aboutsummaryrefslogtreecommitdiff
path: root/rpkid
diff options
context:
space:
mode:
Diffstat (limited to 'rpkid')
-rw-r--r--rpkid/Doxyfile (renamed from rpkid/rpki/Doxyfile)6
-rw-r--r--rpkid/Makefile14
-rwxr-xr-xrpkid/cronjob.sh7
-rw-r--r--rpkid/doc/INSTALLATION (renamed from rpkid/INSTALLATION)2
-rw-r--r--rpkid/doc/OPERATION (renamed from rpkid/OPERATION)2
-rw-r--r--rpkid/doc/left-right-protocol477
-rw-r--r--rpkid/doc/publication-protocol227
7 files changed, 718 insertions, 17 deletions
diff --git a/rpkid/rpki/Doxyfile b/rpkid/Doxyfile
index 53ac97da..8907523a 100644
--- a/rpkid/rpki/Doxyfile
+++ b/rpkid/Doxyfile
@@ -40,7 +40,7 @@ PROJECT_NUMBER = 1.0
# If a relative path is entered, it will be relative to the location
# where doxygen was started. If left blank the current directory will be used.
-OUTPUT_DIRECTORY =
+OUTPUT_DIRECTORY = doc
# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create
# 4096 sub-directories (in 2 levels) under the output directory of each output
@@ -474,7 +474,7 @@ WARN_LOGFILE =
# directories like "/usr/src/myproject". Separate the files or directories
# with spaces.
-INPUT = .
+INPUT = rpki rpkid.py pubd.py
# This tag can be used to specify the character encoding of the source files that
# doxygen parses. Internally doxygen uses the UTF-8 encoding, which is also the default
@@ -529,7 +529,7 @@ EXCLUDE_SYMBOLS =
# directories that contain example code fragments that are included (see
# the \include command).
-EXAMPLE_PATH = ..
+EXAMPLE_PATH = .
# If the value of the EXAMPLE_PATH tag contains directories, you can use the
# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp
diff --git a/rpkid/Makefile b/rpkid/Makefile
index f9e2dd17..ba94e12f 100644
--- a/rpkid/Makefile
+++ b/rpkid/Makefile
@@ -79,21 +79,21 @@ irbe-cli.usage: irbe-cli.py
python irbe-cli.py --help | sed 's/^/ /' >$@
dox doxygen: irbe-cli.usage
- cd rpki && TZ='' doxygen
- cd rpki/latex && TZ='' make >/dev/null 2>&1
+ TZ='' doxygen
+ cd doc/latex && TZ='' make >/dev/null 2>&1
-doc:: dox INSTALLATION OPERATION ../docs/left-right-protocol ../docs/publication-protocol
+doc:: dox doc/INSTALLATION doc/OPERATION doc/left-right-protocol doc/publication-protocol
-INSTALLATION: rpki/html/Installation.html
+doc/INSTALLATION: doc/html/Installation.html
${HTML2TEXT}
-OPERATION: rpki/html/Operation.html
+doc/OPERATION: doc/html/Operation.html
${HTML2TEXT}
-../docs/left-right-protocol: rpki/html/Left-right.html
+doc/left-right-protocol: doc/html/Left-right.html
${HTML2TEXT}
-../docs/publication-protocol: rpki/html/Publication.html
+doc/publication-protocol: doc/html/Publication.html
${HTML2TEXT}
tags:
diff --git a/rpkid/cronjob.sh b/rpkid/cronjob.sh
index 97438a86..6e2e8a70 100755
--- a/rpkid/cronjob.sh
+++ b/rpkid/cronjob.sh
@@ -16,8 +16,6 @@
# PERFORMANCE OF THIS SOFTWARE.
# Generate Doxygen manual for RPKI code.
-#
-# At the moment this is just for the Python libraries.
