]> IPinfo

oliver@ipinfo.io

IIJ Research & Arrcus

5147 Crystal Springs Bainbridge Island Washington 98110 United States of America randy@psg.com

NTT

Siriusdreef 70-72 Hoofddorp 2132 WT Netherlands massimo@ntt.net

Vigil Security, LLC

516 Dranesville Road Herndon VA 20170 USA housley@vigilsec.com

prefix allocation RPSL inetnum This document specifies how to augment the Routing Policy Specification Language (RPSL) inetnum: class to refer specifically to prefixlen comma-separated values (CSV) data files and describes an optional scheme that uses the Resource Public Key Infrastructure (RPKI) to authenticate the prefixlen data files.

Introduction Internet service providers (ISPs) delegate IP addresses or entire IP prefixes to their users. Similarly, cloud providers assign customers who use their services such as virtual machines a prefix of a specific size. Therefore, there are countless variations of different end-site prefix length present in the Internet. Currently, there is no easy way for content providers to know the end-site prefix size of someone accessing their service. Knowing the correct end-site's prefix size has multiple implications such as:

• Blocklisting/throttling: In IPv4, IP addresses can be blocked at different prefix levels, such as /24 or /32. In IPv6 on the other hand, blocking at e.g. the /64 level could lead to overblocking (throwing multiple VMs from different users into the same bucket), while blocking at the e.g. /128 level would lead to filling up space in the blocklist pretty quickly. The same applies to throttling. recently also raised this issue.
• Rate limiting/CAPTCHAs: A similar issue arises on the Web, where "close" prefixes might be thrown together (e.g. in the same /56, even though the ISP hands out /64s), which leads to people "jointly" running into rate limits and then either being blocked from a service or having to solve annoying CAPTCHAs.
• Geolocation: Getting the right prefix size for IPv6 geolocation is similarly hard. If you aggregate too little, you throw together different clients in different locations, and if you aggregate too much, you fill up the geolocation database with unnecessary entries.

This document specifies how to augment the Routing Policy Specification Language (RPSL) inetnum: class to refer specifically to prefixlen data files and how to use them. In all places inetnum: is used, inet6num: should also be assumed . The reader may find and informative, and certainly more verbose, descriptions of the inetnum: database classes. An optional means for authenticating prefixlen data is also defined in .

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

prefixlen Files prefixlen files are CSV (Comma Separated Values) files in UTF-8 text format; not HTML, richtext, or other formats. Lines MUST be delimited by a line break (CRLF), and blank lines MUST be ignored. Text from a '#' character to the end of the current line MUST be treated as a comment only and is similarly ignored. The first field of each non-ignored line specifies the prefix in question and the second field the end-site prefix length within that prefix as an integer. If an ISP delegates /56 IPv6 prefixes of the 2001:db8::/32 range, and /32 IPv4 prefixes (i.e. a single IPv4 address) of the 192.0.2.0/24 range to its customers, it would create a prefix length file containing the following example entries: If a cloud provider assigns /120 IPv6 prefixes to each customer VM and a /64 prefix to premium customers, it would create a prefix length file containing the following example entries: Note that the second entry in the above example is a subprefix of the first entry. Therefore, longest prefix matching has to be taken into account when parsing prefixlen files. prefixlen files can also be used to signal the presence of Carrier-Grade NAT (CGN) networks. This is especially useful for cases where multiple end-sites behind a CGN accessing a service at the same time might run into rate limiting issues by service providers. In case a prefixlen file signals the presence of a CGN, service providers can treat these prefixes in a way that rate limits are not triggered. To signal the presence of a CGN, a prefixlen file contains a prefix length field larger than the most specific prefix sizes, i.e., 32 for IPv4 and 128 for IPv6. Specifically, the prefix length field value is specified as prefix_length + log_2(number_of_cgn_end_sites). For example, a CGN prefix 192.0.2.0/24 containing 65,536 end sites would lead to a prefix length value of 24 + log_2(65536) = 24 + 16 = 40 and is specified as follows: Duplicate prefix entries MUST be considered an error, and consumer implementations SHOULD log the repeated entries for further administrative review. Publishers SHOULD take measures to ensure there is one and only one entry per prefix. Content providers and other parties who wish to differentiate services based on end site prefixes need to find the relevant prefixlen data. In , this document specifies how to find the relevant prefixlen file given an IP address. prefixlen data for large providers with significant horizontal scale and high granularity can be quite large. The size of a file can be even larger if an unsigned prefixlen file combines data for many prefixes, if dual IPv4/IPv6 spaces are represented, etc. This document also suggests an optional signature to strongly authenticate the data in the prefixlen files.

