute: create, list, and destroy commands 344 # omitted deliberately. 345 config_payload = (element bpki_crl { base64 }?) 346 config_query |= element config { attribute action { "set" }, tag?, 347 config_payload } 348 config_reply |= element config { attribute action { "set" }, tag? } 349 config_query |= element config { attribute action { "get" }, tag? } 350 config_reply |= element config { attribute action { "get" }, tag?, 351 config_payload } 353 # element (use restricted to repository operator) 354 client_handle = attribute client_handle { object_handle } 355 client_payload = (attribute base_uri { uri_t }?, element bpki_cert { 356 base64 }?, element bpki_glue { base64 }?) 357 client_bool = attribute clear_replay_protection { "yes" }? 359 client_query |= element client { attribute action { "create" }, 360 tag?, client_handle, client_bool, client_payload } 361 client_reply |= element client { attribute action { "create" }, 362 tag?, client_handle } 363 client_query |= element client { attribute action { "set" }, tag?, 364 client_handle, client_bool, client_payload } 365 client_reply |= element client { attribute action { "set" }, tag?, 366 client_handle } 367 client_query |= element client { attribute action { "get" }, tag?, 368 client_handle } 369 client_reply |= element client { attribute action { "get" }, tag?, 370 client_handle, client_payload } 371 client_query |= element client { attribute action { "list" }, tag? } 372 client_reply |= element client { attribute action { "list" }, tag?, 373 client_handle, client_payload } 374 client_query |= element client { attribute action { "destroy" }, 375 tag?, client_handle } 376 client_reply |= element client { attribute action { "destroy" }, 377 tag?, client_handle } 379 # element 380 publish_query |= element publish { tag?, uri, base64 } 381 publish_reply |= element publish { tag?, uri } 383 # element 384 withdraw_query |= element withdraw { tag?, uri } 385 withdraw_reply |= element withdraw { tag?, uri } 387 # element 388 error = xsd:token { maxLength="1024" } 389 report_error_reply = element report_error { 390 tag?, 391 attribute error_code { error }, 392 xsd:string { maxLength="512000" }? 393 } 395 4. Examples 397 Following are various queries and the corresponding replies for the 398 RPKI publication protocol 400 4.1. Config Set Query and Response 402 A. Config "Set" Query 403 405 406 407 MIIBezBlAgEBMA0GCSqGSIb3DQEBCwUAMCMxITAfBgNVBAMTGFRlc3QgQ2Vyd 408 GlmaWNhdGUgcHViZCBUQRcNMDgwNjAyMjE0OTQ1WhcNMDgwNzAyMjE0OTQ1Wq 409 AOMAwwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggEBAFWCWgBl4ljVqX/ 410 CHo+RpqYtvmKMnjPVflMXUB7i28RGP4DAq4l7deDU7Q82xEJyE4TXMWDWAV6U 411 G6uUGum0VHWOcj9ohqyiZUGfOsKg2hbwkETm8sAENOsi1yNdyKGk6jZ16aF5f 412 ubxQqZa1pdGCSac1/ZYC5sLLhEz3kmz+B9z9mXFVc5TgAh4dN3Gy5ftF8zZAF 413 pDGnS4biCnRVqhGv6R0Lh/5xmii+ZU6kNDhbeMsjJg+ZOmtN+wMeHSIbjiy0W 414 uuaZ3k2xSh0C94anrHBZAvvCRhbazjR0Ef5OMZ5lcllw3uO8IHuoisHKkehy4 415 Y0GySdj98fV+OuiRTH9vt/M= 416 417 418 420 B. Config "Set" Reply 422 424 425 427 4.2. Config Get Query and Response 429 A. Config "Get" Query 431 433 434 436 B. Config "Get" Reply 437 439 440 441 MIIBezBlAgEBMA0GCSqGSIb3DQEBCwUAMCMxITAfBgNVBAMTGFRlc3QgQ2Vyd 442 GlmaWNhdGUgcHViZCBUQRcNMDgwNjAyMjE0OTQ1WhcNMDgwNzAyMjE0OTQ1Wq 443 AOMAwwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggEBAFWCWgBl4ljVqX/ 444 CHo+RpqYtvmKMnjPVflMXUB7i28RGP4DAq4l7deDU7Q82xEJyE4TXMWDWAV6U 445 