<?xml version="1.0"encoding="US-ASCII"?>encoding="UTF-8"?> <!DOCTYPE rfc SYSTEM"rfc2629.dtd"> <?rfc sortrefs="yes"?> <?rfc subcompact="no"?> <?rfc symrefs="yes"?> <?rfc toc="yes"?> <?rfc tocdepth="3"?> <?rfc compact="yes"?> <?rfc subcompact="no"?>"rfc2629-xhtml.ent"> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" submissionType="IETF" category="std" consensus="true" docName="draft-ietf-opsawg-finding-geofeeds-17"ipr="trust200902">number="9092" ipr="trust200902" obsoletes="" updates="" xml:lang="en" sortRefs="true" symRefs="true" tocInclude="true" tocDepth="3" version="3"> <front> <title abbrev="Finding Geofeeds">Finding and Using Geofeed Data</title> <seriesInfo name="RFC" value="9092"/> <author fullname="Randy Bush" initials="R." surname="Bush"> <organization>IIJ & Arrcus</organization> <address> <postal> <street>5147 Crystal Springs</street> <city>Bainbridge Island</city> <region>Washington</region> <code>98110</code> <country>United States of America</country> </postal> <email>randy@psg.com</email> </address> </author> <author fullname="Massimo Candela" initials="M." surname="Candela"> <organization>NTT</organization> <address> <postal> <street>Siriusdreef 70-72</street> <city>Hoofddorp</city> <code>2132 WT</code> <country>Netherlands</country> </postal> <email>massimo@ntt.net</email> </address> </author> <author fullname="Warren Kumari" initials="W." surname="Kumari"> <organization>Google</organization> <address> <postal> <street>1600 Amphitheatre Parkway</street> <city>MountainView, CA</city>View</city> <region>CA</region> <code>94043</code><country>US</country><country>United States of America</country> </postal> <email>warren@kumari.net</email> </address> </author> <author fullname="Russ Housley" initials="R" surname="Housley"> <organization abbrev="Vigil Security">Vigil Security, LLC</organization> <address> <postal> <street>516 Dranesville Road</street> <city>Herndon</city> <region>VA</region> <code>20170</code><country>USA</country><country>United States of America</country> </postal> <email>housley@vigilsec.com</email> </address> </author> <date year="2021" month="July" /> <keyword>geolocation</keyword> <keyword>geo-location</keyword> <keyword>RPSL</keyword> <abstract> <t> This document specifies how to augment the Routing Policy Specification Language inetnum: class to refer specifically to geofeed dataCSV files,comma-separated values (CSV) files and describes an optional schemeto usethat uses the Routing Public Key Infrastructure to authenticate the geofeed data CSV files. </t> </abstract> </front> <middle> <sectiontitle="Introduction" anchor="intro">anchor="intro" numbered="true" toc="default"> <name>Introduction</name> <t> Providers of Internet content and other services may wish to customize those services based on the geographic location of the user of the service. This is often done using the source IP address used to contact the service. Also, infrastructure and other services might wish to publish the locale of their services. <xreftarget="RFC8805"/>target="RFC8805" format="default"/> defines geofeed, a syntax to associate geographic locales with IPaddresses. Butaddresses, but it does not specify how to find the relevant geofeed data given an IP address. </t> <t> This document specifies how to augment the Routing Policy Specification Language (RPSL) <xreftarget="RFC2725"/>target="RFC2725" format="default"/> inetnum: class to refer specifically to geofeed data CSVfiles,files and how to prudently use them. In all places inetnum: is used, inet6num: should also be assumed <xreftarget="RFC4012"/>.target="RFC4012" format="default"/>. </t> <t> The reader may find <xreftarget="INETNUM"/>target="INETNUM" format="default"/> and <xreftarget="INET6NUM"/>target="INET6NUM" format="default"/> informative, and certainly more verbose, descriptions of the inetnum: database classes. </t> <t> Anoptional,optional utterly awesome but slightly complex means for authenticating geofeed data is also defined. </t> <sectiontitle="Requirements Language">numbered="true" toc="default"> <name>Requirements Language</name> <t> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xrefformat="default" pageno="false"target="RFC2119"/> <xrefformat="default" pageno="false"target="RFC8174"/> when, and only when, they appear in all capitals, as shown here. </t> </section> </section> <sectiontitle="Geofeed Files" anchor="gf">anchor="gf" numbered="true" toc="default"> <name>Geofeed Files</name> <t> Geofeed files are described in <xreftarget="RFC8805"/>.target="RFC8805" format="default"/>. They provide a facility for an IP address resource'owner'"owner" to associate those IP addresses to geographic locales. </t> <t> Content providers and other parties who wish to locate an IP address to a geographic locale need to find the relevant geofeed data. In <xreftarget="inetnum"/>,target="inetnum" format="default"/>, this document specifies how to find the relevant<xref target="RFC8805"/>geofeed <xref target="RFC8805" format="default"/> file given an IP address. </t> <t> Geofeed data for large providers with significant horizontal scale and high granularity can be quite large. The size of a file can be even larger if an unsigned geofeed file combines data for many prefixes, if dual IPv4/IPv6 spaces are represented, etc. </t> <t> Geofeed data do have privacyconsiderations, seeconsiderations (see <xreftarget="privacy"/>; andtarget="privacy" format="default"/>); this process makes bulk access to those data easier. </t> <t> This document also suggests an optional signature to strongly authenticate the data in the geofeed files. </t> </section> <sectiontitle="inetnum: Class" anchor="inetnum">anchor="inetnum" numbered="true" toc="default"> <name>inetnum: Class</name> <t> The original RPSL specifications starting with <xreftarget="RIPE81"/>,target="RIPE81" format="default"/>, <xreftarget="RIPE181"/>,target="RIPE181" format="default"/>, and a trail of subsequent documents weredonewritten by the RIPE community. The IETF standardized RPSL in <xreftarget="RFC2622"/>target="RFC2622" format="default"/> and <xreftarget="RFC4012"/>.target="RFC4012" format="default"/>. Since then, it has been modified and extensively enhanced in the Regional Internet Registry (RIR) community, mostly byRIPE,RIPE <xreftarget="RIPE-DB"/>.target="RIPE-DB" format="default"/>. Currently, change control effectively lies in the operator community. </t> <t> TheRouting