inetnum: Class The original RPSL specifications starting with , , and a trail of subsequent documents were written by the RIPE community. The IETF standardized RPSL in and . Since then, it has been modified and extensively enhanced in the Regional Internet Registry (RIR) community, mostly by RIPE . At the time of publishing this document, change control of RPSL effectively lies in the operator community. The RPSL, and and used by the Regional Internet Registries (RIRs), specify the inetnum: database class. Each of these objects describes an IP address range and its attributes. The inetnum: objects form a hierarchy ordered on the address space. Ideally, RPSL would be augmented to define a new RPSL prefixlen: attribute in the inetnum: class. Absent implementation of the prefixlen: attribute in a particular RIR database, this document defines the syntax of a prefixlen remarks: attribute, which contains an HTTPS URL of a prefixlen file. The format of the inetnum: prefixlen remarks: attribute MUST be as in this example, "remarks: Prefixlen ", where the token "prefixlen" MUST be case sensitive, followed by a URL that will vary, but it MUST refer only to a single prefixlen file. While we leave global agreement of RPSL modification to the relevant parties, we specify that a proper prefixlen: attribute in the inetnum: class MUST be "prefixlen:" and MUST be followed by a single URL that will vary, but it MUST refer only to a single prefixlen file. The URL uses HTTPS, so the WebPKI provides authentication, integrity, and confidentiality for the fetched prefixlen file. However, the WebPKI can not provide authentication of IP address space assignment. In contrast, the RPKI (see ) can be used to authenticate IP space assignment; see optional authentication in . In addition to publishing the location of prefixlen files in WHOIS with the prefixlen: or remarks: approaches, there is currently a proposal being discussed to introduce a new RPSL attribute of type extref: for generic external references . With this extref approach a prefixlen can be referenced as follows: Until all producers of inetnum: objects, i.e., the RIRs, state that they have migrated to supporting a prefixlen: or extref: attribute, consumers looking at inetnum: objects to find prefixlen URLs MUST be able to consume the remarks:, prefixlen:, and extref: forms. The migration not only implies that the RIRs support the prefixlen: or extref: attributes, but that all registrants have migrated any inetnum: objects from remarks: to prefixlen: or extref: attributes. Any particular inetnum: object SHOULD have, at most, one prefixlen reference, whether a remarks:, extref:, or prefixlen: attribute when it is implemented. As the remarks: form can not be formally checked by the RIR, this can not be formally enforced. A prefixlen: or extref: attribute is preferred, of course, if the RIR supports it. If there is more than one type of attribute in the inetnum: object, the prefixlen: or extref: attributes MUST be used. For inetnum:s covering the same address range, a signed prefixlen file MUST be preferred over an unsigned file. If none are signed, or more than one is signed, the (signed) inetnum: with the most recent last-modified: attribute MUST be preferred. If a prefixlen file describes multiple disjoint ranges of IP address space, there are likely to be prefixlen references from multiple inetnum: objects. Files with prefixlen references from multiple inetnum: objects are not compatible with the signing procedure in . An unsigned, and only an unsigned, prefixlen file MAY be referenced by multiple inetnum:s and MAY contain prefixes from more than one registry. When fetching, the most specific inetnum: object with a prefixlen reference MUST be used. It is significant that prefixlen data may have finer granularity than the inetnum: that refers to them. For example, an inetnum: object for an address range P could refer to a prefixlen file in which P has been subdivided into one or more longer prefixes.

