Network Working Group S. Weiler Internet-Draft W3C / MIT Intended status: Standards Track A. Sonalker Expires: July 14, 2017 TowerSec R. Austein Dragon Research Labs January 10, 2017 A Publication Protocol for the Resource Public Key Infrastructure (RPKI) draft-ietf-sidr-publication-10 Abstract This document defines a protocol for publishing Resource Public Key Infrastructure (RPKI) objects. Even though the RPKI will have many participants issuing certificates and creating other objects, it is operationally useful to consolidate the publication of those objects. Even in cases where a certificate issuer runs their own publication repository, it can be useful to run the certificate engine itself on a different machine from the publication repository. This document defines a protocol which addresses these needs. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on July 14, 2017. Copyright Notice Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of Weiler, et al. Expires July 14, 2017 [Page 1] Internet-Draft RPKI Publication Protocol January 2017 publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Historical Note . . . . . . . . . . . . . . . . . . . . . 4 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 2. Protocol Specification . . . . . . . . . . . . . . . . . . . 5 2.1. Common XML Message Format . . . . . . . . . . . . . . . . 5 2.2. Publication and Withdrawal . . . . . . . . . . . . . . . 6 2.3. Listing the repository . . . . . . . . . . . . . . . . . 7 2.4. Error handling . . . . . . . . . . . . . . . . . . . . . 8 2.5. Error Codes . . . . . . . . . . . . . . . . . . . . . . . 8 2.6. XML Schema . . . . . . . . . . . . . . . . . . . . . . . 9 3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 11 3.1. Query, No Existing Object . . . . . . . . . . 11 3.2. Query, Overwriting Existing Object . . . . . . 11 3.3. Query . . . . . . . . . . . . . . . . . . . . 12 3.4. Reply . . . . . . . . . . . . . . . . . . . . 12 3.5. With Optional Elements . . . . . . . . . 12 3.6. Without Optional Elements . . . . . . . . 13 3.7. Error Handling With Multi-Element Queries . . . . . . . . 13 3.7.1. Multi-Element Query . . . . . . . . . . . . . . . . . 13 3.7.2. Successful Multi-Element Response . . . . . . . . . . 14 3.7.3. Failure Multi-Element Response, First Error Only . . 14 3.7.4. Failure Multi-Element Response, All Errors . . . . . 15 3.8. Query . . . . . . . . . . . . . . . . . . . . . . 16 3.9. Reply . . . . . . . . . . . . . . . . . . . . . . 16 4. Operational Considerations . . . . . . . . . . . . . . . . . 16 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 6. Security Considerations . . . . . . . . . . . . . . . . . . . 18 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 19 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 8.1. Normative References . . . . . . . . . . . . . . . . . . 19 8.2. Informative References . . . . . . . . . . . . . . . . . 19 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20 1. Introduction This document assumes a working knowledge of the Resource Public Key Infrastructure (RPKI), which is intended to support improved routing security on the Internet. See [RFC6480] for an overview of the RPKI. Weiler, et al. Expires July 14, 2017 [Page 2] Internet-Draft RPKI Publication Protocol January 2017 In order to make participation in the RPKI easier, it is helpful to have a few consolidated repositories for RPKI objects, thus saving every participant from the cost of maintaining a new service. Similarly, relying parties using the RPKI objects will find it faster and more reliable to retrieve the necessary set from a smaller number of repositories. These consolidated RPKI object repositories will in many cases be outside the administrative scope of the organization issuing a given RPKI object. In some cases, outsourcing operation of the repository will be an explicit goal: some resource holders who strongly wish to control their own RPKI private keys may lack the resources to operate a 24x7 repository, or may simply not wish to do so. The operator of an RPKI publication repository may well be an Internet registry which issues certificates to its customers, but it need not be; conceptually, operation of a an RPKI publication repository is separate from operation of RPKI CA. Even in cases where a resource holder operates both a certificate engine and a publication repository, it can be useful to separate the two functions, as they have somewhat different operational and security requirements. This document defines an RPKI publication protocol which allows publication either within or across organizational boundaries, and which makes fairly minimal demands on either the CA engine or the publication service. The authentication and message integrity architecture of the publication protocol is essentially identical to the architecture used in [RFC6492], because the participants in this protocol are the same CA engines as in RFC 6492; this allows reuse of the same "Business PKI" ("BPKI", see Section 1.2) infrastructure used to support RFC 6492. As in