G6uUGum0VHWOcj9ohqyiZUGfOsKg2hbwkETm8sAENOsi1yNdyKGk6jZ16aF5f 446 ubxQqZa1pdGCSac1/ZYC5sLLhEz3kmz+B9z9mXFVc5TgAh4dN3Gy5ftF8zZAF 447 pDGnS4biCnRVqhGv6R0Lh/5xmii+ZU6kNDhbeMsjJg+ZOmtN+wMeHSIbjiy0W 448 uuaZ3k2xSh0C94anrHBZAvvCRhbazjR0Ef5OMZ5lcllw3uO8IHuoisHKkehy4 449 Y0GySdj98fV+OuiRTH9vt/M= 450 451 452 454 4.3. Example 3: Client Create Query and Reply 456 A. Client "Create" Query 458 460 462 463 MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgB 464 gNVBAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1Mz 465 EwWhcNMDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXR 466 lIEJvYiBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYU 467 tJaM5PH5917SG2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GI 468 dnoupzMnoZVtY3GUx2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8U 469 N17mUKKgujrch6ZvgCDO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVd 470 qb/rW/6GTg0Xb/zLT6WWMuT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tb 471 a0xyBGAUII0GfREY6t4/+NAP2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/h 472 kZxxip+Na9xDpE+oQRV+DRukCRJdiqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQ 473 H/MB0GA1UdDgQWBBTDEsXJe6pjAQD4ULlB7+GMDBlimTAfBgNVHSMEGDAWgBT 474 DEsXJe6pjAQD4ULlB7+GMDBlimTANBgkqhkiG9w0BAQUFAAOCAQEAWWkNcW6S 475 1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acgcum1YieNdtT0n96P7CUHOWP8Q 476 Bb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4XY39EZHhMW+Dv0PhIKu2Cg 477 D4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Smsqep6LAlFj62qqaIJzN 478 eQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdHYyMNrG2xMOtIC7T4 479 +IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq3ORv7RZMJNYqv 480 1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ== 481 482 483 485 B. Client "Create" Reply 487 489 490 492 4.4. Example 4: Client Set Query and Reply 494 A. Client "Set" Query 496 498 499 500 MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgB 501 gNVBAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1Mz 502 EwWhcNMDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXR 503 lIEJvYiBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYU 504 tJaM5PH5917SG2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GI 505 dnoupzMnoZVtY3GUx2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8U 506 N17mUKKgujrch6ZvgCDO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVd 507 qb/rW/6GTg0Xb/zLT6WWMuT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tb 508 a0xyBGAUII0GfREY6t4/+NAP2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/h 509 kZxxip+Na9xDpE+oQRV+DRukCRJdiqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQ 510 H/MB0GA1UdDgQWBBTDEsXJe6pjAQD4ULlB7+GMDBlimTAfBgNVHSMEGDAWgBT 511 DEsXJe6pjAQD4ULlB7+GMDBlimTANBgkqhkiG9w0BAQUFAAOCAQEAWWkNcW6S 512 1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acgcum1YieNdtT0n96P7CUHOWP8Q 513 Bb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4XY39EZHhMW+Dv0PhIKu2Cg 514 D4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Smsqep6LAlFj62qqaIJzN 515 eQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdHYyMNrG2xMOtIC7T4 516 +IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq3ORv7RZMJNYqv 517 1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ== 518 519 520 522 B. Client "Set" Reply 524 526 527 529 4.5. Example 5: Client Get Query and Reply 531 A. Client "Get" Query 533 535 536 538 B. Client "Get" Reply 540 542 544 