Internet-Draft rdap-rpki October 2024
Singh & Newton Expires 12 April 2025 [Page]
Workgroup:
Registration Protocols Extensions (regext)
Internet-Draft:
draft-jasdips-regext-rdap-rpki-00
Published:
Intended Status:
Standards Track
Expires:
Authors:
J. Singh
ARIN
A. Newton
ICANN

An RDAP Extension for RPKI Registration Data

Abstract

The Resource Public Key Infrastructure (RPKI) is used to secure inter-domain routing on the internet. This document defines a new Registration Data Access Protocol (RDAP) extension, "rpki1", for accessing the RPKI registration data in the Internet Number Registry System (INRS) through RDAP. The Internet Number Registry System (INRS) is composed of Regional Internet Registries (RIRs), National Internet Registries (NIRs), and Local Internet Registries (LIRs).

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 12 April 2025.

Table of Contents

1. Introduction

The network operators are increasingly deploying the Resource Public Key Infrastructure (RPKI, [RFC6480]) to secure inter-domain routing ([RFC4271]) on the internet. RPKI enables Internet Number Resource (INR) holders to cryptographically assert about their registered IP addresses and autonomous system numbers to prevent route hijacks and leaks. To that end, RPKI defines the following cryptographic profiles:

This document defines a new RDAP extension, "rpki1", for accessing the RPKI registration data within the Internet Number Registry System (INRS) for aforementioned RPKI profiles through RDAP. The Internet Number Registry System (INRS) is composed of Regional Internet Registries (RIRs), National Internet Registries (NIRs), and Local Internet Registries (LIRs).

The motivation here is that such RDAP data could complement the existing RPKI diagnostic tools when troubleshooting a route hijack or leak, by conveniently providing access to registration information from a registry's database beside what is inherently available from an RPKI profile object. There is registration metadata that is often needed for troubleshooting that does not appear in, say, a ROA or a VRP (Verified ROA Payload); such as:

Furthermore, correlating registered RPKI data with registered IP networks and autonomous system numbers would also give access to the latter's contact information through RDAP entity objects, which should aid troubleshooting.

In addition to troubleshooting, serving RPKI meta-data over RDAP offers a convenience to network operators through a simple lookup mechanism. As is demonstrated in [RDAP-GUIDE], constructing custom RDAP scripts is relatively easy and beneficial to network operators for the purposes of reporting. Though not RDAP-based, systems such as [JDR] and [CLOUDFLARE] have shown the utility of an approach that allows users to explore the RPKI hierarchy in a visual fashion, without interacting with the signed objects directly.

For these purposes, this specification defines RDAP object classes, as well as lookup and search path segments, for the ROA, ASPA, and X.509 resource certificate registration data.

1.1. Requirements Language

The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [BCP14] when, and only when, they appear in all capitals, as shown here.

Indentation and whitespace in examples are provided only to illustrate element relationships, and are not a REQUIRED feature of this protocol.

"..." in examples is used as shorthand for elements defined outside of this document.

2. Common Data Members

The RDAP object classes for RPKI (Section 3.1, Section 4.1, Section 5.1) can contain one or more of the following common members:

3. Route Origin Authorization

3.1. Object Class

The Route Origin Authorization (ROA) object class can contain the following members:

  • "objectClassName" -- the string "rpki1_roa"
  • "handle" -- see Section 2
  • "name" -- see Section 2
  • "roaIpAddresses" -- an array of objects representing CIDR address blocks within a ROA; such an object can contain the following members:

    • "startAddress" -- a string representing the start IP address (a.k.a. CIDR prefix) of a CIDR address block, either IPv4 or IPv6 (Section 4 of [RFC9582])
    • "prefixLength" -- a number representing the prefix length (a.k.a. CIDR length) of a CIDR address block; up to 32 for IPv4 and up to 128 for IPv6 (Section 4 of [RFC9582])
    • "ipVersion" -- a string signifying the IP protocol version of a CIDR address block: "v4" for IPv4 and "v6" for IPv6 (Section 4 of [RFC9582])
    • "maxLength" -- a number representing the maximum prefix length of a CIDR address block that the origin AS is authorized to advertise; up to 32 for IPv4 and up to 128 for IPv6 (Section 4 of [RFC9582])
  • "originAutnum" -- an unsigned 32-bit integer representing the origin autonomous system number (Section 4 of [RFC9582])
  • "notValidBefore" -- see Section 2
  • "notValidAfter" -- see Section 2
  • "autoRenewed" -- see Section 2
  • "publicationUri" -- see Section 2
  • "entities" -- see Section 2
  • "rpkiType" -- see Section 2
  • "events" -- see Section 4.5 of [RFC9083]
  • "links" -- "self" link, and "related" links for IP network and IRR (when defined) objects (Section 4.2 of [RFC9083])
  • "remarks" -- see Section 4.3 of [RFC9083]

Here is an elided example of a ROA object:

{
  "objectClassName": "rpki1_roa",
  "handle": "XXXX",
  "name": "ROA-1",
  "roaIpAddresses":
  [
    {
      "startAddress": "2001:db8::",
      "prefixLength": 48,
      "ipVersion": "v6",
      "maxLength": 64
    },
    ...
  ],
  "originAutnum": 65536,
  "notValidBefore": "2024-04-27T23:59:59Z",
  "notValidAfter": "2025-04-27T23:59:59Z",
  "autoRenewed": true,
  "publicationUri": "rsync://example.net/path/to/XXXX.roa",
  "entities":
  [
    {
      "objectClassName": "entity",
      "handle": "XYZ-RIR",
      ...
    },
    ...
  ],
  "rpkiType": "hosted",
  "events":
  [
    {
      "eventAction": "registration",
      "eventDate": "2024-01-01T23:59:59Z"
    },
    ...
  ],
  "links":
  [
    {
      "value": "https://example.net/rdap/rpki1/roa/XXXX",
      "rel": "self",
      "href": "https://example.net/rdap/rpki1/roa/XXXX",
      "type": "application/rdap+json"
    },
    {
      "value": "https://example.net/rdap/rpki1/roa/XXXX",
      "rel": "related",
      "href": "https://example.net/rdap/ip/2001:db8::/48",
      "type": "application/rdap+json"
    },
    ...
  ],
  "remarks":
  [
    {
      "description": [ "A ROA object in RDAP" ]
    }
  ]
}

3.2. Lookup

The resource type path segment for exact or closest match lookup of a ROA object is "rpki1/roa".

