1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
|
Internet Engineering Task Force (IETF) S. Kent
Request for Comments: 8211 BBN Technologies
Category: Informational D. Ma
ISSN: 2070-1721 ZDNS
September 2017
Adverse Actions by a Certification Authority (CA) or Repository Manager
in the Resource Public Key Infrastructure (RPKI)
Abstract
This document analyzes actions by or against a Certification
Authority (CA) or an independent repository manager in the RPKI that
can adversely affect the Internet Number Resources (INRs) associated
with that CA or its subordinate CAs. The analysis is done from the
perspective of an affected INR holder. The analysis is based on
examination of the data items in the RPKI repository, as controlled
by a CA (or an independent repository manager) and fetched by Relying
Parties (RPs). The analysis does not purport to be comprehensive; it
does represent an orderly way to analyze a number of ways that errors
by or attacks against a CA or repository manager can affect the RPKI
and routing decisions based on RPKI data.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It has been approved for publication by the Internet
Engineering Steering Group (IESG). Not all documents approved by the
IESG are a candidate for any level of Internet Standard; see
Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8211.
Kent & Ma Informational [Page 1]
^L
RFC 8211 RPKI Adverse CA Actions September 2017
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Analysis of RPKI Repository Objects . . . . . . . . . . . . . 4
2.1. CA Certificates . . . . . . . . . . . . . . . . . . . . . 6
2.2. Manifest . . . . . . . . . . . . . . . . . . . . . . . . 9
2.3. Certificate Revocation List . . . . . . . . . . . . . . . 12
2.4. ROA . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.5. Ghostbusters Record . . . . . . . . . . . . . . . . . . . 17
2.6. Router Certificates . . . . . . . . . . . . . . . . . . . 18
3. Analysis of Actions Relative to Scenarios . . . . . . . . . . 19
3.1. Scenario A . . . . . . . . . . . . . . . . . . . . . . . 21
3.2. Scenario B . . . . . . . . . . . . . . . . . . . . . . . 21
3.3. Scenario C . . . . . . . . . . . . . . . . . . . . . . . 21
3.4. Scenario D . . . . . . . . . . . . . . . . . . . . . . . 22
4. Security Considerations . . . . . . . . . . . . . . . . . . . 22
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 23
6.1. Normative References . . . . . . . . . . . . . . . . . . 23
6.2. Informative References . . . . . . . . . . . . . . . . . 25
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 26
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 26
Kent & Ma Informational [Page 2]
^L
RFC 8211 RPKI Adverse CA Actions September 2017
1. Introduction
In the context of this document, any change to the Resource Public
Key Infrastructure (RPKI) [RFC6480] that diminishes the set of
Internet Number Resources (INRs) associated with an INR holder, and
that is contrary to the holder's wishes, is termed "adverse". This
analysis is done from the perspective of an affected INR holder. An
action that results in an adverse charge (as defined above) may be
the result of an attack on a CA [RFC7132], an error by a CA, or an
error by or an attack on a repository operator. Note that the CA
that allocated the affected INRs may be acting in accordance with
established policy; thus, the change may be contractually justified
even though viewed as adverse by the INR holder. This document
examines the implications of adverse actions within the RPKI with
respect to INRs, irrespective of the cause of the actions.
Additionally, when a Route Origin Authorization (ROA) or router
certificate is created that "competes" with an existing ROA or router
certificate (respectively), the creation of the new ROA or router
certificate may be adverse. (A newer ROA competes with an older ROA
if the newer ROA points to a different Autonomous System Number
(ASN), contains the same or a more specific prefix, and is issued by
a different CA. A newer router certificate competes with an older
router certificate if the newer one contains the same ASN, contains a
different public key, and is issued by a different CA.) Note that
transferring resources or changing of upstream providers may yield
competing ROAs and/or router certificates under some circumstances.
Thus, not all instances of competition are adverse actions.
As noted above, adverse changes to RPKI data may arise due to several
types of causes. A CA may make a mistake in managing the RPKI
objects it signs, or it may be subject to an attack. If an attack
allows an adversary to use the private key of that CA to sign RPKI
objects, then the effect is analogous to the CA making mistakes.
There is also the possibility that a CA or repository operator may be
subject to legal measures that compel them to make adverse changes to
RPKI data. In many cases, such actions may be hard to distinguish
from mistakes or attacks, other than with respect to the time
required to remedy the adverse action. (Presumably, the CA will take
remedial action when a mistake or an attack is detected, so the
effects are similar in these cases. If a CA has been legally
compelled to effect an adverse change, remediation will likely not be
swift.)
This document analyzes the various types of actions by a CA (or an
independent repository operator) that can adversely affect the INRs
associated with that CA, as well as the INRs of subordinate CAs. The
analysis is based on examination of the data items in the RPKI
Kent & Ma Informational [Page 3]
^L
RFC 8211 RPKI Adverse CA Actions September 2017
repository, as controlled by a CA (or an independent repository
operator) and fetched by RPs.
2. Analysis of RPKI Repository Objects
This section enumerates the RPKI repository system objects and
examines how changes to them affect Route Origin Authorizations
(ROAs) and router certificate validation. Identifiers are assigned
to errors for reference by later sections of this document. Note
that not all adverse actions may be encompassed by this taxonomy.
The RPKI repository [RFC6481] contains a number of (digitally signed)
objects that are fetched and processed by RPs. Until the deployment
of BGPsec [RFC8205], the principal goal of the RPKI is to enable an
RP to validate ROAs [RFC6482]. A ROA binds address space to an ASN.
