randy/draft-9092update
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
draft-9092update/draft-ietf-opsawg-9092-update.xml
Job Snijders c5c279fdb1 create examples compliant with rpki specs
2023-09-21 08:13:06 +00:00

1353 lines
57 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="US-ASCII"?>
<?rfc sortrefs="yes"?>
<?rfc subcompact="no"?>
<?rfc symrefs="yes"?>
<?rfc toc="yes"?>
<?rfc tocdepth="3"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="std" docName="draft-ietf-opsawg-9092-update-03"
submissionType="IETF" consensus="true" ipr="trust200902"
obsoletes="9092" version="2" >
<front>
<title abbrev="Finding and Using Geofeed Data">Finding and Using Geofeed Data</title>
<author fullname="Randy Bush" initials="R." surname="Bush">
<organization>IIJ &amp; Arrcus</organization>
<address>
<postal>
<street>5147 Crystal Springs</street>
<city>Bainbridge Island</city>
<region>Washington</region>
<code>98110</code>
<country>United States of America</country>
</postal>
<email>randy@psg.com</email>
</address>
</author>
<author fullname="Massimo Candela" initials="M." surname="Candela">
<organization>NTT</organization>
<address>
<postal>
<street>Veemweg 23</street>
<city>Barneveld</city>
<code>3771 MT</code>
<country>Netherlands</country>
</postal>
<email>massimo@ntt.net</email>
</address>
</author>
<author fullname="Warren Kumari" initials="W." surname="Kumari">
<organization>Google</organization>
<address>
<postal>
<street>1600 Amphitheatre Parkway</street>
<city>Mountain View</city>
<region>CA</region>
<code>94043</code>
<country>United States of America</country>
</postal>
<email>warren@kumari.net</email>
</address>
</author>
<author fullname="Russ Housley" initials="R" surname="Housley">
<organization abbrev="Vigil Security">Vigil Security, LLC</organization>
<address>
<postal>
<street>516 Dranesville Road</street>
<city>Herndon</city>
<region>VA</region>
<code>20170</code>
<country>United States of America</country>
</postal>
<email>housley@vigilsec.com</email>
</address>
</author>
<date />
<keyword>geolocation</keyword>
<keyword>geo-location</keyword>
<keyword>RPSL</keyword>
<keyword>inetnum</keyword>
<abstract>
<t>
This document specifies how to augment the Routing Policy
Specification Language inetnum: class to refer specifically to
geofeed data files and describes an optional scheme that uses
the Resource Public Key Infrastructure to authenticate the
geofeed datafiles.
</t>
</abstract>
</front>
<middle>
<section anchor="intro" numbered="true" toc="default">
<name>Introduction</name>
<t>
Providers of Internet content and other services may wish to
customize those services based on the geographic location of the
user of the service. This is often done using the source IP
address used to contact the service, which may not point to a
user, see <xref target ="RFC6269"/>, Section 14 in particular.
Also, infrastructure and other services might wish to publish
the locale of their services. <xref target="RFC8805"
format="default"/> defines geofeed, a syntax to associate
geographic locales with IP addresses, but it does not specify
how to find the relevant geofeed data given an IP address.
</t>
<t>
This document specifies how to augment the Routing Policy
Specification Language (RPSL) <xref target="RFC2725"
format="default"/> inetnum: class to refer specifically to
geofeed data files and how to prudently use them. In all places
inetnum: is used, inet6num: should also be assumed <xref
target="RFC4012" format="default"/>.
</t>
<t>
The reader may find <xref target="INETNUM" format="default"/>
and <xref target="INET6NUM" format="default"/> informative, and
certainly more verbose, descriptions of the inetnum: database
classes.
</t>
<t>
An optional utterly awesome but slightly complex means for
authenticating geofeed data is also defined in <xref
target="auth"/>.
</t>
<t>
This document obsoletes <xref target="RFC9092"/>. Changes from
<xref target="RFC9092"/> include the following:
<ul spacing="compact">
<li>
RIPE has implemented the geofeed: attribute.
</li>
<li>
Allow, but discourage, an inetnum: to have both a geofeed
remarks: attribute and a geofeed: attribute.
</li>
<li>
Geofeed file only UTF-8 CSV.
</li>
<li>
Stress that authenticating geofeed data is optional.
</li>
<li>
IP Address Delegation extensions must not use "inherit".
</li>
<li>
If geofeed data are present, ignore geographic location
hints in other data.
</li>
</ul>
</t>
<section numbered="true" toc="default">
<name>Requirements Language</name>
<t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14 <xref format="default" pageno="false"
target="RFC2119"/> <xref format="default" pageno="false"
target="RFC8174"/> when, and only when, they appear in all
capitals, as shown here.
</t>
</section>
</section>
<section anchor="gf" numbered="true" toc="default">
<name>Geofeed Files</name>
<t>
Geofeed files are described in <xref target="RFC8805"
format="default"/>. They provide a facility for an IP address
resource "owner" to associate those IP addresses to geographic
locales.
</t>
<t>
Per <xref target="RFC8805"/>, geofeed files consist of CSVs
(Comma Separated Values) in UTF-8 text format; not HTML,
richtext, or other formats.
</t>
<t>
Content providers and other parties who wish to locate an IP
address to a geographic locale need to find the relevant geofeed
data. In <xref target="inetnum" format="default"/>, this
document specifies how to find the relevant geofeed <xref
target="RFC8805" format="default"/> file given an IP address.
</t>
<t>
Geofeed data for large providers with significant horizontal
scale and high granularity can be quite large. The size of a
file can be even larger if an unsigned geofeed file combines
data for many prefixes, if dual IPv4/IPv6 spaces are
represented, etc.
</t>
<t>
Geofeed data do have privacy considerations (see <xref
target="privacy" format="default"/>); this process makes bulk
access to those data easier.
</t>
<t>
This document also suggests an optional signature to strongly
authenticate the data in the geofeed files.
</t>
</section>
<section anchor="inetnum" numbered="true" toc="default">
<name>inetnum: Class</name>
<t>
The original RPSL specifications starting with <xref
target="RIPE81" format="default"/>, <xref target="RIPE181"
format="default"/>, and a trail of subsequent documents were
written by the RIPE community. The IETF standardized RPSL in
<xref target="RFC2622" format="default"/> and <xref
target="RFC4012" format="default"/>. Since then, it has been
modified and extensively enhanced in the Regional Internet
Registry (RIR) community, mostly by RIPE <xref target="RIPE-DB"
format="default"/>. Currently, change control effectively lies
in the operator community.
</t>
<t>
The RPSL, and <xref target="RFC2725" format="default"/> and
<xref target="RFC4012" format="default"/> used by the Regional
Internet Registries (RIRs), specify the inetnum: database class.
Each of these objects describes an IP address range and its
attributes. The inetnum: objects form a hierarchy ordered on
the address space.
</t>
<t>
Ideally, RPSL would be augmented to define a new RPSL geofeed:
attribute in the inetnum: class. Absent implementation of the
geofeed: attribute in a particular RIR database, this document
defines the syntax of a Geofeed remarks: attribute, which
contains an HTTPS URL of a geofeed file. The format of the
inetnum: geofeed remarks: attribute MUST be as in this example,
"remarks: Geofeed ", where the token "Geofeed " MUST be case
sensitive, followed by a URL that will vary, but it MUST refer
only to a single geofeed <xref target="RFC8805"
format="default"/> file.
</t>
<sourcecode type="rpsl"> <![CDATA[
inetnum: 192.0.2.0/24 # example
remarks: Geofeed https://example.com/geofeed
]]></sourcecode>
<t>
While we leave global agreement of RPSL modification to the
relevant parties, we specify that a proper geofeed: attribute in
the inetnum: class MUST be "geofeed:" and
MUST be followed by a single URL that will vary,
but it MUST refer only to a single geofeed <xref
target="RFC8805" format="default"/> file.
</t>
<sourcecode type="rpsl"><![CDATA[
inetnum: 192.0.2.0/24 # example
geofeed: https://example.com/geofeed
]]></sourcecode>
<t>
The URL uses HTTPS, so the WebPKI provides authentication,
integrity, and confidentiality for the fetched geofeed file.