The following lookup path segments are defined for a ROA object:

Syntax: rpki1/roa/<handle>

Syntax: rpki1/roa/<IP address>

Syntax: rpki1/roa/<CIDR prefix>/<CIDR length>

A lookup query for ROA information by handle is specified using this form:

rpki1/roa/XXXX

XXXX is a string representing the "handle" property of a ROA, as described in Section 3.1. The following URL would be used to find information for a ROA that exactly matches the "8a848ab0729f0f4f0173ba2013bc5eb3" handle:

https://example.net/rdap/rpki1/roa/8a848ab0729f0f4f0173ba2013bc5eb3

A lookup query for ROA information by IP address is specified using this form:

rpki1/roa/YYYY

YYYY is a string representing an IPv4 or IPv6 address. The following URL would be used to find information for a ROA that completely encompasses the "192.0.2.0" IP address:

https://example.net/rdap/rpki1/roa/192.0.2.0

A lookup query for ROA information by CIDR is specified using this form:

rpki1/roa/YYYY/ZZZZ

YYYY is an IP address representing the "startAddress" property of a CIDR address block within a ROA and ZZZZ is a CIDR length representing its "prefixLength" property, as described in Section 3.1. The following URL would be used to find information for the most-specific ROA matching the "2001:db8::/64" CIDR:

https://example.net/rdap/rpki1/roa/2001%3Adb8%3A%3A%2F64

In the "links" array of a ROA object, the context URI ("value" member) of each link should be the lookup URL by its handle, and if that's not available, then the lookup URL by one of its IP addresses.

3.5. Relationship with IP Network Object Class

It would be useful to show all the ROAs associated with an IP network object. To that end, this extension adds a new "rpki1_roas" member to the IP Network object class (Section 5.4 of [RFC9083]):

  • "rpki1_roas" -- an array of ROA objects (Section 3.1) associated with an IP network object; if the array is too large, the server MAY truncate it, per Section 9 of [RFC9083]

Here is an elided example for an IP network object with ROAs:

{
  "objectClassName": "ip network",
  "handle": "ZZZZ-RIR",
  "startAddress": "2001:db8::",
  "endAddress": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
  "ipVersion": "v6",
  ...
  "rpki1_roas":
  [
    {
      "objectClassName": "rpki1_roa",
      "handle": "XXXX",
      "name": "ROA-1",
      "roaIpAddresses":
      [
        {
          "startAddress": "2001:db8::",
          "prefixLength": 48,
          "ipVersion": "v6",
          "maxLength": 64
        },
        ...
      ],
      "originAutnum": 65536,
      "notValidBefore": "2024-04-27T23:59:59Z",
      "notValidAfter": "2025-04-27T23:59:59Z",
      "autoRenewed": true,
      "publicationUri": "rsync://example.net/path/to/XXXX.roa",
      "entities":
      [
        {
          "objectClassName": "entity",
          "handle": "XYZ-RIR",
          ...
        },
        ...
      ],
      "rpkiType": "hosted",
      "events":
      [
        {
          "eventAction": "registration",
          "eventDate": "2024-01-01T23:59:59Z"
        },
        ...
      ],
      "links":
      [
        {
          "value": "https://example.net/rdap/rpki1/roa/XXXX",
          "rel": "self",
          "href": "https://example.net/rdap/rpki1/roa/XXXX",
          "type": "application/rdap+json"
        },
        {
          "value": "https://example.net/rdap/rpki1/roa/XXXX",
          "rel": "related",
          "href": "https://example.net/rdap/ip/2001:db8::/48",
          "type": "application/rdap+json"
        },
        ...
      ]
    },
    {
      "objectClassName": "rpki1_roa",
      "handle": "YYYY",
      "name": "ROA-2",
      "roaIpAddresses":
      [
        {
          "startAddress": "2001:db8:1::",
          "prefixLength": 48,
          "ipVersion": "v6",
          "maxLength": 64
        },
        ...
      ],
      "originAutnum": 65537,
      "notValidBefore": "2024-04-27T23:59:59Z",
      "notValidAfter": "2025-04-27T23:59:59Z",
      "autoRenewed": false,
      "publicationUri": "rsync://example.net/path/to/YYYY.roa",
      "entities":
      [
        {
          "objectClassName": "entity",
          "handle": "XYZ-RIR",
          ...
        },
        ...
      ],
      "rpkiType": "hosted",
      "events":
      [
        {
          "eventAction": "registration",
          "eventDate": "2024-01-01T23:59:59Z"
        },
        ...
      ],
      "links":
      [
        {
          "value": "https://example.net/rdap/rpki1/roa/YYYY",
          "rel": "self",
          "href": "https://example.net/rdap/rpki1/roa/YYYY",
          "type": "application/rdap+json"
        },
        {
          "value": "https://example.net/rdap/rpki1/roa/YYYY",
          "rel": "related",
          "href": "https://example.net/rdap/ip/2001:db8:1::/48",
          "type": "application/rdap+json"
        },
        ...
      ]
    },
    ...
  ]
}

4. Autonomous System Provider Authorization

4.1. Object Class

The Autonomous System Provider Authorization (ASPA) object class can contain the following members:

Here is an elided example of an ASPA object:

