A Profile for Resource Public Key Infrastructure (RPKI) Canonical Cache Representation (CCR) BSD Software Development
Amsterdam Netherlands job@bsd.nl https://www.bsd.nl
RIPE NCC
Netherlands bbakker@ripe.net
RIPE NCC
Netherlands tbruijnzeels@ripe.net
OpenBSD
Switzerland tb@openbsd.org
ops SIDROPS security cryptography X.509 This document specifies a Canonical Cache Representation (CCR) content type for use with the Resource Public Key Infrastructure (RPKI). CCR is a DER-encoded data interchange format which can be used to represent various aspects of the state of a validated cache at a particular point in time. The CCR profile is a compact and versatile format well-suited for a diverse set of applications such as audit trail keeping, validated payload dissemination, and analytics pipelines.
Introduction This document specifies a Canonical Cache Representation (CCR) content type for use with the Resource Public Key Infrastructure (RPKI). A validated cache contains all RPKI objects that the Relying Party (RP) has verified to be valid according to the rules for validation (see , , ). CCR is a data interchange format using Distinguished Encoding Rules (DER, ) which can be used to represent various aspects of the state of a validated cache at a particular point in time. The CCR profile is a compact and versatile format well-suited for a diverse set of applications such as audit record keeping, validated payload dissemination, and analytics pipelines. The format was primarily designed to support comparative analysis of uniformities and differences among multiple RP instances using different RPKI transport protocols (such as , , and ).
Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.
The Canonical Cache Representation content type The content of a CCR file is an instance of ContentInfo. The contentType for a CCR is defined as id-ct-rpkiCanonicalCacheRepresentation, with Object Identifier (OID) 1.2.840.113549.1.9.16.1.54. The content is an instance of RpkiCanonicalCacheRepresentation.
The Canonical Cache Representation content The content of a Canonical Cache Representation is formally defined as follows: RpkiCanonicalCacheRepresentation-2025 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) mod(0) id-mod-rpkiCCR-2025(TBD) } DEFINITIONS EXPLICIT TAGS ::= BEGIN IMPORTS CONTENT-TYPE, Digest, DigestAlgorithmIdentifier, SubjectKeyIdentifier FROM CryptographicMessageSyntax-2010 -- in [RFC6268] { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) } ASID, ROAIPAddressFamily FROM RPKI-ROA-2023 -- in [RFC9582] { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) mod(0) id-mod-rpkiROA-2023(75) } CertificateSerialNumber, SubjectPublicKeyInfo FROM PKIX1Explicit-2009 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) } AccessDescription, KeyIdentifier FROM PKIX1Implicit-2009 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) } ; ContentInfo ::= SEQUENCE { contentType CONTENT-TYPE.&id({ContentSet}), content [0] EXPLICIT CONTENT-TYPE.&Type({ContentSet}{@contentType}) } ContentSet CONTENT-TYPE ::= { ct-rpkiCanonicalCacheRepresentation, ... } ct-rpkiCanonicalCacheRepresentation CONTENT-TYPE ::= { TYPE RpkiCanonicalCacheRepresentation IDENTIFIED BY id-ct-rpkiCanonicalCacheRepresentation } id-ct-rpkiCanonicalCacheRepresentation OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) id-smime(16) id-ct(1) ccr(54) } RpkiCanonicalCacheRepresentation ::= SEQUENCE { version [0] INTEGER DEFAULT 0, hashAlg DigestAlgorithmIdentifier, producedAt GeneralizedTime, mfts [1] ManifestState OPTIONAL, vrps [2] ROAPayloadState OPTIONAL, vaps [3] ASPAPayloadState OPTIONAL, tas [4] TrustAnchorState OPTIONAL, rks [5] RouterKeyState OPTIONAL, ... } -- at least one of mfts, vrps, vaps, tas, or rks MUST be present ( WITH COMPONENTS { ..., mfts PRESENT } | WITH COMPONENTS { ..., vrps PRESENT } | WITH COMPONENTS { ..., vaps PRESENT } | WITH COMPONENTS { ..., tas PRESENT } | WITH COMPONENTS { ..., rks PRESENT } ) ManifestState ::= SEQUENCE { mis SEQUENCE OF ManifestInstance, mostRecentUpdate GeneralizedTime, hash Digest } ManifestInstance ::= SEQUENCE { hash Digest, size INTEGER (1000..MAX), aki KeyIdentifier, manifestNumber INTEGER (0..MAX), thisUpdate GeneralizedTime, locations SEQUENCE SIZE (1..MAX) OF AccessDescription, subordinates SEQUENCE (SIZE(1..MAX)) OF SubjectKeyIdentifier OPTIONAL } ROAPayloadState ::= SEQUENCE { rps SEQUENCE OF ROAPayloadSet, hash Digest } ROAPayloadSet ::= SEQUENCE { asID ASID, ipAddrBlocks SEQUENCE (SIZE(1..2)) OF ROAIPAddressFamily } ASPAPayloadState ::= SEQUENCE { aps SEQUENCE OF ASPAPayloadSet, hash Digest } ASPAPayloadSet ::= SEQUENCE { customerASID ASID, providers SEQUENCE (SIZE(1..MAX)) OF ASID } TrustAnchorState ::= SEQUENCE { skis SEQUENCE (SIZE(1..MAX)) OF SubjectKeyIdentifier, hash Digest } RouterKeyState ::= SEQUENCE { rksets SEQUENCE OF RouterKeySet, hash Digest } RouterKeySet ::= SEQUENCE { asID ASID, routerKeys SEQUENCE (SIZE(1..MAX)) OF RouterKey } RouterKey ::= SEQUENCE { ski SubjectKeyIdentifier, spki SubjectPublicKeyInfo } END