Policy Specification Language (RPSL),RPSL, and <xreftarget="RFC2725"/>target="RFC2725" format="default"/> and <xreftarget="RFC4012"/>target="RFC4012" format="default"/> used by the Regional Internet Registries(RIRs) specifies(RIRs), specify the inetnum: database class. Each of these objects describes an IP address range and its attributes. The inetnum: objects form a hierarchy ordered on the address space. </t> <t> Ideally, RPSL would be augmented to define a new RPSL geofeed: attribute in the inetnum: class. Until such time, this document defines the syntax of a Geofeed remarks:attributeattribute, which contains an HTTPS URL of a geofeed file. The format of the inetnum: geofeed remarks: attributeMUST<bcp14>MUST</bcp14> be as in this example, "remarks: Geofeed ", where the token"Geofeed" MUST"Geofeed " <bcp14>MUST</bcp14> becase-sensitive,case sensitive, followed by a URLwhichthat will vary, butMUSTit <bcp14>MUST</bcp14> refer only to a single<xref target="RFC8805"/>geofeed <xref target="RFC8805" format="default"/> file. </t><figure> <artwork><sourcecode type="rpsl"> <![CDATA[ inetnum: 192.0.2.0/24 # example remarks: Geofeed https://example.com/geofeed.csv</artwork> </figure>]]></sourcecode> <t> While we leave global agreement of RPSL modification to the relevant parties, we specify that a proper geofeed: attribute in the inetnum: classMUST<bcp14>MUST</bcp14> be"geofeed: ","geofeed:" andMUST<bcp14>MUST</bcp14> be followed by a single URLwhichthat will vary, butMUSTit <bcp14>MUST</bcp14> refer only to a single<xref target="RFC8805"/>geofeed <xref target="RFC8805" format="default"/> file. </t><figure> <artwork><sourcecode type="rpsl"><![CDATA[ inetnum: 192.0.2.0/24 # example geofeed: https://example.com/geofeed.csv</artwork> </figure>]]></sourcecode> <t> RegistriesMAY,<bcp14>MAY</bcp14>, for the interim, provide a mix of the remarks: attribute form and the geofeed: attribute form. </t> <t> The URL uses HTTPS, so the WebPKI provides authentication, integrity, and confidentiality for the fetched geofeed file. However, the WebPKI can not provide authentication of IP address space assignment. In contrast, theResource Public Key Infrastructure (RPKI, seeRPKI (see <xreftarget="RFC6481"/>)target="RFC6481" format="default"/>) can be used to authenticate IP space assignment; see optional authentication in <xreftarget="auth"/>.target="auth" format="default"/>. </t> <t> Until all producers ofinetnum:s, i.e.inetnum: objects, i.e., the RIRs, state that they have migrated to supporting a geofeed: attribute, consumers looking atinetnum:sinetnum: objects to find geofeed URLsMUST<bcp14>MUST</bcp14> be able to consume both the remarks: and geofeed: forms. The migration not only implies that the RIRs support the geofeed: attribute, but that all registrants have migrated anyinetnum:sinetnum: objects from remarks:usetogeofeed:s.geofeed: attributes. </t> <t> Any particular inetnum: objectMUST have<bcp14>MUST</bcp14> have, at most, one geofeed reference, whether a remarks: or a proper geofeed: attribute when it is implemented. If there is more than one, all are ignored. </t> <t> If a geofeed CSV file describes multiple disjoint ranges of IP address space, there are likely to be geofeed references from multiple inetnum: objects. Files with geofeed references from multiple inetnum: objects are not compatible with the signing procedure in <xreftarget="auth"/>.target="auth" format="default"/>. </t> <t> When geofeed references are provided by multiple inetnum: objectswhichthat have identical address ranges, then the geofeed reference on the inetnum: with the most recent last-modified: attributeSHOULD<bcp14>SHOULD</bcp14> be preferred. </t> <t> As inetnum: objects form a hierarchy,Geofeedgeofeed referencesSHOULD<bcp14>SHOULD</bcp14> be at the lowest applicable inetnum: object covering the relevant address ranges in the referenced geofeed file. When fetching, the most specific inetnum: object with a geofeed referenceMUST<bcp14>MUST</bcp14> be used. </t> <t> It is significant that geofeed data may have finer granularity than the inetnum:whichthat refers to them. Forexampleexample, an INETNUM object for an address range P could refer to a geofeed file in which P has beensub-dividedsubdivided into one or more longer prefixes. </t> <t> Currently, the registry data published by ARINisare not the same RPSL as that of the other registries (see <xreftarget="RFC7485"/>target="RFC7485" format="default"/> for a survey of thewhoisWHOIS Tower of Babel); therefore, when fetching from ARIN via FTP <xreftarget="RFC0959"/>, whois <xref target="RFC3912"/>, RDAPtarget="RFC0959" format="default"/>, WHOIS <xref target="RFC3912" format="default"/>, the Registration Data Access Protocol (RDAP) <xreftarget="RFC7482"/>, or whatever,target="RFC9082" format="default"/>, etc., the "NetRange" attribute/keyMUST<bcp14>MUST</bcp14> be treated as"inetnum""inetnum", and the "Comment" attributeMUST<bcp14>MUST</bcp14> be treated as "remarks". </t> </section> <sectiontitle="Authenticatinganchor="auth" numbered="true" toc="default"> <name>Authenticating GeofeedData" anchor="auth">Data</name> <t> The question arises whether a particular<xref target="RFC8805"/>geofeed <xref target="RFC8805" format="default"/> data set is valid,i.e.i.e., is authorized by the'owner'"owner" of the IP address space and is authoritative in some sense. The inetnum:whichthat points to the<xref target="RFC8805"/>geofeed <xref target="RFC8805" format="default"/> file provides some assurance. Unfortunately, the RPSL in many repositories is weakly authenticated at best. An approach where RPSL was signeda laper <xreftarget="RFC7909"/>target="RFC7909" format="default"/> would be good, except it would have to be deployed by all RPSL registries, and there is a fair number of them. </t> <t> A single optional authenticatorMAY<bcp14>MAY</bcp14> be appended to a<xref target="RFC8805"/>geofeed <xref target="RFC8805" format="default"/> file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. One needs a format that bundles the relevant RPKI certificate with the signature of the geofeed text. </t> <t> The canonicalization procedure converts the data fromitstheir internal character representation to the UTF-8 <xreftarget="RFC3629"/>target="RFC3629" format="default"/> character encoding, and the <CRLF> sequenceMUST<bcp14>MUST</bcp14> be used to denote the end of a line of text. A blank