{
  "objectClassName": "rpki1_aspa",
  "handle": "XXXX",
  "name": "ASPA-1",
  "autnum": 65536,
  "providerAutnums":
  [
    65542,
    ...
  ],
  "notValidBefore": "2024-04-27T23:59:59Z",
  "notValidAfter": "2025-04-27T23:59:59Z",
  "autoRenewed": true,
  "publicationUri": "rsync://example.net/path/to/XXXX.aspa",
  "entities":
  [
    {
      "objectClassName": "entity",
      "handle": "XYZ-RIR",
      ...
    },
    ...
  ],
  "rpkiType": "hosted",
  "events":
  [
    {
      "eventAction": "registration",
      "eventDate": "2024-01-01T23:59:59Z"
    },
    ...
  ],
  "links":
  [
    {
      "value": "https://example.net/rdap/rpki1/aspa/XXXX",
      "rel": "self",
      "href": "https://example.net/rdap/rpki1/aspa/XXXX",
      "type": "application/rdap+json"
    },
    {
      "value": "https://example.net/rdap/rpki1/aspa/XXXX",
      "rel": "related",
      "href": "https://example.net/rdap/autnum/65536",
      "type": "application/rdap+json"
    },
    ...
  ],
  "remarks":
  [
    {
      "description": [ "An ASPA object in RDAP" ]
    }
  ]
}

4.2. Lookup

The resource type path segment for exact match lookup of an ASPA object is "rpki1/aspa".

The following lookup path segments are defined for an ASPA object:

Syntax: rpki1/aspa/<handle>

Syntax: rpki1/aspa/<autonomous system number>

A lookup query for ASPA information by handle is specified using this form:

rpki1/aspa/XXXX

XXXX is a string representing the "handle" property of an ASPA, as described in Section 4.1. The following URL would be used to find information for an ASPA that exactly matches the "47ab80ed8693f25d0187d93a07db4484" handle:

https://example.net/rdap/rpki1/aspa/47ab80ed8693f25d0187d93a07db4484

A lookup query for ASPA information by autonomous system number is specified using this form:

rpki1/aspa/YYYY

YYYY is an autonomous system number representing the "autnum" property of an ASPA, as described in Section 4.1. The following URL would be used to find information for an ASPA with autonomous system number 65536:

https://example.net/rdap/rpki1/aspa/65536

In the "links" array of an ASPA object, the context URI ("value" member) of each link should be the lookup URL by its handle, and if that's not available, then the lookup URL by its autonomous system number.

4.3. Search

The resource type path segment for searching ASPA objects is "rpki1/aspas".

The following search path segments are defined for ASPA objects:

Syntax: rpki1/aspas?name=<name search pattern>

Syntax: rpki1/aspas?providerAutnum=<autonomous system number>

Searches for ASPA information by name are specified using this form:

rpki1/aspas?name=XXXX

XXXX is a search pattern per Section 4.1 of [RFC9082], representing the "name" property of an ASPA, as described in Section 4.1. The following URL would be used to find information for ASPA names matching the "ASPA-*" pattern:

https://example.net/rdap/rpki1/aspas?name=ASPA-*

Searches for ASPA information by provider autonomous system number are specified using this form:

rpki1/aspas?providerAutnum=YYYY

YYYY is an autonomous system number within the "providerAutnums" property of an ASPA, as described in Section 4.1. The following URL would be used to find information for ASPAs with provider autonomous system number 65542:

https://example.net/rdap/rpki1/aspas?providerAutnum=65542

4.3.1. Search Results

The ASPA search results are returned in the "rpki1_aspaSearchResults" member, which is an array of ASPA objects (Section 4.1).

Here is an elided example of the search results when finding information for ASPAs with provider autonomous system number 65542:

{
  "rdapConformance":
  [
    "rdap_level_0",
    "rpki1",
    ...
  ],
  ...
  "rpki1_aspaSearchResults":
  [
    {
      "objectClassName": "rpki1_aspa",
      "handle": "XXXX",
      "name": "ASPA-1",
      "autnum": 65536,
      "providerAutnums":
      [
        65542,
        ...
      ],
      "notValidBefore": "2024-04-27T23:59:59Z",
      "notValidAfter": "2025-04-27T23:59:59Z",
      "autoRenewed": true,
      "publicationUri": "rsync://example.net/path/to/XXXX.aspa",
      "entities":
      [
        {
          "objectClassName": "entity",
          "handle": "XYZ-RIR",
          ...
        },
        ...
      ],
      "rpkiType": "hosted",
      "events":
      [
        {
          "eventAction": "registration",
          "eventDate": "2024-01-01T23:59:59Z"
        },
        ...
      ],
      "links":
      [
        {
          "value": "https://example.net/rdap/rpki1/aspa/XXXX",
          "rel": "self",
          "href": "https://example.net/rdap/rpki1/aspa/XXXX",
          "type": "application/rdap+json"
        },
        {
          "value": "https://example.net/rdap/rpki1/aspa/XXXX",
          "rel": "related",
          "href": "https://example.net/rdap/autnum/65536",
          "type": "application/rdap+json"
        },
        ...
      ],
      ...
    },
    ...
  ]
}

4.4. Reverse Search

Per Section 2 of [RFC9536], if a server receives a reverse search query with a searchable resource type of "autnums" (Section 5 of [I-D.ietf-regext-rdap-rir-search]), a related resource type of "rpki1_aspa", and an ASPA property of "autnum" or "providerAutnum", then the reverse search will be performed on the autonomous system number objects from its data store.

Section 8.2 and Section 8.3 include registration of entries for autonomous system number searches in the RDAP Reverse Search and RDAP Reverse Search Mapping IANA registries when the related resource type is "rpki1_aspa".