version The version field contains the format version for the RpkiCanonicalCacheRepresentation structure, in this version of the specification it MUST be 0.
hashAlg The hashAlg field specifies the algorithm used to construct the message digests. This profile uses SHA-256 , therefore the OID MUST be 2.16.840.1.101.3.4.2.1.
producedAt The producedAt field contains a GeneralizedTime and indicates the moment in time the CCR was generated.
State aspect fields Each CCR contains one or more fields representing particular aspects of the cache's state. Implementers should note the ellipsis extension marker in the RpkiCanonicalCacheRepresentation ASN.1 notation and anticipate future changes as new signed object types are standardized. Each state aspect generally consists of a sequence of details extracted from RPKI Objects of a specific type, along with a digest computed by hashing the aforementioned DER-encoded sequence, optionally including some metadata.
ManifestState An instance of ManifestState represents the set of valid, current Manifests () in the cache. It contains three fields: mis, mostRecentUpdate, and hash.
ManifestInstance The mis field contains a SEQUENCE of ManifestInstance. There is one ManifestInstance for each current manifest. A manifest is nominally current until the time specified in nextUpdate or until a manifest is issued with a greater manifestNumber, whichever comes first (see ). A ManifestInstance is a structure consisting of the following fields:
hash
the hash of the represented DER-encoded manifest object
size
the size of the represented DER-encoded manifest object
aki
the manifest issuer's key identifier
manifestNumber
the manifest number contained within the manifest's eContent field
thisUpdate
the thisUpdate contained within the manifest's eContent field
locations
a sequence of AccessDescription instances from the manifest's End-Entity certificate's Subject Information Access extension
subordinates
a optional non-empty SEQUENCE of SubjectKeyIdentifier
The subordinates field represents the keypairs associated with the set of non-revoked, non-expired, validly signed, certification authority (CA) resource certificates subordinate to the manifest issuer. Each SubjectKeyIdentifier is the 160-bit SHA-1 hash of the value of the DER-encoded ASN.1 bit string of the resource certificate's Subject Public Key, as described in . The sequence elements of the subordinates field MUST be sorted in ascending order by interpreting each SubjectKeyIdentifier value as an unsigned 160-bit integer and MUST be unique with respect to each other. The sequence elements in the mis field MUST be sorted in ascending order by hash value contained in each instance of ManifestInstance and MUST be unique with respect to the other instances of ManifestInstance.
mostRecentUpdate The mostRecentUpdate is a metadata field which contains the most recent thisUpdate amongst all current manifests represented by the ManifestInstance structures. If the mis field contains an empty sequence, the mostRecentUpdate MUST be set to the POSIX Epoch ("19700101000000Z").
hash The hash field contains a message digest computed using the mis value (encoded in DER format) as input message.
ROAPayloadState An instance of ROAPayloadState contains a field named rps which represents the current set of Validated ROA Payloads () encoded as a SEQUENCE of ROAPayloadSet instances. The ROAPayloadSet structure is modeled after the RouteOriginAttestation (). The asID value in each instance of ROAPayloadSet MUST be unique with respect to other instances of ROAPayloadSet. The contents of the ipAddrBlocks field MUST appear in canonical form and ordered as defined in . The hash field contains a message digest computed using the rps value (encoded in DER format) as input message.
