SIDR OperationsInternet Engineering Task Force (IETF) O. MuravskiyInternet-DraftRequest for Comments: 8488 RIPE NCCIntended status:Category: Informational T. BruijnzeelsExpires: March 20, 2019ISSN: 2070-1721 NLNetLabsSeptember 16,November 2018RPKIRIPE NCC's Implementation of Resource Public Key Infrastructure (RPKI) Certificate Tree Validationby the RIPE NCC RPKI Validator draft-ietf-sidrops-rpki-tree-validation-03Abstract This document describesthean approach tovalidatevalidating the content of theRPKIResource Public Key Infrastructure (RPKI) certificate tree, as it is implemented in the RIPE NCC RPKI Validator. This approach is independent of a particular object retrievalmechanism. Thismechanism, which allows it to be used with repositories available over the rsync protocol, the RPKI Repository DeltaProtocol,Protocol (RRDP), and repositories that use a mix of both. Status of This Memo ThisInternet-Draftdocument issubmitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documentsnot an Internet Standards Track specification; it is published for informational purposes. This document is a product of the Internet Engineering Task Force (IETF).Note that other groups may also distribute working documents as Internet-Drafts. The listIt represents the consensus ofcurrent Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draftthe IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documentsvalidapproved by the IESG are candidates fora maximumany level ofsix monthsInternet Standard; see Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may beupdated, replaced, or obsoleted by other documentsobtained atany time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on March 20, 2019.https://www.rfc-editor.org/info/rfc8488. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1.Scope of this document . . . . . . . . . . . . . . . . . . . 3 2.Introduction . . . . . . . . . . . . . . . . . . . . . . . . 33.2. General Considerations . . . . . . . . . . . . . . . . . . .4 3.1.3 2.1. HashcomparisonsComparisons . . . . . . . . . . . . . . . . . . . .4 3.2.3 2.2. Discovery of RPKIobjects issuedObjects Issued by a CA . . . . . . . . 43.3.2.3. ManifestentriesEntries versusrepository contentRepository Content . . . . . . . 44. Top-down3. Top-Down Validation of a Single Trust Anchor Certificate Tree5 4.1.4 3.1. Fetching the Trust Anchor Certificate Using the Trust Anchor Locator . . . . . . . . . . . . . . . . . . . . . 54.2.3.2. CA Certificate Validation . . . . . . . . . . . . . . . . 64.2.1.3.2.1. Finding themost recent valid manifestMost Recent Valid Manifest and CRL . . . 74.2.2.3.2.2. Validating Manifestentries validationEntries . . . . . . . . . . . . . 84.3.3.3. Object Store Cleanup . . . . . . . . . . . . . . . . . . 95.4. Remote Objects Fetcher . . . . . . . . . . . . . . . . . . . 95.1.4.1. Fetcher Operations . . . . . . . . . . . . . . . . . . . 95.1.1.4.1.1. Fetchrepository objectsRepository Objects . . . . . . . . . . . . . . 105.1.2.4.1.2. Fetchsingle repository objectSingle Repository Object . . . . . . . . . . . 106.5. Local Object Store . . . . . . . . . . . . . . . . . . . . . 116.1.5.1. Store Operations . . . . . . . . . . . . . . . . . . . . 116.1.1.5.1.1. Store Repository Object . . . . . . . . . . . . . . . 116.1.2.5.1.2. GetobjectsObjects byhashHash . . . . . . . . . . . . . . . . . 116.1.3.5.1.3. Getcertificate objectsCertificate Objects by URI . . . . . . . . . . . 116.1.4.5.1.4. Getmanifest objectsManifest Objects by AKI . . . . . . . . . . . . . 116.1.5.5.1.5. DeleteobjectsObjects for a URI . . . . . . . . . . . . . . 126.1.6.5.1.6. Deleteoutdated objectsOutdated Objects . . . . . . . . . . . . . . . 126.1.7.5.1.7. Updateobject's validation time . . . . . . . . . . . 12 7. Acknowledgements . . . . . . . . . . .Object's Validation Time . . . . . . . . . . . 128.6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 129.7. Security Considerations . . . . . . . . . . . . . . . . . . . 129.1.7.1. HashcollisionsCollisions . . . . . . . . . . . . . . . . . . . . . 129.2.7.2. AlgorithmagilityAgility . . . . . . . . . . . . . . . . . . . . 129.3.7.3. Mismatch between theexpectedExpected andthe actual locationActual Location of anobjectObject in therepositoryRepository . . . . . . . . . . . . . . .13 9.4.. 12 7.4. ManifestcontentContent versuspublication point contentPublication Point Content . . . . 139.5.7.5. PossibledenialDenial ofserviceService . . . . . . . . . . . . . . .14 10.13 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 1410.1.8.1. Normative References . . . . . . . . . . . . . . . . . . 