4.5. Relationship with Autonomous System Number Object Class

It would be useful to show all the ASPAs associated with an autonomous system number object. To that end, this extension adds a new "rpki1_aspas" member to the Autonomous System Number object class (Section 5.5 of [RFC9083]):

  • "rpki1_aspas" -- an array of ASPA objects (Section 4.1) for the autonomous system number range in the autonomous system number object; if the array is too large, the server MAY truncate it, per Section 9 of [RFC9083]

Here is an elided example for an autonomous system number object with ASPAs:

{
  "objectClassName": "autnum",
  "handle": "ZZZZ-RIR",
  "startAutnum": 65536,
  "endAutnum": 65541,
  ...
  "rpki1_aspas":
  [
    {
      "objectClassName": "rpki1_aspa",
      "handle": "XXXX",
      "name": "ASPA-1",
      "autnum": 65536,
      "providerAutnums":
      [
        65542,
        ...
      ],
      "notValidBefore": "2024-04-27T23:59:59Z",
      "notValidAfter": "2025-04-27T23:59:59Z",
      "autoRenewed": true,
      "publicationUri": "rsync://example.net/path/to/XXXX.aspa",
      "entities":
      [
        {
          "objectClassName": "entity",
          "handle": "XYZ-RIR",
          ...
        },
        ...
      ],
      "rpkiType": "hosted",
      "events":
      [
        {
          "eventAction": "registration",
          "eventDate": "2024-01-01T23:59:59Z"
        },
        ...
      ],
      "links":
      [
        {
          "value": "https://example.net/rdap/rpki1/aspa/XXXX",
          "rel": "self",
          "href": "https://example.net/rdap/rpki1/aspa/XXXX",
          "type": "application/rdap+json"
        },
        {
          "value": "https://example.net/rdap/rpki1/aspa/XXXX",
          "rel": "related",
          "href": "https://example.net/rdap/autnum/65536",
          "type": "application/rdap+json"
        },
        ...
      ],
      ...
    },
    {
      "objectClassName": "rpki1_aspa",
      "handle": "YYYY",
      "name": "ASPA-2",
      "autnum": 65537,
      "providerAutnums":
      [
        65543,
        ...
      ],
      "notValidBefore": "2024-04-27T23:59:59Z",
      "notValidAfter": "2025-04-27T23:59:59Z",
      "autoRenewed": false,
      "publicationUri": "rsync://example.net/path/to/YYYY.aspa",
      "entities":
      [
        {
          "objectClassName": "entity",
          "handle": "XYZ-RIR",
          ...
        },
        ...
      ],
      "rpkiType": "hosted",
      "events":
      [
        {
          "eventAction": "registration",
          "eventDate": "2024-01-01T23:59:59Z"
        },
        ...
      ],
      "links":
      [
        {
          "value": "https://example.net/rdap/rpki1/aspa/YYYY",
          "rel": "self",
          "href": "https://example.net/rdap/rpki1/aspa/YYYY",
          "type": "application/rdap+json"
        },
        {
          "value": "https://example.net/rdap/rpki1/aspa/YYYY",
          "rel": "related",
          "href": "https://example.net/rdap/autnum/65537",
          "type": "application/rdap+json"
        },
        ...
      ],
      ...
    },
    ...
  ]
}

5. X.509 Resource Certificate

5.1. Object Class

The X.509 resource certificate object class can contain the following members:

  • "objectClassName" -- the string "rpki1_x509_resource_cert"
  • "handle" -- see Section 2
  • "serialNumber" -- a string representing the unique identifier for the certificate (Section 4.2 of [RFC6487])
  • "issuer" -- a string representing the CA that issued the certificate (Section 4.4 of [RFC6487])
  • "signatureAlgorithm" -- a string representing the algorithm used by the CA to sign the certificate (Section 4.3 of [RFC6487])
  • "subject" -- a string representing the identity of the subject the certificate is issued to (Section 4.5 of [RFC6487])
  • "subjectPublicKeyInfo" -- an object representing the subject's public key information (Section 4.7 of [RFC6487]), with the following members:

    • "publicKeyAlgorithm" -- a string representing the algorithm for the public key
    • "publicKey" -- a string representation of the public key
  • "subjectKeyIdentifier" -- a string, typically Base64-encoded, representing the unique identifier for the public key (Section 4.8.2 of [RFC6487])
  • "ips" -- an array of strings, each representing an IPv4 or IPv6 CIDR address block with the "<CIDR prefix>/<CIDR length>" format (Section 4.8.10 of [RFC6487])
  • "autnums" -- an array of unsigned 32-bit integers, each representing an autonomous system number (Section 4.8.11 of [RFC6487])
  • "notValidBefore" -- see Section 2
  • "notValidAfter" -- see Section 2
  • "autoRenewed" -- see Section 2
  • "publicationUri" -- see Section 2
  • "entities" -- see Section 2
  • "rpkiType" -- see Section 2
  • "events" -- see Section 4.5 of [RFC9083]
  • "links" -- "self" link, and "related" links for IP network and/or autonomous system number objects (Section 4.2 of [RFC9083])
  • "remarks" -- see Section 4.3 of [RFC9083]

Here is an elided example of an X.509 resource certificate object -- specifically, a BGPSec router certificate ([RFC8209]) where an ASN(s) holder cryptographically asserts that a router holding the corresponding private key is authorized to emit secure route advertisements on behalf of the AS(es) specified in the certificate:

