One document matched: draft-ietf-sidr-publication-05.xml
<?xml version="1.0"?>
<!-- TODO
Define error codes
Access control discussion
Write security considerations
Access Control impacts of nesting
-->
<!-- See http://xml.resource.org/ for tools to convert this text -->
<?rfc compact="yes" ?><?rfc editing="no" ?><?rfc sortrefs="yes" ?><?rfc symrefs="yes" ?><?rfc toc="yes" ?><rfc category="std" ipr="trust200902" docName="draft-ietf-sidr-publication-05" obsoletes="" updates="" submissionType="IETF" xml:lang="en">
<front>
<title abbrev="RPKI Publication Protocol">
A Publication Protocol for the Resource Public Key Infrastructure (RPKI)
</title>
<author initials="S." surname="Weiler" fullname="Samuel Weiler">
<organization>SPARTA, Inc.</organization>
<address>
<postal>
<street>7110 Samuel Morse Drive</street>
<city>Columbia, Maryland</city>
<code>21046</code>
<country>US</country>
</postal>
<email>weiler@tislabs.com</email>
</address>
</author>
<author initials="A." surname="Sonalker" fullname="Anuja Sonalker">
<organization>Battelle Memorial Institute</organization>
<address>
<postal><street/></postal>
<email>sonalkera@battelle.org</email>
</address>
</author>
<author initials="R." surname="Austein" fullname="Rob Austein">
<organization>Dragon Research Labs</organization>
<address>
<email>sra@hactrn.net</email>
</address>
</author>
<date/>
<keyword>SIDR</keyword>
<abstract>
<t>
This document defines a protocol for publishing Resource
Public Key Infrastructure (RPKI) objects. Even though the
RPKI will have many participants issuing certificates and
creating other objects, it is operationally useful to
consolidate the publication of those objects. This document
provides the protocol for doing so.
</t>
</abstract>
</front>
<middle>
<section title="Introduction" toc="default">
<t>
This document assumes a working knowledge of the Resource
Public Key Infrastructure (RPKI), which is intended to support
improved routing security on the Internet.
<xref target="RFC6480" pageno="false" format="default"/>
</t>
<t>
In order to make participation in the RPKI easier, it is
helpful to have a few consolidated repositories for RPKI
objects, thus saving every participant from the cost of
maintaining a new service. Similarly, relying parties using
the RPKI objects will find it faster and more reliable to
retrieve the necessary set from a smaller number of
repositories.
</t>
<t>
These consolidated RPKI object repositories will in many cases
be outside the administrative scope of the organization
issuing a given RPKI object. In some cases, outsourcing
operation of the repository will be an explicit goal: some
resource holders who stringly wish to control their own RPKI
private keys may lack the resources to operate a 24x7
repository, or may simply not wish to do so.
</t>
<t>
The operator of an RPKI publication repository may well be an
Internet registry which issues certificates to its customers,
but it need not be; conceptually, operation of a an RPKI
publication repository is separate from operation of RPKI CA.
</t>
<t>
This document defines an RPKI publication protocol which
allows publication either within or across organizational
boundaries, and which makes fairly minimal demands on either
the CA engine or the publication service.
</t>
<section title="Terminology" toc="default">
<t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described
in <xref target="RFC2119" pageno="false" format="default"/>.
</t>
<t>
"Publication engine" and "publication server" are used
interchangeably to refer to the server providing the service
described in this document.
</t>
<t>
"Business Public Key Infrastructure" ("Business PKI" or
"BPKI") refers to a PKI, separate from the RPKI, used to
authenticate clients to the publication engine. We use the
term "Business PKI" here because an internet registry might
already have a PKI for authenticating its clients and might
wish to reuse that PKI for this protocol. There is,
however, no requirement to reuse such a PKI.
</t>
</section>
</section>
<section title="Protocol Specification" toc="default">
<t>
The publication protocol uses XML messages wrapped in signed
CMS messages, carried over HTTP transport.
</t>
<t>
The publication protocol uses a simple request/response
interaction. The client passes a request to the server, and
the server generates a corresponding response.
</t>
<t>
A message exchange commences with the client initiating an
HTTP POST with content type of "application/rpki-publication",
with the message object as the body. The server's response
will similarly be the body of the response with a content type
of "application/rpki-publication".