1410.2.8.2. Informative References . . . . . . . . . . . . . . . . . 15 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 15 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 1.Scope of this documentIntroduction This document describes how the RIPE NCC RPKI Validator version2.232.25 has been implemented. Source codetofor this software can be found at[github].[rpki-validator]. The purpose of this document is to provide transparency to users of (and contributors to) this softwaretool, as well as serve to be subjected to scrutiny by the SIDR Operations Working Group. It is not intended as a document that describes a standard or best practices on how validation should be done in general. 2. Introductiontool. In order to use information published in RPKI repositories, Relying Parties(RP)(RPs) need to retrieve and validate the content of certificates,certificate revocation listsCertificate Revocation Lists (CRLs), and other RPKI signed objects. To validate a particular object, one must ensure that all certificates in the certificate chain up to the Trust Anchor (TA) are valid.ThereforeTherefore, the validation of a certificate tree is performed top-down, starting from the TA certificate and descendingdownthe certificate chain, validating every encountered certificate and its products. The result of this process is a list of all encountered RPKI objects with a validity status attached to each of them. These results may later be used bya Relying Partyan RP intakingmaking routing decisions, etc.TraditionallyTraditionally, RPKI data is made available to RPs through the repositories [RFC6481] accessible over[rsync] protocol. Relying partiesthe rsync protocol [rsync]. RPs are advised to keep a local copy of repositorydata,data and perform regular updates of this copy from the repository(Section(see Section 5 of [RFC6481]). TheRPKI Repository Delta ProtocolRRDP [RFC8182] introduces another method to fetch repository data and keep the local copy up to date with the repository. This document describes how the RIPE NCC RPKI Validator discovers RPKI objects to download, builds certificate paths, and validates RPKI objects, independentlyfromof what repository access protocol is used. To achieve this, it puts downloaded RPKI objects in an object store, where each RPKI object can be found by its URI, the hash of its content, the value of its Authority Key Identifier (AKI) extension, or a combination of these. It also keeps track of the download andthevalidation time for every object, to decide which locally stored objects are not used in the RPKI tree validation and could be removed.3.2. General Considerations3.1.2.1. HashcomparisonsComparisons This algorithm relies on the collision resistance properties of thefilehash algorithm (defined in [RFC7935]) to compute the hash of repository objects. It assumes that any two objects for which the hash value is thesame,same are identical. The hash comparison is used when matching objects in the repository with entries on the manifest (Section4.2.2),3.2.2) and when looking up objects in the object store (Section6). 3.2.5). 2.2. Discovery of RPKIobjects issuedObjects Issued by a CA There are several possible ways of discovering potential products of aCACertification Authority (CA) certificate: one could 1) use all objects located in a repository directory designated as a publication point for a CA,or2) only use objects mentioned on the manifest located at that publication point (see Section 6of[RFC6486]),of [RFC6486]), or 3) use all known repository objects whose AKI extension matches the Subject Key Identifier (SKI) extension (Section 4.2.1of[RFC5280])of [RFC5280]) of a CA certificate. For publication points whose content is consistent with the manifest and issuingcertificatecertificate, all of these approaches should produce the same result. For inconsistent publicationpointspoints, the results might be different. Section 6 of [RFC6486] leaves the decision on how to deal with inconsistencies to a local policy. The implementation described here does not rely on content of repositorydirectories,directories but uses the Authority Key Identifier (AKI) extension of a manifest and acertificate revocation list (CRL)CRL to find in an object store (Section6)5) a manifest and a CRL issued by a particularCertification Authority (CA)CA (see Section4.2.1).3.2.1). It further uses the hashes of the manifest's fileList entries (Section 4.2.1 of [RFC6486]) to find other objects issued by the CA, as described in Section4.2.2. 3.3.3.2.2. 