rfc9632xml2.original.xml   rfc9632.xml 
<?xml version="1.0" encoding="US-ASCII"?> <?xml version='1.0' encoding='UTF-8'?>
<?rfc sortrefs="yes"?> <!DOCTYPE rfc [
<?rfc subcompact="no"?> <!ENTITY nbsp "&#160;">
<?rfc symrefs="yes"?> <!ENTITY zwsp "&#8203;">
<?rfc toc="yes"?> <!ENTITY nbhy "&#8209;">
<?rfc tocdepth="3"?> <!ENTITY wj "&#8288;">
<?rfc compact="yes"?> ]>
<?rfc subcompact="no"?>
<rfc category="std" docName="draft-ietf-opsawg-9092-update-11" <rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="std" docName="draft-ie
submissionType="IETF" consensus="true" ipr="trust200902" tf-opsawg-9092-update-11" number="9632" submissionType="IETF" consensus="true" i
obsoletes="9092" version="2" > pr="trust200902" obsoletes="9092" updates="" version="3" sortRefs="true" symRefs
="true" tocInclude="true" tocDepth="3" xml:lang="en">
<front> <front>
<title abbrev="Finding and Using Geofeed Data">Finding and Using Geofeed Dat a</title> <title abbrev="Finding and Using Geofeed Data">Finding and Using Geofeed Dat a</title>
<seriesInfo name="RFC" value="9632"/>
<author fullname="Randy Bush" initials="R." surname="Bush"> <author fullname="Randy Bush" initials="R." surname="Bush">
<organization>IIJ Research &amp; Arrcus</organization> <organization>IIJ Research &amp; Arrcus</organization>
<address> <address>
<postal> <postal>
<street>5147 Crystal Springs</street> <street>5147 Crystal Springs</street>
<city>Bainbridge Island</city> <city>Bainbridge Island</city>
<region>Washington</region> <region>Washington</region>
<code>98110</code> <code>98110</code>
<country>United States of America</country> <country>United States of America</country>
</postal> </postal>
skipping to change at line 59 skipping to change at line 53
<postal> <postal>
<street>1600 Amphitheatre Parkway</street> <street>1600 Amphitheatre Parkway</street>
<city>Mountain View</city> <city>Mountain View</city>
<region>CA</region> <region>CA</region>
<code>94043</code> <code>94043</code>
<country>United States of America</country> <country>United States of America</country>
</postal> </postal>
<email>warren@kumari.net</email> <email>warren@kumari.net</email>
</address> </address>
</author> </author>
<author fullname="Russ Housley" initials="R" surname="Housley"> <author fullname="Russ Housley" initials="R" surname="Housley">
<organization abbrev="Vigil Security">Vigil Security, LLC</organization> <organization abbrev="Vigil Security">Vigil Security, LLC</organization>
<address> <address>
<postal> <postal>
<street>516 Dranesville Road</street> <street>516 Dranesville Road</street>
<city>Herndon</city> <city>Herndon</city>
<region>VA</region> <region>VA</region>
<code>20170</code> <code>20170</code>
<country>United States of America</country> <country>United States of America</country>
</postal> </postal>
<email>housley@vigilsec.com</email> <email>housley@vigilsec.com</email>
</address> </address>
</author> </author>
<date month="July" year="2024"/>
<date /> <area>OPS</area>
<workgroup>opsawg</workgroup>
<keyword>geolocation</keyword> <keyword>geolocation</keyword>
<keyword>geo-location</keyword> <keyword>geo-location</keyword>
<keyword>RPSL</keyword> <keyword>RPSL</keyword>
<keyword>inetnum</keyword> <keyword>inetnum</keyword>
<abstract> <abstract>
<t> <t>
This document specifies how to augment the Routing Policy This document specifies how to augment the Routing Policy
Specification Language inetnum: class to refer specifically to Specification Language (RPSL) inetnum: class to refer specifically to
geofeed comma-separated values (CSV) data files and describes an geofeed comma-separated values (CSV) data files and describes an
optional scheme that uses the Resource Public Key Infrastructure optional scheme that uses the Resource Public Key Infrastructure (RPKI)
to authenticate the geofeed data files. This document obsoletes to authenticate the geofeed data files. This document obsoletes
RFC 9092. RFC 9092.
</t> </t>
</abstract> </abstract>
</front> </front>
<middle> <middle>
<section anchor="intro" numbered="true" toc="default"> <section anchor="intro" numbered="true" toc="default">
<name>Introduction</name> <name>Introduction</name>
<t> <t>
Providers of Internet content and other services may wish to Providers of Internet content and other services may wish to customize
customize those services based on the geographic location of the those services based on the geographic location of the user of the
user of the service. This is often done using the source IP service. This is often done using the source IP address used to
address used to contact the service, which may not point to a contact the service, which may not point to a user; see <xref
user, see <xref target ="RFC6269"/>, Section 14 in particular. target="RFC6269" sectionFormat="of" section="14"/> in particular.
Also, infrastructure and other services might wish to publish Also, administrators of infrastructure and other services might wish
the locale of their services. <xref target="RFC8805" to publish the locale of said infrastructure or services.
format="default"/> defines geofeed, a syntax to associate infrastructure and other services might wish to publish the locale of
geographic locales with IP addresses, but it does not specify their services. <xref target="RFC8805" format="default"/> defines
how to find the relevant geofeed data given an IP address. geofeed, a syntax to associate geographic locales with IP addresses,
but it does not specify how to find the relevant geofeed data given an
IP address.
</t> </t>
<t> <t>
This document specifies how to augment the Routing Policy This document specifies how to augment the Routing Policy
Specification Language (RPSL) <xref target="RFC2725" Specification Language (RPSL) <xref target="RFC2725"
format="default"/> inetnum: class to refer specifically to format="default"/> inetnum: class to refer specifically to geofeed
geofeed data files and how to prudently use them. In all places data files and how to prudently use them. In all places inetnum: is
inetnum: is used, inet6num: should also be assumed <xref used, inet6num: should also be assumed <xref target="RFC4012"
target="RFC4012" format="default"/>. format="default"/>.
</t> </t>
<t> <t>
The reader may find <xref target="INETNUM" format="default"/> The reader may find <xref target="INETNUM" format="default"/>
and <xref target="INET6NUM" format="default"/> informative, and and <xref target="INET6NUM" format="default"/> informative, and
certainly more verbose, descriptions of the inetnum: database certainly more verbose, descriptions of the inetnum: database
classes. classes.
</t> </t>
<t> <t>
An optional utterly awesome but slightly complex means for An optional utterly awesome but slightly complex means for
authenticating geofeed data is also defined in <xref authenticating geofeed data is also defined in <xref target="auth"/>.
target="auth"/>.
</t> </t>
<t>
This document obsoletes <xref target="RFC9092"/>. Changes from <t>This document obsoletes <xref target="RFC9092"/>. Changes from <xref
<xref target="RFC9092"/> include the following: target="RFC9092"/> include the following:
<ul spacing="compact"> </t>
<li> <ul spacing="normal">
<li>
RIPE has implemented the geofeed: attribute. RIPE has implemented the geofeed: attribute.
</li> </li>
<li> <li>
Allow, but discourage, an inetnum: to have both a geofeed This document allows, but discourages, an inetnum: to have both a ge
ofeed
remarks: attribute and a geofeed: attribute. remarks: attribute and a geofeed: attribute.
</li> </li>
<li> <li>
Rewrite Authentication <xref target="auth"/> to be more The Authentication section (<xref target="auth"/>) has been rewritten
to be more
formal. formal.
</li> </li>
<li> <li>
Geofeed file only UTF-8 CSV. Geofeed files are only UTF-8 CSV.
</li> </li>
<li> <li>
Stress that authenticating geofeed data is optional. This document stresses that authenticating geofeed data is optional.
</li> </li>
<li> <li>
IP Address Delegation extensions must not use "inherit". IP Address Delegation extensions must not use "inherit".
</li> </li>
<li> <li>
If geofeed data are present, ignore geographic location If geofeed data are present, geographic location
hints in other data. hints in other data should be ignored.
</li> </li>
</ul> </ul>
</t>
<section numbered="true" toc="default"> <section numbered="true" toc="default">
<name>Requirements Language</name> <name>Requirements Language</name>
<t> <t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>
"MAY", and "OPTIONAL" in this document are to be interpreted as ",
described in BCP 14 <xref format="default" pageno="false" "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>",
target="RFC2119"/> <xref format="default" pageno="false" "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
target="RFC8174"/> when, and only when, they appear in all "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to
capitals, as shown here. be
interpreted as described in BCP&nbsp;14 <xref target="RFC2119"/> <xref
target="RFC8174"/> when, and only when, they appear in all capitals, as
shown here.
</t> </t>
</section> </section>
</section> </section>
<section anchor="gf" numbered="true" toc="default"> <section anchor="gf" numbered="true" toc="default">
<name>Geofeed Files</name> <name>Geofeed Files</name>
<t> <t>
Geofeed files are described in <xref target="RFC8805" Geofeed files are described in <xref target="RFC8805" format="default"/>
format="default"/>. They provide a facility for an IP address . They provide a facility for an IP address
resource "owner" to associate those IP addresses to geographic resource "owner" to associate those IP addresses to geographic
locales. locales.
</t> </t>
<t> <t>
Per <xref target="RFC8805"/>, geofeed files consist of CSVs Per <xref target="RFC8805"/>, geofeed files consist of comma-separated
(Comma Separated Values) in UTF-8 text format; not HTML, values (CSV) in UTF-8 text format, not HTML, richtext, or other
richtext, or other formats. formats.
</t> </t>
<t> <t>
Content providers and other parties who wish to locate an IP Content providers and other parties who wish to locate an IP
address to a geographic locale need to find the relevant geofeed address to a geographic locale need to find the relevant geofeed
data. In <xref target="inetnum" format="default"/>, this data. In <xref target="inetnum" format="default"/>, this
document specifies how to find the relevant geofeed <xref document specifies how to find the relevant geofeed <xref target="RFC880
target="RFC8805" format="default"/> file given an IP address. 5" format="default"/> file given an IP address.
</t> </t>
<t> <t>
Geofeed data for large providers with significant horizontal Geofeed data for large providers with significant horizontal
scale and high granularity can be quite large. The size of a scale and high granularity can be quite large. The size of a
file can be even larger if an unsigned geofeed file combines file can be even larger if an unsigned geofeed file combines
data for many prefixes, if dual IPv4/IPv6 spaces are data for many prefixes, if dual IPv4/IPv6 spaces are
represented, etc. represented, etc.
</t> </t>
<t> <t>
Geofeed data do have privacy considerations (see <xref Geofeed data do have privacy considerations (see <xref target="privacy"
target="privacy" format="default"/>); this process makes bulk format="default"/>); this process makes bulk
access to those data easier. access to those data easier.
</t> </t>
<t> <t>
This document also suggests an optional signature to strongly This document also suggests an optional signature to strongly
authenticate the data in the geofeed files. authenticate the data in the geofeed files.
</t> </t>
</section> </section>
<section anchor="inetnum" numbered="true" toc="default"> <section anchor="inetnum" numbered="true" toc="default">
<name>inetnum: Class</name> <name>inetnum: Class</name>
<t> <t>
The original RPSL specifications starting with <xref The original RPSL specifications starting with <xref target="RIPE81"
target="RIPE81" format="default"/>, <xref target="RIPE181" format="default"/>, <xref target="RIPE181" format="default"/>, and a
format="default"/>, and a trail of subsequent documents were trail of subsequent documents were written by the RIPE community. The
written by the RIPE community. The IETF standardized RPSL in IETF standardized RPSL in <xref target="RFC2622"
<xref target="RFC2622" format="default"/> and <xref format="default"/> and <xref target="RFC4012" format="default"/>.
target="RFC4012" format="default"/>. Since then, it has been Since then, it has been modified and extensively enhanced in the
modified and extensively enhanced in the Regional Internet Regional Internet Registry (RIR) community, mostly by RIPE <xref
Registry (RIR) community, mostly by RIPE <xref target="RIPE-DB" target="RIPE-DB" format="default"/>. At the time of publishing this
format="default"/>. At the time of publishing this document, document, change control of the RPSL effectively lies in the operator
change control of RPSL effectively lies in the operator
community. community.
