RIPE NCC's Implementation of Resource Public Key Infrastructure (RPKI) Certificate Tree Validation
RFC 8488

Document Type: RFC - Informational (December 2018; No errata)
Last updated: 2018-12-18
Replaces: draft-ietf-sidr-rpki-tree-validation
Stream: IETF
WG state: Submitted to IESG for Publication
Document shepherd: Chris Morrow
Shepherd write-up: last changed 2018-07-27
IESG state: RFC 8488 (Informational)
Consensus Boilerplate: Yes
Responsible AD: Warren Kumari
Send notices to: Chris Morrow <morrowc@ops-netman.net>
IANA review state: IANA OK - No Actions Needed
IANA action state: No IANA Actions

Internet Engineering Task Force (IETF)                      O. Muravskiy
Request for Comments: 8488                                      RIPE NCC
Category: Informational                                   T. Bruijnzeels
ISSN: 2070-1721                                               NLnet Labs
                                                           December 2018

 RIPE NCC's Implementation of Resource Public Key Infrastructure (RPKI)
                      Certificate Tree Validation

Abstract

   This document describes an approach to validating the content of the
   Resource Public Key Infrastructure (RPKI) certificate tree, as it is
   implemented in the RIPE NCC RPKI Validator.  This approach is
   independent of a particular object retrieval mechanism, which allows
   it to be used with repositories available over the rsync protocol,
   the RPKI Repository Delta Protocol (RRDP), and repositories that use
   a mix of both.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are candidates for any level of Internet
   Standard; see Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8488.

Muravskiy & Bruijnzeels       Informational                     [Page 1]
RFC 8488                  RPKI Tree Validation             December 2018

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   4
   2.  General Considerations  . . . . . . . . . . . . . . . . . . .   4
     2.1.  Hash Comparisons  . . . . . . . . . . . . . . . . . . . .   4
     2.2.  Discovery of RPKI Objects Issued by a CA  . . . . . . . .   5
     2.3.  Manifest Entries versus Repository Content  . . . . . . .   5
   3.  Top-Down Validation of a Single Trust Anchor Certificate Tree   6
     3.1.  Fetching the Trust Anchor Certificate Using the Trust
           Anchor Locator  . . . . . . . . . . . . . . . . . . . . .   6
     3.2.  CA Certificate Validation . . . . . . . . . . . . . . . .   7
       3.2.1.  Finding the Most Recent Valid Manifest and CRL  . . .   8
       3.2.2.  Validating Manifest Entries . . . . . . . . . . . . .   9
     3.3.  Object Store Cleanup  . . . . . . . . . . . . . . . . . .  10
   4.  Remote Objects Fetcher  . . . . . . . . . . . . . . . . . . .  11
     4.1.  Fetcher Operations  . . . . . . . . . . . . . . . . . . .  11
       4.1.1.  Fetch Repository Objects  . . . . . . . . . . . . . .  12
       4.1.2.  Fetch Single Repository Object  . . . . . . . . . . .  12
   5.  Local Object Store  . . . . . . . . . . . . . . . . . . . . .  12
     5.1.  Store Operations  . . . . . . . . . . . . . . . . . . . .  12
       5.1.1.  Store Repository Object . . . . . . . . . . . . . . .  12
       5.1.2.  Get Objects by Hash . . . . . . . . . . . . . . . . .  12
       5.1.3.  Get Certificate Objects by URI  . . . . . . . . . . .  13
       5.1.4.  Get Manifest Objects by AKI . . . . . . . . . . . . .  13
       5.1.5.  Delete Objects for a URI  . . . . . . . . . . . . . .  13
       5.1.6.  Delete Outdated Objects . . . . . . . . . . . . . . .  13
       5.1.7.  Update Object's Validation Time . . . . . . . . . . .  13
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  13
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .  13
     7.1.  Hash Collisions . . . . . . . . . . . . . . . . . . . . .  13
     7.2.  Algorithm Agility . . . . . . . . . . . . . . . . . . . .  13
     7.3.  Mismatch between the Expected and Actual Location of an
           Object in the Repository  . . . . . . . . . . . . . . . .  14
     7.4.  Manifest Content versus Publication Point Content . . . .  14