However, the WebPKI can not provide authentication of IP address
space assignment. In contrast, the RPKI (see <xref
target="RFC6481" format="default"/>) can be used to authenticate
IP space assignment; see optional authentication in <xref
target="auth" format="default"/>.
</t>
<t>
Until all producers of inetnum: objects, i.e., the RIRs, state
that they have migrated to supporting a geofeed: attribute,
consumers looking at inetnum: objects to find geofeed URLs
MUST be able to consume both the remarks: and
geofeed: forms.
</t>
<t>
The migration not only implies that the RIRs support the
geofeed: attribute, but that all registrants have migrated any
inetnum: objects from remarks: to geofeed: attributes.
</t>
<t>
Any particular inetnum: object SHOULD have, at
most, one geofeed reference, whether a remarks: or a proper
geofeed: attribute when it is implemented. If there is more
than one, the geofeed: attribute SHOULD be used.
</t>
<t>
For inetnum:s covering the same address range, or an inetnum:
with both remarks: and geofeed: attributes, a signed geofeed
file SHOULD be preferred over an unsigned file.
</t>
<t>
If a geofeed file describes multiple disjoint ranges of IP
address space, there are likely to be geofeed references from
multiple inetnum: objects. Files with geofeed references from
multiple inetnum: objects are not compatible with the signing
procedure in <xref target="auth" format="default"/>.
</t>
<t>
An unsigned, and only an unsigned, geofeed file MAY be
referenced by multiple inetnum:s and MAY contain prefixes from
more than one registry.
</t>
<t>
When geofeed references are provided by multiple inetnum:
objects that have identical address ranges, then the geofeed
reference on the inetnum: with the most recent last-modified:
attribute SHOULD be preferred.
</t>
<t>
As inetnum: objects form a hierarchy, geofeed references
SHOULD be at the lowest applicable inetnum:
object covering the relevant address ranges in the referenced
geofeed file. When fetching, the most specific inetnum: object
with a geofeed reference MUST be used.
</t>
<t>
It is significant that geofeed data may have finer granularity
than the inetnum: that refers to them. For example, an INETNUM
object for an address range P could refer to a geofeed file in
which P has been subdivided into one or more longer prefixes.
</t>
</section>
<section anchor="fetch" numbered="true" toc="default">
<name>Fetching Geofeed Data</name>
<t>
This document is to provides a guideline for how interested
parties should fetch and read geofeed files.
</t>
<t>
Historically, before geofeed files, this was done in varied
ways, at the discretion of the implementer, often without
consistent authentication, where data were mostly imported from
email without formal authorisation or validation.
</t>
<t>
To minimize the load on RIRs' WHOIS <xref target="RFC3912"/>
services, the RIR's FTP <xref target="RFC0959"/> services SHOULD
be used for large-scale access to gather geofeed URLs. This
uses efficient bulk access instead of fetching via brute-force
search through the IP space.
</t>
<t>
When an inetnum: with a geofeed file reference is identified,
the file MUST be downloaded using HTTPS.
</t>
<t>
When reading data from the geofeed file, one MUST ignore data
outside the referring inetnum: object's address range. This is
to avoid importing data about ranges not under the control of
the operator. If geofeed files are fetched, other location
information from the inetnum: MUST be ignored.
</t>
<t>
Given an address range of interest, the most specific inetnum:
object with a geofeed reference MUST be used to fetch the
geofeed file. For example, if the fetching party finds
the following inetnum: objects:
<sourcecode type="rpsl"> <![CDATA[
inetnum: 192.0.2.0/12 # example
remarks: Geofeed https://example.com/geofeed_1
inetnum: 192.0.2.0/24 # example
remarks: Geofeed https://example.com/geofeed_2
]]></sourcecode>
and the file geofeed_1 contains geolocation data about
192.0.2.0/29, this MUST be discarded because 192.0.2.0/24 is
within the more specific inetnum: covering the address range and
that inetnum: has a geofeed reference.
</t>
<t>
If an inetnum: object has both remarks: with geofeed data and
also has a geofeed: attribute, the geofeed: attribute SHOULD be
used and the remarks: ignored.
</t>
<t>
Hints in inetnum:s such as country:, geoloc:, etc. tend to be
administrative, and not deployment specific. Consider large,
possibly global, providers with headquarters very far from most
of their deployments. Therefore, if geofeed data are specified,
either as a geofeed: attribute or in a geofeed remarks:
attribute, other geographic hints such as country:, geoloc:, DNS
geoloc RRsets, etc., for that address range MUST be ignored.
</t>
<t>
There is open-source code to traverse the RPSL data across all
of the RIRs, collect all geofeed references, and process them
<xref target="GEOFEED-FINDER"/>. It implements the steps above
and of all the Operational Considerations described in <xref
target="ops"/>, including caching. It produces a single geofeed
file, merging all the geofeed files found. This open-source
code can be run daily by a cronjob, and the output file can be
directly used.
</t>
</section>
<section anchor="auth" numbered="true" toc="default">
<name>Authenticating Geofeed Data (Optional)</name>
<t>
The question arises whether a particular geofeed <xref
target="RFC8805" format="default"/> data set is valid, i.e., is
authorized by the "owner" of the IP address space and is
authoritative in some sense. The inetnum: that points to the
geofeed <xref target="RFC8805" format="default"/> file provides
some assurance. Unfortunately, the RPSL in some repositories is
weakly authenticated at best. An approach where RPSL was signed
per <xref target="RFC7909" format="default"/> would be good,
except it would have to be deployed by all RPSL registries, and
there is a fair number of them.
</t>
<t>
A single optional authenticator MAY be appended
to a geofeed <xref target="RFC8805" format="default"/> file. It
is a digest of the main body of the file signed by the private
key of the relevant RPKI certificate for a covering address
range. One needs a format that bundles the relevant RPKI
certificate with the signature of the geofeed text.
</t>
<t>
The canonicalization procedure converts the data from their
internal character representation to the UTF-8 <xref
target="RFC3629" format="default"/> character encoding, and the
&lt;CRLF&gt; sequence MUST be used to denote the
end of a line of text. A blank line is represented solely by
the &lt;CRLF&gt; sequence. For robustness, any non-printable
characters MUST NOT be changed by
canonicalization. Trailing blank lines MUST NOT
appear at the end of the file. That is, the file must not end
with multiple consecutive &lt;CRLF&gt; sequences. Any
end-of-file marker used by an operating system is not considered
to be part of the file content. When present, such end-of-file
markers MUST NOT be processed by the digital
signature algorithm.
</t>
<t>
Should the authenticator be syntactically incorrect per the
above, the authenticator is invalid.
</t>
<t>
Borrowing detached signatures from <xref target="RFC5485"
format="default"/>, after file canonicalization, the
Cryptographic Message Syntax (CMS) <xref target="RFC5652"
format="default"/> would be used to create a detached
DER-encoded signature that is then padded BASE64 encoded (as per
<xref target="RFC4648" sectionFormat="of" section="4"
format="default"/>) and line wrapped to 72 or fewer characters.
The same digest algorithm MUST be used for
calculating the message digest on content being signed, which is
the geofeed file, and for calculating the message digest on the
SignerInfo SignedAttributes <xref target="RFC8933"
format="default"/>. The message digest algorithm identifier
MUST appear in both the SignedData
DigestAlgorithmIdentifiers and the SignerInfo
DigestAlgorithmIdentifier <xref target="RFC5652"
format="default"/>.
</t>
<t>
The address range of the signing certificate MUST cover all
prefixes on the geofeed file it signs. The certificate MUST NOT
include the Autonomous System Identifier Delegation certificate
extension <xref target="RFC3779"/>.
</t>
<t>
An address range A "covers" address range B if the range of B is
identical to or a subset of A. "Address range" is used here
because inetnum: objects and RPKI certificates need not align on
Classless Inter-Domain Routing (CIDR) <xref target="RFC4632"/>
prefix boundaries, while those of the lines in a geofeed file
do.