</t> </t>
<t> <t>
The RPSL, and <xref target="RFC2725" format="default"/> and The inetnum: database class is specified by the RPSL, as well as
<xref target="RFC4012" format="default"/> used by the Regional Routing Policy System Security <xref target="RFC2725" format="default"/> and R
Internet Registries (RIRs), specify the inetnum: database class. PSLng <xref target="RFC4012" format="default"/>,
Each of these objects describes an IP address range and its which are used by the Regional Internet Registries (RIRs).
attributes. The inetnum: objects form a hierarchy ordered on Each of these
the address space. objects describes an IP address range and its attributes. The
</t> inetnum: objects form a hierarchy ordered on the address space. </t>
<t> Ideally, the RPSL would be augmented to define a new RPSL geofeed:
<t>
Ideally, RPSL would be augmented to define a new RPSL geofeed:
attribute in the inetnum: class. Absent implementation of the attribute in the inetnum: class. Absent implementation of the
geofeed: attribute in a particular RIR database, this document geofeed: attribute in a particular RIR database, this document defines
defines the syntax of a Geofeed remarks: attribute, which the syntax of a Geofeed remarks: attribute, which contains an HTTPS
contains an HTTPS URL of a geofeed file. The format of the URL of a geofeed file. The format of the inetnum: geofeed remarks:
inetnum: geofeed remarks: attribute MUST be as in this example, attribute <bcp14>MUST</bcp14> be as in this example, "remarks: Geofeed
"remarks: Geofeed ", where the token "Geofeed " MUST be case ", where the token "Geofeed " <bcp14>MUST</bcp14> be case sensitive,
sensitive, followed by a URL that will vary, but it MUST refer followed by a URL that will vary, but it <bcp14>MUST</bcp14> refer
only to a single geofeed <xref target="RFC8805" only to a single geofeed <xref target="RFC8805" format="default"/>
format="default"/> file. file.
</t> </t>
<sourcecode type="rpsl"><![CDATA[
<sourcecode type="rpsl"> <![CDATA[
inetnum: 192.0.2.0/24 # example inetnum: 192.0.2.0/24 # example
remarks: Geofeed https://example.com/geofeed remarks: Geofeed https://example.com/geofeed
]]></sourcecode> ]]></sourcecode>
<t> <t>
While we leave global agreement of RPSL modification to the While we leave global agreement of RPSL modification to the relevant
relevant parties, we specify that a proper geofeed: attribute in parties, we specify that a proper geofeed: attribute in the inetnum:
the inetnum: class MUST be "geofeed:" and class <bcp14>MUST</bcp14> be "geofeed:" and <bcp14>MUST</bcp14>
MUST be followed by a single URL that will vary, be followed by a single URL that will vary, but it <bcp14>MUST</bcp14>
but it MUST refer only to a single geofeed <xref refer only to a single geofeed <xref target="RFC8805"
target="RFC8805" format="default"/> file. format="default"/> file.
</t> </t>
<sourcecode type="rpsl"><![CDATA[ <sourcecode type="rpsl"><![CDATA[
inetnum: 192.0.2.0/24 # example inetnum: 192.0.2.0/24 # example
geofeed: https://example.com/geofeed geofeed: https://example.com/geofeed
]]></sourcecode> ]]></sourcecode>
<t> <t>
The URL uses HTTPS, so the WebPKI provides authentication, The URL uses HTTPS, so the WebPKI provides authentication,
integrity, and confidentiality for the fetched geofeed file. integrity, and confidentiality for the fetched geofeed file.
However, the WebPKI can not provide authentication of IP address However, the WebPKI cannot provide authentication of IP address
space assignment. In contrast, the RPKI (see <xref space assignment. In contrast, the RPKI (see <xref target="RFC6481" for
target="RFC6481" format="default"/>) can be used to authenticate mat="default"/>) can be used to authenticate
IP space assignment; see optional authentication in <xref IP space assignment; see optional authentication in <xref target="auth"
target="auth" format="default"/>. format="default"/>.
</t> </t>
<t> <t>
Until all producers of inetnum: objects, i.e., the RIRs, state Until all producers of inetnum: objects, i.e., the RIRs, state
that they have migrated to supporting a geofeed: attribute, that they have migrated to supporting a geofeed: attribute,
consumers looking at inetnum: objects to find geofeed URLs MUST consumers looking at inetnum: objects to find geofeed URLs <bcp14>MUST</ bcp14>
be able to consume both the remarks: and geofeed: forms. be able to consume both the remarks: and geofeed: forms.
</t> </t>
<t> <t>
The migration not only implies that the RIRs support the The migration not only implies that the RIRs support the
geofeed: attribute, but that all registrants have migrated any geofeed: attribute, but that all registrants have migrated any
inetnum: objects from remarks: to geofeed: attributes. inetnum: objects from remarks: to geofeed: attributes.
</t> </t>
<t> <t>
Any particular inetnum: object SHOULD have, at most, one geofeed Any particular inetnum: object <bcp14>SHOULD</bcp14> have, at most, one geofeed
reference, whether a remarks: or a proper geofeed: attribute reference, whether a remarks: or a proper geofeed: attribute
when it is implemented. As the remarks: form can not be when it is implemented. As the remarks: form cannot be
formally checked by the RIR, this can not be formally enforced. formally checked by the RIR, this cannot be formally enforced.
A geofeed: attribute is preferred, of course, if the RIR A geofeed: attribute is preferred, of course, if the RIR
supports it. If there is more than one type of attribute in the supports it. If there is more than one type of attribute in the
intetnum: object, the geofeed: attribute MUST be used. intetnum: object, the geofeed: attribute <bcp14>MUST</bcp14> be used.
</t> </t>
<t> <t>
For inetnum:s covering the same address range, a signed geofeed For inetnum: objects covering the same address range, a signed geofeed
file MUST be preferred over an unsigned file. If none are file <bcp14>MUST</bcp14> be preferred over an unsigned file. If none are
signed, or more than one is signed, the (signed) inetnum: with signed, or more than one is signed, the (signed) inetnum: with
the most recent last-modified: attribute MUST be preferred. the most recent last-modified: attribute <bcp14>MUST</bcp14> be preferred .
</t> </t>
<t> <t>
If a geofeed file describes multiple disjoint ranges of IP If a geofeed file describes multiple disjoint ranges of IP
address space, there are likely to be geofeed references from address space, there are likely to be geofeed references from
multiple inetnum: objects. Files with geofeed references from multiple inetnum: objects. Files with geofeed references from
multiple inetnum: objects are not compatible with the signing multiple inetnum: objects are not compatible with the signing
procedure in <xref target="auth" format="default"/>. procedure in <xref target="auth" format="default"/>.
</t> </t>
<t> <t>
An unsigned, and only an unsigned, geofeed file MAY be An unsigned, and only an unsigned, geofeed file <bcp14>MAY</bcp14> be
referenced by multiple inetnum:s and MAY contain prefixes from referenced by multiple inetnum: objects and <bcp14>MAY</bcp14> contain p
refixes from
more than one registry. more than one registry.
</t> </t>
<t> <t>
When fetching, the most specific inetnum: object with a geofeed When fetching, the most specific inetnum: object with a geofeed
reference MUST be used. reference <bcp14>MUST</bcp14> be used.
</t> </t>
<t> <t>
It is significant that geofeed data may have finer granularity It is significant that geofeed data may have finer granularity
than the inetnum: that refers to them. For example, an INETNUM than the inetnum: that refers to them. For example, an INETNUM
object for an address range P could refer to a geofeed file in object for an address range P could refer to a geofeed file in
which P has been subdivided into one or more longer prefixes. which P has been subdivided into one or more longer prefixes.
</t> </t>
</section> </section>
<section anchor="fetch" numbered="true" toc="default"> <section anchor="fetch" numbered="true" toc="default">
<name>Fetching Geofeed Data</name> <name>Fetching Geofeed Data</name>
<t> <t>
This document is to provides a guideline for how interested This document provides a guideline for how interested
parties should fetch and read geofeed files. parties should fetch and read geofeed files.
</t> </t>
<t> <t>
Historically, before <xref target="RFC9092"/>, this was done in Historically, before <xref target="RFC9092"/>, this was done in
varied ways, at the discretion of the implementer, often without varied ways, at the discretion of the implementor, often without
consistent authentication, where data were mostly imported from consistent authentication, where data were mostly imported from
email without formal authorisation or validation. email without formal authorization or validation.
</t> </t>
<t> <t>
To minimize the load on RIRs' WHOIS <xref target="RFC3912"/> To minimize the load on RIRs' WHOIS <xref target="RFC3912"/>
services, the RIR's FTP <xref target="RFC0959"/> services SHOULD services, the RIR's FTP <xref target="RFC0959"/> services <bcp14>SHOULD<
be used for large-scale access to gather inetnum:s with geofeed /bcp14>
be used for large-scale access to gather inetnum: objects with geofeed
references. This uses efficient bulk access instead of fetching references. This uses efficient bulk access instead of fetching
via brute-force search through the IP space. via brute-force search through the IP space.
</t> </t>
<t> <t>
When reading data from an unsigned geofeed file, one MUST ignore When reading data from an unsigned geofeed file, one <bcp14>MUST</bcp14> ignore
data outside the referring inetnum: object's address range. data outside the referring inetnum: object's address range.
This is to avoid importing data about ranges not under the This is to avoid importing data about ranges not under the
control of the operator. Note that signed files MUST only control of the operator. Note that signed files <bcp14>MUST</bcp14> onl y
contain prefixes within the referring inetnum:'s range as contain prefixes within the referring inetnum:'s range as
mandated in <xref target="auth"/>. mandated in <xref target="auth"/>.
</t> </t>
<t> <t>
If geofeed files are fetched, other location information from If geofeed files are fetched, other location information from
the inetnum: MUST be ignored. the inetnum: <bcp14>MUST</bcp14> be ignored.
</t> </t>
<t> <t>
Given an address range of interest, the most specific inetnum: Given an address range of interest, the most specific inetnum:
object with a geofeed reference MUST be used to fetch the object with a geofeed reference <bcp14>MUST</bcp14> be used to fetch the
geofeed file. For example, if the fetching party finds geofeed file. For example, if the fetching party finds
the following inetnum: objects: the following inetnum: objects:
<sourcecode type="rpsl"> <![CDATA[ </t>
<sourcecode type="rpsl"><![CDATA[
inetnum: 192.0.0.0/22 # example inetnum: 192.0.0.0/22 # example
remarks: Geofeed https://example.com/geofeed_1 remarks: Geofeed https://example.com/geofeed_1
inetnum: 192.0.2.0/24 # example inetnum: 192.0.2.0/24 # example
remarks: Geofeed https://example.com/geofeed_2 remarks: Geofeed https://example.com/geofeed_2
]]></sourcecode> ]]></sourcecode>
An application looking for geofeed data for 192.0.2.0/29, MUST <t>
An application looking for geofeed data for 192.0.2.0/29 <bcp14>MUST</b
cp14>
ignore data in geofeed_1 because 192.0.2.0/29 is within the ignore data in geofeed_1 because 192.0.2.0/29 is within the
more specific 192.0.2.0/24 inetnum: covering that address range more specific 192.0.2.0/24 inetnum: covering that address range
and that inetnum: does have a geofeed reference. and that inetnum: does have a geofeed reference.
</t> </t>
<t> <t>
Hints in inetnum:s such as country:, geoloc:, etc. tend to be Hints in inetnum: objects such as country:, geoloc:, etc. tend to be
administrative, and not deployment specific. Consider large, administrative, and not deployment specific. Consider large,
possibly global, providers with headquarters very far from most possibly global, providers with headquarters very far from most
of their deployments. Therefore, if geofeed data are specified, of their deployments. Therefore, if geofeed data are specified,
either as a geofeed: attribute or in a geofeed remarks: either as a geofeed: attribute or in a geofeed remarks:
attribute, other geographic hints such as country:, geoloc:, DNS attribute, other geographic hints such as country:, geoloc:, DNS
geoloc RRsets, etc., for that address range MUST be ignored. geoloc RRsets, etc., for that address range <bcp14>MUST</bcp14> be ignor ed.
</t> </t>
<t> <t>
There is open-source code to traverse the RPSL data across all There is open-source code to traverse the RPSL data across all of the
of the RIRs, collect all geofeed references, and process them RIRs, collect all geofeed references, and process them <xref
<xref target="GEOFEED-FINDER"/>. It implements the steps above target="GEOFEED-FINDER"/>. It implements the steps above and of all
and of all the Operational Considerations described in <xref the Operational Considerations described in <xref target="ops"/>,
target="ops"/>, including caching. It produces a single geofeed including caching. It produces a single geofeed file, merging all the
file, merging all the geofeed files found. This open-source geofeed files found. This open-source code can be run daily by a
code can be run daily by a cronjob, and the output file can be cron job, and the output file can be directly used.
directly used.
</t> </t>
<t> <t>
RIRs are converging on RDAP support which includes geofeed data, RIRs are converging on Registration Data Access Protocol (RDAP)
see <xref target="I-D.ietf-regext-rdap-geofeed"/>. This SHOULD support, which includes geofeed data; see <xref
NOT be used for bulk retrieval of geofeed data. target="I-D.ietf-regext-rdap-geofeed"/>. This <bcp14>SHOULD
NOT</bcp14> be used for bulk retrieval of geofeed data.
