[RPKI] ARIN Identity.xml format

Tim Bruijnzeels tim at nlnetlabs.nl
Wed Feb 5 10:04:22 UTC 2020


Hi Cynthia,

Thank you for sharing this, and for giving Krill a chance :)

So, it looks like rpkid from rpki.net introduced a version 2 identity exchange after RFC 8183 had been published and that ARIN supports this. This is odd because RFC 8183 itself is based on the original rpki.net implementation. And, in fact, I saw a message to the nanog list from someone who had issues getting their, presumably older version of, rpkid to work with the exchange.

I will take this up with ARIN. As chance will have it I will meet up with them this Friday. I will advise them to stick to the RFC. If an update to the format is needed then that should be discussed in the IETF first.

In the meantime, thank you! We can document this, and perhaps do some trickery of sorts if we must. But, I prefer that ARIN changes things. They can also polish off their xslt skills ;)

Tim

> On 5 Feb 2020, at 10:54, Cynthia Revström via RPKI <rpki at lists.nlnetlabs.nl> wrote:
> 
> Hello,
> 
> So there is a bit of a lack of documentation when it comes to the format of the "Up/Down Identity XML" file that ARIN wants when you are setting up Delegated RPKI and the format of the parent response from ARIN.
> ARIN's XML files are not RFC8183 but rather something a bit odd that I had to craft by hand based on example files I found in old git repositories.
> I mainly posted this in the case that someone else has a similar issue since well as I said, docs are lacking atm. (I have also brought it up with NLNetLabs so they can discuss it with ARIN)
> 
> When running `krillc parents myid` I got something in the format of:
> <child_request xmlns="http://www.hactrn.net/uris/rpki/rpki-setup/" version="1" child_handle="QUL-4">
>   <child_bpki_ta>MII...</child_bpki_ta>
> </child_request>
> 
> Whereas ARIN seemingly wanted (and accepted) the format of:
> <identity xmlns="http://www.hactrn.net/uris/rpki/myrpki/" version="2" handle="QUL-4">
>   <bpki_ta>MII...</bpki_ta>
> </identity>
> 
> And the parent response had a similar issue, this is what I got from ARIN:
> <parent xmlns="http://www.hactrn.net/uris/rpki/myrpki/"
>     version="2"
>     valid_until="2120-02-05T09:01:23Z"
>     service_uri="http://updown.arin.net/ARIN/QUL-4"
>     parent_handle="ARIN"
>     child_handle="QUL-4">
>   <bpki_resource_ta>
> MII...
>   </bpki_resource_ta>
>   <bpki_child_ta>
> MII...
>   </bpki_child_ta>
>   <repository type="none"/>
> </parent>
> 
> Whereas krill/RFC8183 wants the format of:
> <parent_response xmlns="http://www.hactrn.net/uris/rpki/rpki-setup/"
>     version="1"
>     valid_until="2120-02-05T09:01:23Z"
>     service_uri="http://updown.arin.net/ARIN/QUL-4"
>     parent_handle="ARIN"
>     child_handle="QUL-4">
>   <parent_bpki_ta>
> MII... <this is the bpki_resource_ta tag from the ARIN format>
>   </parent_bpki_ta>
> </parent_response>
> 
> - Cynthia

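The hand conversion described in the quoted message, written out as an added example (it is not part of either post and is not Krill or ARIN code). The function names, the sample handle, URI and trust anchor body are constructed for illustration, and only the elements and attributes shown in the thread are mapped; anything else is rejected rather than guessed at.

```python
import base64
import xml.etree.ElementTree as ET

MYRPKI_NS = "http://www.hactrn.net/uris/rpki/myrpki/"     # ARIN "version 2" files
SETUP_NS = "http://www.hactrn.net/uris/rpki/rpki-setup/"  # RFC 8183 files

def _parse(xml_text, ns, tag, version):
    # Refuse DTDs and anything that is not exactly the expected root element.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTD not allowed in an identity exchange file")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{ns}}}{tag}" or root.get("version") != version:
        raise ValueError(f"expected <{tag}> version {version} in {ns}")
    return root

def _ta(root, ns, tag):
    node = root.find(f"{{{ns}}}{tag}")
    if node is None or not (node.text or "").strip():
        raise ValueError(f"missing <{tag}>")
    b64 = "".join(node.text.split())  # drop line breaks and indentation
    base64.b64decode(b64, validate=True)  # must be base64; binascii.Error is a ValueError
    return b64

def child_request_to_arin_identity(xml_text):
    """RFC 8183 <child_request> (krillc output) -> ARIN <identity> version 2."""
    src = _parse(xml_text, SETUP_NS, "child_request", "1")
    out = ET.Element("identity", xmlns=MYRPKI_NS, version="2", handle=src.attrib["child_handle"])
    ET.SubElement(out, "bpki_ta").text = _ta(src, SETUP_NS, "child_bpki_ta")
    return ET.tostring(out, encoding="unicode")

def arin_parent_to_parent_response(xml_text):
    """ARIN <parent> version 2 -> <parent_response> version 1 as shown in the post."""
    src = _parse(xml_text, MYRPKI_NS, "parent", "2")
    keep = ("valid_until", "service_uri", "parent_handle", "child_handle")
    out = ET.Element("parent_response", xmlns=SETUP_NS, version="1",
                     **{k: src.attrib[k] for k in keep})
    # bpki_resource_ta becomes parent_bpki_ta; bpki_child_ta and repository are dropped.
    ET.SubElement(out, "parent_bpki_ta").text = _ta(src, MYRPKI_NS, "bpki_resource_ta")
    return ET.tostring(out, encoding="unicode")

# Constructed sample: handle, URI and TA body are made up (not a real certificate).
TA = base64.b64encode(b"constructed, not a real BPKI certificate").decode()
SAMPLE_PARENT = (f'<parent xmlns="{MYRPKI_NS}" version="2" valid_until="2120-02-05T09:01:23Z" '
    'service_uri="http://updown.example.net/ARIN/EXAMPLE-1" parent_handle="ARIN" '
    f'child_handle="EXAMPLE-1"><bpki_resource_ta>\n{TA}\n</bpki_resource_ta>'
    f'<bpki_child_ta>\n{TA}\n</bpki_child_ta><repository type="none"/></parent>')

if __name__ == "__main__":
    print(arin_parent_to_parent_response(SAMPLE_PARENT))
```

Compare the trust anchor in the converted file byte for byte with the one in the original before importing it, since that certificate is what the up-down channel will be authenticated against.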