</t>
<t>
As the signer specifies the covered RPKI resources relevant to
the signature, the RPKI certificate covering the inetnum:
object's address range is included in the <xref target="RFC5652"
format="default"/> CMS SignedData certificates field.
</t>
<t>
The CA MUST sign only one Geofeed with each generated private
key and MUST generate a new key pair for each new version of the
Geofeed. An associated EE certificate used in this fashion is
termed a "one-time-use" EE certificate (see Section 3 of
<xref target="RFC6487"/>).
</t>
<t>
Identifying the private key associated with the certificate and
getting the department that controls the private key (which
might be trapped in a Hardware Security Module (HSM)) to sign
the CMS blob is left as an exercise for the implementor. On the
other hand, verifying the signature requires no complexity; the
certificate, which can be validated in the public RPKI, has the
needed public key.
The trust anchors for the RIRs are expected to already be
available to the party performing signature validation.
Validation of the CMS signature on the geofeed file
involves:</t>
<ol spacing="normal" type="1"><li>
<t>
Obtaining the signer's certificate from the CMS SignedData
CertificateSet <xref target="RFC5652" format="default"/>. The
certificate SubjectKeyIdentifier extension <xref
target="RFC5280" format="default"/> MUST match
the SubjectKeyIdentifier in the CMS SignerInfo
SignerIdentifier <xref target="RFC5652" format="default"/>.
If the key identifiers do not match, then validation
MUST fail.</t>
<t>
Validation of the signer's certificate MUST
ensure that it is part of the current <xref target="RFC6486"
format="default"/> manifest and that the resources are covered
by the RPKI certificate.
</t>
</li>
<li>
Constructing the certification path for the signer's
certificate. All of the needed certificates are expected to
be readily available in the RPKI repository. The
certification path MUST be valid according to
the validation algorithm in <xref target="RFC5280"
format="default"/> and the additional checks specified in
<xref target="RFC3779" format="default"/> associated with the
IP Address Delegation certificate extension and the Autonomous
System Identifier Delegation certificate extension. If
certification path validation is unsuccessful, then validation
MUST fail.
</li>
<li>
Validating the CMS SignedData as specified in <xref
target="RFC5652" format="default"/> using the public key from
the validated signer's certificate. If the signature
validation is unsuccessful, then validation
MUST fail.
</li>
<li>
Verifying that the IP Address Delegation certificate extension
<xref target="RFC3779" format="default"/> covers all of the
address ranges of the geofeed file. If all of the address
ranges are not covered, then validation MUST
fail.
</li>
</ol>
<t>
All of these steps MUST be successful to consider
the geofeed file signature as valid.
</t>
<t>
As the signer specifies the covered RPKI resources relevant to the
signature, the RPKI certificate covering the inetnum: object's address
range is included in the CMS SignedData certificates field <xref
target="RFC5652" format="default"/>.
</t>
<t>
An IP Address Delegation extension using "inherit" would
complicate processing. The implementation would have to build
the certification path from the end-entity to the trust anchor,
then validate the path from the trust anchor to the end-entity,
and then the parameter would have to be remembered when the
validated public key was used to validate a signature on a CMS
object. Having to remember things from certification path
validation for use with CMS object processing is too hard. And,
the certificates do not get that much bigger by repeating the
information.
</t>
<t>
Therefore an extension using "inherit" MUST NOT be used. This
is consistent with other RPKI signed objects.
</t>
<t>
Identifying the private key associated with the certificate and
getting the department with the Hardware Security Module (HSM)
to sign the CMS blob is left as an exercise for the implementor.
On the other hand, verifying the signature requires no
complexity; the certificate, which can be validated in the
public RPKI, has the needed public key.
</t>
<t>
The appendix MUST be hidden as a series of "#" comments at the
end of the geofeed file. The following is a cryptographically
incorrect, albeit simple, example. A correct and full example is
in <xref target="example" format="default"/>.
</t>
<sourcecode type=""><![CDATA[
# RPKI Signature: 192.0.2.0/24
# MIIGLQYJKoZIhvcNAQcCoIIGHjCCBhoCAQMxDTALBglghkgBZQMEAgEwDQYLKoZI
# hvcNAQkQAS+gggRHMIIEQzCCAyugAwIBAgIBADANBgkqhkiG9w0BAQsFADAzMTEw
...
# mGETZvuMLZiKYd7RNFt5ij/DmKEjKhfj3jnxr36q0doX5N781I6oSG3kxS03kEEz
# xA==
# End Signature: 192.0.2.0/24
]]></sourcecode>
<t>
The signature does not cover the signature lines.
</t>
<t>
The bracketing "# RPKI Signature:" and "# End Signature:"
MUST be present following the model as shown.
Their IP address range MUST match that of the
inetnum: URL followed to the file.
</t>
<t>
<xref target="RFC9323" format="default"/> describes
and provides code for a CMS profile for
a general purpose listing of checksums (a "checklist") for use with
the Resource Public Key Infrastructure (RPKI). It provides usable,
albeit complex, code to sign geofeed files.
</t>
<t>
<xref target="I-D.ietf-sidrops-rpki-rta" format="default"/> describes
a CMS profile for a general purpose Resource Tagged Attestation (RTA)
based on the RPKI. While this is expected to become applicable in the
long run, for the purposes of this document, a self-signed root trust
anchor is used.
</t>
</section>
<section anchor="ops" numbered="true" toc="default">
<name>Operational Considerations</name>
<t>
To create the needed inetnum: objects, an operator wishing to register
the location of their geofeed file needs to coordinate with their
Regional Internet Registry (RIR) or National Internet Registry (NIR)
and/or any provider Local Internet Registry (LIR) that has assigned
address ranges to them. RIRs/NIRs provide means for assignees to
create and maintain inetnum: objects. They also provide means of
assigning or sub-assigning IP address resources and allowing the
assignee to create WHOIS data, including inetnum: objects, thereby
referring to geofeed files.
</t>
<t>
The geofeed files MUST be published via and fetched using
HTTPS <xref target="RFC2818" format="default"/>.
</t>
<t>
When using data from a geofeed file, one MUST ignore data
outside the referring inetnum: object's inetnum: attribute
address range.
</t>
<t>
If and only if the geofeed file is not signed per <xref target="auth"
format="default"/>, then multiple inetnum: objects MAY
refer to the same geofeed file, and the consumer MUST
use only lines in the geofeed file where the prefix is covered by the
address range of the inetnum: object's URL it has followed.
</t>
<t>
If the geofeed file is signed, and the signer's certificate
changes, the signature in the geofeed file MUST
be updated.
</t>
<t>
It is good key hygiene to use a given key for only one purpose.
To dedicate a signing private key for signing a geofeed file, an
RPKI Certification Authority (CA) may issue a subordinate
certificate exclusively for the purpose shown in <xref
target="example" format="default"/>.
</t>
<t>
Harvesting and publishing aggregated geofeed data outside of
the RPSL model should be avoided as it can have the effect
that more specifics from one aggregatee could undesirably
affect the less specifics of a different aggregatee. The
validation model in Section <xref target="auth"/> handles this
issue within the RPSL model.
</t>
<t>
Currently, geolocation providers have bulk WHOIS data access at
all the RIRs. An anonymized version of such data is openly
available for all RIRs except ARIN, which requires an
authorization. However, for users without such authorization,
the same result can be achieved with extra RDAP effort. There is
open-source code to pass over such data across all RIRs, collect
all geofeed references, and process them <xref
target="GEOFEED-FINDER" format="default"/>.
</t>
<t>
To prevent undue load on RPSL and geofeed servers,
entity-fetching geofeed data using these mechanisms MUST
NOT do frequent real-time lookups. <xref
target="RFC8805" sectionFormat="of" section="3.4"
format="default"/> suggests use of the HTTP Expires header <xref
target="RFC7234" format="default"/> to signal when geofeed data
should be refetched. As the data change very infrequently, in
the absence of such an HTTP Header signal, collectors
SHOULD NOT fetch more frequently than weekly. It
would be polite not to fetch at magic times such as midnight
UTC, the first of the month, etc., because too many others are
likely to do the same.
