A Publication Protocol for the Resource Public Key Infrastructure (RPKI)
W3C / MITweiler@csail.mit.eduSTEER Techanuja@steer-tech.comDragon Research Labssra@hactrn.netSIDR
This document defines a protocol for publishing Resource
Public Key Infrastructure (RPKI) objects. Even though the
RPKI will have many participants issuing certificates and
creating other objects, it is operationally useful to
consolidate the publication of those objects. Even in cases
where a certificate issuer runs its own publication
repository, it can be useful to run the certificate engine
itself on a different machine from the publication repository.
This document defines a protocol which addresses these needs.
This document assumes a working knowledge of the Resource
Public Key Infrastructure (RPKI), which is intended to support
improved routing security on the Internet.
See for an overview of the RPKI.
In order to make participation in the RPKI easier, it is
helpful to have a few consolidated repositories for RPKI
objects, thus saving every participant from the cost of
maintaining a new service. Similarly, relying parties using
the RPKI objects will find it faster and more reliable to
retrieve the necessary set from a smaller number of
repositories.
These consolidated RPKI object repositories will in many cases
be outside the administrative scope of the organization
issuing a given RPKI object. In some cases, outsourcing
operation of the repository will be an explicit goal: some
resource holders who strongly wish to control their own RPKI
private keys may lack the resources to operate a 24x7
repository or may simply not wish to do so.
The operator of an RPKI publication repository may well be an
Internet registry which issues certificates to its customers,
but it need not be; conceptually, operation of an RPKI
publication repository is separate from operation of an RPKI Certification Authority (CA).
Even in cases where a resource holder operates both a
certificate engine and a publication repository, it can be
useful to separate the two functions, as they have somewhat
different operational and security requirements.
This document defines an RPKI publication protocol which
allows publication either within or across organizational
boundaries and which makes fairly minimal demands on both
the CA engine and the publication service.
The authentication and message integrity architecture of the
publication protocol is essentially identical to the
architecture used in because the
participants in this protocol are the same CA engines as in
RFC 6492; this allows reuse of the same "Business PKI"
(BPKI) (see ) infrastructure
used to support RFC 6492. As in RFC 6492, authorization is a
matter of external configuration: we assume that any given
publication repository has some kind of policy controlling
which certificate engines are allowed to publish, modify, or
withdraw particular RPKI objects, most likely following the
recommendation in , Section 4.4; the
details of this policy are a private matter between the
operator of a certificate engine and the operator of the
chosen publication repository.
The following diagram attempts to convey where this
publication protocol fits into the overall data flow between
the certificate issuers and relying parties:
The publication protocol itself is not visible to relying
parties: a relying party sees the public interface of the
publication server, which is an rsync or RPKI Repository Delta Protocol (RRDP)
server.
Operators of certificate engines and publication repositories
may find a
useful tool in setting up the pairwise relationships between
these servers, but they are not required to use it.
This protocol started out as an informal collaboration
between several of the early RPKI implementers, and while it
was always the designers' intention that the resulting
protocol end up on the IETF Standards Track, it took a few
years to get there because standardization of other pieces
of the overall RPKI protocol space was more urgent. The
Standards Track version of this publication protocol
preserves the original XML namespace and protocol version
scheme in order to maintain backwards compatibility with
running code implemented against older versions of the
specification.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14
when, and only when, they appear in all capitals, as shown here.
"Publication engine" and "publication server" are used
interchangeably to refer to the server providing the service
described in this document.
"Business Public Key Infrastructure" ("Business PKI" or
"BPKI") refers to a PKI, separate from the RPKI, used to
authenticate clients to the publication engine. We use the
term "Business PKI" here because an Internet registry might
already have a PKI for authenticating its clients and might
wish to reuse that PKI for this protocol. There is,
however, no requirement to reuse such a PKI.
The publication protocol uses XML
messages wrapped in signed Cryptographic Message Syntax (CMS) messages, carried over HTTP
transport . The CMS encapsulation
is identical to that used in Section 3.1 (and subsections) of RFC 6492 .
The publication protocol uses a simple request/response
interaction. The client passes a request to the server, and
the server generates a corresponding response.
A message exchange commences with the client initiating an
HTTP POST with a content type of "application/rpki&nbhy;publication",
with the message object as the body. The server's response
will similarly be the body of the response with a content type
of "application/rpki&nbhy;publication".
The content of the POST and the server's response will be a
well-formed CMS
object with OID =
1.2.840.113549.1.7.2 as described in Section 3.1 of
.
The CMS signatures are used to protect the integrity of the
protocol messages and to authenticate the client and server to
each other. Authorization to perform particular operations is
a local matter, perhaps determined by contractual agreements
between the operators of any particular client-server pair,
but in any case is beyond the scope of this specification.
