Resource Public Key Infrastructure (RPKI) Repository Requirements

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

The Resource Public Key Infrastructure (RPKI) as originally defined uses rsync as its distribution protocol, as outlined in . Later, the RPKI Repository Delta Protocol (RRDP) was designed to provide an alternative. In order to facilitate incremental deployment RRDP has been deployed as an additional optional protocol, while rsync was still mandatory to implement. While rsync has been very useful in the initial deployment of RPKI, a number of issues observed with it motivated the design of RRDP, e.g.: rsync is CPU and memory heavy on the server side, and easy to DoS rsync library support is lacking, complicating RP efficiency and error logging we cannot ensure that RPs get atomic sets of updated objects RRDP was designed to leverage HTTPS CDN infrastructure to provide RPKI Repository content in a resilient way, while reducing the load on the Repository server. It supports that updates are published as atomic deltas, which can help prevent most of the issues described in section 6 of . For a longer discussion please see section 1 of . In conclusion: we believe that while RRDP is not perfect, and we may indeed need future work to improve on it, it is an improvement over using rsync in the context of RPKI. Therefore, this document outlines a transition plan where RRDP becomes mandatory to implement, and the operational dependency on rsync is reduced to that of a fallback option.

Changing the RPKI infrastructure to rely on RRDP instead of rsync is a delicate operation. There is current deployment of Certification Authorities, Repository Servers and Relying Party software which relies on rsync, and which may not yet support RRDP. Therefore we need to have a plan that ultimately updates the relevant RFCs, but which uses a phased approach combined with measurements to limit the operational impact of doing this to (almost) zero. The general outline of the plan is as follows. We will describe each step in more detail below. Phase Description 0RPKI repositories support rsync, and optionally RRDP 1RPKI repositories support both rsync and RRDP 2All RP software prefers RRDP

This is the situation at the time of writing this document. Relying Parties can prefer RRDP over rsync today, but they need to support rsync until all RPKI repositories support RRDP. Therefore all repositories should support RRDP at their earliest convenience.

Repositories which support RRDP MUST ensure that RRDP resources are available to Relying Parties (section 3.3 of ). Furthermore, the RRDP repository MUST include all current repository objects. Because of this the choice of falling back to alternative repository access mechanisms was left as a local policy choice of RP software. However, following discussions on this subject it has become clear that there is a preference to instruct RP software to make use of all possible data sources. The main motivation being that because of RPKI object security using a secondary source of data can never lead to a worse outcome in terms of validation. The following update is therefore applicable to section 3.4.5 "Considerations Regarding Operational Failures in RRDP" of : OLD: Relying Parties could attempt to use alternative repository access mechanisms, if they are available, according to the accessMethod element value(s) specified in the SIA of the associated certificate (see Section 4.8.8 of [RFC6487]). NEW: Relying Parties MUST attempt to use alternative repository access mechanisms, if they are available, according to the accessMethod element value(s) specified in the SIA of the associated certificate (see Section 4.8.8 of [RFC6487]).

As noted above section 3.3 of already stipulates that RRDP files MUST be made available by repositories which support RRDP. In other words the RRDP service must be treated as a critical service wherever it is supported. During this phase the updates are applied to section 3 of , to make this abundantly clear: OLD: The publication repository SHOULD be hosted on a highly available service and high-capacity publication platform. The publication repository MUST be available using rsync [RSYNC]. Support of additional retrieval mechanisms is the choice of the repository operator. The supported retrieval mechanisms MUST be consistent with the accessMethod element value(s) specified in the SIA of the associated CA or EE certificate. NEW: The publication repository MAY be available using the RPKI Repository Delta Protocol . If RPDP is provided, it SHOULD be hosted on a highly available platform. The publication repository MUST be available using rsync [RSYNC]. The rsync server SHOULD be hosted on a highly available platform. Support of additional retrieval mechanisms is the choice of the repository operator. The supported retrieval mechanisms MUST be consistent with the accessMethod element value(s) specified in the SIA of the associated CA or EE certificate.

During this phase we will make RRDP mandatory to support for Repository Servers, and measure whether the deployed Repository Servers have been upgraded to do so, in as far as they don't support RRDP already.

During this phase the updates are applied to section 3 of . OLD: The publication repository SHOULD be hosted on a highly available service and high-capacity publication platform. The publication repository MUST be available using rsync [RSYNC]. Support of additional retrieval mechanisms is the choice of the repository operator. The supported retrieval mechanisms MUST be consistent with the accessMethod element value(s) specified in the SIA of the associated CA or EE certificate. NEW: The publication repository MUST be available using the RPKI Repository Delta Protocol . The RRDP server SHOULD be hosted on a highly available platform. The publication repository MUST be available using rsync [RSYNC]. The rsync server SHOULD be hosted on a highly available platform. Support of additional retrieval mechanisms is the choice of the repository operator. The supported retrieval mechanisms MUST be consistent with the accessMethod element value(s) specified in the SIA of the associated CA or EE certificate.

We can find out whether all RPKI repositories support RRDP by running (possibly) modified Relying Party software that keeps track of this. When it is found that Repositories do not yet support RRDP, outreach should be done to them individually. Since the number of Repositories is fairly low, and it is in their interest to run RRDP because it addresses availability concerns, we have confidence that we will find these Repositories willing to make changes.

Once all Repositories support RRDP we can proceed to make RRDP mandatory to implement for Relying Party software.