</t>
</section>
<section anchor="privacy" numbered="true" toc="default">
<name>Privacy Considerations</name>
<t>
<xref target="RFC8805" format="default"/> geofeed data may reveal the
approximate location of an IP address, which might in turn reveal the
approximate location of an individual user. Unfortunately, <xref
target="RFC8805" format="default"/> provides no privacy guidance on
avoiding or ameliorating possible damage due to this exposure of the
user. In publishing pointers to geofeed files as described in this
document, the operator should be aware of this exposure in geofeed
data and be cautious. All the privacy considerations of <xref
target="RFC8805" sectionFormat="of" section="4" format="default"/>
apply to this document.
</t>
<t>
Where <xref target="RFC8805" format="default"/> provided the ability
to publish location data, this document makes bulk access to those data
readily available. This is a goal, not an accident.
</t>
</section>
<section anchor="impl" numbered="true" toc="default">
<name>Implementation Status</name>
<t>
Currently, the geofeed: attribute in inetnum objects has
been implemented in the RIPE and APNIC databases.
</t>
<t>
Registrants in databases which do not yet support the geofeed:
attribute are using the remarks:, or equivalent, attribute.
</t>
<t>
Currently, the registry data published by ARIN are not the same
RPSL as that of the other registries (see <xref target="RFC7485"
format="default"/> for a survey of the WHOIS Tower of Babel);
therefore, when fetching from ARIN via FTP <xref
target="RFC0959" format="default"/>, WHOIS <xref
target="RFC3912" format="default"/>, the Registration Data
Access Protocol (RDAP) <xref target="RFC9082"
format="default"/>, etc., the "NetRange" attribute/key must be
treated as "inetnum", and the "Comment" attribute must be
treated as "remarks".
</t>
<t>
<xref target="rpki-client"/> can be used to authenticate a
signed geofeed file.
</t>
</section>
<section anchor="seccons" numbered="true" toc="default">
<name>Security Considerations</name>
<t>
It is generally prudent for a consumer of geofeed data to also
use other sources to cross-validate the data. All the security
considerations of <xref target="RFC8805" format="default"/>
apply here as well.
</t>
<t>
The consumer of geofeed data SHOULD fetch and process the data
themselves. Importing datasets produced and/or processed by a
third-party places ill-advised trust in the third-party.
</t>
<t>
As mentioned in <xref target="auth" format="default"/>, some
RPSL repositories have weak, if any, authentication. This
allows spoofing of inetnum: objects pointing to malicious
geofeed files. <xref target="auth" format="default"/> suggests
an unfortunately complex method for stronger authentication
based on the RPKI.
</t>
<t>
For example, if an inetnum: for a wide address range (e.g., a
/16) points to an RPKI-signed geofeed file, a customer or
attacker could publish an unsigned equal or narrower (e.g., a
/24) inetnum: in a WHOIS registry that has weak authorization,
abusing the rule that the most-specific inetnum: object with a
geofeed reference MUST be used.
</t>
<t>
If signatures were mandatory, the above attack would be stymied, but
of course that is not happening anytime soon.
</t>
<t>
The RPSL providers have had to throttle fetching from their
servers due to too-frequent queries. Usually, they throttle by
the querying IP address or block. Similar defenses will likely
need to be deployed by geofeed file servers.
</t>
</section>
<section anchor="iana" numbered="true" toc="default">
<name>IANA Considerations</name>
<t>
There are no new actions needed by the IANA.
</t>
</section>
<section title="Acknowledgments" anchor="acks">
<t>Thanks to Rob Austein for CMS and detached signature clue,
George Michaelson for the first and substantial external review,
and Erik Kline who was too shy to agree to coauthorship.
Additionally, we express our gratitude to early implementors,
including Menno Schepers; Flavio Luciani; Eric Dugas; and Kevin
Pack. Also, thanks to the following geolocation providers who
are consuming geofeeds with this described solution: Jonathan
Kosgei (ipdata.co), Ben Dowling (ipinfo.io), and Pol Nisenblat
(bigdatacloud.com). For an amazing number of helpful reviews,
we thank Job Snijders, who also found an ASN.1 'inherit' issue;
Adrian Farrel; Antonio Prado; Francesca Palombini; Jean-Michel
Combes (INTDIR); John Scudder; Kyle Rose (SECDIR); Martin Duke;
Murray Kucherawy; Paul Kyzivat (GENART); Rob Wilton; Roman
Danyliw; and Ties de Kock.</t>
</section>
</middle>
<back>
<displayreference target="I-D.ietf-sidrops-rpki-rta" to="RPKI-RTA"/>
<references title="Normative References">
<?rfc include="reference.RFC.2119.xml"?>
<?rfc include="reference.RFC.2622.xml"?>
<?rfc include="reference.RFC.2725.xml"?>
<?rfc include="reference.RFC.2818.xml"?>
<?rfc include="reference.RFC.3629.xml"?>