</t>
<t>
The content of the POST and the server's response will be a
well-formed Cryptographic Message Syntax (CMS)
<xref target="RFC5652" pageno="false" format="default"/> object with OID =
1.2.840.113549.1.7.2 as described in Section 3.1 of
<xref target="RFC6492" pageno="false" format="default"/>.
</t>
<section title="Common XML Message Format" toc="default">
<t>
The XML schema for this protocol is below in
<xref target="schema" pageno="false" format="default"/>. The basic XML message format looks
like this:
</t>
<!-- Begin inclusion: example.common-query.xml --><!-- Automatically generated, do not edit. --><figure><artwork>
<msg
type="query"
version="3"
xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
<!-- Zero or more PDUs -->
</msg>
</artwork></figure><!-- End inclusion: example.common-query.xml -->
<!-- Begin inclusion: example.common-reply.xml --><!-- Automatically generated, do not edit. --><figure><artwork>
<msg
type="reply"
version="3"
xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
<!-- Zero or more PDUs -->
</msg>
</artwork></figure><!-- End inclusion: example.common-reply.xml -->
<t>
Common attributes:
</t>
<t>
<list style="hanging">
<t hangText="version:">
The value of this attribute is the version of this protocol.
This document describes version 3.
</t>
<t hangText="type:">
The possible values of this attribute are "reply" and "query".
</t>
</list>
</t>
<t>
A query PDU may be one of two types: publish_query, or
withdraw_query.
</t>
<t>
A reply PDU may be one of three types: publish_reply,
withdraw_reply, or report_error_reply.
</t>
<t>
Each of these PDUs may include an optional tag to
facilitate bulk operation. If a tag is set in a query PDU,
the corresponding reply(s) MUST have the tag attribute set
to the same value.
</t>
</section>
<section title="Publication and Withdrawal" toc="default">
<t>
The publication protocol uses a common message format to
request publication of any RPKI object. This format was
chosen specifically to allow this protocol to accommodate
new types of RPKI objects without needing changes to this
protocol.
</t>
<t>
Both the <publish/> and <withdraw/> objects
have a payload of an optional tag and a URI. The
<publish/> query also contains the DER object to be
published, encoded in Base64.
</t>
<t>
Note that every publish and withdraw action requires a new
manifest, thus every publish or withdraw action will involve
at least two objects.
</t>
</section>
<section title="Error handling" anchor="errors" toc="default">
<t>
Errors are handled at two levels.
</t>
<t>
Since all messages in this protocol are conveyed over
HTTP connections, basic errors are indicated via the HTTP
response code. 4xx and 5xx responses indicate that something
bad happened. Errors that make it impossible to decode a
query or encode a response are handled in this way.
</t>
<t>
Where possible, errors will result in an XML
<report_error/> message which takes the place of
the expected protocol response message.
<report_error/> messages are CMS-signed XML messages
like the rest of this protocol, and thus can be archived to
provide an audit trail.
</t>
<t>
<report_error/> messages only appear in replies,
never in queries. The <report_error/> message can
appear in both the control and publication subprotocols.
</t>
<t>
Like all other messages in this protocol, the
<report_error/> message includes a "tag" attribute to
assist in matching the error with a particular query when
using batching. It is optional to set the tag on queries
but, if set on the query, it MUST be set on the reply or
error.
</t>
<t>
The error itself is conveyed in the error_code
attribute. The value of this attribute is a token indicating
the specific error that occurred.
</t>
<t>
The body of the <report_error/> element itself is an
optional text string; if present, this is debugging
information.
</t>
</section>
<section title="XML Schema" anchor="schema" toc="default">
<t>
The following is a RelaxNG compact form schema describing
the Publication Protocol.