2.3. ManifestentriesEntries versusrepository contentRepository Content Since the current set of RPKI standards (see [RFC6481], [RFC6486], and [RFC6487]) requires use of the manifest [RFC6486] to describe the content of a publication point, this implementation requires strict consistency between the publication point content and manifest content. (This is a more stringent requirement than established in [RFC6486].)ThereforeTherefore, it will not process objects that are found in the publication point but do not match any of the entries of that publication point's manifest (see Section4.2.2).3.2.2). It will also issue warnings for all found mismatches, so that the responsible operators could be made aware of inconsistencies and fix them.4. Top-down3. Top-Down Validation of a Single Trust Anchor Certificate Tree When several Trust Anchors are configured, validation of their corresponding certificate trees is performed concurrently and independently from each other. For every configured Trust Anchor, the following steps are performed: 1. The validation of aTrust Anchor (TA)TA certificate tree starts from its TA certificate. To retrieve the TA certificate, a Trust Anchor Locator (TAL) object is used, as described in Section4.1.3.1. 2. If the TA certificate is retrieved, it is validated according to Section 7 of [RFC6487] and Section 2.2 of [RFC7730].OtherwiseOtherwise, the validation of the certificate tree is aborted and an error is issued. 3. If the TA certificate is valid, then all its subordinate objects are validated as described in Section4.2. Otherwise3.2. Otherwise, the validation of the certificate tree is aborted and an error is issued. 4. For each repository object that was validated during this validation run,itsthe validation timestamp is updated in the object store (see Section6.1.7).5.1.7). 5. Outdated objects are removed from the store as described in Section4.3.3.3. This completes the validation of the TA certificate tree.4.1.3.1. Fetching the Trust Anchor Certificate Using the Trust Anchor Locator The following steps are performed in order to fetch a Trust AnchorCertificate:certificate: 1. (Optional) If theTrust Anchor LocatorTAL contains a"prefetch.uris"prefetch.uris field, pass the URIs contained in that field to the fetcher (see Section5.1.1).4.1.1). (This field is a non-standard addition to the TAL format. It helps with fetching non-hierarchical rsync repositories more efficiently.) 2. Extract the first TA certificate URI from the TAL's URI section (see Section 2.1 of [RFC7730]) and pass it to the object fetcher (Section5.1.2).4.1.2). If the fetcher returns an error, repeat this step for every URI in the URIsection,section until no error isencountered,encountered or no more URIs are left. 3.Retrieve fromFrom the object store (see Section6.1.3)5.1.3), retrieve all certificateobjects,objects for which the URI matches the URI extracted from the TAL in the previousstep,step and the public key matches the subjectPublicKeyInfo extension of the TAL (see Section 2.1 of [RFC7730]). 4. Ifno,no such objects are found or if more than one such objects are found, issue an error and abort the certificate tree validation process with an error. Otherwise, use the single found object as theTrust AnchorTA certificate.4.2.3.2. CA Certificate Validation The following steps describe the validation of a single CAResourceresource certificate: 1. If both the caRepository (Section 4.8.8.1 of[RFC6487]),[RFC6487]) and the id-ad-rpkiNotify (Section 3.2 of [RFC8182])SubjectInfoAccess (SIA) pointersinstances of an accessMethod are present in the Subject Information Access extension of the CA certificate, use a local policy to determine which pointer to use. Extract the URI from the selected pointer and pass it to the object fetcher (that will then fetch all objects available from thatrepository,repository; see Section5.1.1).4.1.1). 2. For the CA certificate, find the current manifest and certificate revocation list(CRL),(CRL) using the procedure described in Section4.2.1.3.2.1. If no such manifest and CRL could be found, stop validation of this certificate, consider it invalid, and issue an error. 3. Compare the URI found in the id-ad-rpkiManifest field (Section 4.8.8.1 of [RFC6487]) of the SIA extension of the certificate with the URI of the manifest found in the previous step. If they are different, issue awarning,warning but continue the validation process using the manifest found in the previous step. (This warning indicates that there is a mismatch between the expected and the actual location of an object in a repository. See Section97.3 for the explanation of this mismatch and the decisiontaken.)made.) 4. Performmanifest entriesdiscovery and validation of manifest entries as described in Section4.2.2.3.2.2. 