</t> </t>
</section> </section>
<section anchor="auth" numbered="true" toc="default"> <section anchor="auth" numbered="true" toc="default">
<name>Authenticating Geofeed Data (Optional)</name> <name>Authenticating Geofeed Data (Optional)</name>
<t> <t>
The question arises whether a particular geofeed <xref The question arises whether a particular geofeed <xref
target="RFC8805"/> data set is valid, i.e., is authorized by the target="RFC8805"/> data set is valid, i.e., is authorized by the
"owner" of the IP address space and is authoritative in some "owner" of the IP address space and is authoritative in some sense.
sense. The inetnum: that points to the geofeed <xref The inetnum: that points to the geofeed <xref target="RFC8805"/> file
target="RFC8805"/> file provides some assurance. Unfortunately, provides some assurance. Unfortunately, the RPSL in some repositories
the RPSL in some repositories is weakly authenticated at best. is weakly authenticated at best. An approach where the RPSL was
An approach where RPSL was signed per <xref target="RFC7909"/> signed per <xref target="RFC7909"/> would be good, except it would
would be good, except it would have to be deployed by all RPSL have to be deployed by all RPSL registries, and there is a fair number
registries, and there is a fair number of them. of them.
</t> </t>
<t> <t>
The remainder of this section specifies an optional The remainder of this section specifies an optional
authenticator for the geofeed data set that follows the Signed authenticator for the geofeed data set that follows "Signed
Object Template for the Resource Public Key Infrastructure Object Template for the Resource Public Key Infrastructure
(RPKI) <xref target="RFC6488"/>. (RPKI)" <xref target="RFC6488"/>.
</t> </t>
<t> <t>
A single optional authenticator MAY be appended to a geofeed A single optional authenticator <bcp14>MAY</bcp14> be appended to a geofe ed
<xref target="RFC8805"/> file. It is a digest of the main body <xref target="RFC8805"/> file. It is a digest of the main body
of the file signed by the private key of the relevant RPKI of the file signed by the private key of the relevant RPKI
certificate for a covering address range. The following format certificate for a covering address range. The following format
bundles the relevant RPKI certificate with a signature over the bundles the relevant RPKI certificate with a signature over the
geofeed text. geofeed text.
</t> </t>
<t> <t>
The canonicalization procedure converts the data from their The canonicalization procedure converts the data from their
internal character representation to the UTF-8 <xref internal character representation to the UTF-8 <xref target="RFC3629"/> c
target="RFC3629"/> character encoding, and the &lt;CRLF&gt; haracter encoding, and the &lt;CRLF&gt;
sequence MUST be used to denote the end of each line of text. A sequence <bcp14>MUST</bcp14> be used to denote the end of each line of te
xt. A
blank line is represented solely by the &lt;CRLF&gt; sequence. blank line is represented solely by the &lt;CRLF&gt; sequence.
For robustness, any non-printable characters MUST NOT be changed For robustness, any non-printable characters <bcp14>MUST NOT</bcp14> be c
by canonicalization. Trailing blank lines MUST NOT appear at hanged
by canonicalization. Trailing blank lines <bcp14>MUST NOT</bcp14> appear
at
the end of the file. That is, the file must not end with the end of the file. That is, the file must not end with
multiple consecutive &lt;CRLF&gt; sequences. Any end-of-file multiple consecutive &lt;CRLF&gt; sequences. Any end-of-file
marker used by an operating system is not considered to be part marker used by an operating system is not considered to be part
of the file content. When present, such end-of-file markers of the file content. When present, such end-of-file markers
MUST NOT be covered by the digital signature. <bcp14>MUST NOT</bcp14> be covered by the digital signature.
</t> </t>
<t> <t>
If the authenticator is not in the canonical form described above, If the authenticator is not in the canonical form described above,
then, the authenticator is invalid. then the authenticator is invalid.
</t> </t>
<t> <t>
Borrowing detached signatures from <xref target="RFC5485"/>, Borrowing detached signatures from <xref target="RFC5485"/>, after
after file canonicalization, the Cryptographic Message Syntax file canonicalization, the Cryptographic Message Syntax (CMS) <xref
(CMS) <xref target="RFC5652"/> is used to create a detached target="RFC5652"/> is used to create a detached DER-encoded signature
DER-encoded signature that is then Base64 encoded with padding that is then Base64 encoded with padding (as defined in <xref
(as defined in Section 4 of <xref target="RFC4648"/>) and line target="RFC4648" sectionFormat="of" section="4"/>) and line wrapped to
wrapped to 72 or fewer characters. The same digest algorithm 72 or fewer characters. The same digest algorithm <bcp14>MUST</bcp14>
MUST be used for calculating the message digest of the content be used for calculating the message digest of the content being
being signed, which is the geofeed file, and for calculating the signed, which is the geofeed file, and for calculating the message
message digest on the SignerInfo SignedAttributes <xref digest on the SignerInfo SignedAttributes <xref target="RFC8933"/>.
target="RFC8933"/>. The message digest algorithm identifier The message digest algorithm identifier <bcp14>MUST</bcp14> appear in
MUST appear in both the CMS SignedData both the CMS SignedData DigestAlgorithmIdentifiers and the SignerInfo
DigestAlgorithmIdentifiers and the SignerInfo
DigestAlgorithmIdentifier <xref target="RFC5652"/>. The RPKI DigestAlgorithmIdentifier <xref target="RFC5652"/>. The RPKI
certificate covering the geofeed inetnum: object's address range certificate covering the geofeed inetnum: object's address range is
is included in the CMS SignedData certificates field <xref included in the CMS SignedData certificates field <xref
target="RFC5652"/>. target="RFC5652"/>.
</t> </t>
<t> <t>
The address range of the signing certificate MUST cover all The address range of the signing certificate <bcp14>MUST</bcp14> cover al l
prefixes in the signed geofeed file. If not, the authenticator prefixes in the signed geofeed file. If not, the authenticator
is invalid. is invalid.
</t> </t>
<t> <t>
The signing certificate MUST NOT include the Autonomous System The signing certificate <bcp14>MUST NOT</bcp14> include the Autonomous Sy
Identifier Delegation certificate extension <xref stem
target="RFC3779"/>. If it is present, the authenticator is Identifier Delegation certificate extension <xref target="RFC3779"/>. If
it is present, the authenticator is
invalid. invalid.
</t> </t>
<t> <t>
As with many other RPKI signed objects, the IP Address As with many other RPKI signed objects, the IP Address Delegation
Delegation certificate extension MUST NOT use the "inherit" certificate extension <bcp14>MUST NOT</bcp14> use the "inherit"
capability defined in Section 2.2.3.5 of <xref capability defined in <xref target="RFC3779" sectionFormat="of" section=
target="RFC3779"/>. If "inherit" is used, the authenticator is "2.2.3.5"/>. If
invalid. "inherit" is used, the authenticator is invalid.
</t> </t>
<t> <t>
An IP Address Delegation extension using "inherit" would An IP Address Delegation extension using "inherit" would
complicate processing. The implementation would have to build complicate processing. The implementation would have to build
the certification path from the end-entity to the trust anchor, the certification path from the end entity to the trust anchor,
then validate the path from the trust anchor to the end-entity, then validate the path from the trust anchor to the end entity,
and then the parameter would have to be remembered when the and then the parameter would have to be remembered when the
validated public key was used to validate a signature on a CMS validated public key was used to validate a signature on a CMS
object. Having to remember things from certification path object. Having to remember things from certification path
validation for use with CMS object processing would be quite validation for use with CMS object processing would be quite
complex and error prone. And, the certificates do not get that complex and error-prone. Additionally, the certificates do not get that
much bigger by repeating the information. much bigger by repeating the information.
</t> </t>
<t> <t>
An address range A "covers" address range B if the range of B is An address range A "covers" address range B if the range of B is
identical to or a subset of A. "Address range" is used here identical to or a subset of A. "Address range" is used here
because inetnum: objects and RPKI certificates need not align on because inetnum: objects and RPKI certificates need not align on
Classless Inter-Domain Routing (CIDR) <xref target="RFC4632"/> Classless Inter-Domain Routing (CIDR) <xref target="RFC4632"/>
prefix boundaries, while those of the lines in a geofeed file do prefix boundaries, while those of the lines in a geofeed file do
align. align.
</t> </t>
<t> <t>
The Certificate Authority (CA) SHOULD sign only one geofeed file The Certification Authority (CA) <bcp14>SHOULD</bcp14> sign only one geof
with each generated private key and SHOULD generate a new key eed file
pair for each new version of a perticular geofeed file. The CA with each generated private key and <bcp14>SHOULD</bcp14> generate a new
MUST generate a new End Entity (EE) certificate for each signing key
pair for each new version of a particular geofeed file. The CA
<bcp14>MUST</bcp14> generate a new end entity (EE) certificate for each s
igning
of a particular geofeed file. An associated EE certificate used of a particular geofeed file. An associated EE certificate used
in this fashion is termed a "one-time-use" EE certificate (see in this fashion is termed a "one-time-use" EE certificate (see
Section 3 of <xref target="RFC6487"/>). <xref target="RFC6487" sectionFormat="of" section="3"/>).
</t> </t>
<t> <t>
Identifying the private key associated with the certificate and Identifying the private key associated with the certificate and
getting the department that controls the private key (which getting the department that controls the private key (which
might be stored in a Hardware Security Module (HSM)) to generate might be stored in a Hardware Security Module (HSM)) to generate
the CMS signature is left as an exercise for the implementor. the CMS signature is left as an exercise for the implementor.
On the other hand, verifying the signature has no similar On the other hand, verifying the signature has no similar
complexity; the certificate, which is validated in the public complexity; the certificate, which is validated in the public
RPKI, contains the needed public key. The RPKI trust anchors RPKI, contains the needed public key. The RPKI trust anchors
for the RIRs are expected to already be available to the party for the RIRs are expected to already be available to the party
performing signature validation. Validation of the CMS performing signature validation. Validation of the CMS
signature over the geofeed file involves: signature over the geofeed file involves:
</t> </t>
<ol spacing="normal" type="1"> <ol spacing="normal" type="1">
<li> <li>
Obtaining the signer's certificate from the CMS SignedData Obtaining the signer's certificate from the CMS SignedData
CertificateSet <xref target="RFC5652"/>. The certificate CertificateSet <xref target="RFC5652"/>. The certificate
SubjectKeyIdentifier extension <xref target="RFC5280"/> MUST SubjectKeyIdentifier extension <xref target="RFC5280"/> <bcp14>MUST</bc p14>
match the SubjectKeyIdentifier in the CMS SignerInfo match the SubjectKeyIdentifier in the CMS SignerInfo
SignerIdentifier <xref target="RFC5652"/>. If the key SignerIdentifier <xref target="RFC5652"/>. If the key
identifiers do not match, then validation MUST fail. identifiers do not match, then validation <bcp14>MUST</bcp14> fail.
</li> </li>
<li>
<li> Validating the signer's certificate <bcp14>MUST</bcp14> ensure that it
Validating the signer's certificate MUST ensure that it is is
part of the current <xref target="RFC9286"/> manifest and that part of the current <xref target="RFC9286"/> manifest and that
all resources are covered by the RPKI certificate. all resources are covered by the RPKI certificate.
</li> </li>
<li>
<li>
Constructing the certification path for the signer's Constructing the certification path for the signer's
certificate. All of the needed certificates are expected to certificate. All of the needed certificates are expected to
be readily available in the RPKI repository. The be readily available in the RPKI repository. The
certification path MUST be valid according to the validation certification path <bcp14>MUST</bcp14> be valid according to the valida tion
algorithm in <xref target="RFC5280"/> and the additional algorithm in <xref target="RFC5280"/> and the additional
checks specified in <xref target="RFC3779"/> associated with checks specified in <xref target="RFC3779"/> associated with
the IP Address Delegation certificate extension and the the IP Address Delegation certificate extension and the
Autonomous System Identifier Delegation certificate extension. Autonomous System Identifier Delegation certificate extension.
If certification path validation is unsuccessful, then If certification path validation is unsuccessful, then
validation MUST fail. validation <bcp14>MUST</bcp14> fail.
</li> </li>
<li>
<li> Validating the CMS SignedData as specified in <xref target="RFC5652"/>
Validating the CMS SignedData as specified in <xref using the public key from the validated
target="RFC5652"/> using the public key from the validated
signer's certificate. If the signature validation is signer's certificate. If the signature validation is
unsuccessful, then validation MUST fail. unsuccessful, then validation <bcp14>MUST</bcp14> fail.
</li> </li>
<li>
<li>
Confirming that the eContentType object identifier (OID) is Confirming that the eContentType object identifier (OID) is
id-ct-geofeedCSVwithCRLF (1.2.840.113549.1.9.16.1.47). This id-ct-geofeedCSVwithCRLF (1.2.840.113549.1.9.16.1.47). This
OID MUST appear within both the eContentType in the OID <bcp14>MUST</bcp14> appear within both the eContentType in the
encapContentInfo object and the ContentType signed attribute encapContentInfo object and within the ContentType signed attribute
in the signerInfo object (see <xref target="RFC6488"/>). in the signerInfo object (see <xref target="RFC6488"/>).
