[Sidrops] Re: new idea: Canonical Cache Representation (draft-spaghetti-sidrops-rpki-ccr-00)
Russ Housley <housley@vigilsec.com> Thu, 11 September 2025 16:28 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: sidrops@mail2.ietf.org
Delivered-To: sidrops@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id D55416117E02 for <sidrops@mail2.ietf.org>; Thu, 11 Sep 2025 09:28:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=vigilsec.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nj3J64Lj5BMv for <sidrops@mail2.ietf.org>; Thu, 11 Sep 2025 09:28:24 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 0D8D76117DFB for <sidrops@ietf.org>; Thu, 11 Sep 2025 09:28:24 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id E46331A0AFD; Thu, 11 Sep 2025 12:28:23 -0400 (EDT)
Received: from smtpclient.apple (pool-96-255-71-95.washdc.fios.verizon.net [96.255.71.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id D43151A100F; Thu, 11 Sep 2025 12:28:23 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <060671EA-7EAC-403A-819B-32757C3ABF7B@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_34401D2F-ADCB-433A-A960-77C3425BF2F7"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3826.700.81\))
Date: Thu, 11 Sep 2025 12:28:13 -0400
In-Reply-To: <aMKmLzO75Zb2xebR@anton.sobornost.net>
To: Job Snijders <job@sobornost.net>
References: <aMKmLzO75Zb2xebR@anton.sobornost.net>
X-Mailer: Apple Mail (2.3826.700.81)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=vigilsec.com; h=from:message-id:content-type:mime-version:subject:date:in-reply-to:cc:to:references; s=pair-202402141609; bh=hB+XZ1Ck2nwSdTpnk7J3ck9W8uNFNKJQ3NZv+F27sDQ=; b=f24B0raSP4SAerczQC67oGrs1E36u87RHvybOGXKyxYuVv/vk70UpNW/bofozFeg0ptJ0yNf5BAOidfMaKHkCsuJD+73IEVOsukdSFw8K41ARisVQU7Gkvi4CtZztTpYG5kPeYFZx+OotDivJa3UvLftl4uqUKjyZx855FEFIvW0pjfpPMjP5oxSEGSrIUUt2AsCvOqmddgrYpol4Itvw2nDqitgxiSjAUpa6X8u0Rk3RfiOi1wxASete5dWfv4gqrTW5DznLtub6HeWqgJLPDbGj1VJPjvz4hdYHTxCHR9nFxCLuH1+0+8373yBBWoUSngowNc9CDfyMmhW40wmOA==
X-Scanned-By: mailmunge 3.09 on 66.39.134.11
Message-ID-Hash: WY5AU7MCBPUDBVQ2MCRTJ7T443EKOYGG
X-Message-ID-Hash: WY5AU7MCBPUDBVQ2MCRTJ7T443EKOYGG
X-MailFrom: housley@vigilsec.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-sidrops.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: IETF SIDRops <sidrops@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Sidrops] Re: new idea: Canonical Cache Representation (draft-spaghetti-sidrops-rpki-ccr-00)
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/o6zDqhe7Sg6QziSoMHPbke5UVH8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Owner: <mailto:sidrops-owner@ietf.org>
List-Post: <mailto:sidrops@ietf.org>
List-Subscribe: <mailto:sidrops-join@ietf.org>
List-Unsubscribe: <mailto:sidrops-leave@ietf.org>
Job: Interesting approach. The OID can be allocated under https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#security-smime-1 Russ > On Sep 11, 2025, at 6:36 AM, Job Snijders <job@sobornost.net> wrote: > > Dear all, > > While working on the Erik Synchronisation protocol, it came to us that > having a standardized way to represent (parts of) a cache's internal > validation state would be a nifty way to help analyse whether RPs using > Rsync, RRDP, Erik, or a mix of those (eventually) arrive at similar or > dissimilar outcomes. The result of those discussions is a format named > "Canonical Cache Representation" (CCR). > > CCR is an *unsigned* data interchange format. It does not replace any > currently existing components in the RPKI technology stack, it does not > change anything to the validation procedures. > > I'm also starting to suspect that the CCR format might be a very > economic alternative to the 450-megabyte--per-piece rpkiviews.org > tarballs I'm currently publishing. A PoC archive of historic CCRs is > available here: https://miso.sobornost.net/rpki/ccr/ This PoC archive > also is intended to help other implementers test their software. > > I'm not 100% sure which IANA registry the OID assignment should come > from, perhaps Russ can shed a light on that? Until then, I've assigned a > PEN number for use in this phase of the standardization process. > > Generation and decoding functionality for CCR objects has been > implemented in rpki-client, so there is running code to look at! > https://github.com/openbsd/src/blob/master/usr.sbin/rpki-client/ccr.c > > As far as I know, at the moment a common approach to compare caches is > to use the 'rtrmon' software package - or compare JSON/CSV outputs, but > this has as downside the complication of another protocol (RTR) being > inserted in the analytics pipeline, and also visibility into the > 'physical' state (aka, the Manifests) is lost. CCR might help here. > > I think it would be very useful (and kinda awesome!) if multiple > different cache implementations could be compared using the CCR format! > > Your feedback, comments, questions, and use-cases are most welcome!!! > > Kind regards, > > Job > > ----- Forwarded message from internet-drafts@ietf.org ----- > > Date: Thu, 11 Sep 2025 02:08:23 -0700 > From: internet-drafts@ietf.org > To: Bart Bakker <bbakker@ripe.net>, Job Snijders <job@sobornost.net>, Tim > Bruijnzeels <tbruijnzeels@ripe.net> > Subject: New Version Notification for draft-spaghetti-sidrops-rpki-ccr-00.txt > > A new version of Internet-Draft draft-spaghetti-sidrops-rpki-ccr-00.txt has > been successfully submitted by Job Snijders and posted to the > IETF repository. > > Name: draft-spaghetti-sidrops-rpki-ccr > Revision: 00 > Title: A Profile for Resource Public Key Infrastructure (RPKI) Canonical Cache Representation (CCR) > Date: 2025-09-11 > Group: Individual Submission > Pages: 14 > URL: https://www.ietf.org/archive/id/draft-spaghetti-sidrops-rpki-ccr-00.txt > Status: https://datatracker.ietf.org/doc/draft-spaghetti-sidrops-rpki-ccr/ > HTML: https://www.ietf.org/archive/id/draft-spaghetti-sidrops-rpki-ccr-00.html > HTMLized: https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rpki-ccr > > > Abstract: > > This document specifies a Canonical Cache Representation (CCR) > content type for use with the Resource Public Key Infrastructure > (RPKI). CCR is a DER-encoded data interchange format which can be > used to represent various aspects of the state of a validated cache > at a particular point in time. The CCR profile is a compact and > versatile format well-suited for a diverse set of applications such > as audit trail keeping, validated payload dissemination, and > analytics pipelines. > > > > The IETF Secretariat > > > > ----- End forwarded message ----- > > _______________________________________________ > Sidrops mailing list -- sidrops@ietf.org > To unsubscribe send an email to sidrops-leave@ietf.org
- [Sidrops] new idea: Canonical Cache Representatio… Job Snijders
- [Sidrops] Re: new idea: Canonical Cache Represent… Ties de Kock
- [Sidrops] Re: new idea: Canonical Cache Represent… Russ Housley
- [Sidrops] Re: new idea: Canonical Cache Represent… Russ Housley