line is represented solely by the <CRLF> sequence. For robustness, any non-printable charactersMUST NOT<bcp14>MUST NOT</bcp14> be changed by canonicalization. Trailing blank linesMUST NOT<bcp14>MUST NOT</bcp14> appear at the end of the file. That is, the file must not end with multiple consecutive <CRLF> sequences. Any end-of-file marker used by an operating system is not considered to be part of the file content. When present, such end-of-file markersMUST NOT<bcp14>MUST NOT</bcp14> be processed by the digital signature algorithm. </t> <t> Should the authenticator be syntactically incorrect per the above, the authenticator is invalid. </t> <t> Borrowing detached signatures from <xreftarget="RFC5485"/>,target="RFC5485" format="default"/>, after file canonicalization, the Cryptographic Message Syntax (CMS) <xreftarget="RFC5652"/>target="RFC5652" format="default"/> would be used to create a detachedDER encodedDER-encoded signaturewhichthat is then padded BASE64 encoded (as per <xreftarget="RFC4648"/> Section 4),target="RFC4648" sectionFormat="of" section="4" format="default"/>) and line wrapped to 72 or fewer characters. The same digest algorithmMUST<bcp14>MUST</bcp14> be used for calculating the message digest on content being signed, which is the geofeed file, and for calculating the message digest on the SignerInfo SignedAttributes <xreftarget="RFC8933"/>.target="RFC8933" format="default"/>. The message digest algorithm identifierMUST<bcp14>MUST</bcp14> appear in both theSigenedDataSignedData DigestAlgorithmIdentifiers and the SignerInfo DigestAlgorithmIdentifier <xreftarget="RFC5652"/>.target="RFC5652" format="default"/>. </t> <t> The address range of the signing certificateMUST<bcp14>MUST</bcp14> cover all prefixes in the geofeed file it signs. </t> <t> An address range A'covers'"covers" address range B if the range of B is identical to or a subset of A.'Address range'"Address range" is used here because inetnum: objects and RPKI certificates need not align onCIDRClassless Inter-Domain Routing (CIDR) <xref target="RFC4632"/> prefix boundaries, while those of the CSV lines in a geofeed file do. </t> <t> As the signer specifies the covered RPKI resources relevant to the signature, the RPKI certificate covering the inetnum: object's address range is included in the <xreftarget="RFC5652"/>target="RFC5652" format="default"/> CMS SignedData certificates field. </t> <t> Identifying the private key associated with thecertificate,certificate and getting the department that controls the private key (which might be trapped in a Hardware SecurityModule, HSM)Module (HSM)) to sign the CMS blob is left as an exercise for the implementor. On the other hand, verifying the signature requires no complexity; the certificate, which can be validated in the public RPKI, has the needed public key. The trust anchors for the RIRs are expected to already be available to the party performing signature validation. Validation of the CMS signature on the geofeed fileinvolves:<list style="numbers">involves:</t> <ol spacing="normal" type="1"><li> <t>ObtainObtaining the signer's certificate from the CMS SignedData CertificateSet <xreftarget="RFC5652"/>.target="RFC5652" format="default"/>. The certificate SubjectKeyIdentifier extension <xreftarget="RFC5280"/> MUSTtarget="RFC5280" format="default"/> <bcp14>MUST</bcp14> match the SubjectKeyIdentifier in the CMS SignerInfo SignerIdentifier <xreftarget="RFC5652"/>.target="RFC5652" format="default"/>. If the key identifiers do not match, then validationMUST fail. </t><bcp14>MUST</bcp14> fail.</t> <t>ConstructValidation of the signer's certificate <bcp14>MUST</bcp14> ensure that it is part of the current <xref target="RFC6486" format="default"/> manifest and that the resources are covered by the RPKI certificate. </t> </li> <li> Constructing the certification path for the signer's certificate. All of the needed certificates are expected to be readily available in the RPKIRepository.repository. The certification pathMUST<bcp14>MUST</bcp14> be valid according to the validation algorithm in <xreftarget="RFC5280"/>target="RFC5280" format="default"/> and the additional checks specified in <xreftarget="RFC3779"/>target="RFC3779" format="default"/> associated with the IP Address Delegation certificate extension and the Autonomous System Identifier Delegation certificate extension. If certification path validation is unsuccessful, then validationMUST<bcp14>MUST</bcp14> fail.</t> <t> Validate</li> <li> Validating the CMS SignedData as specified in <xreftarget="RFC5652"/>target="RFC5652" format="default"/> using the public key from the validated signer's certificate. If the signature validation is unsuccessful, then validationMUST<bcp14>MUST</bcp14> fail.</t> <t> Verify</li> <li> Verifying that the IP Address Delegation certificate extension <xreftarget="RFC3779"/>target="RFC3779" format="default"/> covers all of the address ranges of the geofeed file. If all of the address ranges are not covered, then validationMUST<bcp14>MUST</bcp14> fail.</t> <t> Validation of the signer's certificate MUST ensure that it is part of the current <xref target="RFC6486"/> manifest and that the resources are covered by the RPKI certificate. </t> </list></t></li> </ol> <t> All of these stepsMUST<bcp14>MUST</bcp14> be successful to consider the geofeed file signature as valid. </t> <t> As the signer specifies the covered RPKI resources relevant to the signature, the RPKI certificate covering the inetnum: object's address range is included in the<xref target="RFC5652"/>CMS SignedData certificatesfield.field <xref target="RFC5652" format="default"/>. </t> <t> Identifying the private key associated with thecertificate,certificate and getting the department with the Hardware Security Module (HSM) to sign the CMS blob is left as an exercise for the implementor. On the other hand, verifying the signature requires no complexity; the certificate, which can be validated in the public RPKI, has the needed public key. </t> <t> The appendixMUST<bcp14>MUST</bcp14> be'hidden'hidden as a series of "#" comments at the end of the geofeed file. The following is a cryptographically incorrect, albeitsimplesimple, example. A correct and full example is in <xreftarget="example"/>.target="example" format="default"/>. </t><figure> <artwork><sourcecode type=""><![CDATA[ # RPKI Signature: 192.0.2.0 - 192.0.2.255 # MIIGlwYJKoZIhvcNAQcCoIIGiDCCBoQCAQMxDTALBglghkgBZQMEAgEwDQYLKoZ # IhvcNAQkQAS+gggSxMIIErTCCA5WgAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZu ... # imwYkXpiMxw44EZqDjl36MiWsRDLdgoijBBcGbibwyAfGeR46k5raZCGvxG+4xa # O8PDTxTfIYwAnBjRBKAqAZ7yX5xHfm58jUXsZJ7Ileq1S7G6Kk= # End Signature: 192.0.2.0 - 192.0.2.255</artwork> </figure>]]></sourcecode> <t> The signature does not cover the signature lines. </t> <t> The bracketing "# RPKI Signature:" and "# End Signature:"MUST<bcp14>MUST</bcp14> be present following the model as shown. Their IP address rangeMUST<bcp14>MUST</bcp14> match that of the inetnum: URL followed to the file. </t> <t> <xreftarget="I-D.spaghetti-sidrops-rpki-rsc"/>target="I-D.ietf-sidrops-rpki-rsc" format="default"/> describes and provides code for aCryptographic Message Syntax (CMS)CMS profile for a general purpose listing of checksums (a'checklist'),"checklist") for use with the Resource Public Key Infrastructure (RPKI). It provides usable, albeit complex, code to sign geofeed files. </t> <t> <xreftarget="I-D.ietf-sidrops-rpki-rta"/>target="I-D.ietf-sidrops-rpki-rta" format="default"/> describes aCryptographic Message Syntax (CMS)CMS profile for a general purpose Resource Tagged Attestation (RTA) based on the RPKI. While this is expected to become applicable in the long run, for the purposes of this document, a self-signed root trust anchor is used. </t> </section> <sectiontitle="Operational Considerations" anchor="ops">anchor="ops" numbered="true" toc="default"> <name>Operational Considerations</name> <t> To create the needed inetnum: objects, an operator wishing to register the location of their geofeed file needs to coordinate with theirRIR/NIRRegional Internet Registry (RIR) or National Internet Registry (NIR) and/or any providerLIR whichLocal Internet Registry (LIR) that has assigned address ranges to them. RIRs/NIRs provide means for assignees to create and maintain inetnum: objects. They also provide means of[sub-]assigningassigning or sub-assigning IP address resources and allowing the assignee to createwhoisWHOIS data, including inetnum: objects,andthereby referring to geofeed files. </t> <t> The geofeed filesMUST<bcp14>MUST</bcp14> be published via and fetched using HTTPS <xreftarget="RFC2818"/>.target="RFC2818" format="default"/>. </t> <t> When using data from a geofeed file, oneMUST<bcp14>MUST</bcp14> ignore data outside the referring inetnum: object's inetnum: attribute address range. </t> <t> If and only if the geofeed file is not signed per <xreftarget="auth"/>,target="auth" format="default"/>, then multiple inetnum: objectsMAY<bcp14>MAY</bcp14> refer to the same geofeed file, and the consumerMUST<bcp14>MUST</bcp14> use only lines in the geofeed file where the prefix is covered by the address range of the inetnum: object's URL it has followed. </t> <t> If the geofeed file is signed, and the signer's certificate changes, the signature in the geofeed fileMUST<bcp14>MUST</bcp14> be updated. </t> <t> It is good key hygiene to use a given key for only one purpose. To dedicate a signing private key for signing a geofeed file, an RPKICACertification Authority (CA) may issue a subordinate certificate exclusively for the purposeasshown in <xreftarget="example"/>.target="example" format="default"/>. </t> <t> To minimize the load on RIRwhoisWHOIS <xreftarget="RFC3912"/>target="RFC3912" format="default"/> services, use of the RIR's FTP <xreftarget="RFC0959"/>target="RFC0959" format="default"/> servicesSHOULD<bcp14>SHOULD</bcp14> be used forlarge scalelarge-scale access to gather geofeed URLs. This also provides bulk access instead of fetching bybrute forcebrute-force search through the IP space. </t> <t> Currently, geolocation providers have bulkwhoisWHOIS data access at all the RIRs. An anonymized version of such data is openly available for all RIRs except ARIN, which requires an authorization. However, for users without such authorization, the same result can be achieved with extra RDAP effort. There isopen sourceopen-source code to pass over such data across all RIRs, collect all geofeed references, and process them <xreftarget="geofeed-finder"/>.target="GEOFEED-FINDER" format="default"/>. </t> <t> To prevent undue load on RPSL and geofeed servers,an entity fetchingentity-fetching geofeed data using these mechanismsMUST NOT<bcp14>MUST NOT</bcp14> do frequent real-timelook-ups.lookups. <xreftarget="RFC8805"/> Section 3.4target="RFC8805" sectionFormat="of" section="3.4" format="default"/> suggests use of the<xref target="RFC7234"/>HTTP ExpiresCaching Headerheader <xref target="RFC7234" format="default"/> to signal when geofeed data should be refetched. As the data change very infrequently, in the absence of such an HTTP Header signal, collectorsSHOULD NOT<bcp14>SHOULD NOT</bcp14> fetch more frequently than weekly. It would be polite not to fetch at magic times such as midnight UTC, the first of the month, etc., because too many others are likely to do the same. </t> </section> <sectiontitle="Privacy Considerations" anchor="privacy">anchor="privacy" numbered="true" toc="default"> <name>Privacy Considerations</name> <t> <xreftarget="RFC8805"/>target="RFC8805" format="default"/> geofeed data may reveal the approximate location of an IP address, which might in turn reveal the approximate location of an individual user. Unfortunately, <xreftarget="RFC8805"/>target="RFC8805" format="default"/> provides no privacy guidance on avoiding or ameliorating possible damage due to this exposure of the user. In publishing pointers to geofeed files as described in this document, the operator should be aware of this exposure in geofeed data and be cautious. All the privacy considerations of <xreftarget="RFC8805"/> Section 4target="RFC8805" sectionFormat="of" section="4" format="default"/> apply to this document. </t> <t> Where <xreftarget="RFC8805"/>target="RFC8805" format="default"/> provided the ability to publish location data, this document makes bulk access to those data readily available. This is a goal, not an accident. </t> </section> <sectiontitle="Security Considerations" anchor="seccons">anchor="seccons" numbered="true" toc="default"> <name>Security Considerations</name> <t> It is generally prudent for a consumer of geofeed data to also use other sources tocross-validatecross validate the data. All theSecurity Considerationssecurity considerations of <xreftarget="RFC8805"/>target="RFC8805" format="default"/> apply here as well. </t> <t> As mentioned in <xreftarget="auth"/>,target="auth" format="default"/>, many RPSL repositories haveweakweak, ifanyany, authentication. This allows spoofing of inetnum: objects pointing to malicious geofeed files. <xreftarget="auth"/>target="auth" format="default"/> suggests an unfortunately complex method for stronger authentication based on the RPKI. </t> <t> For example, if an inetnum: for a wide address range(e.g.