</li> </li>
<li>
<li>
Verifying that the IP Address Delegation certificate Verifying that the IP Address Delegation certificate
extension <xref target="RFC3779"/> covers all of the address extension <xref target="RFC3779"/> covers all of the address
ranges of the geofeed file. If all of the address ranges are ranges of the geofeed file. If all of the address ranges are
not covered, then validation MUST fail. not covered, then validation <bcp14>MUST</bcp14> fail.
</li> </li>
</ol> </ol>
<t> <t>
All of the above steps MUST be successful to consider the All of the above steps <bcp14>MUST</bcp14> be successful to consider the
geofeed file signature as valid. geofeed file signature as valid.
</t> </t>
<t> <t>
The authenticator MUST be hidden as a series of "#" comments at the The authenticator <bcp14>MUST</bcp14> be hidden as a series of "#" commen ts at the
end of the geofeed file. The following simple example is end of the geofeed file. The following simple example is
cryptographically incorrect: cryptographically incorrect:
</t> </t>
<sourcecode type=""><![CDATA[ <sourcecode type=""><![CDATA[
# RPKI Signature: 192.0.2.0 - 192.0.2.255 # RPKI Signature: 192.0.2.0 - 192.0.2.255
# MIIGlwYJKoZIhvcNAQcCoIIGiDCCBoQCAQMxDTALBglghkgBZQMEAgEwDQYLKoZ # MIIGlwYJKoZIhvcNAQcCoIIGiDCCBoQCAQMxDTALBglghkgBZQMEAgEwDQYLKoZ
# IhvcNAQkQAS+gggSxMIIErTCCA5WgAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZu # IhvcNAQkQAS+gggSxMIIErTCCA5WgAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZu
... ...
# imwYkXpiMxw44EZqDjl36MiWsRDLdgoijBBcGbibwyAfGeR46k5raZCGvxG+4xa # imwYkXpiMxw44EZqDjl36MiWsRDLdgoijBBcGbibwyAfGeR46k5raZCGvxG+4xa
# O8PDTxTfIYwAnBjRBKAqAZ7yX5xHfm58jUXsZJ7Ileq1S7G6Kk= # O8PDTxTfIYwAnBjRBKAqAZ7yX5xHfm58jUXsZJ7Ileq1S7G6Kk=
# End Signature: 192.0.2.0 - 192.0.2.255 # End Signature: 192.0.2.0 - 192.0.2.255
]]></sourcecode> ]]></sourcecode>
<t> <t>
A correct and full example is in Appendix A. A correct and full example is in <xref target="example"/>.
</t> </t>
<t> <t>
The CMS signature does not cover the signature lines. The CMS signature does not cover the signature lines.
</t> </t>
<t> <t>
The bracketing "# RPKI Signature:" and "# End Signature:" MUST The bracketing "# RPKI Signature:" and "# End Signature:" <bcp14>MUST</bc p14>
be present as shown in the example. The RPKI Signature's IP be present as shown in the example. The RPKI Signature's IP
address range MUST match that of the geofeed URL in the inetnum: address range <bcp14>MUST</bcp14> match that of the geofeed URL in the in etnum:
that points to the geofeed file. that points to the geofeed file.
</t> </t>
</section> </section>
<section anchor="ops" numbered="true" toc="default"> <section anchor="ops" numbered="true" toc="default">
<name>Operational Considerations</name> <name>Operational Considerations</name>
<t> <t>
To create the needed inetnum: objects, an operator wishing to register To create the needed inetnum: objects, an operator wishing to register
the location of their geofeed file needs to coordinate with their the location of their geofeed file needs to coordinate with their
Regional Internet Registry (RIR) or National Internet Registry (NIR) Regional Internet Registry (RIR) or National Internet Registry (NIR)
and/or any provider Local Internet Registry (LIR) that has assigned and/or any provider Local Internet Registry (LIR) that has assigned
address ranges to them. RIRs/NIRs provide means for assignees to address ranges to them. RIRs/NIRs provide means for assignees to
create and maintain inetnum: objects. They also provide means of create and maintain inetnum: objects. They also provide means of
assigning or sub-assigning IP address resources and allowing the assigning or sub-assigning IP address resources and allowing the
assignee to create WHOIS data, including inetnum: objects, thereby assignee to create WHOIS data, including inetnum: objects, thereby
referring to geofeed files. referring to geofeed files.
</t> </t>
<t> <t>
The geofeed files MUST be published via and fetched using The geofeed files <bcp14>MUST</bcp14> be published via and fetched using
HTTPS <xref target="RFC9110" format="default"/>. HTTPS <xref target="RFC9110" format="default"/>.
</t> </t>
<t> <t>
When using data from a geofeed file, one MUST ignore data When using data from a geofeed file, one <bcp14>MUST</bcp14> ignore data
outside the referring inetnum: object's inetnum: attribute outside the referring inetnum: object's inetnum: attribute
address range. address range.
</t> </t>
<t> <t>
If and only if the geofeed file is not signed per <xref target="auth" If and only if the geofeed file is not signed per <xref target="auth" fo
format="default"/>, then multiple inetnum: objects MAY rmat="default"/>, then multiple inetnum: objects <bcp14>MAY</bcp14>
refer to the same geofeed file, and the consumer MUST refer to the same geofeed file, and the consumer <bcp14>MUST</bcp14>
use only lines in the geofeed file where the prefix is covered by the use only lines in the geofeed file where the prefix is covered by the
address range of the inetnum: object's URL it has followed. address range of the inetnum: object's URL it has followed.
</t> </t>
<t> <t>
If the geofeed file is signed, and the signer's certificate If the geofeed file is signed, and the signer's certificate
changes, the signature in the geofeed file MUST changes, the signature in the geofeed file <bcp14>MUST</bcp14>
be updated. be updated.
</t> </t>
<t> <t>
It is good key hygiene to use a given key for only one purpose. It is good key hygiene to use a given key for only one purpose.
To dedicate a signing private key for signing a geofeed file, an To dedicate a signing private key for signing a geofeed file, an
RPKI Certification Authority (CA) may issue a subordinate RPKI Certification Authority (CA) may issue a subordinate
certificate exclusively for the purpose shown in <xref certificate exclusively for the purpose shown in <xref target="example"
target="example" format="default"/>. format="default"/>.
</t> </t>
<t> <t>
Harvesting and publishing aggregated geofeed data outside of the Harvesting and publishing aggregated geofeed data outside of the RPSL
RPSL model should be avoided as it can have the effect that more model should be avoided as it could lead to detailed data
specifics from one aggregatee could undesirably affect the less of one aggregatee undesirably affecting the less detailed data of a
specifics of a different aggregatee. Moreover, publishing different aggregatee. Moreover, publishing
aggregated geofeed data prevents the reader of the data to aggregated geofeed data prevents the reader of the data from
perform the checks described in <xref target="fetch"/> and <xref performing the checks described in <xref target="fetch"/> and <xref targ
target="auth"/>. et="auth"/>.
</t> </t>
<t> <t>
At the time of publishing this document, geolocation providers At the time of publishing this document, geolocation providers
have bulk WHOIS data access at all the RIRs. An anonymized have bulk WHOIS data access at all the RIRs. An anonymized
version of such data is openly available for all RIRs except version of such data is openly available for all RIRs except
ARIN, which requires an authorization. However, for users ARIN, which requires an authorization. However, for users
without such authorization, the same result can be achieved with without such authorization, the same result can be achieved with
extra RDAP effort. There is open-source code to pass over such extra RDAP effort. There is open-source code to pass over such
data across all RIRs, collect all geofeed references, and data across all RIRs, collect all geofeed references, and
process them <xref target="GEOFEED-FINDER" format="default"/>. process them <xref target="GEOFEED-FINDER" format="default"/>.
skipping to change at line 699 skipping to change at line 636
<t> <t>
At the time of publishing this document, geolocation providers At the time of publishing this document, geolocation providers
have bulk WHOIS data access at all the RIRs. An anonymized have bulk WHOIS data access at all the RIRs. An anonymized
version of such data is openly available for all RIRs except version of such data is openly available for all RIRs except
ARIN, which requires an authorization. However, for users ARIN, which requires an authorization. However, for users
without such authorization, the same result can be achieved with without such authorization, the same result can be achieved with
extra RDAP effort. There is open-source code to pass over such extra RDAP effort. There is open-source code to pass over such
data across all RIRs, collect all geofeed references, and data across all RIRs, collect all geofeed references, and
process them <xref target="GEOFEED-FINDER" format="default"/>. process them <xref target="GEOFEED-FINDER" format="default"/>.
</t> </t>
<t> <t>
To prevent undue load on RPSL and geofeed servers, To prevent undue load on RPSL and geofeed servers,
entity-fetching geofeed data using these mechanisms MUST entity-fetching geofeed data using these mechanisms <bcp14>MUST
NOT do frequent real-time lookups. <xref NOT</bcp14> do frequent real-time lookups. <xref target="RFC8805" secti
target="RFC8805" sectionFormat="of" section="3.4" onFormat="of" section="3.4" format="default"/> suggests use of the HTTP Expires
format="default"/> suggests use of the HTTP Expires header <xref header <xref target="RFC9111" format="default"/> to signal when geofeed data
target="RFC7234" format="default"/> to signal when geofeed data
should be refetched. As the data change very infrequently, in should be refetched. As the data change very infrequently, in
the absence of such an HTTP Header signal, collectors the absence of such an HTTP Header signal, collectors
SHOULD NOT fetch more frequently than weekly. It <bcp14>SHOULD NOT</bcp14> fetch more frequently than weekly. It
would be polite not to fetch at magic times such as midnight would be polite not to fetch at magic times such as midnight
UTC, the first of the month, etc., because too many others are UTC, the first of the month, etc., because too many others are
likely to do the same. likely to do the same.
</t> </t>
</section> </section>
<section anchor="privacy" numbered="true" toc="default"> <section anchor="privacy" numbered="true" toc="default">
<name>Privacy Considerations</name> <name>Privacy Considerations</name>
<t> <t>
<xref target="RFC8805" format="default"/> geofeed data may reveal the <xref target="RFC8805" format="default"/> geofeed data may reveal the
approximate location of an IP address, which might in turn reveal the approximate location of an IP address, which might in turn reveal the
approximate location of an individual user. Unfortunately, <xref approximate location of an individual user. Unfortunately, <xref target
target="RFC8805" format="default"/> provides no privacy guidance on ="RFC8805" format="default"/> provides no privacy guidance on
avoiding or ameliorating possible damage due to this exposure of the avoiding or ameliorating possible damage due to this exposure of the
user. In publishing pointers to geofeed files as described in this user. In publishing pointers to geofeed files as described in this
document, the operator should be aware of this exposure in geofeed document, the operator should be aware of this exposure in geofeed
data and be cautious. All the privacy considerations of <xref data and be cautious. All the privacy considerations of <xref target="R
target="RFC8805" sectionFormat="of" section="4" format="default"/> FC8805" sectionFormat="of" section="4" format="default"/>
apply to this document. apply to this document.
</t> </t>
<t> <t>
Where <xref target="RFC8805" format="default"/> provided the ability Where <xref target="RFC8805" format="default"/> provided the ability
to publish location data, this document makes bulk access to those data to publish location data, this document makes bulk access to those data
readily available. This is a goal, not an accident. readily available. This is a goal, not an accident.
</t> </t>
</section> </section>
<section anchor="impl" numbered="true" toc="default"> <section anchor="impl" numbered="true" toc="default">
<name>Implementation Status</name> <name>Implementation Status</name>
<t> <t>
At the time of publishing this document, the geofeed: attribute At the time of publishing this document, the geofeed: attribute
in inetnum objects has been implemented in the RIPE and APNIC in inetnum objects has been implemented in the RIPE and APNIC
databases. databases.
</t> </t>
<t> <t>
Registrants in databases which do not yet support the geofeed: Registrants in databases that do not yet support the geofeed:
attribute are using the remarks:, or equivalent, attribute. attribute are using the remarks: attribute, or equivalent.
</t> </t>
<t> <t>
At the time of publishing this document, the registry data At the time of publishing this document, the registry data
published by ARIN are not the same RPSL as that of the other published by ARIN are not the same RPSL as that of the other
registries (see <xref target="RFC7485" format="default"/> for a registries (see <xref target="RFC7485" format="default"/> for a
survey of the WHOIS Tower of Babel); therefore, when fetching survey of the WHOIS Tower of Babel). Therefore, when fetching
from ARIN via FTP <xref target="RFC0959" format="default"/>, from ARIN via FTP <xref target="RFC0959" format="default"/>,
WHOIS <xref target="RFC3912" format="default"/>, the WHOIS <xref target="RFC3912" format="default"/>, the RDAP <xref target="
Registration Data Access Protocol (RDAP) <xref target="RFC9082" RFC9082" format="default"/>, etc., the "NetRange" attribute/key must be
format="default"/>, etc., the "NetRange" attribute/key must be
treated as "inetnum", and the "Comment" attribute must be treated as "inetnum", and the "Comment" attribute must be
treated as "remarks". treated as "remarks".