5. Validate all resource certificate objects found on themanifest,manifest using the CRLobject found on the manifest:object: *ifIf the strict validation option is enabled by the operator, the validation is performed according to Section 7 of[RFC6487],[RFC6487]. *otherwise,Otherwise, the validation is performed according to Section 7 of[RFC6487],[RFC6487] but with the exception of the resource certification path validation,thatwhich is performed according to Section 4.2.4.4 of [RFC8360]. (Note that this implementation uses the operator configuration to decide which algorithm to use for path validation. It applies the selected algorithm to all resource certificates, rather than applying an appropriate algorithm per resourcecertificate,certificate based on the object identifier (OID) for the Certificate Policy found in that certificate, as specified in [RFC8360].) 6. Validate all Route Origin Authorization (ROA) objects found on themanifest,manifest using the CRL object found on the manifest, according to Section 4 of [RFC6482]. 7. Validate all Ghostbusters Record objects found on themanifest,manifest using the CRL object found on the manifest, according to Section 7 of [RFC6493]. 8. For every valid CA certificate object found on the manifest, apply the procedure described in thissection (Section 4.2),section, recursively, provided that this CA certificate (identified by its SKI) has not yet been validated during current tree validation run.4.2.1.3.2.1. Finding the Most Recent Valid Manifest and CRL To find the most recentvalidissued manifest and CRL objects of a particular CA certificate, the following steps are performed: 1.Fetch fromFrom the store (see Section6.1.4)5.1.4), fetch all objects of typemanifest,manifest whose certificate's AKI extension matches the SKI of the current CA certificate. If no such objects are found, stop processing the current CA certificate and issue an error. 2.Find amongAmong foundobjectsobjects, find the manifest object with the highest manifestNumber field (Section 4.2.1 of[RFC6486]),[RFC6486]) for which all following conditions are met: * There is only one entry in the manifest for which the store contains exactly one object of type CRL, the hash of which matches the hash of the entry. * The manifest's certificate AKI equals the above CRL's AKI. * The above CRL is a valid object according to Section 6.3 of [RFC5280]. * The manifest is a valid object according to Section 4.4 of [RFC6486], and its EEcertificatescertificate is not in the CRL found above. 3. If there is an object that matches the above criteria, consider this object to be the valid manifest, and consider the CRL found at the previous step-to be the valid CRL for the current CA certificate's publication point. 4. Report an error for every other manifest with a number higher than the number of the valid manifest.4.2.2.3.2.2. Validating Manifestentries validationEntries For every entry in the manifest object: 1. Construct an entry's URI by appending the entry name to the current CA's publication point URI. 2. Get all objects from the store whose hash attribute equals the entry's hash (see Section6.1.2).5.1.2). 3. If no such objects are found, issue an error for this manifest entry and progress to the next entry. This case indicates that the repository does not have an object at the location listed in themanifest,manifest or that the object's hash does not match the hash listed in the manifest. 4. For every found object, compare its URI with the URI of the manifest entry. * For every object with a non-matchingURIURI, issue a warning. This case indicates that the object from the manifest entry is (also) found at a different location in a (possibly different) repository. * If no objects with a matching URI are found, issue a warning. This case indicates that there is no object found in the repository at the location listed in the manifest entry (but there is at least one matching object found at a different location). 5. Use all found objects for further validation as per Section4.2.3.2. Please note that the above steps will not reject objects whose hash matches the hash listed in themanifest,manifest butthewhose URI does not. See Section9.37.3 for additional information.4.3.3.3. Object Store Cleanup At the end of every TA treevalidationvalidation, some objects are removed from the store using the following rules: 1. Given all objects that were encountered during the current validation run, remove from the store (Section6.1.6)5.1.6) all objects whose URI attribute matches the URI of one of the encounteredobjects,objects butthewhose content's hashis different.does not match the hash of any of the encountered objects. This removes from the store objects that were replaced in the repository by their newer versions with the same URIs. 2. Remove from the store all objects that were last encountered during validation a long time ago (as specified by the local policy). This removes objects that do not appear on any valid manifest anymore (but possibly are still published in a repository). 