From 6c57726173a1eebb5516fede1ef9ab2b0001f959 Mon Sep 17 00:00:00 2001 From: Alex Band Date: Mon, 10 May 2021 21:28:35 +0200 Subject: [PATCH 1/3] terminology page --- source/about/terminology.rst | 45 ++++++++++++++++++++++++++++++++++++ source/index.rst | 1 + 2 files changed, 46 insertions(+) create mode 100644 source/about/terminology.rst diff --git a/source/about/terminology.rst b/source/about/terminology.rst new file mode 100644 index 0000000..bc0f250 --- /dev/null +++ b/source/about/terminology.rst 
@@ -0,0 +1,45 @@ +.. _doc_about_terminology: + +Introduction +============ + +Throughout this documentation you will find references to standards, specific +terminology, and various implementation choices. This page is meant to introduce +you to some of the specifics of RPKI. + +ROAs, VRPs and ROV +------------------ + +It's quite common to use the term ROA and VRP interchangably, but they are quite +different. + +Route Origin Attestations (ROAs) are cryptographically signed objects that +contain a statement authorising a *single* Autonomous System Number (ASN) to +originate one or more IP prefixes, along with their maximum prefix length. A ROA +can only be created by the legitimate holder of the IP prefixes contained witin +it. + +RPKI Relying Party software performs cryptographic verification on all published +ROAs. If everything checks out, the software will produce one or more validated +ROA payloads (VRPs) for each ROA, depending on how many IP prefixes are +contained with in it. Each VRP is a tuple of an ASN, a single prefix and its +maximum prefix length. If verification fails, the ROA is discarded and it'll be +like no statement was ever made. + +The collection of all VRPs can be compared to the BGP route announcements seen +by your routers. This process is called Route Origin Validation (ROV). + +Verification, Validation and Validity +------------------------------------- + +The terms "Valid" and "Invalid" are often used in different contexts, which can +be confusing. + +As explained, ROAs and all related crytographic objects are verified by Relying +Party Software. If they pass verification, one or more VRPs are emitted and each +is compared to a BGP route. If the route origin is authorised by the VRP, it is +considered "RPKI Valid", if it isn't it is "RPKI Invalid". If nothing can be +said about the validity of the route, it is considered "RPKI NotFound". + +Only a ROA that has passed cryptographic verification – i.e. 
a *Valid ROA* – can +make a BGP route "RPKI Valid" or "RPKI Invalid". diff --git a/source/index.rst b/source/index.rst index 32be8e2..3fc40c2 100644 --- a/source/index.rst +++ b/source/index.rst @@ -39,6 +39,7 @@ The main documentation is organised into the following sections: about/introduction about/faq + about/terminology about/help .. toctree:: From 9f099fd264cde3bdab653897522ef71d63c3fb58 Mon Sep 17 00:00:00 2001 From: Alex Band Date: Tue, 11 May 2021 14:53:59 +0200 Subject: [PATCH 2/3] validated ROA --- source/ops/router-support.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/ops/router-support.rst b/source/ops/router-support.rst index fbae1c4..20d7947 100644 --- a/source/ops/router-support.rst +++ b/source/ops/router-support.rst @@ -61,7 +61,7 @@ RTRLib is a C library that implements the client side of the RPKI-RTR protocol, as well as route origin validation. RTRlib powers RPKI in BGP software routers such as `FRR `_. In a nutshell, it maintains data from RPKI relying party software and allows to verify whether an autonomous -system (AS) is the legitimate origin AS, based on the fetched valid ROA data. +system (AS) is the legitimate origin AS, based on the fetched validated ROA data. `BGP‑SRx `_ by NIST is a prototype that can perform similar functions. From 0a62f1e0b0c0101aae559f3629fa2075c239087b Mon Sep 17 00:00:00 2001 From: Alex Band Date: Sun, 16 May 2021 21:09:58 +0200 Subject: [PATCH 3/3] linting --- source/about/terminology.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/source/about/terminology.rst b/source/about/terminology.rst index bc0f250..285e20b 100644 --- a/source/about/terminology.rst +++ b/source/about/terminology.rst 
@@ -10,13 +10,13 @@ you to some of the specifics of RPKI. ROAs, VRPs and ROV ------------------ -It's quite common to use the term ROA and VRP interchangably, but they are quite +It's quite common to use the term ROA and VRP interchangeably, but they are quite different. Route Origin Attestations (ROAs) are cryptographically signed objects that contain a statement authorising a *single* Autonomous System Number (ASN) to originate one or more IP prefixes, along with their maximum prefix length. A ROA -can only be created by the legitimate holder of the IP prefixes contained witin +can only be created by the legitimate holder of the IP prefixes contained within it. RPKI Relying Party software performs cryptographic verification on all published @@ -41,5 +41,5 @@ is compared to a BGP route. If the route origin is authorised by the VRP, it is considered "RPKI Valid", if it isn't it is "RPKI Invalid". If nothing can be said about the validity of the route, it is considered "RPKI NotFound". -Only a ROA that has passed cryptographic verification – i.e. a *Valid ROA* – can -make a BGP route "RPKI Valid" or "RPKI Invalid". +Only a ROA that has passed cryptographic verification – i.e. a *Validated ROA* – +can make a BGP route "RPKI Valid" or "RPKI Invalid".
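Review bot: In the new terminology.rst (patch 1, the "Verification, Validation and Validity" section), the sentence "If the route origin is authorised by the VRP, it is considered "RPKI Valid", if it isn't it is "RPKI Invalid"" drops the maximum prefix length that the page itself introduces two paragraphs earlier: a route is Invalid when a VRP covers the prefix but none matches on both origin ASN and prefix length within the maximum length, so an announcement from the authorised ASN that is more specific than the maxLength is still Invalid. Suggest "If a VRP covers the prefix and matches the origin ASN and the prefix length is within the maximum length, the route is "RPKI Valid"; if VRPs cover the prefix but none matches, it is "RPKI Invalid"". Also in this hunk: "crytographic" should be "cryptographic", "contained with in it" should be "contained within it", and the file's top-level heading reads "Introduction" although the page is the terminology page, so consider "Terminology" as the title.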
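Review bot: The index.rst toctree hunk (patch 1) adds "about/terminology" with no explicit caption, so the sidebar entry will take the document's first heading, which in the new file is "Introduction", not "Terminology"; either rename the heading in terminology.rst or give the toctree entry an explicit title in the form "Terminology <about/terminology>" so it is distinguishable from the about/introduction entry above it.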
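Review bot: In the router-support.rst hunk (patch 2), "validated ROA data" is an improvement over "valid ROA data", but the terminology page added in patch 1 defines what relying party software hands to routers as validated ROA payloads (VRPs), so "based on the fetched VRP data" (or "validated ROA payload (VRP) data") would tie the two pages together. While touching this paragraph, the context line "allows to verify whether an autonomous system (AS)" is ungrammatical; "allows verifying whether" or "lets it verify whether" reads correctly, and "RTRLib" and "RTRlib" appear with different capitalisation in adjacent context lines.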
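Review bot: The first hunk of patch 3 ("linting") fixes "interchangably" and "witin" but leaves two spelling errors in the same file visible in patch 1: "contained with in it" (the VRP paragraph, which should read "contained within it") and "crytographic objects" (the validity section, which should read "cryptographic objects"). Since this commit is specifically the lint pass for terminology.rst, suggest folding both into it rather than leaving them for a fourth patch.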
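Review bot: The second hunk of patch 3 changes "a *Valid ROA*" to "a *Validated ROA*", which matches the wording chosen in patch 2, but the page never uses "Validated ROA" anywhere else; the object it actually defines earlier is the "validated ROA payload (VRP)", and the preceding paragraph says it is the VRP, not the ROA, that is compared to the BGP route. Suggest closing the loop explicitly, for example "Only a ROA that has passed cryptographic verification produces VRPs, and only a VRP can make a BGP route "RPKI Valid" or "RPKI Invalid"", so the reader is not left with a third term next to ROA and VRP.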