</t> </t>
<t> <t>
<xref target="rpki-client"/> can be used to authenticate a <xref target="rpki-client"/> can be used to authenticate a
signed geofeed file. signed geofeed file.
</t> </t>
</section> </section>
<section anchor="seccons" numbered="true" toc="default"> <section anchor="seccons" numbered="true" toc="default">
<name>Security Considerations</name> <name>Security Considerations</name>
<t> <t>
It is generally prudent for a consumer of geofeed data to also It is generally prudent for a consumer of geofeed data to also
use other sources to cross-validate the data. All the security use other sources to cross-validate the data. All the security
considerations of <xref target="RFC8805" format="default"/> considerations of <xref target="RFC8805" format="default"/>
apply here as well. apply here as well.
</t> </t>
<t> <t>
The consumer of geofeed data SHOULD fetch and process the data The consumer of geofeed data <bcp14>SHOULD</bcp14> fetch and process the
themselves. Importing datasets produced and/or processed by a data
themselves. Importing data sets produced and/or processed by a
third-party places significant trust in the third-party. third-party places significant trust in the third-party.
</t> </t>
<t> <t>
As mentioned in <xref target="auth" format="default"/>, some As mentioned in <xref target="auth" format="default"/>, some
RPSL repositories have weak, if any, authentication. This RPSL repositories have weak, if any, authentication. This
allows spoofing of inetnum: objects pointing to malicious allows spoofing of inetnum: objects pointing to malicious
geofeed files. <xref target="auth" format="default"/> suggests geofeed files. <xref target="auth" format="default"/> suggests
an unfortunately complex method for stronger authentication an unfortunately complex method for stronger authentication
based on the RPKI. based on the RPKI.
</t> </t>
<t> <t>
For example, if an inetnum: for a wide address range (e.g., a For example, if an inetnum: for a wide address range (e.g., a
/16) points to an RPKI-signed geofeed file, a customer or /16) points to an RPKI-signed geofeed file, a customer or
attacker could publish an unsigned equal or narrower (e.g., a attacker could publish an unsigned equal or narrower (e.g., a
/24) inetnum: in a WHOIS registry that has weak authorization, /24) inetnum: in a WHOIS registry that has weak authorization,
abusing the rule that the most-specific inetnum: object with a abusing the rule that the most-specific inetnum: object with a
geofeed reference MUST be used. geofeed reference <bcp14>MUST</bcp14> be used.
</t> </t>
<t> <t>
If signatures were mandatory, the above attack would be stymied, but If signatures were mandatory, the above attack would be stymied, but
of course that is not happening anytime soon. of course that is not happening anytime soon.
</t> </t>
<t> <t>
The RPSL providers have had to throttle fetching from their The RPSL providers have had to throttle fetching from their
servers due to too-frequent queries. Usually, they throttle by servers due to too-frequent queries. Usually, they throttle by
the querying IP address or block. Similar defenses will likely the querying IP address or block. Similar defenses will likely
need to be deployed by geofeed file servers. need to be deployed by geofeed file servers.
</t> </t>
</section> </section>
<section anchor="iana" numbered="true" toc="default"> <section anchor="iana" numbered="true" toc="default">
<name>IANA Considerations</name> <name>IANA Considerations</name>
<t> <t>
In the SMI Security for S/MIME CMS Content Type In the SMI Security for S/MIME CMS Content Type
(1.2.840.113549.1.9.16.1) in the Structure of Management (1.2.840.113549.1.9.16.1) in the Structure of Management
Information (SMI) Numbers (MIB Module Registrations) registry Information (SMI) Numbers (MIB Module Registrations) registry
group located at: https://www.iana.org/assignments/smi-numbers/ group (located at <eref target="https://www.iana.org/assignments/smi-numb
there is an existing registration for: ers/" brackets="angle"/>),
<figure> the reference for this registration has been updated to this document:
<artwork>
Decimal: 47
Description: id-ct-geofeedCSVwithCRLF
</artwork>
</figure>
On publication of this document, that reference needs to be
changed to the new [ RFC-to-be ].
</t> </t>
<table anchor="IANA-registration">
<name>From SMI Security for S/MIME Module Identifier (1.2.840.113549.1.9.16.1)
</name>
<thead>
<tr>
<th>Decimal</th>
<th>Description</th>
<th>Reference</th>
</tr>
</thead>
<tbody>
<tr>
<td>47</td>
<td>id-ct-geofeedCSVwithCRLF</td>
<td>RFC 9632</td>
</tr>
</tbody>
</table>
</section> </section>
<section title="Acknowledgments" anchor="acks">
<t>Thanks to Rob Austein for CMS and detached signature clue,
George Michaelson for the first and substantial external review,
and Erik Kline who was too shy to agree to coauthorship.
Additionally, we express our gratitude to early implementors,
including Menno Schepers; Flavio Luciani; Eric Dugas; and Kevin
Pack. Also, thanks to the following geolocation providers who are
consuming geofeeds with this described solution: Jonathan Kosgei
(ipdata.co), Ben Dowling (ipinfo.io), and Pol Nisenblat
(bigdatacloud.com). For an amazing number of helpful reviews, we
thank Job Snijders, who also found an ASN.1 'inherit' issue;
Adrian Farrel; Antonio Prado; Francesca Palombini; Jean-Michel
Combes (INTDIR); John Scudder; Kyle Rose (SECDIR); Martin Duke;
Mohamed Boucadair; Murray Kucherawy; Paul Kyzivat (GENART); Rob
Wilton; Roman Danyliw; and Ties de Kock.</t>
</section>
</middle> </middle>
<back> <back>
<displayreference target="I-D.ietf-regext-rdap-geofeed" to="RDAP-GEOFEED"/>
<references>
<name>References</name>
<references>
<name>Normative References</name>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2
119.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2
622.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2
725.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3
629.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3
779.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4
012.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4
648.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5
280.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5
652.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
174.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6
481.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6
487.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6
488.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
805.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
933.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
110.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
286.xml"/>
</references>
<references>
<name>Informative References</name>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.0
959.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3
912.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4
632.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5
485.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6
269.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7
485.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7
909.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
082.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
092.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
111.xml"/>
<references title="Normative References"> <!-- [I-D.ietf-regext-rdap-geofeed] IESG state: I-D Exists as of 02/27/24-->
<?rfc include="reference.RFC.2119.xml"?> <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-reg
<?rfc include="reference.RFC.2622.xml"?> ext-rdap-geofeed.xml"/>
<?rfc include="reference.RFC.2725.xml"?>
<?rfc include="reference.RFC.3629.xml"?>
<?rfc include="reference.RFC.3779.xml"?>
<?rfc include="reference.RFC.4012.xml"?>
<?rfc include="reference.RFC.4648.xml"?>
<?rfc include="reference.RFC.5280.xml"?>
<?rfc include="reference.RFC.5652.xml"?>
<?rfc include="reference.RFC.8174.xml"?>
<?rfc include="reference.RFC.6481.xml"?>
<?rfc include="reference.RFC.6487.xml"?>
<?rfc include="reference.RFC.6488.xml"?>
<?rfc include="reference.RFC.8805.xml"?>
<?rfc include="reference.RFC.8933.xml"?>
<?rfc include="reference.RFC.9110.xml"?>
<?rfc include="reference.RFC.9286.xml"?>
</references>
<references title="Informative References">
<?rfc include="reference.RFC.0959.xml"?>
<?rfc include="reference.RFC.3912.xml"?>
<?rfc include="reference.RFC.4632.xml"?>
<?rfc include="reference.RFC.5485.xml"?>
<?rfc include="reference.RFC.6269.xml"?>
<?rfc include="reference.RFC.7234.xml"?>
<?rfc include="reference.RFC.7485.xml"?>
<?rfc include="reference.RFC.7909.xml"?>
<?rfc include="reference.RFC.9082.xml"?>
<?rfc include="reference.RFC.9092.xml"?>
<?rfc include="reference.I-D.ietf-regext-rdap-geofeed"?>