RCC 6492, authorization is a matter of external configuration: we assume that any given publication repository has some kind of policy controlling which certificate engines are allowed to publish, modify, or withdraw particular RPKI objects, most likely following the recommendation in [RFC6480] Section 4.4, the details of this policy are a private matter between the operator of a certificate engine and the operator of the chosen publication repository. The following diagram attempts to convey where this publication protocol fits into the overall data flow between the certificate issuers and relying parties: Weiler, et al. Expires July 14, 2017 [Page 3] Internet-Draft RPKI Publication Protocol January 2017 +------+ +------+ +------+ | CA | | CA | | CA | +------+ +------+ +------+ | | | Publication Protocol | | | Business relationship +-------+ | +--------+ perhaps set up by | | | draft-ietf-sidr-rpki-oob-setup +----v---v--v-----+ | | | Publication | | Repository | | | +-----------------+ Distribution protocols | rsync or RRDP +--------------+----------------+ | | | +-------v-----+ +------v------+ +------v------+ | Relying | | Relying | | Relying | | Party | | Party | | Party | +-------------+ +-------------+ +-------------+ The publication protocol itself is not visible to relying parties: a relying party sees the public interface of the publication server, which is an rsync or RRDP ([I-D.ietf-sidr-delta-protocol]) server. Operators of certificate engines and publication repositories may find [I-D.ietf-sidr-rpki-oob-setup] a useful tool in setting up the pairwise relationships between these servers, but are not required to use it. 1.1. Historical Note This protocol started out as an informal collaboration between several of the early RPKI implementers, and while it was always the designers' intention that the resulting protocol end up on the IETF standards track, it took a few years to get there, because standardization of other pieces of the overall RPKI protocol space was more urgent. The standards track version of this publication protocol preserves the original XML namespace and protocol version scheme in order to maintain backwards compatibility with running code implemented against older versions of the specification. 1.2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. Weiler, et al. Expires July 14, 2017 [Page 4] Internet-Draft RPKI Publication Protocol January 2017 "Publication engine" and "publication server" are used interchangeably to refer to the server providing the service described in this document. "Business Public Key Infrastructure" ("Business PKI" or "BPKI") refers to a PKI, separate from the RPKI, used to authenticate clients to the publication engine. We use the term "Business PKI" here because an Internet registry might already have a PKI for authenticating its clients and might wish to reuse that PKI for this protocol. There is, however, no requirement to reuse such a PKI. 2. Protocol Specification The publication protocol uses XML ([XML]) messages wrapped in signed CMS messages, carried over HTTP transport. The publication protocol uses a simple request/response interaction. The client passes a request to the server, and the server generates a corresponding response. A message exchange commences with the client initiating an HTTP POST with content type of "application/rpki-publication", with the message object as the body. The server's response will similarly be the body of the response with a content type of "application/rpki- publication". The content of the POST and the server's response will be a well- formed Cryptographic Message Syntax (CMS) [RFC5652] object with OID = 1.2.840.113549.1.7.2 as described in Section 3.1 of [RFC6492]. The CMS signatures are used to protect the integrity of the protocol messages and to authenticate the client and server to each other. Authorization to perform particular operations is a local matter, perhaps determined by contractual agreements between the operators of any particular client-server pair, but in any case is beyond the scope of this specification. 2.1. Common XML Message Format The XML schema for this protocol is below in Section 2.6. The basic XML message format looks like this: Weiler, et al. Expires July 14, 2017 [Page 5] Internet-Draft RPKI Publication Protocol January 2017 Common attributes: version: The value of this attribute is the version of this protocol. This document describes version 4. type: The possible values of this attribute are "reply" and "query". A query PDU may be one of three types: , , or . A reply PDU may be one of three types: , , or . The and PDUs include a "tag" attribute to facilitate bulk operation. When performing bulk operations, a CA engine will probably find it useful to specify a distinct tag value for each or PDU, to simplify matching an error with the PDU which triggered it. The tag attribute is mandatory, to simplify parsing, but a CA engine which has no particular use for tagging MAY use any syntactically legal value, including simply using the empty string for all tag fields. 