A ROA can be used to verify BGP announcements with respect to route
origin [RFC6483]. The most important objects in the RPKI for origin
validation are ROAs; all of the other RPKI objects exist to enable
the validation of ROAs in a fashion consistent with the INR
allocation system. Thus, errors that result in changes to a ROA, or
to RPKI objects needed to validate a ROA, can cause RPs to reach
different (from what was intended) conclusions about the validity of
the bindings expressed in a ROA.
When BGPsec is deployed, router certificates [RFC8209] will be added
to repository publication points. These are end entity (EE)
certificates used to verify signatures applied to BGP update data and
to enable path validation [RFC8205]. Router certificates are as
important to path validation as ROAs are to origin validation.
The objects contained in the RPKI repository are of two types:
conventional PKI objects (certificates and Certificate Revocation
Lists (CRLs)) and RPKI-specific signed objects. The latter make use
of a common encapsulation format [RFC6488] based on the Cryptographic
Message Syntax (CMS) [RFC5652]. A syntax error in this common format
will cause an RP to reject the object, e.g., a ROA or manifest, as
invalid.
Adverse actions take several forms:
* Deletion (D) is defined as removing an object from a
publication point, without the permission of the INR holder.
* Suppression (S) is defined as not deleting an object, or not
publishing an object, as intended by an INR holder. This
action also includes retaining a prior version of an object in
a publication point when a newer version is available for
publication.
Kent & Ma Informational [Page 4]
^L
RFC 8211 RPKI Adverse CA Actions September 2017
* Corruption (C) is defined as modification of a signed object in
a fashion not requiring access to the private key used to sign
the object. Thus, a corrupted object will not carry a valid
signature. Implicitly, the corrupted object replaces the
legitimate version.
* Modification (M) is defined as publishing a syntactically
valid, verifiable version of an object that differs from the
(existing) version authorized by the INR holder. Implicitly,
the legitimate version of the affected object is deleted and
replaced by the modified object.
* Revocation (R) is defined as revoking a certificate (EE or CA)
by placing its Serial Number on the appropriate CRL, without
authorization of the INR holder.
* Injection (I) is defined as introducing an instance of a signed
object into a publication point (without authorization of the
INR holder). It assumes that the signature on the object will
be viewed as valid by RPs.
The first three of these actions (deletion, suppression, and
corruption) can be effected by any entity that manages the
publication point of the affected INR holder. Also, an entity with
the ability to act as a man-in-the-middle between an RP and a
repository can effect these actions with respect to the RP in
question.
The latter three actions (modification, revocation, and injection)
nominally require access to the private key of the INR holder.
All six of these actions also can be effected by a parent CA. A
parent CA could reissue the INR holder's CA certificate, but with a
different public key, matching a private key to which the parent CA
has access. The CA could generate new signed objects using the
private key associated with the reissued certificate and publish
these objects at a location of its choosing.
Most of these actions may be performed independently or in
combination with one another. For example, a ROA may be revoked and
deleted or revoked and replaced with a modified ROA. Where
appropriate, the analysis of adverse actions will distinguish between
individual actions, or combinations thereof, that yield different
outcomes for RPs. Recall that the focus of the analysis is the
impact on ROAs and router certificates, with respect to RP
processing.
Kent & Ma Informational [Page 5]
^L
RFC 8211 RPKI Adverse CA Actions September 2017
The following sections examine how the actions enumerated above
affect objects in the RPKI repository system. Each action is
addressed in order (deletion, suppression, corruption, modification,
revocation, and injection) for each object, making it easy to see how
each action has been considered with regard to each object. (For the
Ghostbusters Record [RFC6493], we condensed the discussion of the
actions because the impact is the same in each case.)
2.1. CA Certificates
Every INR holder is represented by one or more CA certificates. An
INR holder has multiple CA certificates if it holds resources
acquired from different sources. Also, every INR holder has more
than one CA certificate during key rollover [RFC6489] and algorithm
rollover [RFC6916].
If a publication point is not a "leaf" in the RPKI hierarchy, then
the publication point will contain one or more CA certificates, each
representing a subordinate CA. Each subordinate CA certificate
contains a Subject Information Access (SIA) pointer to the
publication point where the signed objects associated with that CA
can be found [RFC6487].
A CA certificate is a complex data structure; thus, errors in that
structure may have different implications for RPs depending on the
specific data that is in error.
Adverse actions against a CA certificate can cause the following
errors:
A-1.1 Deletion
A-1.1.1 Deletion of a CA certificate would cause an RP to
not be able to locate signed objects generated by
that CA, except those that have been cached by the
RP. Thus, an RP would be unaware of changed or
new (issued after the cached data) INR bindings
asserted in subordinate ROAs, and the RP would be
unable to validate new or changed router
certificates. If the missed objects were intended
to replace ROAs or router certificates prior to
expiration, then when those objects expire, RPs
may cease to view them as valid. As a result,
valid routes may be viewed as NotFound or Invalid.
Kent & Ma Informational [Page 6]
^L
RFC 8211 RPKI Adverse CA Actions September 2017
A-1.2 Suppression
A-1.2.1 If publication of a CA certificate is suppressed,
the impact depends on what changes appeared in the
suppressed certificate. If the SIA value changed,
the effect would be the same as in A-1.1 or
A-1.4.3. If the [RFC3779] extensions in the
suppressed certificate changed, the impact would
be the same as in A-1.4.1. If the Authority
Information Access (AIA) extension changed in the
suppressed certificate, the impact would be the
same as in A-1.4.4. Suppression of a renewed/
re-issued certificate may cause an old certificate
to expire and thus be rejected by RPs.