lock=cronjob.lock
@@ -30,11 +28,10 @@ case "$1" in
locked)
exec >cronjob.log 2>&1
set -x
- cd rpki || exit
/usr/local/bin/svn update --quiet
- /bin/rm -rf html
+ /bin/rm -rf doc/html
PATH=/bin:/usr/bin:/usr/local/bin /usr/local/bin/doxygen </dev/null
- /usr/local/bin/rsync --archive --itemize-changes --delete-after html/ $target/
+ /usr/local/bin/rsync --archive --itemize-changes --delete-after doc/html/ $target/
;;
*)
diff --git a/rpkid/INSTALLATION b/rpkid/doc/INSTALLATION
index 4e2717c4..aec99f3f 100644
--- a/rpkid/INSTALLATION
+++ b/rpkid/doc/INSTALLATION
@@ -68,5 +68,5 @@ Installation
__________________________________________________________________
- Generated on Thu Jun 12 02:43:52 2008 for RPKI Engine by doxygen
+ Generated on Thu Jun 12 17:41:24 2008 for RPKI Engine by doxygen
1.5.5
diff --git a/rpkid/OPERATION b/rpkid/doc/OPERATION
index 7304512a..19471050 100644
--- a/rpkid/OPERATION
+++ b/rpkid/doc/OPERATION
@@ -688,5 +688,5 @@ testpoke.py
__________________________________________________________________
- Generated on Thu Jun 12 02:43:52 2008 for RPKI Engine by doxygen
+ Generated on Thu Jun 12 17:41:24 2008 for RPKI Engine by doxygen
1.5.5
diff --git a/rpkid/doc/left-right-protocol b/rpkid/doc/left-right-protocol
new file mode 100644
index 00000000..ba2d447f
--- /dev/null
+++ b/rpkid/doc/left-right-protocol
@@ -0,0 +1,477 @@
+Left-right protocol
+
+ The left-right protocol is really two separate client/server protocols
+ over separate channels between the RPKI engine and the IR back end
+ (IRBE).
+
+ The IRBE is the client for one of the subprotocols, the RPKI engine is
+ the client for the other.
+
+Terminology
+
+ * IRBE: Internet Registry Back End
+
+ * IRDB: Internet Registry Data Base
+
+ * BPKI: Business PKI
+
+ * RPKI: Resource PKI
+
+initiated by the IRBE
+
+ This part of the protcol uses a kind of message-passing. Each object
+ that the RPKI engine knows about takes five messages: "create", "set",
+ "get", "list", and "destroy". Actions which are not just data
+ operations on objects are handled via an SNMP-like mechanism, as if
+ they were fields to be set. For example, to generate a keypair one
+ "sets" the "generate-keypair" field of a BSC object, even though there
+ is no such field in the object itself as stored in SQL. This is a bit
+ of a kludge, but the reason for doing it as if these were variables
+ being set is to allow composite operations such as creating a BSC,
+ populating all of its data fields, and generating a keypair, all as a
+ single operation. With this model, that's trivial, otherwise it's at
+ least two round trips.
+
+ Fields can be set in either "create" or "set" operations, the
+ difference just being whether the object already exists. A "get"
+ operation returns all visible fields of the object. A "list" operation
+ returns a list containing what "get" would have returned on each of
+ those objects.
+
+ Left-right protocol objects are encoded as signed CMS messages
+ containing XML as eContent and using an eContentType OID of id-ct-xml
+ (1.2.840.113549.1.9.16.1.28). These CMS messages are in turn passed as
+ the data for HTTPS POST operations, with an HTTP content type of
+ "application/x-rpki" for both the POST data and the response data.
+
+ All operations allow an optional "tag" attribute which can be any
+ alphanumeric token. The main purpose of the tag attribute is to allow
+ batching of multiple requests into a single PDU.
+
+<self/> object
+
+ A <self/> object represents one virtual RPKI engine. In simple cases
+ where the RPKI engine operator operates the engine only on their own
+ behalf, there will only be one <self/> object, representing the engine
+ operator's organization, but in environments where the engine operator
+ hosts other entities, there will be one <self/> object per hosted
+ entity (probably including the engine operator's own organization,
+ considered as a hosted customer of itself).
+
+ Some of the RPKI engine's configured parameters and data are shared by
+ all hosted entities, but most are tied to a specific <self/> object.
+ Data which are shared by all hosted entities are referred to as
+ "per-engine" data, data which are specific to a particular <self/>
+ object are "per-self" data.
+
+ Since all other RPKI engine objects refer to a <self/> object via a
+ "self_id" value, one must create a <self/> object before one can
+ usefully configure any other left-right protocol objects.
+
+ Every <self/> object has a self_id attribute, which must be specified
+ for the "set", "get", and "destroy" actions.
+
+ Payload data which can be configured in a <self/> object:
+
+ * use_hsm (attribute): Whether to use a Hardware Signing Module. At
+ present this option has no effect, as the implementation does not
+ yet support HSMs.
+
+ * crl_interval (attribute): Positive integer representing the planned
+ lifetime of an RPKI CRL for this <self/>, measured in seconds.