(e.g., a /16) points to an RPKI-signed geofeed file, a customer or attacker could publish an unsigned equal or narrower(e.g.(e.g., a /24) inetnum: in awhoisWHOIS registrywhichthat has weak authorization, abusing the rule that the most-specific inetnum: object with a geofeed referenceMUST<bcp14>MUST</bcp14> be used. </t> <t> If signatures were mandatory, the above attack would bestymied. Butstymied, but of course that is not happening anytime soon. </t> <t> The RPSL providers have had to throttle fetching from their servers due to too-frequent queries.UsuallyUsually, they throttle by the querying IP address or block. Similar defenses will likely need to be deployed by geofeed file servers. </t> </section> <sectiontitle="IANA Considerations" anchor="iana">anchor="iana" numbered="true" toc="default"> <name>IANA Considerations</name> <t> IANAis asked to registerhas registered object identifiers for one content type in the "SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)" registry as follows: </t><figure> <artwork><![CDATA[ Description OID Specification ----------------------------------------------------------------- id-ct-geofeedCSVwithCRLF 1.2.840.113549.1.9.16.1.47 [RFC-TBD] ]]></artwork> </figure> </section> <section title="Acknowledgments" anchor="ack"> <t> Thanks to Rob Austein for CMS and detached signature clue. George Michaelson for the first and substantial external review, Erik Kline who was too shy to agree to co-authorship. Additionally, we express our gratitude to early implementors, including Menno Schepers, Flavio Luciani, Eric Dugas, Job Snijders who provided running code, and Kevin Pack. Also, to geolocation providers that are consuming geofeeds with this described solution, Jonathan Kosgei (ipdata.co), Ben Dowling (ipinfo.io), and Pol Nisenblat (bigdatacloud.com). For an amazing number of helpful reviews we thank Adrian Farrel, Antonio Prado, Francesca Palombini, Jean-Michel Combes (INTDIR), John Scudder, Kyle Rose (SECDIR), Martin Duke, Murray Kucherawy, Paul Kyzivat (GENART), Rob Wilton, and Roman Danyliw. The authors also thank George Michaelson, the awesome document shepherd. </t><table anchor="iana_table"> <thead> <tr> <th>Decimal</th> <th>Description</th> <th>References</th> </tr> </thead> <tbody> <tr> <td>47</td> <td>id-ct-geofeedCSVwithCRLF</td> <td>RFC 9092</td> </tr> </tbody> </table> </section> </middle> <back><references title="Normative References"> <?rfc include="reference.RFC.2119"?> <?rfc include="reference.RFC.2622"?> <?rfc include="reference.RFC.2725"?> <?rfc include="reference.RFC.2818"?> <?rfc include="reference.RFC.3629"?> <?rfc include="reference.RFC.3779"?> <?rfc include="reference.RFC.4012"?> <?rfc include="reference.RFC.4648"?> <?rfc include="reference.RFC.5280"?> <?rfc include="reference.RFC.5652"?> <?rfc include="reference.RFC.8174"?> <?rfc include="reference.RFC.6481"?> <?rfc include="reference.RFC.6486"?> <?rfc include="reference.RFC.8805"?> <?rfc include="reference.RFC.8933"?><displayreference target="I-D.ietf-sidrops-rpki-rsc" to="RPKI-RSC"/> <displayreference target="I-D.ietf-sidrops-rpki-rta" to="RPKI-RTA"/> <references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2622.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2725.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2818.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3629.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3779.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4012.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4648.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5652.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6481.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6486.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8805.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8933.xml"/> </references><references title="Informative References"> <?rfc include="reference.RFC.0959"?> <?rfc include="reference.RFC.3912"?> <?rfc include="reference.RFC.5485"?> <?rfc include="reference.RFC.7234"?> <?rfc include="reference.RFC.7482"?> <?rfc include="reference.RFC.7485"?> <?rfc include="reference.RFC.7909"?> <?rfc include="reference.I-D.spaghetti-sidrops-rpki-rsc"?> <?rfc include="reference.I-D.ietf-sidrops-rpki-rta"?><references> <name>Informative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.0959.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3912.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5485.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7234.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9082.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7485.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7909.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4632.xml"/> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-sidrops-rpki-rsc.xml"/> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-sidrops-rpki-rta.xml"/> <reference anchor="RIPE81" target="https://www.ripe.net/publications/docs/ripe-081"> <front> <title>Representation Of IP Routing Policies In The RIPE Database</title><author><organization>RIPE</organization></author> <date/><author> <organization>RIPE NCC</organization> </author> <date month="February" year="1993"/> </front> </reference> <reference anchor="RIPE181" target="https://www.ripe.net/publications/docs/ripe-181"> <front> <title>Representation Of IP Routing Policies In A Routing Registry</title><author><organization>RIPE</organization></author> <date/><author> <organization>RIPE NCC</organization> </author> <date month="October" year="1994"/> </front> </reference> <reference anchor="RIPE-DB" target="https://www.ripe.net/manage-ips-and-asns/db/support/documentation/ripe-database-documentation"> <front> <title>RIPE Database Documentation</title><author><organization>RIPE</organization></author><author> <organization>RIPE NCC</organization> </author> <date/> </front> </reference> <reference