A-1.3 Corruption
A-1.3.1 Corruption of a CA certificate will cause it to be
rejected by RPs. In turn, this may cause
subordinate signed objects to become invalid. An
RP that has cached the subtree under the affected
CA certificate may continue to view it as valid,
until objects expire. But changed or new objects
might not be retrieved, depending on details of
the design of the RP software. Thus, this action
may be equivalent to suppressing changes to the
affected subtree.
A-1.4 Modification
A-1.4.1 If a CA certificate is modified but still conforms
to the RPKI certificate profile [RFC7935], it will
be accepted by RPs. If an [RFC3779] extension in
this certificate is changed to exclude INRs that
were previously present, then subordinate signed
objects will become invalid if they rely on the
excised INRs. If these objects are CA
certificates, their subordinate signed objects
will be treated as invalid. If the objects are
ROAs, the binding expressed by the affected ROAs
will be ignored by RPs. If the objects are router
certificates, BGPsec_PATH attributes [RFC8205]
verifiable under these certificates will be
considered invalid.
Kent & Ma Informational [Page 7]
^L
RFC 8211 RPKI Adverse CA Actions September 2017
A-1.4.2 If the SIA extension of a CA certificate is
modified to refer to another publication point,
this will cause an RP to look at another location
for subordinate objects. This could cause RPs to
not acquire the objects that the INR holder
intended to be retrieved -- manifests, ROAs,
router certificates, Ghostbuster Records, or any
subordinate CA certificates associated with that
CA. If the objects at this new location contain
invalid signatures or appear to be corrupted, they
may be rejected. In this case, cached versions of
the objects may be viewed as valid by an RP, until
they expire. If the objects at the new location
have valid signatures and pass path validation
checks, they will replace the cached objects,
effectively replacing the INR holder's objects.
A-1.4.3 If the AIA extension in a CA certificate is
modified, it would point to a different CA
certificate, not the parent CA certificate. This
extension is used only for path discovery, not
path validation. Path discovery in the RPKI is
usually performed on a top-down basis, starting
with trust anchors (TAs) and recursively
descending the RPKI hierarchy. Thus, there may be
no impact on the ability of clients to acquire and
validate certificates if the AIA is modified.
A-1.4.4 If the Subject Public Key Info (and Subject Key
Identifier extension) in a CA certificate is
modified to contain a public key corresponding to
a private key held by the parent, the parent could
sign objects as children of the affected CA
certificate. With this capability, the parent
could replace the INR holder, issuing new signed
objects that would be accepted by RPs (as long as
they do not violate the path validation criteria).
This would enable the parent to effect
modification, revocation, and injection actions
against all of the objects under the affected CA
certificate, including subordinate CA
certificates. (Note that key rollover also yields
a new CA certificate. However, the new
certificate will coexist with the old one for a
while, which may help distinguish this legitimate
activity from an adverse action.)
Kent & Ma Informational [Page 8]
^L
RFC 8211 RPKI Adverse CA Actions September 2017
A-1.5 Revocation
A-1.5.1 If a CA certificate is revoked, an RP will treat
as invalid all subordinate signed objects, both
immediate and transitive. The effects are
essentially the same as described in A-3.4.2.
A-1.6 Injection
A-1.6.1 If a CA certificate is injected, the impact will
depend on the data contained in the injected
certificate. Changes will generally be equivalent
to modification actions as described in A-1.4.
2.2. Manifest
Each repository publication point contains a manifest [RFC6486]. The
RPKI incorporates manifests to enable RPs to detect suppression and/
or substitution of (more recent) publication point objects, as the
result of a mistake or attack. A manifest enumerates (by filename)
all of the other signed objects at the publication point. The
manifest also contains a hash of each enumerated file to enable an RP
to determine if the named file content matches what the INR holder
identified in the manifest.
A manifest is an RPKI signed object, so it is validated as per
[RFC6488]. If a manifest is modified in a way that causes any of
these checks to fail, the manifest will be considered invalid.
Suppression of a manifest itself (indicated by a stale manifest) can
also cause an RP to not detect suppression of other signed objects at
the publication point. (Note that if a manifest's EE certificate
expires at the time that the manifest is scheduled to be replaced, a
delay in publication will cause the manifest to become invalid, not
merely stale. This very serious outcome should be avoided, e.g., by
making the manifest EE certificate's notAfter value the same as that
of the CA certificate under which it was issued). If a signed object
at a publication point can be validated (using the rules applicable
for that object type), then an RP may accept that object, even if
there is no matching entry for it on the manifest. However, it
appears that most RP software ignores publication point data that
fails to match manifest entries (at the time this document was
written).
Corruption, suppression, modification, or deletion of a manifest
might not affect RP processing of other publication point objects, as
specified in [RFC6486]. However, as noted above, many RP
Kent & Ma Informational [Page 9]
^L
RFC 8211 RPKI Adverse CA Actions September 2017
implementations ignore objects that are present at a publication
point but not listed in a valid manifest. Thus, the following
actions against a manifest can impact RP processing:
A-2.1 Deletion
A-2.1.1 A manifest may be deleted from the indicated
publication point. In this circumstance, an RP
may elect to use the previous manifest (if
available) and may ignore any new/changed objects
at the publication point. The implications of
this action are equivalent to suppression of
publication of the objects that are not recognized
by RPs because the new objects are not present in
the old manifest. For example, a new ROA could be
ignored (A-1.2). A newly issued CA certificate
might be ignored (A-1.1). A subordinate CA
certificate that was revoked might still be viewed
as valid by RPs (A-4.1). A new or changed router
certificate might be ignored (A-6.2) as would a
revised Ghostbusters Record (A-4.1).
A-2.2 Suppression
A-2.2.1 Publication of a newer manifest may be suppressed.