<reference anchor="RIPE81" target="https://www.ripe.net/publications/doc s/ripe-081"> <reference anchor="RIPE81" target="https://www.ripe.net/publications/doc s/ripe-081">
<front> <front>
<title>Representation Of IP Routing Policies In The RIPE Database</t itle> <title>Representation Of IP Routing Policies In The RIPE Database</t itle>
<author> <author>
<organization>RIPE NCC</organization> <organization>RIPE NCC</organization>
</author> </author>
<date month="February" year="1993"/> <date month="February" year="1993"/>
</front> </front>
</reference> </reference>
<reference anchor="RIPE181" target="https://www.ripe.net/publications/do cs/ripe-181"> <reference anchor="RIPE181" target="https://www.ripe.net/publications/do cs/ripe-181">
<front> <front>
<title>Representation Of IP Routing Policies In A Routing Registry</ title> <title>Representation Of IP Routing Policies In A Routing Registry</ title>
<author> <author>
<organization>RIPE NCC</organization> <organization>RIPE NCC</organization>
</author> </author>
<date month="October" year="1994"/> <date month="October" year="1994"/>
</front> </front>
</reference> </reference>
<reference anchor="RIPE-DB" target="https://www.ripe.net/manage-ips-and- asns/db/support/documentation/ripe-database-documentation"> <reference anchor="RIPE-DB" target="https://www.ripe.net/manage-ips-and- asns/db/support/documentation/ripe-database-documentation">
<front> <front>
<title>RIPE Database Documentation</title> <title>RIPE Database Documentation</title>
<author> <author>
<organization>RIPE NCC</organization> <organization>RIPE NCC</organization>
</author> </author>
<date/> <date month="September" year="2023"/>
</front> </front>
</reference> </reference>
<reference anchor="INETNUM" target="https://www.ripe.net/manage-ips-and- asns/db/support/documentation/ripe-database-documentation/rpsl-object-types/4-2- descriptions-of-primary-objects/4-2-4-description-of-the-inetnum-object"> <reference anchor="INETNUM" target="https://apps.db.ripe.net/docs/RPSL-O bject-Types/Descriptions-of-Primary-Objects/#description-of-the-inetnum-object">
<front> <front>
<title>Description of the INETNUM Object</title> <title>RIPE Database Documentation: Description of the INETNUM Objec t</title>
<author> <author>
<organization>RIPE NCC</organization> <organization>RIPE NCC</organization>
</author> </author>
<date month="June" year="2020"/>
</front> </front>
</reference> </reference>
<reference anchor="INET6NUM" target="https://www.ripe.net/manage-ips-and -asns/db/support/documentation/ripe-database-documentation/rpsl-object-types/4-2 -descriptions-of-primary-objects/4-2-3-description-of-the-inet6num-object"> <reference anchor="INET6NUM" target="https://apps.db.ripe.net/docs/RPSL- Object-Types/Descriptions-of-Primary-Objects/#description-of-the-inet6num-object ">
<front> <front>
<title>Description of the INET6NUM Object</title> <title>RIPE Database Documentation: Description of the INET6NUM Obje ct</title>
<author> <author>
<organization>RIPE NCC</organization> <organization>RIPE NCC</organization>
</author> </author>
<date month="October" year="2019"/>
</front> </front>
</reference> </reference>
<reference anchor="GEOFEED-FINDER" target="https://github.com/massimocan dela/geofeed-finder"> <reference anchor="GEOFEED-FINDER" target="https://github.com/massimocan dela/geofeed-finder">
<front> <front>
<title>geofeed-finder</title> <title>geofeed-finder</title>
<author> <author>
<organization></organization> <organization/>
</author> </author>
<date month="June" year="2021"/> <date month="March" year="2024"/>
</front> </front>
<refcontent>commit 5f557a4</refcontent> <refcontent>commit 5f557a4</refcontent>
</reference> </reference>
<reference anchor="rpki-client" target="https://sobornost.net/~job/using_g <reference anchor="rpki-client" target="https://sobornost.net/~job/using
eofeed_authenticators.txt"> _geofeed_authenticators.txt">
<front> <front>
<title>Example on how to use rpki-client to authenticate a signed Geof <title>Example on how to use rpki-client to authenticate a signed Ge
eed</title> ofeed</title>
<author fullname="Job Snijders"/> <author fullname="Job Snijders"/>
<date month="September" year="2023" /> <date month="September" year="2023"/>
</front> </front>
</reference> </reference>
</references>
</references> </references>
<section anchor="example">
<section title="Example" anchor="example"> <name>Example</name>
<t> <t>This appendix provides an example, including a trust anchor, a
This appendix provides an example, including a trust anchor, a Certificate Revocation List (CRL) signed by the trust anchor, a CA
Certificate Revocation List (CRL) signed by the trust anchor, a CA certificate subordinate to the trust anchor, a CRL signed by the CA, an
certificate subordinate to the trust anchor, a CRL signed by the CA, end entity certificate subordinate to the CA for signing the geofeed,
an end-entity certificate subordinate to the CA for signing the and a detached signature.</t>
geofeed, and a detached signature.</t> <t>The trust anchor is represented by a self-signed certificate. As
usual in the RPKI, the trust anchor has authority over all IPv4 address
<t> blocks, all IPv6 address blocks, and all Autonomous System (AS)
The trust anchor is represented by a self-signed certificate. As numbers.</t>
usual in the RPKI, the trust anchor has authority over all IPv4 <sourcecode type=""><![CDATA[
address blocks, all IPv6 address blocks, and all Autonomous Systam
(AS) numbers.</t>
<figure><artwork><![CDATA[
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIEQTCCAymgAwIBAgIUEggycNoFVRjAuN/Fw7URu0DEZNAwDQYJKoZIhvcNAQEL MIIEQTCCAymgAwIBAgIUEggycNoFVRjAuN/Fw7URu0DEZNAwDQYJKoZIhvcNAQEL
BQAwFTETMBEGA1UEAxMKZXhhbXBsZS10YTAeFw0yMzA5MTkyMDMzMzlaFw0zMzA5 BQAwFTETMBEGA1UEAxMKZXhhbXBsZS10YTAeFw0yMzA5MTkyMDMzMzlaFw0zMzA5
MTYyMDMzMzlaMBUxEzARBgNVBAMTCmV4YW1wbGUtdGEwggEiMA0GCSqGSIb3DQEB MTYyMDMzMzlaMBUxEzARBgNVBAMTCmV4YW1wbGUtdGEwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDQprR+g/i4JyObVURTp1JpGM23vGPyE5fDKFPqV7rw AQUAA4IBDwAwggEKAoIBAQDQprR+g/i4JyObVURTp1JpGM23vGPyE5fDKFPqV7rw
M1Amm7cnew66U02IzV0X5oiv5nSGfRX5UxsbR+vwPBMceQyDgS5lexFiv4fB/Vjf M1Amm7cnew66U02IzV0X5oiv5nSGfRX5UxsbR+vwPBMceQyDgS5lexFiv4fB/Vjf
DT2qX/UjsLL9QOeaSOh7ToJSLjmtpa0D9iz7ful3hdxRjpMMZiE/reX9/ymdpW/E DT2qX/UjsLL9QOeaSOh7ToJSLjmtpa0D9iz7ful3hdxRjpMMZiE/reX9/ymdpW/E
dg0F6+T9WGZE1miPeIjl5OZwnmLHCftkN/aaYk1iPNjNniHYIOjC1jSpABmoZyTj dg0F6+T9WGZE1miPeIjl5OZwnmLHCftkN/aaYk1iPNjNniHYIOjC1jSpABmoZyTj
sgrwLE2F1fIRkVkwASqToq/D5v9voXaYYaXUNJb4H/5wenRuvT5O/n6PXh70rMQy sgrwLE2F1fIRkVkwASqToq/D5v9voXaYYaXUNJb4H/5wenRuvT5O/n6PXh70rMQy
F5yzLs96ytxqg5gGX9kabVnvxFU8nHfPa0rhlwfTJnljAgMBAAGjggGHMIIBgzAd F5yzLs96ytxqg5gGX9kabVnvxFU8nHfPa0rhlwfTJnljAgMBAAGjggGHMIIBgzAd
skipping to change at line 994 skipping to change at line 909
ZXQvbm90aWZpY2F0aW9uLnhtbDAwBggrBgEFBQcwBYYkcnN5bmM6Ly9ycGtpLmV4 ZXQvbm90aWZpY2F0aW9uLnhtbDAwBggrBgEFBQcwBYYkcnN5bmM6Ly9ycGtpLmV4
YW1wbGUubmV0L3JlcG9zaXRvcnkvMCcGCCsGAQUFBwEHAQH/BBgwFjAJBAIAATAD YW1wbGUubmV0L3JlcG9zaXRvcnkvMCcGCCsGAQUFBwEHAQH/BBgwFjAJBAIAATAD
AwEAMAkEAgACMAMDAQAwIQYIKwYBBQUHAQgBAf8EEjAQoA4wDDAKAgEAAgUA//// AwEAMAkEAgACMAMDAQAwIQYIKwYBBQUHAQgBAf8EEjAQoA4wDDAKAgEAAgUA////
/zANBgkqhkiG9w0BAQsFAAOCAQEAa9eLY9QAmnlZOIyOzbpta5wqcOUQV/yR7o/0 /zANBgkqhkiG9w0BAQsFAAOCAQEAa9eLY9QAmnlZOIyOzbpta5wqcOUQV/yR7o/0
1zkEZaSavKBt19lMK6AXZurx1T5jyjIwG7bEtZZThjtH2m80V5kc2tsFjSq/yp7N 1zkEZaSavKBt19lMK6AXZurx1T5jyjIwG7bEtZZThjtH2m80V5kc2tsFjSq/yp7N
JBclMHVd3tXse9If3nXYF4bxRIcir1lXlAbYN+Eo1U3i5qJO+fxouzt7Merk2Dih JBclMHVd3tXse9If3nXYF4bxRIcir1lXlAbYN+Eo1U3i5qJO+fxouzt7Merk2Dih
nsenTeXKzN7tfmuCYZZHCC8viCoJWdH+o1uRM4TiQApZsUJ8sF4TABrrRJmA/Ed5 nsenTeXKzN7tfmuCYZZHCC8viCoJWdH+o1uRM4TiQApZsUJ8sF4TABrrRJmA/Ed5
v0CTBbgqTx7yg0+VarFLPdnjYgtpoCJqwE2C1UpX15rZSaLVuGXtbwXd/cHEg5vF v0CTBbgqTx7yg0+VarFLPdnjYgtpoCJqwE2C1UpX15rZSaLVuGXtbwXd/cHEg5vF
W6QTsMeMQFEUa6hkicDGtxLTUdhckBgmCGoF2nlZii5f1BTWAg== W6QTsMeMQFEUa6hkicDGtxLTUdhckBgmCGoF2nlZii5f1BTWAg==
-----END CERTIFICATE----- -----END CERTIFICATE-----
]]></artwork></figure> ]]></sourcecode>
<t>The CRL is issued by the trust anchor.</t>
<t> <sourcecode type=""><![CDATA[
The CRL issued by the trust anchor.</t>
<figure><artwork><![CDATA[
-----BEGIN X509 CRL----- -----BEGIN X509 CRL-----
MIIBjjB4AgEBMA0GCSqGSIb3DQEBCwUAMBUxEzARBgNVBAMTCmV4YW1wbGUtdGEX MIIBjjB4AgEBMA0GCSqGSIb3DQEBCwUAMBUxEzARBgNVBAMTCmV4YW1wbGUtdGEX
DTIzMDkyMzE1NTUzOFoXDTIzMTAyMzE1NTUzOFqgLzAtMB8GA1UdIwQYMBaAFMC9 DTIzMDkyMzE1NTUzOFoXDTIzMTAyMzE1NTUzOFqgLzAtMB8GA1UdIwQYMBaAFMC9
Ul2+0niyFuyzo0OV0gYLmQgyMAoGA1UdFAQDAgEEMA0GCSqGSIb3DQEBCwUAA4IB Ul2+0niyFuyzo0OV0gYLmQgyMAoGA1UdFAQDAgEEMA0GCSqGSIb3DQEBCwUAA4IB
AQCngOu+Nq3WC4y/pHtLoheAOtNg32WWsKPNiEyL+QalmOtURUsWMzOq41bmoPzQ AQCngOu+Nq3WC4y/pHtLoheAOtNg32WWsKPNiEyL+QalmOtURUsWMzOq41bmoPzQ
NDQoRmXe9mvohAVRe0CnM7A07HOtSfjw5aoouPXGTtfwEomHG2CYk+2U1bvxgZyA NDQoRmXe9mvohAVRe0CnM7A07HOtSfjw5aoouPXGTtfwEomHG2CYk+2U1bvxgZyA