</t>
<!-- Begin inclusion: rpki-publication.xml --><figure><artwork># $Id: rpki-publication.rnc 2698 2013-12-13 23:33:07Z sra $
# RelaxNG schema for RPKI publication protocol.
default namespace =
"http://www.hactrn.net/uris/rpki/publication-spec/"
# This is version 3 of the protocol.
version = "3"
# Top level PDU is either a query or a reply.
start = element msg {
attribute version { version } ,
( ( attribute type { "query" }, query_elt* ) |
( attribute type { "reply" }, reply_elt* ) )
}
# PDUs allowed in queries and replies.
query_elt = publish_query | withdraw_query
reply_elt = publish_reply | withdraw_reply | report_error_reply
# Tag attributes for bulk operations.
tag = attribute tag { xsd:token { maxLength="1024" } }
# Base64 encoded DER stuff.
base64 = xsd:base64Binary
# Publication URIs.
uri = attribute uri { xsd:anyURI { maxLength="4096" } }
# Handles on remote objects (replaces passing raw SQL IDs).
object_handle = xsd:string {
maxLength = "255"
pattern="[\-_A-Za-z0-9/]*"
}
# Error codes.
error = xsd:token { maxLength="1024" }
# <publish/> element
publish_query |= element publish { tag?, uri, base64 }
publish_reply |= element publish { tag?, uri }
# <withdraw/> element
withdraw_query |= element withdraw { tag?, uri }
withdraw_reply |= element withdraw { tag?, uri }
# <report_error/> element
report_error_reply = element report_error {
tag?,
attribute error_code { error },
xsd:string { maxLength="512000" }?
}
</artwork></figure><!-- End inclusion: rpki-publication.xml -->
</section>
</section>
<section title="Examples" toc="default">
<t>
Following are examples of various queries and the
corresponding replies for the RPKI publication protocol
</t>
<section title="<publish/> Query" toc="default">
<!-- Begin inclusion: example.publish-query.xml --><!-- Automatically generated, do not edit. --><figure><artwork>
<msg
type="query"
version="3"
xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
<publish
uri="rsync://wombat.example/Alice/blCrcCp9ltyPDNzYKPfxc.cer">
MIIE+jCCA+KgAwIBAgIBDTANBgkqhkiG9w0BAQsFADAzMTEwLwYDVQQDEyhE
RjRBODAxN0U2NkE5RTkxNzJFNDYxMkQ4Q0Y0QzgzRjIzOERFMkEzMB4XDTA4
MDUyMjE4MDUxMloXDTA4MDUyNDE3NTQ1M1owMzExMC8GA1UEAxMoOEZCODIx
OEYwNkU1MEFCNzAyQTdEOTZEQzhGMENEQ0Q4MjhGN0YxNzCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAMeziKp0k5nP7v6SZoNsXIMQYRgNtC6F
r/9Xm/1yQHomiPqHUk47rHhGojYiK5AhkrwoYhkH4UjJl2iwklDYczXuaBU3
F5qrKlZ4aZnjIxdlP7+hktVpeApL6yuJTUAYeC3UIxnLDVdD6phydZ/FOQlu
ffiNDjzteCCvoyOUatqt8WB+oND6LToHp028g1YUYLHG6mur0dPdcHOVXLSm
UDuZ1HDz1nDuYvIVKjB/MpH9aW9XeaQ6ZFIlZVPwuuvI2brR+ThH7Gv27GL/
o8qFdC300VQfoTZ+rKPGDE8K1cI906BL4kiwx9z0oiDcE96QCz+B0vsjc9mG
aA1jgAxlXWsCAwEAAaOCAhcwggITMB0GA1UdDgQWBBSPuCGPBuUKtwKn2W3I
8M3Ngo9/FzAfBgNVHSMEGDAWgBTfSoAX5mqekXLkYS2M9Mg/I43iozBVBgNV
HR8ETjBMMEqgSKBGhkRyc3luYzovL2xvY2FsaG9zdDo0NDAwL3Rlc3RiZWQv
UklSLzEvMzBxQUYtWnFucEZ5NUdFdGpQVElQeU9ONHFNLmNybDBFBggrBgEF
BQcBAQQ5MDcwNQYIKwYBBQUHMAKGKXJzeW5jOi8vbG9jYWxob3N0OjQ0MDAv
dGVzdGJlZC9XT01CQVQuY2VyMBgGA1UdIAEB/wQOMAwwCgYIKwYBBQUHDgIw
DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwgZsGCCsGAQUFBwEL
BIGOMIGLMDQGCCsGAQUFBzAFhihyc3luYzovL2xvY2FsaG9zdDo0NDAwL3Rl
c3RiZWQvUklSL1IwLzEvMFMGCCsGAQUFBzAKhkdyc3luYzovL2xvY2FsaG9z
dDo0NDAwL3Rlc3RiZWQvUklSL1IwLzEvajdnaGp3YmxDcmNDcDlsdHlQRE56
WUtQZnhjLm1uZjAaBggrBgEFBQcBCAEB/wQLMAmgBzAFAgMA/BUwPgYIKwYB
BQUHAQcBAf8ELzAtMCsEAgABMCUDAwAKAzAOAwUAwAACAQMFAcAAAiAwDgMF