<?rfc include="reference.RFC.3779.xml"?>
<?rfc include="reference.RFC.4012.xml"?>
<?rfc include="reference.RFC.4648.xml"?>
<?rfc include="reference.RFC.5280.xml"?>
<?rfc include="reference.RFC.5652.xml"?>
<?rfc include="reference.RFC.8174.xml"?>
<?rfc include="reference.RFC.6481.xml"?>
<?rfc include="reference.RFC.6486.xml"?>
<?rfc include="reference.RFC.6487.xml"?>
<?rfc include="reference.RFC.8805.xml"?>
<?rfc include="reference.RFC.8933.xml"?>
</references>
<references title="Informative References">
<?rfc include="reference.RFC.0959.xml"?>
<?rfc include="reference.RFC.3912.xml"?>
<?rfc include="reference.RFC.4632.xml"?>
<?rfc include="reference.RFC.5485.xml"?>
<?rfc include="reference.RFC.6269.xml"?>
<?rfc include="reference.RFC.7234.xml"?>
<?rfc include="reference.RFC.7485.xml"?>
<?rfc include="reference.RFC.7909.xml"?>
<?rfc include="reference.RFC.9082.xml"?>
<?rfc include="reference.RFC.9092.xml"?>
<?rfc include="reference.RFC.9323.xml"?>
<?rfc include="reference.I-D.ietf-sidrops-rpki-rta.xml"?>
<reference anchor="RIPE81" target="https://www.ripe.net/publications/docs/ripe-081">
<front>
<title>Representation Of IP Routing Policies In The RIPE Database</title>
<author>
<organization>RIPE NCC</organization>
</author>
<date month="February" year="1993"/>
</front>
</reference>
<reference anchor="RIPE181" target="https://www.ripe.net/publications/docs/ripe-181">
<front>
<title>Representation Of IP Routing Policies In A Routing Registry</title>
<author>
<organization>RIPE NCC</organization>
</author>
<date month="October" year="1994"/>
</front>
</reference>
<reference anchor="RIPE-DB" target="https://www.ripe.net/manage-ips-and-asns/db/support/documentation/ripe-database-documentation">
<front>
<title>RIPE Database Documentation</title>
<author>
<organization>RIPE NCC</organization>
</author>
<date/>
</front>
</reference>
<reference anchor="INETNUM" target="https://www.ripe.net/manage-ips-and-asns/db/support/documentation/ripe-database-documentation/rpsl-object-types/4-2-descriptions-of-primary-objects/4-2-4-description-of-the-inetnum-object">
<front>
<title>Description of the INETNUM Object</title>
<author>
<organization>RIPE NCC</organization>
</author>
<date month="June" year="2020"/>
</front>
</reference>
<reference anchor="INET6NUM" target="https://www.ripe.net/manage-ips-and-asns/db/support/documentation/ripe-database-documentation/rpsl-object-types/4-2-descriptions-of-primary-objects/4-2-3-description-of-the-inet6num-object">
<front>
<title>Description of the INET6NUM Object</title>
<author>
<organization>RIPE NCC</organization>
</author>
<date month="October" year="2019"/>
</front>
</reference>
<reference anchor="GEOFEED-FINDER" target="https://github.com/massimocandela/geofeed-finder">
<front>
<title>geofeed-finder</title>
<author>
<organization></organization>
</author>
<date month="June" year="2021"/>
</front>
<refcontent>commit 5f557a4</refcontent>
</reference>
<reference anchor="rpki-client" target="https://sobornost.net/~job/using_geofeed_authenticators.txt">
<front>
<title>Example on how to use rpki-client to authenticate a signed Geofeed</title>
<author fullname="Job Snijders"/>
<date month="September" year="2023" />
</front>
</reference>
</references>
<section title="Example" anchor="example">
<t>
This appendix provides an example, including a trust anchor, a
CRL signed by the trust anchor, a CA certificate subordinate to
the trust anchor, a CRL signed by the CA, an end-entity
certificate subordinate to the CA for signing the geofeed, and a
detached signature.</t>
<t>
The trust anchor is represented by a self-signed certificate. As
usual in the RPKI, the trust anchor has authority over all IPv4
address blocks, all IPv6 address blocks, and all AS numbers.</t>
<figure><artwork><![CDATA[
-----BEGIN CERTIFICATE-----
MIID1DCCArygAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwpleGFt
cGxlLXRhMB4XDTIzMDkyMTA3NTY0M1oXDTMzMDkxODA3NTY0M1owFTETMBEGA1UE
AxMKZXhhbXBsZS10YTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKts
PlpSQwidhRo0O9xuDRchGE/FLgzL+90JXK02GaCR7wrXM72rIS0EmMuHQkDbqO5C
hwD6IA2k2mTQifMfW51EuVwlU5x1v/v+VwgDlJnINzEucxKFc1QlmZSSKNCynTzK
omzdRGh8YePBrwSwb0C1C4nomq7HKVy13baJvaa0UPKFrLYMddSzgITyOcC+Pnto
FMzVCQdtlbi7eMHQn9iyJZubld7nnN+OJ+47knOnV8taSrplkOz1QFZ+yuE3zCti
V9ZZeRpze4QC5lOkk3BOPZ1sOkTgrxd1vepnBBjYFbbFM2cvWiBwekRRScts67fB
HZknOlhhD45My5pOX60CAwEAAaOCAS0wggEpMA8GA1UdEwEB/wQFMAMBAf8wHQYD
VR0OBBYEFI/SMUWLf73IsRqm5+du6MCRp3dWMA4GA1UdDwEB/wQEAwIBBjCBgAYI
KwYBBQUHAQsEdDByMDAGCCsGAQUFBzAFhiRyc3luYzovL3Jwa2kuZXhhbXBsZS5u
ZXQvcmVwb3NpdG9yeS8wPgYIKwYBBQUHMAqGMnJzeW5jOi8vcnBraS5leGFtcGxl
Lm5ldC9yZXBvc2l0b3J5L2V4YW1wbGUtdGEubWZ0MBgGA1UdIAEB/wQOMAwwCgYI
KwYBBQUHDgIwIQYIKwYBBQUHAQgBAf8EEjAQoA4wDDAKAgEAAgUA/////zAnBggr
BgEFBQcBBwEB/wQYMBYwCQQCAAEwAwMBADAJBAIAAjADAwEAMA0GCSqGSIb3DQEB
CwUAA4IBAQAc+ZAxM6OwaGFKwhfz2orkU1DfMT3XyeuIybth4bkvqOq/MHXMdIyZ