3. Remove from the store all objects that were downloaded recently (as specified by the localpolicy),policy) but that have never been used in the validation process. This removes objects that have never appeared on any valid manifest. Shortening the time interval used in step 2 will free more disk space used by the store, at the expense of downloading removed objects again if they are still published in the repository. Extending the time interval used in step 3 will prevent repeated downloads of unused repositoryobjects, withobjects. However, it will also extend the interval at which unused objects are removed. This creates a risk that suchobjects, if created massively by mistake or by an adversary,objects will fill uplocalall available diskspace,space ifthey are not cleaned up promptly. 5.a large enough amount of such objects is published in the repository (either by mistake or with a malicious intent). 4. Remote Objects Fetcher The fetcher is responsible for downloading objects from remote repositories (described in Section 3 of [RFC6481]) using the rsync protocol([rsync]),[rsync] orRPKI Repository Delta Protocol (RRDP) ([RFC8182]). 5.1.RRDP [RFC8182]. 4.1. Fetcher Operations For every visitedURIURI, the fetcher keeps track of the last time a successful fetch occurred.5.1.1.4.1.1. Fetchrepository objectsRepository Objects This operation receives one parameter--- a URI. For an rsyncrepositoryrepository, this URI points to a directory. For an RRDPrepositoryrepository, it points to the repository's notification file. The fetcherperforms followingfollows these steps: 1. If data associated with the URI has been downloaded recently (as specified by the local policy), skip the following steps. 2. Download remote objects using the URI provided (for an rsyncrepositoryrepository, use recursive mode). If the URI containsschemathe "https" schema and download has failed, issue a warning, replace the "https" schema in the URIbywith "http", and try to download objectsagain,again using the resulting URI. 3. If remote objectscan notcannot be downloaded, issue an error and skip the following steps. 4. Perform syntactic verification of fetched objects. The type of every object (certificate, manifest, CRL, ROA, or Ghostbustersrecord),Record) is determined based on the object's filename extension (.cer, .mft, .crl, .roa, and .gbr, respectively). The syntax of the object is described in Section 4 of [RFC6487] for resource certificates, step 1 of Section 3 of [RFC6488] for signed objects,and specifically,Section 4 of [RFC6486] for manifests, [RFC5280] for CRLs, Section 3 of [RFC6482] for ROAs, and Section 5 of [RFC6493] for Ghostbustersrecords.Records. 5. Put every downloaded and syntactically correct object in the object store (Section6.1.1).5.1.1). The time interval used inthestep 1 should be chosen based on the acceptable delay in receiving repository updates.5.1.2.4.1.2. Fetchsingle repository objectSingle Repository Object This operation receives one parameter--- a URI that points to an object in a repository. The fetcherperforms following operations:follows these steps: 1. Download a remote object using the URI provided. If the URI contains the "https" schema and download failed, issue a warning, replace the "https" schema in the URIbywith "http", and try to download the object using the resulting URI. 2. If the remote objectcan notcannot be downloaded, issue an error and skip the following steps. 3. Perform syntactic verification of the fetched object. The type of object (certificate, manifest, CRL, ROA, or Ghostbustersrecord),Record) is determined based on the object's filename extension (.cer, .mft, .crl, .roa, and .gbr, respectively). The syntax of the object is described in Section 4 of [RFC6487] for resource certificates, step 1 of Section 3 of [RFC6488] for signed objects,and specifically,Section 4 of [RFC6486] for manifests, [RFC5280] for CRLs, Section 3 of [RFC6482] for ROAs, and Section 5 of [RFC6493] for Ghostbustersrecords.Records. 4. If the downloaded object is not syntactically correct, issue an error and skip further steps. 