2.2. Publication and Withdrawal The publication protocol uses a common message format to request publication of any RPKI object. This format was chosen specifically to allow this protocol to accommodate new types of RPKI objects without needing changes to this protocol. Both the and PDUs have a payload of a tag and a URI. The query also contains the DER object to be published, encoded in Base64. Both the and PDUs also have a "hash" attribute, which carries a hash of an existing object at the specified repository URI, encoded as a hexadecimal string. For PDUs, the hash MUST be present, as this operation makes no sense if there is no existing object to withdraw. For PDUs, the hash is MUST be present if the publication operation is overwriting an existing object, and MUST NOT be present if this publication operation is writing to a new URI where no prior object Weiler, et al. Expires July 14, 2017 [Page 6] Internet-Draft RPKI Publication Protocol January 2017 exists. Presence of an object when no "hash" attribute has been specified is an error, as is absence of an object or an incorrect hash value when a "hash" attribute has been specified. Any such errors MUST be reported using the PDU. The hash algorithm is SHA-256 [SHS], to simplify comparison of publication protocol hashes with RPKI manifest hashes. The intent behind the "hash" attribute is to allow the client and server to detect any disagreements about the effect that a or PDU will have on the repository. Note that every publish and withdraw action requires a new manifest, thus every publish or withdraw action will involve at least two objects. Processing of a query message is handled atomically: either the entire query succeeds or none of it does. When a query message contains multiple PDUs, failure of any PDU may require the server to roll back actions triggered by earlier PDUs. When a query messages containing or PDUs succeeds, the server returns a single reply. When a query fails, the server returns one or more reply PDUs. Typically, a server will only generate one corresponding to the first query PDU that failed, but servers MAY return multiple PDUs at the implementor's discretion. 2.3. Listing the repository The operation allows the client to ask the server for a complete listing of objects which the server believes the client has published. This is intended primarily to allow the client to recover upon detecting (probably via use of the "hash" attribute, see Section 2.2) that they have somehow lost synchronization. The query consists of a single PDU. A query MUST be the only PDU in a query - it may not be combined with any or queries. The reply consists of zero or more PDUs, one per object published in this repository by this client, each PDU conveying the URI and hash of one published object. Weiler, et al. Expires July 14, 2017 [Page 7] Internet-Draft RPKI Publication Protocol January 2017 2.4. Error handling Errors are handled at two levels. Errors that make it impossible to decode a query or encode a response are handled at the HTTP layer. 4xx and 5xx HTTP response codes indicate that something bad happened. In all other cases, errors result in an XML PDU. Like the rest of this protocol, PDUs are CMS-signed XML messages and thus can be archived to provide an audit trail. PDUs only appear in replies, never in queries. The "tag" attribute of the PDU associated with a or PDU MUST be set to the same value as the "tag" attribute in the PDU which generated the error. A client can use the "tag" attribute to determine which PDU caused processing of an update to fail. The error itself is conveyed in the "error_code" attribute. The value of this attribute is a token indicating the specific error that occurred. The body of the element contains two sub-elements: 1. An optional text element , which if present, contains a text string with debugging information intended for human consumption. 2. An optional element , which, if present, contains a verbatim copy of the query PDU whose failure triggered the PDU. The quoted element must be syntactically valid. See Section 3.7 for examples of a multi-element query and responses. 2.5. Error Codes These are the defined error codes as well as some discussion of each. Text similar to these descriptions may be sent in an element to help explain the error encountered. xml_error: Encountered an XML problem. Note that some XML errors may be severe enough to require error reporting at the HTTP layer, instead. Implementations MAY choose to report any or all XML errors at the HTTP layer. Weiler, et al. Expires July 14, 2017 [Page 8] Internet-Draft RPKI Publication Protocol January 2017 permission_failure: Client does not have permission to update this URI. bad_cms_signature: Bad CMS signature. object_already_present: An object is already present at this URI, yet a "hash" attribute was not specified. A "hash" attribute must be specified when overwriting or deleting an object. Perhaps client and server are out of sync? no_object_present: There is no object present at this URI, yet a "hash" attribute was specified. Perhaps client and server are out of sync? no_object_matching_hash The "hash" attribute supplied does not match the "hash" attribute of the object at this URI. Perhaps client and server are out of sync? consistency_problem: Server detected an update that looks like it will cause a consistency problem (e.g. an object was deleted, but the manifest was not updated). Note that a server is not required to make such checks. Indeed, it may be unwise for a server to do so. This error code just provides a way for the server to explain its (in-)action. other_error: A meteor fell on the server. 