rfc9092xml2.original.xml   rfc9092.xml 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" submissionType="IETF" category="std" consensus="true" docName="draft-ietf-opsawg-finding-geofeeds-17" number="9092" ipr="trust200902" obsoletes="" updates="" xml:lang="en" sortRefs="true" symRefs="true" tocInclude="true" tocDepth="3" version="3">
<front>
<title abbrev="Finding Geofeeds">Finding and Using Geofeed Data</title>
<seriesInfo name="RFC" value="9092"/>
<author fullname="Randy Bush" initials="R." surname="Bush">
<organization>IIJ &amp; Arrcus</organization>
<address>
<postal>
<street>5147 Crystal Springs</street>
<city>Bainbridge Island</city>
<region>Washington</region>
<code>98110</code>
<country>United States of America</country>
</postal>
<!-- the diff view skips ahead here; the end of this author block and the start of the next author block are not shown -->
<address>
<postal>
<street>Siriusdreef 70-72</street>
<city>Hoofddorp</city>
<code>2132 WT</code>
<country>Netherlands</country>
</postal>
<email>massimo@ntt.net</email>
</address>
</author>
<author fullname="Warren Kumari" initials="W." surname="Kumari">
<organization>Google</organization>
<address>
<postal>
<street>1600 Amphitheatre Parkway</street>
<city>Mountain View</city>
<region>CA</region>
<code>94043</code>
<country>United States of America</country>
</postal>
<email>warren@kumari.net</email>
</address>
</author>
<author fullname="Russ Housley" initials="R" surname="Housley">
<organization abbrev="Vigil Security">Vigil Security, LLC</organization>
<address>
<postal>
<street>516 Dranesville Road</street>
<city>Herndon</city>
<region>VA</region>
<code>20170</code>
<country>United States of America</country>
</postal>
<email>housley@vigilsec.com</email>
</address>
</author>
<date year="2021" month="July" />
<keyword>geolocation</keyword>
<keyword>geo-location</keyword>
<keyword>RPSL</keyword>
<abstract>
<t>
This document specifies how to augment the Routing Policy
Specification Language inetnum: class to refer specifically to geofeed
data comma-separated values (CSV) files and describes an optional scheme
that uses the Routing Public Key Infrastructure to authenticate the
geofeed data CSV files.
</t>
</abstract>
</front>
<middle>
<section anchor="intro" numbered="true" toc="default">
<name>Introduction</name>
<t>
Providers of Internet content and other services may wish to
customize those services based on the geographic location of the
user of the service. This is often done using the source IP
address used to contact the service. Also, infrastructure and
other services might wish to publish the locale of their
services. <xref target="RFC8805" format="default"/> defines geofeed, a
syntax to associate geographic locales with IP addresses, but it does
not specify how to find the relevant geofeed data given an IP
address.
</t>
<t>
This document specifies how to augment the Routing Policy
Specification Language (RPSL) <xref target="RFC2725" format="default"/>
inetnum: class to refer specifically to geofeed data CSV files and how
to prudently use them. In all places inetnum: is used,
inet6num: should also be assumed <xref target="RFC4012" format="default"/>.
</t>
<t>
The reader may find <xref target="INETNUM" format="default"/> and <xref
target="INET6NUM" format="default"/> informative, and certainly more
verbose, descriptions of the inetnum: database classes.
</t>
<t>
An optional, utterly awesome but slightly complex means for
authenticating geofeed data is also defined.
</t>
<section numbered="true" toc="default">
<name>Requirements Language</name>
<t>
The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
"<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>",
"<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are
to be interpreted as described in BCP&nbsp;14 <xref target="RFC2119"/>
<xref target="RFC8174"/> when, and only when, they appear in all capitals,
as shown here.
</t>
</section>
</section>
<section anchor="gf" numbered="true" toc="default">
<name>Geofeed Files</name>
<t>
Geofeed files are described in <xref target="RFC8805" format="default"/>.
They provide a facility for an IP address resource "owner" to
associate those IP addresses to geographic locales.
</t>
<t>
Content providers and other parties who wish to locate an IP address
to a geographic locale need to find the relevant geofeed data. In
<xref target="inetnum" format="default"/>, this document specifies how
to find the relevant geofeed <xref target="RFC8805" format="default"/>
file given an IP address.
</t>
<t>
Geofeed data for large providers with significant horizontal
scale and high granularity can be quite large. The size of a
file can be even larger if an unsigned geofeed file combines
data for many prefixes, if dual IPv4/IPv6 spaces are represented,
etc.
</t>
<t>
Geofeed data do have privacy considerations (see <xref
target="privacy" format="default"/>); this process makes bulk access
to those data easier.
</t>
<t>
This document also suggests an optional signature to strongly
authenticate the data in the geofeed files.
</t>
</section>
<section anchor="inetnum" numbered="true" toc="default">
<name>inetnum: Class</name>
<t>
The original RPSL specifications starting with <xref target="RIPE81"
format="default"/>, <xref target="RIPE181" format="default"/>, and a trail
of subsequent documents were written by the RIPE community. The IETF
standardized RPSL in <xref target="RFC2622" format="default"/> and <xref
target="RFC4012" format="default"/>. Since then, it has been modified and
extensively enhanced in the Regional Internet Registry (RIR)
community, mostly by RIPE <xref target="RIPE-DB" format="default"/>.
Currently, change control effectively lies in the operator community.
</t>
<t>
RPSL, together with <xref target="RFC2725" format="default"/> and <xref
target="RFC4012" format="default"/> as used by the Regional Internet
Registries (RIRs), specifies the inetnum: database class. Each of these
objects describes an IP address range and its attributes. The inetnum:
objects form a hierarchy ordered on the address space.
</t>
<t>
Ideally, RPSL would be augmented to define a new RPSL geofeed:
attribute in the inetnum: class. Until such time, this document
defines the syntax of a Geofeed remarks: attribute, which contains an
HTTPS URL of a geofeed file. The format of the inetnum: geofeed
remarks: attribute <bcp14>MUST</bcp14> be as in this example,
"remarks: Geofeed ", where the token "Geofeed " <bcp14>MUST</bcp14> be
case sensitive, followed by a URL that will vary, but it
<bcp14>MUST</bcp14> refer only to a single geofeed <xref
target="RFC8805" format="default"/> file.
</t>
<sourcecode type="rpsl"><![CDATA[
inetnum: 192.0.2.0/24 # example
remarks: Geofeed https://example.com/geofeed.csv
]]></sourcecode>
<t>
While we leave global agreement of RPSL modification to the relevant
parties, we specify that a proper geofeed: attribute in the inetnum:
class <bcp14>MUST</bcp14> be "geofeed:" and <bcp14>MUST</bcp14> be
followed by a single URL that will vary, but it <bcp14>MUST</bcp14>
refer only to a single geofeed <xref target="RFC8805"
format="default"/> file.
</t>
<sourcecode type="rpsl"><![CDATA[
inetnum: 192.0.2.0/24 # example
geofeed: https://example.com/geofeed.csv
]]></sourcecode>
<t>
Registries <bcp14>MAY</bcp14>, for the interim, provide a mix of the
remarks: attribute form and the geofeed: attribute form.
</t>
<t>
The URL uses HTTPS, so the WebPKI provides authentication, integrity,
and confidentiality for the fetched geofeed file. However, the WebPKI
can not provide authentication of IP address space assignment. In
contrast, the RPKI (see <xref target="RFC6481" format="default"/>) can
be used to authenticate IP space assignment; see optional
authentication in <xref target="auth" format="default"/>.
</t>
<t>
Until all producers of inetnum: objects, i.e., the RIRs, state that they
have migrated to supporting a geofeed: attribute, consumers
looking at inetnum: objects to find geofeed URLs <bcp14>MUST</bcp14> be
able to consume both the remarks: and geofeed: forms.
</t>
<t>
The migration not only implies that the RIRs support the geofeed:
attribute, but that all registrants have migrated any inetnum: objects
from remarks: to geofeed: attributes.
</t>
<t>
Any particular inetnum: object <bcp14>MUST</bcp14> have, at most, one
geofeed reference, whether a remarks: or a proper geofeed: attribute
when it is implemented. If there is more than one, all are
ignored.
</t>
<t>
If a geofeed CSV file describes multiple disjoint ranges of IP
address space, there are likely to be geofeed references from
multiple inetnum: objects. Files with geofeed references from
multiple inetnum: objects are not compatible with the signing
procedure in <xref target="auth" format="default"/>.
</t>
<t>
When geofeed references are provided by multiple inetnum:
objects that have identical address ranges, then the geofeed
reference on the inetnum: with the most recent last-modified:
attribute <bcp14>SHOULD</bcp14> be preferred.
</t>
<t>
As inetnum: objects form a hierarchy, geofeed references
<bcp14>SHOULD</bcp14> be at the lowest applicable inetnum: object
covering the relevant address ranges in the referenced geofeed file.
When fetching, the most specific inetnum: object with a geofeed
reference <bcp14>MUST</bcp14> be used.
</t>
<t>
It is significant that geofeed data may have finer granularity
than the inetnum: that refers to them. For example, an INETNUM
object for an address range P could refer to a geofeed file in
which P has been subdivided into one or more longer prefixes.
</t>
<t>
Currently, the registry data published by ARIN are not the same RPSL as
that of the other registries (see <xref target="RFC7485"
format="default"/> for a survey of the WHOIS Tower of Babel);
therefore, when fetching from ARIN via FTP <xref target="RFC0959"
format="default"/>, WHOIS <xref target="RFC3912" format="default"/>,
the Registration Data Access Protocol (RDAP) <xref target="RFC9082"
format="default"/>, etc., the "NetRange" attribute/key
<bcp14>MUST</bcp14> be treated as "inetnum", and the "Comment"
attribute <bcp14>MUST</bcp14> be treated as "remarks".
</t>
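<t>
The selection rules of this section worked through in code, as an added
example that is not code from RFC 9092 or from any registry: both the
remarks: and geofeed: forms are accepted, the ARIN NetRange/Comment
spellings are mapped to inetnum/remarks, an object with more than one
reference is ignored, the most specific covering object wins, and
identical ranges are ordered by last-modified:. The object set is
constructed from documentation prefixes, and fetching the URL over
HTTPS is not shown.
</t>
<sourcecode type="python"><![CDATA[
```python
# Added example, not RFC 9092 or registry code; sample data below is constructed.
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_RANGE_KEYS = {"inetnum", "inet6num", "netrange"}   # NetRange: ARIN spelling
_REMARK_KEYS = {"remarks", "comment"}               # Comment: ARIN spelling
_GEOFEED_REMARK = re.compile(r"^Geofeed (\S+)$")     # token is case sensitive


@dataclass
class Inetnum:
    version: int                # 4 or 6; a range only covers its own family
    start: int                  # first address of the range, as an integer
    end: int                    # last address of the range, inclusive
    last_modified: str          # last-modified: value; ISO 8601 sorts as text
    geofeed_url: Optional[str]  # None when the object has no usable reference


def parse_range(text: str) -> Tuple[int, int, int]:
    """Accept '192.0.2.0 - 192.0.2.255' or CIDR '192.0.2.0/24', v4 or v6."""
    if "/" in text:
        net = ipaddress.ip_network(text.strip(), strict=False)
        return net.version, int(net[0]), int(net[-1])
    lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
    if lo.version != hi.version or lo > hi:
        raise ValueError("bad address range: %r" % text)
    return lo.version, int(lo), int(hi)


def parse_object(block: str) -> Inetnum:
    """Parse one RPSL object, collecting geofeed references in both forms."""
    span, last_modified, refs = None, "", []
    for line in block.splitlines():
        line = line.split("#", 1)[0].rstrip()        # drop RPSL '#' comments
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key in _RANGE_KEYS:
            span = parse_range(value)
        elif key == "last-modified":
            last_modified = value
        elif key == "geofeed":                       # proper geofeed: form
            refs.append(value)
        elif key in _REMARK_KEYS:                    # "remarks: Geofeed <url>"
            m = _GEOFEED_REMARK.match(value)
            if m:
                refs.append(m.group(1))
    if span is None:
        raise ValueError("object has no inetnum:/inet6num:/NetRange")
    # At most one reference per object, and it must be a single HTTPS URL;
    # if there is more than one reference, all of them are ignored.
    url = refs[0] if len(refs) == 1 and refs[0].startswith("https://") else None
    return Inetnum(span[0], span[1], span[2], last_modified, url)


def parse_objects(text: str) -> List[Inetnum]:
    """RPSL objects are separated by blank lines."""
    return [parse_object(b) for b in re.split(r"\n\s*\n", text.strip())]


def find_geofeed_url(objects: List[Inetnum], ip: str) -> Optional[str]:
    """Most specific covering object with a reference; among objects with
    identical ranges the most recent last-modified: is preferred."""
    a = ipaddress.ip_address(ip)
    candidates = [o for o in objects if o.geofeed_url is not None
                  and o.version == a.version and o.start <= int(a) <= o.end]
    if not candidates:
        return None
    # start - end is least negative for the smallest range; ties go by date.
    best = max(candidates, key=lambda o: (o.start - o.end, o.last_modified))
    return best.geofeed_url


SAMPLE_RPSL = """\
inetnum: 192.0.2.0 - 192.0.2.255
remarks: Geofeed https://example.com/geofeed.csv
last-modified: 2021-01-01T00:00:00Z

inetnum: 192.0.2.0/24   # same range as above, newer, proper attribute
geofeed: https://example.com/newer.csv
last-modified: 2021-06-01T00:00:00Z

inetnum: 192.0.2.0 - 192.0.2.127
geofeed: https://example.com/lower.csv
last-modified: 2020-01-01T00:00:00Z

inetnum: 192.0.2.128 - 192.0.2.255
geofeed: https://example.com/upper.csv
remarks: Geofeed https://example.com/second.csv

inet6num: 2001:db8::/32
geofeed: https://example.com/v6.csv

NetRange: 203.0.113.0 - 203.0.113.255
Comment: Geofeed https://example.net/arin.csv

inetnum: 198.51.100.0/24
remarks: geofeed https://example.org/wrong-case.csv
"""
```
]]></sourcecode>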
</section>
<section anchor="auth" numbered="true" toc="default">
<name>Authenticating Geofeed Data</name>
<t>
The question arises whether a particular geofeed <xref
target="RFC8805" format="default"/> data set is valid, i.e., is
authorized by the "owner" of the IP address space and is authoritative
in some sense. The inetnum: that points to the geofeed <xref
target="RFC8805" format="default"/> file provides some assurance.
Unfortunately, the RPSL in many repositories is weakly authenticated
at best. An approach where RPSL was signed per <xref target="RFC7909"
format="default"/> would be good, except it would have to be deployed
by all RPSL registries, and there is a fair number of them.
</t>
<t>
A single optional authenticator <bcp14>MAY</bcp14> be appended to a
geofeed <xref target="RFC8805" format="default"/> file. It is a
digest of the main body of the file signed by the private key of the
relevant RPKI certificate for a covering address range. One needs a
format that bundles the relevant RPKI certificate with the signature
of the geofeed text.
</t>
<t>
The canonicalization procedure converts the data from their internal
character representation to the UTF-8 <xref target="RFC3629"
format="default"/> character encoding, and the &lt;CRLF&gt; sequence
<bcp14>MUST</bcp14> be used to denote the end of a line of text. A
blank line is represented solely by the &lt;CRLF&gt; sequence. For
robustness, any non-printable characters <bcp14>MUST NOT</bcp14> be
changed by canonicalization. Trailing blank lines <bcp14>MUST
NOT</bcp14> appear at the end of the file. That is, the file must not
end with multiple consecutive &lt;CRLF&gt; sequences. Any end-of-file
marker used by an operating system is not considered to be part of the
file content. When present, such end-of-file markers <bcp14>MUST
NOT</bcp14> be processed by the digital signature algorithm.
</t>
<t>
Should the authenticator be syntactically incorrect per the
above, the authenticator is invalid.
</t>
<t>
Borrowing detached signatures from <xref target="RFC5485"
format="default"/>, after file canonicalization, the Cryptographic
Message Syntax (CMS) <xref target="RFC5652" format="default"/> would
be used to create a detached DER-encoded signature that is then padded
BASE64 encoded (as per <xref target="RFC4648" sectionFormat="of"
section="4" format="default"/>) and line wrapped to 72 or fewer
characters. The same digest algorithm <bcp14>MUST</bcp14> be used for
calculating the message digest on content being signed, which is the
geofeed file, and for calculating the message digest on the SignerInfo
SignedAttributes <xref target="RFC8933" format="default"/>. The
message digest algorithm identifier <bcp14>MUST</bcp14> appear in both
the SignedData DigestAlgorithmIdentifiers and the SignerInfo
DigestAlgorithmIdentifier <xref target="RFC5652" format="default"/>.
</t>
<t>
The address range of the signing certificate <bcp14>MUST</bcp14> cover
all prefixes in the geofeed file it signs.
</t>
<t>
An address range A "covers" address range B if the range of B is
identical to or a subset of A. "Address range" is used here because
inetnum: objects and RPKI certificates need not align on Classless
Inter-Domain Routing (CIDR) <xref target="RFC4632"/> prefix
boundaries, while those of the CSV lines in a geofeed file do.
</t>
<t>
As the signer specifies the covered RPKI resources relevant to the
signature, the RPKI certificate covering the inetnum: object's address
range is included in the <xref target="RFC5652" format="default"/> CMS
SignedData certificates field.
</t>
<t>
Identifying the private key associated with the certificate and
getting the department that controls the private key (which might be
trapped in a Hardware Security Module (HSM)) to sign the CMS blob is
left as an exercise for the implementor. On the other hand, verifying
the signature requires no complexity; the certificate, which can be
validated in the public RPKI, has the needed public key.
The trust anchors for the RIRs are expected to already be
available to the party performing signature validation.
Validation of the CMS signature on the geofeed file
involves:</t>
<ol spacing="normal" type="1">
<li>
<t>Obtaining the signer's certificate from the CMS SignedData
CertificateSet <xref target="RFC5652" format="default"/>. The certificate
SubjectKeyIdentifier extension <xref target="RFC5280" format="default"/>
<bcp14>MUST</bcp14> match the SubjectKeyIdentifier in the CMS SignerInfo
SignerIdentifier <xref target="RFC5652" format="default"/>. If the key
identifiers do not match, then validation <bcp14>MUST</bcp14> fail.</t>
<t>
Validation of the signer's certificate <bcp14>MUST</bcp14> ensure
that it is part of the current <xref target="RFC6486"
format="default"/> manifest and that the resources are covered by
the RPKI certificate.
</t>
</li>
<li>
Constructing the certification path for the signer's certificate.
All of the needed certificates are expected to be readily
available in the RPKI repository. The certification path
<bcp14>MUST</bcp14> be valid according to the validation algorithm in
<xref target="RFC5280" format="default"/> and the additional checks
specified in <xref target="RFC3779" format="default"/> associated with
the IP Address Delegation certificate extension and the Autonomous
System Identifier Delegation certificate extension. If certification
path validation is unsuccessful, then validation <bcp14>MUST</bcp14>
fail.
</li>
<li>
Validating the CMS SignedData as specified in <xref target="RFC5652"
format="default"/> using the public key from the validated
signer's certificate. If the signature validation is
unsuccessful, then validation <bcp14>MUST</bcp14> fail.
</li>
<li>
Verifying that the IP Address Delegation certificate extension
<xref target="RFC3779" format="default"/> covers all of the address
ranges of the geofeed file. If all of the address ranges are not
covered, then validation <bcp14>MUST</bcp14> fail.
</li>
</ol>
<t>
All of these steps <bcp14>MUST</bcp14> be successful to consider the
geofeed file signature as valid.
</t>
<t>
The appendix <bcp14>MUST</bcp14> be hidden as a series of "#" comments
at the end of the geofeed file. The following is a cryptographically
incorrect, albeit simple, example. A correct and full example is
in <xref target="example" format="default"/>.
</t>
<sourcecode type=""><![CDATA[
# RPKI Signature: 192.0.2.0 - 192.0.2.255
# MIIGlwYJKoZIhvcNAQcCoIIGiDCCBoQCAQMxDTALBglghkgBZQMEAgEwDQYLKoZ
# IhvcNAQkQAS+gggSxMIIErTCCA5WgAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZu
...
# imwYkXpiMxw44EZqDjl36MiWsRDLdgoijBBcGbibwyAfGeR46k5raZCGvxG+4xa
# O8PDTxTfIYwAnBjRBKAqAZ7yX5xHfm58jUXsZJ7Ileq1S7G6Kk=
# End Signature: 192.0.2.0 - 192.0.2.255
]]></sourcecode>
<t>
The signature does not cover the signature lines.
</t>
<t>
The bracketing "# RPKI Signature:" and "# End Signature:"
<bcp14>MUST</bcp14> be present following the model as shown. Their IP
address range <bcp14>MUST</bcp14> match that of the inetnum: URL
followed to the file.
</t>
<t> <t>
<xref target="I-D.spaghetti-sidrops-rpki-rsc"/> describes and <xref target="I-D.ietf-sidrops-rpki-rsc" format="default"/> describes
provides code for a Cryptographic Message Syntax (CMS) profile and provides code for a CMS profile for
for a general purpose listing of checksums (a 'checklist'), for a general purpose listing of checksums (a "checklist") for use with
use with the Resource Public Key Infrastructure (RPKI). It the Resource Public Key Infrastructure (RPKI). It provides usable,
provides usable, albeit complex, code to sign geofeed files. albeit complex, code to sign geofeed files.
</t> </t>
<t> <t>
<xref target="I-D.ietf-sidrops-rpki-rta"/> describes a <xref target="I-D.ietf-sidrops-rpki-rta" format="default"/> describes
Cryptographic Message Syntax (CMS) profile for a general purpose a CMS profile for a general purpose Resource Tagged Attestation (RTA)
Resource Tagged Attestation (RTA) based on the RPKI. While this based on the RPKI. While this is expected to become applicable in the
is expected to become applicable in the long run, for the long run, for the purposes of this document, a self-signed root trust
purposes of this document, a self-signed root trust anchor is anchor is used.
used.
</t> </t>
</section> </section>
<section anchor="ops" numbered="true" toc="default">
<section title="Operational Considerations" anchor="ops"> <name>Operational Considerations</name>
<t> <t>
To create the needed inetnum: objects, an operator wishing to To create the needed inetnum: objects, an operator wishing to register
register the location of their geofeed file needs to coordinate the location of their geofeed file needs to coordinate with their
with their RIR/NIR and/or any provider LIR which has assigned Regional Internet Registry (RIR) or National Internet Registry (NIR)
address ranges to them. RIRs/NIRs provide means for assignees and/or any provider Local Internet Registry (LIR) that has assigned
to create and maintain inetnum: objects. They also provide address ranges to them. RIRs/NIRs provide means for assignees to
means of [sub-]assigning IP address resources and allowing the create and maintain inetnum: objects. They also provide means of
assignee to create whois data, including inetnum: objects, and assigning or sub-assigning IP address resources and allowing the
thereby referring to geofeed files. assignee to create WHOIS data, including inetnum: objects, thereby
referring to geofeed files.
</t> </t>
<t> <t>
The geofeed files MUST be published via and fetched using The geofeed files <bcp14>MUST</bcp14> be published via and fetched using
HTTPS <xref target="RFC2818"/>. HTTPS <xref target="RFC2818" format="default"/>.
</t> </t>
<t> <t>
When using data from a geofeed file, one MUST ignore data When using data from a geofeed file, one <bcp14>MUST</bcp14> ignore data
outside the referring inetnum: object's inetnum: attribute outside the referring inetnum: object's inetnum: attribute
address range. address range.
</t> </t>
<t> <t>
If and only if the geofeed file is not signed per <xref If and only if the geofeed file is not signed per <xref target="auth"
target="auth"/>, then multiple inetnum: objects MAY refer to the format="default"/>, then multiple inetnum: objects <bcp14>MAY</bcp14>
same geofeed file, and the consumer MUST use only lines in the refer to the same geofeed file, and the consumer <bcp14>MUST</bcp14>
geofeed file where the prefix is covered by the address range of use only lines in the geofeed file where the prefix is covered by the
the inetnum: object's URL it has followed. address range of the inetnum: object's URL it has followed.
</t> </t>
<t> <t>
If the geofeed file is signed, and the signer's certificate If the geofeed file is signed, and the signer's certificate
changes, the signature in the geofeed file MUST be updated. changes, the signature in the geofeed file <bcp14>MUST</bcp14> be update d.
</t> </t>
<t> <t>
It is good key hygiene to use a given key for only one purpose. It is good key hygiene to use a given key for only one purpose.
To dedicate a signing private key for signing a geofeed file, an To dedicate a signing private key for signing a geofeed file, an
RPKI CA may issue a subordinate certificate exclusively for RPKI Certification Authority (CA) may issue a subordinate certificate ex
the purpose as shown in <xref target="example"/>. clusively for
the purpose shown in <xref target="example" format="default"/>.
</t> </t>
<t> <t>
To minimize the load on RIR whois <xref target="RFC3912"/> To minimize the load on RIR WHOIS <xref target="RFC3912"
services, use of the RIR's FTP <xref target="RFC0959"/> services format="default"/> services, use of the RIR's FTP <xref
SHOULD be used for large scale access to gather geofeed URLs. target="RFC0959" format="default"/> services <bcp14>SHOULD</bcp14> be
This also provides bulk access instead of fetching by brute used for large-scale access to gather geofeed URLs. This also
force search through the IP space. provides bulk access instead of fetching by brute-force search
through the IP space.
</t> </t>
<t> <t>
Currently, geolocation providers have bulk whois data access at Currently, geolocation providers have bulk WHOIS data access at
all the RIRs. An anonymized version of such data is openly all the RIRs. An anonymized version of such data is openly
available for all RIRs except ARIN, which requires an available for all RIRs except ARIN, which requires an
authorization. However, for users without such authorization, authorization. However, for users without such authorization,
the same result can be achieved with extra RDAP effort. There is the same result can be achieved with extra RDAP effort. There is
open source code to pass over such data across all RIRs, collect open-source code to pass over such data across all RIRs, collect
all geofeed references, and process them <xref all geofeed references, and process them <xref target="GEOFEED-FINDER" f
target="geofeed-finder"/>. ormat="default"/>.
</t> </t>
<t> <t>
To prevent undue load on RPSL and geofeed servers, an entity To prevent undue load on RPSL and geofeed servers, entity-fetching
fetching geofeed data using these mechanisms MUST NOT do geofeed data using these mechanisms <bcp14>MUST NOT</bcp14> do
frequent real-time look-ups. <xref target="RFC8805"/> Section frequent real-time lookups. <xref target="RFC8805" sectionFormat="of"
3.4 suggests use of the <xref target="RFC7234"/> HTTP Expires section="3.4" format="default"/> suggests use of the HTTP Expires
Caching Header to signal when geofeed data should be header <xref target="RFC7234" format="default"/> to signal when
refetched. As the data change very infrequently, in the absence geofeed data should be refetched. As the data change very
of such an HTTP Header signal, collectors SHOULD NOT fetch more infrequently, in the absence of such an HTTP Header signal, collectors
frequently than weekly. It would be polite not to fetch at <bcp14>SHOULD NOT</bcp14> fetch more frequently than weekly. It would
magic times such as midnight UTC, the first of the month, etc., be polite not to fetch at magic times such as midnight UTC, the first
because too many others are likely to do the same. of the month, etc., because too many others are likely to do the same.
</t> </t>
</section> </section>
<section anchor="privacy" numbered="true" toc="default">
<section title="Privacy Considerations" anchor="privacy"> <name>Privacy Considerations</name>
<t> <t>
<xref target="RFC8805"/> geofeed data may reveal the approximate <xref target="RFC8805" format="default"/> geofeed data may reveal the
location of an IP address, which might in turn reveal the approximate location of an IP address, which might in turn reveal the
approximate location of an individual user. Unfortunately, approximate location of an individual user. Unfortunately, <xref
<xref target="RFC8805"/> provides no privacy guidance on target="RFC8805" format="default"/> provides no privacy guidance on
avoiding or ameliorating possible damage due to this exposure of avoiding or ameliorating possible damage due to this exposure of the
the user. In publishing pointers to geofeed files as described user. In publishing pointers to geofeed files as described in this
in this document, the operator should be aware of this exposure document, the operator should be aware of this exposure in geofeed
in geofeed data and be cautious. All the privacy considerations data and be cautious. All the privacy considerations of <xref
of <xref target="RFC8805"/> Section 4 apply to this document. target="RFC8805" sectionFormat="of" section="4" format="default"/>
apply to this document.
</t> </t>
<t> <t>
Where <xref target="RFC8805"/> provided the ability to publish Where <xref target="RFC8805" format="default"/> provided the ability
location data, this document makes bulk access to those data to publish location data, this document makes bulk access to those data
readily available. This is a goal, not an accident. readily available. This is a goal, not an accident.
</t> </t>
</section> </section>
<section anchor="seccons" numbered="true" toc="default">
<section title="Security Considerations" anchor="seccons"> <name>Security Considerations</name>
<t> <t>
It is generally prudent for a consumer of geofeed data to also It is generally prudent for a consumer of geofeed data to also
use other sources to cross-validate the data. All the Security use other sources to cross validate the data. All the security
Considerations of <xref target="RFC8805"/> apply here as well. considerations of <xref target="RFC8805" format="default"/> apply here a
s well.
</t> </t>
<t> <t>
As mentioned in <xref target="auth"/>, many RPSL repositories As mentioned in <xref target="auth" format="default"/>, many RPSL
have weak if any authentication. This allows spoofing of repositories have weak, if any, authentication. This allows spoofing
inetnum: objects pointing to malicious geofeed files. <xref of inetnum: objects pointing to malicious geofeed files. <xref
target="auth"/> suggests an unfortunately complex method for target="auth" format="default"/> suggests an unfortunately complex
stronger authentication based on the RPKI. method for stronger authentication based on the RPKI.
</t> </t>
<t> <t>
For example, if an inetnum: for a wide address range (e.g. a For example, if an inetnum: for a wide address range (e.g., a
/16) points to an RPKI-signed geofeed file, a customer or /16) points to an RPKI-signed geofeed file, a customer or
attacker could publish an unsigned equal or narrower (e.g. a attacker could publish an unsigned equal or narrower (e.g., a
/24) inetnum: in a whois registry which has weak authorization, /24) inetnum: in a WHOIS registry that has weak authorization,
abusing the rule that the most-specific inetnum: object with a abusing the rule that the most-specific inetnum: object with a
geofeed reference MUST be used. geofeed reference <bcp14>MUST</bcp14> be used.
</t> </t>
<t> <t>
If signatures were mandatory, the above attack would be stymied. If signatures were mandatory, the above attack would be stymied, but
But of course that is not happening anytime soon. of course that is not happening anytime soon.
</t> </t>
<t> <t>
The RPSL providers have had to throttle fetching from their The RPSL providers have had to throttle fetching from their
servers due to too-frequent queries. Usually they throttle by servers due to too-frequent queries. Usually, they throttle by
the querying IP address or block. Similar defenses will likely the querying IP address or block. Similar defenses will likely
need to be deployed by geofeed file servers. need to be deployed by geofeed file servers.
</t> </t>
</section> </section>
<section anchor="iana" numbered="true" toc="default">
<section title="IANA Considerations" anchor="iana"> <name>IANA Considerations</name>
<t> <t>
IANA is asked to register object identifiers for one content IANA has registered object identifiers for one content
type in the "SMI Security for S/MIME CMS Content Type type in the "SMI Security for S/MIME CMS Content Type
(1.2.840.113549.1.9.16.1)" registry as follows: (1.2.840.113549.1.9.16.1)" registry as follows:
</t> </t>
<figure> <table anchor="iana_table">
<artwork><![CDATA[ <thead>
Description OID Specification <tr>
id-ct-geofeedCSVwithCRLF 1.2.840.113549.1.9.16.1.47 [RFC-TBD] <th>Decimal</th>
]]></artwork> <th>Description</th>
</figure> <th>References</th>
</tr>
</section> </thead>
<tbody>
<section title="Acknowledgments" anchor="ack"> <tr>
<td>47</td>
<t> <td>id-ct-geofeedCSVwithCRLF</td>
Thanks to Rob Austein for CMS and detached signature clue. <td>RFC 9092</td>
George Michaelson for the first and substantial external review, </tr>
Erik Kline who was too shy to agree to co-authorship. </tbody>
Additionally, we express our gratitude to early implementors, </table>
including Menno Schepers, Flavio Luciani, Eric Dugas, Job
Snijders who provided running code, and Kevin Pack. Also, to
geolocation providers that are consuming geofeeds with this
described solution, Jonathan Kosgei (ipdata.co), Ben Dowling
(ipinfo.io), and Pol Nisenblat (bigdatacloud.com). For an
amazing number of helpful reviews we thank Adrian Farrel,
Antonio Prado, Francesca Palombini, Jean-Michel Combes (INTDIR),
John Scudder, Kyle Rose (SECDIR), Martin Duke, Murray Kucherawy,
Paul Kyzivat (GENART), Rob Wilton, and Roman Danyliw. The
authors also thank George Michaelson, the awesome document
shepherd.
</t>
</section> </section>
</middle> </middle>
<back> <back>
<references title="Normative References"> <displayreference target="I-D.ietf-sidrops-rpki-rsc" to="RPKI-RSC"/>
<?rfc include="reference.RFC.2119"?> <displayreference target="I-D.ietf-sidrops-rpki-rta" to="RPKI-RTA"/>
<?rfc include="reference.RFC.2622"?>
<?rfc include="reference.RFC.2725"?>
<?rfc include="reference.RFC.2818"?>
<?rfc include="reference.RFC.3629"?>
<?rfc include="reference.RFC.3779"?>
<?rfc include="reference.RFC.4012"?>
<?rfc include="reference.RFC.4648"?>
<?rfc include="reference.RFC.5280"?>
<?rfc include="reference.RFC.5652"?>
<?rfc include="reference.RFC.8174"?>
<?rfc include="reference.RFC.6481"?>
<?rfc include="reference.RFC.6486"?>
<?rfc include="reference.RFC.8805"?>
<?rfc include="reference.RFC.8933"?>
</references>
<references title="Informative References"> <references>
<?rfc include="reference.RFC.0959"?> <name>References</name>
<?rfc include="reference.RFC.3912"?> <references>
<?rfc include="reference.RFC.5485"?> <name>Normative References</name>
<?rfc include="reference.RFC.7234"?> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
<?rfc include="reference.RFC.7482"?> FC.2119.xml"/>
<?rfc include="reference.RFC.7485"?> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
<?rfc include="reference.RFC.7909"?> FC.2622.xml"/>
<?rfc include="reference.I-D.spaghetti-sidrops-rpki-rsc"?> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
<?rfc include="reference.I-D.ietf-sidrops-rpki-rta"?> FC.2725.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.2818.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.3629.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.3779.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.4012.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.4648.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.5280.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.5652.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.8174.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.6481.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.6486.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.8805.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.8933.xml"/>
</references>
<references>
<name>Informative References</name>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.0959.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.3912.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.5485.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.7234.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.9082.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.7485.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.7909.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.4632.xml"/>
<reference anchor="RIPE81" target="https://www.ripe.net/publications/docs/ <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D
ripe-081"> .ietf-sidrops-rpki-rsc.xml"/>
<front>
<title>Representation Of IP Routing Policies In The RIPE Database</tit
le>
<author><organization>RIPE</organization></author>
<date/>
</front>
</reference>
<reference anchor="RIPE181" target="https://www.ripe.net/publications/docs <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D
/ripe-181"> .ietf-sidrops-rpki-rta.xml"/>
<front>
<title>Representation Of IP Routing Policies In A Routing Registry</ti
tle>
<author><organization>RIPE</organization></author>
<date/>
</front>
</reference>
<reference anchor="RIPE-DB" target="https://www.ripe.net/manage-ips-and-as <reference anchor="RIPE81" target="https://www.ripe.net/publications/doc
ns/db/support/documentation/ripe-database-documentation"> s/ripe-081">
<front> <front>
<title>RIPE Database Documentation</title> <title>Representation Of IP Routing Policies In The RIPE Database</t
<author><organization>RIPE</organization></author> itle>
<date/> <author>
</front> <organization>RIPE NCC</organization>
</reference> </author>
<date month="February" year="1993"/>
</front>
</reference>
<reference anchor="INETNUM" target="https://www.ripe.net/manage-ips-and-as <reference anchor="RIPE181" target="https://www.ripe.net/publications/do
ns/db/support/documentation/ripe-database-documentation/rpsl-object-types/4-2-de cs/ripe-181">
scriptions-of-primary-objects/4-2-4-description-of-the-inetnum-object"> <front>
<front> <title>Representation Of IP Routing Policies In A Routing Registry</
<title>Description of the INETNUM Object</title> title>
<author><organization>RIPE</organization></author> <author>
<date/> <organization>RIPE NCC</organization>
</front> </author>
</reference> <date month="October" year="1994"/>
</front>
</reference>
<reference anchor="INET6NUM" target="https://www.ripe.net/manage-ips-and-a <reference anchor="RIPE-DB" target="https://www.ripe.net/manage-ips-and-
sns/db/support/documentation/ripe-database-documentation/rpsl-object-types/4-2-d asns/db/support/documentation/ripe-database-documentation">
escriptions-of-primary-objects/4-2-3-description-of-the-inet6num-object"> <front>
<front> <title>RIPE Database Documentation</title>
<title>Description of the INET6NUM Object</title> <author>
<author><organization>RIPE</organization></author> <organization>RIPE NCC</organization>
<date/> </author>
</front> <date/>
</reference> </front>
</reference>
<reference anchor="geofeed-finder" target="https://github.com/massimocande <reference anchor="INETNUM" target="https://www.ripe.net/manage-ips-and-
la/geofeed-finder"> asns/db/support/documentation/ripe-database-documentation/rpsl-object-types/4-2-
<front> descriptions-of-primary-objects/4-2-4-description-of-the-inetnum-object">
<title>geofeed-finder</title> <front>
<author><organization>Massimo Candela</organization></author> <title>Description of the INETNUM Object</title>
<date/> <author>
</front> <organization>RIPE NCC</organization>
</reference> </author>
<date month="June" year="2020"/>
</front>
</reference>
</references> <reference anchor="INET6NUM" target="https://www.ripe.net/manage-ips-and
-asns/db/support/documentation/ripe-database-documentation/rpsl-object-types/4-2
-descriptions-of-primary-objects/4-2-3-description-of-the-inet6num-object">
<front>
<title>Description of the INET6NUM Object</title>
<author>
<organization>RIPE NCC</organization>
</author>
<date month="October" year="2019"/>
</front>
</reference>
<section title="Example" anchor="example"> <reference anchor="GEOFEED-FINDER" target="https://github.com/massimocan
dela/geofeed-finder">
<front>
<title>geofeed-finder</title>
<author>
<organization></organization>
</author>
<date month="June" year="2021"/>
</front>
<refcontent>commit 5f557a4</refcontent>
</reference>
<t> </references>
This appendix provides an example, including a trust anchor, a CA </references>
<section anchor="example" numbered="true" toc="default">
<name>Example</name>
<t>
This appendix provides an example that includes a trust anchor, a CA
certificate subordinate to the trust anchor, an end-entity certificate subordinate to the trust anchor, an end-entity
certificate subordinate to the CA for signing the geofeed, and a certificate subordinate to the CA for signing the geofeed, and a
detached signature. detached signature.
</t> </t>
<t> <t>
The trust anchor is represented by a self-signed certificate. As The trust anchor is represented by a self-signed certificate. As
usual in the RPKI, the trust anchor has authority over all IPv4 usual in the RPKI, the trust anchor has authority over all IPv4
address blocks, all IPv6 address blocks, and all AS numbers. address blocks, all IPv6 address blocks, and all Autonomous System (AS) nu
</t> mbers.
</t>
<figure><artwork><![CDATA[ <sourcecode type=""><![CDATA[
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIEPjCCAyagAwIBAgIUPsUFJ4e/7pKZ6E14aBdkbYzms1gwDQYJKoZIhvcNAQEL MIIEPjCCAyagAwIBAgIUPsUFJ4e/7pKZ6E14aBdkbYzms1gwDQYJKoZIhvcNAQEL
BQAwFTETMBEGA1UEAxMKZXhhbXBsZS10YTAeFw0yMDA5MDMxODU0NTRaFw0zMDA5 BQAwFTETMBEGA1UEAxMKZXhhbXBsZS10YTAeFw0yMDA5MDMxODU0NTRaFw0zMDA5
MDExODU0NTRaMBUxEzARBgNVBAMTCmV4YW1wbGUtdGEwggEiMA0GCSqGSIb3DQEB MDExODU0NTRaMBUxEzARBgNVBAMTCmV4YW1wbGUtdGEwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQCelMmMDCGBhqn/a3VrNAoKMr1HVLKxGoG7VF/13HZJ AQUAA4IBDwAwggEKAoIBAQCelMmMDCGBhqn/a3VrNAoKMr1HVLKxGoG7VF/13HZJ
0twObUZlh3Jz+XeD+kNAURhELWTrsgdTkQQfqinqOuRemxTl55+x7nLpe5nmwaBH 0twObUZlh3Jz+XeD+kNAURhELWTrsgdTkQQfqinqOuRemxTl55+x7nLpe5nmwaBH
XqqDOHubmkbAGanGcm6T/rD9KNk1Z46Uc2p7UYu0fwNO0mo0aqFL2FSyvzZwziNe XqqDOHubmkbAGanGcm6T/rD9KNk1Z46Uc2p7UYu0fwNO0mo0aqFL2FSyvzZwziNe
g7ELYZ4a3LvGn81JfP/JvM6pgtoMNuee5RV6TWaz7LV304ICj8Bhphy/HFpOA1rb g7ELYZ4a3LvGn81JfP/JvM6pgtoMNuee5RV6TWaz7LV304ICj8Bhphy/HFpOA1rb
O9gs8CUMgqz+RroAIa8cV8gbF/fPCz9Ofl7Gdmib679JxxFrW4wRJ0nMJgJmsZXq O9gs8CUMgqz+RroAIa8cV8gbF/fPCz9Ofl7Gdmib679JxxFrW4wRJ0nMJgJmsZXq
jaVc0g7ORc+eIAcHw7Uroc6h7Y7lGjOkDZF75j0mLQa3AgMBAAGjggGEMIIBgDAd jaVc0g7ORc+eIAcHw7Uroc6h7Y7lGjOkDZF75j0mLQa3AgMBAAGjggGEMIIBgDAd
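Review bot: the validation step that appears only in the left column at the lines reading "Validation of the signer's certificate MUST ensure that it is part of the current [RFC6486] manifest and that the resources are covered by the RPKI certificate" has no counterpart in the right column, which closes the list with </li> and </ol> immediately after the RFC 3779 coverage step. If the step was intentionally dropped, the sentence that follows ("All of these steps MUST be successful to consider the geofeed file signature as valid") no longer requires a validator to confirm that the signer's certificate is listed in the current manifest, which is the check that ties the signature to the RPKI state at validation time rather than to a certificate that merely chains correctly; if the step was relocated earlier in the document, a cross-reference at this point would make that clear. Separately, the right column at "entity-fetching geofeed data using these mechanisms MUST NOT do frequent real-time lookups" has lost its subject: the left reads "an entity fetching geofeed data", and the hyphenated form should be reverted to that wording.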
skipping to change at line 813 skipping to change at line 746
ZXQvbm90aWZpY2F0aW9uLnhtbDAwBggrBgEFBQcwBYYkcnN5bmM6Ly9ycGtpLmV4 ZXQvbm90aWZpY2F0aW9uLnhtbDAwBggrBgEFBQcwBYYkcnN5bmM6Ly9ycGtpLmV4
YW1wbGUubmV0L3JlcG9zaXRvcnkvMCcGCCsGAQUFBwEHAQH/BBgwFjAJBAIAATAD YW1wbGUubmV0L3JlcG9zaXRvcnkvMCcGCCsGAQUFBwEHAQH/BBgwFjAJBAIAATAD
AwEAMAkEAgACMAMDAQAwHgYIKwYBBQUHAQgEEjAQoA4wDDAKAgEAAgUA/////zAN AwEAMAkEAgACMAMDAQAwHgYIKwYBBQUHAQgEEjAQoA4wDDAKAgEAAgUA/////zAN
BgkqhkiG9w0BAQsFAAOCAQEAgZFQ0Sf3CI5Hwev61AUWHYOFniy69PuDTq+WnhDe BgkqhkiG9w0BAQsFAAOCAQEAgZFQ0Sf3CI5Hwev61AUWHYOFniy69PuDTq+WnhDe
xX5rpjSDRrs5L756KSKJcaOJ36lzO45lfOPSY9fH6x30pnipaqRA7t5rApky24jH xX5rpjSDRrs5L756KSKJcaOJ36lzO45lfOPSY9fH6x30pnipaqRA7t5rApky24jH
cSUA9iRednzxhVyGjWKnfAKyNo2MYfaOAT0db1GjyLKbOADI9FowtHBUu+60ykcM cSUA9iRednzxhVyGjWKnfAKyNo2MYfaOAT0db1GjyLKbOADI9FowtHBUu+60ykcM
Quz66XrzxtmxlrRcAnbv/HtV17qOd4my6q5yjTPR1dmYN9oR/2ChlXtGE6uQVguA Quz66XrzxtmxlrRcAnbv/HtV17qOd4my6q5yjTPR1dmYN9oR/2ChlXtGE6uQVguA
rvNZ5CwiJ1TgGGTB7T8ORHwWU6dGTc0jk2rESAaikmLi1roZSNC21fckhapEit1a rvNZ5CwiJ1TgGGTB7T8ORHwWU6dGTc0jk2rESAaikmLi1roZSNC21fckhapEit1a
x8CyiVxjcVc5e0AmS1rJfL6LIfwmtive/N/eBtIM92HkBA== x8CyiVxjcVc5e0AmS1rJfL6LIfwmtive/N/eBtIM92HkBA==
-----END CERTIFICATE----- -----END CERTIFICATE-----
]]></artwork></figure> ]]></sourcecode>
<t> <t>
The CA certificate is issued by the trust anchor. This The CA certificate is issued by the trust anchor. This
certificate grants authority over one IPv4 address block certificate grants authority over one IPv4 address block
(192.0.2.0/24) and two AS numbers (64496 and 64497).</t> (192.0.2.0/24) and two AS numbers (64496 and 64497).</t>
<sourcecode type=""><![CDATA[
<figure><artwork><![CDATA[
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIFBzCCA++gAwIBAgIUcyCzS10hdfG65kbRq7toQAvRDKowDQYJKoZIhvcNAQEL MIIFBzCCA++gAwIBAgIUcyCzS10hdfG65kbRq7toQAvRDKowDQYJKoZIhvcNAQEL
BQAwFTETMBEGA1UEAxMKZXhhbXBsZS10YTAeFw0yMDA5MDMxOTAyMTlaFw0yMTA5 BQAwFTETMBEGA1UEAxMKZXhhbXBsZS10YTAeFw0yMDA5MDMxOTAyMTlaFw0yMTA5
MDMxOTAyMTlaMDMxMTAvBgNVBAMTKDNBQ0UyQ0VGNEZCMjFCN0QxMUUzRTE4NEVG MDMxOTAyMTlaMDMxMTAvBgNVBAMTKDNBQ0UyQ0VGNEZCMjFCN0QxMUUzRTE4NEVG
QzFFMjk3QjM3Nzg2NDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDc QzFFMjk3QjM3Nzg2NDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDc
zz1qwTxC2ocw5rqp8ktm2XyYkl8riBVuqlXwfefTxsR2YFpgz9vkYUd5Az9EVEG7 zz1qwTxC2ocw5rqp8ktm2XyYkl8riBVuqlXwfefTxsR2YFpgz9vkYUd5Az9EVEG7
6wGIyZbtmhK63eEeaqbKz2GHub467498BXeVrYysO+YuIGgCEYKznNDZ4j5aaDbo 6wGIyZbtmhK63eEeaqbKz2GHub467498BXeVrYysO+YuIGgCEYKznNDZ4j5aaDbo
j5+4/z0Qvv6HEsxQd0f8br6lKJwgeRM6+fm7796HNPB0aqD7Zj9NRCLXjbB0DCgJ j5+4/z0Qvv6HEsxQd0f8br6lKJwgeRM6+fm7796HNPB0aqD7Zj9NRCLXjbB0DCgJ
liH6rXMKR86ofgll9V2mRjesvhdKYgkGbOif9rvxVpLJ/6zdru5CE9yeuJZ59l+n liH6rXMKR86ofgll9V2mRjesvhdKYgkGbOif9rvxVpLJ/6zdru5CE9yeuJZ59l+n
YH/r6PzdJ4Q7yKrJX8qD6A60j4+biaU4MQ72KpsjhQNTTqF/HRwi0N54GDaknEwE YH/r6PzdJ4Q7yKrJX8qD6A60j4+biaU4MQ72KpsjhQNTTqF/HRwi0N54GDaknEwE
skipping to change at line 850 skipping to change at line 782
Oi8vcnJkcC5leGFtcGxlLm5ldC9ub3RpZmljYXRpb24ueG1sMDAGCCsGAQUFBzAF Oi8vcnJkcC5leGFtcGxlLm5ldC9ub3RpZmljYXRpb24ueG1sMDAGCCsGAQUFBzAF
hiRyc3luYzovL3Jwa2kuZXhhbXBsZS5uZXQvcmVwb3NpdG9yeS8wHwYIKwYBBQUH hiRyc3luYzovL3Jwa2kuZXhhbXBsZS5uZXQvcmVwb3NpdG9yeS8wHwYIKwYBBQUH
AQcBAf8EEDAOMAwEAgABMAYDBADAAAIwHgYIKwYBBQUHAQgEEjAQoA4wDDAKAgMA AQcBAf8EEDAOMAwEAgABMAYDBADAAAIwHgYIKwYBBQUHAQgEEjAQoA4wDDAKAgMA
+/ACAwD78TANBgkqhkiG9w0BAQsFAAOCAQEAnLu+d1ZsUTiX3YWGueTHIalW4ad0 +/ACAwD78TANBgkqhkiG9w0BAQsFAAOCAQEAnLu+d1ZsUTiX3YWGueTHIalW4ad0
Kupi7pYMV2nXbxNGmdJMol9BkzVz9tj55ReMghUU4YLm/ICYe4fz5e0T8o9s/vIm Kupi7pYMV2nXbxNGmdJMol9BkzVz9tj55ReMghUU4YLm/ICYe4fz5e0T8o9s/vIm
cGS29+WoGuiznMitpvbS/379gaMezk6KpqjH6Brw6meMqy09phmcmvm3x3WTmx09 cGS29+WoGuiznMitpvbS/379gaMezk6KpqjH6Brw6meMqy09phmcmvm3x3WTmx09
mLlQneMptwk8qSYcnMUmGLJs+cVqmkOa3sWRdw8WrGu6QqYtQz3HFZQojF06YzEq mLlQneMptwk8qSYcnMUmGLJs+cVqmkOa3sWRdw8WrGu6QqYtQz3HFZQojF06YzEq
V/dBdCFdEOwTfVl2n2XqhoJl/oEBdC4uu2G0qRk3+WVs+uwVHP0Ttsbt7TzFgZfY V/dBdCFdEOwTfVl2n2XqhoJl/oEBdC4uu2G0qRk3+WVs+uwVHP0Ttsbt7TzFgZfY
yxqvOg6QoldxZVZmHHncKmETu/BqCDGJot9may31ukrx34Bu+XFMVihm0w== yxqvOg6QoldxZVZmHHncKmETu/BqCDGJot9may31ukrx34Bu+XFMVihm0w==
-----END CERTIFICATE----- -----END CERTIFICATE-----
]]></artwork></figure> ]]></sourcecode>
<t>
<t>
The end-entity certificate is issued by the CA. This The end-entity certificate is issued by the CA. This
certificate grants signature authority for one IPv4 address block certificate grants signature authority for one IPv4 address block
(192.0.2.0/24). Signature authority for AS numbers is not needed for (192.0.2.0/24). Signature authority for AS numbers is not needed for
geofeed data signatures, so no AS numbers are included in the geofeed data signatures, so no AS numbers are included in the
certificate.</t> certificate.</t>
<sourcecode type=""><![CDATA[
<figure><artwork><![CDATA[
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIEpTCCA42gAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZuQwDQYJKoZIhvcNAQEL MIIEpTCCA42gAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZuQwDQYJKoZIhvcNAQEL
BQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExRTNFMTg0RUZDMUUyOTdC BQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExRTNFMTg0RUZDMUUyOTdC
Mzc3ODY0MjAeFw0yMTA1MjAxNjA1NDVaFw0yMjAzMTYxNjA1NDVaMDMxMTAvBgNV Mzc3ODY0MjAeFw0yMTA1MjAxNjA1NDVaFw0yMjAzMTYxNjA1NDVaMDMxMTAvBgNV
BAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM0NUFCRjA1M0ExODcwggEi BAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM0NUFCRjA1M0ExODcwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycTQrOb/qB2W3i3Ki8PhA/DEW MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycTQrOb/qB2W3i3Ki8PhA/DEW
yii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQgtPCVwr62hTQZCIowBN0BL0c yii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQgtPCVwr62hTQZCIowBN0BL0c
K0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZmr5xphXRvE+mzuJVLgu2V1upm K0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZmr5xphXRvE+mzuJVLgu2V1upm
BXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXhaFLe08y4DPfr/S/tXJOBm7QzQp BXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXhaFLe08y4DPfr/S/tXJOBm7QzQp
tmbPLYtGfprYu45liFFqqP94UeLpISfXd36AKGzqTFCcc3EW9l5UFE1MFLlnoEog tmbPLYtGfprYu45liFFqqP94UeLpISfXd36AKGzqTFCcc3EW9l5UFE1MFLlnoEog
skipping to change at line 887 skipping to change at line 817
c2l0b3J5LzNBQ0UyQ0VGNEZCMjFCN0QxMUUzRTE4NEVGQzFFMjk3QjM3Nzg2NDIu c2l0b3J5LzNBQ0UyQ0VGNEZCMjFCN0QxMUUzRTE4NEVGQzFFMjk3QjM3Nzg2NDIu
Y2VyMBkGCCsGAQUFBwEHAQH/BAowCDAGBAIAAQUAMEUGCCsGAQUFBwELBDkwNzA1 Y2VyMBkGCCsGAQUFBwEHAQH/BAowCDAGBAIAAQUAMEUGCCsGAQUFBwELBDkwNzA1
BggrBgEFBQcwDYYpaHR0cHM6Ly9ycmRwLmV4YW1wbGUubmV0L25vdGlmaWNhdGlv BggrBgEFBQcwDYYpaHR0cHM6Ly9ycmRwLmV4YW1wbGUubmV0L25vdGlmaWNhdGlv
bi54bWwwDQYJKoZIhvcNAQELBQADggEBAEjC98gVp0Mb7uiKaHylP0453mtJ+AkN bi54bWwwDQYJKoZIhvcNAQELBQADggEBAEjC98gVp0Mb7uiKaHylP0453mtJ+AkN
07fsK/qGw/e90DJv7cp1hvjj4uy3sgf7PJQ7cKNGrgybq/lE0jce+ARgVjbi2Brz 07fsK/qGw/e90DJv7cp1hvjj4uy3sgf7PJQ7cKNGrgybq/lE0jce+ARgVjbi2Brz
ZsWAnB846Snwsktw6cenaif6Aww6q00NspAepMBd2Vg/9sKFvOwJFVOgNcqiQiXP ZsWAnB846Snwsktw6cenaif6Aww6q00NspAepMBd2Vg/9sKFvOwJFVOgNcqiQiXP
5rGJPWBcOMv52a/7adjfXwpnOijiTOgMloQGmC2TPZpydZKjlxEATdFEQssa33xD 5rGJPWBcOMv52a/7adjfXwpnOijiTOgMloQGmC2TPZpydZKjlxEATdFEQssa33xD
nlpp+/r9xuNVYRtRcC36oWraVA3jzN6F6rDE8r8xs3ylISVz6JeCQ4YRYwbMsjjc nlpp+/r9xuNVYRtRcC36oWraVA3jzN6F6rDE8r8xs3ylISVz6JeCQ4YRYwbMsjjc
/tiJLM7ZYxIe5IrYz1ZtN6n/SEssJAswRIgps2EhCt/HS2xAmGCOhgU= /tiJLM7ZYxIe5IrYz1ZtN6n/SEssJAswRIgps2EhCt/HS2xAmGCOhgU=
-----END CERTIFICATE----- -----END CERTIFICATE-----
]]></artwork></figure> ]]></sourcecode>
<t>
The end-entity certificate is displayed below in detail. For
brevity, the other two certificates are not.
</t>
<sourcecode type=""><![CDATA[
<figure><artwork><![CDATA[
0 1189: SEQUENCE { 0 1189: SEQUENCE {
4 909: SEQUENCE { 4 909: SEQUENCE {
8 3: [0] { 8 3: [0] {
10 1: INTEGER 2 10 1: INTEGER 2
: } : }
13 20: INTEGER 27AD394083D7F2B5B99B8670C775B2B96EE166E4 13 20: INTEGER 27AD394083D7F2B5B99B8670C775B2B96EE166E4
35 13: SEQUENCE { 35 13: SEQUENCE {
37 9: OBJECT IDENTIFIER 37 9: OBJECT IDENTIFIER
: sha256WithRSAEncryption (1 2 840 113549 1 1 11) : sha256WithRSAEncryption (1 2 840 113549 1 1 11)
48 0: NULL 48 0: NULL
: A0 35 CA A2 42 25 CF E6 B1 89 3D 60 5C 38 CB F9 : A0 35 CA A2 42 25 CF E6 B1 89 3D 60 5C 38 CB F9
: D9 AF FB 69 D8 DF 5F 0A 67 3A 28 E2 4C E8 0C 96 : D9 AF FB 69 D8 DF 5F 0A 67 3A 28 E2 4C E8 0C 96
: 84 06 98 2D 93 3D 9A 72 75 92 A3 97 11 00 4D D1 : 84 06 98 2D 93 3D 9A 72 75 92 A3 97 11 00 4D D1
: 44 42 CB 1A DF 7C 43 9E 5A 69 FB FA FD C6 E3 55 : 44 42 CB 1A DF 7C 43 9E 5A 69 FB FA FD C6 E3 55
: 61 1B 51 70 2D FA A1 6A DA 54 0D E3 CC DE 85 EA : 61 1B 51 70 2D FA A1 6A DA 54 0D E3 CC DE 85 EA
: B0 C4 F2 BF 31 B3 7C A5 21 25 73 E8 97 82 43 86 : B0 C4 F2 BF 31 B3 7C A5 21 25 73 E8 97 82 43 86
: 11 63 06 CC B2 38 DC FE D8 89 2C CE D9 63 12 1E : 11 63 06 CC B2 38 DC FE D8 89 2C CE D9 63 12 1E
: E4 8A D8 CF 56 6D 37 A9 FF 48 4B 2C 24 0B 30 44 : E4 8A D8 CF 56 6D 37 A9 FF 48 4B 2C 24 0B 30 44
: 88 29 B3 61 21 0A DF C7 4B 6C 40 98 60 8E 86 05 : 88 29 B3 61 21 0A DF C7 4B 6C 40 98 60 8E 86 05
: } : }
]]></artwork></figure> ]]></sourcecode>
<t>
To allow reproduction of the signature results, the end-entity
private key is provided. For brevity, the other two private
keys are not.</t>
<sourcecode type=""><![CDATA[
<figure><artwork><![CDATA[
-----BEGIN RSA PRIVATE KEY----- -----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAsnE0Kzm/6gdlt4tyovD4QPwxFsootk4BqPaYAsDvZbCESOmW MIIEpQIBAAKCAQEAsnE0Kzm/6gdlt4tyovD4QPwxFsootk4BqPaYAsDvZbCESOmW
/5Pmkollj/ZEnM5XEILTwlcK+toU0GQiKMATdAS9HCtP+ZNYpiXYuanTN57yrMDP /5Pmkollj/ZEnM5XEILTwlcK+toU0GQiKMATdAS9HCtP+ZNYpiXYuanTN57yrMDP
Ap6EddbwfKUBcK7mZq+caYV0bxPps7iVS4LtldbqZgV7lpaHsprnYellifhg48D1 Ap6EddbwfKUBcK7mZq+caYV0bxPps7iVS4LtldbqZgV7lpaHsprnYellifhg48D1
zt0YlwXowazhTV4WhS3tPMuAz36/0v7VyTgZu0M0KbZmzy2LRn6a2LuOZYhRaqj/ zt0YlwXowazhTV4WhS3tPMuAz36/0v7VyTgZu0M0KbZmzy2LRn6a2LuOZYhRaqj/
eFHi6SEn13d+gChs6kxQnHNxFvZeVBRNTBS5Z6BKIKraC6CgAbdCJDhRingvxIHm eFHi6SEn13d+gChs6kxQnHNxFvZeVBRNTBS5Z6BKIKraC6CgAbdCJDhRingvxIHm
gXVi3uOvXXQva0H7ecOoOnJsRvmmA3SBAd+M6wIDAQABAoIBAQCyB0FeMuKm8bRo gXVi3uOvXXQva0H7ecOoOnJsRvmmA3SBAd+M6wIDAQABAoIBAQCyB0FeMuKm8bRo
18aKjFGSPEoZi53srIz5bvUgIi92TBLez7ZnzL6Iym26oJ+5th+lCHGO/dqlhXio 18aKjFGSPEoZi53srIz5bvUgIi92TBLez7ZnzL6Iym26oJ+5th+lCHGO/dqlhXio
pI50C5Yc9TFbblb/ECOsuCuuqKFjZ8CD3GVsHozXKJeMM+/o5YZXQrORj6UnwT0z pI50C5Yc9TFbblb/ECOsuCuuqKFjZ8CD3GVsHozXKJeMM+/o5YZXQrORj6UnwT0z
ol/JE5pIGUCIgsXX6tz9s5BP3lUAvVQHsv6+vEVKLxQ3wj/1vIL8O/CN036EV0GJ ol/JE5pIGUCIgsXX6tz9s5BP3lUAvVQHsv6+vEVKLxQ3wj/1vIL8O/CN036EV0GJ
FGSli+3KxQhCNIJJfgWzq4bE0ioAMjdGbYXzIYQFAoGBAM6tuDJ36KDU+hIS6wu6 FGSli+3KxQhCNIJJfgWzq4bE0ioAMjdGbYXzIYQFAoGBAM6tuDJ36KDU+hIS6wu6
O2TPSfZhF/zPo3pCWQ78/QDb+Zdw4IEiqoBA7F4NPVLg9Y/H8UTx9r/veqe7hPOo O2TPSfZhF/zPo3pCWQ78/QDb+Zdw4IEiqoBA7F4NPVLg9Y/H8UTx9r/veqe7hPOo
Ok7NpIzSmKTHkc5XfZ60Zn9OLFoKbaQ40a1kXoJdWEu2YROaUlAe9F6/Rog6PHYz Ok7NpIzSmKTHkc5XfZ60Zn9OLFoKbaQ40a1kXoJdWEu2YROaUlAe9F6/Rog6PHYz
vLE5qscRbu0XQhLkN+z7bg5bAoGBAKDsbDEb/dbqbyaAYpmwhH2sdRSkphg7Niwc vLE5qscRbu0XQhLkN+z7bg5bAoGBAKDsbDEb/dbqbyaAYpmwhH2sdRSkphg7Niwc
DNm9qWa1J6Zw1+M87I6Q8naRREuU1IAVqqWHVLr/ROBQ6NTJ1Uc5/qFeT2XXUgkf DNm9qWa1J6Zw1+M87I6Q8naRREuU1IAVqqWHVLr/ROBQ6NTJ1Uc5/qFeT2XXUgkf
taMKv61tuyjZK3sTmznMh0HfzUpWjEhWnCEuB+ZYVdmO52ZGw2A75RdrILL2+9Dc taMKv61tuyjZK3sTmznMh0HfzUpWjEhWnCEuB+ZYVdmO52ZGw2A75RdrILL2+9Dc
PvDXVubRAoGAdqXeSWoLxuzZXzl8rsaKrQsTYaXnOWaZieU1SL5vVe8nK257UDqZ PvDXVubRAoGAdqXeSWoLxuzZXzl8rsaKrQsTYaXnOWaZieU1SL5vVe8nK257UDqZ
E3ng2j5XPTUWli+aNGFEJGRoNtcQvO60O/sFZUhu52sqq9mWVYZNh1TB5aP8X+pV E3ng2j5XPTUWli+aNGFEJGRoNtcQvO60O/sFZUhu52sqq9mWVYZNh1TB5aP8X+pV
iFcZOLUvQEcN6PA+YQK5FU11rAI1M0Gm5RDnVnUl0L2xfCYxb7FzV6Y= iFcZOLUvQEcN6PA+YQK5FU11rAI1M0Gm5RDnVnUl0L2xfCYxb7FzV6Y=
-----END RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----
]]></artwork></figure> ]]></sourcecode>
<t>
Signing of "192.0.2.0/24,US,WA,Seattle," (terminated by CR and LF) yields the
following detached CMS signature.</t>
<sourcecode type=""><![CDATA[
<figure><artwork><![CDATA[
# RPKI Signature: 192.0.2.0 - 192.0.2.255 # RPKI Signature: 192.0.2.0 - 192.0.2.255
# MIIGjwYJKoZIhvcNAQcCoIIGgDCCBnwCAQMxDTALBglghkgBZQMEAgEwDQYLKoZ # MIIGjwYJKoZIhvcNAQcCoIIGgDCCBnwCAQMxDTALBglghkgBZQMEAgEwDQYLKoZ
# IhvcNAQkQAS+gggSpMIIEpTCCA42gAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZu # IhvcNAQkQAS+gggSpMIIEpTCCA42gAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZu
# QwDQYJKoZIhvcNAQELBQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExR # QwDQYJKoZIhvcNAQELBQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExR
# TNFMTg0RUZDMUUyOTdCMzc3ODY0MjAeFw0yMTA1MjAxNjA1NDVaFw0yMjAzMTYx # TNFMTg0RUZDMUUyOTdCMzc3ODY0MjAeFw0yMTA1MjAxNjA1NDVaFw0yMjAzMTYx
# NjA1NDVaMDMxMTAvBgNVBAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM # NjA1NDVaMDMxMTAvBgNVBAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM
# 0NUFCRjA1M0ExODcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycT # 0NUFCRjA1M0ExODcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycT
# QrOb/qB2W3i3Ki8PhA/DEWyii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQg # QrOb/qB2W3i3Ki8PhA/DEWyii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQg
# tPCVwr62hTQZCIowBN0BL0cK0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZm # tPCVwr62hTQZCIowBN0BL0cK0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZm
# r5xphXRvE+mzuJVLgu2V1upmBXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXha # r5xphXRvE+mzuJVLgu2V1upmBXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXha
# ZiIn1xFq/BToYcwCwYJYIZIAWUDBAIBoGswGgYJKoZIhvcNAQkDMQ0GCyqGSIb3 # ZiIn1xFq/BToYcwCwYJYIZIAWUDBAIBoGswGgYJKoZIhvcNAQkDMQ0GCyqGSIb3
# DQEJEAEvMBwGCSqGSIb3DQEJBTEPFw0yMTA1MjAxNjI4MzlaMC8GCSqGSIb3DQE # DQEJEAEvMBwGCSqGSIb3DQEJBTEPFw0yMTA1MjAxNjI4MzlaMC8GCSqGSIb3DQE
# JBDEiBCAr4vKeUvHJINsE0YQwUMxoo48qrOU+iPuFbQR8qX3BFjANBgkqhkiG9w # JBDEiBCAr4vKeUvHJINsE0YQwUMxoo48qrOU+iPuFbQR8qX3BFjANBgkqhkiG9w
# 0BAQEFAASCAQB85HsCBrU3EcVOcf4nC6Z3jrOjT+fVlyTDAObF6GTNWgrxe7jSA # 0BAQEFAASCAQB85HsCBrU3EcVOcf4nC6Z3jrOjT+fVlyTDAObF6GTNWgrxe7jSA
# Inyf51UzuIGqhVY3sQiiXbdWcVYtPb4118KvyeXh8A/HLp4eeAJntl9D3igt38M # Inyf51UzuIGqhVY3sQiiXbdWcVYtPb4118KvyeXh8A/HLp4eeAJntl9D3igt38M
# o84q5pf9pTQXx3hbsm51ilpOip/TKVMqzE42s6OPox3M0+6eKH3/vBKnw1s1ayM # o84q5pf9pTQXx3hbsm51ilpOip/TKVMqzE42s6OPox3M0+6eKH3/vBKnw1s1ayM
# 0MUnPDTBfZL3JJEGPWfIZHEcrypevbqR7Jjsz5vp0qyF2D9v+w+nyhZOPmuePm7 # 0MUnPDTBfZL3JJEGPWfIZHEcrypevbqR7Jjsz5vp0qyF2D9v+w+nyhZOPmuePm7
# YqLyOw/E99PVBs9uI+hmBiCz/BK2Z3VRjrrlrUU+49eldSTkZ2sJyhCbbV2Ufgi # YqLyOw/E99PVBs9uI+hmBiCz/BK2Z3VRjrrlrUU+49eldSTkZ2sJyhCbbV2Ufgi
# S2FOquAgJzjilyN3BDQLV8Rp9cGh0PpVslKH2na # S2FOquAgJzjilyN3BDQLV8Rp9cGh0PpVslKH2na
# End Signature: 192.0.2.0 - 192.0.2.255 # End Signature: 192.0.2.0 - 192.0.2.255
]]></artwork></figure> ]]></sourcecode>
</section> </section>
</back>
<section anchor="ack" numbered="false" toc="default">
<name>Acknowledgments</name>
<t>
Thanks to <contact fullname="Rob Austein"/> for CMS and detached
signature clue, <contact fullname="George Michaelson"/> for the first
and substantial external review, and <contact fullname="Erik Kline"/>
who was too shy to agree to coauthorship. Additionally, we express
our gratitude to early implementors, including <contact fullname="Menno
Schepers"/>; <contact fullname="Flavio Luciani"/>; <contact
fullname="Eric Dugas"/>; <contact fullname="Job Snijders"/>, who
provided running code; and <contact fullname="Kevin Pack"/>. Also,
thanks to the following geolocation providers who are consuming geofeeds
with this
described solution: <contact fullname="Jonathan Kosgei"/> (ipdata.co),
<contact fullname="Ben Dowling"/> (ipinfo.io), and <contact
fullname="Pol Nisenblat"/> (bigdatacloud.com). For an amazing number
of helpful reviews, we thank <contact fullname="Adrian Farrel"/>,
<contact fullname="Antonio Prado"/>, <contact fullname="Francesca
Palombini"/>, <contact fullname="Jean-Michel Combes"/> (INTDIR),
<contact fullname="John Scudder"/>, <contact fullname="Kyle Rose"/>
(SECDIR), <contact fullname="Martin Duke"/>, <contact fullname="Murray
Kucherawy"/>, <contact fullname="Paul Kyzivat"/> (GENART), <contact
fullname="Rob Wilton"/>, and <contact fullname="Roman Danyliw"/>. The
authors also thank <contact fullname="George Michaelson"/>, the
awesome document shepherd.
</t>
</section>
</back>
</rfc> </rfc>