+
+ * regen_margin (attribute): Positive integer representing how long
+ before expiration of an RPKI certificiate a new one should be
+ generated, measured in seconds. At present this only affects the
+ one-off EE certificates associated with ROAs.
+
+ * bpki_cert (element): BPKI CA certificate for this <self/>. This is
+ used as part of the certificate chain when validating incoming TLS
+ and CMS messages, and should be the issuer of cross-certification
+ BPKI certificates used in <repository/>, <parent/>, and <child/>
+ objects. If the bpki_glue certificate is in use (below), the
+ bpki_cert certificate should be issued by the bpki_glue
+ certificate; otherwise, the bpki_cert certificate should be issued
+ by the per-engine bpki_ta certificate.
+
+ * bpki_glue (element): Another BPKI CA certificate for this <self/>,
+ usually not needed. Certain pathological cross-certification cases
+ require a two-certificate chain due to issuer name conflicts. If
+ used, the bpki_glue certificate should be the issuer of the
+ bpki_cert certificate and should be issued by the per-engine
+ bpki_ta certificate; if not needed, the bpki_glue certificate
+ should be left unset.
+
+ Control attributes that can be set to "yes" to force actions:
+
+ * rekey: Start a key rollover for every RPKI CA associated with every
+ <parent/> object associated with this <self/> object. This is the
+ first phase of a key rollover operation.
+
+ * revoke: Revoke any remaining certificates for any expired key
+ associated with any RPKI CA for any <parent/> object associated
+ with this <self/> object. This is the second (cleanup) phase for a
+ key rollover operation; it's separate from the first phase to leave
+ time for new RPKI certificates to propegate and be installed.
+
+ * reissue: Not implemented, may be removed from protocol. Original
+ theory was that this operation would force reissuance of any object
+ with a changed key, but as that happens automatically as part of
+ the key rollover mechanism this operation seems unnecessary.
+
+ * run_now: Force immediate processing for all tasks associated with
+ this <self/> object that would ordinarily be performed under cron.
+ Not currently implemented.
+
+ * publish_world_now: Force (re)publication of every publishable
+ object for this <self/> object. Not currently implemented. Intended
+ to aid in recovery if RPKI engine and publication engine somehow
+ get out of sync.
+
+<bsc/> object
+
+ The <bsc/> ("business signing context") object represents all the BPKI
+ data needed to sign outgoing CMS or HTTPS messages. Various other
+ objects include pointers to a <bsc/> object. Whether a particular
+ <self/> uses only one <bsc/> or multiple is a configuration decision
+ based on external requirements: the RPKI engine code doesn't care, it
+ just cares that, for any object representing a relationship for which
+ it must sign messages, there be a <bsc/> object that it can use to
+ produce that signature.
+
+ Every <bsc/> object has a bsc_id, which must be specified for the
+ "get", "set", and "destroy" actions. Every <bsc/> also has a self_id
+ attribute which indicates the <self/> object with which this <bsc/>
+ object is associated.
+
+ Payload data which can be configured in a <isc/> object:
+
+ * signing_cert (element): BPKI certificate to use when generating a
+ signature.
+
+ * signing_cert_crl (element): CRL which would list signing_cert if it
+ had been revoked.
+
+ Control attributes that can be set to "yes" to force actions:
+
+ * generate_keypair: Generate a new BPKI keypair and return a PKCS #10
+ certificate request. The resulting certificate, once issued, should
+ be configured as this <bsc/> object's signing_cert.
+
+ Additional attributes which may be specified when specifying
+ "generate_keypair":
+
+ * key_type: Type of BPKI keypair to generate. "rsa" is both the
+ default and, at the moment, the only allowed value.
+
+ * hash_alg: Cryptographic hash algorithm to use with this keypair.
+ "sha256" is both the default and, at the moment, the only allowed
+ value.
+
+ * key_length: Length in bits of the keypair to be generated. "2048"
+ is both the default and, at the moment, the only allowed value.
+
+ Replies to "create" and "set" actions that specify "generate-keypair"
+ include a <bsc_pkcs10/> element, as do replies to "get" and "list"
+ actions for a <bsc/> object for which a "generate-keypair" command has
+ been issued. The RPKI engine stores the PKCS #10 request, which allows
+ the IRBE to reuse the request if and when it needs to reissue the
+ corresponding BPKI signing certificate.