ASPAPayloadState An instance of ASPAPayloadState contains an aps field which represents the current set of deduplicated and merged ASPA payloads () ordered by ascending customerASID value encoded as a SEQUENCE of ASPAPayloadSet instances. The customerASID value in each instance of ASPAPayloadSet MUST be unique with respect to other instances of ASPAPayloadSet. The ASPAPayloadSet structure is modeled after the ProviderASSet (). The hash field contains a message digest computed using the aps value (encoded in DER format) as input message.
TrustAnchorState An instance of TrustAnchorState represents the set of valid Trust Anchor (TA) Certification Authority (CA) resource certificates used by the relying party when producing the CCR. Each SubjectKeyIdentifier is the 160-bit SHA-1 hash of the value of the DER-encoded ASN.1 bit string of the TA's Subject Public Key, as described in . The skis field contains a sequence of Subject Key Identifiers (SKI) sorted in ascending order by interpreting the SKI value as an unsigned 160-bit integer. The hash field contains a message digest computed using the skis value (encoded in DER format) as input message.
RouterKeyState An instance of RouterKeyState contains an rksets field which represents the current set of valid BGPsec Router Keys encoded as a SEQUENCE of RouterKeySet instances. The asID value in each instance of RouterKeySet MUST be unique with respect to other instances of RouterKeySet. Instances of RouterKeySet are sorted by ascending value of asID. Instances of RouterKey are sorted by ascending value of ski by interpreting the SKI value as an unsigned 160-bit integer. The hash field contains a message digest computed using the rks value (encoded in DER format) as input message.
Operational Considerations Comparing the ManifestState mostRecentUpdate timestamp value with the producedAt timestamp might help offer insight into the timing and propagation delays of the RPKI supply chain. Given the absence of public keys and fairly repetitive content in RPKI AccessDescription instances, it should be noted CCR content compresses well.
Verifying CCR file integrity The integrity of a CCR object can be checked by confirming whether the hash values embedded inside state aspects match the computed hash value of the respective state aspect payload structure.
Security Considerations CCR objects are not signed objects.
IANA Considerations
SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1) IANA has allocated the following in the "SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)" registry:
Decimal Description References
54 id-ct-rpkiCanonicalCacheRepresentation draft-ietf-sidrops-rpki-ccr
RPKI Repository Name Schemes IANA is requested to add the Canonical Cache Representation file extension to the "RPKI Repository Name Schemes" registry as follows:
Filename Extension RPKI Object Reference
.ccr Canonical Cache Representation draft-ietf-sidrops-rpki-ccr
SMI Security for S/MIME Module Identifier (1.2.840.113549.1.9.16.0) IANA is requested to allocate the following in the "SMI Security for S/MIME Module Identifier (1.2.840.113549.1.9.16.0)" registry:
Decimal Description References
TBD id-mod-rpkiCCR-2025 draft-ietf-sidrops-rpki-ccr
Media Types IANA is requested to register the media type "application/rpki-ccr" in the "Media Types" registry as follows:
Canonical Cache Representation Media Type
Type name:
application
Subtype name:
rpki-ccr
Required parameters:
N/A
Optional parameters:
N/A
Encoding considerations:
binary
Security considerations:
This media type contains no active content.
Interoperability considerations:
N/A
Published specification:
draft-ietf-sidrops-rpki-ccr
Applications that use this media type:
RPKI operators
Fragment identifier considerations:
N/A
Additional information:

Content:
This media type is a RPKI Canonical Cache Representation object, as defined in draft-ietf-sidrops-rpki-ccr.