Suppression of a newer manifest probably will
cause an RP to rely on a cached manifest (if
available). The older manifest would not
enumerate newly added objects; thus, those objects
might be ignored by an RP, which is equivalent to
deletion of those objects (A-1.1, A-3.1, A-4.1,
A-5.1, and A-6.1).
A-2.3 Corruption
A-2.3.1 A manifest may be corrupted. A corrupted manifest
will be rejected by RPs. This may cause RPs to
rely on a previous manifest, with the same impact
as A-2.2. If an RP does not revert to using a
cached manifest, the impact of this action is very
severe, i.e., all publication point objects will
probably be viewed as invalid, including
subordinate tree objects. This is equivalent to
revoking or deleting an entire subtree (see
A-4.4.2).
Kent & Ma Informational [Page 10]
^L
RFC 8211 RPKI Adverse CA Actions September 2017
A-2.4 Modification
A-2.4.1 A manifest may be modified to remove one or more
objects. Because the modified manifest is viewed
as valid by RPs, any objects that were removed may
be ignored by RPs. This is equivalent to deleting
these objects from the repository. The impact of
this action will vary, depending on which objects
are (effectively) removed. However, the impact is
equivalent to deletion of the object in question,
(A-1.1, A-3.1, A-4.1, A-5.1, and A-6.1).
A-2.4.2 A manifest may be modified to add one or more
objects. If an added object has a valid signature
(and is not expired), it will be accepted by RPs
and processed accordingly. If the added object
was previously deleted by the INR holder, this
action is equivalent to suppressing deletion of
that object. If the object is newly created or
modified, it is equivalent to a modification or
injection action for the type of object in
question and is thus discussed in the relevant
section for those actions for the object type.
A-2.4.3 A manifest may be modified to list an incorrect
hash for one or more objects. An object with an
incorrect hash may be ignored by an RP. Thus, the
effect may be equivalent to corrupting the object
in question, although the error reported by RP
software would differ from that reported for a
corrupted object. (The manifest specifications do
not require an RP to ignore an object that has a
valid signature and that is not revoked or
expired, but for which the hash doesn't match the
object. However, an RP may elect to do so.)
A-2.5 Revocation
A-2.5.1 A manifest may be revoked (by including its EE
certificate on the CRL for the publication point).
A revoked manifest will be ignored by an RP, which
probably would revert to an older (cached)
manifest. The implications for RPs are equivalent
to A-2.1 with regard to new/changed objects.
Kent & Ma Informational [Page 11]
^L
RFC 8211 RPKI Adverse CA Actions September 2017
A-2.6 Injection
A-2.6.1 A manifest representing different objects may be
injected into a publication point. The effects
are the same as for a modified manifest (see
above). The impact will depend on the type of the
affected object(s) and is thus discussed in the
relevant section(s) for each object type.
2.3. Certificate Revocation List
Each publication point contains a CRL that enumerates revoked (not
yet expired) certificates issued by the CA associated with the
publication point [RFC6481].
Adverse actions against a CRL can cause the following errors:
A-3.1 Deletion
A-3.1.1 If a CRL is deleted, RPs will continue to use an
older, previously fetched Certificate Revocation
List. As a result, they will not be informed of
any changes in revocation status of subordinate CA
or router certificates or the EE certificates of
signed objects, e.g., ROAs. This action is
equivalent to corruption of a CRL, since a
corrupted CRL will not be accepted by an RP.
A-3.1.2 Deletion of a CRL could cause an RP to continue to
accept a ROA that no longer expresses the intent
of an INR holder. As a result, an announcement
for the affected prefixes would be viewed as
Valid, instead of NotFound or Invalid. In this
case, the effect is analogous to A-5.2.
A-3.1.3 If a router certificate were revoked and the CRL
were deleted, RPs would not be aware of the
revocation. They might continue to accept the
old, revoked router certificate. If the
certificate had been revoked due to a compromise
of the router's private key, RPs would be
vulnerable to accepting routes signed by an
unauthorized entity.
Kent & Ma Informational [Page 12]
^L
RFC 8211 RPKI Adverse CA Actions September 2017
A-3.1.4 If a subordinate CA certificate were revoked on
the deleted CRL, the revocation would not take
effect. This could interfere with a transfer of
address space from the subordinate CA, adversely
affecting routing to the new holder of the space.
A-3.2 Suppression
A-3.2.1 If publication of the most recent CRL is
suppressed, an RP will not be informed of the most
recent revocation status of a subordinate CA or
router certificates or the EE certificates of
signed objects. If an EE certificate has been
revoked and the associated signed object is still
present in the publication point, an RP might
mistakenly treat that object as valid. (This
would happen if the object is still in the
manifest or if the RP is configured to process
valid objects that are not on the manifest.) This
type of action is of special concern if the
affected object is a ROA, a router certificate, or
a subordinate CA certificate. The effects here
are equivalent to CRL deletion (A-3.1), but
suppression of a new CRL may not even be reported
as an error, i.e., if the suppressed CRL were
issued before the NextUpdate time (of the previous
CRL).
A-3.3 Corruption
A-3.3.1 If a CRL is corrupted, an RP will reject it. If a
prior CRL has not yet exceeded its NextUpdate
time, an RP will continue to use the prior CRL.
Even if the prior CRL has passed the NextUpdate
time, an RP may choose to continue to rely on the
prior CRL. The effects are essentially equivalent
to suppression or deletion of a CRL (A-3.1 and
A-3.2).
Kent & Ma Informational [Page 13]
^L
RFC 8211 RPKI Adverse CA Actions September 2017
A-3.4 Modification
A-3.4.1 If a CRL is modified to erroneously list a signed
object's EE certificate as revoked, the
corresponding object will be treated as invalid by
RPs, even if it is present in a publication point.