E1c5TvyhkabFMO0+857wqxRP+ht9NV0lMX6kUFlEOCw3ELVd9oNNRBwKQtXj1huM E1c5TvyhkabFMO0+857wqxRP+ht9NV0lMX6kUFlEOCw3ELVd9oNNRBwKQtXj1huM
6Sf26va2a1tnC5zP01hN+EY3S9T5T1gcgPGBcqRWKoXJEbRzCrLsb/TMj5cMpIje 6Sf26va2a1tnC5zP01hN+EY3S9T5T1gcgPGBcqRWKoXJEbRzCrLsb/TMj5cMpIje
AHZoBojVAmvL1AIH/BnGAQj0+XqaJ0axHvlqJa8iX8QwKqhp+o6sv/atY2QDDRmE AHZoBojVAmvL1AIH/BnGAQj0+XqaJ0axHvlqJa8iX8QwKqhp+o6sv/atY2QDDRmE
Yjq/VrBVKu5VsDY2Lr29HszA Yjq/VrBVKu5VsDY2Lr29HszA
-----END X509 CRL----- -----END X509 CRL-----
]]></artwork></figure> ]]></sourcecode>
<t>
<t>
The CA certificate is issued by the trust anchor. This The CA certificate is issued by the trust anchor. This
certificate grants authority over one IPv4 address block certificate grants authority over one IPv4 address block
(192.0.2.0/24) and two AS numbers (64496 and 64497).</t> (192.0.2.0/24) and two AS numbers (64496 and 64497).</t>
<sourcecode type=""><![CDATA[
<figure><artwork><![CDATA[
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIE7DCCA9SgAwIBAgIUcyCzS10hdfG65kbRq7toQAvRDLkwDQYJKoZIhvcNAQEL MIIE7DCCA9SgAwIBAgIUcyCzS10hdfG65kbRq7toQAvRDLkwDQYJKoZIhvcNAQEL
BQAwFTETMBEGA1UEAxMKZXhhbXBsZS10YTAeFw0yMzA5MjMxNTU1MzhaFw0yNDA5 BQAwFTETMBEGA1UEAxMKZXhhbXBsZS10YTAeFw0yMzA5MjMxNTU1MzhaFw0yNDA5
MjIxNTU1MzhaMDMxMTAvBgNVBAMTKDNBQ0UyQ0VGNEZCMjFCN0QxMUUzRTE4NEVG MjIxNTU1MzhaMDMxMTAvBgNVBAMTKDNBQ0UyQ0VGNEZCMjFCN0QxMUUzRTE4NEVG
QzFFMjk3QjM3Nzg2NDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDc QzFFMjk3QjM3Nzg2NDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDc
zz1qwTxC2ocw5rqp8ktm2XyYkl8riBVuqlXwfefTxsR2YFpgz9vkYUd5Az9EVEG7 zz1qwTxC2ocw5rqp8ktm2XyYkl8riBVuqlXwfefTxsR2YFpgz9vkYUd5Az9EVEG7
6wGIyZbtmhK63eEeaqbKz2GHub467498BXeVrYysO+YuIGgCEYKznNDZ4j5aaDbo 6wGIyZbtmhK63eEeaqbKz2GHub467498BXeVrYysO+YuIGgCEYKznNDZ4j5aaDbo
j5+4/z0Qvv6HEsxQd0f8br6lKJwgeRM6+fm7796HNPB0aqD7Zj9NRCLXjbB0DCgJ j5+4/z0Qvv6HEsxQd0f8br6lKJwgeRM6+fm7796HNPB0aqD7Zj9NRCLXjbB0DCgJ
liH6rXMKR86ofgll9V2mRjesvhdKYgkGbOif9rvxVpLJ/6zdru5CE9yeuJZ59l+n liH6rXMKR86ofgll9V2mRjesvhdKYgkGbOif9rvxVpLJ/6zdru5CE9yeuJZ59l+n
YH/r6PzdJ4Q7yKrJX8qD6A60j4+biaU4MQ72KpsjhQNTTqF/HRwi0N54GDaknEwE YH/r6PzdJ4Q7yKrJX8qD6A60j4+biaU4MQ72KpsjhQNTTqF/HRwi0N54GDaknEwE
skipping to change at line 1048 skipping to change at line 958
b24ueG1sMDAGCCsGAQUFBzAFhiRyc3luYzovL3Jwa2kuZXhhbXBsZS5uZXQvcmVw b24ueG1sMDAGCCsGAQUFBzAFhiRyc3luYzovL3Jwa2kuZXhhbXBsZS5uZXQvcmVw
b3NpdG9yeS8wHwYIKwYBBQUHAQcBAf8EEDAOMAwEAgABMAYDBADAAAIwIQYIKwYB b3NpdG9yeS8wHwYIKwYBBQUHAQcBAf8EEDAOMAwEAgABMAYDBADAAAIwIQYIKwYB
BQUHAQgBAf8EEjAQoA4wDDAKAgMA+/ACAwD78TANBgkqhkiG9w0BAQsFAAOCAQEA BQUHAQgBAf8EEjAQoA4wDDAKAgMA+/ACAwD78TANBgkqhkiG9w0BAQsFAAOCAQEA
arIrZWb22wFmP+hVjhdg3IsKHB6fQdMuUR0u2DyZTVvbL6C+HyGAH32pi5mR/QLX arIrZWb22wFmP+hVjhdg3IsKHB6fQdMuUR0u2DyZTVvbL6C+HyGAH32pi5mR/QLX
FAfdqALaB7r68tQTGLIW6bGljT+BqUPJmZcj56x3cBLJlltxwFatTloypjFt3cls FAfdqALaB7r68tQTGLIW6bGljT+BqUPJmZcj56x3cBLJlltxwFatTloypjFt3cls
xFCuuD9J2iBxc6odTKi6u0mhQjD+C9m4xkbe8XXWWx85IHm1s6rYbpGgiMWxBC80 xFCuuD9J2iBxc6odTKi6u0mhQjD+C9m4xkbe8XXWWx85IHm1s6rYbpGgiMWxBC80
qqAzmBHGROWKUEvh00EYIYdiAvyFcrj7QtDiRJL5TDOySVd9pWJkerDzhqwE1IaZ qqAzmBHGROWKUEvh00EYIYdiAvyFcrj7QtDiRJL5TDOySVd9pWJkerDzhqwE1IaZ
rpHck+lkYTS7jTD++6v32HG62GdsmryOQUk3aU1rLb3kS8vzaGbrgHpGPid0Hd0x rpHck+lkYTS7jTD++6v32HG62GdsmryOQUk3aU1rLb3kS8vzaGbrgHpGPid0Hd0x
ZSl1AoIMpp5mZ7/h9aW5+A== ZSl1AoIMpp5mZ7/h9aW5+A==
-----END CERTIFICATE----- -----END CERTIFICATE-----
]]></artwork></figure> ]]></sourcecode>
<t>
<t> The CRL is issued by the CA.</t>
The CRL issued by the CA.</t> <sourcecode type=""><![CDATA[
<figure><artwork><![CDATA[
-----BEGIN X509 CRL----- -----BEGIN X509 CRL-----
MIIBrTCBlgIBATANBgkqhkiG9w0BAQsFADAzMTEwLwYDVQQDEygzQUNFMkNFRjRG MIIBrTCBlgIBATANBgkqhkiG9w0BAQsFADAzMTEwLwYDVQQDEygzQUNFMkNFRjRG
QjIxQjdEMTFFM0UxODRFRkMxRTI5N0IzNzc4NjQyFw0yMzA5MjMxNTU1MzhaFw0y QjIxQjdEMTFFM0UxODRFRkMxRTI5N0IzNzc4NjQyFw0yMzA5MjMxNTU1MzhaFw0y
MzEwMjMxNTU1MzhaoC8wLTAfBgNVHSMEGDAWgBQ6zizvT7IbfRHj4YTvweKXs3eG MzEwMjMxNTU1MzhaoC8wLTAfBgNVHSMEGDAWgBQ6zizvT7IbfRHj4YTvweKXs3eG
QjAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQsFAAOCAQEACwCNzcAoqbMcUL1kBY65 QjAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQsFAAOCAQEACwCNzcAoqbMcUL1kBY65
YhL95OnBqAcuc99pD4i9c1BmVOl7bXU3cJqLaOZ6Z8CmN0kBbcHyqlHBJ9oA/aYD YhL95OnBqAcuc99pD4i9c1BmVOl7bXU3cJqLaOZ6Z8CmN0kBbcHyqlHBJ9oA/aYD
ByhxsjzKk7jxtM2IlTpEvCEqvnGLSVihgS3h0NA+sgWqHGL3Rhcj6hVsi+j9GENc ByhxsjzKk7jxtM2IlTpEvCEqvnGLSVihgS3h0NA+sgWqHGL3Rhcj6hVsi+j9GENc
T6F9np1mxbI3i2xhgeDJG1pryvH0hWXh7yJiYS8ItNEaIIXDT3szK/J9wnPjukTR T6F9np1mxbI3i2xhgeDJG1pryvH0hWXh7yJiYS8ItNEaIIXDT3szK/J9wnPjukTR
5MITiK9P3TCFujawb3O7rIT5PPgkM6eiCdwDgt6gjmw6cow5+rMjNHSRa+GOviSd 5MITiK9P3TCFujawb3O7rIT5PPgkM6eiCdwDgt6gjmw6cow5+rMjNHSRa+GOviSd
gXljVDfJvF4tKHmw59Jc2aFnSGfX1/ITDNiNfXYpUYFOcsqxkYf8F0uO7AtbRmTF gXljVDfJvF4tKHmw59Jc2aFnSGfX1/ITDNiNfXYpUYFOcsqxkYf8F0uO7AtbRmTF
2w== 2w==
-----END X509 CRL----- -----END X509 CRL-----
]]></artwork></figure> ]]></sourcecode>
<t>
<t> The end entity certificate is issued by the CA. This
The end-entity certificate is issued by the CA. This
certificate grants signature authority for one IPv4 address block certificate grants signature authority for one IPv4 address block
(192.0.2.0/24). Signature authority for AS numbers is not needed (192.0.2.0/24). Signature authority for AS numbers is not needed
for geofeed data signatures, so no AS numbers are included in the for geofeed data signatures, so no AS numbers are included in the
end-entity certificate.</t> end entity certificate.</t>
<sourcecode type=""><![CDATA[
<figure><artwork><![CDATA[
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIEVjCCAz6gAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZvAwDQYJKoZIhvcNAQEL MIIEVjCCAz6gAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZvAwDQYJKoZIhvcNAQEL
BQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExRTNFMTg0RUZDMUUyOTdC BQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExRTNFMTg0RUZDMUUyOTdC
Mzc3ODY0MjAeFw0yMzA5MjMxNTU1MzhaFw0yNDA3MTkxNTU1MzhaMDMxMTAvBgNV Mzc3ODY0MjAeFw0yMzA5MjMxNTU1MzhaFw0yNDA3MTkxNTU1MzhaMDMxMTAvBgNV
BAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM0NUFCRjA1M0ExODcwggEi BAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM0NUFCRjA1M0ExODcwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycTQrOb/qB2W3i3Ki8PhA/DEW MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycTQrOb/qB2W3i3Ki8PhA/DEW
yii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQgtPCVwr62hTQZCIowBN0BL0c yii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQgtPCVwr62hTQZCIowBN0BL0c
K0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZmr5xphXRvE+mzuJVLgu2V1upm K0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZmr5xphXRvE+mzuJVLgu2V1upm
BXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXhaFLe08y4DPfr/S/tXJOBm7QzQp BXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXhaFLe08y4DPfr/S/tXJOBm7QzQp
tmbPLYtGfprYu45liFFqqP94UeLpISfXd36AKGzqTFCcc3EW9l5UFE1MFLlnoEog tmbPLYtGfprYu45liFFqqP94UeLpISfXd36AKGzqTFCcc3EW9l5UFE1MFLlnoEog
skipping to change at line 1102 skipping to change at line 1008
BzAChlByc3luYzovL3Jwa2kuZXhhbXBsZS5uZXQvcmVwb3NpdG9yeS8zQUNFMkNF BzAChlByc3luYzovL3Jwa2kuZXhhbXBsZS5uZXQvcmVwb3NpdG9yeS8zQUNFMkNF
RjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5N0IzNzc4NjQyLmNlcjAfBggrBgEFBQcB RjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5N0IzNzc4NjQyLmNlcjAfBggrBgEFBQcB
BwEB/wQQMA4wDAQCAAEwBgMEAMAAAjANBgkqhkiG9w0BAQsFAAOCAQEAlxt25FUe BwEB/wQQMA4wDAQCAAEwBgMEAMAAAjANBgkqhkiG9w0BAQsFAAOCAQEAlxt25FUe
e0+uCidTH+4p7At3u2ncgHcGTsag3UcoPjcE/I1JgQJRu9TiM4iNB1C7Lbdd131g e0+uCidTH+4p7At3u2ncgHcGTsag3UcoPjcE/I1JgQJRu9TiM4iNB1C7Lbdd131g
MdliL5GQ3P4QfKnfkuPR6S1V8suq6ZT1KQRyLJx+EPgDN2rb/iji0TOK6RKPNBdG MdliL5GQ3P4QfKnfkuPR6S1V8suq6ZT1KQRyLJx+EPgDN2rb/iji0TOK6RKPNBdG
lXVLjth4x/uu1O4V54GLEhDAPQC8IUm5intL/Hx1M1x2ptN/+j5HD3XUXd3x13yi lXVLjth4x/uu1O4V54GLEhDAPQC8IUm5intL/Hx1M1x2ptN/+j5HD3XUXd3x13yi
s6u758nbA7ND40JNhGG5JNGQgDchL4IQzIhylMNC+bKUiyyMHz3MqoVAklIB86IW s6u758nbA7ND40JNhGG5JNGQgDchL4IQzIhylMNC+bKUiyyMHz3MqoVAklIB86IW
Ucv72Mekq+i46T/w3RnaGn4x7RAJctVJWw3e5YMrFnQcuuaGOs0QcoxW7Bi4W7Eg Ucv72Mekq+i46T/w3RnaGn4x7RAJctVJWw3e5YMrFnQcuuaGOs0QcoxW7Bi4W7Eg
8fK1fd/f6fjZ9w== 8fK1fd/f6fjZ9w==
-----END CERTIFICATE----- -----END CERTIFICATE-----
]]></artwork></figure> ]]></sourcecode>
<t>
<t> The end entity certificate is displayed below in detail. For
The end-entity certificate is displayed below in detail. For
brevity, the other two certificates are not.</t> brevity, the other two certificates are not.</t>
<sourcecode type=""><![CDATA[
<figure><artwork><![CDATA[
0 1110: SEQUENCE { 0 1110: SEQUENCE {
4 830: SEQUENCE { 4 830: SEQUENCE {
8 3: [0] { 8 3: [0] {
10 1: INTEGER 2 10 1: INTEGER 2
: } : }
13 20: INTEGER 13 20: INTEGER
: 27 AD 39 40 83 D7 F2 B5 B9 9B 86 70 C7 75 B2 B9 : 27 AD 39 40 83 D7 F2 B5 B9 9B 86 70 C7 75 B2 B9
: 6E E1 66 F0 : 6E E1 66 F0
35 13: SEQUENCE { 35 13: SEQUENCE {
37 9: OBJECT IDENTIFIER 37 9: OBJECT IDENTIFIER