anchor="INETNUM" target="https://www.ripe.net/manage-ips-and-asns/db/support/documentation/ripe-database-documentation/rpsl-object-types/4-2-descriptions-of-primary-objects/4-2-4-description-of-the-inetnum-object"> <front> <title>Description of the INETNUM Object</title><author><organization>RIPE</organization></author> <date/><author> <organization>RIPE NCC</organization> </author> <date month="June" year="2020"/> </front> </reference> <reference anchor="INET6NUM" target="https://www.ripe.net/manage-ips-and-asns/db/support/documentation/ripe-database-documentation/rpsl-object-types/4-2-descriptions-of-primary-objects/4-2-3-description-of-the-inet6num-object"> <front> <title>Description of the INET6NUM Object</title><author><organization>RIPE</organization></author> <date/><author> <organization>RIPE NCC</organization> </author> <date month="October" year="2019"/> </front> </reference> <referenceanchor="geofeed-finder"anchor="GEOFEED-FINDER" target="https://github.com/massimocandela/geofeed-finder"> <front> <title>geofeed-finder</title><author><organization>Massimo Candela</organization></author> <date/><author> <organization></organization> </author> <date month="June" year="2021"/> </front> <refcontent>commit 5f557a4</refcontent> </reference> </references> </references> <sectiontitle="Example" anchor="example">anchor="example" numbered="true" toc="default"> <name>Example</name> <t> This appendix provides anexample, includingexample that includes a trust anchor, a CA certificate subordinate to the trust anchor, an end-entity certificate subordinate to the CA for signing the geofeed, and a detached signature. </t> <t> The trust anchor is represented by a self-signed certificate. As usual in the RPKI, the trust anchor has authority over all IPv4 address blocks, all IPv6 address blocks, and allASAutonomous System (AS) numbers. </t><figure><artwork><![CDATA[<sourcecode type=""><![CDATA[ -----BEGIN CERTIFICATE----- MIIEPjCCAyagAwIBAgIUPsUFJ4e/7pKZ6E14aBdkbYzms1gwDQYJKoZIhvcNAQEL BQAwFTETMBEGA1UEAxMKZXhhbXBsZS10YTAeFw0yMDA5MDMxODU0NTRaFw0zMDA5 MDExODU0NTRaMBUxEzARBgNVBAMTCmV4YW1wbGUtdGEwggEiMA0GCSqGSIb3DQEB AQUAA4IBDwAwggEKAoIBAQCelMmMDCGBhqn/a3VrNAoKMr1HVLKxGoG7VF/13HZJ 0twObUZlh3Jz+XeD+kNAURhELWTrsgdTkQQfqinqOuRemxTl55+x7nLpe5nmwaBH XqqDOHubmkbAGanGcm6T/rD9KNk1Z46Uc2p7UYu0fwNO0mo0aqFL2FSyvzZwziNe g7ELYZ4a3LvGn81JfP/JvM6pgtoMNuee5RV6TWaz7LV304ICj8Bhphy/HFpOA1rb O9gs8CUMgqz+RroAIa8cV8gbF/fPCz9Ofl7Gdmib679JxxFrW4wRJ0nMJgJmsZXq jaVc0g7ORc+eIAcHw7Uroc6h7Y7lGjOkDZF75j0mLQa3AgMBAAGjggGEMIIBgDAd BgNVHQ4EFgQU3hNEuwvUGNCHY1TBatcUR03pNdYwHwYDVR0jBBgwFoAU3hNEuwvU GNCHY1TBatcUR03pNdYwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw GAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjCBuQYIKwYBBQUHAQsEgawwgakwPgYI KwYBBQUHMAqGMnJzeW5jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5L2V4 YW1wbGUtdGEubWZ0MDUGCCsGAQUFBzANhilodHRwczovL3JyZHAuZXhhbXBsZS5u ZXQvbm90aWZpY2F0aW9uLnhtbDAwBggrBgEFBQcwBYYkcnN5bmM6Ly9ycGtpLmV4 YW1wbGUubmV0L3JlcG9zaXRvcnkvMCcGCCsGAQUFBwEHAQH/BBgwFjAJBAIAATAD AwEAMAkEAgACMAMDAQAwHgYIKwYBBQUHAQgEEjAQoA4wDDAKAgEAAgUA/////zAN BgkqhkiG9w0BAQsFAAOCAQEAgZFQ0Sf3CI5Hwev61AUWHYOFniy69PuDTq+WnhDe xX5rpjSDRrs5L756KSKJcaOJ36lzO45lfOPSY9fH6x30pnipaqRA7t5rApky24jH cSUA9iRednzxhVyGjWKnfAKyNo2MYfaOAT0db1GjyLKbOADI9FowtHBUu+60ykcM Quz66XrzxtmxlrRcAnbv/HtV17qOd4my6q5yjTPR1dmYN9oR/2ChlXtGE6uQVguA rvNZ5CwiJ1TgGGTB7T8ORHwWU6dGTc0jk2rESAaikmLi1roZSNC21fckhapEit1a x8CyiVxjcVc5e0AmS1rJfL6LIfwmtive/N/eBtIM92HkBA== -----END CERTIFICATE-----]]></artwork></figure>]]></sourcecode> <t> The CA certificate is issued by the trust anchor. This certificate grants authority over one IPv4 address block (192.0.2.0/24) and two AS numbers (64496 and 64497).</t><figure><artwork><![CDATA[<sourcecode type=""><![CDATA[ -----BEGIN CERTIFICATE----- MIIFBzCCA++gAwIBAgIUcyCzS10hdfG65kbRq7toQAvRDKowDQYJKoZIhvcNAQEL BQAwFTETMBEGA1UEAxMKZXhhbXBsZS10YTAeFw0yMDA5MDMxOTAyMTlaFw0yMTA5 MDMxOTAyMTlaMDMxMTAvBgNVBAMTKDNBQ0UyQ0VGNEZCMjFCN0QxMUUzRTE4NEVG QzFFMjk3QjM3Nzg2NDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDc zz1qwTxC2ocw5rqp8ktm2XyYkl8riBVuqlXwfefTxsR2YFpgz9vkYUd5Az9EVEG7 6wGIyZbtmhK63eEeaqbKz2GHub467498BXeVrYysO+YuIGgCEYKznNDZ4j5aaDbo j5+4/z0Qvv6HEsxQd0f8br6lKJwgeRM6+fm7796HNPB0aqD7Zj9NRCLXjbB0DCgJ liH6rXMKR86ofgll9V2mRjesvhdKYgkGbOif9rvxVpLJ/6zdru5CE9yeuJZ59l+n YH/r6PzdJ4Q7yKrJX8qD6A60j4+biaU4MQ72KpsjhQNTTqF/HRwi0N54GDaknEwE TnJQHgLJDYqww9yKWtjjAgMBAAGjggIvMIICKzAdBgNVHQ4EFgQUOs4s70+yG30R 4+GE78Hil7N3hkIwHwYDVR0jBBgwFoAU3hNEuwvUGNCHY1TBatcUR03pNdYwDwYD VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwGAYDVR0gAQH/BA4wDDAKBggr BgEFBQcOAjBhBgNVHR8EWjBYMFagVKBShlByc3luYzovL3Jwa2kuZXhhbXBsZS5u ZXQvcmVwb3NpdG9yeS8zQUNFMkNFRjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5N0Iz Nzc4NjQyLmNybDBOBggrBgEFBQcBAQRCMEAwPgYIKwYBBQUHMAKGMnJzeW5jOi8v cnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5L2V4YW1wbGUtdGEuY2VyMIG5Bggr BgEFBQcBCwSBrDCBqTA+BggrBgEFBQcwCoYycnN5bmM6Ly9ycGtpLmV4YW1wbGUu bmV0L3JlcG9zaXRvcnkvZXhhbXBsZS1jYS5tZnQwNQYIKwYBBQUHMA2GKWh0dHBz Oi8vcnJkcC5leGFtcGxlLm5ldC9ub3RpZmljYXRpb24ueG1sMDAGCCsGAQUFBzAF hiRyc3luYzovL3Jwa2kuZXhhbXBsZS5uZXQvcmVwb3NpdG9yeS8wHwYIKwYBBQUH AQcBAf8EEDAOMAwEAgABMAYDBADAAAIwHgYIKwYBBQUHAQgEEjAQoA4wDDAKAgMA +/ACAwD78TANBgkqhkiG9w0BAQsFAAOCAQEAnLu+d1ZsUTiX3YWGueTHIalW4ad0 Kupi7pYMV2nXbxNGmdJMol9BkzVz9tj55ReMghUU4YLm/ICYe4fz5e0T8o9s/vIm cGS29+WoGuiznMitpvbS/379gaMezk6KpqjH6Brw6meMqy09phmcmvm3x3WTmx09 mLlQneMptwk8qSYcnMUmGLJs+cVqmkOa3sWRdw8WrGu6QqYtQz3HFZQojF06YzEq V/dBdCFdEOwTfVl2n2XqhoJl/oEBdC4uu2G0qRk3+WVs+uwVHP0Ttsbt7TzFgZfY yxqvOg6QoldxZVZmHHncKmETu/BqCDGJot9may31ukrx34Bu+XFMVihm0w== -----END CERTIFICATE-----]]></artwork></figure>]]></sourcecode> <t> The end-entity certificate is issued by the CA. This certificate grants signature authority for one IPv4 address block (192.0.2.0/24). Signature authority for AS numbers is not needed for geofeed data signatures, so no AS numbers are included in the certificate.