If this object is a ROA, the (legitimate) binding
expressed by the ROA will be ignored by an RP (see
A-5.5). If a CRL is modified to erroneously list
a router certificate as revoked, a path signature
associated with that certificate will be treated
as Not Valid by RPs (see A-6.5).
A-3.4.2 If a CRL is modified to erroneously list a CA
certificate as revoked, that CA and all
subordinate signed objects will be treated as
invalid by RPs. Depending on the location of the
affected CA in the hierarchy, these effects could
be very substantial, causing routes that should be
Valid to be treated as NotFound.
A-3.4.3 If a CRL is modified to omit a revoked EE, router,
or CA certificate, RPs will likely continue to
accept the revoked, signed object as valid. This
contravenes the intent of the INR holder. If an
RP continues to accept a revoked ROA, it may make
routing decisions on now-invalid data. This could
cause valid routes to be de-preferenced and
invalid routes to continue to be accepted.
A-3.5 Revocation
A-3.5.1 A CRL cannot be revoked per se, but it will fail
validation if the CA certificate under which it
was issued is revoked. See A-1.5 for a discussion
of that action.
A-3.6 Injection
A-3.6.1 Insertion of a bogus CRL can have the same effects
as listed above for a modified CRL, depending on
how the inserted CRL differs from the correct CRL.
Kent & Ma Informational [Page 14]
^L
RFC 8211 RPKI Adverse CA Actions September 2017
2.4. ROA
In addition to the generic RPKI object syntax checks, ROA validation
requires that the signature on the ROA can be validated using the
public key from the EE certificate embedded in the ROA [RFC6482]. It
also requires that the EE certificate be validated consistently with
the procedures described in [RFC6482] and [RFC6487]. Adverse actions
against a ROA can cause the following errors:
A-4.1 Deletion
A-4.1.1 A ROA may be deleted from the indicated
publication point. The result is to void the
binding between the prefix(es) and the Autonomous
System (AS) number in the ROA. An RP that
previously viewed this binding as authentic will
now not have any evidence about its validity. For
origin validation, this means that a legitimate
route will be treated as NotFound (if there are no
other ROAs for the same prefix) or Invalid (if
there is another ROA for the same prefix, but with
a different AS number).
A-4.2 Suppression
A-4.2.1 Publication of a newer ROA may be suppressed. If
the INR holder intended to change the binding
between the prefix(es) and the AS number in the
ROA, this change will not be effected. As a
result, RPs may continue to believe an old prefix/
ASN binding that is no longer what the INR holder
intended.
A-4.2.2 If an INR holder intends to issue and publish two
(or more) new ROAs for the same address space, one
(or more) of the new ROAs may be suppressed while
the other is published. In this case, RPs will
de-preference the suppressed prefix/ASN binding.
Suppression of the new ROA might cause traffic to
flow to an ASN other than the one(s) intended by
the INR holder.
Kent & Ma Informational [Page 15]
^L
RFC 8211 RPKI Adverse CA Actions September 2017
A-4.2.3 If an INR holder intends to delete all ROAs for
the same address space, some of them may be
retained while the others are deleted. Preventing
the deletion of some ROAs can cause traffic to
continue to be delivered to the ASNs that were
advertised by these ROAs. Deletion of all ROAs is
consistent with a transfer of address space to a
different INR holder in a phased fashion. Thus,
this sort of attack could interfere with the
successful transfer of the affected address space
(until such time as the prefixes are removed from
the previous INR holder's CA certificate).
A-4.3 Corruption
A-4.3.1 A ROA may be corrupted. A corrupted ROA will be
ignored by an RP, so the effect is essentially the
same as for A-4.1 and A-4.5. A possible
difference is that an RP may be alerted to the
fact that the ROA was corrupted, which might
attract attention to the attack.
A-4.4 Modification
A-4.4.1 A ROA may be modified so that the Autonomous
System Number (ASN) or one or more of the address
blocks in a ROA is different from the values the
INR holder intended for this ROA. (This action
assumes that the modified ROA's ASN and address
ranges are authorized for use by the INR holder.)
This attack will cause RPs to de-preference the
legitimate prefix/ASN binding intended by the INR
holder.
A-4.5 Revocation
A-4.5.1 A ROA may be revoked (by placing its EE
certificate on the CRL for the publication point).
This has the same effect as A-4.1.
Kent & Ma Informational [Page 16]
^L
RFC 8211 RPKI Adverse CA Actions September 2017
A-4.6 Injection
A-4.6.1 A ROA expressing different bindings than those
published by the INR holder may be injected into a
publication point. This action could authorize an
additional ASN to advertise the specified prefix,
allowing that ASN to originate routes for the
prefix, thus enabling route origin spoofing. In
this case, the injected ROA is considered to be in
competition with any existing authorized ROAs for
the specified prefix.
A-4.6.2 An injected ROA might express a different prefix
for an ASN already authorized to originate a
route, e.g., a longer prefix, which could enable
that ASN to override other advertisements using
shorter prefixes. If there are other ROAs that
authorize different ASNs to advertise routes to
the injected ROA's prefix, then the injected ROA
is in competition with these ROAs.
2.5. Ghostbusters Record
The Ghostbusters Record [RFC6493] is a signed object that may be
included at a publication point, at the discretion of the INR holder
or publication point operator. The record is validated according to
[RFC6488]. Additionally, the syntax of the record is verified based
on the vCard profile from Section 5 of [RFC6493]. Errors in this
record do not affect RP processing. However, if an RP encounters a
problem with objects at a publication point, the RP may use
information from the record to contact the publication point
operator.