545 MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgB 546 gNVBAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1Mz 547 EwWhcNMDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXR 548 lIEJvYiBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYU 549 tJaM5PH5917SG2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GI 550 dnoupzMnoZVtY3GUx2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8U 551 N17mUKKgujrch6ZvgCDO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVd 552 qb/rW/6GTg0Xb/zLT6WWMuT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tb 553 a0xyBGAUII0GfREY6t4/+NAP2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/h 554 kZxxip+Na9xDpE+oQRV+DRukCRJdiqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQ 555 H/MB0GA1UdDgQWBBTDEsXJe6pjAQD4ULlB7+GMDBlimTAfBgNVHSMEGDAWgBT 556 DEsXJe6pjAQD4ULlB7+GMDBlimTANBgkqhkiG9w0BAQUFAAOCAQEAWWkNcW6S 557 1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acgcum1YieNdtT0n96P7CUHOWP8Q 558 Bb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4XY39EZHhMW+Dv0PhIKu2Cg 559 D4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Smsqep6LAlFj62qqaIJzN 560 eQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdHYyMNrG2xMOtIC7T4 561 +IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq3ORv7RZMJNYqv 562 1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ== 563 564 565 567 4.6. Example 6: Client List Query and Reply 569 A. Client "List" Query 571 573 574 576 B. Client "List" Reply 577 579 580 581 MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgB 582 gNVBAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1Mz 583 EwWhcNMDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXR 584 lIEJvYiBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYU 585 tJaM5PH5917SG2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GI 586 dnoupzMnoZVtY3GUx2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8U 587 N17mUKKgujrch6ZvgCDO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVd 588 qb/rW/6GTg0Xb/zLT6WWMuT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tb 589 a0xyBGAUII0GfREY6t4/+NAP2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/h 590 kZxxip+Na9xDpE+oQRV+DRukCRJdiqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQ 591 H/MB0GA1UdDgQWBBTDEsXJe6pjAQD4ULlB7+GMDBlimTAfBgNVHSMEGDAWgBT 592 DEsXJe6pjAQD4ULlB7+GMDBlimTANBgkqhkiG9w0BAQUFAAOCAQEAWWkNcW6S 593 1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acgcum1YieNdtT0n96P7CUHOWP8Q 594 Bb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4XY39EZHhMW+Dv0PhIKu2Cg 595 D4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Smsqep6LAlFj62qqaIJzN 596 eQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdHYyMNrG2xMOtIC7T4 597 +IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq3ORv7RZMJNYqv 598 1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ== 599 600 601 603 4.7. Example 7: Client Destroy Query and Reply 605 A. Client "Destroy" Query 607 609 610 612 B. Client "Destroy" Reply 614 616 617 619 4.8. Example 8: Publish Query and Reply 621 A. Publish Query 622 624 626 MIIE+jCCA+KgAwIBAgIBDTANBgkqhkiG9w0BAQsFADAzMTEwLwYDVQQDEyhER 627 jRBODAxN0U2NkE5RTkxNzJFNDYxMkQ4Q0Y0QzgzRjIzOERFMkEzMB4XDTA4MD 628 UyMjE4MDUxMloXDTA4MDUyNDE3NTQ1M1owMzExMC8GA1UEAxMoOEZCODIxOEY 629 wNkU1MEFCNzAyQTdEOTZEQzhGMENEQ0Q4MjhGN0YxNzCCASIwDQYJKoZIhvcN 630 AQEBBQADggEPADCCAQoCggEBAMeziKp0k5nP7v6SZoNsXIMQYRgNtC6Fr/9Xm 631 /1yQHomiPqHUk47rHhGojYiK5AhkrwoYhkH4UjJl2iwklDYczXuaBU3F5qrKl 632 Z4aZnjIxdlP7+hktVpeApL6yuJTUAYeC3UIxnLDVdD6phydZ/FOQluffiNDjz 633 teCCvoyOUatqt8WB+oND6LToHp028g1YUYLHG6mur0dPdcHOVXLSmUDuZ1HDz 634 1nDuYvIVKjB/MpH9aW9XeaQ6ZFIlZVPwuuvI2brR+ThH7Gv27GL/o8qFdC300 635 VQfoTZ+rKPGDE8K1cI906BL4kiwx9z0oiDcE96QCz+B0vsjc9mGaA1jgAxlXW 636 sCAwEAAaOCAhcwggITMB0GA1UdDgQWBBSPuCGPBuUKtwKn2W3I8M3Ngo9/FzA 637 fBgNVHSMEGDAWgBTfSoAX5mqekXLkYS2M9Mg/I43iozBVBgNVHR8ETjBMMEqg 638 SKBGhkRyc3luYzovL2xvY2FsaG9zdDo0NDAwL3Rlc3RiZWQvUklSLzEvMzBxQ 639 UYtWnFucEZ5NUdFdGpQVElQeU9ONHFNLmNybDBFBggrBgEFBQcBAQQ5MDcwNQ 640 YIKwYBBQUHMAKGKXJzeW5jOi8vbG9jYWxob3N0OjQ0MDAvdGVzdGJlZC9XT01 641 CQVQuY2VyMBgGA1UdIAEB/wQOMAwwCgYIKwYBBQUHDgIwDwYDVR0TAQH/BAUw 642 AwEB/zAOBgNVHQ8BAf8EBAMCAQYwgZsGCCsGAQUFBwELBIGOMIGLMDQGCCsGA 643 QUFBzAFhihyc3luYzovL2xvY2FsaG9zdDo0NDAwL3Rlc3RiZWQvUklSL1IwLz 644 EvMFMGCCsGAQUFBzAKhkdyc3luYzovL2xvY2FsaG9zdDo0NDAwL3Rlc3RiZWQ 645 vUklSL1IwLzEvajdnaGp3YmxDcmNDcDlsdHlQRE56WUtQZnhjLm1uZjAaBggr 646 BgEFBQcBCAEB/wQLMAmgBzAFAgMA/BUwPgYIKwYBBQUHAQcBAf8ELzAtMCsEA 647 gABMCUDAwAKAzAOAwUAwAACAQMFAcAAAiAwDgMFAsAAAiwDBQDAAAJkMA0GCS 648 qGSIb3DQEBCwUAA4IBAQCEhuH7jtI2PJY6+zwv306vmCuXhtu9Lr2mmRw2ZEr 649 B8EMcb5xypMrNqMoKeu14K2x4a4RPJkK4yAThM81FPNRsU5mM0acIRnAPtxjH 650 vPME7PHN2w2nGLASRsZmaa+b8A7SSOxVcFURazENztppsolHeTpm0cpLItK7m 651 NpudUg1JGuFo94VLf1MnE2EqARG1vTsNhel/SM/UvOArCCOBvf0Gz7kSuupDS 652 Z7qx+LiDmtEsLdbGNQBiYPbLrDk41PHrxdx28qIj7ejZkRzNFw/3pi8/XK281 653 h8zeHoFVu6ghRPy5dbOA4akX/KG6b8XIx0iwPYdLiDbdWFbtTdPcXBauY 654 655 657 B. Publish Reply 659 661 663 665 4.9. Example 9: Withdraw Query and Reply 667 A. Withdraw Query 668 670 672 674 B. Withdraw Reply 676 678 680 682 4.10. Example 10: Report Error Reply 684 A. Report Error Reply 1 686 688 text string 690 692 B. Report Error Reply 2 694 696 697 699 5. Operational Considerations 701 There are two basic options open to the repository operator as to how 702 the publication tree is laid out. The first option is simple: each 703 publication client is given its own directory one level below the top 704 of the rcynic module, and there is no overlap between the publication 705 spaces used by different clients. For example: 707 rsync://example.org/rpki/Alice/ 708 rsync://example.org/rpki/Bob/ 709 rsync://example.org/rpki/Carol/ 711 This has the advantage of being very easy for the publication 712 operator to manage, but has the drawback of making it difficult for 713 relying parties to fetch published objects both safely and as 714 efficiently as possible. 716 Given that the mandatory-to-implement retrieval protocol for relying 717 parties is rsync, a more efficient repository structure would be one 718 which minimized the number of rsync fetches required. One such 719 structure would be one in which the publication directories for 720 subjects were placed underneath the publication directories of their 721 issuers: since the normal synchronization tree walk is top-down, this 722 can significantly reduce the total number of rsync connections 723 required to synchronize. For example: 725 rsync://example.org/rpki/Alice/ 726 rsync://example.org/rpki/Alice/Bob/ 727 rsync://example.org/rpki/Alice/Bob/Carol/ 729 Preliminary measurement suggests that, in the case of large numbers 730 of small publication directories, the time needed to set up and tear 731 down individual rsync connections becomes significant, and that a 732 properly optimized tree structure can reduce synchronization time by 733 an order of magnitude. 