Re: [OPSAWG] WG LC: draft-ietf-opsawg-finding-geofeeds

Job Snijders <> Mon, 01 February 2021 19:16 UTC

Date: Mon, 1 Feb 2021 20:16:40 +0100
From: Job Snijders <>
Message-ID: <YBhTmPpaH7d/w9L+@snel>
List-Id: OPSA Working Group Mail List

Dear working group,

On Fri, Jan 22, 2021 at 09:43:26PM +0000, Joe Clarke (jclarke) wrote:
> Happy new year, opsawg.  The draft-ietf-opsawg-finding-geofeeds draft
> has undergone some discussion and with the recent -01 revision of the WG
> version of the document, the authors have made all pending changes based
> on feedback.
> We would like to conduct a two-week working group last call on this
> document (ending February 5, 2021).  George Michaelson has agreed to
> shepherd this document through the last-call and IESG processes.
> Please reply with your comments by Feb 5, 2021.  Thanks.

I've read the draft and labored to implement the various moving parts
described in the draft in the real world. I'll summarize the various
implementation aspects and provide POSIX-y CLI examples.


Finding the Geofeed

mechanism #1: 'native attribute'

Internet Routing Registry daemon (IRRd) version 4 supports 'geofeed:'
RPSL attributes natively:

mechanism #2: 'overloading remarks: field'

As the RIPE NCC WHOIS Server does not yet support the 'geofeed:' attribute, I
opted to use the "remarks: Geofeed ${URI}" workaround, gotta love
permission-less innovation! :-).

One can query the RIPE NCC database using WHOIS to find the reference
(or plow through

    $ whois -h -- '-rBGTinet6num 2001:67c:208c::/48' \
        | grep Geofeed
    remarks:        Geofeed

One can download the linked Geofeed file for inspection:

    $ ftp -MV
    $ ls -al geofeed.csv
    -rw-r--r--  1 job  wheel  2120 Feb  1 17:31 geofeed.csv

Authenticating the Geofeed data

The uncommented section of the file conforms to RFC 8805:

    $ head -1 geofeed.csv | tee geofeed_tbs

The commented out section of the geofeed.csv file contains a base64
encoded detached CMS signature (DER) using the 'id-ct-geofeedCSVwithCRLF'
content type, a sha256 message digest, and can be verified against a
public CA. The CA can be reached through the RIPE NCC RPKI Trust Anchor
and has 2001:67c:208c::/48 as subordinate resource.

Extract DER encoded signature:

    $ cat geofeed.csv | sed '1,2d;$d' | base64 -d > signature.der

Extract the EE certificate (in PEM format) from the CMS envelope:

    $ openssl cms -verify -noverify -in signature.der -inform DER \
          -certsout ee.pem 2>/dev/zero

Inspect the EE certificate to see which authority signed it:

    $ openssl x509 -in ee.pem -noout -ext sbgp-ipAddrBlock,authorityInfoAccess
    sbgp-ipAddrBlock: critical

     Authority Information Access:
         CA Issuers - URI:rsync://

A validated RPKI cache on the local filesystem can be constructed using
a utility like OpenBSD's rpki-client ( Copy
the CA certificate from the validated cache, and convert it to PEM format:

    $ openssl x509 \
        -in /var/cache/rpki-client/ \
        -inform DER -out ca.pem

Finally, verify the signature over the Geofeed content against the

    $ openssl cms -verify -content geofeed_tbs \
        -in signature.der -inform DER -CAfile ca.pem
    Verification successful


I believe with the above I've independently implemented all aspects of
draft-ietf-opsawg-finding-geofeeds in one way or another, demonstrating
the described procedures are correct, verifiable, and somewhat

The prefix I used is a real-world example, allowing others to inspect
the referenced inet6num RPSL object, the associated Geofeed file,
including the authentication aspect. Appendix A was very helpful.

Kind regards,
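As an added example (not part of the message above, nor code from the draft or rpki-client), a small Python parser that does in one place what the head/sed/base64 pipeline in the message does by hand: it separates the RFC 8805 data lines (the to-be-signed content) from the base64 signature carried in the comment block, sanity-checks prefixes and country/region fields, and returns the DER bytes one would hand to `openssl cms -verify`. The marker lines that delimit the signature block, the rule that the signature covers everything before that block, and the sample feed (documentation prefixes, dummy DER) are assumptions made for this example.

```python
import base64
import hashlib
import ipaddress
import re

# Assumed markers (this example's convention, not quoted from the draft):
# '# RPKI Signature: <prefix>', then '# <base64>' lines, then '# End Signature: <prefix>'.
SIG_START = re.compile(r"^#\s*RPKI Signature:\s*(\S+)$")
SIG_END = re.compile(r"^#\s*End Signature:\s*(\S+)$")
B64_LINE = re.compile(r"^#\s*([A-Za-z0-9+/=]+)$")
REGION = re.compile(r"^([A-Z]{2})-[A-Z0-9]{1,3}$")  # ISO 3166-2, e.g. NL-NH

def parse_signed_geofeed(text: str) -> dict:
    entries, tbs, b64, in_sig = [], [], [], False
    for raw in text.splitlines(keepends=True):
        line = raw.rstrip("\r\n")
        if not in_sig and SIG_START.match(line):
            in_sig = True
            continue
        if in_sig:
            if SIG_END.match(line):
                in_sig = False
            elif m := B64_LINE.match(line):
                b64.append(m.group(1))
            else:
                raise ValueError(f"bad line in signature block: {line!r}")
            continue
        tbs.append(raw)  # assumed: the signature covers everything before the block
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and ordinary comments carry no data
        f = (line.split(",") + [""] * 5)[:5]  # ip_prefix,alpha2,region,city,postal
        net = ipaddress.ip_network(f[0], strict=True)  # rejects host bits set
        if f[1] and not re.fullmatch(r"[A-Z]{2}", f[1]):
            raise ValueError(f"bad alpha2 country code: {f[1]!r}")
        if f[2] and (not (r := REGION.match(f[2])) or r.group(1) != f[1]):
            raise ValueError(f"region {f[2]!r} does not match country {f[1]!r}")
        entries.append((net, f[1], f[2], f[3], f[4]))
    if in_sig:
        raise ValueError("unterminated signature block")
    tbs_bytes = "".join(tbs).encode()
    sig = base64.b64decode("".join(b64), validate=True) if b64 else None
    return {"entries": entries, "tbs": tbs_bytes, "signature": sig,
            "sha256": hashlib.sha256(tbs_bytes).hexdigest()}

# Constructed sample: documentation prefixes and a dummy DER SEQUENCE standing
# in for the real CMS SignedData that 'openssl cms -verify' would check.
SAMPLE_DER = b"\x30\x06\x02\x01\x01\x02\x01\x02"
SAMPLE_FEED = ("192.0.2.0/24,NL,NL-NH,Amsterdam,\r\n2001:db8::/32,NL,,,\r\n"
               "# RPKI Signature: 192.0.2.0/24\r\n# "
               + base64.b64encode(SAMPLE_DER).decode()
               + "\r\n# End Signature: 192.0.2.0/24\r\n")
```

The returned `tbs` bytes are what would be written to `geofeed_tbs` and the `signature` bytes are what would be written to `signature.der` before running the `openssl cms` commands from the message.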