AsAAAiwDBQDAAAJkMA0GCSqGSIb3DQEBCwUAA4IBAQCEhuH7jtI2PJY6+zwv
306vmCuXhtu9Lr2mmRw2ZErB8EMcb5xypMrNqMoKeu14K2x4a4RPJkK4yATh
M81FPNRsU5mM0acIRnAPtxjHvPME7PHN2w2nGLASRsZmaa+b8A7SSOxVcFUR
azENztppsolHeTpm0cpLItK7mNpudUg1JGuFo94VLf1MnE2EqARG1vTsNhel
/SM/UvOArCCOBvf0Gz7kSuupDSZ7qx+LiDmtEsLdbGNQBiYPbLrDk41PHrxd
x28qIj7ejZkRzNFw/3pi8/XK281h8zeHoFVu6ghRPy5dbOA4akX/KG6b8XIx
0iwPYdLiDbdWFbtTdPcXBauY
</publish>
</msg>
</artwork></figure><!-- End inclusion: example.publish-query.xml -->
</section>
<section title="<publish/> Reply" toc="default">
<!-- Begin inclusion: example.publish-reply.xml --><!-- Automatically generated, do not edit. --><figure><artwork>
<msg
type="reply"
version="3"
xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
<publish
uri="rsync://wombat.example/Alice/blCrcCp9ltyPDNzYKPfxc.cer"/>
</msg>
</artwork></figure><!-- End inclusion: example.publish-reply.xml -->
</section>
<section title="<withdraw/> Query" toc="default">
<!-- Begin inclusion: example.withdraw-query.xml --><!-- Automatically generated, do not edit. --><figure><artwork>
<msg
type="query"
version="3"
xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
<withdraw
uri="rsync://wombat.example/Alice/blCrcCp9ltyPDNzYKPfxc.cer"/>
</msg>
</artwork></figure><!-- End inclusion: example.withdraw-query.xml -->
</section>
<section title="<withdraw/> Reply" toc="default">
<!-- Begin inclusion: example.withdraw-reply.xml --><!-- Automatically generated, do not edit. --><figure><artwork>
<msg
type="reply"
version="3"
xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
<withdraw
uri="rsync://wombat.example/Alice/blCrcCp9ltyPDNzYKPfxc.cer"/>
</msg>
</artwork></figure><!-- End inclusion: example.withdraw-reply.xml -->
</section>
<section title="<report_error/> With Text" toc="default">
<!-- Begin inclusion: example.report-error-1-reply.xml --><!-- Automatically generated, do not edit. --><figure><artwork>
<msg
type="reply"
version="3"
xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
<report_error
error_code="your_hair_is_on_fire">
Shampooing with sterno again, are we?
</report_error>
</msg>
</artwork></figure><!-- End inclusion: example.report-error-1-reply.xml -->
</section>
<section title="<report_error/> Without Text" toc="default">
<!-- Begin inclusion: example.report-error-2-reply.xml --><!-- Automatically generated, do not edit. --><figure><artwork>
<msg
type="reply"
version="3"
xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
<report_error
error_code="your_hair_is_on_fire"/>
</msg>
</artwork></figure><!-- End inclusion: example.report-error-2-reply.xml -->
</section>
</section>
<section title="Operational Considerations" toc="default">
<t>
There are two basic options open to the repository operator as to how
the publication tree is laid out. The first option is simple: each
publication client is given its own directory one level below the top
of the rcynic module, and there is no overlap between the publication
spaces used by different clients. For example:
</t>
<t>
rsync://example.org/rpki/Alice/ <vspace blankLines="0"/>
rsync://example.org/rpki/Bob/ <vspace blankLines="0"/>
rsync://example.org/rpki/Carol/
</t>
<t>
This has the advantage of being very easy for the publication operator
to manage, but has the drawback of making it difficult for relying
parties to fetch published objects both safely and as efficiently as
possible.