+
+<parent/> object
+
+ The <parent/> object represents the RPKI engine's view of a particular
+ parent of the current <self/> object in the up-down protocol. Due to
+ the way that the resource hierarchy works, a given <self/> may obtain
+ resources from multiple parents, but it will always have at least one;
+ in the case of IANA or an RIR, the parent RPKI engine may be a trivial
+ stub.
+
+ Every <parent/> object has a parent_id, which must be specified for the
+ "get", "set", and "destroy" actions. Every <parent/> also has a self_id
+ attribute which indicates the <self/> object with which this <parent/>
+ object is associated, a bsc_id attribute indicating the <bsc/> object
+ to be used when signing messages sent to this parent, and a
+ repository_id indicating the <repository/> object to be used when
+ publishing issued by the certificate issued by this parent.
+
+ Payload data which can be configured in a <parent/> object:
+
+ * peer_contact_uri (attribute): HTTPS URI used to contact this
+ parent.
+
+ * sia_base (attribute): The leading portion of an rsync URI that the
+ RPKI engine should use when composing the publication URI for
+ objects issued by the RPKI certificate issued by this parent.
+
+ * sender_name (attribute): Sender name to use in the up-down protocol
+ when talking to this parent. The RPKI engine doesn't really care
+ what this value is, but other implementations of the up-down
+ protocol do care.
+
+ * recipient_name (attribute): Recipient name to use in the up-down
+ protocol when talking to this parent. The RPKI engine doesn't
+ really care what this value is, but other implementations of the
+ up-down protocol do care.
+
+ * bpki_cms_cert (element): BPKI CMS CA certificate for this
+ <parent/>. This is used as part of the certificate chain when
+ validating incoming CMS messages If the bpki_cms_glue certificate
+ is in use (below), the bpki_cms_cert certificate should be issued
+ by the bpki_cms_glue certificate; otherwise, the bpki_cms_cert
+ certificate should be issued by the bpki_cert certificate in the
+ <self/> object.
+
+ * bpki_cms_glue (element): Another BPKI CMS CA certificate for this
+ <parent/>, usually not needed. Certain pathological
+ cross-certification cases require a two-certificate chain due to
+ issuer name conflicts. If used, the bpki_cms_glue certificate
+ should be the issuer of the bpki_cms_cert certificate and should be
+ issued by the bpki_cert certificate in the <self/> object; if not
+ needed, the bpki_cms_glue certificate should be left unset.
+
+ * bpki_https_cert (element): BPKI HTTPS CA certificate for this
+ <parent/>. This is like the bpki_cms_cert object, only used for
+ validating incoming TLS messages rather than CMS.
+
+ * bpki_cms_glue (element): Another BPKI HTTPS CA certificate for this
+ <parent/>, usually not needed. This is like the bpki_cms_glue
+ certificate, only used for validating incoming TLS messages rather
+ than CMS.
+
+ Control attributes that can be set to "yes" to force actions:
+
+ * rekey: This is like the rekey command in the <self/> object, but
+ limited to RPKI CAs under this parent.
+
+ * reissue: This is like the reissue command in the <self/> object,
+ but limited to RPKI CAs under this parent.
+
+ * revoke: This is like the revoke command in the <self/> object, but
+ limited to RPKI CAs under this parent.
+
+<child/> object
+
+ The <child/> object represents the RPKI engine's view of particular
+ child of the current <self/> in the up-down protocol.
+
+ Every <child/> object has a parent_id, which must be specified for the
+ "get", "set", and "destroy" actions. Every <child/> also has a self_id
+ attribute which indicates the <self/> object with which this <child/>
+ object is associated.
+
+ Payload data which can be configured in a <child/> object:
+
+ * bpki_cert (element): BPKI CA certificate for this <child/>. This is
+ used as part of the certificate chain when validating incoming TLS
+ and CMS messages. If the bpki_glue certificate is in use (below),
+ the bpki_cert certificate should be issued by the bpki_glue
+ certificate; otherwise, the bpki_cert certificate should be issued
+ by the bpki_cert certificate in the <self/> object.
+
+ * bpki_glue (element): Another BPKI CA certificate for this <child/>,
+ usually not needed. Certain pathological cross-certification cases
+ require a two-certificate chain due to issuer name conflicts. If
+ used, the bpki_glue certificate should be the issuer of the
+ bpki_cert certificate and should be issued by the bpki_cert
+ certificate in the <self/> object; if not needed, the bpki_glue
+ certificate should be left unset.