The XML schema for this protocol is below in
. The basic XML message format looks
like this:
As noted above, the outermost XML element is encapsulated in
a signed CMS message. Query messages are signed by the
client, and reply messages are signed by the server.
Common attributes:
The value of this attribute is the version of this protocol.
This document describes version 4.
The possible values of this attribute are "reply" and "query".
A query PDU may be one of three types: <publish/>,
<withdraw/>, or <list/>.
A reply PDU may be one of three types: <success/>,
<list/>, or <report_error/>.
The <publish/> and <withdraw/> PDUs include a
"tag" attribute to facilitate bulk operation.
When performing bulk operations, a CA engine will probably
find it useful to specify a distinct tag value for each
<publish/> or <withdraw/> PDU, to simplify
matching an error with the PDU which triggered it. The tag
attribute is mandatory, to simplify parsing, but a CA engine
which has no particular use for tagging MAY use any
syntactically legal value, including simply using the empty
string for all tag fields.
This document describes version 4 of this protocol. An
implementation which understands only this version of the
protocol MUST reject messages with a different protocol
version attribute, signaling the error as described in
. Since "4" is currently the only
value allowed for the version attribute in the schema
(), an incorrect protocol version can
be detected either by checking the version attribute
directly or as a schema validation error. Any future update
to this protocol which is either syntactically or
semantically incompatible with the current version will need
to increment the protocol version number.
The publication protocol uses a common message format to
request publication of any RPKI object. This format was
chosen specifically to allow this protocol to accommodate
new types of RPKI objects without needing changes to this
protocol.
Both the <publish/> and <withdraw/> PDUs have a
payload of a tag and an rsync URI . The <publish/> query also
contains the DER object to be published, encoded in Base64
(, Section 4, with line breaks within
the Base64 text permitted but not required).
Both the <publish/> and <withdraw/> PDUs also
have a "hash" attribute, which carries a hash of an existing
object at the specified repository URI, encoded as a
hexadecimal string. For
<withdraw/> PDUs, the hash MUST be present, as this
operation makes no sense if there is no existing object to
withdraw. For <publish/> PDUs, the hash MUST be
present if the publication operation is overwriting an
existing object, and it MUST NOT be present if this publication
operation is writing to a new URI where no prior object
exists. Presence of an object when no "hash" attribute has
been specified is an error, as is absence of an object or an
incorrect hash value when a "hash" attribute has been
specified. Any such errors MUST be reported using the
<report_error/> PDU.
The hash algorithm is SHA-256 , to
simplify comparison of publication protocol hashes with RPKI
manifest hashes.
The intent behind the "hash" attribute is to allow the client
and server to detect any disagreements about the effect that
a <publish/> or <withdraw/> PDU will have on
the repository.
Note that every publish and withdraw action requires a new
manifest, thus every publish or withdraw action will involve
at least two objects.
Processing of a query message is handled atomically: either
the entire query succeeds or none of it does. When a query
message contains multiple PDUs, failure of any PDU may
require the server to roll back actions triggered by earlier
PDUs.
When a query message containing <publish/> or
<withdraw/> PDUs succeeds, the server returns a single
<success/> reply.
When a query fails, the server returns one or more
<report_error/> reply PDUs. Typically, a server will
only generate one <report_error/> corresponding to the
first query PDU that failed, but servers MAY
return multiple <report_error/> PDUs at the
implementer's discretion.
The <list/> operation allows the client to ask the server
for a complete listing of objects which the server believes
the client has published. This is intended primarily to
allow the client to recover upon detecting (probably via use
of the "hash" attribute; see
) that they have
somehow lost synchronization.
The <list/> query consists of a single PDU. A
<list/> query MUST be the only PDU in a query -- it may
not be combined with any <publish/> or
<withdraw/> queries.
The <list/> reply consists of zero or more PDUs,
one per object published in this repository by this client,
each PDU conveying the URI and hash of one published object.
Errors are handled at two levels.
Errors that make it impossible to decode a query or encode a
response are handled at the HTTP layer. 4xx and 5xx HTTP
response codes indicate that something bad happened.
In all other cases, errors result in an XML
<report_error/> PDU. Like the rest of this
protocol, <report_error/> PDUs are CMS-signed XML
messages and thus can be archived to provide an audit trail.
<report_error/> PDUs only appear in replies,
never in queries.
The "tag" attribute of the <report_error/> PDU associated
with a <publish/> or <withdraw/> PDU MUST be
set to the same value as the "tag" attribute in the PDU
which generated the error. A client can use the "tag"
attribute to determine which PDU caused processing of an
update to fail.