Fetching prefixlen Data This document is to provides a guideline for how interested parties should fetch and read prefixlen files. To minimize the load on RIRs' WHOIS services, the RIR's FTP services SHOULD be used for large-scale access to gather inetnum:s with prefixlen references. This uses efficient bulk access instead of fetching via brute-force search through the IP space. On the other hand, RIRs are converging on RDAP support which includes geofeed data, see . It is hoped that this will be extended, or generalized, to support prefixlen data. When reading data from an unsigned prefixlen file, one MUST ignore data outside the referring inetnum: object's address range. This is to avoid importing data about ranges not under the control of the operator. Note that signed files MUST only contain prefixes within the referring inetnum:'s range as mandated in . If prefixlen files are fetched, other prefix length information from the inetnum: MUST be ignored. Given an address range of interest, the most specific inetnum: object with a prefixlen reference MUST be used to fetch the prefixlen file. For example, if the fetching party finds the following inetnum: objects: An application looking for prefixlen data for 192.0.2.0/29, MUST ignore data in prefixlen_1 because 192.0.2.0/29 is within the more specific 192.0.2.0/24 inetnum: covering that address range and that inetnum: does have a prefixlen reference.

Authenticating prefixlen Data (Optional) The question arises whether a particular prefixlen data set is valid, i.e., is authorized by the "owner" of the IP address space and is authoritative in some sense. The inetnum: that points to the prefixlen file provides some assurance. Unfortunately, the RPSL in some repositories is weakly authenticated at best. An approach where RPSL was signed per would be good, except it would have to be deployed by all RPSL registries, and there is a fair number of them. The remainder of this section specifies an optional authenticator for the prefixlen data set that follows the Signed Object Template for the Resource Public Key Infrastructure (RPKI) . A single optional authenticator MAY be appended to a prefixlen file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The following format bundles the relevant RPKI certificate with a signature over the prefixlen text. The canonicalization procedure converts the data from their internal character representation to the UTF-8 character encoding, and the <CRLF> sequence MUST be used to denote the end of each line of text. A blank line is represented solely by the <CRLF> sequence. For robustness, any non-printable characters MUST NOT be changed by canonicalization. Trailing blank lines MUST NOT appear at the end of the file. That is, the file must not end with multiple consecutive <CRLF> sequences. Any end-of-file marker used by an operating system is not considered to be part of the file content. When present, such end-of-file markers MUST NOT be covered by the digital signature. If the authenticator is not in the canonical form described above, then, the authenticator is invalid. Borrowing detached signatures from , after file canonicalization, the Cryptographic Message Syntax (CMS) is used to create a detached DER-encoded signature that is then Base64 encoded with padding (as defined in Section 4 of ) and line wrapped to 72 or fewer characters. The same digest algorithm MUST be used for calculating the message digest of the content being signed, which is the prefixlen file, and for calculating the message digest on the SignerInfo SignedAttributes . The message digest algorithm identifier MUST appear in both the CMS SignedData DigestAlgorithmIdentifiers and the SignerInfo DigestAlgorithmIdentifier . The RPKI certificate covering the prefixlen inetnum: object's address range is included in the CMS SignedData certificates field . The address range of the signing certificate MUST cover all prefixes in the signed prefixlen file. If not, the authenticator is invalid. The signing certificate MUST NOT include the Autonomous System Identifier Delegation certificate extension . If it is present, the authenticator is invalid. As with many other RPKI signed objects, the IP Address Delegation certificate extension MUST NOT use the "inherit" capability defined in Section 2.2.3.5 of . If "inherit" is used, the authenticator is invalid. An IP Address Delegation extension using "inherit" would complicate processing. The implementation would have to build the certification path from the end-entity to the trust anchor, then validate the path from the trust anchor to the end-entity, and then the parameter would have to be remembered when the validated public key was used to validate a signature on a CMS object. Having to remember things from certification path validation for use with CMS object processing would be quite complex and error prone. And, the certificates do not get that much bigger by repeating the information. An address range A "covers" address range B if the range of B is identical to or a subset of A. "Address range" is used here because inetnum: objects and RPKI certificates need not align on Classless Inter-Domain Routing (CIDR) prefix boundaries, while those of the lines in a prefixlen file do align. The Certification Authority (CA) SHOULD sign only one prefixlen file with each generated private key and SHOULD generate a new key pair for each new version of a perticular prefixlen file. The CA MUST generate a new End Entity (EE) certificate for each signing of a particular prefixlen file. An associated EE certificate used in this fashion is termed a "one-time-use" EE certificate (see Section 3 of ). Identifying the private key associated with the certificate and getting the department that controls the private key (which might be stored in a Hardware Security Module (HSM)) to generate the CMS signature is left as an exercise for the implementor. On the other hand, verifying the signature has no similar complexity; the certificate, which is validated in the RPKI, contains the needed public key. The RPKI trust anchors for the RIRs are available to the party performing signature validation. Validation of the CMS signature over the prefixlen file involves:

1. Obtaining the signer's certificate from the CMS SignedData CertificateSet . The certificate SubjectKeyIdentifier extension MUST match the SubjectKeyIdentifier in the CMS SignerInfo SignerIdentifier . If the key identifiers do not match, then validation MUST fail.
2. Validating the signer's certificate MUST ensure that it is part of the current manifest and that all resources are covered by the RPKI certificate.
3. Construct and validate the certification path for the signer's certificate. All of the needed certificates are expected to be readily available in the RPKI repository. The certification path MUST be valid according to the validation algorithm in and the additional checks specified in associated with the IP Address Delegation certificate extension and the Autonomous System Identifier Delegation certificate extension. If certification path validation is unsuccessful, then validation MUST fail.
4. Validating the CMS SignedData as specified in using the public key from the validated signer's certificate. If the signature validation is unsuccessful, then validation MUST fail.
5. Confirming that the eContentType object identifier (OID) is id-ct-prefixlenCSVwithCRLF (1.2.840.113549.1.9.16.1.TBD). This OID MUST appear within both the eContentType in the encapContentInfo object and the ContentType signed attribute in the signerInfo object (see ).
6. Verifying that the IP Address Delegation certificate extension covers all of the address ranges of the prefixlen file. If all of the address ranges are not covered, then validation MUST fail.

All of the above steps MUST be successful to consider the prefixlen file signature as valid. The authenticator MUST be hidden as a series of "#" comments at the end of the prefixlen file. The following simple example is cryptographically incorrect: A correct and full example is in Appendix A. The CMS signature does not cover the signature lines. The bracketing "# RPKI Signature:" and "# End Signature:" MUST be present as shown in the example. The RPKI Signature's IP address range MUST match that of the prefixlen URL in the inetnum: that points to the prefixlen file.

Operational Considerations To create the needed inetnum: objects, an operator wishing to register the location of their prefixlen file needs to coordinate with their Regional Internet Registry (RIR) or National Internet Registry (NIR) and/or any provider Local Internet Registry (LIR) that has assigned address ranges to them. RIRs/NIRs provide means for assignees to create and maintain inetnum: objects. They also provide means of assigning or sub-assigning IP address resources and allowing the assignee to create WHOIS data, including inetnum: objects, thereby referring to prefixlen files. The prefixlen files MUST be published via and fetched using HTTPS . When using data from a prefixlen file, one MUST ignore data outside the referring inetnum: object's inetnum: attribute address range. If and only if the prefixlen file is not signed per , then multiple inetnum: objects MAY refer to the same prefixlen file, and the consumer MUST use only lines in the prefixlen file where the prefix is covered by the address range of the inetnum: object's URL it has followed. If the prefixlen file is signed, and the signer's certificate changes, the signature in the prefixlen file MUST be updated. It is good key hygiene to use a given key for only one purpose. To dedicate a signing private key for signing a prefixlen file, an RPKI Certification Authority (CA) may issue a subordinate certificate exclusively for the purpose shown in . Harvesting and publishing aggregated prefixlen data outside of the RPSL model should be avoided as it can have the effect that more specifics from one aggregatee could undesirably affect the less specifics of a different aggregatee. Moreover, publishing aggregated prefixlen data prevents the reader of the data to perform the checks described in and . An anonymized version of bulk WHOIS data is openly available for all RIRs except ARIN, which requires an authorization. However, for users without such authorization, the same result can be achieved with extra RDAP effort. There is open-source code to pass over such data across all RIRs, collect all prefixlen references, and process them . To prevent undue load on RPSL and prefixlen servers, entity-fetching prefixlen data using these mechanisms MUST NOT do frequent real-time lookups. prefixlen servers SHOULD send an HTTP Expires header to signal when prefixlen data should be refetched. As the data change very infrequently, in the absence of such an HTTP Header signal, collectors SHOULD NOT fetch more frequently than weekly. It would be polite not to fetch at magic times such as midnight UTC, the first of the month, etc., because too many others are likely to do the same.