5. Delete all objects from the object store (Section6.1.5)5.1.5) whose URI matches the URI given. 6. Put the downloaded object in the object store (Section6.1.1). 6.5.1.1). 5. Local Object Store6.1.5.1. Store Operations6.1.1.5.1.1. Store Repository Object Put the given object in thestore, along with its type, URI, hash, and AKI,store if there is no record with the same hash and URI fields. Note that in the (unlikely) event of hashcollisioncollision, the given object will not replace the object in the store.6.1.2.5.1.2. GetobjectsObjects byhashHash Retrieve all objects from the store whose hash attribute matches the given hash.6.1.3.5.1.3. Getcertificate objectsCertificate Objects by URI Retrieve from the store all objects of typecertificate,certificate whose URI attribute matches the given URI.6.1.4.5.1.4. Getmanifest objectsManifest Objects by AKI Retrieve from the store all objects of typemanifest,manifest whose AKI attribute matches the given AKI.6.1.5.5.1.5. DeleteobjectsObjects for a URI For a given URI, delete all objects in the store with a matching URI attribute.6.1.6.5.1.6. Deleteoutdated objectsOutdated Objects For a given URI and a list of hashes, delete all objects in the store with a matchingURI,URI whose hash attribute is not in the given list of hashes.6.1.7.5.1.7. Updateobject's validation timeObject's Validation Time For all objects in the store whose hash attribute matches the given hash, set the last validation time attribute to the given timestamp.7. Acknowledgements This document describes the algorithm as it is implemented by the software development team at the RIPE NCC, which included over time: Mikhail Puzanov, Erik Rozendaal, Miklos Juhasz, Misja Alma, Thiago da Cruz Pereira, Yannis Gonianakis, Andrew Snare, Varesh Tapadia, Paolo Milani, Thies Edeling, Hans Westerbeek, Rudi Angela, and Constantijn Visinescu. The authors would also like to acknowledge contributions by Carlos Martinez, Andy Newton, Rob Austein, and Stephen Kent. 8.6. IANA Considerations This document has noactions for IANA. 9.IANA actions. 7. Security Considerations9.1.7.1. HashcollisionsCollisions This implementation will not detect possible hash collisions in the hashes of repository objects (calculated using the file hash algorithm specified in [RFC7935]). It considers objects with same hash valuesasto be identical.9.2.7.2. AlgorithmagilityAgility This implementation only supports hash algorithms and key sizes specified in[RFC7935]).[RFC7935]. Algorithm agility described in [RFC6916] is not supported.9.3.7.3. Mismatch between theexpectedExpected andthe actual locationActual Location of anobjectObject in therepositoryRepository According to Section 2 of [RFC6481], all objects issued by a particular CA certificate are expected to be located in one repository publication point, specified in the SIA extension of that CA certificate. The manifest object issued by that CA certificate enumerates all other issued objects, listing theirfile namesfilenames and content hashes. However, it is possible that an object whose content hash matches the hash listed in themanifest, hasmanifest either has a differentfile name,filename or is located at a different publication point in a repository. On the other hand, all RPKI objects, either explicitly or within their embedded EE certificate, have anAuthority Key IdentifierAKI extension that contains the key identifier of their issuing CA certificate.ThereforeTherefore, it is always possible to perform an RPKI validation of the object whose expected location does not match its actual location, provided that the certificate that matches the AKI of the object in question is known to the system that performs validation. In the case of a mismatch as describedaboveabove, this implementation will not exclude an object from further validation merely because its actual location orfile namefilename does not match the expected location orfile name.filename. This decision waschosenmade because the actual location of a file in a repository is taken from the repository retrieval mechanism, which, in the case of an rsync repository, does not provide any cryptographic security, and in the case of an RRDP repository, provides only atransport layer security,transport-layer security with the fallback to unsecured transport. On the other hand, the manifest is an RPKI signed object, and its content could be verified in the context of the RPKI validation.9.4.7.4. ManifestcontentContent versuspublication point contentPublication Point Content This algorithm uses the content of a manifest object to determine