Magic number(s):
N/A
File extension(s):
.ccr
Macintosh file type code(s):
N/A
Person & email address to contact for further information:
Job Snijders (job@bsd.nl)
Intended usage:
COMMON
Restrictions on usage:
N/A
Author:
Job Snijders (job@bsd.nl)
Change controller:
IETF
 References Normative References Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. A Profile for Resource Certificate Repository Structure This document defines a profile for the structure of the Resource Public Key Infrastructure (RPKI) distributed repository. Each individual repository publication point is a directory that contains files that correspond to X.509/PKIX Resource Certificates, Certificate Revocation Lists and signed objects. This profile defines the object (file) naming scheme, the contents of repository publication points (directories), and a suggested internal structure of a local repository cache that is intended to facilitate synchronization across a distributed collection of repository publication points and to facilitate certification path construction. [STANDARDS-TRACK] A Profile for X.509 PKIX Resource Certificates This document defines a standard profile for X.509 certificates for the purpose of supporting validation of assertions of "right-of-use" of Internet Number Resources (INRs). The certificates issued under this profile are used to convey the issuer's authorization of the subject to be regarded as the current holder of a "right-of-use" of the INRs that are described in the certificate. This document contains the normative specification of Certificate and Certificate Revocation List (CRL) syntax in the Resource Public Key Infrastructure (RPKI). This document also specifies profiles for the format of certificate requests and specifies the Relying Party RPKI certificate path validation procedure. [STANDARDS-TRACK] Signed Object Template for the Resource Public Key Infrastructure (RPKI) This document defines a generic profile for signed objects used in the Resource Public Key Infrastructure (RPKI). These RPKI signed objects make use of Cryptographic Message Syntax (CMS) as a standard encapsulation format. [STANDARDS-TRACK] BGP Prefix Origin Validation To help reduce well-known threats against BGP including prefix mis- announcing and monkey-in-the-middle attacks, one of the security requirements is the ability to validate the origination Autonomous System (AS) of BGP routes. More specifically, one needs to validate that the AS number claiming to originate an address prefix (as derived from the AS_PATH attribute of the BGP route) is in fact authorized by the prefix holder to do so. This document describes a simple validation mechanism to partially satisfy this requirement. [STANDARDS-TRACK] Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Manifests for the Resource Public Key Infrastructure (RPKI) This document defines a "manifest" for use in the Resource Public Key Infrastructure (RPKI). A manifest is a signed object (file) that contains a listing of all the signed objects (files) in the repository publication point (directory) associated with an authority responsible for publishing in the repository. For each certificate, Certificate Revocation List (CRL), or other type of signed objects issued by the authority that are published at this repository publication point, the manifest contains both the name of the file containing the object and a hash of the file content. Manifests are intended to enable a relying party (RP) to detect certain forms of attacks against a repository. Specifically, if an RP checks a manifest's contents against the signed objects retrieved from a repository publication point, then the RP can detect replay attacks, and unauthorized in-flight modification or deletion of signed objects. This document obsoletes RFC 6486. A Profile for Route Origin Authorizations (ROAs) This document defines a standard profile for Route Origin Authorizations (ROAs). A ROA is a digitally signed object that provides a means of verifying that an IP address block holder has authorized an Autonomous System (AS) to originate routes to one or more prefixes within the address block. This document obsoletes RFC 6482. A Profile for Autonomous System Provider Authorization Yandex JetLend Internet Initiative Japan Vigil Security, LLC Workonline This document defines a Cryptographic Message Syntax (CMS) protected content type for Autonomous System Provider Authorization (ASPA) objects for use with the Resource Public Key Infrastructure (RPKI). An ASPA is a digitally signed object through which the issuer (the holder of an Autonomous System identifier), can authorize one or more other Autonomous Systems (ASes) as its upstream providers. When validated, an ASPA's eContent can be used for detection and mitigation of route leaks. Secure Hash Standard National Institute of Standards and Technology Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER) ITU-T Informative References The Erik Synchronization Protocol for use with the Resource Public Key Infrastructure (RPKI) BSD Software Development RIPE NCC APNIC JPNIC This document specifies the Erik Synchronization Protocol for use with the Resource Public Key Infrastructure (RPKI). Erik Synchronization can be characterized as a data replication system using Merkle trees, a content-addressable naming scheme, concurrency control using monotonically increasing sequence numbers, and HTTP transport. Relying Parties can combine information retrieved via Erik Synchronization with other RPKI transport protocols. The protocol's design is intended to be efficient, fast, easy to implement, and robust in the face of partitions or faults in the network. The rsync URI Scheme This document specifies the rsync Uniform Resource Identifier (URI) scheme. This document is not an Internet Standards Track specification; it is published for informational purposes. The RPKI Repository Delta Protocol (RRDP) In the Resource Public Key Infrastructure (RPKI), Certificate Authorities (CAs) publish certificates, including end-entity certificates, Certificate Revocation Lists (CRLs), and RPKI signed objects to repositories. Relying Parties retrieve the published information from those repositories. This document specifies a new RPKI Repository Delta Protocol (RRDP) for this purpose. RRDP was specifically designed for scaling. It relies on an Update Notification File which lists the current Snapshot and Delta Files that can be retrieved using HTTPS (HTTP over Transport Layer Security (TLS)), and it enables the use of Content Distribution Networks (CDNs) or other caching infrastructures for the retrieval of these files. BGPsec Protocol Specification This document describes BGPsec, an extension to the Border Gateway Protocol (BGP) that provides security for the path of Autonomous Systems (ASes) through which a BGP UPDATE message passes. BGPsec is implemented via an optional non-transitive BGP path attribute that carries digital signatures produced by each AS that propagates the UPDATE message. The digital signatures provide confidence that every AS on the path of ASes listed in the UPDATE message has explicitly authorized the advertisement of the route. rpki-client rpki-client
Acknowledgements The authors wish to thank and for their generous feedback on this specification.