+
+ Control attributes that can be set to "yes" to force actions:
+
+ * reissue: Not implemented, may be removed from protocol.
+
+<repository/> object
+
+ The <repository/> object represents the RPKI engine's view of a
+ particular publication repository used by the current <self/> object.
+
+ Every <repository/> object has a repository_id, which must be specified
+ for the "get", "set", and "destroy" actions. Every <repository/> also
+ has a self_id attribute which indicates the <self/> object with which
+ this <repository/> object is associated.
+
+ Payload data which can be configured in a <repository/> object:
+
+ * peer_contact_uri (attribute): HTTPS URI used to contact this
+ repository.
+
+ * bpki_cms_cert (element): BPKI CMS CA certificate for this
+ <repository/>. This is used as part of the certificate chain when
+ validating incoming CMS messages If the bpki_cms_glue certificate
+ is in use (below), the bpki_cms_cert certificate should be issued
+ by the bpki_cms_glue certificate; otherwise, the bpki_cms_cert
+ certificate should be issued by the bpki_cert certificate in the
+ <self/> object.
+
+ * bpki_cms_glue (element): Another BPKI CMS CA certificate for this
+ <repository/>, usually not needed. Certain pathological
+ cross-certification cases require a two-certificate chain due to
+ issuer name conflicts. If used, the bpki_cms_glue certificate
+ should be the issuer of the bpki_cms_cert certificate and should be
+ issued by the bpki_cert certificate in the <self/> object; if not
+ needed, the bpki_cms_glue certificate should be left unset.
+
+ * bpki_https_cert (element): BPKI HTTPS CA certificate for this
+ <repository/>. This is like the bpki_cms_cert object, only used for
+ validating incoming TLS messages rather than CMS.
+
+ * bpki_cms_glue (element): Another BPKI HTTPS CA certificate for this
+ <repository/>, usually not needed. This is like the bpki_cms_glue
+ certificate, only used for validating incoming TLS messages rather
+ than CMS.
+
+ At present there are no control attributes for <repository/> objects.
+
+<route_origin/> object
+
+ The <route_origin/> object is a kind of prototype for a ROA. It
+ contains all the information needed to generate a ROA once the RPKI
+ engine obtains the appropriate RPKI certificates from its parent(s).
+
+ Note that a <route_origin/> object represents a ROA to be generated on
+ behalf of <self/>, not on behalf of a <child/>. Thus, a hosted entity
+ that has no children but which does need to generate ROAs would be
+ represented by a hosted <self/> with no <child/> objects but one or
+ more <route_origin/> objects. While lumping ROA generation in with the
+ other RPKI engine activities may seem a little odd at first, it's a
+ natural consequence of the design requirement that the RPKI daemon
+ never transmit private keys across the network in any form; given this
+ requirement, the RPKI engine that holds the private keys for an RPKI
+ certificate must also be the engine which generates any ROAs that
+ derive from that RPKI certificate.
+
+ The precise content of the <route_origin/> has changed over time as the
+ underlying ROA specification has changed. The current implementation as
+ of this writing matches what we expect to see in
+ draft-ietf-sidr-roa-format-03, once it is issued. In particular, note
+ that the exactMatch boolean from the -02 draft has been replaced by the
+ prefix and maxLength encoding used in the -03 draft.
+
+ Payload data which can be configured in a <route_origin/> object:
+
+ * as_number (attribute): Autonomous System Number (ASN) to place in
+ the generated ROA. A single ROA can only grant authorization to a
+ single ASN; multiple ASNs require multiple ROAs, thus multiple
+ <route_origin/> objects.
+
+ * ipv4 (attribute): List of IPv4 prefix and maxLength values, see
+ below for format.
+
+ * ipv6 (attribute): List of IPv6 prefix and maxLength values, see
+ below for format.
+
+ Control attributes that can be set to "yes" to force actions:
+
+ * suppress_publication: Not implemented, may be removed from
+ protocol.
+
+ The lists of IPv4 and IPv6 prefix and maxLength values are represented
+ as comma-separated text strings, with no whitespace permitted. Each
+ entry in such a string represents a single prefix/maxLength pair.
+
+ ABNF for these address lists:
+
+
+ <ROAIPAddress> ::= <address> "/" <prefixlen> [ "-" <max_prefixlen> ]
+ ; Where <max_prefixlen> defaults to the same
+ ; value as <prefixlen>.
