
RPKI: A small primer

Laban Mwangi

April 28, 2011


Contents
1 Introduction 2
1.1 What is RPKI . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 What is RPKI. . . Really? . . . . . . . . . . . . . . . . . . . . . 4

2 On Certificates 5
2.1 Trust Anchor Locator . . . . . . . . . . . . . . . . . . . . . . 5
2.2 Root certificate . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.3 Resource certificate . . . . . . . . . . . . . . . . . . . . . . . . 8

3 CRLs 11

4 ROAs 13

5 Manifests 16

6 Tools 18

List of Figures
1 RPKI for the allocation hierarchy for table 1 on page 2. . . . 3
2 AfriNIC Trust anchor locator . . . . . . . . . . . . . . . . . . 5
3 AfriNIC root certificate . . . . . . . . . . . . . . . . . . . . . 7
4 RIR certificate . . . . . . . . . . . . . . . . . . . . . . . . . . 9
5 LIR certificate . . . . . . . . . . . . . . . . . . . . . . . . . . 10
6 LIR certificate revocation list . . . . . . . . . . . . . . . . . . 12
7 LIR ROA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
8 EE certificate embedded in a ROA . . . . . . . . . . . . . . . 15
9 Sample Manifest . . . . . . . . . . . . . . . . . . . . . . . . . 17
10 Sample asn1 dump . . . . . . . . . . . . . . . . . . . . . . . . 18

1 Introduction
This is a work in progress. Mistakes will probably sneak in. If you notice
them please send corrections/comments to laban@afrinic.net.

1.1 What is RPKI


Resource Public Key Infrastructure (RPKI) is the name of the game. For
the Internet to work, we need BGP [1], which in turn requires IP prefixes and
AS numbers. When an LIR or any multi-homed organization wants to be
reachable on the Internet, they have to announce these number resources to
their peers. No security framework exists that authenticates whether a peer
does indeed own the resource set that they are advertising. Consequently,
rogue announcements [2] may appear on the Internet and affect the
reachability of legitimate sites. RPKI allows one to take these resources [3],
put them into a certificate and then use these resource-aware certificates
to sign Route Origin Authorizations (ROAs) and a set of other objects that
may be defined in the future [4].
Number resources are issued by IANA to the 5 RIRs. These RIRs then
issue resources to LIRs/NIRs, which issue their resources to their customers.
Their customers may in turn issue resources to their own customers, and so on.
PKIs follow a similar tree structure: there is a root (a self-signed
CA certificate) which may issue other certificates (which may themselves be CA
certificates). Consequently, every resource owner can and should have a resource
certificate.
These two hierarchical structures are similar, and this allows them to be
tightly integrated.
An example allocation structure:

ORG       IPV4         IPV6           ASN             Function
IANA      0/0          0/0            1–2^32          Issues resources to RIRs
AFRINIC   196/8        2001:4200/23   327680–328703   Issues resources to LIRs
LIR C     196.1/16     2001:4200/32   327680–327690   Large ISP.
ISP X     196.1.0/23   2001:4200/48   327685          Small ISP.

Table 1: Resource Allocation table

An example PKI structure:


[1] For more information, visit http://en.wikipedia.org/wiki/Border_Gateway_Protocol
[2] Such incidents do occur. See http://ripe.net/news/study-youtube-hijacking.html
[3] Number resources: IP prefixes and AS numbers
[4] The underlying specification documents are still in a state of flux. For the latest and up to date specifications, please see http://tools.ietf.org/wg/sidr/charters

Figure 1: RPKI for the allocation hierarchy for table 1 on page 2

1.2 What is RPKI... Really?
Well, RPKI:

• It allows a resource holder to prove that they actually own a set of
resources (it binds number resources to the subject of the certificate).

• A resource holder can provide a PKI-based authorisation attesting
that a peer is allowed to originate a set of prefixes on their behalf. (In
simple terms: I am a small company X who buys bandwidth from A
& C. A ROA can be created to attest that only A & C can advertise
X's prefixes.)

• CRLs are also published and their distribution points are listed in
certificates.

• Certificates, CRLs and products such as ROAs for each authority's
publication point are listed along with their hashes in a signed structure
that is published. This structure is called a manifest (mft).

• CA certs, CRLs, MFTs and ROAs are published in a repository to the
world over rsync and optionally https.

• Validation tools exist that can validate an entire repository tree.

2 On Certificates
Resource certificates are defined in the SIDR resource certificate profile
specification [5]. In this section, we'll analyse a set of certificates from the
AfriNIC repository (rsync://rpki.afrinic.net [6]) from the top down. We'll visit the
trust anchor locator, trust anchor certificate, RIR certificate and an LIR
certificate. An important point to note is that each certificate is a CA
certificate, with the exception of embedded end entity certificates.

2.1 Trust Anchor Locator

A trust anchor, as the trusted entry point of any PKI, is expected to be stable
over time. However, current practice has RIRs running their own roots
with their resources specified in the root certificate. If an RIR receives an
allocation, it has to issue a new certificate that contains the new resources,
which then has to be propagated to validators. Taking the case of IPv4,
17 blocks were allocated in the span of a year. This corresponds to one trust
anchor change every 21 days on average. On top of this, certificates have
time constraints which will induce certificate re-issues due to expiry.
The TAL format, specified in the SIDR TA draft [7], works around
these issues. Essentially, the TAL contains the rsync URI of the root RFC 3779
certificate and the public key component of that certificate. The two are
separated by a [CR]LF. According to the specification, the public key is
"a base 64-encoded, DER-encoded X.509 subjectPublicKeyInfo [RFC5280]".
It can easily be generated using shell utilities and OpenSSL [8].
Since the TAL carries neither resources nor time constraints, it can be
long-lived, requiring change only when the key is rolled.
Here is the AfriNIC TAL [9].
rsync://rpki.afrinic.net/repository/AfriNIC.cer
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxsAqAhWIO+ON2Ef9oRDM
pKxv+AfmSLIdLWJtjrvUyDxJPBjgR+kVrOHUeTaujygFUp49tuN5H2C1rUuQavTH
vve6xNF5fU3OkTcqEzMOZy+ctkbde2SRMVdvbO22+TH9gNhKDc9l7Vu01qU4LeJH
k3X0f5uu5346YrGAOSv6AaYBXVgXxa0s9ZvgqFpim50pReQe/WI3QwFKNgpPzfQL
6Y7fDPYdYaVOXPXSKtx7P4s4KLA/ZWmRL/bobw/i2fFviAGhDrjqqqum+/9w1hEl
L/vqihVnV18saKTnLvkItA/Bf5i11Yhw2K7qv573YWxyuqCknO/iYLTR1DToBZcZ
UQIDAQAB

Figure 2: AfriNIC Trust anchor locator

[5] http://tools.ietf.org/html/draft-ietf-sidr-res-certs-17
[6] Which is also located at https://rpki.afrinic.net
[7] http://tools.ietf.org/html/draft-ietf-sidr-ta
[8] See http://subvert-rpki.hactrn.net/rcynic/make-tal.sh
[9] Retrieved from rsync://rpki.afrinic.net/repository/AfriNIC.cer
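As an added example (not code from the primer or from AfriNIC), the TAL of figure 2 can be checked against the root certificate of figure 3 without any X.509 library: split the TAL into its URI and base64 subjectPublicKeyInfo, walk the DER to pull out the RSA modulus and exponent, and compare them with what `openssl x509 -text` printed. It assumes the SKI rule of the resource certificate profile (SHA-1 over the subjectPublicKey BIT STRING value) and the convention, visible in figures 3 and 7, that repository objects are named after the unpadded base64url form of the issuer's SKI (the `g_ski` that readroa.pl prints); the hex prefix and SKI passed to `check_tal` are copied from figure 3.

```python
import base64
import hashlib

# The AfriNIC TAL as reproduced in figure 2: the rsync URI of the root
# certificate, then the base64 DER subjectPublicKeyInfo of the root's key.
AFRINIC_TAL = """\
rsync://rpki.afrinic.net/repository/AfriNIC.cer
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxsAqAhWIO+ON2Ef9oRDM
pKxv+AfmSLIdLWJtjrvUyDxJPBjgR+kVrOHUeTaujygFUp49tuN5H2C1rUuQavTH
vve6xNF5fU3OkTcqEzMOZy+ctkbde2SRMVdvbO22+TH9gNhKDc9l7Vu01qU4LeJH
k3X0f5uu5346YrGAOSv6AaYBXVgXxa0s9ZvgqFpim50pReQe/WI3QwFKNgpPzfQL
6Y7fDPYdYaVOXPXSKtx7P4s4KLA/ZWmRL/bobw/i2fFviAGhDrjqqqum+/9w1hEl
L/vqihVnV18saKTnLvkItA/Bf5i11Yhw2K7qv573YWxyuqCknO/iYLTR1DToBZcZ
UQIDAQAB
"""

def parse_tal(text):
    """First non-empty line is the URI; the remaining lines are the base64 key."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    return lines[0], base64.b64decode("".join(lines[1:]), validate=True)

def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: count of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

def subject_public_key(spki):
    """Value of the subjectPublicKey BIT STRING (for RSA: the PKCS#1 RSAPublicKey DER)."""
    _, body, _ = der_tlv(spki)                     # SubjectPublicKeyInfo SEQUENCE
    _, _algorithm, after_alg = der_tlv(body)       # AlgorithmIdentifier (rsaEncryption)
    tag, bitstring, _ = der_tlv(body, after_alg)
    if tag != 0x03 or bitstring[0] != 0:
        raise ValueError("expected a BIT STRING with 0 unused bits")
    return bitstring[1:]

def rsa_public_key(spki):
    """Return (modulus_bytes, exponent) of the RSA key inside an SPKI."""
    _, rsa_body, _ = der_tlv(subject_public_key(spki))
    _, n, after_n = der_tlv(rsa_body)
    _, e, _ = der_tlv(rsa_body, after_n)
    return n.lstrip(b"\x00"), int.from_bytes(e, "big")

def subject_key_identifier(spki):
    """SKI as RPKI certificates carry it (RFC 5280 method 1): SHA-1 of the BIT STRING value."""
    return hashlib.sha1(subject_public_key(spki)).digest()

def g_ski(ski):
    """Unpadded base64url of the SKI; repository objects such as figure 3's
    62gPOPXWxxu0sQa4vQZYUBLaMbY.mft are named after it."""
    return base64.urlsafe_b64encode(ski).rstrip(b"=").decode("ascii")

def check_tal(tal_text, cert_modulus_prefix_hex, cert_ski_hex):
    """Cross-check the TAL key against the modulus bytes and Subject Key
    Identifier that `openssl x509 -text` prints for the root certificate."""
    uri, spki = parse_tal(tal_text)
    n, e = rsa_public_key(spki)
    ski = subject_key_identifier(spki)
    return {"uri": uri, "exponent": e,
            "modulus_matches": n.startswith(bytes.fromhex(cert_modulus_prefix_hex)),
            "ski_matches": ski == bytes.fromhex(cert_ski_hex),
            "manifest_name": g_ski(ski) + ".mft"}

if __name__ == "__main__":
    print(check_tal(AFRINIC_TAL, "c6c02a0215883be38dd847fda110cc",
                    "EB680F38F5D6C71BB4B106B8BD06585012DA31B6"))
```

The same `g_ski` reproduces the RIR's object names in figures 4 and 5 (N06AIoTDMbz2pigr_d23mPKzdHk) from the RIR certificate's Subject Key Identifier.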

2.2 Root certificate
The root certificate sits at the root of the Resource PKI. It contains all the
resources sub-allocated in the tree below it. In an ideal world, there would
be a single root certificate and its number resources would be:

• 0/0 for IPV4

• 0/0 for IPV6

• 1–4294967296 for AS numbers

Unfortunately, in the current structure, each RIR is running its own root
and encoding only its own resources. So, for example, the AfriNIC certificate
will only contain IANA's allocation to AfriNIC [10].
In figure 1 on page 3, the first dashed rectangle represents the root
repository. It contains all the certificates issued by the root, a CRL and a
manifest for this repository. This structure is replicated across the entire
PKI tree, that is, each certificate has a repository that is accessible over rsync
and contains:

• A CRL.

• A manifest.

• Zero or more products (ROAs, AAAs, ...) in its repository.

• Certificates for sub-CAs.

An example certificate can be seen in figure 3 on page 7. Its highlights are:

• It is self-signed, which implies that it is a root certificate.

• The locations of the repository and manifest are encoded in the
certificate.

• The certificate has X.509 CA extensions (green sections).

• It has RFC 3779 extensions (sbgp-* sections).

[10] See http://www.iana.org/numbers/ for allocation statistics.

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
9f:46:64:f1:db:82:4a:e0
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=AfriNIC-Root-Certificate
Validity
Not Before: Dec 24 11:00:32 2010 GMT
Not After : Dec 23 11:00:32 2015 GMT
Subject: CN=AfriNIC-Root-Certificate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c6:c0:2a:02:15:88:3b:e3:8d:d8:47:fd:a1:10:
cc:a4:ac:6f:f8:07:e6:48:b2:1d:2d:62:6d:8e:bb:
...
19:51
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Certificate Policies: critical
Policy: 1.3.6.1.5.5.7.14.2
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
EB:68:0F:38:F5:D6:C7:1B:B4:B1:06:B8:BD:06:58:50:12:DA:31:B6
Subject Information Access:
CA Repository - URI:rsync://rpki.afrinic.net/repository/04E8B0D80F4D11E0B657D8931367AE7D/
1.3.6.1.5.5.7.48.10 - URI:rsync://rpki.afrinic.net/repository/04E8B0D80F4D11E0B657D8931367AE7D/62gPOPXWxxu0sQa4vQZYUBLaMbY.mft
sbgp-autonomousSysNum: critical
Autonomous System Numbers:
1228-1232
2018
2561
...
36864-37887
327680-328703

sbgp-ipAddrBlock: critical
IPv4:
41.0.0.0/8
105.0.0.0/8
154.0.0.0/8
196.0.0.0/7
IPv6:
2001:4200::/23
2c00::/12
Signature Algorithm: sha256WithRSAEncryption
37:c7:d7:6a:18:93:30:af:bd:35:4c:8b:d2:7d:f6:b4:59:34:
...

Figure 3: AfriNIC root certificate

2.3 Resource certificate
The root certificate is a special case of the resource certificate. A non-root
resource certificate has:

• A parent - the Authority Information Access extension in the certificate
points to it.

• Zero or more children - Subject Information Access is a pointer to a
store with this certificate's children.

• Zero or more products - Subject Information Access also points to a store
with this certificate's products.

An example tree is shown below. In this case, the root certificate in
figure 3 issues the RIR certificate in figure 4, which in turn issues the LIR
certificate in figure 5. Please note the relationship between the certificates
as indicated by the colour coding.

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 8 (0x8)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=AfriNIC-Root-Certificate
Validity
Not Before: Dec 27 08:26:48 2010 GMT
Not After : Dec 27 00:00:00 2011 GMT
Subject: CN=1320AEA9/serialNumber=374E802284C331BCF6A6282BFDDDB798F2B37479
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c2:77:0d:12:fe:67:31:be:95:1f:c7:1d:98:4c:
...
99:11
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
37:4E:80:22:84:C3:31:BC:F6:A6:28:2B:FD:DD:B7:98:F2:B3:74:79
X509v3 Authority Key Identifier:
keyid:EB:68:0F:38:F5:D6:C7:1B:B4:B1:06:B8:BD:06:58:50:12:DA:31:B6
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 CRL Distribution Points:
Full Name:
URI:rsync://rpki.afrinic.net/repository/04E8B0D80F4D11E0B657D8931367AE7D/62gPOPXWxxu0sQa4vQZYUBLaMbY.crl
Authority Information Access:
CA Issuers - URI:https://rpki.afrinic.net/repository/AfriNIC.cer
CA Issuers - URI:rsync://rpki.afrinic.net/repository/AfriNIC.cer
X509v3 Certificate Policies: critical
Policy: 1.3.6.1.5.5.7.14.2
Subject Information Access:
CA Repository - URI:rsync://rpki.afrinic.net/repository/89208CE4119211E0B3FFDB1BAE001804/
1.3.6.1.5.5.7.48.10 - URI:rsync://rpki.afrinic.net/repository/89208CE4119211E0B3FFDB1BAE001804/N06AIoTDMbz2pigr_d23mPKzdHk.mft
sbgp-autonomousSysNum: critical
Autonomous System Numbers:
1228-1232
2018
2561
...
327680-328703
sbgp-ipAddrBlock: critical
IPv4:
41.0.0.0/8
...
196.0.0.0/7
IPv6:
2001:4200::/23
2c00::/12
Signature Algorithm: sha256WithRSAEncryption
7f:59:79:5e:ef:c4:54:70:eb:bc:28:25:31:03:07:39:ad:90:
...
91:1e:e7:66

Figure 4: RIR certificate

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15 (0xf)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=1320AEA9/serialNumber=374E802284C331BCF6A6282BFDDDB798F2B37479
Validity
Not Before: Jan 2 01:00:02 2011 GMT
Not After : Dec 31 00:00:00 2012 GMT
Subject: CN=F3634D22/serialNumber=2437CBED9D10ECA3CDD060EBB29D44272637A30A
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a6:a7:4f:cc:cd:63:1c:3c:a4:cb:3f:99:60:61:
...
5d:7d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
24:37:CB:ED:9D:10:EC:A3:CD:D0:60:EB:B2:9D:44:27:26:37:A3:0A
X509v3 Authority Key Identifier:
keyid:37:4E:80:22:84:C3:31:BC:F6:A6:28:2B:FD:DD:B7:98:F2:B3:74:79
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 CRL Distribution Points:
Full Name:
URI:rsync://rpki.afrinic.net/repository/89208CE4119211E0B3FFDB1BAE001804/N06AIoTDMbz2pigr_d23mPKzdHk.crl
Authority Information Access:
CA Issuers - URI:rsync://rpki.afrinic.net/repository/04E8B0D80F4D11E0B657D8931367AE7D/N06AIoTDMbz2pigr_d23mPKzdHk.cer
X509v3 Certificate Policies: critical
Policy: 1.3.6.1.5.5.7.14.2
Subject Information Access:
CA Repository - URI:rsync://rpki.afrinic.net/member_repository/F3634D22/92EF8890119911E0A59EB577833A7E19/
1.3.6.1.5.5.7.48.10 - URI:rsync://rpki.afrinic.net/member_repository/F3634D22/92EF8890119911E0A59EB577833A7E19/JDfL7Z0Q7KPN0GDrsp1EJyY3owo.mft

sbgp-autonomousSysNum: critical
Autonomous System Numbers:
33764
...
327681
sbgp-ipAddrBlock: critical
IPv4:
196.1.0.0/24
...
197.255.248.0/22
IPv6:
2001:43f8:40::/48
...
2001:43f8:120::/48
Signature Algorithm: sha256WithRSAEncryption
68:9f:8e:d1:11:73:3c:69:05:d0:1a:d0:90:f3:a6:35:e4:db:
...
0d:0f:47:99

Figure 5: LIR certificate


3 CRLs
Each engine (RPKI instance with a certificate) is expected to maintain an
up-to-date CRL that is generated at regular intervals. The CRL records
any certificates revoked due to product expiry or security incidents. Each
certificate points to its parent's CRL using the X509v3 CRL Distribution Points
attribute (it is the parent that issued the certificate; consequently, revocation
responsibility lies with the parent).
An example CRL is shown below. The important bits:

• Authority Key Identifier and Issuer point to the issuer (the certificate in
figure 5).

• The CRL number, which is incremented with each issue.

• Last update and next update time constraints.

• The revocation date of each revoked certificate, identified by its serial
number.

$ openssl crl -text -noout -inform DER -in F3634D22/92EF8890119911E0A59EB577833A7E19/JDfL7Z0Q7KPN0GDrsp1EJyY3owo.crl
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /CN=F3634D22/serialNumber=2437CBED9D10ECA3CDD060EBB29D44272637A30A
Last Update: Mar 21 21:03:05 2011 GMT
Next Update: Mar 22 21:03:05 2011 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:24:37:CB:ED:9D:10:EC:A3:CD:D0:60:EB:B2:9D:44:27:26:37:A3:0A

X509v3 CRL Number:
180
Revoked Certificates:
Serial Number: 01
Revocation Date: Dec 27 09:18:53 2010 GMT
...
Serial Number: 58
Revocation Date: Mar 15 21:03:04 2011 GMT
Serial Number: 59
Revocation Date: Mar 16 21:03:04 2011 GMT
Serial Number: 5A
Revocation Date: Mar 17 21:03:05 2011 GMT
Serial Number: 5B
Revocation Date: Mar 18 21:03:04 2011 GMT
Serial Number: 5C
Revocation Date: Mar 19 21:03:05 2011 GMT
Serial Number: 5D
Revocation Date: Mar 20 21:03:05 2011 GMT
Serial Number: 5E
Revocation Date: Mar 21 21:03:05 2011 GMT
Signature Algorithm: sha256WithRSAEncryption
4d:d2:e8:ae:dd:48:fa:18:5a:a8:f1:2b:ae:03:48:7c:cf:a5:
...
ed:23:a5:90

Figure 6: LIR certificate revocation list

4 ROAs
Currently described by http://tools.ietf.org/html/draft-ietf-sidr-roa-format-10,
Route Origin Authorizations (ROAs) associate an AS number with a list of
prefixes in an object which is then CMS-signed by the owner of the prefixes. By
generating a ROA, the owner of the prefixes is stating that the AS number in the
ROA is allowed to originate the prefixes listed in the ROA. Third parties can
then fetch ROAs, verify their CMS signature and then apply the validation rules
in http://tools.ietf.org/wg/sidr/draft-ietf-sidr-roa-validation/.
A sample ROA is shown in figure 7. ROAs encapsulate end entity
certificates within them; the end entity certificate embedded in the ROA of
figure 7 can be seen in figure 8.

$ readroa.pl F3634D22/92EF8890119911E0A59EB577833A7E19/D0E0C780119A11E091DEBD10B8DD93AD.roa
version: 0

as_id: 12345678

prefixes:
196.1.0.0/24
2001:42d0::/48

signing certificate:
serial: 5 (0x5)
not before: 2010-12-25T04:21:28
not after: 2011-12-31T04:21:28
subject: CN=4d185ad1-f933
ski: 29733c726b82db6b95a6f9d463734a2f7252a6d0
g_ski: KXM8cmuC22uVpvnUY3NKL3JSptA
sia:
signedObject: rsync://rpki.afrinic.net/member_repository/F3634D22/92EF8890119911E0A59EB577833A7E19/D0E0C780119A11E091DEBD10B8DD93AD.roa
issuer: CN=F3634D22, SN=2437CBED9D10ECA3CDD060EBB29D44272637A30A
aki: 2437cbed9d10eca3cdd060ebb29d44272637a30a
g_aki: JDfL7Z0Q7KPN0GDrsp1EJyY3owo
aia:
caIssuers: rsync://rpki.afrinic.net/repository/89208CE4119211E0B3FFDB1BAE001804/JDfL7Z0Q7KPN0GDrsp1EJyY3owo.cer
resources:
ipv4:
196.1.0.0/24
ipv6:
2001:42d0::/48

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Figure 7: LIR ROA

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5 (0x5)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=F3634D22/serialNumber=2437CBED9D10ECA3CDD060EBB29D44272637A30A
Validity
Not Before: Dec 25 04:21:28 2010 GMT
Not After : Dec 31 04:21:28 2011 GMT
Subject: CN=4d185ad1-f933
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:d9:86:59:fb:b1:45:78:a0:58:5d:b5:c8:3d:50:
...
bb:43:db:2e:28:a9:48:28:65
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
29:73:3C:72:6B:82:DB:6B:95:A6:F9:D4:63:73:4A:2F:72:52:A6:D0
X509v3 Authority Key Identifier:
keyid:24:37:CB:ED:9D:10:EC:A3:CD:D0:60:EB:B2:9D:44:27:26:37:A3:0A
X509v3 Key Usage: critical
Digital Signature
X509v3 CRL Distribution Points:
Full Name:
URI:rsync://rpki.afrinic.net/member_repository/F3634D22/92EF8890119911E0A59EB577833A7E19/JDfL7Z0Q7KPN0GDrsp1EJyY3owo.crl
Authority Information Access:
CA Issuers - URI:rsync://rpki.afrinic.net/repository/89208CE4119211E0B3FFDB1BAE001804/JDfL7Z0Q7KPN0GDrsp1EJyY3owo.cer
X509v3 Certificate Policies: critical
Policy: 1.3.6.1.5.5.7.14.2
Subject Information Access:
1.3.6.1.5.5.7.48.11 - URI:rsync://rpki.afrinic.net/member_repository/F3634D22/92EF8890119911E0A59EB577833A7E19/D0E0C780119A11E091DEBD10B8DD93AD.roa
sbgp-ipAddrBlock: critical
IPv4:
196.1.0.0/24
IPv6:
2001:42d0::/48
Signature Algorithm: sha256WithRSAEncryption
57:ef:f7:51:d6:52:b0:f4:4c:5d:7e:88:b2:63:d4:eb:ff:be:
...
78:8a:6f:e1

Figure 8: EE certificate embedded in a ROA
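As an added example (not part of the primer), the ROA of figure 7 can be used to validate announcements the way draft-ietf-sidr-roa-validation describes: a route is "unknown" when no ROA covers its prefix, "valid" when a covering ROA names its origin AS and permits its prefix length, and "invalid" otherwise. Each ROA prefix is modelled as an (ASN, prefix, maxLength) triple; the ROA in figure 7 shows no maxLength, which the ROA format treats as "exactly this prefix length". The announcements fed to it are constructed samples, not routing-table data.

```python
import ipaddress

class Roa:
    """One (asn, prefix, maxLength) triple as a ROA expresses it. A missing
    maxLength means the ROA authorises only exactly this prefix length."""
    def __init__(self, asn, prefix, max_length=None):
        self.asn = asn
        self.prefix = ipaddress.ip_network(prefix)
        self.max_length = self.prefix.prefixlen if max_length is None else max_length

# The ROA read by readroa.pl in figure 7: AS 12345678 may originate both prefixes.
FIGURE7_ROAS = [Roa(12345678, "196.1.0.0/24"), Roa(12345678, "2001:42d0::/48")]

def covering_roas(roas, route_prefix):
    """ROAs whose prefix covers the announced prefix: same address family and
    the announced prefix equal to or more specific than the ROA prefix."""
    net = ipaddress.ip_network(route_prefix)
    return [r for r in roas
            if r.prefix.version == net.version and net.subnet_of(r.prefix)]

def origin_validation(roas, route_prefix, origin_as):
    """Route origin validation as in draft-ietf-sidr-roa-validation:
    'unknown' when no ROA covers the prefix, 'valid' when a covering ROA names
    the origin AS and permits this prefix length, otherwise 'invalid'."""
    net = ipaddress.ip_network(route_prefix)
    covering = covering_roas(roas, route_prefix)
    if not covering:
        return "unknown"
    for roa in covering:
        if roa.asn == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"

def validate_table(roas, routes):
    """Classify a list of (prefix, origin_as) announcements."""
    return {(p, a): origin_validation(roas, p, a) for p, a in routes}

if __name__ == "__main__":
    # Constructed sample announcements; AS 65000 is a private ASN used as a stand-in.
    sample = [("196.1.0.0/24", 12345678), ("196.1.0.0/24", 65000),
              ("196.1.0.0/25", 12345678), ("196.1.2.0/24", 12345678),
              ("2001:42d0::/48", 12345678)]
    for key, state in validate_table(FIGURE7_ROAS, sample).items():
        print(key, state)
```

Note that a more specific announcement of an authorised prefix (196.1.0.0/25 here) is "invalid", not "unknown", because the covering ROA exists but does not permit that length.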

5 Manifests
Manifests are currently documented by the SIDR draft http://tools.ietf.org/html/draft-ietf-sidr-rpki-manifests-10.
Manifests are signed objects that list all the objects in a repository (except
the manifest itself) together with their hashes. A valid manifest helps to ascertain
that the objects in a publication point are fresh (the latest issued) and complete,
i.e. none are missing.
Similar to ROAs, manifests embed an EE certificate, which enforces the manifest
validity period. A sample manifest is shown in figure 9.

$ readmanifest.pl JDfL7Z0Q7KPN0GDrsp1EJyY3owo.mft
version: 0
manifest_number: 92
this_update: 2011-03-21T21:03:05
next_update: 2011-03-22T21:03:05
signing certificate:
serial: 95 (0x5F)
not before: 2011-03-21T21:03:05
not after: 2011-03-22T21:03:05
subject: CN=4d87bd0a-8f16
ski: d497442077a664c9f49f17f4df3ef74b0f093516
g_ski: 1JdEIHemZMn0nxf03z73Sw8JNRY
sia:
signedObject: rsync://rpki.afrinic.net/member_repository/F3634D22/92EF8890119911E0A59EB577833A7E19/JDfL7Z0Q7KPN0GDrsp1EJyY3owo.mft
issuer: CN=F3634D22, SN=2437CBED9D10ECA3CDD060EBB29D44272637A30A
aki: 2437cbed9d10eca3cdd060ebb29d44272637a30a
g_aki: JDfL7Z0Q7KPN0GDrsp1EJyY3owo
aia:
caIssuers: rsync://rpki.afrinic.net/repository/89208CE4119211E0B3FFDB1BAE001804/JDfL7Z0Q7KPN0GDrsp1EJyY3owo.cer
crldp:
rsync://rpki.afrinic.net/member_repository/F3634D22/92EF8890119911E0A59EB577833A7E19/JDfL7Z0Q7KPN0GDrsp1EJyY3owo.crl
resources:
ipv4: inherit
ipv6: inherit
asnum: inherit
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
files:
abc24abc7cfca23592ee3f7fa20f1b6991113220d607c6ff2d925d69af620ff1 JDfL7Z0Q7KPN0GDrsp1EJyY3owo.crl
d9c91b56e48ec01784f728b1c1c0cce661f1f4ca7e7cfa571b18dd7b06f72a12 D0E0C780119A11E091DEBD10B8DD93AD.roa
ae2cc5135d907ecd2a0856df19d624e10e55ec442d7d425088adad4cc98f77c6 649CEC1A142011E08E3BA1F1E15CA2C6.aaa

Figure 9: Sample Manifest
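As an added example (not the primer's or any validator's own code), this is the check a relying party performs with a manifest like figure 9 once its CMS signature and EE certificate have been verified: parse the `files:` listing, hash every object fetched from the publication point, and report objects that are missing, unlisted, or altered, plus whether the manifest's this_update/next_update window has lapsed. The object contents and hashes below are constructed stand-ins (real objects are DER blobs); the file names and the update times are those printed in figure 9.

```python
import hashlib
from datetime import datetime

def parse_manifest_files(listing):
    """Parse the 'files:' section as readmanifest.pl prints it in figure 9:
    one '<sha256 hex> <file name>' pair per line. Returns {name: hex}."""
    files = {}
    for line in listing.strip().splitlines():
        digest, name = line.split()
        files[name] = digest.lower()
    return files

def check_publication_point(manifest_files, local_objects, this_update, next_update, now):
    """Compare a fetched publication point against its manifest.
    manifest_files: {name: sha256 hex} from the manifest.
    local_objects:  {name: bytes} fetched over rsync (the .mft itself excluded).
    Times are 'YYYY-MM-DDTHH:MM:SS' strings (UTC) as readmanifest.pl prints them.
    Flags a stale manifest, listed objects the fetch lacks (missing), fetched
    objects the manifest does not list (extra) and hash mismatches (corrupt)."""
    t0, t1, t = (datetime.fromisoformat(s) for s in (this_update, next_update, now))
    report = {"stale": not (t0 <= t < t1),
              "missing": sorted(set(manifest_files) - set(local_objects)),
              "extra": sorted(set(local_objects) - set(manifest_files)),
              "corrupt": []}
    for name in sorted(set(manifest_files) & set(local_objects)):
        if hashlib.sha256(local_objects[name]).hexdigest() != manifest_files[name]:
            report["corrupt"].append(name)
    report["ok"] = not (report["stale"] or report["missing"]
                        or report["extra"] or report["corrupt"])
    return report

def manifest_listing(objects):
    """Build a figure 9 style 'files:' listing from object contents, as the
    issuing CA engine does when it signs a new manifest."""
    return "\n".join(f"{hashlib.sha256(data).hexdigest()} {name}"
                     for name, data in objects.items())

# Constructed sample objects under the figure 9 names; the bytes are stand-ins.
PUBLISHED = {"JDfL7Z0Q7KPN0GDrsp1EJyY3owo.crl": b"constructed CRL bytes",
             "D0E0C780119A11E091DEBD10B8DD93AD.roa": b"constructed ROA bytes",
             "649CEC1A142011E08E3BA1F1E15CA2C6.aaa": b"constructed AAA bytes"}
MANIFEST_FILES = parse_manifest_files(manifest_listing(PUBLISHED))
THIS_UPDATE, NEXT_UPDATE = "2011-03-21T21:03:05", "2011-03-22T21:03:05"   # figure 9

def inconsistent_fetch():
    """A fetch in which the ROA was altered, the AAA is absent and a stray file appeared."""
    fetched = dict(PUBLISHED)
    fetched["D0E0C780119A11E091DEBD10B8DD93AD.roa"] = b"altered ROA bytes"
    del fetched["649CEC1A142011E08E3BA1F1E15CA2C6.aaa"]
    fetched["stray.roa"] = b"not on the manifest"
    return check_publication_point(MANIFEST_FILES, fetched, THIS_UPDATE, NEXT_UPDATE,
                                   "2011-03-22T06:00:00")

if __name__ == "__main__":
    print(check_publication_point(MANIFEST_FILES, PUBLISHED, THIS_UPDATE, NEXT_UPDATE,
                                  "2011-03-22T06:00:00"))
    print(inconsistent_fetch())
```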


6 Tools
An ISC implementation of the RPKI drafts can be found at http://www.rpki.net/.
Since all objects published in an RPKI repository are in ASN.1, dumpasn1
can be used to quickly peek at the objects. Here's an example.

$ dumpasn1 ./F3627570/23E2DEDA222811E0978FE4E49E139081/BDE4266A223C11E0AF7AFACA991D58DD.roa
0 1703: SEQUENCE
4 9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
...
...
:
0 warnings, 0 errors.

Figure 10: Sample asn1 dump