The below is a Base64-encoded example CCR object. For a more elaborate example based on the global RPKI, see the URL in . MIIN9wYLKoZIhvcNAQkQATaggg3mMIIN4jALBglghkgBZQMEAgEYDzIwMjUxMjA0MTAzO TIyWqGCCd4wggnaMIIJozCB0QQgAn4v94Lj6dIrJVXA6nPyEXUf2KSwui6SPTq5B4TuRu ACAgfOBBSQIY6AGlMllem3HGQ2hOoF+Wv18wICBMAYDzIwMjUxMjA0MDIwMTA5WjB+MHw GCCsGAQUFBzALhnByc3luYzovL3Jwa2kucmlwZS5uZXQvcmVwb3NpdG9yeS9ERUZBVUxU LzNmLzFiNjYyNC04NDQxLTRkMDEtOTZlMy02MDE4MTJlZjQyOGIvMS9rQ0dPZ0JwVEpaW HB0eHhrTm9UcUJmbHI5Zk0ubWZ0MIHRBCACgrfBbvv/vMbbn2Ix5BHOXUqO+1b3/eDjEx kW+c8crgICCBgEFAUrhklp6WgHZImQFeFj7Od7tMt2AgILSBgPMjAyNTEyMDQxMDAwMDl aMH4wfAYIKwYBBQUHMAuGcHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBvc2l0b3J5L0RF RkFVTFQvMjQvNDc1OWY5LTdmZGYtNDkxNi1hOTk1LTY5NzBlY2Q5YTYxMC8xL0JTdUdTV 25wYUFka2laQVY0V1BzNTN1MHkzWS5tZnQwgdEEIAKDa5Xc2Ckfla7w7za0h40htY2Gv9 1o0fT/rzNm39EBAgIHzgQUZZq64rDK6GxBlrAgdluCOiAyB/wCAhdcGA8yMDI1MTIwNDA 3MDAxMFowfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRv cnkvREVGQVVMVC85Ni82OTRkOWItMGUxYy00M2FkLWFjOTgtMDJhYWM4YjU5NmRjLzEvW lpxNjRyREs2R3hCbHJBZ2RsdUNPaUF5Ql93Lm1mdDCCATsEIAKJwo+XaFAxvIQbXPID/4 mkW2UQmjHTsQcG0KokS9BKAgIJOAQU185GL3ELzfDYdT2D2OojR5RqfGECFAENDJ9DKFh IBelh+Yl+p9QFY/HcGA8yMDI1MTIwMzIyMDAwOFowgdUwgdIGCCsGAQUFBzALhoHFcnN5 bmM6Ly9ycGtpLmFyaW4ubmV0L3JlcG9zaXRvcnkvYXJpbi1ycGtpLXRhLzVlNGEyM2VhL WU4MGEtNDAzZS1iMDhjLTIxNzFkYTIxNTdkMy9kOWQxNTcyZi02Y2JiLTRjZjctYjU5OS 1lOWQwZTk4MWQ5YmYvOTk4Y2U2YzYtZGU3Ni00MDI4LWE2ZmUtZWEwM2NmZmZmYmNiLzk 5OGNlNmM2LWRlNzYtNDAyOC1hNmZlLWVhMDNjZmZmZmJjYi5tZnQwgdEEIAKLk3NcLwUp ybu+/VTVy3jDiw1XMRgMfuUg1L+DkSkrAgIIGAQUUH5YKtyTadqK6F3ZNXQBIwgcfu0CA goWGA8yMDI1MTIwNDA0MDA0M1owfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcG UubmV0L3JlcG9zaXRvcnkvREVGQVVMVC83NS82ZWQ0MzQtY2Q1MS00MTUyLWFhNDMtMDU 2YmFlMjcyODhlLzEvVUg1WUt0eVRhZHFLNkYzWk5YUUJJd2djZnUwLm1mdDCCATsEIAKM 2e5JA/52WWa71nAV9G+ChOWEv0nksETnQFPhIwvLAgIJiwQUGggBUYL46DBD52qzRc1Uc qS0zfwCFAENDJ9DKFhAc6gwUfTYJdAsiOPbGA8yMDI1MTIwMzIzMDAwM1owgdUwgdIGCC sGAQUFBzALhoHFcnN5bmM6Ly9ycGtpLmFyaW4ubmV0L3JlcG9zaXRvcnkvYXJpbi1ycGt pLXRhLzVlNGEyM2VhLWU4MGEtNDAzZS1iMDhjLTIxNzFkYTIxNTdkMy81MjFlYjMzZi05 