+
+ <ROAIPAddressList> ::= <ROAIPAddress> *( "," <ROAIPAddress> )
+
+
+ For example, "10.0.1.0/24-32,10.0.2.0/24", which is a shorthand form of
+ "10.0.1.0/24-32,10.0.2.0/24-24".
+
+Operations initiated by the RPKI engine
+
+ The left-right protocol also includes queries from the RPKI engine back
+ to the IRDB. These queries do not follow the message-passing pattern
+ used in the IRBE-initiated part of the protocol. Instead, there's a
+ single query back to the IRDB, with a corresponding response. The CMS
+ and HTTPS encoding are the same as in the rest of the protocol, but the
+ BPKI certificates will be different as the back-queries and responses
+ form a separate communication channel.
+
+<list_resources/> messages
+
+ The <list_resources/> query and response allow the RPKI engine to ask
+ the IRDB for information about resources assigned to a particular
+ child. The query must include both a "self_id" attribute naming the
+ <self/> that is making the request and also a "child_id" attribute
+ naming the child that is the subject of the query. The query and
+ response also allow an optional "tag" attribute of the same form used
+ elsewhere in this protocol, to allow batching.
+
+ A <list_resources/> response includes the following attributes, along
+ with the tag (if specified), self_id, and child_id copied from the
+ request:
+
+ * valid_until: A timestamp indicating the date and time at which
+ certificates generated by the RPKI engine for these data should
+ expire. The timestamp is expressed as an XML xsd:dateTime, must be
+ expressed in UTC, and must carry the "Z" suffix indicating UTC.
+
+ * subject_name: An optional text string naming the child. Not
+ currently used.
+
+ * asn: A list of autonomous sequence numbers, expressed as a
+ comma-separated sequence of decimal integers with no whitespace.
+
+ * ipv4: A list of IPv4 address prefixes and ranges, expressed as a
+ comma-separated list of prefixes and ranges with no whitespace. See
+ below for format details.
+
+ * ipv6: A list of IPv6 address prefixes and ranges, expressed as a
+ comma-separated list of prefixes and ranges with no whitespace. See
+ below for format details.
+
+ Entries in a list of address prefixes and ranges can be either
+ prefixes, which are written in the usual address/prefixlen notation, or
+ ranges, which are expressed as a pair of addresses denoting the
+ beginning and end of the range, written in ascending order separated by
+ a single "-" character. This format is superficially similar to the
+ format used for prefix and maxLength values in the <route_origin/>
+ object, but the semantics differ: note in particular that
+ <route_origin/> objects don't allow ranges, while <list_resources/>
+ messages don't allow a maxLength specification.
+
+Error handling
+
+ Error in this protocol are handled at two levels.
+
+ Since all messages in this protocol are conveyed over HTTPS
+ connections, basic errors are indicated via the HTTP response code. 4xx
+ and 5xx responses indicate that something bad happened. Errors that
+ make it impossible to decode a query or encode a response are handled
+ in this way.
+
+ Where possible, errors will result in a <report_error/> message which
+ takes the place of the expected protocol response message.
+ <report_error/> messages are CMS-signed XML messages like the rest of
+ this protocol, and thus can be archived to provide an audit trail.
+
+ <report_error/> messages only appear in replies, never in queries. The
+ <report_error/> message can appear on either the "forward" (IRBE as
+ client of RPKI engine) or "back" (RPKI engine as client of IRDB)
+ communication channel.
+
+ The <report_error/> message includes an optional "tag" attribute to
+ assist in matching the error with a particular query when using
+ batching, and also includes a "self_id" attribute indicating the
+ <self/> that issued the error.
+
+ The error itself is conveyed in the error_code (attribute). The value
+ of this attribute is a token indicating the specific error that
+ occurred. At present this will be the name of a Python exception; the
+ production version of this protocol will nail down the allowed error
+ tokens here, probably in the RelaxNG schema.
+
+ The body of the <report_error/> element itself is an optional text
+ string; if present, this is debugging information. At present this
+ capabilty is not used, debugging information goes to syslog.
+ __________________________________________________________________
+
+
+ Generated on Thu Jun 12 17:41:25 2008 for RPKI Engine by doxygen
+ 1.5.5
diff --git a/rpkid/doc/publication-protocol b/rpkid/doc/publication-protocol
new file mode 100644
index 00000000..c6bf4c13
--- /dev/null
+++ b/rpkid/doc/publication-protocol
@@ -0,0 +1,227 @@
+Publication protocol
+
+ The publication protocol is really two separate client/server
+ protocols, between different parties.
