Internet-Draft RPKI Manifest Number Handling January 2024
Harrison & Michaelson Expires 2 August 2024 [Page]
Workgroup:
Internet Engineering Task Force
Internet-Draft:
draft-harrison-sidrops-manifest-numbers-00
Updates:
RFC9286 (if approved)
Published:
Intended Status:
Standards Track
Expires:
Authors:
T. Harrison
APNIC
G. Michaelson
APNIC

RPKI Manifest Number Handling

Abstract

The Resource Public Key Infrastructure (RPKI) makes use of signed objects called manifests. A manifest lists each file that a publisher intends to include within an RPKI repository, and can be used to detect certain forms of attack against a repository. Manifests include a "manifest number" (manifestNumber), which the publisher must increment whenever it issues a new manifest, and Relying Parties (RPs) are required to verify that a newly-retrieved manifest for a given Certification Authority (CA) has a higher manifestNumber than the previously-validated manifest. However, the manifestNumber field is 20 octets in length (i.e. not unbounded), and no behaviour is specified for when a manifestNumber reaches the largest possible value. This document specifies publisher and RP behaviour for this scenario.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 2 August 2024.

Table of Contents

1. Introduction

The Resource Public Key Infrastructure (RPKI) [RFC6480] makes use of signed objects [RFC6488] called manifests [RFC9286]. A manifest lists each file that a publisher intends to include within an RPKI repository [RFC6481], and can be used to detect certain forms of attack against a repository. Manifests include a "manifest number" (manifestNumber), which the publisher must increment whenever it issues a new manifest, and Relying Parties (RPs) are required to verify that a newly-retrieved manifest for a given Certification Authority (CA) has a higher manifestNumber than the previously-validated manifest (see section 4.2.1 of [RFC9286]).

However, the manifestNumber field is 20 octets in length (i.e. not unbounded), and no behaviour is specified for when a manifestNumber reaches the largest possible value, which means that a publisher can no longer make use of a given CA certificate when that value is reached. (For the purposes of [RFC9286], a "CA" is represented by a CA certificate with a stable location and a stable private key. Reissuing a CA certificate with changed resources or a changed expiry date does not change the identity of the CA such that the stored manifestNumber for the CA is reset, for example.)

While it is practically impossible for a publisher to reach the largest possible value under normal operating conditions (it would require that the publisher issue one manifest per second for 46,343,912,903,694,283,301,740 quintillion years), there are scenarios in which it might occur:

These scenarios might also arise in combination and be more severe as a result: for example, a large manifest number increment bug in conjunction with a manifest reissuance loop problem.

For a subordinate CA, the risks associated with repository invalidation due to this problem are low, since the publisher can simply use the key rollover process ([RFC6489]) to get a new Certification Authority (CA) certificate. RPs will treat this new certificate as though it represents a distinct CA, and the manifestNumber can be reset at that point.

However, this option is not available for RPKI Trust Anchors (TAs). If a TA publishes a manifest with the largest-possible manifestNumber value, then it is not possible to make use of the TA after that point, because the certificate location (stored in the associated Trust Anchor Locator (TAL) [RFC8630]) and its private key cannot be changed. Issuing a new TA and distributing the associated TAL to clients would involve a large amount of work for TA operators and RPs, and there would be a limited degree of RPKI protection by way of that TA for the time between the issuance of the problematic manifest and the installation of the new TAL for a given client.

In order to avoid these problems, this document defines how publishers and RPs can handle this scenario in order to facilitate ongoing use of an affected repository.

1.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] [RFC8174].

2. Manifest Number Handling

For a given CA, an RP MUST NOT reject a new manifest issued by that CA on the grounds of it not having a higher manifestNumber than a previously validated manifest if the new manifest has a different filename from that of the previously validated manifest. In other words, an RP MUST reset its stored manifestNumber for a given CA if the CA changes the filename of its manifest.

With this behaviour, it is possible for a CA to be configured such that any time it issues a new manifest, it uses a new filename for that manifest. If a CA were configured in this way, the manifestNumber validation set out in section 4.2.1 of [RFC9286] would have no purpose. To avoid this outcome, CAs SHOULD NOT use new filenames for manifests except in situations where it is necessary to ensure the ongoing validity of the CA or its repository. Similarly, RP software SHOULD alert its operators when a manifest filename changes for a given CA.

3. Serial Number Arithmetic

Serial number arithmetic [RFC1982] is an approach that has been used in the DNS context (among others) to permit the indefinite use of a finite number space. At least in theory, it would be possible to use a similar approach with the manifestNumber field as well.

However, unlike the corresponding DNS context with SOA resource records, an RPKI CA does not have visibility into or control over RPKI RPs generally. This means that it is not possible to select updated manifestNumber values or to manage the relevant state transitions so as to definitively ensure that all RPs will have valid state at the end of the process. The approach proposed in the previous section does not have this problem.

4. Operational Considerations

CA software may opt to support this functionality in various ways. For example, it could change the manifest filename when the manifestNumber reaches a certain threshold, or it could alert the operator in this scenario and request confirmation that the filename should be changed.

5. IANA Considerations

N/A

6. Acknowledgements

N/A

7. References

7.1. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/info/rfc8174>.
[RFC9286]
Austein, R., Huston, G., Kent, S., and M. Lepinski, "Manifests for the Resource Public Key Infrastructure (RPKI)", RFC 9286, DOI 10.17487/RFC9286, , <https://www.rfc-editor.org/info/rfc9286>.

7.2. Informative References

[RFC1982]
Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982, DOI 10.17487/RFC1982, , <https://www.rfc-editor.org/info/rfc1982>.
[RFC6480]
Lepinski, M. and S. Kent, "An Infrastructure to Support Secure Internet Routing", RFC 6480, DOI 10.17487/RFC6480, , <https://www.rfc-editor.org/info/rfc6480>.
[RFC6481]
Huston, G., Loomans, R., and G. Michaelson, "A Profile for Resource Certificate Repository Structure", RFC 6481, DOI 10.17487/RFC6481, , <https://www.rfc-editor.org/info/rfc6481>.
[RFC6488]
Lepinski, M., Chi, A., and S. Kent, "Signed Object Template for the Resource Public Key Infrastructure (RPKI)", RFC 6488, DOI 10.17487/RFC6488, , <https://www.rfc-editor.org/info/rfc6488>.
[RFC6489]
Huston, G., Michaelson, G., and S. Kent, "Certification Authority (CA) Key Rollover in the Resource Public Key Infrastructure (RPKI)", BCP 174, RFC 6489, DOI 10.17487/RFC6489, , <https://www.rfc-editor.org/info/rfc6489>.
[RFC8630]
Huston, G., Weiler, S., Michaelson, G., Kent, S., and T. Bruijnzeels, "Resource Public Key Infrastructure (RPKI) Trust Anchor Locator", RFC 8630, DOI 10.17487/RFC8630, , <https://www.rfc-editor.org/info/rfc8630>.

Authors' Addresses

Tom Harrison
Asia Pacific Network Information Centre
6 Cordelia St
South Brisbane QLD 4101
Australia
George G. Michaelson
Asia-Pacific Network Information Centre
6 Cordelia St
South Brisbane QLD 4101
Australia