{
  "objectClassName": "rpki1_x509_resource_cert",
  "handle": "ABCD",
  "serialNumber": "1234",
  "issuer": "CN=ISP-CA",
  "signatureAlgorithm": "ecdsa-with-SHA256",
  "subject": "CN=BGPSEC-ROUTER",
  "subjectPublicKeyInfo":
  {
    "publicKeyAlgorithm": "id-ecPublicKey",
    "publicKey": "..."
  },
  "subjectKeyIdentifier": "hOcGgxqXDa7mYv78fR+sGBKMtWJqItSLfaIYJDKYi8A=",
  "autnums":
  [
    65536,
    65537
  ],
  "notValidBefore": "2024-04-27T23:59:59Z",
  "notValidAfter": "2025-04-27T23:59:59Z",
  "publicationUri": "rsync://example.net/path/to/ABCD.cer",
  "entities":
  [
    {
      "objectClassName": "entity",
      "handle": "XYZ-RIR",
      ...
    },
    ...
  ],
  "rpkiType": "hosted",
  "events":
  [
    {
      "eventAction": "registration",
      "eventDate": "2024-01-01T23:59:59Z"
    },
    ...
  ],
  "links":
  [
    {
      "value": "https://example.net/rdap/rpki1/x509_resource_cert/ABCD",
      "rel": "self",
      "href": "https://example.net/rdap/rpki1/x509_resource_cert/ABCD",
      "type": "application/rdap+json"
    },
    {
      "value": "https://example.net/rdap/rpki1/x509_resource_cert/ABCD",
      "rel": "related",
      "href": "https://example.net/rdap/autnum/65536",
      "type": "application/rdap+json"
    },
    {
      "value": "https://example.net/rdap/rpki1/x509_resource_cert/ABCD",
      "rel": "related",
      "href": "https://example.net/rdap/autnum/65537",
      "type": "application/rdap+json"
    },
    ...
  ],
  "remarks":
  [
    {
      "description": [ "An X.509 resource certificate object in RDAP" ]
    }
  ]
}

5.2. Lookup

The resource type path segment for exact match lookup of an X.509 resource certificate object is "rpki1/x509_resource_cert".

The following lookup path segment is defined for an X.509 resource certificate object:

Syntax: rpki1/x509_resource_cert/<handle>

For example:

https://example.net/rdap/rpki1/x509_resource_cert/ABCD

5.3. Search

The resource type path segment for searching X.509 resource certificate objects is "rpki1/x509_resource_certs".

The following search path segments are defined for X.509 resource certificate objects:

Syntax: rpki1/x509_resource_certs?handle=<handle search pattern>

Syntax: rpki1/x509_resource_certs?issuer=<issuer search pattern>

Syntax: rpki1/x509_resource_certs?subject=<subject search pattern>

Syntax: rpki1/x509_resource_certs?subjectKeyIdentifier=<subject key identifier>

Syntax: rpki1/x509_resource_certs?ip=<IP address>

Syntax: rpki1/x509_resource_certs?cidr=<CIDR>

Syntax: rpki1/x509_resource_certs?autnum=<autonomous system number>

Searches for X.509 resource certificate information by handle are specified using this form:

rpki1/x509_resource_certs?handle=XXXX

XXXX is a search pattern per Section 4.1 of [RFC9082], representing the "handle" property of an X.509 resource certificate object, as described in Section 5.1. The following URL would be used to find information for X.509 resource certificate objects with handle matching the "ABC*" pattern:

https://example.net/rdap/rpki1/x509_resource_certs?handle=ABC*

Searches for X.509 resource certificate information by certificate issuer are specified using this form:

rpki1/x509_resource_certs?issuer=YYYY

YYYY is a search pattern per Section 4.1 of [RFC9082], representing the "issuer" property of an X.509 resource certificate object, as described in Section 5.1. The following URL would be used to find information for X.509 resource certificate objects with issuer matching the "CN=ISP-*" pattern:

https://example.net/rdap/rpki1/x509_resource_certs?issuer=CN%3DISP-*

Searches for X.509 resource certificate information by certificate subject are specified using this form:

rpki1/x509_resource_certs?subject=ZZZZ

ZZZZ is a search pattern per Section 4.1 of [RFC9082], representing the "subject" property of an X.509 resource Certificate object, as described in Section 5.1. The following URL would be used to find information for X.509 resource certificate objects with subject matching the "CN=BGPSEC-ROUTE*" pattern:

https://example.net/rdap/rpki1/x509_resource_certs?subject=CN%3DBGPSEC-ROUTE*

Searches for X.509 resource certificate information by subject key identifier are specified using this form:

rpki1/x509_resource_certs?subjectKeyIdentifier=BBBB

BBBB is a string representing the "subjectKeyIdentifier" property of an X.509 resource certificate object, as described in Section 5.1. The following URL would be used to find an X.509 resource certificate object with subject key identifier matching the "hOcGgxqXDa7mYv78fR+sGBKMtWJqItSLfaIYJDKYi8A=" string:

https://example.net/rdap/rpki1/x509_resource_certs?subjectKeyIdentifier=hOcGgxqXDa7mYv78fR+sGBKMtWJqItSLfaIYJDKYi8A=

Searches for X.509 resource certificate information by an IP address are specified using this form:

rpki1/x509_resource_certs?ip=CCCC

CCCC is a string representing an IPv4 or IPv6 address. The following URL would be used to find information for X.509 resource certificate objects with the "ips" member encompassing the "192.0.2.0" IP address:

https://example.net/rdap/rpki1/x509_resource_certs?ip=192.0.2.0

Similarly, for the "2001:db8::" IP address:

https://example.net/rdap/rpki1/x509_resource_certs?ip=2001%3Adb8%3A%3A

Searches for X.509 resource certificate information by a CIDR are specified using this form:

rpki1/x509_resource_certs?cidr=CCCC/DDDD

"CCCC/DDDD" is a string representing an IPv4 or IPv6 CIDR, with CCCC as the CIDR prefix and DDDD as the CIDR length. The following URL would be used to find information for X.509 resource certificate objects with the "ips" member encompassing the "192.0.2.0/25" CIDR:

https://example.net/rdap/rpki1/x509_resource_certs?cidr=192.0.2.0%2F25

Similarly, for the "2001:db8::/64" CIDR:

https://example.net/rdap/rpki1/x509_resource_certs?cidr=2001%3Adb8%3A%3A%2F64

Searches for X.509 resource certificate information by an autonomous system number are specified using this form:

rpki1/x509_resource_certs?autnum=EEEE

EEEE is an autonomous system number within the "autnums" property of an X.509 resource certificate object, as described in Section 5.1. The following URL would be used to find information for X.509 resource certificate objects with the "autnums" member including autonomous system number 65536:

https://example.net/rdap/rpki1/x509_resource_certs?autnum=65536

5.3.1. Search Results

The X.509 resource certificate search results are returned in the "rpki1_x509ResourceCertSearchResults" member, which is an array of X.509 resource certificate objects (Section 5.1).