NjcyLTRjZDktYWNjZS0xMzcyMjdlOTcxYWMvNGU4N2Q4M2YtYjUwYy00YTY1LTlkOWEtY zI4NDU4ZmMxOTc5LzRlODdkODNmLWI1MGMtNGE2NS05ZDlhLWMyODQ1OGZjMTk3OS5tZn QwggFTBCACkKcTyzxq9pGovZfaazRbYvlJhP5FrMqFdnWHLxv37QICCUcEFHa0G4uxYRm zlpyY5QtHr7bF/4JzAhQBDQyfQyhYQHOoNVDDogCyPg+0rRgPMjAyNTEyMDQwMTAwMDNa MIHVMIHSBggrBgEFBQcwC4aBxXJzeW5jOi8vcnBraS5hcmluLm5ldC9yZXBvc2l0b3J5L 2FyaW4tcnBraS10YS81ZTRhMjNlYS1lODBhLTQwM2UtYjA4Yy0yMTcxZGEyMTU3ZDMvNz ZmZTExZDQtZDM1Mi00OTk0LThmNmMtZDZjOTFiMGI4NDE1LzcyMjViNDE1LThhZTAtNDU yMy1iMzdmLTc0ZWQ3ODA2NzZhYS83MjI1YjQxNS04YWUwLTQ1MjMtYjM3Zi03NGVkNzgw Njc2YWEubWZ0MBYEFBjAkk0jHaMBlRYLJe7mMn60Awb4MIIBOwQgApKZUyrzgxwgooY27 kVNyU/GcfKMveLqnEy9eC1eSwwCAgoqBBSNdoMwkedLBIRD98SPJFBQ0ZiW9AIUAQ0Mn0 MoWEfSt9vLHRt0f4E9Bx0YDzIwMjUxMjA0MDIwMjA5WjCB1TCB0gYIKwYBBQUHMAuGgcV yc3luYzovL3Jwa2kuYXJpbi5uZXQvcmVwb3NpdG9yeS9hcmluLXJwa2ktdGEvNWU0YTIz ZWEtZTgwYS00MDNlLWIwOGMtMjE3MWRhMjE1N2QzLzY5ZmQwMTU2LWJiMWYtNDhiNi1iZ jMyLWM5NDkyMjg2ZjE5NS80YzNiYjdlNC1jOTdlLTQzYWItYTZkZC1jYmYwZTY0MzRjNW IvNGMzYmI3ZTQtYzk3ZS00M2FiLWE2ZGQtY2JmMGU2NDM0YzViLm1mdDCCATsEIAKTgAc MIFK5KQy6hB+48lt24P5LOju8QSUJXNjqOozwAgIJOAQUuR/cF6KhF1ZW51AnlhafP7ra GygCFAENDJ9DKFhEouhGggdtM1PWJqI7GA8yMDI1MTIwNDA5MDAwOFowgdUwgdIGCCsGA QUFBzALhoHFcnN5bmM6Ly9ycGtpLmFyaW4ubmV0L3JlcG9zaXRvcnkvYXJpbi1ycGtpLX RhLzVlNGEyM2VhLWU4MGEtNDAzZS1iMDhjLTIxNzFkYTIxNTdkMy80YWI3YWU0ZC1iZDd iLTRiMzMtOWE4OC01YjIyZDJhODMzN2QvNmY0ZDhlNmItZTY2ZS00NmY5LThlZjItZjJk YTE5ODFjYmNhLzZmNGQ4ZTZiLWU2NmUtNDZmOS04ZWYyLWYyZGExOTgxY2JjYS5tZnQYD zIwMjUxMjA0MTAwMDA5WgQgaNOQqYiZBV7B7dtdF6T9PhQFyhn6h97ab7mkUePReaaigg HeMIIB2jCCAbQwZAIBBzBfMEgEAgABMEIwCQMEAMAjXgIBIDAJAwQAwEMrAgEgMAkDBAD CIEUCASAwCQMEAcIg2gIBIDAJAwQAwiKKAgEgMAkDBAHCPVwCASAwEwQCAAIwDTALAwUD Kgs7QAICAIAwgZsCAiBbMIGUMHYEAgABMHAwBgMEAFvQIjAGAwQAXo7wMAYDBANejvAwB gMEAF6O8TAGAwQAXo7yMAYDBABejvQwBgMEAF6O9TAGAwQAXo72MAYDBABejvcwBgMEAL k04DAGAwQCuTTgMAYDBAC5NOEwBgMEALk04jAGAwQAuTTjMBoEAgACMBQwCQMHACABBng GiDAHAwUAKgIImDCBrQICPMowgaYwVwQCAAEwUTAGAwQAQ931MAYDBACl/uEwCQMEAKX+ /wIBIDAGAwQAwJOoMAkDBAHGOgICARgwCQMEAcwCHgIBGDAGAwQA0RgBMAYDBADRGAUwB