</t>
<t>
Given that the mandatory-to-implement retrieval protocol for relying
parties is rsync, a more efficient repository structure would be one
which minimized the number of rsync fetches required. One such
structure would be one in which the publication directories for
subjects were placed underneath the publication directories of their
issuers: since the normal synchronization tree walk is top-down, this
can significantly reduce the total number of rsync connections
required to synchronize. For example:
</t>
<t>
rsync://example.org/rpki/Alice/ <vspace blankLines="0"/>
rsync://example.org/rpki/Alice/Bob/ <vspace blankLines="0"/>
rsync://example.org/rpki/Alice/Bob/Carol/
</t>
<t>
Preliminary measurement suggests that, in the case of large numbers of
small publication directories, the time needed to set up and tear down
individual rsync connections becomes significant, and that a properly
optimized tree structure can reduce synchronization time by an order
of magnitude.
</t>
<t>
The more complex tree structure does require careful attention to the
base_uri attribute values when setting up clients. In the example
above, assuming that Alice issues to Bob who in turn issues to Carol,
Alice has ceded control of a portion of her publication space to Bob,
who has in turn ceded a portion of that to Carol, and the base_uri
attributes in the <client/> setup messages should reflect this.
</t>
<t>
The details of how the repository operator determines that Alice has
given Bob permission to nest Bob's publication directory under Alice's
is outside the scope of this protocol.
</t>
</section>
<section title="IANA Considerations" toc="default">
<t>
IANA is asked to register the application/rpki-publication
MIME media type as follows:
</t>
<!-- Begin inclusion: mime-type.xml --><figure><artwork>
MIME media type name: application
MIME subtype name: rpki-publication
Required parameters: None
Optional parameters: None
Encoding considerations: binary
Security considerations: Carries an RPKI Publication Protocol
Message, as defined in this document.
Interoperability considerations: None
Published specification: This document
Applications which use this media type: HTTP
Additional information:
Magic number(s): None
File extension(s):
Macintosh File Type Code(s):
Person & email address to contact for further information:
Rob Austein <sra@hactrn.net>
Intended usage: COMMON
Author/Change controller: Rob Austein <sra@hactrn.net>
</artwork></figure><!-- End inclusion: mime-type.xml -->
</section>
<section title="Security Considerations" anchor="security" toc="default">
<t>
The RPKI publication protocol and the data it publishes use
entirely separate PKIs for authentication. The published data
is authenticated within the RPKI, and this protocol has
nothing to do with that authentication, nor does it require
that the published objects be valid in the RPKI. The
publication protocol uses a separate Business PKI (BPKI) to
authenticate its messages.
</t>
<t>
Each of the RPKI publication protocol messages is CMS-signed.
Because of that protection at the application layer, this
protocol does not require the use of HTTPS or other transport
security mechanisms.
</t>
<t>
Compromise of a publication server, perhaps through
mismanagement of BPKI keys, could lead to a denial-of-service
attack on the RPKI. An attacker gaining access to BPKI keys
could use this protocol delete (withdraw) RPKI objects,
leading to routing changes or failures. Accordingly, as in
most PKIs, good key management practices are important.