Here is an elided example of the search results when finding information for X.509 resource certificate objects with issuer matching the "CN=ISP-*" pattern:

{
  "rdapConformance":
  [
    "rdap_level_0",
    "rpki1",
    ...
  ],
  ...
  "rpki1_x509ResourceCertSearchResults":
  [
    {
      "objectClassName": "rpki1_x509_resource_cert",
      "handle": "ABCD",
      "serialNumber": "1234",
      "issuer": "CN=ISP-CA",
      "signatureAlgorithm": "ecdsa-with-SHA256",
      "subject": "CN=BGPSEC-ROUTER",
      "subjectPublicKeyInfo":
      {
        "publicKeyAlgorithm": "id-ecPublicKey",
        "publicKey": "..."
      },
      "subjectKeyIdentifier": "hOcGgxqXDa7mYv78fR+sGBKMtWJqItSLfaIYJDKYi8A=",
      "autnums":
      [
        65536,
        65537
      ],
      "notValidBefore": "2024-04-27T23:59:59Z",
      "notValidAfter": "2025-04-27T23:59:59Z",
      "publicationUri": "rsync://example.net/path/to/ABCD.cer",
      "entities":
      [
        {
          "objectClassName": "entity",
          "handle": "XYZ-RIR",
          ...
        },
        ...
      ],
      "rpkiType": "hosted",
      "events":
      [
        {
          "eventAction": "registration",
          "eventDate": "2024-01-01T23:59:59Z"
        },
        ...
      ],
      "links":
      [
        {
          "value": "https://example.net/rdap/rpki1/x509_resource_cert/ABCD",
          "rel": "self",
          "href": "https://example.net/rdap/rpki1/x509_resource_cert/ABCD",
          "type": "application/rdap+json"
        },
        {
          "value": "https://example.net/rdap/rpki1/x509_resource_cert/ABCD",
          "rel": "related",
          "href": "https://example.net/rdap/autnum/65536",
          "type": "application/rdap+json"
        },
        {
          "value": "https://example.net/rdap/rpki1/x509_resource_cert/ABCD",
          "rel": "related",
          "href": "https://example.net/rdap/autnum/65537",
          "type": "application/rdap+json"
        },
        ...
      ],
      ...
    },
    ...
  ]
}

5.4. Reverse Search

Per Section 2 of [RFC9536], if a server receives a reverse search query with a searchable resource type of "ips" (Section 5 of [I-D.ietf-regext-rdap-rir-search]), a related resource type of "rpki1_x509_resource_cert", and an X.509 Resource Certificate property of "handle", then the reverse search will be performed on the IP network objects from its data store.

Similarly, if a server receives a reverse search query with a searchable resource type of "autnums", a related resource type of "rpki1_x509_resource_cert", and an X.509 Resource Certificate property of "handle", then the reverse search will be performed on the autonomous system number objects.

Section 8.2 and Section 8.3 include registration of entries for IP network and autonomous system number searches in the RDAP Reverse Search and RDAP Reverse Search Mapping IANA registries when the related resource type is "rpki1_x509_resource_cert".

5.5. Relationship with Other Object Classes

It would be useful to show all the X.509 resource certificates associated with an object of another RDAP class; in particular, with an IP network object, an autonomous system number object, or an entity (organization) object. To that end, this extension adds a new "rpki1_x509_resource_certs" member to the IP Network (Section 5.4 of [RFC9083]), Autonomous System Number (Section 5.5 of [RFC9083]), and Entity (Section 5.1 of [RFC9083]) object classes:

  • "rpki1_x509_resource_certs" -- an array of X.509 resource certificate objects (Section 5.1) for the IP address range in an IP network object, the autonomous system number range in an autonomous system number object, or an entity (organization) object; if the array is too large, the server MAY truncate it, per Section 9 of [RFC9083]

Here is an elided example for an entity (organization) object with an X.509 resource certificate -- specifically, a CA certificate that a registry issues to an organization for its allocated IP addresses and/or autonomous system numbers, authorizing the organization CA to issue end-entity certificates:

{
  "objectClassName" : "entity",
  "handle":"XXXX",
  ...
  "rpki1_x509_resource_certs":
  [
    {
      "objectClassName": "rpki1_x509_resource_cert",
      "handle": "ABCD",
      "serialNumber": "1234",
      "issuer": "CN=RIR-CA",
      "signatureAlgorithm": "ecdsa-with-SHA256",
      "subject": "CN=XXXX-CA",
      "subjectPublicKeyInfo":
      {
        "publicKeyAlgorithm": "id-ecPublicKey",
        "publicKey": "..."
      },
      "subjectKeyIdentifier": "hOcGgxqXDa7mYv78fR+sGBKMtWJqItSLfaIYJDKYi8A=",
      "ips":
      [
        "192.0.2.0/24",
        "2001:db8::/48"
      ],
      "autnums":
      [
        65536,
        65537
      ],
      "notValidBefore": "2024-04-27T23:59:59Z",
      "notValidAfter": "2025-04-27T23:59:59Z",
      "publicationUri": "rsync://example.net/path/to/ABCD.cer",
      "entities":
      [
        {
          "objectClassName": "entity",
          "handle": "XYZ-RIR",
          ...
        },
        ...
      ],
      "rpkiType": "hosted",
      "events":
      [
        {
          "eventAction": "registration",
          "eventDate": "2024-01-01T23:59:59Z"
        },
        ...
      ],
      "links":
      [
        {
          "value": "https://example.net/rdap/rpki1/x509_resource_cert/ABCD",
          "rel": "self",
          "href": "https://example.net/rdap/rpki1/x509_resource_cert/ABCD",
          "type": "application/rdap+json"
        },
        {
          "value": "https://example.net/rdap/rpki1/x509_resource_cert/ABCD",
          "rel": "related",
          "href": "https://example.net/rdap/ip/192.0.2.0/24",
          "type": "application/rdap+json"
        },
        {
          "value": "https://example.net/rdap/rpki1/x509_resource_cert/ABCD",
          "rel": "related",
          "href": "https://example.net/rdap/ip/2001:db8::/48",
          "type": "application/rdap+json"
        },
        {
          "value": "https://example.net/rdap/rpki1/x509_resource_cert/ABCD",
          "rel": "related",
          "href": "https://example.net/rdap/autnum/65536",
          "type": "application/rdap+json"
        },
        {
          "value": "https://example.net/rdap/rpki1/x509_resource_cert/ABCD",
          "rel": "related",
          "href": "https://example.net/rdap/autnum/65537",
          "type": "application/rdap+json"
        },
        ...
      ],
      ...
    },
    ...
  ]
}

6. RDAP Conformance

A server that supports the functionality specified in this document MUST include the "rpki1" string literal in the "rdapConformance" array of its responses.

7. Security Considerations

The RDAP extension in this document MUST NOT be used to directly influence internet routing. Neither RDAP nor this extension define the necessary security properties or distribution mechanisms required to securely add, remove, or modify internet routes.

This document does not introduce any new security considerations past those already discussed in the RDAP protocol specifications ([RFC7481], [RFC9560]).

8. IANA Considerations

8.1. RDAP Extensions Registry

IANA is requested to register the following values in the RDAP Extensions Registry at https://www.iana.org/assignments/rdap-extensions/:

  • Extension identifier: rpki1
  • Registry operator: Any
  • Published specification: This document.
  • Contact: IETF [email protected]
  • Intended usage: This extension identifier is used for accessing the RPKI registration data through RDAP.

8.2. RDAP Reverse Search Registry

IANA is requested to register the following entries in the RDAP Reverse Search Registry at https://www.iana.org/assignments/rdap-reverse-search/:

IP network search by the origin autonomous system number of a ROA:

  • Searchable Resource Type: ips
  • Related Resource Type: rpki1_roa
  • Property: originAutnum
  • Description: The server supports the IP network search by the origin autonomous system number of an associated RPKI ROA.
  • Registrant Name: IETF
  • Registrant Contact Information: [email protected]
  • Reference: This document.

IP network search by the start IP address of a CIDR address block of a ROA:

  • Searchable Resource Type: ips
  • Related Resource Type: rpki1_roa
  • Property: startAddress
  • Description: The server supports the IP network search by the start IP address (a.k.a. CIDR prefix) of a CIDR address block of an associated RPKI ROA.
  • Registrant Name: IETF
  • Registrant Contact Information: [email protected]
  • Reference: This document.

Autonomous system number search by the autonomous system number of an ASPA:

  • Searchable Resource Type: autnums
  • Related Resource Type: rpki1_aspa
  • Property: autnum
  • Description: The server supports the autonomous system number search by the autonomous system number of an associated RPKI ASPA.
  • Registrant Name: IETF
  • Registrant Contact Information: [email protected]
  • Reference: This document.

Autonomous system number search by a provider autonomous system number of an ASPA:

  • Searchable Resource Type: autnums
  • Related Resource Type: rpki1_aspa
  • Property: providerAutnum
  • Description: The server supports the autonomous system number search by a provider autonomous system number of an associated RPKI ASPA.
  • Registrant Name: IETF
  • Registrant Contact Information: [email protected]
  • Reference: This document.

IP network search by the handle of an X.509 resource certificate:

  • Searchable Resource Type: ips
  • Related Resource Type: rpki1_x509_resource_cert
  • Property: handle
  • Description: The server supports the IP network search by the handle of an associated RPKI X.509 resource certificate.
  • Registrant Name: IETF
  • Registrant Contact Information: [email protected]
  • Reference: This document.

Autonomous system number search by the handle of an X.509 resource certificate:

  • Searchable Resource Type: autnums
  • Related Resource Type: rpki1_x509_resource_cert
  • Property: handle
  • Description: The server supports the autonomous system number search by the handle of an associated RPKI X.509 resource certificate.
  • Registrant Name: IETF
  • Registrant Contact Information: [email protected]
  • Reference: This document.

8.3. RDAP Reverse Search Mapping Registry

IANA is requested to register the following entries in the RDAP Reverse Search Mapping Registry at https://www.iana.org/assignments/rdap-reverse-search-mapping/:

IP network search by the origin autonomous system number of a ROA:

  • Searchable Resource Type: ips
  • Related Resource Type: rpki1_roa
  • Property: originAutnum
  • Property Path: $.originAutnum
  • Registrant Name: IETF
  • Registrant Contact Information: [email protected]
  • Reference: This document.

IP network search by the start IP address of a CIDR address block of a ROA:

  • Searchable Resource Type: ips
  • Related Resource Type: rpki1_roa
  • Property: startAddress
  • Property Path: $.roaIpAddresses[*].startAddress
  • Registrant Name: IETF
  • Registrant Contact Information: [email protected]
  • Reference: This document.

Autonomous system number search by the autonomous system number of an ASPA:

  • Searchable Resource Type: autnums
  • Related Resource Type: rpki1_aspa
  • Property: autnum
  • Property Path: $.autnum
  • Registrant Name: IETF
  • Registrant Contact Information: [email protected]
  • Reference: This document.