WdP3GJfbK1brPJjDtG5cmFULPvDmRCXcZEvSQInebRySlgkUP3vMheFBbxNoAdEx
69EDuYtnexhy+PsqfV6ZTBbRFvSgF0QdSMm6AFh1FCfZ0X9gCKM8BfgkJVfjRlDG
V66yifpMMwQ2pvU7WdwpqDHGxAjmVhWl0uXw4PNtZfVA9UxTlKRMAX8N9kfl5kkm
kAs4thzpIVPFbDERtSRVeRY4FF3DXlOtor9gq6NB7zqFysdO+s+MBckqlDC6RDI2
rldoYAzYjJgdXVSdBx8EXdMag24OQ5fV
-----END CERTIFICATE-----
]]></artwork></figure>
<t>
The CRL issued by the trust anchor.</t>
<figure><artwork><![CDATA[
-----BEGIN X509 CRL-----
MIIBgjBsAgEBMA0GCSqGSIb3DQEBCwUAMBUxEzARBgNVBAMTCmV4YW1wbGUtdGEX
DTIzMDkyMTA3NTY0M1oXDTIzMDkyMzA3NTY0M1qgIzAhMB8GA1UdIwQYMBaAFI/S
MUWLf73IsRqm5+du6MCRp3dWMA0GCSqGSIb3DQEBCwUAA4IBAQBPCpbAqrBUUDIa
zAkxW6C8LCbSeFmme/WFeNysvGBlWYDGQR9EiCmwpxtpOpwVvNMNEPCbM30k5sFH
pTWQGyPR5Ad1hGSm5ijYQkDL5+lDbjHrPQ2cWSaAdA5ElAbpBkX9YGNNX0zKZHI5
HgGvx2QmwbtYeCpvYahk33hX1vB2ZLkJSDCfiVROZopV/cEGmLsX1WMaySlIFdVh
JG3TYXBxMZ/4wIX+1Th+7vBfKvnf8Q9HkQMgEIvGrNW7UaaLBVWshXX715c11boK
ov2unIfTYre2q9QtN7DM8FA/BfTwY+TmrnbfNN3GstaL9zRybMb1q9fEvpBXtAz0
7/0v5eQ1
-----END X509 CRL-----
]]></artwork></figure>
<t>
The CA certificate is issued by the trust anchor. This
certificate grants authority over one IPv4 address block
(192.0.2.0/24) and two AS numbers (64496 and 64497).</t>
<figure><artwork><![CDATA[
-----BEGIN CERTIFICATE-----
MIIEqDCCA5CgAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwpleGFt
cGxlLXRhMB4XDTIzMDkyMTA3NTY0M1oXDTI1MDkyMDA3NTY0M1owMzExMC8GA1UE
AxMoM0M2QjMzRTU3MDlDMDczQTg2OEM5NUQ5NTVCMEY1NkUzNzgyMUQ3QjCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL8+L6XxP5x3U+6/y+8ebiXiHMXS
fRRvXg3a7uKJQ9wq37RwELbx57Ie0dfI0NH6jf9lwh71Y0oCp8bzbTByPrDQXBSI
INQg2xWOCcjIESNFVpTNQ3eYUefxmUnEhsp1g0LuTg6eKsILCOm00Eyn8q8s9wIN
f3VIGcMM7Xd/KOvUkrmtmPXzqFKIduei1KSqu6O+dzdPRFVyIr+5xSuV62uVoEhc
zaRvGDxIQ2wPluOqxq20l5DKOgQTCTLXkqFl4Vr08RmiLnz8lNKAJ0DwXHiB8S5R
Huybn7fpVwE5mJGW0PBvdIdSqRNGICXlaPNbrQuXW85s35ofsxagz7AQ2JcCAwEA
AaOCAeMwggHfMB0GA1UdDgQWBBQfsSAWFbopAgPXhxvRXjAndGyKXTAfBgNVHSME
GDAWgBSP0jFFi3+9yLEapufnbujAkad3VjAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud
DwEB/wQEAwIBBjBOBggrBgEFBQcBAQRCMEAwPgYIKwYBBQUHMAKGMnJzeW5jOi8v
cnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5L2V4YW1wbGUtdGEuY2VyMIGABggr
BgEFBQcBCwR0MHIwMAYIKwYBBQUHMAWGJHJzeW5jOi8vcnBraS5leGFtcGxlLm5l
dC9yZXBvc2l0b3J5LzA+BggrBgEFBQcwCoYycnN5bmM6Ly9ycGtpLmV4YW1wbGUu
bmV0L3JlcG9zaXRvcnkvZXhhbXBsZS1jYS5tZnQwQwYDVR0fBDwwOjA4oDagNIYy
cnN5bmM6Ly9ycGtpLmV4YW1wbGUubmV0L3JlcG9zaXRvcnkvZXhhbXBsZS10YS5j
cmwwGAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjAaBggrBgEFBQcBCAEB/wQLMAmg
BzAFAgMA+/AwLgYIKwYBBQUHAQcBAf8EHzAdMAwEAgABMAYDBADAAAIwDQQCAAIw
BwMFACABDbgwDQYJKoZIhvcNAQELBQADggEBAGupRFCMv4RSQR/ewy3VV7FRBdDR
cLiydWRiFnDSoRWZUVWqPf6MgllZmkfippZuj+2U/2q9iJir8dwqJ1wEEHUpl0pu
Nh19lNk/nPytcTbR0dV96Vd5hoOv1y8Pitoa83NKAtEEsFDXGWPjtXwXaFb4AzTL
e+9tMCrbluTu2j98V7ZvUWxDTavKiW8IPRjnR1Jc75+gH9Yli5y/uzVZgdJ8boXE
SYLzNLmavAhXCbZ7TcN1p8cQsXEqDYjbYL+mKHOawt2YOWionYvBC4h9qagO91FM
is7J9fxOHu62D1OyW9H33KzXsKrCG3YMUPuliio8dS33FWetHnU28CCEdNo=
-----END CERTIFICATE-----
]]></artwork></figure>
<t>
The CRL issued by the CA.</t>
<figure><artwork><![CDATA[
-----BEGIN X509 CRL-----
MIIBoTCBigIBATANBgkqhkiG9w0BAQsFADAzMTEwLwYDVQQDEygzQzZCMzNFNTcw
OUMwNzNBODY4Qzk1RDk1NUIwRjU2RTM3ODIxRDdCFw0yMzA5MjEwNzU2NDNaFw0y
MzA5MjMwNzU2NDNaoCMwITAfBgNVHSMEGDAWgBQfsSAWFbopAgPXhxvRXjAndGyK
XTANBgkqhkiG9w0BAQsFAAOCAQEAqMVENT0Ni+BOtLmM43TEm2nJE0erGnTaNcNs
iEsslyngjxbZcprh8vem0epWL322vdBH33CFvqlej8Lp2OJvYTG5ZEPVv15Qe531
lz9xBdoN2pl09XK+6MsYTakdKeG66Tkk0JTqkBDHaDOgbra0K42UhWXtaZmpUWpL
b4rM3vcAVavWHdofd/IZUbszComxTKOKwa/gemsNUDrXQs7RM6m5ZJcsQuDBPttD
qLIvg2H4jp5UQHPsv0uMP9yKGgIWLBLylWf/U4UlSGmf8A922S25IvlNd+Z9JvPk
IRfqzv9GlJifpqw6Kgg6r4B4anCUvviEg85Epy/B/XCGleM4iw==
-----END X509 CRL-----
]]></artwork></figure>
<t>
The end-entity certificate is issued by the CA. This
certificate grants signature authority for one IPv4 address block
(192.0.2.0/24). Signature authority for AS numbers is not needed
for geofeed data signatures, so no AS numbers are included in the
end-entity certificate.</t>
<figure><artwork><![CDATA[
-----BEGIN CERTIFICATE-----
MIIEQzCCAyugAwIBAgIBADANBgkqhkiG9w0BAQsFADAzMTEwLwYDVQQDEygzQzZC
MzNFNTcwOUMwNzNBODY4Qzk1RDk1NUIwRjU2RTM3ODIxRDdCMB4XDTIzMDkyMTA3
NTY0M1oXDTI0MDkyMDA3NTY0M1owMzExMC8GA1UEAxMoQkFCOTA2ODdFQjhDQzZC
QTREOUY0NTVEM0ZENEZBMzdDMEMzNzJDNjCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAMh2ptZvaIbPuljWLoUGZ8nERgehiWhmhbUVPUrqF4SetSzhapMW
MJ90NYq5vcmUmO2/oVjLUESU6orbDtoUihj5zE7hOjFn4+G4YPtsl2SfOjs5O+oh
CrIRWIhqstW4GDnn8R+Ih0ARBUF/KI5vsN4/50faudkeNHu3jrRV9MUfUvFK+htg
nCTUI3gDX0Hanvz9WSBfsQTZMoRrXKQu1e1Yq5sQdPtlQD4fREPTBnzoQOWwjU8d
CwX/anFux014fLf4umrmoPaCvP5lm4lBYHQZW2Pzm3RH+y4iBVuzB/atBfrVEVuS
reQpCS5yE+SKo11WGPIQXa4dQo4W0ZcY0tcCAwEAAaOCAWAwggFcMB0GA1UdDgQW
BBTnWBnEF4xD+yWW6lfBzb4P+XgcCzAfBgNVHSMEGDAWgBQfsSAWFbopAgPXhxvR
XjAndGyKXTAYBgNVHSABAf8EDjAMMAoGCCsGAQUFBw4CMGEGA1UdHwRaMFgwVqBU
oFKGUHJzeW5jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5LzNDNkIzM0U1