735 The more complex tree structure does require careful attention to the 736 base_uri attribute values when setting up clients. In the example 737 above, assuming that Alice issues to Bob who in turn issues to Carol, 738 Alice has ceded control of a portion of her publication space to Bob, 739 who has in turn ceded a portion of that to Carol, and the base_uri 740 attributes in the setup messages should reflect this. 742 The details of how the repository operator determines that Alice has 743 given Bob permission to nest Bob's publication directory under 744 Alice's is outside the scope of this protocol. 746 6. IANA Considerations 748 IANA is asked to register the application/rpki-publication MIME media 749 type as follows: 751 MIME media type name: application 752 MIME subtype name: rpki-publication 753 Required parameters: None 754 Optional parameters: None 755 Encoding considerations: binary 756 Security considerations: Carries an RPKI Publication Protocol 757 Message, as defined in this document. 758 Interoperability considerations: None 759 Published specification: This document 760 Applications which use this media type: HTTP 761 Additional information: 762 Magic number(s): None 763 File extension(s): 764 Macintosh File Type Code(s): 765 Person & email address to contact for further information: 766 Rob Austein 767 Intended usage: COMMON 768 Author/Change controller: Rob Austein 770 7. Security Considerations 772 The RPKI publication protocol and the data it publishes use entirely 773 separate PKIs for authentication. The published data is 774 authenticated within the RPKI, and this protocol has nothing to do 775 with that authentication, nor does it require that the published 776 objects be valid in the RPKI. The publication protocol uses a 777 separate Business PKI (BPKI) to authenticate its messages. 779 Each of the RPKI publication protocol messages is CMS-signed. 780 Because of that protection at the application layer, this protocol 781 does not require the use of HTTPS or other transport security 782 mechanisms. 784 Compromise of a publication server, perhaps through mismanagement of 785 BPKI keys, could lead to a denial-of-service attack on the RPKI. An 786 attacker gaining access to BPKI keys could use this protocol delete 787 (withdraw) RPKI objects, leading to routing changes or failures. 788 Accordingly, as in most PKIs, good key management practices are 789 important. 791 8. References 792 8.1. Normative References 794 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 795 Requirement Levels", BCP 14, RFC 2119, March 1997. 797 [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, 798 RFC 5652, September 2009. 800 [RFC6492] Huston, G., Loomans, R., Ellacott, B., and R. Austein, "A 801 Protocol for Provisioning Resource Certificates", 802 RFC 6492, February 2012. 804 8.2. Informative References 806 [RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support 807 Secure Internet Routing", RFC 6480, February 2012. 809 Authors' Addresses 811 Samuel Weiler 812 SPARTA, Inc. 813 7110 Samuel Morse Drive 814 Columbia, Maryland 21046 815 US 817 Email: weiler@tislabs.com 819 Anuja Sonalker 820 Battelle Memorial Institute 821 Columbia, Maryland 21046 822 US 824 Email: sonalkera@battelle.org 826 Rob Austein 827 Dragon Research Labs 829 Email: sra@hactrn.net