gMEANEYCTBLBAIAAjBFMAwDBwEgAQQYFE4CAUAwCQMHACABBnwgjDAJAwcAIAEHKBgIMA kDBwAmB/rgAkUwCQMHACoOskAAADAJAwcAKg6yQAEYBCDQKq45jwi7kIlRM6oQqIdw8Ck 6H0Wn23dFazmtj/S28KOBjDCBiTBlMAoCAghJMAQCAg0FMAkCAhGMMAMCAQAwDwICEfkw CQICIGoCAwDjAzAjAgIZGDAdAgIArgICBPkCAgUTAgIZPQICGmoCAhquAgMCJ4kwFgICG ncwEAICAK4CAhg8AgIbGwICMuYEICz1Hxj/8Ur8yZsJDt5IGPn/pGKgaURkFZUkoheP7O iDpFIwUDAsBBQT1PJPmp/NmNs2+TBjGAjIjzl0vAQU6FUrH9bRpPfkBMbY5WgNHrwWP8M EIKHmyNKlH4f3f7a1i6qTkZmQEBEAqGEA/uH4coZH5qAMpYIBGTCCARUwgfAwge0CAjzK MIHmMHEEFF1CUOLYHURI2KKe/OkdKf8HXsniMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQ gAEgFcjQ/g//LAQerAH2Mpp+GucoDAGBbhIqD33wNPsXxnAGb+mtZ7XQrVO9DQ6UlASht ig5+QfEKpTtFgiqfiAFTBxBBS+iJtV0Lc3OX11xJ9IW4WPqYrRHzBZMBMGByqGSM49AgE GCCqGSM49AwEHA0IABOBcSa9J9m7sdbl9RL5fkFsGWLyGnT4y7hV9psairgBlISp6+1Sy w4KxPvpfaeXh9pFkzVQDdthVFN3W/0SqRNsEILpftEnO+2ugDzYSeWKi7qboZ/6FErvdr enG5Li8FsHS It decodes as follows: =============== NOTE: '\' line wrapping per RFC 8792 ================ File: example.ccr Hash identifier: wHMUl0+oVEBXXPPxp+0XUhaHaNb2phSO0dScm+emGx8= CCR produced at: Thu 04 Dec 2025 10:39:22 +0000 Manifest state hash: NjhEMzkwQTk4ODk5MDU1RUMxRUREQjVEMTdBNEZEM0U= Manifest last update: Thu 04 Dec 2025 10:00:09 +0000 Manifest instances: hash:An4v94Lj6dIrJVXA6nPyEXUf2KSwui6SPTq5B4T\ uRuA= size:1998 aki:90218E801A532595E9B71C643684EA05F96BF5F3 seqnum:\ 04C0 thisupdate:1764813669 sia:rsync://rpki.ripe.net/repository/DEFA\ ULT/3f/1b6624-8441-4d01-96e3-601812ef428b/1/kCGOgBpTJZXptxxkNoTqBflr\ 9fM.mft hash:AoK3wW77/7zG259iMeQRzl1KjvtW9/3g4xMZFvn\ PHK4= size:2072 aki:052B864969E9680764899015E163ECE77BB4CB76 seqnum:\ 0B48 thisupdate:1764842409 sia:rsync://rpki.ripe.net/repository/DEFA\ ULT/24/4759f9-7fdf-4916-a995-6970ecd9a610/1/BSuGSWnpaAdkiZAV4WPs53u0\ y3Y.mft hash:AoNrldzYKR+VrvDvNrSHjSG1jYa/3WjR9P+vM2b\ f0QE= size:1998 aki:659ABAE2B0CAE86C4196B020765B823A203207FC seqnum:\ 175C thisupdate:1764831610 sia:rsync://rpki.ripe.net/repository/DEFA\ ULT/96/694d9b-0e1c-43ad-ac98-02aac8b596dc/1/ZZq64rDK6GxBlrAgdluCOiAy\ B_w.mft hash:AonCj5doUDG8hBtc8gP/iaRbZRCaMdOxBwbQqiR\ L0Eo= size:2360 aki:D7CE462F710BCDF0D8753D83D8EA2347946A7C61 