The error itself is conveyed in the "error_code"
attribute. The value of this attribute is a token indicating
the specific error that occurred.
The body of the <report_error/> element contains two
sub-elements:
An optional text element <error_text/>, which, if
present, contains a text string with debugging
information intended for human consumption.
An optional element <failed_pdu/>, which, if
present, contains a verbatim copy of the query PDU whose
failure triggered the <report_error/> PDU. The
quoted element must be syntactically valid.
See for examples of a
multi-element query and responses.
These are the defined error codes as well as some discussion
of each. Text similar to these descriptions may be sent in an
<error_text/> element to help explain the error encountered.
Encountered an XML problem. Note that some XML errors may
be severe enough to require error reporting at the HTTP
layer, instead. Implementations MAY choose to report
any or all XML errors at the HTTP layer.
Client does not have permission to update this URI.
Bad CMS signature.
An object is already present at this URI, yet a "hash"
attribute was not specified. A "hash" attribute must be
specified when overwriting or deleting an object.
Perhaps client and server are out of sync?
There is no object present at this URI, yet a "hash"
attribute was specified. Perhaps client and server are
out of sync?
The "hash" attribute supplied does not match the "hash"
attribute of the object at this URI. Perhaps client and
server are out of sync?
Server detected an update that looks like it will cause
a consistency problem (e.g., an object was deleted, but
the manifest was not updated). Note that a server is not
required to make such checks. Indeed, it may be unwise for
a server to do so. This error code just provides a way for
the server to explain its (in-)action.
A meteor fell on the server.
The following is a compact form
schema describing the publication protocol.
This schema is normative: in the event of a disagreement
between this schema and the document text above, this schema
is authoritative.
Following are examples of various queries and the
corresponding replies for the RPKI publication protocol.
Note that the authors have taken liberties with the Base64, hash,
and URI text in these examples in the interest of making the
examples fit nicely into RFC text format. Similarly, these
examples do not show the CMS signature wrapper around the XML,
just the XML payload.
IANA has registered the "application/rpki-publication"
MIME media type as follows:
The RPKI publication protocol and the data it publishes use
entirely separate PKIs for authentication. The published data
is authenticated within the RPKI, and this protocol has
nothing to do with that authentication, nor does it require
that the published objects be valid in the RPKI. The
publication protocol uses a separate BPKI to
authenticate its messages.
Each RPKI publication protocol message is wrapped in a signed
CMS message, which provides message integrity protection and
an auditable form of message authentication. Because of these
protections at the application layer, and because all the data
being published are intended to be public information in any
case, this protocol does not, strictly speaking, require the
use of HTTPS or other transport security mechanisms. There
may, however, be circumstances in which a particular
publication operator may prefer HTTPS over HTTP anyway, as a
matter of (BPKI) CA policy. Use of HTTP versus HTTPS here is,
essentially, a private matter between the repository operator
and its clients. Note, however, that even if a client/server
pair uses HTTPS for this protocol, message authentication for
this protocol is still based on the CMS signatures, not HTTPS.
Although the hashes used in the <publish/> and
<withdraw/> PDUs are cryptographically strong, the
digest algorithm was selected for convenience in comparing
these hashes with the hashes that appear in RPKI manifests.
The hashes used in the <publish/> and <withdraw/>
PDUs are not particularly security sensitive because these
PDUs are protected by the CMS signatures. Because of this,
the most likely reason for a change to this digest algorithm
would be to track a corresponding change in the digest
algorithm used in RPKI manifests. If and when such a change
happens, it will require incrementing the version number of
this publication protocol, but given that the most likely
implementation of a publication server uses these hashes as
lookup keys in a database, bumping the protocol version number
would be a relatively minor portion of the effort of changing
the algorithm.
Compromise of a publication server, perhaps through
mismanagement of BPKI private keys, could lead to a
denial-of-service attack on the RPKI. An attacker gaining
access to BPKI private keys could use this protocol to delete
(withdraw) RPKI objects, leading to routing changes or
failures. Accordingly, as in most PKIs, good key management
practices are important.
Secure Hash Standard (SHS)National Institute of Standards and TechnologyRELAX NG Compact Syntaxjjc@jclark.comExtensible Markup Language (XML) 1.1The RPKI Repository Delta Protocol (RRDP)An Out-Of-Band Setup Protocol for Resource Public Key Infrastracture (RPKI) Production Services
The authors would like to thank:
Geoff Huston,
George Michaelson,
Oleg Muravskiy,
Paul Wouters,
Randy Bush,
Rob Loomans,
Robert Kisteleki,
Tim Bruijnzeels,
Tom Petch,
and anybody else who helped along the way but whose name(s)
the authors have temporarily forgotten.