</t>
</section>
</middle>
<back>
<references title="Normative References">
<!-- Begin inclusion: reference.RFC.6492.xml --><reference anchor="RFC6492">
<front>
<title>A Protocol for Provisioning Resource Certificates</title>
<author fullname="G. Huston" initials="G." surname="Huston">
<organization/>
</author>
<author fullname="R. Loomans" initials="R." surname="Loomans">
<organization/>
</author>
<author fullname="B. Ellacott" initials="B." surname="Ellacott">
<organization/>
</author>
<author fullname="R. Austein" initials="R." surname="Austein">
<organization/>
</author>
<date month="February" year="2012"/>
<keyword>RPKI</keyword>
<abstract>
<t>This document defines a framework for certificate management interactions between an Internet Number Resource issuer ("issuer") and an Internet Number Resource recipient ("subject") through the specification of a protocol for interaction between the two parties. The protocol supports the transmission of requests from the subject, and corresponding responses from the issuer encompassing the actions of certificate issuance, certificate revocation, and certificate status information reports. This protocol is intended to be limited to the application of Internet Number Resource Certificate management and is not intended to be used as part of a more general certificate management framework. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6492"/>
<format type="TXT" octets="65896" target="http://www.rfc-editor.org/rfc/rfc6492.txt"/>
<!-- current-status PROPOSED STANDARD -->
<!-- publication-status PROPOSED STANDARD -->
</reference><!-- End inclusion: reference.RFC.6492.xml -->
<!-- Begin inclusion: reference.RFC.2119.xml --><reference anchor="RFC2119">
<front>
<title>Key words for use in RFCs to Indicate Requirement Levels</title>
<author fullname="S. Bradner" initials="S." surname="Bradner">
<organization/>
</author>
<date month="March" year="1997"/>
<keyword>Standards</keyword>
<keyword>Track</keyword>
<keyword>Documents</keyword>
<abstract>
<t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="2119"/>
<seriesInfo name="BCP" value="14"/>
<format type="TXT" octets="4723" target="http://www.rfc-editor.org/rfc/rfc2119.txt"/>
<!-- current-status BEST CURRENT PRACTICE -->
<!-- publication-status BEST CURRENT PRACTICE -->
</reference><!-- End inclusion: reference.RFC.2119.xml -->
<!-- Begin inclusion: reference.RFC.5652.xml --><reference anchor="RFC5652">
<front>
<title>Cryptographic Message Syntax (CMS)</title>
<author fullname="R. Housley" initials="R." surname="Housley">
<organization/>
</author>
<date month="September" year="2009"/>
<keyword>digital signature</keyword>
<keyword>message content</keyword>
<abstract>
<t>This document describes the Cryptographic Message Syntax (CMS). This syntax is used to digitally sign, digest, authenticate, or encrypt arbitrary message content. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5652"/>
<seriesInfo name="STD" value="70"/>
<format type="TXT" octets="126813" target="http://www.rfc-editor.org/rfc/rfc5652.txt"/>
<!-- obsoletes RFC3852 -->
<!-- current-status INTERNET STANDARD -->
<!-- publication-status DRAFT STANDARD -->
</reference><!-- End inclusion: reference.RFC.5652.xml -->
</references>
<references title="Informative References">
<!-- Begin inclusion: reference.RFC.6480.xml --><reference anchor="RFC6480">
<front>
<title>An Infrastructure to Support Secure Internet Routing</title>
<author fullname="M. Lepinski" initials="M." surname="Lepinski">
<organization/>
</author>
<author fullname="S. Kent" initials="S." surname="Kent">
<organization/>
</author>
<date month="February" year="2012"/>
<keyword>RPKI</keyword>
<keyword>BGP</keyword>
<keyword>ROA</keyword>
<abstract>
<t>This document describes an architecture for an infrastructure to support improved security of Internet routing. The foundation of this architecture is a Resource Public Key Infrastructure (RPKI) that represents the allocation hierarchy of IP address space and Autonomous System (AS) numbers; and a distributed repository system for storing and disseminating the data objects that comprise the RPKI, as well as other signed objects necessary for improved routing security. As an initial application of this architecture, the document describes how a legitimate holder of IP address space can explicitly and verifiably authorize one or more ASes to originate routes to that address space. Such verifiable authorizations could be used, for example, to more securely construct BGP route filters. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6480"/>
<format type="TXT" octets="62127" target="http://www.rfc-editor.org/rfc/rfc6480.txt"/>
<!-- current-status INFORMATIONAL -->
<!-- publication-status INFORMATIONAL -->
</reference><!-- End inclusion: reference.RFC.6480.xml -->
</references>
</back>
</rfc><!--
- Local Variables:
- mode:sgml
- End:
-->
| PAFTECH AB 2003-2026 | 2026-04-23 05:01:20 |