skipping to change at line 1290 skipping to change at line 1194
: EE 15 E7 81 8B 12 10 C0 3D 00 BC 21 49 B9 8A 7B : EE 15 E7 81 8B 12 10 C0 3D 00 BC 21 49 B9 8A 7B
: 4B FC 7C 75 33 5C 76 A6 D3 7F FA 3E 47 0F 75 D4 : 4B FC 7C 75 33 5C 76 A6 D3 7F FA 3E 47 0F 75 D4
: 5D DD F1 D7 7C A2 B3 AB BB E7 C9 DB 03 B3 43 E3 : 5D DD F1 D7 7C A2 B3 AB BB E7 C9 DB 03 B3 43 E3
: 42 4D 84 61 B9 24 D1 90 80 37 21 2F 82 10 CC 88 : 42 4D 84 61 B9 24 D1 90 80 37 21 2F 82 10 CC 88
: 72 94 C3 42 F9 B2 94 8B 2C 8C 1F 3D CC AA 85 40 : 72 94 C3 42 F9 B2 94 8B 2C 8C 1F 3D CC AA 85 40
: 92 52 01 F3 A2 16 51 CB FB D8 C7 A4 AB E8 B8 E9 : 92 52 01 F3 A2 16 51 CB FB D8 C7 A4 AB E8 B8 E9
: 3F F0 DD 19 DA 1A 7E 31 ED 10 09 72 D5 49 5B 0D : 3F F0 DD 19 DA 1A 7E 31 ED 10 09 72 D5 49 5B 0D
: DE E5 83 2B 16 74 1C BA E6 86 3A CD 10 72 8C 56 : DE E5 83 2B 16 74 1C BA E6 86 3A CD 10 72 8C 56
: EC 18 B8 5B B1 20 F1 F2 B5 7D DF DF E9 F8 D9 F7 : EC 18 B8 5B B1 20 F1 F2 B5 7D DF DF E9 F8 D9 F7
: } : }
]]></artwork></figure> ]]></sourcecode>
<t>
<t> To allow reproduction of the signature results, the end entity
To allow reproduction of the signature results, the end-entity
private key is provided. For brevity, the other two private private key is provided. For brevity, the other two private
keys are not.</t> keys are not.</t>
<sourcecode type=""><![CDATA[
<figure><artwork><![CDATA[
-----BEGIN RSA PRIVATE KEY----- -----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAsnE0Kzm/6gdlt4tyovD4QPwxFsootk4BqPaYAsDvZbCESOmW MIIEpQIBAAKCAQEAsnE0Kzm/6gdlt4tyovD4QPwxFsootk4BqPaYAsDvZbCESOmW
/5Pmkollj/ZEnM5XEILTwlcK+toU0GQiKMATdAS9HCtP+ZNYpiXYuanTN57yrMDP /5Pmkollj/ZEnM5XEILTwlcK+toU0GQiKMATdAS9HCtP+ZNYpiXYuanTN57yrMDP
Ap6EddbwfKUBcK7mZq+caYV0bxPps7iVS4LtldbqZgV7lpaHsprnYellifhg48D1 Ap6EddbwfKUBcK7mZq+caYV0bxPps7iVS4LtldbqZgV7lpaHsprnYellifhg48D1
zt0YlwXowazhTV4WhS3tPMuAz36/0v7VyTgZu0M0KbZmzy2LRn6a2LuOZYhRaqj/ zt0YlwXowazhTV4WhS3tPMuAz36/0v7VyTgZu0M0KbZmzy2LRn6a2LuOZYhRaqj/
eFHi6SEn13d+gChs6kxQnHNxFvZeVBRNTBS5Z6BKIKraC6CgAbdCJDhRingvxIHm eFHi6SEn13d+gChs6kxQnHNxFvZeVBRNTBS5Z6BKIKraC6CgAbdCJDhRingvxIHm
gXVi3uOvXXQva0H7ecOoOnJsRvmmA3SBAd+M6wIDAQABAoIBAQCyB0FeMuKm8bRo gXVi3uOvXXQva0H7ecOoOnJsRvmmA3SBAd+M6wIDAQABAoIBAQCyB0FeMuKm8bRo
18aKjFGSPEoZi53srIz5bvUgIi92TBLez7ZnzL6Iym26oJ+5th+lCHGO/dqlhXio 18aKjFGSPEoZi53srIz5bvUgIi92TBLez7ZnzL6Iym26oJ+5th+lCHGO/dqlhXio
pI50C5Yc9TFbblb/ECOsuCuuqKFjZ8CD3GVsHozXKJeMM+/o5YZXQrORj6UnwT0z pI50C5Yc9TFbblb/ECOsuCuuqKFjZ8CD3GVsHozXKJeMM+/o5YZXQrORj6UnwT0z
ol/JE5pIGUCIgsXX6tz9s5BP3lUAvVQHsv6+vEVKLxQ3wj/1vIL8O/CN036EV0GJ ol/JE5pIGUCIgsXX6tz9s5BP3lUAvVQHsv6+vEVKLxQ3wj/1vIL8O/CN036EV0GJ
skipping to change at line 1325 skipping to change at line 1227
FGSli+3KxQhCNIJJfgWzq4bE0ioAMjdGbYXzIYQFAoGBAM6tuDJ36KDU+hIS6wu6 FGSli+3KxQhCNIJJfgWzq4bE0ioAMjdGbYXzIYQFAoGBAM6tuDJ36KDU+hIS6wu6
O2TPSfZhF/zPo3pCWQ78/QDb+Zdw4IEiqoBA7F4NPVLg9Y/H8UTx9r/veqe7hPOo O2TPSfZhF/zPo3pCWQ78/QDb+Zdw4IEiqoBA7F4NPVLg9Y/H8UTx9r/veqe7hPOo
Ok7NpIzSmKTHkc5XfZ60Zn9OLFoKbaQ40a1kXoJdWEu2YROaUlAe9F6/Rog6PHYz Ok7NpIzSmKTHkc5XfZ60Zn9OLFoKbaQ40a1kXoJdWEu2YROaUlAe9F6/Rog6PHYz
vLE5qscRbu0XQhLkN+z7bg5bAoGBAKDsbDEb/dbqbyaAYpmwhH2sdRSkphg7Niwc vLE5qscRbu0XQhLkN+z7bg5bAoGBAKDsbDEb/dbqbyaAYpmwhH2sdRSkphg7Niwc
DNm9qWa1J6Zw1+M87I6Q8naRREuU1IAVqqWHVLr/ROBQ6NTJ1Uc5/qFeT2XXUgkf DNm9qWa1J6Zw1+M87I6Q8naRREuU1IAVqqWHVLr/ROBQ6NTJ1Uc5/qFeT2XXUgkf
taMKv61tuyjZK3sTmznMh0HfzUpWjEhWnCEuB+ZYVdmO52ZGw2A75RdrILL2+9Dc taMKv61tuyjZK3sTmznMh0HfzUpWjEhWnCEuB+ZYVdmO52ZGw2A75RdrILL2+9Dc
PvDXVubRAoGAdqXeSWoLxuzZXzl8rsaKrQsTYaXnOWaZieU1SL5vVe8nK257UDqZ PvDXVubRAoGAdqXeSWoLxuzZXzl8rsaKrQsTYaXnOWaZieU1SL5vVe8nK257UDqZ
E3ng2j5XPTUWli+aNGFEJGRoNtcQvO60O/sFZUhu52sqq9mWVYZNh1TB5aP8X+pV E3ng2j5XPTUWli+aNGFEJGRoNtcQvO60O/sFZUhu52sqq9mWVYZNh1TB5aP8X+pV
iFcZOLUvQEcN6PA+YQK5FU11rAI1M0Gm5RDnVnUl0L2xfCYxb7FzV6Y= iFcZOLUvQEcN6PA+YQK5FU11rAI1M0Gm5RDnVnUl0L2xfCYxb7FzV6Y=
-----END RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----
]]></artwork></figure> ]]></sourcecode>
<t>
<t> The signing of "192.0.2.0/24,US,WA,Seattle," (terminated by CR and LF)
Signing of "192.0.2.0/24,US,WA,Seattle," (terminated by CR and LF),
yields the following detached CMS signature.</t> yields the following detached CMS signature.</t>
<sourcecode><![CDATA[
<figure><artwork><![CDATA[
# RPKI Signature: 192.0.2.0/24 # RPKI Signature: 192.0.2.0/24
# MIIGQAYJKoZIhvcNAQcCoIIGMTCCBi0CAQMxDTALBglghkgBZQMEAgEwDQYLKoZ # MIIGQAYJKoZIhvcNAQcCoIIGMTCCBi0CAQMxDTALBglghkgBZQMEAgEwDQYLKoZ
# IhvcNAQkQAS+gggRaMIIEVjCCAz6gAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZv # IhvcNAQkQAS+gggRaMIIEVjCCAz6gAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZv
# AwDQYJKoZIhvcNAQELBQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExR # AwDQYJKoZIhvcNAQELBQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExR
# TNFMTg0RUZDMUUyOTdCMzc3ODY0MjAeFw0yMzA5MjMxNTU1MzhaFw0yNDA3MTkx # TNFMTg0RUZDMUUyOTdCMzc3ODY0MjAeFw0yMzA5MjMxNTU1MzhaFw0yNDA3MTkx
# NTU1MzhaMDMxMTAvBgNVBAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM # NTU1MzhaMDMxMTAvBgNVBAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM
# 0NUFCRjA1M0ExODcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycT # 0NUFCRjA1M0ExODcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycT
# QrOb/qB2W3i3Ki8PhA/DEWyii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQg # QrOb/qB2W3i3Ki8PhA/DEWyii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQg
# tPCVwr62hTQZCIowBN0BL0cK0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZm # tPCVwr62hTQZCIowBN0BL0cK0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZm
# r5xphXRvE+mzuJVLgu2V1upmBXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXha # r5xphXRvE+mzuJVLgu2V1upmBXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXha
skipping to change at line 1368 skipping to change at line 1268
# mAgEDgBSRRlKjvVHBRCYBmIifXEWr8FOhhzALBglghkgBZQMEAgGgazAaBgkqhk # mAgEDgBSRRlKjvVHBRCYBmIifXEWr8FOhhzALBglghkgBZQMEAgGgazAaBgkqhk
# iG9w0BCQMxDQYLKoZIhvcNAQkQAS8wHAYJKoZIhvcNAQkFMQ8XDTIzMDkyMzE1N # iG9w0BCQMxDQYLKoZIhvcNAQkQAS8wHAYJKoZIhvcNAQkFMQ8XDTIzMDkyMzE1N
# TUzOFowLwYJKoZIhvcNAQkEMSIEICvi8p5S8ckg2wTRhDBQzGijjyqs5T6I+4Vt # TUzOFowLwYJKoZIhvcNAQkEMSIEICvi8p5S8ckg2wTRhDBQzGijjyqs5T6I+4Vt
# BHypfcEWMA0GCSqGSIb3DQEBAQUABIIBAKZND7pKdVdfpB6zaJN89wTt+sXd0io # BHypfcEWMA0GCSqGSIb3DQEBAQUABIIBAKZND7pKdVdfpB6zaJN89wTt+sXd0io
# 0WULMc+o6gRJFt3wmKNW2nYPrDbocJ+Q/rDMGxbp4QetJ0MQtn1+AYAS8v5jPDO # 0WULMc+o6gRJFt3wmKNW2nYPrDbocJ+Q/rDMGxbp4QetJ0MQtn1+AYAS8v5jPDO
# 4a63U4/mJ2D3wSnQsDP0lUVknqRzfnS66HgHqiOVdHB0U+OnMEJuqHNTLx0dknb # 4a63U4/mJ2D3wSnQsDP0lUVknqRzfnS66HgHqiOVdHB0U+OnMEJuqHNTLx0dknb
# L3zwxyDJTHdo+dMB0U9xdcjwpsPM3xqg57EXj5EIQK5JbardXCjrsysAnEdktUY # L3zwxyDJTHdo+dMB0U9xdcjwpsPM3xqg57EXj5EIQK5JbardXCjrsysAnEdktUY
# oyayGNbbQelANYJcOmuHhSXArR+qqzvNP2MDRqqKEcpd65YW6FSnqlVMIBH2M3P # oyayGNbbQelANYJcOmuHhSXArR+qqzvNP2MDRqqKEcpd65YW6FSnqlVMIBH2M3P
# D2F0p3sdm4IeGAZWaERVB4AXO1PUFDNdhamr4XpIwqIoAig7xiLm7j8qu5Oc= # D2F0p3sdm4IeGAZWaERVB4AXO1PUFDNdhamr4XpIwqIoAig7xiLm7j8qu5Oc=
# End Signature: 192.0.2.0/24 # End Signature: 192.0.2.0/24
]]></artwork></figure> ]]></sourcecode>
</section>
<section anchor="acks" numbered="false">
<name>Acknowledgments</name>
<t>Thanks to <contact fullname="Rob Austein"/> for the CMS and detached
signature clue, <contact fullname="George Michaelson"/> for the first
and substantial external review, and <contact fullname="Erik Kline"/>
who was too shy to agree to coauthorship. Additionally, we express our
gratitude to early implementors, including <contact fullname="Menno
Schepers"/>, <contact fullname="Flavio Luciani"/>, <contact
fullname="Eric Dugas"/>, and <contact fullname="Kevin Pack"/>. Also,
thanks to the following geolocation providers who are consuming geofeeds
with this described solution: <contact fullname="Jonathan Kosgei
(ipdata.co)"/>, <contact fullname="Ben Dowling"/> (ipinfo.io), and
<contact fullname="Pol Nisenblat"/> (bigdatacloud.com). For an amazing
number of helpful reviews, we thank <contact fullname="Job Snijders"/>,
who also found an ASN.1 'inherit' issue, <contact fullname="Adrian
Farrel"/>, <contact fullname="Antonio Prado"/>, <contact
fullname="Francesca Palombini"/>, <contact fullname="Jean-Michel Combes
(INTDIR)"/>, <contact fullname="John Scudder"/>, <contact fullname="Kyle
Rose (SECDIR)"/>, <contact fullname="Martin Duke"/>, <contact
fullname="Mohamed Boucadair"/>, <contact fullname="Murray Kucherawy"/>,
<contact fullname="Paul Kyzivat (GENART)"/>, <contact fullname="Rob
Wilton"/>, <contact fullname="Roman Danyliw"/>, and <contact fullname="Tie
s de Kock"/>.</t>
</section>
</back>
</section> <!--[rfced]
</back> Additionally, the expanded phrase "end-entity certificate" is used
</rfc> throughout Appendix A after this abbreviation is introduced. Would you
like to change them to "EE certificate"?
-->
</rfc>
 End of changes. 190 change blocks. 
459 lines changed or deleted 454 lines changed or added

This html diff was produced by rfcdiff 1.48.