[RPKI] ARIN Identity.xml format

Tim Bruijnzeels tim at nlnetlabs.nl
Wed Feb 5 12:51:28 UTC 2020


Hi all,

It was pointed out to me that the format that uses '<identity>' actually pre-dates the RFC. I was thrown off by the version="2" in there, but presumably that only applied to that particular namespace and the version number got reset for the RFC. My mistake.

Rob Austein, who did most of the rpkid coding and is the author of RFC 8183, also published an XSL file that can help translate between the two formats:
https://raw.githubusercontent.com/dragonresearch/rpki.net/master/potpourri/oob-translate.xsl

I will still urge ARIN to update their portal to use the RFC style, but having this XSL available should help.

Tim


> On 5 Feb 2020, at 11:04, Tim Bruijnzeels <tim at nlnetlabs.nl> wrote:
> 
> Hi Cynthia,
> 
> Thank you for sharing this, and for giving Krill a chance :)
> 
> So, it looks like rpkid from rpki.net introduced a version 2 identity exchange after RFC 8183 had been published and that ARIN supports this. This is odd because RFC 8183 itself is based on the original rpki.net implementation. And, in fact, I saw a message to the nanog list from someone who had issues getting their, presumably older version of, rpkid to work with the exchange.
> 
> I will take this up with ARIN. As chance will have it I will meet up with them this Friday. I will advise them to stick to the RFC. If an update to the format is needed then that should be discussed in the IETF first.
> 
> In the meantime, thank you! We can document this, and perhaps do some trickery of sorts if we must. But, I prefer that ARIN changes things. They can also polish off their xslt skills ;)
> 
> Tim
> 
>> On 5 Feb 2020, at 10:54, Cynthia Revström via RPKI <rpki at lists.nlnetlabs.nl> wrote:
>> 
>> Hello,
>> 
>> So there is a bit of a lack of documentation when it comes to the format of the "Up/Down Identity XML" file that ARIN wants when you are setting up Delegated RPKI and the format of the parent response from ARIN.
>> ARIN's XML files are not RFC8183 but rather something a bit odd that I had to craft by hand based on example files I found in old git repositories.
>> I mainly posted this in the case that someone else has a similar issue since well as I said, docs are lacking atm. (I have also brought it up with NLNetLabs so they can discuss it with ARIN)
>> 
>> When running `krillc parents myid` I got something in the format of:
>> <child_request xmlns="http://www.hactrn.net/uris/rpki/rpki-setup/" version="1" child_handle="QUL-4">
>>   <child_bpki_ta>MII...</child_bpki_ta>
>> </child_request>
>> 
>> Whereas ARIN seemingly wanted (and accepted) the format of:
>> <identity xmlns="http://www.hactrn.net/uris/rpki/myrpki/" version="2" handle="QUL-4">
>>   <bpki_ta>MII...</bpki_ta>
>> </identity>
>> 
>> And the parent response had a similar issue, this is what I got from ARIN:
>> <parent xmlns="http://www.hactrn.net/uris/rpki/myrpki/"
>>     version="2"
>>     valid_until="2120-02-05T09:01:23Z"
>>     service_uri="http://updown.arin.net/ARIN/QUL-4"
>>     parent_handle="ARIN"
>>     child_handle="QUL-4">
>>   <bpki_resource_ta>
>> MII...
>>   </bpki_resource_ta>
>>   <bpki_child_ta>
>> MII...
>>   </bpki_child_ta>
>>   <repository type="none"/>
>> </parent>
>> 
>> Whereas krill/RFC8183 wants the format of:
>> <parent_response xmlns="http://www.hactrn.net/uris/rpki/rpki-setup/"
>>     version="1"
>>     valid_until="2120-02-05T09:01:23Z"
>>     service_uri="http://updown.arin.net/ARIN/QUL-4"
>>     parent_handle="ARIN"
>>     child_handle="QUL-4">
>>   <parent_bpki_ta>
>> MII... <this is the bpki_resource_ta tag from the ARIN format>
>>   </parent_bpki_ta>
>> </parent_response>
>> 
>> - Cynthia
> 
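
Added example, not part of the thread and not code from Krill, rpkid or ARIN: a Python version of the element and attribute mapping shown in the messages above, converting a `krillc` `<child_request>` into the pre-RFC `<identity>` form and an ARIN `<parent>` into a `<parent_response>`. It refuses input with an unexpected element, namespace or version and checks that the BPKI trust anchor is still valid base64 before copying it. The function names and the sample blob are assumptions made for illustration.

```python
import base64
import xml.etree.ElementTree as ET

OLD_NS = "http://www.hactrn.net/uris/rpki/myrpki/"      # pre-RFC format, version="2"
RFC_NS = "http://www.hactrn.net/uris/rpki/rpki-setup/"  # RFC 8183 format, version="1"
# Constructed sample: placeholder blob, not a real certificate; handle as in the thread.
SAMPLE_TA = base64.b64encode(b"constructed placeholder, not a certificate").decode()
SAMPLE_CHILD_REQUEST = (
    f'<child_request xmlns="{RFC_NS}" version="1" child_handle="QUL-4">'
    f"<child_bpki_ta>{SAMPLE_TA}</child_bpki_ta></child_request>")

def _root(xml_text, ns, tag, version):
    """Parse, refusing anything but the expected element, namespace and version."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{ns}}}{tag}" or root.get("version") != version:
        raise ValueError(f"expected <{tag}> version {version} in {ns}")
    return root

def _ta(root, ns, tag):
    """Return a required trust anchor as one base64 string; reject missing or mangled data."""
    b64 = "".join((root.findtext(f"{{{ns}}}{tag}") or "").split())
    if not b64:
        raise ValueError(f"missing or empty <{tag}>")
    base64.b64decode(b64, validate=True)  # binascii.Error (a ValueError) if corrupted
    return b64

def _build(ns, tag, version, attrs, ta_tag, ta):
    """Serialize one element with a single TA child in the given default namespace."""
    ET.register_namespace("", ns)  # emit xmlns="..." without a prefix
    root = ET.Element(f"{{{ns}}}{tag}", {"version": version, **attrs})
    ET.SubElement(root, f"{{{ns}}}{ta_tag}").text = ta
    return ET.tostring(root, encoding="unicode")

def child_request_to_identity(xml_text):
    """<child_request> (krillc output) -> pre-RFC <identity> (the form ARIN accepted)."""
    src = _root(xml_text, RFC_NS, "child_request", "1")
    return _build(OLD_NS, "identity", "2", {"handle": src.attrib["child_handle"]},
                  "bpki_ta", _ta(src, RFC_NS, "child_bpki_ta"))

def parent_to_parent_response(xml_text):
    """Pre-RFC <parent> (from ARIN) -> <parent_response>, with the attributes the thread shows."""
    src = _root(xml_text, OLD_NS, "parent", "2")
    keep = ("valid_until", "service_uri", "parent_handle", "child_handle")
    attrs = {k: src.attrib[k] for k in keep}
    # bpki_resource_ta becomes parent_bpki_ta; bpki_child_ta and <repository> are dropped.
    return _build(RFC_NS, "parent_response", "1", attrs,
                  "parent_bpki_ta", _ta(src, OLD_NS, "bpki_resource_ta"))
```

After converting, compare the trust anchor in the output with the one in the original file, since that certificate is what each side will trust for the up-down exchange.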