</t><figure><artwork><![CDATA[<sourcecode type=""><![CDATA[ -----BEGIN CERTIFICATE----- MIIEpTCCA42gAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZuQwDQYJKoZIhvcNAQEL BQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExRTNFMTg0RUZDMUUyOTdC Mzc3ODY0MjAeFw0yMTA1MjAxNjA1NDVaFw0yMjAzMTYxNjA1NDVaMDMxMTAvBgNV BAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM0NUFCRjA1M0ExODcwggEi MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycTQrOb/qB2W3i3Ki8PhA/DEW yii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQgtPCVwr62hTQZCIowBN0BL0c K0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZmr5xphXRvE+mzuJVLgu2V1upm BXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXhaFLe08y4DPfr/S/tXJOBm7QzQp tmbPLYtGfprYu45liFFqqP94UeLpISfXd36AKGzqTFCcc3EW9l5UFE1MFLlnoEog qtoLoKABt0IkOFGKeC/EgeaBdWLe469ddC9rQft5w6g6cmxG+aYDdIEB34zrAgMB AAGjggGvMIIBqzAdBgNVHQ4EFgQUkUZSo71RwUQmAZiIn1xFq/BToYcwHwYDVR0j BBgwFoAUOs4s70+yG30R4+GE78Hil7N3hkIwDAYDVR0TAQH/BAIwADAOBgNVHQ8B Af8EBAMCB4AwGAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjBhBgNVHR8EWjBYMFag VKBShlByc3luYzovL3Jwa2kuZXhhbXBsZS5uZXQvcmVwb3NpdG9yeS8zQUNFMkNF RjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5N0IzNzc4NjQyLmNybDBsBggrBgEFBQcB AQRgMF4wXAYIKwYBBQUHMAKGUHJzeW5jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBv c2l0b3J5LzNBQ0UyQ0VGNEZCMjFCN0QxMUUzRTE4NEVGQzFFMjk3QjM3Nzg2NDIu Y2VyMBkGCCsGAQUFBwEHAQH/BAowCDAGBAIAAQUAMEUGCCsGAQUFBwELBDkwNzA1 BggrBgEFBQcwDYYpaHR0cHM6Ly9ycmRwLmV4YW1wbGUubmV0L25vdGlmaWNhdGlv bi54bWwwDQYJKoZIhvcNAQELBQADggEBAEjC98gVp0Mb7uiKaHylP0453mtJ+AkN 07fsK/qGw/e90DJv7cp1hvjj4uy3sgf7PJQ7cKNGrgybq/lE0jce+ARgVjbi2Brz ZsWAnB846Snwsktw6cenaif6Aww6q00NspAepMBd2Vg/9sKFvOwJFVOgNcqiQiXP 5rGJPWBcOMv52a/7adjfXwpnOijiTOgMloQGmC2TPZpydZKjlxEATdFEQssa33xD nlpp+/r9xuNVYRtRcC36oWraVA3jzN6F6rDE8r8xs3ylISVz6JeCQ4YRYwbMsjjc /tiJLM7ZYxIe5IrYz1ZtN6n/SEssJAswRIgps2EhCt/HS2xAmGCOhgU= -----END CERTIFICATE-----]]></artwork></figure>]]></sourcecode> <t> The end-entity certificate is displayed below in detail. For brevity, the other two certificates are not. </t><figure><artwork><![CDATA[<sourcecode type=""><![CDATA[ 0 1189: SEQUENCE { 4 909: SEQUENCE { 8 3: [0] { 10 1: INTEGER 2 : } 13 20: INTEGER 27AD394083D7F2B5B99B8670C775B2B96EE166E4 35 13: SEQUENCE { 37 9: OBJECT IDENTIFIER : sha256WithRSAEncryption (1 2 840 113549 1 1 11) 48 0: NULL : } 50 51: SEQUENCE { 52 49: SET { 54 47: SEQUENCE { 56 3: OBJECT IDENTIFIER commonName (2 5 4 3) 61 40: PrintableString : '3ACE2CEF4FB21B7D11E3E184EFC1E297B3778642' : } : } : } 103 30: SEQUENCE { 105 13: UTCTime 20/05/2021 16:05:45 GMT 120 13: UTCTime 16/03/2022 16:05:45 GMT : } 135 51: SEQUENCE { 137 49: SET { 139 47: SEQUENCE { 141 3: OBJECT IDENTIFIER commonName (2 5 4 3) 146 40: PrintableString : '914652A3BD51C144260198889F5C45ABF053A187' : } : } : } 188 290: SEQUENCE { 192 13: SEQUENCE { 194 9: OBJECT IDENTIFIER rsaEncryption : (1 2 840 113549 1 1 1) 205 0: NULL : } 207 271: BIT STRING, encapsulates { 212 266: SEQUENCE { 216 257: INTEGER : 00 B2 71 34 2B 39 BF EA 07 65 B7 8B 72 A2 F0 F8 : 40 FC 31 16 CA 28 B6 4E 01 A8 F6 98 02 C0 EF 65 : B0 84 48 E9 96 FF 93 E6 92 89 65 8F F6 44 9C CE : 57 10 82 D3 C2 57 0A FA DA 14 D0 64 22 28 C0 13 : 74 04 BD 1C 2B 4F F9 93 58 A6 25 D8 B9 A9 D3 37 : 9E F2 AC C0 CF 02 9E 84 75 D6 F0 7C A5 01 70 AE : E6 66 AF 9C 69 85 74 6F 13 E9 B3 B8 95 4B 82 ED : 95 D6 EA 66 05 7B 96 96 87 B2 9A E7 61 E9 65 89 : F8 60 E3 C0 F5 CE DD 18 97 05 E8 C1 AC E1 4D 5E : 16 85 2D ED 3C CB 80 CF 7E BF D2 FE D5 C9 38 19 : BB 43 34 29 B6 66 CF 2D 8B 46 7E 9A D8 BB 8E 65 : 88 51 6A A8 FF 78 51 E2 E9 21 27 D7 77 7E 80 28 : 6C EA 4C 50 9C 73 71 16 F6 5E 54 14 4D 4C 14 B9 : 67 A0 4A 20 AA DA 0B A0 A0 01 B7 42 24 38 51 8A : 78 2F C4 81 E6 81 75 62 DE E3 AF 5D 74 2F 6B 41 : FB 79 C3 A8 3A 72 6C 46 F9 A6 03 74 81 01 DF 8C : EB 477 3: INTEGER 65537 : } : } : } 482 431: [3] { 486 427: SEQUENCE { 490 29: SEQUENCE { 492 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14) 497 22: OCTET STRING, encapsulates { 499 20: OCTET STRING : 91 46 52 A3 BD 51 C1 44 26 01 98 88 9F 5C 45 AB : F0 53 A1 87 : } : } 521 31: SEQUENCE { 523 3: OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35) 528 24: OCTET STRING, encapsulates { 530 22: SEQUENCE { 532 20: [0] : 3A CE 2C EF 4F B2 1B 7D 11 E3 E1 84 EF C1 E2 97 : B3 77 86 42 : } : } : } 554 12: SEQUENCE { 556 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19) 561 1: BOOLEAN TRUE 564 2: OCTET STRING, encapsulates { 566 0: SEQUENCE {} : } : } 568 14: SEQUENCE { 570 3: OBJECT IDENTIFIER keyUsage (2 5 29 15) 575 1: BOOLEAN TRUE 578 4: OCTET STRING, encapsulates { 580 2: BIT STRING 7 unused bits : '1'B (bit 0) : } : } 584 24: SEQUENCE { 586 3: OBJECT IDENTIFIER certificatePolicies (2 5 29 32) 591 1: BOOLEAN TRUE 594 14: OCTET STRING, encapsulates { 596 12: SEQUENCE { 598 10: SEQUENCE { 600 8: OBJECT IDENTIFIER : resourceCertificatePolicy (1 3 6 1 5 5 7 14 2) : } : } : } : } 610 97: SEQUENCE { 612 3: OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31) 617 90: OCTET STRING, encapsulates { 619 88: SEQUENCE { 621 86: SEQUENCE { 623 84: [0] { 625 82: [0] { 627 80: [6] : 'rsync://rpki.example.net/repository/3ACE2CEF4F' : 'B21B7D11E3E184EFC1E297B3778642.crl' : } : } : } : } : } : } 709 108: SEQUENCE { 711 8: OBJECT IDENTIFIER authorityInfoAccess : (1 3 6 1 5 5 7 1 1) 721 96: OCTET STRING, encapsulates { 723 94: SEQUENCE { 725 92: SEQUENCE { 727 8: OBJECT IDENTIFIER caIssuers (1 3 6 1 5 5 7 48 2) 737 80: [6] : 'rsync://rpki.example.net/repository/3ACE2CEF4F' : 'B21B7D11E3E184EFC1E297B3778642.cer' : } : } : } : } 819 25: SEQUENCE { 821 8: OBJECT IDENTIFIER ipAddrBlocks (1 3 6 1 5 5 7 1 7) 831 1: BOOLEAN TRUE 834 10: OCTET STRING, encapsulates { 836 8: SEQUENCE { 838 6: SEQUENCE { 840 2: OCTET STRING 00 01 844 0: NULL : } : } : } : } 846 69: SEQUENCE { 848 8: OBJECT IDENTIFIER subjectInfoAccess : (1 3 6 1 5 5 7 1 11) 858 57: OCTET STRING, encapsulates { 860 55: SEQUENCE { 862 53: SEQUENCE { 864 8: OBJECT IDENTIFIER '1 3 6 1 5 5 7 48 13' 874 41: [6] : 'https://rrdp.example.net/notification.xml' : } : } : } : } : } : } : } 917 13: SEQUENCE { 919 9: OBJECT IDENTIFIER sha256WithRSAEncryption : (1 2 840 113549 1 1 11) 930 0: NULL : } 932 257: BIT STRING : 48 C2 F7 C8 15 A7 43 1B EE E8 8A 68 7C A5 3F 4E : 39 DE 6B 49 F8 09 0D D3 B7 EC 2B FA 86 C3 F7 BD : D0 32 6F ED CA 75 86 F8 E3 E2 EC B7 B2 07 FB 3C : 94 3B 70 A3 46 AE 0C 9B AB F9 44 D2 37 1E F8 04 : 60 56 36 E2 D8 1A F3 66 C5 80 9C 1F 38 E9 29 F0 : B2 4B 70 E9 C7 A7 6A 27 FA 03 0C 3A AB 4D 0D B2 : 90 1E A4 C0 5D D9 58 3F F6 C2 85 BC EC 09 15 53 : A0 35 CA A2 42 25 CF E6 B1 89 3D 60 5C 38 CB F9 : D9 AF FB 69 D8 DF 5F 0A 67 3A 28 E2 4C E8 0C 96 : 84 06 98 2D 93 3D 9A 72 75 92 A3 97 11 00 4D D1 : 44 42 CB 1A DF 7C 43 9E 5A 69 FB FA FD C6 E3 55 : 61 1B 51 70 2D FA A1 6A DA 54 0D E3 CC DE 85 EA : B0 C4 F2 BF 31 B3 7C A5 21 25 73 E8 97 82 43 86 : 11 63 06 CC B2 38 DC FE D8 89 2C CE D9 63 12 1E : E4 8A D8 CF 56 6D 37 A9 FF 48 4B 2C 24 0B 30 44 : 88 29 B3 61 21 0A DF C7 4B 6C 40 98 60 8E 86 05 : }]]></artwork></figure>]]></sourcecode> <t> To allow reproduction of the signature results, the end-entity private key is provided. For brevity, the other two private keys are not.