RIPE NCC's Implementation of Resource Public Key Infrastructure (RPKI) Certificate Tree Validation
RFC 8488
Internet Engineering Task Force (IETF)                      O. Muravskiy
Request for Comments: 8488                                      RIPE NCC
Category: Informational                                   T. Bruijnzeels
ISSN: 2070-1721                                               NLnet Labs
                                                           December 2018
Abstract
This document describes an approach to validating the content of the
Resource Public Key Infrastructure (RPKI) certificate tree, as it is
implemented in the RIPE NCC RPKI Validator. This approach is
independent of a particular object retrieval mechanism, which allows
it to be used with repositories available over the rsync protocol,
the RPKI Repository Delta Protocol (RRDP), and repositories that use
a mix of both.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are candidates for any level of Internet
Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8488.
Muravskiy & Bruijnzeels Informational [Page 1]
RFC 8488 RPKI Tree Validation December 2018
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction
2. General Considerations
  2.1. Hash Comparisons
  2.2. Discovery of RPKI Objects Issued by a CA
  2.3. Manifest Entries versus Repository Content
3. Top-Down Validation of a Single Trust Anchor Certificate Tree
  3.1. Fetching the Trust Anchor Certificate Using the Trust Anchor Locator
  3.2. CA Certificate Validation
    3.2.1. Finding the Most Recent Valid Manifest and CRL
    3.2.2. Validating Manifest Entries
  3.3. Object Store Cleanup
4. Remote Objects Fetcher
  4.1. Fetcher Operations
    4.1.1. Fetch Repository Objects
    4.1.2. Fetch Single Repository Object
5. Local Object Store
  5.1. Store Operations
    5.1.1. Store Repository Object
    5.1.2. Get Objects by Hash
    5.1.3. Get Certificate Objects by URI
    5.1.4. Get Manifest Objects by AKI
    5.1.5. Delete Objects for a URI
    5.1.6. Delete Outdated Objects
    5.1.7. Update Object's Validation Time
6. IANA Considerations
7. Security Considerations
  7.1. Hash Collisions
  7.2. Algorithm Agility
  7.3. Mismatch between the Expected and Actual Location of an Object in the Repository
  7.4. Manifest Content versus Publication Point Content