SIDROPS                                                           Z. Yan
Internet-Draft                                                     CNNIC
Intended status: Informational                            T. Bruijnzeels
Expires: 4 September 2025                                       RIPE NCC
                                                             T. Harrison
                                                                   APNIC
                                                            3 March 2025


                            RPKI Terminology
                  draft-yan-sidrops-rpki-terminology-00

Abstract

   The Resource Public Key Infrastructure (RPKI) is defined in dozens of
   different RFCs.  The terminology used by implementers and developers
   of RPKI protocols, and by operators of RPKI systems, can at times be
   inconsistent, leading to confusion.  This document gives current
   definitions for many of the terms used in the RPKI in a single
   document.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 4 September 2025.

Copyright Notice

   Copyright (c) 2025 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Revised BSD License text as described in Section 4.e of the
   Trust Legal Provisions and are provided without warranty as described
   in the Revised BSD License.

Yan, et al.             Expires 4 September 2025                [Page 1]

Internet-Draft               RPKI Terminology                 March 2025

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Module  . . . . . . . . . . . . . . . . . . . . . . . . . . .   2
   3.  Signed Objects  . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  RPKI Repository . . . . . . . . . . . . . . . . . . . . . . .   4
   5.  CA and Publication Repository Communication . . . . . . . . .   5
   6.  RPKI Repository and the Relying Party Communication . . . . .   5
   7.  RPKI and Router Protocol Communication  . . . . . . . . . . .   6
   8.  ROV . . . . . . . . . . . . . . . . . . . . . . . . . . . . .   6
   9.  Certificate Management  . . . . . . . . . . . . . . . . . . .   7
   10. Others  . . . . . . . . . . . . . . . . . . . . . . . . . . .   8
   11. Acknowledgment  . . . . . . . . . . . . . . . . . . . . . . .   8
   12. Normative References  . . . . . . . . . . . . . . . . . . . .   8
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   To do.

2.  Module

   Regional Internet Registry (RIR):  Any of the bodies recognized by
      IANA as the regional authorities for management of IP addresses
      and AS identifiers.  At the time of writing, these include
      AfriNIC, APNIC, ARIN, LACNIC, and RIPE NCC.

   National Internet Registry (NIR):

   Local Internet Registry (LIR):

   Internet Service Provider (ISP/registry):  An entity which has an IP
      address space and/or AS number allocation that it is permitted to
      sub-allocate.

   Autonomous System Number (ASN):

   Origin ASN:  The ASN that is expected to originate the BGP
      announcement.

   Certification Authority (CA):  Certification Authorities in the RPKI
      are entities that receive an RPKI CA certificate from an issuer.
      RPKI CA certificates bind a public key to Internet Number
      Resources (INRs).  CAs can use the corresponding private keys to
      sign validatable statements pertaining to those INRs, such as CA
      certificates issued to a subordinate CA with INRs that are a
      subset of the INRs held by the CA, or ROAs, etc.
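   The condition that a subordinate CA certificate may only carry INRs
   that are a subset of the issuing CA's INRs is the check an issuer
   performs before signing, and the check a relying party repeats when
   it validates the certificate.  The Python below is an added
   illustration, not code from this draft or from any RPKI
   implementation; the dictionary layout of a resource set, the
   function names and the sample resource sets are assumptions made
   for the example, and it models CIDR prefixes and AS ranges only
   (RFC 3779 also allows arbitrary address ranges and the "inherit"
   marker, which are not modelled here).

```python
"""Check that the Internet Number Resources (INRs) requested for a
subordinate CA certificate are a subset of the INRs held by the issuing
CA.  Added illustration; not code from the draft or from any RPKI
implementation.  The resource-set dictionary layout is an assumption
made for this example; it models CIDR prefixes and AS ranges only."""
import ipaddress

AS_MAX = 2**32 - 1  # 4-byte ASN space


def parse_prefixes(prefixes):
    """'192.0.2.0/24' -> ip_network; strict=True rejects host bits set."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def parse_as_ranges(ranges):
    """'64496' or '64496-64511' -> (low, high), inclusive."""
    out = []
    for r in ranges:
        low, _, high = r.partition("-")
        lo, hi = int(low), int(high) if high else int(low)
        if not 0 <= lo <= hi <= AS_MAX:
            raise ValueError(f"bad AS range {r!r}")
        out.append((lo, hi))
    return out


def prefix_covered(child, parents):
    """True if some parent prefix of the same address family contains child."""
    return any(child.version == p.version and child.subnet_of(p)
               for p in parents)


def asn_covered(child, parents):
    """True if some parent AS range contains the whole child range."""
    lo, hi = child
    return any(plo <= lo and hi <= phi for plo, phi in parents)


def overclaims(issuer, subject):
    """Return the subject resources that the issuer does not hold.
    An empty list means the subject's INRs are a subset of the issuer's,
    so a CA certificate may be issued for exactly those resources."""
    parent_prefixes = parse_prefixes(issuer["prefixes"])
    parent_asns = parse_as_ranges(issuer["asns"])
    bad = []
    for p in parse_prefixes(subject["prefixes"]):
        if not prefix_covered(p, parent_prefixes):
            bad.append(str(p))
    for lo, hi in parse_as_ranges(subject["asns"]):
        if not asn_covered((lo, hi), parent_asns):
            bad.append(f"AS{lo}" if lo == hi else f"AS{lo}-AS{hi}")
    return bad


# Constructed sample resource sets (documentation prefixes and ASNs).
ISSUER = {"prefixes": ["192.0.2.0/24", "2001:db8::/32"],
          "asns": ["64496-64511"]}
CHILD_OK = {"prefixes": ["192.0.2.128/25", "2001:db8:1::/48"],
            "asns": ["64500"]}
CHILD_OVERCLAIM = {"prefixes": ["192.0.2.0/25", "198.51.100.0/24"],
                   "asns": ["65000"]}

if __name__ == "__main__":
    for name, child in (("ok", CHILD_OK), ("overclaim", CHILD_OVERCLAIM)):
        print(name, overclaims(ISSUER, child) or "subset of issuer")
```

   The check is deliberately per-resource rather than a single boolean,
   so that an issuer can report exactly which requested prefixes or AS
   numbers fall outside its own holdings; a relying party applying the
   same test to a received certificate would treat a non-empty result
   as a validation failure for that certificate.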
   Repository:  The repository is the component responsible for storing
      and distributing RPKI-signed objects, such as Route Origin
      Authorizations (ROAs), certificates, Certificate Revocation Lists
      (CRLs), and manifest files.  It acts as a centralized or
      distributed database that enables RPKI validators (relying
      parties) to fetch and validate routing security data.  Its key
      functions include storing RPKI objects issued by CAs, using
      protocols like RRDP (RPKI Repository Delta Protocol) or rsync to
      synchronize data with RPKI validators, and ensuring that
      validators globally access the same authoritative data.

   Relying Party (RP):  A Relying Party (RP) is an entity that uses
      validated RPKI data to enhance the security of Border Gateway
      Protocol (BGP) routing decisions.  Its key responsibilities
      include:

      *  retrieving RPKI objects (e.g., certificates, ROAs, CRLs,
         manifests) from RPKI repositories using protocols like RRDP or
         rsync;

      *  validating the trust chain of certificates from end-entity
         certificates up to trusted root CAs;

      *  ensuring that ROAs are signed by authorized CAs and match the
         allocated IP address blocks and AS numbers;

      *  verifying that all repository objects are listed in the
         manifest and that their cryptographic hashes match;

      *  generating validation results and route status tags;

      *  using protocols like RPKI-to-Router (RTR) to feed VRPs to
         routers in order to enable real-time filtering of invalid
         routes.

   Address space holder:  An entity that has been allocated a specific
      range of IP addresses or AS numbers by an RIR or another
      authorized body.

3.  Signed Objects

   RPKI signed object:  A signed object is a cryptographically secured
      data structure that binds routing authorization information to a
      specific entity (e.g., an ASN or IP address holder).  These
      objects are digitally signed by a trusted CA to ensure
      authenticity, integrity, and non-repudiation.  They form the
      foundational ability of the RPKI to validate BGP route origins
      securely.

   Route Origination Authorization (ROA):  A ROA is a digitally signed
      object that provides a means of verifying that an IP address
      block holder has authorized an AS to originate routes to one or
      more prefixes within the address block.

   Manifest:  A signed object that provides a complete list of all the
      signed objects that an authority has published, along with their
      hashes, helping to detect unauthorized changes or deletions.

   Ghostbusters:  RPKI Ghostbusters Record.

   Autonomous System Provider Authorization:

   Trust Anchor Key (TAK):  An RPKI signed object.  A TAK object can be
      used by a TA to signal to RPs the location(s) of the accompanying
      CA certificate for the current public key, as well as the
      successor public key and the location(s) of its CA certificate
      (RFC 9691).

   Signed Checklist:

4.  RPKI Repository

   Hosted Model:  The RIRs manage the repository on behalf of the
      resource holders.  Resource holders use an interface provided by
      the RIR to create and manage their RPKI objects, which are then
      hosted by the RIR.

   Delegated Model:  Resource holders manage their own repositories
      independently.  They generate their own certificates and RPKI
      objects and publish them in a repository they control, requiring
      more technical expertise and infrastructure but offering greater
      control over the data.

   Repository Publication Point:  An RPKI Repository Publication Point
      is a designated location (URL or directory) where a CA publishes
      its RPKI-signed objects (e.g., X.509/PKIX Resource Certificates,
      Certificate Revocation Lists and other signed objects).  It is
      the specific access endpoint (e.g., URL or directory) within an
      RPKI repository where RPKI objects are published and made
      available for retrieval.

   Repository Object (or Object):  A terminal object in a repository
      publication point.

   Repository Directory:

   Repository Instance:
   Repository synchronization:

5.  CA and Publication Repository Communication

   Publication:  The Publication Protocol, which applies to RPKI
      certificate engines and publication repositories.

   Business PKI (BPKI):

   Publication engine/publication server:  The server providing the
      publication protocol.

   Publisher:  An entity acting in the client role of the publication
      protocol.

   The Out-of-Band Setup Protocol:  The basic function of this protocol
      is an exchange of public keys to be used as BPKI trust anchors
      (RFC 8183).

6.  RPKI Repository and the Relying Party Communication

   Rsync:  Rsync is a file synchronization and transfer tool designed
      to minimize data transfer time and bandwidth usage by copying
      only the differences between source and destination files.  It
      allows relying parties to synchronize the local copy of the RPKI
      repository used for validation with the remote repositories.

   RPKI Repository Delta Protocol:  Data synchronization protocol
      between repositories and relying parties.  It aims to replace the
      traditional rsync protocol, provide a more reliable, scalable,
      HTTPS-based incremental data synchronization mechanism, and
      ensure that RPKI validators can quickly obtain the latest routing
      authorization information.

   Update Notification File:  The Notification File acts as a directory
      pointing to the latest snapshot and delta files, allowing relying
      parties to discover any changes between the repository state and
      the relying party's cache.

   Snapshot File:  A snapshot file provides a complete copy of all RPKI
      objects (ROAs, certificates, CRLs) in a repository at a specific
      moment.

   Delta File:  A delta file contains the incremental changes
      (additions, modifications, deletions) to RPKI data since the last
      synchronization.  It is organized as an XML-structured file,
      which contains a sorted list of changes (publish, update, revoke).

   Same-Origin Policy (SOP) (RFC 9674):  The Same-Origin Policy is a
      foundational web security mechanism that restricts how resources
      (e.g., scripts, data) from one origin (domain, protocol, port)
      can interact with resources from another origin.  Its principles
      are relevant to RPKI RRDP in ensuring secure and trusted
      synchronization of RPKI data.

7.  RPKI and Router Protocol Communication

   RPKI-Router Protocol:  A standardized communication protocol
      designed to securely distribute validated routing information
      from RPKI validators to BGP routers.  It enables routers to
      enforce Route Origin Validation (ROV) by dynamically receiving
      and applying authorized prefix-to-AS mappings.  Two versions are
      defined: RPKI to Router Protocol Version 1 and RPKI to Router
      Protocol Version 2.

   Payload Protocol Data Unit:

   ASPA:  Autonomous System Provider Authorization.

   rpkiRtrMIB:  RPKI to Router Management Information Base.

8.  ROV

   RPKI-based Route Origin Validation or Prefix Origin Validation:
      RPKI-based Route Origin Validation (ROV), also known as Prefix
      Origin Validation, is a security mechanism designed to prevent
      route hijacking and misorigination in BGP by verifying whether an
      AS is authorized to announce specific IP address prefixes.

   Validated ROA Payload (VRP):  A VRP represents the validated result
      of a ROA after it has been verified by an RPKI validator.  The
      key components of a Validated ROA Payload are the IP address
      prefix, prefix length, maximum length, and origin AS number.

   Route Data:

   Route Prefix:  The prefix derived from a route.
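   The ROV and VRP definitions above, together with the Route Origin
   ASN derivation, the covered/matched relationship and the three
   validation states that Section 8 takes from RFC 6811, can be worked
   through as code.  The Python below is an added example, not code
   from this draft or from any validator; the AS_PATH representation
   as (segment type, ASN list) pairs, the VRP tuple layout, the
   function names and the sample routes are assumptions made here.  It
   goes slightly beyond the text by handling IPv4 and IPv6 VRPs alike
   and by rejecting a malformed maxLength when a VRP is built.

```python
"""RPKI-based Route Origin Validation (RFC 6811) worked through in code.
Added example for illustration; not code from the draft.  The VRP tuple
layout and the AS_PATH representation are assumptions made here."""
import ipaddress

NONE = "NONE"  # distinguished Route Origin ASN value from RFC 6811


def make_vrp(prefix, max_length, origin_asn):
    """Build a Validated ROA Payload: (prefix, maxLength, origin ASN).
    maxLength must lie between the prefix length and the address size."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"bad maxLength {max_length} for {net}")
    return (net, max_length, int(origin_asn))


def route_origin_asn(as_path, local_asn):
    """Derive the Route Origin ASN from an AS_PATH given as a list of
    (segment_type, [asn, ...]) pairs, following RFC 6811 Section 2."""
    if not as_path:
        return local_asn                # empty AS_PATH: the speaker's own AS
    seg_type, asns = as_path[-1]
    if seg_type == "AS_SEQUENCE":
        return asns[-1]                 # rightmost AS of the final segment
    if seg_type in ("AS_CONFED_SEQUENCE", "AS_CONFED_SET"):
        return local_asn                # confederation-internal segment
    return NONE                         # AS_SET or other: never matches a VRP


def covered(route_prefix, vrp):
    """A VRP covers a Route Prefix when the Route Prefix lies within it."""
    net, _, _ = vrp
    return route_prefix.version == net.version and route_prefix.subnet_of(net)


def matched(route_prefix, origin_asn, vrp):
    """Covered, prefix length within maxLength, and same origin ASN."""
    _, max_length, vrp_asn = vrp
    return (covered(route_prefix, vrp)
            and route_prefix.prefixlen <= max_length
            and origin_asn == vrp_asn)


def validation_state(route_prefix, origin_asn, vrps):
    """NotFound if no VRP covers the prefix, Valid if some covering VRP
    matches, otherwise Invalid."""
    net = ipaddress.ip_network(route_prefix, strict=True)
    covering = [v for v in vrps if covered(net, v)]
    if not covering:
        return "NotFound"
    if any(matched(net, origin_asn, v) for v in covering):
        return "Valid"
    return "Invalid"


def validate_route(route_prefix, as_path, local_asn, vrps):
    """Full ROV for one received route."""
    return validation_state(route_prefix,
                            route_origin_asn(as_path, local_asn), vrps)


# Constructed sample VRPs (documentation prefixes and ASNs).
VRPS = [
    make_vrp("192.0.2.0/24", 24, 64496),
    make_vrp("2001:db8::/32", 48, 64496),
]

# Constructed sample routes as seen by a BGP speaker in AS 64500.
LOCAL_ASN = 64500
ROUTES = {
    "valid":        ("192.0.2.0/24",    [("AS_SEQUENCE", [64499, 64496])]),
    "too_specific": ("192.0.2.0/25",    [("AS_SEQUENCE", [64496])]),
    "wrong_origin": ("192.0.2.0/24",    [("AS_SEQUENCE", [64511])]),
    "not_found":    ("198.51.100.0/24", [("AS_SEQUENCE", [64496])]),
    "as_set":       ("192.0.2.0/24",    [("AS_SEQUENCE", [64499]),
                                         ("AS_SET", [64496])]),
    "v6_valid":     ("2001:db8:1::/48", [("AS_SEQUENCE", [64496])]),
}


def run_samples():
    """Return {route name: validation state} for the constructed routes."""
    return {name: validate_route(p, path, LOCAL_ASN, VRPS)
            for name, (p, path) in ROUTES.items()}


if __name__ == "__main__":
    for name, state in run_samples().items():
        print(f"{name:13s} {state}")
```

   The "too_specific" route shows why maxLength matters: the /25 is
   covered by the /24 VRP but exceeds its maxLength, so it is Invalid
   even though the origin AS is the authorized one.  The "as_set" route
   shows the RFC 6811 rule that a final AS_SET segment yields the
   origin "NONE", which matches no VRP, so a covered prefix announced
   that way is Invalid rather than NotFound.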
   Route Origin ASN:  The origin AS number derived from a Route as
      follows: the rightmost AS in the final segment of the AS_PATH
      attribute in the Route if that segment is of type AS_SEQUENCE;
      the BGP speaker's own AS number if that segment is of type
      AS_CONFED_SEQUENCE or AS_CONFED_SET, or if the AS_PATH is empty;
      or the distinguished value "NONE" if the final segment of the
      AS_PATH attribute is of any other type (RFC 6811).

   Covered:

   Matched:

   Validation states:  NotFound, Valid, Invalid.

9.  Certificate Management

   RPKI Resource certificate:

   EE:

   RPKI certificate provisioning protocol:  It defines the standardized
      mechanisms for issuing, renewing, and managing RPKI certificates,
      which bind IP address blocks and AS numbers to cryptographic
      keys.  These certificates form the foundation of the Resource
      Public Key Infrastructure (RPKI), enabling secure validation of
      BGP routing announcements.

   Internet Number Resource issuer (issuer):

   Internet Number Resource recipient (subject):

   Resource class:

   Chain of Trust:

   Object Identifier:

   CRL (Certificate Revocation List):

   Trust anchor (TA):

   Trust Anchor Locator (TAL):

   IP Address Delegation or AS Identifier Delegation:

   Certificate Policy (CP):

   Subject Information Access (SIA):

   Authority Information Access (AIA):

   CRL Distribution Points (CRLDP):

   CRL issuer:

   Cryptographic Message Syntax:

   Public-Key Infrastructure using X.509 (PKIX):

   Certificate Request Message Format (CRMF):

   Key rollover:

   Subordinate certificates:

   Distinguished Encoding Rules (DER) format:

   SubjectPublicKeyInfo:

   Signature algorithm:

   Hashing algorithm:

   Reissuance:

   Certificate Revocation:

   Certificate Renewal:

   Certificate Modification:

   Resource Certificate Validation:

   RA (registration authority):

10.  Others

   SLURM:  Simplified Local Internet Number Resource Management with
      the RPKI.

11.  Acknowledgment

   To be determined.

12.  Normative References

   [RFC6480]  Lepinski, M. and S. Kent, "An Infrastructure to Support
              Secure Internet Routing", RFC 6480, DOI 10.17487/RFC6480,
              February 2012.

Authors' Addresses

   Zhiwei Yan
   CNNIC
   Email: yanzhiwei@cnnic.cn

   Tim Bruijnzeels
   RIPE NCC
   Email: tim@ripe.net

   Tom Harrison
   APNIC
   Email: tomh@apnic.net