+
+ The first is a configuration protocol for the IRBE to use to configure
+ the publication engine, the second is the interface by which authorized
+ clients request publication of specific objects.
+
+ Much of the architecture of the publication protocol is borrowed from
+ the left-right protocol: like the left-right protocol, the publication
+ protocol uses CMS-wrapped XML over HTTPS with the same eContentType OID
+ and the same HTTPS content-type, and the overall style of the XML
+ messages is very similar to the left-right protocol. All operations
+ allow an optional "tag" attribute to allow batching.
+
+ The publication engine operates a single HTTPS server which serves both
+ of these subprotocols. The two subprotocols share a single server port,
+ but use distinct URLs.
+
+Terminology
+
+ * IRBE: Internet Registry Back End
+
+ * IRDB: Internet Registry Data Base
+
+ * BPKI: Business PKI
+
+ * RPKI: Resource PKI
+
+Publication control subprotocol
+
+ The control subprotocol reuses the message-passing design of the
+ left-right protocol. Configured objects support the "create", "set",
+ "get", "list", and "destroy" actions, or a subset thereof when the full
+ set of actions doesn't make sense.
+
+<config/> object
+
+ The <config/> object allows configuration of data that apply to the
+ entire publication server rather than a particular client.
+
+ There is exactly one <config/> object in the publication server, and it
+ only supports the "set" and "get" actions -- it cannot be created or
+ destroyed.
+
+ Payload data which can be configured in a <config/> object:
+
+ * bpki_crl (element): This is the BPKI CRL used by the publication
+ server when signing the CMS wrapper on responses in the publication
+ subprotocol. As the CRL must be updated at regular intervals, it's
+ not practical to restart the publication server when the BPKI CRL
+ needs to be updated. Fortunately, the BPKI model doesn't require
+ use of a BPKI CRL between the IRBE and the publication server, so
+ we can use the publication control subprotocol to update the BPKI
+ CRL.
+
+<client/> object
+
+ The <client/> object represents one client authorized to use the
+ publication server.
+
+ The <client/> object supports the full set of "create", "set", "get",
+ "list", and "destroy" actions. Each client has a "client_id" attribute,
+ which is used in responses and must be specified in "set", "get", or
+ "destroy" actions.
+
+ Payload data which can be configured in a <client/> object:
+
+ * base_uri (attribute): This is the base URI below which this client
+ is allowed to publish data. The publication server may impose
+ additional constraints in the case of a child publishing beneath
+ its parent.
+
+ * bpki_cert (element): BPKI CA certificate for this <client/>. This
+ is used as part of the certificate chain when validating incoming
+ TLS and CMS messages. If the bpki_glue certificate is in use
+ (below), the bpki_cert certificate should be issued by the
+ bpki_glue certificate; otherwise, the bpki_cert certificate should
+ be issued by the publication engine's bpki_ta certificate.
+
+ * bpki_glue (element): Another BPKI CA certificate for this
+ <client/>, usually not needed. Certain pathological
+ cross-certification cases require a two-certificate chain due to
+ issuer name conflicts. If used, the bpki_glue certificate should be
+ the issuer of the bpki_cert certificate and should be issued by the
+ publication engine's bpki_ta certificate; if not needed, the
+ bpki_glue certificate should be left unset.
+
+Publication subprotocol
+
+ The publication subprotocol is structured somewhat differently from the
+ publication control protocol. Objects in the publication subprotocol
+ represent objects to be published or objects to be withdrawn from
+ publication. Each kind of object supports two actions: "publish" and
+ "withdraw". In each case the XML element representing hte object to be
+ published or withdrawn has a "uri" attribute which contains the
+ publication URI. For "publish" actions, the XML element body contains
+ the DER object to be published, encoded in Base64; for "withdraw"
+ actions, the XML element body is empty.
+
+ In theory, the detailed access control for each kind of object might be
+ different. In practice, as of this writing, access control for all
+ objects is a simple check that the client's "base_uri" is a leading
+ substring of the publication URI. Details of why access control might
+ need to become more complicated are discussed in a later section.
+
+<certificate/> object
+
+ The <certificate/> object represents an RPKI certificate to be
+ published or withdrawn.
+
+<crl/> object
+
+ The <crl/> object represents an RPKI CRL to be published or withdrawn.