NzA5QzA3M0E4NjhDOTVEOTU1QjBGNTZFMzc4MjFEN0IuY3JsMGwGCCsGAQUFBwEB
BGAwXjBcBggrBgEFBQcwAoZQcnN5bmM6Ly9ycGtpLmV4YW1wbGUubmV0L3JlcG9z
aXRvcnkvM0M2QjMzRTU3MDlDMDczQTg2OEM5NUQ5NTVCMEY1NkUzNzgyMUQ3Qi5j
ZXIwDgYDVR0PAQH/BAQDAgeAMB8GCCsGAQUFBwEHAQH/BBAwDjAMBAIAATAGAwQA
wAACMA0GCSqGSIb3DQEBCwUAA4IBAQBtM8qEb7txbWt03XuZdTCyXg1C4A+7xMlJ
mFifu53RXEu1BpWmNwuRGXRVGlfpXmuj3dJWkYATRIQlR4Md38R1ybavXNFkHxkr
cg1zELPoVcPcw5ZRT8jWiNxiCneJ9ZYf5TfwR4EM9sTlvvyvB6ADzJX1uenVx6dM
NqFu0clER+OpEyOz0B4i2hmwNPZqjpSDz3xcWnoxxqq/1zvvmiVd2urlQROPQrcO
KD/Jm471ol0KHpC80f69XyakHpwFkpCMycCK7muNkgh8LAtZiQboVfeTUXor/AMq
WlzVuj4bJDexE2yMd1eM4UT4hJIRnqOUoT0eC4+6wGti2tI2mwqh
-----END CERTIFICATE-----
]]></artwork></figure>
<t>
The end-entity certificate is displayed below in detail. For
brevity, the other two certificates are not.</t>
<figure><artwork><![CDATA[
0 1091: SEQUENCE {
4 811: SEQUENCE {
8 3: [0] {
10 1: INTEGER 2
: }
13 1: INTEGER 0
16 13: SEQUENCE {
18 9: OBJECT IDENTIFIER
: sha256WithRSAEncryption (1 2 840 113549 1 1 11)
29 0: NULL
: }
31 51: SEQUENCE {
33 49: SET {
35 47: SEQUENCE {
37 3: OBJECT IDENTIFIER commonName (2 5 4 3)
42 40: PrintableString
: '3C6B33E5709C073A868C95D955B0F56E37821D7B'
: }
: }
: }
84 30: SEQUENCE {
86 13: UTCTime 21/09/2023 07:56:43 GMT
101 13: UTCTime 20/09/2024 07:56:43 GMT
: }
116 51: SEQUENCE {
118 49: SET {
120 47: SEQUENCE {
122 3: OBJECT IDENTIFIER commonName (2 5 4 3)
127 40: PrintableString
: 'BAB90687EB8CC6BA4D9F455D3FD4FA37C0C372C6'
: }
: }
: }
169 290: SEQUENCE {
173 13: SEQUENCE {
175 9: OBJECT IDENTIFIER
: rsaEncryption (1 2 840 113549 1 1 1)
186 0: NULL
: }
188 271: BIT STRING, encapsulates {
193 266: SEQUENCE {
197 257: INTEGER
: 00 C8 76 A6 D6 6F 68 86 CF BA 58 D6 2E 85 06 67
: C9 C4 46 07 A1 89 68 66 85 B5 15 3D 4A EA 17 84
: 9E B5 2C E1 6A 93 16 30 9F 74 35 8A B9 BD C9 94
: 98 ED BF A1 58 CB 50 44 94 EA 8A DB 0E DA 14 8A
: 18 F9 CC 4E E1 3A 31 67 E3 E1 B8 60 FB 6C 97 64
: 9F 3A 3B 39 3B EA 21 0A B2 11 58 88 6A B2 D5 B8
: 18 39 E7 F1 1F 88 87 40 11 05 41 7F 28 8E 6F B0
: DE 3F E7 47 DA B9 D9 1E 34 7B B7 8E B4 55 F4 C5
: 1F 52 F1 4A FA 1B 60 9C 24 D4 23 78 03 5F 41 DA
: 9E FC FD 59 20 5F B1 04 D9 32 84 6B 5C A4 2E D5
: ED 58 AB 9B 10 74 FB 65 40 3E 1F 44 43 D3 06 7C
: E8 40 E5 B0 8D 4F 1D 0B 05 FF 6A 71 6E C7 4D 78
: 7C B7 F8 BA 6A E6 A0 F6 82 BC FE 65 9B 89 41 60
: 74 19 5B 63 F3 9B 74 47 FB 2E 22 05 5B B3 07 F6
: AD 05 FA D5 11 5B 92 AD E4 29 09 2E 72 13 E4 8A
: A3 5D 56 18 F2 10 5D AE 1D 42 8E 16 D1 97 18 D2
: D7
458 3: INTEGER 65537
: }
: }
: }
463 352: [3] {
467 348: SEQUENCE {
471 29: SEQUENCE {
473 3: OBJECT IDENTIFIER
: subjectKeyIdentifier (2 5 29 14)
478 22: OCTET STRING, encapsulates {
480 20: OCTET STRING
: E7 58 19 C4 17 8C 43 FB 25 96 EA 57 C1 CD BE 0F
: F9 78 1C 0B
: }
: }
502 31: SEQUENCE {
504 3: OBJECT IDENTIFIER
: authorityKeyIdentifier (2 5 29 35)
509 24: OCTET STRING, encapsulates {
511 22: SEQUENCE {
513 20: [0]
: 1F B1 20 16 15 BA 29 02 03 D7 87 1B D1 5E 30 27
: 74 6C 8A 5D
: }
: }
: }
535 24: SEQUENCE {
537 3: OBJECT IDENTIFIER
: certificatePolicies (2 5 29 32)
542 1: BOOLEAN TRUE
545 14: OCTET STRING, encapsulates {
547 12: SEQUENCE {
549 10: SEQUENCE {
551 8: OBJECT IDENTIFIER
: resourceCertificatePolicy (1 3 6 1 5 5 7 14 2)
: }
: }
: }
: }
561 97: SEQUENCE {
563 3: OBJECT IDENTIFIER
: cRLDistributionPoints (2 5 29 31)
568 90: OCTET STRING, encapsulates {
570 88: SEQUENCE {
572 86: SEQUENCE {
574 84: [0] {
576 82: [0] {
578 80: [6]
: 'rsync://rpki.example.net/repository/3C6B33E5709C'
: '073A868C95D955B0F56E37821D7B.crl'
: }
: }
: }
: }
: }
: }
660 108: SEQUENCE {
662 8: OBJECT IDENTIFIER
: authorityInfoAccess (1 3 6 1 5 5 7 1 1)
672 96: OCTET STRING, encapsulates {
674 94: SEQUENCE {
676 92: SEQUENCE {
678 8: OBJECT IDENTIFIER
: caIssuers (1 3 6 1 5 5 7 48 2)
688 80: [6]
: 'rsync://rpki.example.net/repository/3C6B33E5709C'
: '073A868C95D955B0F56E37821D7B.cer'
: }
: }
: }
: }
770 14: SEQUENCE {
772 3: OBJECT IDENTIFIER keyUsage (2 5 29 15)
777 1: BOOLEAN TRUE
780 4: OCTET STRING, encapsulates {
782 2: BIT STRING 7 unused bits
: '1'B (bit 0)
: }
: }
786 31: SEQUENCE {
788 8: OBJECT IDENTIFIER
: ipAddrBlocks (1 3 6 1 5 5 7 1 7)
798 1: BOOLEAN TRUE
801 16: OCTET STRING, encapsulates {
803 14: SEQUENCE {
805 12: SEQUENCE {
807 2: OCTET STRING 00 01
811 6: SEQUENCE {
813 4: BIT STRING
: '010000000000000000000011'B
: }
: }
: }
: }
: }
: }
: }
: }
819 13: SEQUENCE {
821 9: OBJECT IDENTIFIER
: sha256WithRSAEncryption (1 2 840 113549 1 1 11)
832 0: NULL
: }
834 257: BIT STRING
: 6D 33 CA 84 6F BB 71 6D 6B 74 DD 7B 99 75 30 B2
: 5E 0D 42 E0 0F BB C4 C9 49 98 58 9F BB 9D D1 5C
: 4B B5 06 95 A6 37 0B 91 19 74 55 1A 57 E9 5E 6B
: A3 DD D2 56 91 80 13 44 84 25 47 83 1D DF C4 75
: C9 B6 AF 5C D1 64 1F 19 2B 72 0D 73 10 B3 E8 55
: C3 DC C3 96 51 4F C8 D6 88 DC 62 0A 77 89 F5 96
: 1F E5 37 F0 47 81 0C F6 C4 E5 BE FC AF 07 A0 03
: CC 95 F5 B9 E9 D5 C7 A7 4C 36 A1 6E D1 C9 44 47