Adverse actions against a Ghostbusters Record can cause the following
error:
A-5.1 Deletion, suppression, corruption, or revocation of a
Ghostbusters Record could prevent an RP from contacting the
appropriate entity when a problem is detected by the RP.
Modification or injection of a Ghostbusters Record could
cause an RP to contact the wrong entity, thus delaying
remediation of a detected anomaly. All of these actions
are viewed as equivalent from an RP processing perspective;
they do not alter RP validation of ROAs or router
certificates. However, these actions can interfere with
remediation of a problem when detected by an RP.
Kent & Ma Informational [Page 17]
^L
RFC 8211 RPKI Adverse CA Actions September 2017
2.6. Router Certificates
Router certificates are used by RPs to verify signatures on
BGPsec_PATH attributes carried in UPDATE messages.
Each AS is free to determine the granularity at which router
certificates are managed [RFC8209]. Each participating AS is
represented by one or more router certificates. During key or
algorithm rollover, multiple router certificates will be present in a
publication point, even if the AS is normally represented by just one
such certificate.
Adverse actions against router certificates can cause the following
errors:
A-6.1 Deletion
A-6.1.1 Deletion of a router certificate would cause an RP
to be unable to verify signatures applied to
BGPsec_PATH attributes on behalf of the AS in
question. In turn, this would cause the route to
be treated with lower preference than competing
routes that have valid BGPsec_PATH attribute
signatures. (However, if another router
certificate for the affected AS is valid and
contains the same AS number and public key, and it
is in use by that AS, there would be no effect on
routing. This scenario will arise if a router
certificate is renewed, i.e., issued with a new
validity interval.)
A-6.2 Suppression
A-6.2.1 Suppression of a router certificate could have the
same impact as deletion of a certificate of this
type, i.e., if no router certificate was
available, BGPsec attributes that should be
verified using the certificate would fail
validation. If an older certificate existed and
has not expired, it would be used by RPs. If the
older certificate contained a different ASN, the
impact would be the same as in A-6.4.
Kent & Ma Informational [Page 18]
^L
RFC 8211 RPKI Adverse CA Actions September 2017
A-6.3 Corruption
A-6.3.1 Corruption of a router certificate will result in
the certificate being rejected by RPs. Absent a
valid router certificate, BGPsec_PATH attributes
associated with that certificate will be
unverifiable. In turn, this would cause the route
to be treated with lower preference than competing
routes that have valid BGPsec_PATH attribute
signatures.
A-6.4 Modification
A-6.4.1 If a router certificate is modified to represent a
different ASN, but it still passes syntax checks,
then this action could cause signatures on
BGPsec_PATH attributes to be associated with the
wrong AS. This could cause signed routes to be
inconsistent with the intent of the INR holder,
e.g., traffic might be routed via a different AS
than intended.
A-6.5 Revocation
A-6.5.1 If a router certificate were revoked, BGPsec_PATH
attributes verifiable using that certificate would
no longer be considered valid. The impact would
be the same as for a deleted certificate, as
described in A-6.1.
A-6.6 Injection
A-6.6.1 Insertion of a router certificate could authorize
additional routers to sign BGPsec traffic for the
targeted ASN, and thus undermine fundamental
BGPsec security guarantees. If there are
existing, authorized router certificates for the
same ASN, then the injected router certificate is
in competition with these existing certificates.
3. Analysis of Actions Relative to Scenarios
This section examines the types of problems that can arise in four
scenarios described below. We consider mistakes, (successful)
attacks against a CA or a publication point, and situations in which
a CA or publication point manager is compelled to take action by a
law enforcement authority.
Kent & Ma Informational [Page 19]
^L
RFC 8211 RPKI Adverse CA Actions September 2017
We explore the following four scenarios:
A. An INR holder operates its own CA and manages its own
repository publication point.
B. An INR holder operates its own CA, but outsources management
of its repository publication point to its parent or another
entity.
C. An INR holder outsources management of its CA to its parent,
but manages its own repository publication point.
D. An INR holder outsources management of its CA and its
publication point to its parent.
Note that these scenarios focus on the affected INR holder as the
party directly affected by an adverse action. The most serious cases
arise when the INR holder appears as a high-tier CA in the RPKI
hierarchy; in such situations, subordinate INR holders may be
affected as a result of an action. A mistake by or an attack against
a "leaf" has more limited impact because all of the affected INRs
belong to the INR holder itself.
In Scenario A, actions by the INR holder can adversely affect all of
its resources and, transitively, resources of any subordinate CAs.
(If the CA is a "leaf" in the RPKI, then it has no subordinate CAs
and the damage is limited to its own INRs.)
In Scenario B, actions by the (outsourced) repository operator can
also adversely affect the resources of the INR holder and those of
any subordinates CAs. (If the CA is a "leaf" in the RPKI, then it
has no subordinate CAs and the damage is limited, as in Scenario A.)
The range of adverse effects here includes those in Scenario A and
adds a new potential source of adverse actions, i.e., the outsourced
repository operator.
In Scenario C, all signed objects associated with the INR holder are
generated by the parent CA but are self-hosted. (We expect this
scenario to be rare, because an INR holder that elects to outsource
CA operation seems unlikely to manage its own repository publication
point.) Because that CA has the private key used to sign them, it
can generate alternative signed objects -- ones not authorized by the
INR holder. However, erroneous objects created by the parent CA will
not be published by the INR holder IF the holder checks them first.
Because the parent CA is acting on behalf of the INR holder, mistakes
by or attacks against that entity are equivalent to ones effected by
the INR holder in Scenario A.