Autonomous system number search by a provider autonomous system number of an ASPA:

  • Searchable Resource Type: autnums
  • Related Resource Type: rpki1_aspa
  • Property: providerAutnum
  • Property Path: $.providerAutnums[*]
  • Registrant Name: IETF
  • Registrant Contact Information: [email protected]
  • Reference: This document.

IP network search by the handle of an X.509 resource certificate:

  • Searchable Resource Type: ips
  • Related Resource Type: rpki1_x509_resource_cert
  • Property: handle
  • Property Path: $.handle
  • Registrant Name: IETF
  • Registrant Contact Information: [email protected]
  • Reference: This document.

Autonomous system number search by the handle of an X.509 resource certificate:

  • Searchable Resource Type: autnums
  • Related Resource Type: rpki1_x509_resource_cert
  • Property: handle
  • Property Path: $.handle
  • Registrant Name: IETF
  • Registrant Contact Information: [email protected]
  • Reference: This document.

9. Acknowledgements

Job Snijders, Ties de Kock, Mark Kosters, Tim Bruijnzeels, and Bart Bakker provided valuable feedback for this document.

10. References

10.1. Normative References

[BCP14]
Best Current Practice 14, <https://www.rfc-editor.org/info/bcp14>.
At the time of writing, this BCP comprises the following:
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/info/rfc8174>.
Harrison, T. and J. Singh, "RDAP RIR Search", Work in Progress, Internet-Draft, draft-ietf-regext-rdap-rir-search-11, , <https://datatracker.ietf.org/doc/html/draft-ietf-regext-rdap-rir-search-11>.
[I-D.ietf-sidrops-aspa-profile]
Azimov, A., Uskov, E., Bush, R., Snijders, J., Housley, R., and B. Maddison, "A Profile for Autonomous System Provider Authorization", Work in Progress, Internet-Draft, draft-ietf-sidrops-aspa-profile-18, , <https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-profile-18>.
[RFC1519]
Fuller, V., Li, T., Yu, J., and K. Varadhan, "Classless Inter-Domain Routing (CIDR): an Address Assignment and Aggregation Strategy", RFC 1519, DOI 10.17487/RFC1519, , <https://www.rfc-editor.org/info/rfc1519>.
[RFC3339]
Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, , <https://www.rfc-editor.org/info/rfc3339>.
[RFC5396]
Huston, G. and G. Michaelson, "Textual Representation of Autonomous System (AS) Numbers", RFC 5396, DOI 10.17487/RFC5396, , <https://www.rfc-editor.org/info/rfc5396>.
[RFC6480]
Lepinski, M. and S. Kent, "An Infrastructure to Support Secure Internet Routing", RFC 6480, DOI 10.17487/RFC6480, , <https://www.rfc-editor.org/info/rfc6480>.
[RFC6487]
Huston, G., Michaelson, G., and R. Loomans, "A Profile for X.509 PKIX Resource Certificates", RFC 6487, DOI 10.17487/RFC6487, , <https://www.rfc-editor.org/info/rfc6487>.
[RFC8209]
Reynolds, M., Turner, S., and S. Kent, "A Profile for BGPsec Router Certificates, Certificate Revocation Lists, and Certification Requests", RFC 8209, DOI 10.17487/RFC8209, , <https://www.rfc-editor.org/info/rfc8209>.
[RFC9082]
Hollenbeck, S. and A. Newton, "Registration Data Access Protocol (RDAP) Query Format", STD 95, RFC 9082, DOI 10.17487/RFC9082, , <https://www.rfc-editor.org/info/rfc9082>.
[RFC9083]
Hollenbeck, S. and A. Newton, "JSON Responses for the Registration Data Access Protocol (RDAP)", STD 95, RFC 9083, DOI 10.17487/RFC9083, , <https://www.rfc-editor.org/info/rfc9083>.
[RFC9536]
Loffredo, M. and M. Martinelli, "Registration Data Access Protocol (RDAP) Reverse Search", RFC 9536, DOI 10.17487/RFC9536, , <https://www.rfc-editor.org/info/rfc9536>.
[RFC9582]
Snijders, J., Maddison, B., Lepinski, M., Kong, D., and S. Kent, "A Profile for Route Origin Authorizations (ROAs)", RFC 9582, DOI 10.17487/RFC9582, , <https://www.rfc-editor.org/info/rfc9582>.

10.2. Informative References

[CLOUDFLARE]
Cloudflare, "RPKI Portal", , <https://rpki.cloudflare.com/>.
[JDR]
NLNet Labs, "JDR", , <https://blog.nlnetlabs.nl/introducing-jdr/>.
[RDAP-GUIDE]
Newton, A., "RDAP Guide", , <https://rdap.rcode3.com/misc/uses.html>.
[RFC2622]
Alaettinoglu, C., Villamizar, C., Gerich, E., Kessens, D., Meyer, D., Bates, T., Karrenberg, D., and M. Terpstra, "Routing Policy Specification Language (RPSL)", RFC 2622, DOI 10.17487/RFC2622, , <https://www.rfc-editor.org/info/rfc2622>.
[RFC4271]
Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A Border Gateway Protocol 4 (BGP-4)", RFC 4271, DOI 10.17487/RFC4271, , <https://www.rfc-editor.org/info/rfc4271>.
[RFC7481]
Hollenbeck, S. and N. Kong, "Security Services for the Registration Data Access Protocol (RDAP)", STD 95, RFC 7481, DOI 10.17487/RFC7481, , <https://www.rfc-editor.org/info/rfc7481>.
[RFC9560]
Hollenbeck, S., "Federated Authentication for the Registration Data Access Protocol (RDAP) Using OpenID Connect", RFC 9560, DOI 10.17487/RFC9560, , <https://www.rfc-editor.org/info/rfc9560>.

Authors' Addresses

Jasdip Singh
ARIN
Andy Newton
ICANN