2.6. XML Schema The following is a [RelaxNG] compact form schema describing the Publication Protocol. This schema is normative: in the event of a disagreement between this schema and the document text above, this schema is authoritative. # RelaxNG schema for RPKI publication protocol. default namespace = "http://www.hactrn.net/uris/rpki/publication-spec/" # This is version 4 of the protocol. version = "4" # Top level PDU is either a query or a reply. start |= element msg { attribute version { version }, Weiler, et al. Expires July 14, 2017 [Page 9] Internet-Draft RPKI Publication Protocol January 2017 attribute type { "query" }, query_elt } start |= element msg { attribute version { version }, attribute type { "reply" }, reply_elt } # Tag attributes for bulk operations. tag = attribute tag { xsd:token { maxLength="1024" } } # Base64 encoded DER stuff. base64 = xsd:base64Binary # Publication URIs. uri = attribute uri { xsd:anyURI { maxLength="4096" } } # Digest of an existing object (hexadecimal). hash = attribute hash { xsd:string { pattern = "[0-9a-fA-F]+" } } # Error codes. error |= "xml_error" error |= "permission_failure" error |= "bad_cms_signature" error |= "object_already_present" error |= "no_object_present" error |= "no_object_matching_hash" error |= "consistency_problem" error |= "other_error" # and query elements query_elt |= ( element publish { tag, uri, hash?, base64 } | element withdraw { tag, uri, hash } )* # reply reply_elt |= element success { empty } Weiler, et al. Expires July 14, 2017 [Page 10] Internet-Draft RPKI Publication Protocol January 2017 # query and reply query_elt |= element list { empty } reply_elt |= element list { uri, hash }* # reply reply_elt |= element report_error { tag?, attribute error_code { error }, element error_text { xsd:string { maxLength="512000" }}?, element failed_pdu { query_elt }? }* 3. Examples Following are examples of various queries and the corresponding replies for the RPKI publication protocol. Note the authors have taken liberties with the Base64, hash, and URI text in these examples in the interest of making the examples fit nicely into RFC text format. 3.1. Query, No Existing Object SGVsbG8sIG15IG5hbWUgaXMgQWxpY2U= 3.2. Query, Overwriting Existing Object Weiler, et al. Expires July 14, 2017 [Page 11] Internet-Draft RPKI Publication Protocol January 2017 SGVsbG8sIG15IG5hbWUgaXMgQWxpY2U= 3.3. Query 3.4. Reply 3.5. With Optional Elements Weiler, et al. Expires July 14, 2017 [Page 12] Internet-Draft RPKI Publication Protocol January 2017 Can't delete an object I don't have SGVsbG8sIG15IG5hbWUgaXMgQWxpY2U= 3.6. Without Optional Elements 3.7. Error Handling With Multi-Element Queries 3.7.1. Multi-Element Query Weiler, et al. Expires July 14, 2017 [Page 13] Internet-Draft RPKI Publication Protocol January 2017 SGVsbG8sIG15IG5hbWUgaXMgQWxpY2U= SGVsbG8sIG15IG5hbWUgaXMgQ2Fyb2w= SGVsbG8sIG15IG5hbWUgaXMgRXZl 3.7.2. Successful Multi-Element Response 3.7.3. Failure Multi-Element Response, First Error Only Weiler, et al. Expires July 14, 2017 [Page 14] Internet-Draft RPKI Publication Protocol January 2017 3.7.4. Failure Multi-Element Response, All Errors SGVsbG8sIG15IG5hbWUgaXMgRXZl Weiler, et al. Expires July 14, 2017 [Page 15] Internet-Draft RPKI Publication Protocol January 2017 3.8. Query 3.9. Reply 4. Operational Considerations There are two basic options open to the repository operator as to how the publication tree is laid out. The first option is simple: each publication client is given its own directory one level below the top of the rsync module, and there is no overlap between the publication spaces used by different clients. For example: rsync://example.org/rpki/Alice/ rsync://example.org/rpki/Bob/ rsync://example.org/rpki/Carol/ This has the advantage of being very easy for the publication operator to manage, but has the drawback of making it difficult for relying parties to fetch published objects efficiently, particularly for relying party implementations which follow the safety rule of never retrieving anything from a URI which didn't come directly from either a signed object or a trust anchor locator. Weiler, et al. Expires July 14, 2017 [Page 16] Internet-Draft RPKI Publication Protocol January 2017 Given that the mandatory-to-implement retrieval protocol for relying parties is rsync, a more efficient repository structure would be one which minimized the number of rsync fetches required. One such structure would be one in which the