other objects issued by a CA certificate. It verifies that the manifest is located in the publication point designated in the CACertificate'scertificate's SIA extension. However, if there are other (not listed in the manifest) objects located in the same publication point directory, they areignored,ignored even if they might be valid and issued by the same CA as the manifest. (This RP behavior is allowed, but not required, by [RFC6486].)9.5.7.5. PossibledenialDenial ofserviceService The store cleanup procedure described in Section4.33.3 tries tominimiseminimize removal and subsequent re-fetch of objects that are published in arepository,repository but not used in the validation. Once such objects are removed from the remote repository, they will be discarded from the local object store after a period of time specified by a local policy. By generating an excessive amount of syntactically valid RPKI objects, a man-in-the-middle attack between a validating tool and a repository could force an implementation to fetch and store those objects in the object store (see Section5.1.1)4.1.1) before they are validated and discarded, leading toanout-of-memory or out-of-disk-spaceconditions,conditions and, subsequently, a denial of service.10.8. References10.1.8.1. Normative References [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, <https://www.rfc-editor.org/info/rfc5280>. [RFC6481] Huston, G., Loomans, R., and G. Michaelson, "A Profile for Resource Certificate Repository Structure", RFC 6481, DOI 10.17487/RFC6481, February 2012, <https://www.rfc-editor.org/info/rfc6481>. [RFC6482] Lepinski, M., Kent, S., and D. Kong, "A Profile for Route Origin Authorizations (ROAs)", RFC 6482, DOI 10.17487/RFC6482, February 2012, <https://www.rfc-editor.org/info/rfc6482>. [RFC6486] Austein, R., Huston, G., Kent, S., and M. Lepinski, "Manifests for the Resource Public Key Infrastructure (RPKI)", RFC 6486, DOI 10.17487/RFC6486, February 2012, <https://www.rfc-editor.org/info/rfc6486>. [RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for X.509 PKIX Resource Certificates", RFC 6487, DOI 10.17487/RFC6487, February 2012, <https://www.rfc-editor.org/info/rfc6487>. [RFC6488] Lepinski, M., Chi, A., and S. Kent, "Signed Object Template for the Resource Public Key Infrastructure (RPKI)", RFC 6488, DOI 10.17487/RFC6488, February 2012, <https://www.rfc-editor.org/info/rfc6488>. [RFC6493] Bush, R., "The Resource Public Key Infrastructure (RPKI) Ghostbusters Record", RFC 6493, DOI 10.17487/RFC6493, February 2012, <https://www.rfc-editor.org/info/rfc6493>. [RFC6916] Gagliano, R., Kent, S., and S. Turner, "Algorithm Agility Procedure for the Resource Public Key Infrastructure (RPKI)", BCP 182, RFC 6916, DOI 10.17487/RFC6916, April 2013, <https://www.rfc-editor.org/info/rfc6916>. [RFC7730] Huston, G., Weiler, S., Michaelson, G., and S. Kent, "Resource Public Key Infrastructure (RPKI) Trust Anchor Locator", RFC 7730, DOI 10.17487/RFC7730, January 2016, <https://www.rfc-editor.org/info/rfc7730>. [RFC7935] Huston, G. and G. Michaelson, Ed., "The Profile for Algorithms and Key Sizes for Use in the Resource Public Key Infrastructure", RFC 7935, DOI 10.17487/RFC7935, August 2016, <https://www.rfc-editor.org/info/rfc7935>. [RFC8182] Bruijnzeels, T., Muravskiy, O., Weber, B., and R. Austein, "The RPKI Repository Delta Protocol (RRDP)", RFC 8182, DOI 10.17487/RFC8182, July 2017, <https://www.rfc-editor.org/info/rfc8182>. [RFC8360] Huston, G., Michaelson, G., Martinez, C., Bruijnzeels, T., Newton, A., and D. Shaw, "Resource Public Key Infrastructure (RPKI) Validation Reconsidered", RFC 8360, DOI 10.17487/RFC8360, April 2018, <https://www.rfc-editor.org/info/rfc8360>.10.2.8.2. Informative References[github] "RIPE NCC RPKI Validator on GitHub",[rpki-validator] "RIPE-NCC/rpki-validator source code", <https://github.com/RIPE-NCC/rpki-validator>. [rsync]"Rsync home page","rsync", October 2018, <https://rsync.samba.org>. Acknowledgements This document describes the algorithm as it is implemented by the software development team at the RIPE NCC, which, over time, included Mikhail Puzanov, Erik Rozendaal, Miklos Juhasz, Misja Alma, Thiago da Cruz Pereira, Yannis Gonianakis, Andrew Snare, Varesh Tapadia, Paolo Milani, Thies Edeling, Hans Westerbeek, Rudi Angela, and Constantijn Visinescu. The authors would also like to acknowledge contributions by Carlos Martinez, Andy Newton, Rob Austein, and Stephen Kent. Authors' Addresses Oleg Muravskiy RIPE NCC Email: oleg@ripe.net URI: https://www.ripe.net/ Tim Bruijnzeels NLNetLabs Email: tim@nlnetlabs.nl URI: https://www.nlnetlabs.nl/