[Sidrops] RIPE NCC RPKI pilot for ASPA objects
Erik Rozendaal <erozendaal@ripe.net> Mon, 21 November 2022 14:00 UTC
Return-Path: <erozendaal@ripe.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6780EC15259B for <sidrops@ietfa.amsl.com>; Mon, 21 Nov 2022 06:00:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ripe.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SIVoeRuPgOjC for <sidrops@ietfa.amsl.com>; Mon, 21 Nov 2022 06:00:16 -0800 (PST)
Received: from mail-mx-2.ripe.net (mail-mx-2.ripe.net [IPv6:2001:67c:2e8:11::c100:1312]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08F8FC14F73A for <sidrops@ietf.org>; Mon, 21 Nov 2022 06:00:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ripe.net; s=s1-ripe-net; h=To:Date:Message-Id:Subject:Mime-Version:Content-Type:From:CC ; bh=uLmFj2jzwOvMw6aVwe127W5cwTZv/JNbJ5DRmScKYXs=; b=hNzc1A3H0M6PWuprB7HkqS1t lx0+UNvFhcBMx4A/EeM2d23fB8S8Sv3htPUO8CshqiAn+ghz60Vh0jqPCm+XFv481kLW38pWDyiGZ f7Oy/eFzBQPA2h+AOq+HtoSLhUDfZeGu9tujP4rO0sZkEa4SWOKAX4/p8JTdPxxLn+w+yjW3VxxkM CeJlmx0NpBtmObCCPk7vMQl/zHpCGK02UxIDcyW5fBUqL6k3MWu7x6WJyiqgbbcii/kS3zkJihHSo yBHildoF2CEZugNlfWcwmTwN8RhC3Q8KkyLYgrUum7Cu0bap2MpSIQmcZXhPkxPYfD8HGQuGszre1 L6CHuW17Hg==;
Received: from bufobufo.ripe.net ([2001:67c:2e8:23::c100:170d]:54366) by mail-mx-2.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <erozendaal@ripe.net>) id 1ox7LJ-000vu4-1t for sidrops@ietf.org; Mon, 21 Nov 2022 14:00:13 +0000
Received: from sslvpn.ipv6.ripe.net ([2001:67c:2e8:9::c100:14e6] helo=smtpclient.apple) by bufobufo.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <erozendaal@ripe.net>) id 1ox7LJ-0002tZ-1d for sidrops@ietf.org; Mon, 21 Nov 2022 14:00:13 +0000
From: Erik Rozendaal <erozendaal@ripe.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.200.110.1.12\))
Message-Id: <874C815E-DBDE-415F-B7EC-A3F7883F599B@ripe.net>
Date: Mon, 21 Nov 2022 15:00:02 +0100
To: sidrops@ietf.org
X-Mailer: Apple Mail (2.3731.200.110.1.12)
X-RIPE-Signature: 3081e9bfa2e75d9dc8fe5e8110458a386978fdfec65575250f4df4a3ec3715cb
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/xBKeFYOtaSeeHxkoKzLwQq2JBWw>
Subject: [Sidrops] RIPE NCC RPKI pilot for ASPA objects
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Nov 2022 14:02:42 -0000
ASPA (Autonomous System Provider Authorisation[1]) is a new RPKI object type and the first additional object type supported by the RIPE NCC RPKI software since its original introduction. ASPA is currently in draft status, and we implemented draft version 11 of the object profile [2]. We built this ASPA pilot to help the community advance the work in the IETF SIDR Operations (SIDROPS)working group. The initial version runs in the RIPE NCC localcert[3] pilot environment, and we plan to make it available in the production environment soon after the ASPA proposal reaches RFC status. Below you can find the description of the RIPE NCC RPKI ASPA configuration API. Please contact us at sw-enhancements@ripe.net if you have any questions or problems. # ASPA configuration API The ASPA configuration can only be retrieved and updated in this pilot environment using the RPKI Management API[4]. We added two new API endpoints for ASPA: ## Retrieve the current ASPA configuration API endpoint: `GET /api/rpki/aspa` Returns a JSON representation of your current ASPA configuration and an `entityTag`. This `entityTag` describes the current version of the configuration. Example response body: { "entityTag": "\"PUwiLtHQSA9LqD5mvUW3Rp7WqPCsS28p/5a52N9AcS8=\"", "aspaConfigurations": [{ "customerAsn": "AS64496", "providers": [ { "providerAsn": "AS64500", "afiLimit": "ANY" } ] }] } ## Update the ASPA configuration API endpoint: `PUT /api/rpki/aspa` Atomically replaces the current ASPA configuration with the provided configuration. You must provide the `entityTag` of your current configuration in the `ifMatch` field. If the provided tag no longer matches, you will get an `HTTP 412 precondition failed`[5] response. This mechanism prevents conflicting updates of the ASPA configuration. After the configuration is updated, the RIPE NCC RPKI system will update the ASPA CMS objects and publish them to the RIPE NCC RPKI repositories. This process usually takes less than 30 minutes but may be slower, with a long tail up to the time limit described in our CPS. Example request body: { "ifMatch": "\"PUwiLtHQSA9LqD5mvUW3Rp7WqPCsS28p/5a52N9AcS8=\"", "aspaConfigurations": [{ "customerAsn": "AS64496", "providers": [ { "providerAsn":"AS64500", "afiLimit": "IPv4" } ] }] } Note: it is also possible to use the HTTP `ETag`[6] response header and `If-Match`[7] request header instead of the JSON object fields. ## ASPA configuration JSON The ASPA configuration JSON has the following format. All fields are required: `aspaConfigurations`: a (possibly empty) list of ASPA configuration objects with two fields: customerAsn and providers. `customerAsn`: your ASN, which must be part of your certified resources. `providers`: a non-empty list of objects with two fields: `providerAsn` and `afiLimit`. `providerAsn`: the ASN of the authorised provider or internet exchange point route server. `afiLimit`: one of `ANY`, `IPv4`, or `IPv6` (case sensitive) to limit the kind of traffic that is authorised. # References [1]: https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-profile/ [2]: https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-verification [3]: https://www.ripe.net/manage-ips-and-asns/resource-management/rpki/rpki-test-environment [4]: https://www.ripe.net/support/documentation/developer-documentation/rpki-management-api [5]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/412 [6]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ETag [7]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Match
- [Sidrops] RIPE NCC RPKI pilot for ASPA objects Erik Rozendaal
- Re: [Sidrops] RIPE NCC RPKI pilot for ASPA objects Sriram, Kotikalapudi (Fed)
- Re: [Sidrops] RIPE NCC RPKI pilot for ASPA objects Erik Rozendaal
- Re: [Sidrops] RIPE NCC RPKI pilot for ASPA objects Ben Maddison
- Re: [Sidrops] RIPE NCC RPKI pilot for ASPA objects Ties de Kock