SIDROPS                                                      J. Snijders
Internet-Draft
Intended status: Standards Track                               B. Bakker
Expires: 18 March 2026                                    T. Bruijnzeels
                                                                RIPE NCC
                                                       14 September 2025


 A Profile for Resource Public Key Infrastructure (RPKI) Canonical Cache
                          Representation (CCR)
                   draft-spaghetti-sidrops-rpki-ccr-01

Abstract

   This document specifies a Canonical Cache Representation (CCR)
   content type for use with the Resource Public Key Infrastructure
   (RPKI). CCR is a DER-encoded data interchange format which can be
   used to represent various aspects of the state of a validated cache
   at a particular point in time. The CCR profile is a compact and
   versatile format well-suited for a diverse set of applications such
   as audit trail keeping, validated payload dissemination, and
   analytics pipelines.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 18 March 2026.

Copyright Notice

   Copyright (c) 2025 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.

Snijders, et al.          Expires 18 March 2026                 [Page 1]

Internet-Draft    RPKI Canonical Cache Representation     September 2025

   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.
   Code Components extracted from this document must include Revised BSD
   License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Revised BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
   2.  The Canonical Cache Representation content type
   3.  The Canonical Cache Representation content
     3.1.  version
     3.2.  hashAlg
     3.3.  producedAt
     3.4.  State aspect fields
       3.4.1.  ManifestState
       3.4.2.  ROAPayloadState
       3.4.3.  ASPAPayloadState
       3.4.4.  TrustAnchorState
       3.4.5.  RouterKeyState
   4.  Operational Considerations
     4.1.  Verifying CCR file integrity
   5.  Security Considerations
   6.  IANA Considerations
     6.1.  SMI Security for S/MIME CMS Content Type
           (1.2.840.113549.1.9.16.1)
     6.2.  RPKI Repository Name Schemes
     6.3.  SMI Security for S/MIME Module Identifier
           (1.2.840.113549.1.9.16.0)
     6.4.  Media Types
       6.4.1.  Canonical Cache Representation Media Type
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Acknowledgements
   Appendix B.  Example CCR
   Appendix C.  Implementation status
   Authors' Addresses

1.  Introduction

   This document specifies a Canonical Cache Representation (CCR)
   content type for use with the Resource Public Key Infrastructure
   (RPKI). A validated cache contains all RPKI objects that the Relying
   Party (RP) has verified to be valid according to the rules for
   validation (see [RFC6487], [RFC6488], [RFC9286]). CCR is a data
   interchange format using Distinguished Encoding Rules (DER, [X.690])
   which can be used to represent various aspects of the state of a
   validated cache at a particular point in time.

   The CCR profile is a compact and versatile format well-suited for a
   diverse set of applications such as audit record keeping, validated
   payload dissemination, and analytics pipelines. The format was
   primarily designed to support comparative analysis of uniformities
   and differences among multiple RP instances using different RPKI
   transport protocols (such as [RFC5781], [RFC8182], and
   [I-D.spaghetti-sidrops-rpki-erik-protocol]).

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  The Canonical Cache Representation content type

   The contentType for a CCR currently is defined as
   id-ct-rpkiCanonicalCacheRepresentation, with temporary Object
   Identifier (OID) 1.3.6.1.4.1.41948.825.

   Note: as part of the standardization process, at a future point in
   time, the aforementioned contentType value will change from the
   current Private Enterprise Number ([RFC9371]) to an OID assigned by
   IANA (Section 6).

3.  The Canonical Cache Representation content

   The content of a Canonical Cache Representation is formally defined
   as follows:

   RpkiCanonicalCacheRepresentation-2025
     { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
       pkcs9(9) smime(16) mod(0) id-mod-rpkiCCR-2025(TBD) }

   DEFINITIONS EXPLICIT TAGS ::=
   BEGIN

   IMPORTS
     CONTENT-TYPE, Digest, DigestAlgorithmIdentifier,
     SubjectKeyIdentifier
     FROM CryptographicMessageSyntax-2010 -- in [RFC6268]
       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
         pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) }

     -- in [draft-spaghetti-sidrops-rpki-erik-protocol-01]
     ManifestRef
     FROM RpkiErikPartition-2025
       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
         pkcs9(9) smime(16) mod(0)
         id-mod-rpkiErikPartition-2025(TBD) }

     ASID, ROAIPAddressFamily
     FROM RPKI-ROA-2023 -- in [RFC9582]
       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
         pkcs9(9) smime(16) mod(0) id-mod-rpkiROA-2023(75) }

     SubjectPublicKeyInfo
     FROM PKIX1Explicit-2009
       { iso(1) identified-organization(3) dod(6) internet(1)
         security(5) mechanisms(5) pkix(7) id-mod(0)
         id-mod-pkix1-explicit-02(51) }
     ;

   ct-rpkiCanonicalCacheRepresentation CONTENT-TYPE ::=
     { TYPE RpkiCanonicalCacheRepresentation
       IDENTIFIED BY id-ct-rpkiCanonicalCacheRepresentation }

   id-ct-rpkiCanonicalCacheRepresentation OBJECT IDENTIFIER ::=
     { iso(1) identified-organization(3) dod(6) internet(1)
       private(4) enterprise(1) snijders(41948) ccr(825) }

   RpkiCanonicalCacheRepresentation ::= SEQUENCE {
     version     [0] INTEGER DEFAULT 0,
     hashAlg         DigestAlgorithmIdentifier,
     producedAt      GeneralizedTime,
     mfts        [1] ManifestState OPTIONAL,
     vrps        [2] ROAPayloadState OPTIONAL,
     vaps        [3] ASPAPayloadState OPTIONAL,
     tas         [4] TrustAnchorState OPTIONAL,
     rks         [5] RouterKeyState OPTIONAL,
     ... }
     -- at least one of mfts, vrps, vaps, tas, or rks MUST be present
     ( WITH COMPONENTS { ..., mfts PRESENT } |
       WITH COMPONENTS { ..., vrps PRESENT } |
       WITH COMPONENTS { ..., vaps PRESENT } |
       WITH COMPONENTS { ..., tas PRESENT } |
       WITH COMPONENTS { ..., rks PRESENT } )

   ManifestState ::= SEQUENCE {
     mftrefs            SEQUENCE OF ManifestRef,
     mostRecentUpdate   GeneralizedTime,
     hash               Digest }

   ROAPayloadState ::= SEQUENCE {
     rps                SEQUENCE OF ROAPayloadSet,
     hash               Digest }

   ROAPayloadSet ::= SEQUENCE {
     asID               ASID,
     ipAddrBlocks       SEQUENCE (SIZE(1..2)) OF ROAIPAddressFamily }

   ASPAPayloadState ::= SEQUENCE {
     aps                SEQUENCE OF ASPAPayloadSet,
     hash               Digest }

   ASPAPayloadSet ::= SEQUENCE {
     customerASID       ASID,
     providers          SEQUENCE (SIZE(1..MAX)) OF ASID }

   TrustAnchorState ::= SEQUENCE {
     skis               SEQUENCE (SIZE(1..MAX)) OF SubjectKeyIdentifier,
     hash               Digest }

   RouterKeyState ::= SEQUENCE {
     rksets             SEQUENCE OF RouterKeySet,
     hash               Digest }

   RouterKeySet ::= SEQUENCE {
     asID               ASID,
     routerKeys         SEQUENCE (SIZE(1..MAX)) OF RouterKey }

   RouterKey ::= SEQUENCE {
     ski                SubjectKeyIdentifier,
     spki               SubjectPublicKeyInfo }

   END

3.1.  version

   The version field contains the format version for the
   RpkiCanonicalCacheRepresentation structure; in this version of the
   specification it MUST be 0.

3.2.  hashAlg

   The hashAlg field specifies the algorithm used to construct the
   message digests. This profile uses SHA-256 [SHS]; therefore the OID
   MUST be 2.16.840.1.101.3.4.2.1.

3.3.  producedAt

   The producedAt field contains a GeneralizedTime and indicates the
   moment in time the CCR was generated.

3.4.  State aspect fields

   Each CCR contains one or more fields representing particular aspects
   of the cache's state.
   Implementers should note the ellipsis extension marker in the
   RpkiCanonicalCacheRepresentation ASN.1 notation and anticipate future
   changes as new signed object types are standardized.

   Each state aspect generally consists of a sequence of details
   extracted from RPKI Objects of a specific type, along with a digest
   computed by hashing the aforementioned DER-encoded sequence,
   optionally including some metadata.

3.4.1.  ManifestState

   An instance of ManifestState represents the set of valid, current
   Manifests ([RFC9286]) in the cache. It contains three fields:

   The mftrefs field contains a SEQUENCE of ManifestRef structures (see
   Section 3 of [I-D.spaghetti-sidrops-rpki-erik-protocol]) sorted in
   ascending order by hash value. The hash value in each instance of
   ManifestRef MUST be unique with respect to the other instances of
   ManifestRef.

   The mostRecentUpdate is a metadata field which contains the most
   recent thisUpdate amongst all Manifests. If the mftrefs field
   contains an empty sequence, the mostRecentUpdate MUST be set to the
   POSIX Epoch ("19700101000000Z").

   The hash field contains a message digest computed using the mftrefs
   value (encoded in DER format) as input message.

3.4.2.  ROAPayloadState

   An instance of ROAPayloadState contains a field named rps which
   represents the current set of Validated ROA Payloads (Section 2 of
   [RFC6811]) encoded as a SEQUENCE of ROAPayloadSet instances.

   The ROAPayloadSet structure is modeled after the
   RouteOriginAttestation (Section 4 of [RFC9582]). The asID value in
   each instance of ROAPayloadSet MUST be unique with respect to other
   instances of ROAPayloadSet. The contents of the ipAddrBlocks field
   MUST appear in canonical form and ordered as defined in Section 4.3.3
   of [RFC9582].

   The hash field contains a message digest computed using the rps value
   (encoded in DER format) as input message.

3.4.3.  ASPAPayloadState

   An instance of ASPAPayloadState contains an aps field which
   represents the current set of deduplicated and merged ASPA payloads
   ([I-D.ietf-sidrops-aspa-profile]) ordered by ascending customerASID
   value encoded as a SEQUENCE of ASPAPayloadSet instances. The
   customerASID value in each instance of ASPAPayloadSet MUST be unique
   with respect to other instances of ASPAPayloadSet.

   The ASPAPayloadSet structure is modeled after the ProviderASSet
   (Section 3.3 of [I-D.ietf-sidrops-aspa-profile]).

   The hash field contains a message digest computed using the aps value
   (encoded in DER format) as input message.

3.4.4.  TrustAnchorState

   An instance of TrustAnchorState represents the set of valid Trust
   Anchor (TA) Certification Authority (CA) resource certificates used
   by the relying party when producing the CCR. Each
   SubjectKeyIdentifier is the 160-bit SHA-1 hash of the value of the
   DER-encoded ASN.1 bit string of the TA's Subject Public Key, as
   described in Section 4.8.2 of [RFC6487].

   The skis field contains a sequence of Subject Key Identifiers (SKI)
   sorted in ascending order by interpreting the SKI value as an
   unsigned 160-bit integer.

   The hash field contains a message digest computed using the skis
   value (encoded in DER format) as input message.

3.4.5.  RouterKeyState

   An instance of RouterKeyState contains an rksets field which
   represents the current set of valid BGPsec Router Keys [RFC8205]
   encoded as a SEQUENCE of RouterKeySet instances. The asID value in
   each instance of RouterKeySet MUST be unique with respect to other
   instances of RouterKeySet. Instances of RouterKeySet are sorted by
   ascending value of asID. Instances of RouterKey are sorted by
   ascending value of ski by interpreting the SKI value as an unsigned
   160-bit integer.

   The hash field contains a message digest computed using the rks value
   (encoded in DER format) as input message.

4.  Operational Considerations

   Comparing the ManifestState mostRecentUpdate timestamp value with the
   producedAt timestamp might help offer insight into the timing and
   propagation delays of the RPKI supply chain.

   Given the absence of public keys and fairly repetitive content in
   RPKI AccessDescription instances, it should be noted CCR content
   compresses well.

4.1.  Verifying CCR file integrity

   The integrity of a CCR object can be checked by confirming whether
   the hash values embedded inside state aspects match the computed hash
   value of the respective state aspect payload structure.

5.  Security Considerations

   CCR objects are not signed objects.

6.  IANA Considerations

6.1.  SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)

   IANA is requested to allocate the following in the "SMI Security for
   S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)" registry:

   +=========+==================================+==================+
   | Decimal | Description                      | References       |
   +=========+==================================+==================+
   | TBD     | id-ct-                           | draft-spaghetti- |
   |         | rpkiCanonicalCacheRepresentation | sidrops-rpki-ccr |
   +---------+----------------------------------+------------------+

                                Table 1

6.2.  RPKI Repository Name Schemes

   IANA is requested to add the Canonical Cache Representation file
   extension to the "RPKI Repository Name Schemes" registry [RFC6481] as
   follows:

   +===========+=================+==================================+
   | Filename  | RPKI Object     | Reference                        |
   | Extension |                 |                                  |
   +===========+=================+==================================+
   | .ccr      | Canonical Cache | draft-spaghetti-sidrops-rpki-ccr |
   |           | Representation  |                                  |
   +-----------+-----------------+----------------------------------+

                                Table 2

6.3.  SMI Security for S/MIME Module Identifier
      (1.2.840.113549.1.9.16.0)

   IANA is requested to allocate the following in the "SMI Security for
   S/MIME Module Identifier (1.2.840.113549.1.9.16.0)" registry:

   +=========+=====================+==================================+
   | Decimal | Description         | References                       |
   +=========+=====================+==================================+
   | TBD     | id-mod-rpkiCCR-2025 | draft-spaghetti-sidrops-rpki-ccr |
   +---------+---------------------+----------------------------------+

                                Table 3

6.4.  Media Types

   IANA is requested to register the media type "application/rpki-ccr"
   in the "Media Types" registry as follows:

6.4.1.  Canonical Cache Representation Media Type

   Type name:  application
   Subtype name:  rpki-ccr
   Required parameters:  N/A
   Optional parameters:  N/A
   Encoding considerations:  binary
   Security considerations:  This media type contains no active content.
   Interoperability considerations:  N/A
   Published specification:  draft-spaghetti-sidrops-rpki-ccr
   Applications that use this media type:  RPKI operators
   Fragment identifier considerations:  N/A
   Additional information:
      Content:  This media type is a RPKI Canonical Cache Representation
         object, as defined in draft-spaghetti-sidrops-rpki-ccr.
      Magic number(s):  N/A
      File extension(s):  .ccr
      Macintosh file type code(s):  N/A
   Person & email address to contact for further information:  Job
      Snijders (job@sobornost.net)
   Intended usage:  COMMON
   Restrictions on usage:  N/A
   Author:  Job Snijders (job@sobornost.net)
   Change controller:  IETF

7.  References

7.1.  Normative References

   [I-D.ietf-sidrops-aspa-profile]
              Azimov, A., Uskov, E., Bush, R., Snijders, J., Housley,
              R., and B. Maddison, "A Profile for Autonomous System
              Provider Authorization", Work in Progress, Internet-Draft,
              draft-ietf-sidrops-aspa-profile-20, 18 August 2025.

   [I-D.spaghetti-sidrops-rpki-erik-protocol]
              Snijders, J., Bruijnzeels, T., Harrison, T., and W. Ohgai,
              "The Erik Synchronization Protocol for use with the
              Resource Public Key Infrastructure (RPKI)", Work in
              Progress, Internet-Draft,
              draft-spaghetti-sidrops-rpki-erik-protocol-01,
              11 September 2025.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC6481]  Huston, G., Loomans, R., and G. Michaelson, "A Profile for
              Resource Certificate Repository Structure", RFC 6481,
              DOI 10.17487/RFC6481, February 2012.

   [RFC6487]  Huston, G., Michaelson, G., and R. Loomans, "A Profile for
              X.509 PKIX Resource Certificates", RFC 6487,
              DOI 10.17487/RFC6487, February 2012.

   [RFC6488]  Lepinski, M., Chi, A., and S. Kent, "Signed Object
              Template for the Resource Public Key Infrastructure
              (RPKI)", RFC 6488, DOI 10.17487/RFC6488, February 2012.

   [RFC6811]  Mohapatra, P., Scudder, J., Ward, D., Bush, R., and R.
              Austein, "BGP Prefix Origin Validation", RFC 6811,
              DOI 10.17487/RFC6811, January 2013.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC9286]  Austein, R., Huston, G., Kent, S., and M. Lepinski,
              "Manifests for the Resource Public Key Infrastructure
              (RPKI)", RFC 9286, DOI 10.17487/RFC9286, June 2022.

   [RFC9582]  Snijders, J., Maddison, B., Lepinski, M., Kong, D., and S.
              Kent, "A Profile for Route Origin Authorizations (ROAs)",
              RFC 9582, DOI 10.17487/RFC9582, May 2024.

   [SHS]      National Institute of Standards and Technology, "Secure
              Hash Standard", March 2012.

   [X.690]    ITU-T, "Information technology - ASN.1 encoding rules:
              Specification of Basic Encoding Rules (BER), Canonical
              Encoding Rules (CER) and Distinguished Encoding Rules
              (DER)", ITU-T Recommendation X.690, ISO/IEC 8825-1:2021,
              February 2021.

7.2.  Informative References

   [RFC5781]  Weiler, S., Ward, D., and R. Housley, "The rsync URI
              Scheme", RFC 5781, DOI 10.17487/RFC5781, February 2010.

   [RFC8182]  Bruijnzeels, T., Muravskiy, O., Weber, B., and R. Austein,
              "The RPKI Repository Delta Protocol (RRDP)", RFC 8182,
              DOI 10.17487/RFC8182, July 2017.

   [RFC8205]  Lepinski, M., Ed. and K. Sriram, Ed., "BGPsec Protocol
              Specification", RFC 8205, DOI 10.17487/RFC8205,
              September 2017.

   [RFC9371]  Baber, A. and P. Hoffman, "Registration Procedures for
              Private Enterprise Numbers (PENs)", RFC 9371,
              DOI 10.17487/RFC9371, March 2023.

   [rpki-client]
              Jeker, C., Dzonsons, K., Buehler, T., and J. Snijders,
              "rpki-client", September 2025.

Appendix A.  Acknowledgements

   The authors wish to thank Theo Buehler and Russ Housley for their
   generous feedback on this specification.

Appendix B.  Example CCR

   The below is a Base64-encoded example CCR object. For a more
   elaborate example based on the global RPKI, see the URL in
   Appendix C.

   It decodes as follows:

   File:                     /var/db/rpki-client/rpki.ccr
   Hash identifier:          2I/Z4CJxz1uFzeCzNrVI0z0mwNWmjJr5rfIthoSSe/o=
   CCR produced at:          Sun 14 Sep 2025 15:01:00 +0000
   Manifest state hash:      RTkyNzcyQTREM0U0OEVFM0JCOTY1NDAzRThFRjk5MTE=
   Manifest last update:     Sun 14 Sep 2025 08:46:11 +0000
   Manifest references:
      hash:AAJkHxAacbug2d9I3RgA68J03dSvcGL/plSvfOGMjNM= size:1998 aki:F5882F33F7480DCC7B87637AEA76368289D75C2D seqnum:039D
         sia:rsync://rpki.ripe.net/repository/DEFAULT/58/92ff2a-a16a-4a78-99b2-a95105f16e66/1/9YgvM_dIDcx7h2N66nY2gonXXC0.mft
      hash:AAMVpLc55h0gauVh2mWZZEJz9v+8ghnjXHZxggMH3y0= size:1924 aki:E22501D9A401709838F33D1AE279BCE7100B3CCF seqnum:10FB
         sia:rsync://rpki.ripe.net/repository/DEFAULT/73/63fae9-499f-43d5-8768-f9811ee3fa87/1/4iUB2aQBcJg48z0a4nm85xALPM8.mft
      hash:AAZftcBOmqiZF5kf+QUnNG9OKz5llBRS/LjIe0igyXg= size:1998 aki:6D164D9B6B3C7CBD1E9D279C6C867BAD397D1E17 seqnum:0ABD
         sia:rsync://rpki.ripe.net/repository/DEFAULT/6f/aeb23a-f8d8-4a1b-a232-3d7e4b496b23/1/bRZNm2s8fL0enSecbIZ7rTl9Hhc.mft
      hash:AAr7w8/up/PZUntkxbfvXZrYVA4lbhaZdyLqBn573/U= size:1998 aki:BBBC3DBD1A4F224AB84AD609C268079FB624B5BD seqnum:02A7
         sia:rsync://rpki.ripe.net/repository/DEFAULT/2f/54b006-6809-441b-84d7-a24cb572298e/1/u7w9vRpPIkq4StYJwmgHn7Yktb0.mft
      hash:AAsF2PWNxkTeZQ/qxn0i4yX62+4mhxcHa6lXXFiqd1Y= size:2113 aki:B13832FCA4934496236AC3894998C3DD513D7C09 seqnum:01D1
         sia:rsync://rpki.apnic.net/member_repository/A91D4A16/BAE7EFFECC5311ED81F4C515C4F9AE02/sTgy_KSTRJYjasOJSZjD3VE9fAk.mft
      hash:AAxQt4RXXbQqLedjYi+JKCgiiPFzR9jhBhssdbVG8Ig= size:2072 aki:0AEEAEE0863D1DCA624F61F39B2181C7DB6CBA3F seqnum:1682
         sia:rsync://rpki.ripe.net/repository/DEFAULT/6b/b62878-ccc8-4d57-9fe0-7a104b80cd71/1/Cu6u4IY9HcpiT2HzmyGBx9tsuj8.mft
      hash:AA9bMXbx8zKdwLHXaprPuRCKgQWpBQOVEQiyQN6Xfus= size:2192 aki:578C8D02AEF0B43E29FECEA1895DCC9D10663535 seqnum:9A
         sia:rsync://rpki.apnic.net/member_repository/A91D4786/34598C70A7C311EFB511E053C4F9AE02/V4yNAq7wtD4p_s6hiV3MnRBmNTU.mft
      hash:AA/iSfH0yo2LRxfvL9RkIEo0+NAtgdM5BK8pIGwcltA= size:2084 aki:12301D400962DD987A3C7B83A3366287D47F86FD seqnum:019E
         sia:rsync://rpki-repository.nic.ad.jp/ap/A91A73810000/1164/EjAdQAli3Zh6PHuDozZih9R_hv0.mft
      hash:AB2L58delmHldffkzMc6QDJ9F31+PEJaau9u7cHxjLY= size:2172 aki:B1F0A7585ED1882783C6AF802B826607ABB92671 seqnum:A4
         sia:rsync://repo-rpki.idnic.net/repo/38913893-5f64-4a5e-a8d2-5d51ebde473f/0/B1F0A7585ED1882783C6AF802B826607ABB92671.mft
      hash:ACDy+jFe4pphixrHj/sLz2f6X9aNOHiEcFseRYKJQPI= size:1998 aki:39E4059E519E7CAD0536BD54D91BC97875644CDB seqnum:1614
         sia:rsync://rpki.ripe.net/repository/DEFAULT/d0/ef9221-c354-4e67-a32f-84e596a3c121/1/OeQFnlGefK0FNr1U2RvJeHVkTNs.mft
      hash:ACLbiX5uyswdLWeu1TBH8p9kVqH49Cy/jShdzyJQ/hA= size:2113 aki:1D492FA3F3B29580495A6880D404EE0C370AD925 seqnum:07BF
         sia:rsync://rpki.apnic.net/member_repository/A915D963/90E80BC897E211EB9B39D531C4F9AE02/HUkvo_OylYBJWmiA1ATuDDcK2SU.mft
   ROA payload state hash:   MDI1RjhBMTc2NkE1RkM0RjA2NUExRUJFNzNBQUI4OEE=
   ROA payload entries:
      192.35.94.0/24-32 AS 7
      192.67.43.0/24-32 AS 7
      194.32.69.0/24-32 AS 7
      194.32.218.0/23-32 AS 7
      194.34.138.0/24-32 AS 7
      194.61.92.0/23-32 AS 7
      2a0b:3b40::/29-128 AS 7
      91.208.34.0/24 AS 8283
      94.142.240.0/24 AS 8283
      94.142.240.0/21 AS 8283
      94.142.241.0/24 AS 8283
      94.142.242.0/24 AS 8283
      94.142.244.0/24 AS 8283
      94.142.245.0/24 AS 8283
      94.142.246.0/24 AS 8283
      94.142.247.0/24 AS 8283
      185.52.224.0/24 AS 8283
      185.52.224.0/22 AS 8283
      185.52.225.0/24 AS 8283
      185.52.226.0/24 AS 8283
      185.52.227.0/24 AS 8283
      203.56.44.0/24 AS 8283
      2001:678:688::/48 AS 8283
      2a02:898::/32 AS 8283
      2001:67c:208c::/48 AS 15562
      2001:728:1808::/48 AS 15562
      2a0e:b240::/48 AS 15562
      2a0e:b240:118::/48 AS 15562
   ASPA payload state hash:  MTc4RkVEOTczODY5OThCRTE4MkExNzMxQ0FGRjBDQTE=
   ASPA payload entries:
      customer: 945 providers: 1421, 13213
      customer: 7719 providers: 945, 1421, 13213, 61138
      customer: 18607 providers: 20473, 207487
      customer: 39002 providers: 0
      customer: 41720 providers: 174, 1299, 9002, 50877, 60068, 203446, 212508
   Trust anchor state hash:  RkZCMDlBRDA5QzJCOEU2MEI2NDcyMjIyNUE2NENCNUQ=
   Trust anchor keyids:      0B9CCA90DD0D7A8A37666B19217FE0D84037B7A2, E8552B1FD6D1A4F7E404C6D8E5680D1EBC163FC3
   Router key state hash:    QkE1RkI0NDlDRUZCNkJBMDBGMzYxMjc5NjJBMkVFQTY=
   Router keys:
      asid:15562 ski:5D4250E2D81D4448D8A29EFCE91D29FF075EC9E2
         pubkey:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgFcjQ/g//LAQerAH2Mpp+GucoDAGBbhIqD33wNPsXxnAGb+mtZ7XQrVO9DQ6UlAShtig5+QfEKpTtFgiqfiAFQ==
      asid:15562 ski:BE889B55D0B737397D75C49F485B858FA98AD11F
         pubkey:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4FxJr0n2bux1uX1Evl+QWwZYvIadPjLuFX2mxqKuAGUhKnr7VLLDgrE++l9p5eH2kWTNVAN22FUU3db/RKpE2w==
   Validation:               N/A

Appendix C.  Implementation status

   This section is to be removed before publishing as an RFC.

   This section records the status of known implementations of the
   protocol defined by this specification at the time of posting of this
   Internet-Draft, and is based on a proposal described in RFC 7942.
   The description of implementations in this section is intended to
   assist the IETF in its decision processes in progressing drafts to
   RFCs. Please note that the listing of any individual implementation
   here does not imply endorsement by the IETF. Furthermore, no effort
   has been spent to verify the information presented here that was
   supplied by IETF contributors.
   This is not intended as, and must not be construed to be, a catalog
   of available implementations or their features. Readers are advised
   to note that other implementations may exist.

   According to RFC 7942, "this will allow reviewers and working groups
   to assign due consideration to documents that have the benefit of
   running code, which may serve as evidence of valuable experimentation
   and feedback that have made the implemented protocols more mature.
   It is up to the individual working groups to use this information as
   they see fit".

   *  Example .ccr files were created by Job Snijders. A current
      example CCR (regenerated every few minutes) is available here:
      https://console.rpki-client.org/rpki.ccr

   *  A CCR serializer and deserializer implementation based on
      [rpki-client] was provided by Job Snijders.

Authors' Addresses

   Job Snijders
   Amsterdam
   Netherlands
   Email: job@sobornost.net

   Bart Bakker
   RIPE NCC
   Netherlands
   Email: bbakker@ripe.net

   Tim Bruijnzeels
   RIPE NCC
   Netherlands
   Email: tbruijnzeels@ripe.net
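
   Added example, not part of the draft or of rpki-client: the Section
   4.1 integrity check applied to a TrustAnchorState (Section 3.4.4),
   with the two trust anchor key identifiers from the Appendix B decode
   as sample input. It assumes the digest covers the complete DER
   encoding of skis, tag and length octets included; all function names
   are hypothetical.

```python
import hashlib

SKI_LEN = 20      # 160-bit SHA-1 Subject Key Identifier (Section 3.4.4)
DIGEST_LEN = 32   # SHA-256, the only hashAlg in this profile (Section 3.2)
SEQUENCE, OCTET_STRING = 0x30, 0x04


def der_tlv(tag, content):
    """Encode one DER element with a definite, minimal length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def read_tlv(buf, pos=0):
    """Return (tag, content, full_encoding, next_pos) for the element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first, hdr = buf[pos], buf[pos + 1], 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + 2 + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        if length < 0x80 or buf[pos + 2] == 0:
            raise ValueError("non-minimal length, not DER")
        hdr += n
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated content")
    return tag, buf[pos + hdr:end], buf[pos:end], end


def encode_ta_state(skis, canonical=True):
    """Encode TrustAnchorState { skis, hash }; canonical=False keeps input order."""
    if canonical:
        skis = sorted(skis)  # equal-length byte strings sort like unsigned integers
    skis_der = der_tlv(SEQUENCE, b"".join(der_tlv(OCTET_STRING, s) for s in skis))
    # Assumption: the digest input is the whole encoding, tag and length included.
    digest = hashlib.sha256(skis_der).digest()
    return der_tlv(SEQUENCE, skis_der + der_tlv(OCTET_STRING, digest))


def check_ta_state(state_der):
    """Return a list of problems; an empty list means every check passed."""
    try:
        tag, body, _, end = read_tlv(state_der)
        if tag != SEQUENCE or end != len(state_der):
            return ["not a single SEQUENCE"]
        stag, skis_body, skis_der, pos = read_tlv(body)
        htag, digest, _, hend = read_tlv(body, pos)
        if stag != SEQUENCE or htag != OCTET_STRING or hend != len(body):
            return ["expected SEQUENCE { SEQUENCE OF ..., OCTET STRING }"]
        skis, p = [], 0
        while p < len(skis_body):
            etag, ski, _, p = read_tlv(skis_body, p)
            if etag != OCTET_STRING:
                return ["skis holds an element that is not an OCTET STRING"]
            skis.append(ski)
    except ValueError as err:
        return [f"malformed DER: {err}"]
    problems = []
    if not skis:
        problems.append("skis is empty, SIZE(1..MAX) violated")
    if any(len(s) != SKI_LEN for s in skis):
        problems.append("SKI is not 20 bytes")
    if any(a > b for a, b in zip(skis, skis[1:])):
        problems.append("skis not in ascending order")
    if len(digest) != DIGEST_LEN:
        problems.append("hash is not a SHA-256 digest")
    elif hashlib.sha256(skis_der).digest() != digest:
        problems.append("hash does not match DER-encoded skis")
    return problems


# Sample input: the two trust anchor key ids listed in the Appendix B decode.
SKI_A = bytes.fromhex("0B9CCA90DD0D7A8A37666B19217FE0D84037B7A2")
SKI_B = bytes.fromhex("E8552B1FD6D1A4F7E404C6D8E5680D1EBC163FC3")

if __name__ == "__main__":
    good = encode_ta_state([SKI_B, SKI_A])
    print("canonical:", check_ta_state(good))
    flipped = bytearray(good)
    flipped[47] ^= 0x01  # constructed corruption: last octet of the second SKI
    print("bit flip: ", check_ta_state(bytes(flipped)))
    unsorted_state = encode_ta_state([SKI_B, SKI_A], canonical=False)
    print("unsorted: ", check_ta_state(unsorted_state))
```

   A passing check shows only that the state aspect is internally
   consistent and canonically ordered; because CCR objects are not
   signed (Section 5), the embedded hash says nothing about who produced
   the file.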