: E3 A9 13 23 B3 D0 1E 22 DA 19 B0 34 F6 6A 8E 94
: 83 CF 7C 5C 5A 7A 31 C6 AA BF D7 3B EF 9A 25 5D
: DA EA E5 41 13 8F 42 B7 0E 28 3F C9 9B 8E F5 A2
: 5D 0A 1E 90 BC D1 FE BD 5F 26 A4 1E 9C 05 92 90
: 8C C9 C0 8A EE 6B 8D 92 08 7C 2C 0B 59 89 06 E8
: 55 F7 93 51 7A 2B FC 03 2A 5A 5C D5 BA 3E 1B 24
: 37 B1 13 6C 8C 77 57 8C E1 44 F8 84 92 11 9E A3
: 94 A1 3D 1E 0B 8F BA C0 6B 62 DA D2 36 9B 0A A1
: }
]]></artwork></figure>
<t>
To allow reproduction of the signature results, the end-entity
private key is provided. For brevity, the other two private
keys are not.</t>
<figure><artwork><![CDATA[
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAyHam1m9ohs+6WNYuhQZnycRGB6GJaGaFtRU9SuoXhJ61LOFq
kxYwn3Q1irm9yZSY7b+hWMtQRJTqitsO2hSKGPnMTuE6MWfj4bhg+2yXZJ86Ozk7
6iEKshFYiGqy1bgYOefxH4iHQBEFQX8ojm+w3j/nR9q52R40e7eOtFX0xR9S8Ur6
G2CcJNQjeANfQdqe/P1ZIF+xBNkyhGtcpC7V7VirmxB0+2VAPh9EQ9MGfOhA5bCN
Tx0LBf9qcW7HTXh8t/i6auag9oK8/mWbiUFgdBlbY/ObdEf7LiIFW7MH9q0F+tUR
W5Kt5CkJLnIT5IqjXVYY8hBdrh1CjhbRlxjS1wIDAQABAoIBAG1uWCU3LBhrzY4x
XbPAi2fZfWEtDZWwYc04iv0aTTxYZw7Y/xTMSD7DcXcJblFcjR88PRf75RWLNX4X
l0P1cm2v75gf22SdEglmXYri/MIxKdiqpcppvyz1yx6tIHMKzC7QLxDHtw2CPRxE
Dh+zWRn6SIcxH8MmegAPdBd91ODGAPHjGbJRpxHmH10A/G8CecBrOWoW7lavzsUO
hdTGeSNlb5ZxVgOc+oOH8nmqvus6ETC+/gCI8i3XEAR+Vy0Z2RjvfB9VyMkq5mcQ
+uAH8562ML1I+7bcWbR2Gx//M5o3CAf9rIJpeYRV/sAUn6fwwABRAOiowyiWhG81
stL6zAECgYEA8RIQ/P+Xw1GfqOY7z4yN9QGbP8rcJPKQvUt+Y+9icmb2toVjEeHP
ZJn6q96LCeLHkIZEV2eZjegoQF96CxuJzU8IiaqBgQp63udl8oRSqc+fFv/xt4dq
443pCpiCwhR42YRoWqSR6N0MWq9OjkatAOuhClsUUwyfCCx5IYHnulkCgYEA1ODM
6UNRIzfcp+KbakUbXtsPtc3XLdzxoqPg/JNHewoOeQG/2Gq8zEu9Ku511fnkQ4eb
gQNmRjoq/IjsSznTKcesuDOsR4sH/C/KSz6dg4g+Kesmk8iDNqWa3yBslWMLK429
Zae7pY8D7f7FabSlekAgNgUOC+FsgN3D6blF8K8CgYEAsk5kll0OiX9kEm9IqfkS
PrgTdpm7PvDTMdAXCh/Ttz6FGPeMEXvuBEEH8fvG52b/qNxGzEdqglXG/+YexPx3
bo4YiIq/Aw0XWKva8ggBhGx3BXIF/XOCEhGy3w1zGc4+nNScwv6alZx6ONEVz5Jj
AB1InfpEDDF3p3oNlkUZevECgYAkeWQCr6sOSrr+9P/GBJM8/HHDp8IvtISeZk/d
VurPdRinuRoC3b79jhiaa4M7J3bp7ylAwLFcZQkKffdmqEC7DuBUK15gX7z9g764
h8D7UXO9QPI6Lgf1bAiOJIMWUYMPcli6OzQWmNuGgrmWdAJKYQRj3RfcB0LNDbJM
sJcANwKBgHSTukvWlVYkzLy6Xwvl5TMzm97hA7RTBiuUR9WO+QvJFsBdKdCj1yfy
d75rgf8fS3kd9+BREJsB21geCsPbm+I5U4+TzB2cca0t/d5gsWknosy/DwGup0uq
uwx5wPWT6fdRwQxJj2vGJy3cxf4KxhGaouSZra9xhAI8wxGrIDs4
-----END RSA PRIVATE KEY-----
]]></artwork></figure>
<t>
Signing of "192.0.2.0/24,US,WA,Seattle," (terminated by CR and LF),
yields the following detached CMS signature.</t>
<figure><artwork><![CDATA[
# RPKI Signature: 192.0.2.0/24
# MIIGLQYJKoZIhvcNAQcCoIIGHjCCBhoCAQMxDTALBglghkgBZQMEAgEwDQYLKoZI
# hvcNAQkQAS+gggRHMIIEQzCCAyugAwIBAgIBADANBgkqhkiG9w0BAQsFADAzMTEw
# LwYDVQQDEygzQzZCMzNFNTcwOUMwNzNBODY4Qzk1RDk1NUIwRjU2RTM3ODIxRDdC
# MB4XDTIzMDkyMTA3NTY0M1oXDTI0MDkyMDA3NTY0M1owMzExMC8GA1UEAxMoQkFC
# OTA2ODdFQjhDQzZCQTREOUY0NTVEM0ZENEZBMzdDMEMzNzJDNjCCASIwDQYJKoZI
# hvcNAQEBBQADggEPADCCAQoCggEBAMh2ptZvaIbPuljWLoUGZ8nERgehiWhmhbUV
# PUrqF4SetSzhapMWMJ90NYq5vcmUmO2/oVjLUESU6orbDtoUihj5zE7hOjFn4+G4
# YPtsl2SfOjs5O+ohCrIRWIhqstW4GDnn8R+Ih0ARBUF/KI5vsN4/50faudkeNHu3
# jrRV9MUfUvFK+htgnCTUI3gDX0Hanvz9WSBfsQTZMoRrXKQu1e1Yq5sQdPtlQD4f
# REPTBnzoQOWwjU8dCwX/anFux014fLf4umrmoPaCvP5lm4lBYHQZW2Pzm3RH+y4i
# BVuzB/atBfrVEVuSreQpCS5yE+SKo11WGPIQXa4dQo4W0ZcY0tcCAwEAAaOCAWAw
# ggFcMB0GA1UdDgQWBBTnWBnEF4xD+yWW6lfBzb4P+XgcCzAfBgNVHSMEGDAWgBQf
# sSAWFbopAgPXhxvRXjAndGyKXTAYBgNVHSABAf8EDjAMMAoGCCsGAQUFBw4CMGEG
# A1UdHwRaMFgwVqBUoFKGUHJzeW5jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBvc2l0
# b3J5LzNDNkIzM0U1NzA5QzA3M0E4NjhDOTVEOTU1QjBGNTZFMzc4MjFEN0IuY3Js
# MGwGCCsGAQUFBwEBBGAwXjBcBggrBgEFBQcwAoZQcnN5bmM6Ly9ycGtpLmV4YW1w
# bGUubmV0L3JlcG9zaXRvcnkvM0M2QjMzRTU3MDlDMDczQTg2OEM5NUQ5NTVCMEY1
# NkUzNzgyMUQ3Qi5jZXIwDgYDVR0PAQH/BAQDAgeAMB8GCCsGAQUFBwEHAQH/BBAw
# DjAMBAIAATAGAwQAwAACMA0GCSqGSIb3DQEBCwUAA4IBAQBtM8qEb7txbWt03XuZ
# dTCyXg1C4A+7xMlJmFifu53RXEu1BpWmNwuRGXRVGlfpXmuj3dJWkYATRIQlR4Md
# 38R1ybavXNFkHxkrcg1zELPoVcPcw5ZRT8jWiNxiCneJ9ZYf5TfwR4EM9sTlvvyv
# B6ADzJX1uenVx6dMNqFu0clER+OpEyOz0B4i2hmwNPZqjpSDz3xcWnoxxqq/1zvv
# miVd2urlQROPQrcOKD/Jm471ol0KHpC80f69XyakHpwFkpCMycCK7muNkgh8LAtZ
# iQboVfeTUXor/AMqWlzVuj4bJDexE2yMd1eM4UT4hJIRnqOUoT0eC4+6wGti2tI2
# mwqhMYIBqjCCAaYCAQOAFOdYGcQXjEP7JZbqV8HNvg/5eBwLMAsGCWCGSAFlAwQC
# AaBrMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABLzAcBgkqhkiG9w0BCQUxDxcN
# MjMwOTIxMDc1NjQ0WjAvBgkqhkiG9w0BCQQxIgQgK+LynlLxySDbBNGEMFDMaKOP
# KqzlPoj7hW0EfKl9wRYwDQYJKoZIhvcNAQEBBQAEggEAueahIqkJaOlE7EcphLUZ
# mL1B3aimsS6LVTF0pF3gH7dmWrIxYw3s/wjXkj84Y8phzoWxscuMBaPmturnlvnJ
# kzmJnK72cPLtxE+mUMNksFdw7ZnipFlzFhTDaH3LnWCcfe8Vf0JQzK6y7CJah9PD
# nJFqRev7PWbd03ZXxcEdMbejZA7O07OWpXjMEyinXxNGFjNenWZmc87elCRq13CW
# FiJPZvWjukVzn5N9Y/i+cgtc/i2urlF9JywUHRn8PstoXg5mNgsFrxBizYUuflJy
# mGETZvuMLZiKYd7RNFt5ij/DmKEjKhfj3jnxr36q0doX5N781I6oSG3kxS03kEEz
# xA==
# End Signature: 192.0.2.0/24
]]></artwork></figure>
</section>
</back>
</rfc>
Reference in a new issue View git blame Copy permalink