Kent & Ma Informational [Page 20]
^L
RFC 8211 RPKI Adverse CA Actions September 2017
The INR holder is most vulnerable in Scenario D. Actions by the
parent CA, acting on behalf of the INR holder, can adversely affect
all signed objects associated with that INR holder, including any
subordinate CA certificates. These actions will presumably translate
directly into publication point changes because the parent CA is
managing the publication point for the INR holder. The range of
adverse effects here includes those in Scenarios A, B, and C.
3.1. Scenario A
In this scenario, the INR holder acts as its own CA and it manages
its own publication point. Actions by the INR holder can adversely
affect all of its resources and, transitively, resources of any
subordinate CAs. (If the CA is a "leaf" in the RPKI, then it has no
subordinate CAs and the damage is limited to its own INRs.) Mistakes
by the INR holder can cause any of the actions noted in Section 2. A
successful attack against this CA can effect all of the modification,
revocation, or injection actions noted in that section. (We assume
that objects generated by the CA are automatically published). An
attack against the publication point can effect all of the deletion,
suppression, or corruption actions noted in that section.
3.2. Scenario B
In this scenario, the INR holder acts as its own CA but it delegates
management of it own publication point to a third party. Mistakes by
the INR holder can cause any of the modification, revocation, or
injection actions described in Section 2. Actions by the repository
operator can adversely affect the resources of the INR holder, and
those of any subordinate CAs. (If the CA is a "leaf" in the RPKI,
then it has no subordinate CAs and the damage is limited, as in
Scenario A.) The range of adverse effects here includes those in
Scenario A, and adds a new potential source of adverse actions, i.e.,
the third party repository operator. A successful attack against the
CA can effect all of the modification, revocation, or injection
actions noted in that section (assuming that objects generated by the
CA are automatically published). Here, actions by the publication
point manager (or attacks against that entity) can effect all of the
deletion, suppression, or corruption actions noted in Section 2.
3.3. Scenario C
In this scenario, the INR holder outsources management of its CA to
its parent, but manages its own repository publication point. All
signed objects associated with the INR holder are generated by the
parent CA but are self-hosted. (We expect this scenario to be rare,
because an INR holder that elects to outsource CA operation seems
unlikely to manage its own repository publication point.) Because
Kent & Ma Informational [Page 21]
^L
RFC 8211 RPKI Adverse CA Actions September 2017
that CA has the private key used to sign them, it can generate
alternative signed objects -- ones not authorized by the INR holder.
However, erroneous objects created by the parent CA will not be
published by the INR holder IF the holder checks them first. Because
the parent CA is acting on behalf of the INR holder, mistakes by or
attacks against that entity are equivalent to ones effected by the
INR holder in Scenario A. Mistakes by the INR holder, acted upon by
the parent CA, can cause any of the actions noted in Section 2.
Actions unilaterally undertaken by the parent CA also can have the
same effect, unless the INR holder checks the signed objects before
publishing them. A successful attack against the parent CA can
effect all of the modification, revocation, or injection actions
noted in Section 2, unless the INR holder checks the signed objects
before publishing them. An attack against the INR holder (in its
role as repository operator) can effect all of the deletion,
suppression, or corruption actions noted in Section 2 (because the
INR holder is managing its publication point), unless the INR holder
checks the signed objects before publishing them. (An attack against
the INR holder implies that the path it uses to direct the parent CA
to issue and publish objects has been compromised.)
3.4. Scenario D
In this scenario, an INR holder outsources management of both its CA
and its publication point to its parent. The INR holder is most
vulnerable in this scenario. Actions by the parent CA, acting on
behalf of the INR holder, can adversely affect all signed objects
associated with that INR holder, including any subordinate CA
certificates. These actions will presumably translate directly into
publication point changes, because the parent CA is managing the
publication point for the INR holder. The range of adverse effects
here includes those in Scenarios A, B, and C. Mistakes by the INR
holder, acted upon by the parent CA, can cause any of the actions
noted in Section 2. Actions unilaterally undertaken by the parent CA
also can have the same effect. A successful attack against the
parent CA can effect all of the modification, revocation, or
injection actions noted in Section 2. An attack against the parent
CA can also effect all of the deletion, suppression, or corruption
actions noted in Section 2 (because the parent CA is managing the INR
holder's publication point).
4. Security Considerations
This informational document describes a threat model for the RPKI,
focusing on mistakes by or attacks against CAs and independent
repository managers. It is intended to provide a basis for the
design of future RPKI security mechanisms that seek to address the
concerns associated with such actions.
Kent & Ma Informational [Page 22]
^L
RFC 8211 RPKI Adverse CA Actions September 2017
The analysis in this document identifies a number of circumstances in
which attacks or errors can have significant impacts on routing. One
ought not interpret this as a condemnation of the RPKI. It is only
an attempt to document the implications of a wide range of attacks
and errors in the context of the RPKI. The primary alternative
mechanism for disseminating routing information is Internet Routing
Registry (IRR) technology [RFC2650] [RFC2725], which uses the Routing
Policy Specification Language (RPSL) [RFC2622]. IRR technology
exhibits its own set of security problems, which are discussed in
[RFC7682].
5. IANA Considerations
This document does not require any IANA actions.
6. References
6.1. Normative References
[RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
Addresses and AS Identifiers", RFC 3779,
DOI 10.17487/RFC3779, June 2004,
<https://www.rfc-editor.org/info/rfc3779>.
[RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support
Secure Internet Routing", RFC 6480, DOI 10.17487/RFC6480,
February 2012, <https://www.rfc-editor.org/info/rfc6480>.
[RFC6481] Huston, G., Loomans, R., and G. Michaelson, "A Profile for
Resource Certificate Repository Structure", RFC 6481,
DOI 10.17487/RFC6481, February 2012,
<https://www.rfc-editor.org/info/rfc6481>.