+
+<manifest/> object
+
+ The <manifest/> object represents an RPKI publication manifest to be
+ published or withdrawn.
+
+ Note that part of the reason for the batching support in the
+ publication protocol is because every publication or withdrawal action
+ requires a new manifest, thus every publication or withdrawal action
+ will involve at least two objects.
+
+<roa/> object
+
+ The <roa/> object represents a ROA to be published or withdrawn.
+
+Error handling
+
+ Error in this protocol are handled at two levels.
+
+ Since all messages in this protocol are conveyed over HTTPS
+ connections, basic errors are indicated via the HTTP response code. 4xx
+ and 5xx responses indicate that something bad happened. Errors that
+ make it impossible to decode a query or encode a response are handled
+ in this way.
+
+ Where possible, errors will result in a <report_error/> message which
+ takes the place of the expected protocol response message.
+ <report_error/> messages are CMS-signed XML messages like the rest of
+ this protocol, and thus can be archived to provide an audit trail.
+
+ <report_error/> messages only appear in replies, never in queries. The
+ <report_error/> message can appear on either the "forward" (IRBE as
+ client of RPKI engine) or "back" (RPKI engine as client of IRDB)
+ communication channel.
+
+ The <report_error/> message includes an optional "tag" attribute to
+ assist in matching the error with a particular query when using
+ batching, and also includes a "self_id" attribute indicating the
+ <self/> that issued the error.
+
+ The error itself is conveyed in the error_code (attribute). The value
+ of this attribute is a token indicating the specific error that
+ occurred. At present this will be the name of a Python exception; the
+ production version of this protocol will nail down the allowed error
+ tokens here, probably in the RelaxNG schema.
+
+ The body of the <report_error/> element itself is an optional text
+ string; if present, this is debugging information. At present this
+ capabilty is not used, debugging information goes to syslog.
+
+Additional access control considerations.
+
+ As detailed above, the publication protocol is trivially simple. This
+ glosses over two bits of potential complexity:
+
+ * In the case where parent and child are sharing a repository, we'd
+ like to nest child under parent, because testing has demonstrated
+ that even on relatively slow hardware the delays involved in
+ setting up separate rsync connections tend to dominate
+ synchronization time for relying parties.
+
+ * The repository operator might also want to do some checks to assure
+ itself that what it's about to allow the RPKI engine to publish is
+ not dangerous toxic waste.
+
+ The up-down protocol includes a mechanism by which a parent can suggest
+ a publication URI to each of its children. The children are not
+ required to accept this hint, and the children must make separate
+ arrangements with the repository operator (who might or might not be
+ the same as the entity that hosts the children's RPKI engine
+ operations) to use the suggested publication point, but if everything
+ works out, this allows children to nest cleanly under their parents
+ publication points, which helps reduce synchronization time for relying
+ parties.
+
+ In this case, one could argue that the publication server is
+ responsible for preventing one of its clients (the child in the above
+ description) from stomping on data published by another of its clients
+ (the parent in the above description). This goes beyond the basic
+ access check and requires the publication server to determine whether
+ the parent has given its consent for the child to publish under the
+ parent. Since the RPKI certificate profile requires the child's
+ publication point to be indicated in an SIA extension in a certificate
+ issued by the parent to the child, the publication engine can infer
+ this permission from the parent's issuance of a certificate to the
+ child. Since, by definition, the parent also uses this publication
+ server, this is an easy check, as the publication server should already
+ have the parent's certificate available by the time it needs to check
+ the child's certificate.
+
+ The previous paragraph only covers a "publish" action for a
+ <certificate/> object. For "publish" actions on other objects, the
+ publication server would need to trace permission back to the
+ certificate issued by the parent; for "withdraw" actions, the
+ publication server would have to perform the same checks it would
+ perform for a "publish" action, using the current published data before
+ withdrawing it. The latter in turn implies an ordering constraint on
+ "withdraw" actions in order to preserve the data necessary for these
+ access control decisions; as this may prove impractical, the
+ publication server may probably need to make periodic sweeps over its
+ published data looking for orphaned objects, but that's probably a good
+ idea anyway.
+
+ Note that, in this publication model, any agreement that the repository
+ makes to publish the RPKI engine's output is conditional upon the
+ object to be published passing whatever access control checks the
+ publication server imposes.
+ __________________________________________________________________
+
+
+ Generated on Thu Jun 12 17:41:25 2008 for RPKI Engine by doxygen
+ 1.5.5
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-11 19:28:19 +0000