</t><figure><artwork><![CDATA[<sourcecode type=""><![CDATA[ -----BEGIN RSA PRIVATE KEY----- MIIEpQIBAAKCAQEAsnE0Kzm/6gdlt4tyovD4QPwxFsootk4BqPaYAsDvZbCESOmW /5Pmkollj/ZEnM5XEILTwlcK+toU0GQiKMATdAS9HCtP+ZNYpiXYuanTN57yrMDP Ap6EddbwfKUBcK7mZq+caYV0bxPps7iVS4LtldbqZgV7lpaHsprnYellifhg48D1 zt0YlwXowazhTV4WhS3tPMuAz36/0v7VyTgZu0M0KbZmzy2LRn6a2LuOZYhRaqj/ eFHi6SEn13d+gChs6kxQnHNxFvZeVBRNTBS5Z6BKIKraC6CgAbdCJDhRingvxIHm gXVi3uOvXXQva0H7ecOoOnJsRvmmA3SBAd+M6wIDAQABAoIBAQCyB0FeMuKm8bRo 18aKjFGSPEoZi53srIz5bvUgIi92TBLez7ZnzL6Iym26oJ+5th+lCHGO/dqlhXio pI50C5Yc9TFbblb/ECOsuCuuqKFjZ8CD3GVsHozXKJeMM+/o5YZXQrORj6UnwT0z ol/JE5pIGUCIgsXX6tz9s5BP3lUAvVQHsv6+vEVKLxQ3wj/1vIL8O/CN036EV0GJ mpkwmygPjfECT9wbWo0yn3jxJb36+M/QjjUP28oNIVn/IKoPZRXnqchEbuuCJ651 IsaFSqtiThm4WZtvCH/IDq+6/dcMucmTjIRcYwW7fdHfjplllVPve9c/OmpWEQvF t3ArWUt5AoGBANs4764yHxo4mctLIE7G7l/tf9bP4KKUiYw4R4ByEocuqMC4yhmt MPCfOFLOQet71OWCkjP2L/7EKUe9yx7G5KmxAHY6jOjvcRkvGsl6lWFOsQ8p126M Y9hmGzMOjtsdhAiMmOWKzjvm4WqfMgghQe+PnjjSVkgTt+7BxpIuGBAvAoGBANBg 26FF5cDLpixOd3Za1YXsOgguwCaw3Plvi7vUZRpa/zBMELEtyOebfakkIRWNm07l nE+lAZwxm+29PTD0nqCFE91teyzjnQaLO5kkAdJiFuVV3icLOGo399FrnJbKensm FGSli+3KxQhCNIJJfgWzq4bE0ioAMjdGbYXzIYQFAoGBAM6tuDJ36KDU+hIS6wu6 O2TPSfZhF/zPo3pCWQ78/QDb+Zdw4IEiqoBA7F4NPVLg9Y/H8UTx9r/veqe7hPOo Ok7NpIzSmKTHkc5XfZ60Zn9OLFoKbaQ40a1kXoJdWEu2YROaUlAe9F6/Rog6PHYz vLE5qscRbu0XQhLkN+z7bg5bAoGBAKDsbDEb/dbqbyaAYpmwhH2sdRSkphg7Niwc DNm9qWa1J6Zw1+M87I6Q8naRREuU1IAVqqWHVLr/ROBQ6NTJ1Uc5/qFeT2XXUgkf taMKv61tuyjZK3sTmznMh0HfzUpWjEhWnCEuB+ZYVdmO52ZGw2A75RdrILL2+9Dc PvDXVubRAoGAdqXeSWoLxuzZXzl8rsaKrQsTYaXnOWaZieU1SL5vVe8nK257UDqZ E3ng2j5XPTUWli+aNGFEJGRoNtcQvO60O/sFZUhu52sqq9mWVYZNh1TB5aP8X+pV iFcZOLUvQEcN6PA+YQK5FU11rAI1M0Gm5RDnVnUl0L2xfCYxb7FzV6Y= -----END RSA PRIVATE KEY-----]]></artwork></figure>]]></sourcecode> <t> Signing of "192.0.2.0/24,US,WA,Seattle," (terminated by CR andLF),LF) yields the following detached CMS signature.</t><figure><artwork><![CDATA[<sourcecode type=""><![CDATA[ # RPKI Signature: 192.0.2.0 - 192.0.2.255 # MIIGjwYJKoZIhvcNAQcCoIIGgDCCBnwCAQMxDTALBglghkgBZQMEAgEwDQYLKoZ # IhvcNAQkQAS+gggSpMIIEpTCCA42gAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZu # QwDQYJKoZIhvcNAQELBQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExR # TNFMTg0RUZDMUUyOTdCMzc3ODY0MjAeFw0yMTA1MjAxNjA1NDVaFw0yMjAzMTYx # NjA1NDVaMDMxMTAvBgNVBAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM # 0NUFCRjA1M0ExODcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycT # QrOb/qB2W3i3Ki8PhA/DEWyii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQg # tPCVwr62hTQZCIowBN0BL0cK0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZm # r5xphXRvE+mzuJVLgu2V1upmBXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXha # FLe08y4DPfr/S/tXJOBm7QzQptmbPLYtGfprYu45liFFqqP94UeLpISfXd36AKG # zqTFCcc3EW9l5UFE1MFLlnoEogqtoLoKABt0IkOFGKeC/EgeaBdWLe469ddC9rQ # ft5w6g6cmxG+aYDdIEB34zrAgMBAAGjggGvMIIBqzAdBgNVHQ4EFgQUkUZSo71R # wUQmAZiIn1xFq/BToYcwHwYDVR0jBBgwFoAUOs4s70+yG30R4+GE78Hil7N3hkI # wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwGAYDVR0gAQH/BA4wDDAKBg # grBgEFBQcOAjBhBgNVHR8EWjBYMFagVKBShlByc3luYzovL3Jwa2kuZXhhbXBsZ # S5uZXQvcmVwb3NpdG9yeS8zQUNFMkNFRjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5 # N0IzNzc4NjQyLmNybDBsBggrBgEFBQcBAQRgMF4wXAYIKwYBBQUHMAKGUHJzeW5 # jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5LzNBQ0UyQ0VGNEZCMjFCN0 # QxMUUzRTE4NEVGQzFFMjk3QjM3Nzg2NDIuY2VyMBkGCCsGAQUFBwEHAQH/BAowC # DAGBAIAAQUAMEUGCCsGAQUFBwELBDkwNzA1BggrBgEFBQcwDYYpaHR0cHM6Ly9y # cmRwLmV4YW1wbGUubmV0L25vdGlmaWNhdGlvbi54bWwwDQYJKoZIhvcNAQELBQA # DggEBAEjC98gVp0Mb7uiKaHylP0453mtJ+AkN07fsK/qGw/e90DJv7cp1hvjj4u # y3sgf7PJQ7cKNGrgybq/lE0jce+ARgVjbi2BrzZsWAnB846Snwsktw6cenaif6A # ww6q00NspAepMBd2Vg/9sKFvOwJFVOgNcqiQiXP5rGJPWBcOMv52a/7adjfXwpn # OijiTOgMloQGmC2TPZpydZKjlxEATdFEQssa33xDnlpp+/r9xuNVYRtRcC36oWr # aVA3jzN6F6rDE8r8xs3ylISVz6JeCQ4YRYwbMsjjc/tiJLM7ZYxIe5IrYz1ZtN6 # n/SEssJAswRIgps2EhCt/HS2xAmGCOhgUxggGqMIIBpgIBA4AUkUZSo71RwUQmA # ZiIn1xFq/BToYcwCwYJYIZIAWUDBAIBoGswGgYJKoZIhvcNAQkDMQ0GCyqGSIb3 # DQEJEAEvMBwGCSqGSIb3DQEJBTEPFw0yMTA1MjAxNjI4MzlaMC8GCSqGSIb3DQE # JBDEiBCAr4vKeUvHJINsE0YQwUMxoo48qrOU+iPuFbQR8qX3BFjANBgkqhkiG9w # 0BAQEFAASCAQB85HsCBrU3EcVOcf4nC6Z3jrOjT+fVlyTDAObF6GTNWgrxe7jSA # Inyf51UzuIGqhVY3sQiiXbdWcVYtPb4118KvyeXh8A/HLp4eeAJntl9D3igt38M # o84q5pf9pTQXx3hbsm51ilpOip/TKVMqzE42s6OPox3M0+6eKH3/vBKnw1s1ayM # 0MUnPDTBfZL3JJEGPWfIZHEcrypevbqR7Jjsz5vp0qyF2D9v+w+nyhZOPmuePm7 # YqLyOw/E99PVBs9uI+hmBiCz/BK2Z3VRjrrlrUU+49eldSTkZ2sJyhCbbV2Ufgi # S2FOquAgJzjilyN3BDQLV8Rp9cGh0PpVslKH2na # End Signature: 192.0.2.0 - 192.0.2.255]]></artwork></figure>]]></sourcecode> </section> <section anchor="ack" numbered="false" toc="default"> <name>Acknowledgments</name> <t> Thanks to <contact fullname="Rob Austein"/> for CMS and detached signature clue, <contact fullname="George Michaelson"/> for the first and substantial external review, and <contact fullname="Erik Kline"/> who was too shy to agree to coauthorship. Additionally, we express our gratitude to early implementors, including <contact fullname="Menno Schepers"/>; <contact fullname="Flavio Luciani"/>; <contact fullname="Eric Dugas"/>; <contact fullname="Job Snijders"/>, who provided running code; and <contact fullname="Kevin Pack"/>. Also, thanks to the following geolocation providers who are consuming geofeeds with this described solution: <contact fullname="Jonathan Kosgei"/> (ipdata.co), <contact fullname="Ben Dowling"/> (ipinfo.io), and <contact fullname="Pol Nisenblat"/> (bigdatacloud.com). For an amazing number of helpful reviews, we thank <contact fullname="Adrian Farrel"/>, <contact fullname="Antonio Prado"/>, <contact fullname="Francesca Palombini"/>, <contact fullname="Jean-Michel Combes"/> (INTDIR), <contact fullname="John Scudder"/>, <contact fullname="Kyle Rose"/> (SECDIR), <contact fullname="Martin Duke"/>, <contact fullname="Murray Kucherawy"/>, <contact fullname="Paul Kyzivat"/> (GENART), <contact fullname="Rob Wilton"/>, and <contact fullname="Roman Danyliw"/>. The authors also thank <contact fullname="George Michaelson"/>, the awesome document shepherd. </t> </section> </back> </rfc>