[RFC6482] Lepinski, M., Kent, S., and D. Kong, "A Profile for Route
Origin Authorizations (ROAs)", RFC 6482,
DOI 10.17487/RFC6482, February 2012,
<https://www.rfc-editor.org/info/rfc6482>.
[RFC6483] Huston, G. and G. Michaelson, "Validation of Route
Origination Using the Resource Certificate Public Key
Infrastructure (PKI) and Route Origin Authorizations
(ROAs)", RFC 6483, DOI 10.17487/RFC6483, February 2012,
<https://www.rfc-editor.org/info/rfc6483>.
[RFC6486] Austein, R., Huston, G., Kent, S., and M. Lepinski,
"Manifests for the Resource Public Key Infrastructure
(RPKI)", RFC 6486, DOI 10.17487/RFC6486, February 2012,
<https://www.rfc-editor.org/info/rfc6486>.
Kent & Ma Informational [Page 23]
^L
RFC 8211 RPKI Adverse CA Actions September 2017
[RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for
X.509 PKIX Resource Certificates", RFC 6487,
DOI 10.17487/RFC6487, February 2012,
<https://www.rfc-editor.org/info/rfc6487>.
[RFC6488] Lepinski, M., Chi, A., and S. Kent, "Signed Object
Template for the Resource Public Key Infrastructure
(RPKI)", RFC 6488, DOI 10.17487/RFC6488, February 2012,
<https://www.rfc-editor.org/info/rfc6488>.
[RFC6489] Huston, G., Michaelson, G., and S. Kent, "Certification
Authority (CA) Key Rollover in the Resource Public Key
Infrastructure (RPKI)", BCP 174, RFC 6489,
DOI 10.17487/RFC6489, February 2012,
<https://www.rfc-editor.org/info/rfc6489>.
[RFC6493] Bush, R., "The Resource Public Key Infrastructure (RPKI)
Ghostbusters Record", RFC 6493, DOI 10.17487/RFC6493,
February 2012, <https://www.rfc-editor.org/info/rfc6493>.
[RFC6916] Gagliano, R., Kent, S., and S. Turner, "Algorithm Agility
Procedure for the Resource Public Key Infrastructure
(RPKI)", BCP 182, RFC 6916, DOI 10.17487/RFC6916, April
2013, <https://www.rfc-editor.org/info/rfc6916>.
[RFC7935] Huston, G. and G. Michaelson, Ed., "The Profile for
Algorithms and Key Sizes for Use in the Resource Public
Key Infrastructure", RFC 7935, DOI 10.17487/RFC7935,
August 2016, <https://www.rfc-editor.org/info/rfc7935>.
[RFC8205] Lepinski, M., Ed. and K. Sriram, Ed., "BGPsec Protocol
Specification", RFC 8205, DOI 10.17487/RFC8205, September
2017, <https://www.rfc-editor.org/info/rfc8205>.
[RFC8209] Reynolds, M., Turner, S., and S. Kent, "A Profile for
BGPsec Router Certificates, Certificate Revocation Lists,
and Certification Requests", RFC 8209,
DOI 10.17487/RFC8209, September 2017,
<https://www.rfc-editor.org/info/rfc8209>.
Kent & Ma Informational [Page 24]
^L
RFC 8211 RPKI Adverse CA Actions September 2017
6.2. Informative References
[RFC2622] Alaettinoglu, C., Villamizar, C., Gerich, E., Kessens, D.,
Meyer, D., Bates, T., Karrenberg, D., and M. Terpstra,
"Routing Policy Specification Language (RPSL)", RFC 2622,
DOI 10.17487/RFC2622, June 1999,
<https://www.rfc-editor.org/info/rfc2622>.
[RFC2650] Meyer, D., Schmitz, J., Orange, C., Prior, M., and C.
Alaettinoglu, "Using RPSL in Practice", RFC 2650,
DOI 10.17487/RFC2650, August 1999,
<https://www.rfc-editor.org/info/rfc2650>.
[RFC2725] Villamizar, C., Alaettinoglu, C., Meyer, D., and S.
Murphy, "Routing Policy System Security", RFC 2725,
DOI 10.17487/RFC2725, December 1999,
<https://www.rfc-editor.org/info/rfc2725>.
[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
RFC 5652, DOI 10.17487/RFC5652, September 2009,
<https://www.rfc-editor.org/info/rfc5652>.
[RFC7132] Kent, S. and A. Chi, "Threat Model for BGP Path Security",
RFC 7132, DOI 10.17487/RFC7132, February 2014,
<https://www.rfc-editor.org/info/rfc7132>.
[RFC7682] McPherson, D., Amante, S., Osterweil, E., Blunk, L., and
D. Mitchell, "Considerations for Internet Routing
Registries (IRRs) and Routing Policy Configuration",
RFC 7682, DOI 10.17487/RFC7682, December 2015,
<https://www.rfc-editor.org/info/rfc7682>.
Kent & Ma Informational [Page 25]
^L
RFC 8211 RPKI Adverse CA Actions September 2017
Acknowledgements
The authors thank Richard Hansen and David Mandelberg for their
extensive review, feedback, and editorial assistance. Thanks also go
to Daiming Li for her editorial assistance.
Authors' Addresses
Stephen Kent
BBN Technologies
10 Moulton St
Cambridge, MA 02138-1119
United States of America
Email: kent@alum.mit.edu
Di Ma
ZDNS
4 South 4th St. Zhongguancun
Haidian, Beijing 100190
China
Email: madi@zdns.cn
Kent & Ma Informational [Page 26]
^L
|