Implementation Status At the time of publishing this document, the prefixlen: attribute in inetnum objects has not yet been implemented by any RIR database. Registrants in databases which do not yet support the prefixlen: attribute are using the remarks:, or equivalent, attribute. At the time of publishing this document, the registry data published by ARIN are not the same RPSL as that of the other registries (see for a survey of the WHOIS Tower of Babel); therefore, when fetching from ARIN via FTP , WHOIS , the Registration Data Access Protocol (RDAP) , etc., the "NetRange" attribute/key must be treated as "inetnum", and the "Comment" attribute must be treated as "remarks". can be used to authenticate a signed prefixlen file.

Security Considerations The consumer of prefixlen data SHOULD fetch and process the data themselves. Importing datasets produced and/or processed by a third-party places significant trust in the third-party. As mentioned in , some RPSL repositories have weak, if any, authentication. This allows spoofing of inetnum: objects pointing to malicious prefixlen files. suggests an unfortunately complex method for stronger authentication based on the RPKI. For example, if an inetnum: for a wide address range (e.g., a /16) points to an RPKI-signed prefixlen file, a customer or attacker could publish an unsigned equal or narrower (e.g., a /24) inetnum: in a WHOIS registry that has weak authorization, abusing the rule that the most-specific inetnum: object with a prefixlen reference MUST be used. If signatures were mandatory, the above attack would be stymied, but of course that is not happening anytime soon. The RPSL providers have had to throttle fetching from their servers due to too-frequent queries. Usually, they throttle by the querying IP address or block. Similar defenses will likely need to be deployed by prefixlen file servers. As prefixlen files disclose which parts of a prefix belong to an end site, attackers could better focus DDoS traffic towards a website hosted by a cloud provider by overwhelming only IP addresses from that specific end site. Furthermore, information collected from prefixlen files could allow for more targeted IPv6 scanning/reconnaisance, where scanners (be it benevolent or malicious ones) can target specific sub-prefixes which they deem more interesting.

IANA Considerations IANA is asked to register object identifiers for one content type in the "SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)" registry as follows:

In the SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1) in the Structure of Management Information (SMI) Numbers (MIB Module Registrations) registry group located at: https://www.iana.org/assignments/smi-numbers/ there is no existing registration for prefixlen files yet. On publication of this document, that reference needs to be changed to the new [ RFC-to-be ].

Thanks to the authors of , , and and the folk they acknowledge from whom ideas and text have been liberally expropriated.

&RFC2119; &RFC2622; &RFC2725; &RFC3629; &RFC3779; &RFC4012; &RFC4180; &RFC4648; &RFC5280; &RFC5652; &RFC8174; &RFC6481; &RFC6487; &RFC6488; &RFC8805; &RFC8933; &RFC9110; &RFC9286; &RFC0959; &RFC3912; &RFC4632; &RFC5485; &RFC6598; &RFC7234; &RFC7485; &RFC7909; &RFC9082; &RFC9092; &RFC9632; &I-D.ietf-regext-rdap-geofeed; &I-D.ietf-opsec-ipv6-addressing; &I-D.ymbk-opsawg-rpsl-extref; RIPE NCC RIPE NCC RIPE NCC RIPE NCC RIPE NCC commit 5f557a4

This appendix provides an example, including a trust anchor, a Certificate Revocation List (CRL) signed by the trust anchor, a CA certificate subordinate to the trust anchor, a CRL signed by the CA, an end-entity certificate subordinate to the CA for signing the prefixlen, and a detached signature. The trust anchor is represented by a self-signed certificate. As usual in the RPKI, the trust anchor has authority over all IPv4 address blocks, all IPv6 address blocks, and all Autonomous Systam (AS) numbers.

The CRL issued by the trust anchor.

The CA certificate is issued by the trust anchor. This certificate grants authority over one IPv4 address block (192.0.2.0/24) and two AS numbers (64496 and 64497).

The CRL issued by the CA.

The end-entity certificate is issued by the CA. This certificate grants signature authority for one IPv4 address block (192.0.2.0/24). Signature authority for AS numbers is not needed for prefixlen data signatures, so no AS numbers are included in the end-entity certificate.

The end-entity certificate is displayed below in detail. For brevity, the other two certificates are not.

To allow reproduction of the signature results, the end-entity private key is provided. For brevity, the other two private keys are not.

Signing of "192.0.2.0/24,US,WA,Seattle," (terminated by CR and LF), yields the following detached CMS signature.