publication directories for subjects were placed underneath the publication directories of their issuers: since the normal synchronization tree walk is top-down, this can significantly reduce the total number of rsync connections required to synchronize. For example: rsync://example.org/rpki/Alice/ rsync://example.org/rpki/Alice/Bob/ rsync://example.org/rpki/Alice/Bob/Carol/ Preliminary measurement suggests that, in the case of large numbers of small publication directories, the time needed to set up and tear down individual rsync connections becomes significant, and that a properly optimized tree structure can reduce synchronization time by an order of magnitude. The more complex tree structure does require careful attention when setting up clients. In the example above, assuming that Alice issues to Bob who in turn issues to Carol, Alice has ceded control of a portion of her publication space to Bob, who has in turn ceded a portion of that to Carol. The details of how the repository operator determines that Alice has given Bob permission to nest Bob's publication directory under Alice's is outside the scope of this protocol. 5. IANA Considerations IANA is asked to register the application/rpki-publication MIME media type as follows: Weiler, et al. Expires July 14, 2017 [Page 17] Internet-Draft RPKI Publication Protocol January 2017 MIME media type name: application MIME subtype name: rpki-publication Required parameters: None Optional parameters: None Encoding considerations: binary Security considerations: Carries an RPKI Publication Protocol Message, as defined in this document. Interoperability considerations: None Published specification: This document Applications which use this media type: HTTP Additional information: Magic number(s): None File extension(s): Macintosh File Type Code(s): Person & email address to contact for further information: Rob Austein Intended usage: COMMON Author/Change controller: IETF 6. Security Considerations The RPKI publication protocol and the data it publishes use entirely separate PKIs for authentication. The published data is authenticated within the RPKI, and this protocol has nothing to do with that authentication, nor does it require that the published objects be valid in the RPKI. The publication protocol uses a separate Business PKI (BPKI) to authenticate its messages. Each RPKI publication protocol message is CMS-signed. Because of that protection at the application layer, this protocol does not require the use of HTTPS or other transport security mechanisms. Although the hashes used in the and PDUs are cryptographically strong, the digest algorithm was selected for convenience in comparing these hashes with the hashes that appear in RPKI manifests. The hashes used in the and PDUs are not particularly security-sensitive, because these PDUs are protected by the CMS signatures. Compromise of a publication server, perhaps through mismanagement of BPKI private keys, could lead to a denial-of-service attack on the RPKI. An attacker gaining access to BPKI private keys could use this protocol to delete (withdraw) RPKI objects, leading to routing changes or failures. Accordingly, as in most PKIs, good key management practices are important. Weiler, et al. Expires July 14, 2017 [Page 18] Internet-Draft RPKI Publication Protocol January 2017 7. Acknowledgements The authors would like to thank: Geoff Huston, George Michaelson, Oleg Muravskiy, Paul Wouters, Randy Bush, Rob Loomans, Robert Kisteleki, Tim Bruijnzeels, Tom Petch, and anybody else who helped along the way but whose name(s) the authors have temporarily forgotten. 8. References 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, BCP 14, March 1997. [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 5652, STD 70, September 2009. [RFC6492] Huston, G., Loomans, R., Ellacott, B., and R. Austein, "A Protocol for Provisioning Resource Certificates", RFC 6492, February 2012. [SHS] National Institute of Standards and Technology, "Secure Hash Standard", FIPS PUB 180-4, March 2012, . 8.2. Informative References [I-D.ietf-sidr-delta-protocol] Bruijnzeels, T., Muravskiy, O., Weber, B., and R. Austein, "RPKI Repository Delta Protocol", draft-ietf-sidr-delta- protocol-04 (work in progress), September 2016. [I-D.ietf-sidr-rpki-oob-setup] Austein, R., "An Out-Of-Band Setup Protocol For RPKI Production Services", draft-ietf-sidr-rpki-oob-setup-05 (work in progress), December 2016. [RelaxNG] Clark, J., "RELAX NG Compact Syntax", OASIS , November 2002, . [RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support Secure Internet Routing", RFC 6480, February 2012. [XML] Cowan, J., "Extensible Markup Language (XML) 1.1", W3C CR CR-xml11-20021015, October 2002. Weiler, et al. Expires July 14, 2017 [Page 19] Internet-Draft RPKI Publication Protocol January 2017 Authors' Addresses Samuel Weiler W3C / MIT Email: weiler@csail.mit.edu Anuja Sonalker TowerSec Automotive Cyber Security Email: asonalker@tower-sec.com Rob Austein Dragon Research Labs Email: sra@hactrn.net Weiler, et al. Expires July 14, 2017 [Page 20]