From this phase onwards the updates are applied to section 3.4.1 of . OLD: When a Relying Party performs RPKI validation and learns about a valid certificate with an SIA entry for the RRDP protocol, it SHOULD use this protocol as follows. NEW: When a Relying Party performs RPKI validation and learns about a valid certificate with an SIA entry for the RRDP protocol, it MUST use this protocol with preference. Relying Parties MUST NOT attempt to fetch objects using alternate access mechanisms, if object retrieval through this protocol is successful. However, as stipulated in section 3.4.5, Relying Parties MUST attempt to use alternative repository access mechanisms, if object retrieval through this protocol is unsuccessful.

Rsync URIs are used in the RPKI to name objects and hierarchies, and they are as such very useful when doing RPKI object validation, as well as for error reporting on validation issues. Note that RRDP includes rsync URIs in its structure. See section 3.5 of . Theoretically, RRDP servers could include any rsync URI. However, Relying Party software knows which RRDP server to is expected to include the rsync URIs for RPKI objects issued under any given CA certificate, because of the id-ad-rpkiNotify SIA extenion, see section 3.2 of . Thus, objects retrieved through RRDP can be mapped easily to files and URIs, similar to as though rsync would have been used to retrieve them.

Although the tools may support RRDP, users will still need to install updated versions of these tools in their infrastructure. Any Repository operator can measure this transition by observing access to their RRDP and rsync repositories respectively. But even after new versions have been available, it is expected that there will be long, low volume, tail of users who did not upgrade and still depend on rsync. It is hard to quantify here now, what would be an acceptable moment to conclude that it's safe to move to the next phase and make rsync optional. A parallel to the so-called DNS Flag Day comes to mind.

Note that, while we discuss this here, we would probably do well to separate this section into a separate follow-up document.

The end goal of this phase would be that there will be no operational dependencies on rsync for Repositories, although they MAY still choose to operate rsync at a best effort basis. The most pragmatic way to deal with rsync URIs in the RPKI would be to continue to use them as namespaces, but no longer require that rsync is available. Much like how https based namespaces are used in XML.

From this phase onwards these updates are applied to section 3 of as it was updated during Phase 2 described above: OLD: The publication repository MUST be available using the RPKI Repository Delta Protocol . The RRDP server SHOULD be hosted on a highly available platform. The publication repository MUST be available using rsync [RSYNC]. The rsync server SHOULD be hosted on a highly available platform. Support of additional retrieval mechanisms is the choice of the repository operator. The supported retrieval mechanisms MUST be consistent with the accessMethod element value(s) specified in the SIA of the associated CA or EE certificate. NEW: The publication repository MUST be available using the RPKI Repository Delta Protocol . The RRDP server SHOULD be hosted on a highly available platform. The publication repository MAY be available using rsync [RSYNC]. Support of additional retrieval mechanisms is the choice of the repository operator. The supported retrieval mechanisms MUST be consistent with the accessMethod element value(s) specified in the SIA of the associated CA or EE certificate. Note that this means that RP software is still required to try to fall back to rsync if RRDP is unavailable, but it may find that the rsync repository is not available.

We could develop a new naming scheme for RPKI objects. Perhaps based on Universal Resource Names (). Doing so, would allow us to use names which are independent from retrieval mechanisms, and thus they could be less confusing in some regards, and provide more agility with regards to future changes in those mechanisms. However, this would require that many updates are made to existing RFCs. An incomplete list: RFC6487 New names would have be allowed in the SIA, or perhaps an X509 extension, could be used. But, the latter would have a direct impact on the deployability of updated CA certificates - RP software would reject these certificates if the extension is marked as critical by the CA and not understood by the RP. RFC6492 New names (in whatever form) would need to be included certificate sign requests sent to a parent CA. The parent CA will need to include a 'cert_url', indicating where an issued certificate is published, in a different format. RFC8181 The RPKI publication protocol is based rsync URIs, and it assumes that publishers have access to a specific directory in rsync space. This would need to be changed. RFC8183 This RFC defines the identity exchange between an RPKI CA and Publication Server. The server's response includes an 'sia_base', in the form of an rsync directory, under which a CA is supposed to name its objects. RFC8182 The RRDP protocol uses rsync URIs for compatibility with rsync as a retrieval method. This would need to be updated. Obviously this needs more discussion. The exercise would not be trivial. But, arguably doing this work will not become easier by postponing it, and once done would leave the RPKI better positioned to use alternative access methods in future as well.

Note that this section is included for tracking purposes during the discussion phase of this document and is not intended to be included in an RFC.

The currently known support for RRDP for repositories is as follows: Repository Implementation Support for RRDP afrinicyes apnicyes arinyes lacnicongoing ripe nccyes Dragon Research Labsyes(1,2) krillyes(1) (1) in use at various National Internet Registries, as well as other resource holders under RIRs. (2) not all organizations using this software have upgraded to using RRDP.

The currently known support for RRDP in Relying Party software is as follows: Relying Party Implementation RRDP version since FORTyes1.2.002/2021 OctoRPKIyes1.0.002/2019 rcynicyes?? RIPE NCC RPKI Validator 2.xyes2.1807/2015 RIPE NCC RPKI Validator 3.xyes3.003/2018 Routinatoryes0.6.009/2019 rpki-clientongoing?? RPSTIR2yes2.004/2020 The authors kindly request Relying Party software implementers to let us know in which version of their tool support for RRDP was introduced, and when that version was released.

This document has no IANA actions.

TBD