seqnum:\ 010D0C9F4328584805E961F9897EA7D40563F1DC thisupdate:1764799208 sia:r\ sync://rpki.arin.net/repository/arin-rpki-ta/5e4a23ea-e80a-403e-b08c\ -2171da2157d3/d9d1572f-6cbb-4cf7-b599-e9d0e981d9bf/998ce6c6-de76-402\ 8-a6fe-ea03cffffbcb/998ce6c6-de76-4028-a6fe-ea03cffffbcb.mft hash:AouTc1wvBSnJu779VNXLeMOLDVcxGAx+5SDUv4O\ RKSs= size:2072 aki:507E582ADC9369DA8AE85DD935740123081C7EED seqnum:\ 0A16 thisupdate:1764820843 sia:rsync://rpki.ripe.net/repository/DEFA\ ULT/75/6ed434-cd51-4152-aa43-056bae27288e/1/UH5YKtyTadqK6F3ZNXQBIwgc\ fu0.mft hash:AozZ7kkD/nZZZrvWcBX0b4KE5YS/SeSwROdAU+E\ jC8s= size:2443 aki:1A08015182F8E83043E76AB345CD5472A4B4CDFC seqnum:\ 010D0C9F4328584073A83051F4D825D02C88E3DB thisupdate:1764802803 sia:r\ sync://rpki.arin.net/repository/arin-rpki-ta/5e4a23ea-e80a-403e-b08c\ -2171da2157d3/521eb33f-9672-4cd9-acce-137227e971ac/4e87d83f-b50c-4a6\ 5-9d9a-c28458fc1979/4e87d83f-b50c-4a65-9d9a-c28458fc1979.mft hash:ApCnE8s8avaRqL2X2ms0W2L5SYT+RazKhXZ1hy8\ b9+0= size:2375 aki:76B41B8BB16119B3969C98E50B47AFB6C5FF8273 seqnum:\ 010D0C9F4328584073A83550C3A200B23E0FB4AD thisupdate:1764810003 sia:r\ sync://rpki.arin.net/repository/arin-rpki-ta/5e4a23ea-e80a-403e-b08c\ -2171da2157d3/76fe11d4-d352-4994-8f6c-d6c91b0b8415/7225b415-8ae0-452\ 3-b37f-74ed780676aa/7225b415-8ae0-4523-b37f-74ed780676aa.mft subordi\ nates:18C0924D231DA30195160B25EEE6327EB40306F8 hash:ApKZUyrzgxwgooY27kVNyU/GcfKMveLqnEy9eC1\ eSww= size:2602 aki:8D76833091E74B048443F7C48F245050D19896F4 seqnum:\ 010D0C9F43285847D2B7DBCB1D1B747F813D071D thisupdate:1764813729 sia:r\ sync://rpki.arin.net/repository/arin-rpki-ta/5e4a23ea-e80a-403e-b08c\ -2171da2157d3/69fd0156-bb1f-48b6-bf32-c9492286f195/4c3bb7e4-c97e-43a\ b-a6dd-cbf0e6434c5b/4c3bb7e4-c97e-43ab-a6dd-cbf0e6434c5b.mft hash:ApOABwwgUrkpDLqEH7jyW3bg/ks6O7xBJQlc2Oo\ 6jPA= size:2360 aki:B91FDC17A2A1175656E7502796169F3FBADA1B28 seqnum:\ 010D0C9F43285844A2E84682076D3353D626A23B thisupdate:1764838808 sia:r\ sync://rpki.arin.net/repository/arin-rpki-ta/5e4a23ea-e80a-403e-b08c\ -2171da2157d3/4ab7ae4d-bd7b-4b33-9a88-5b22d2a8337d/6f4d8e6b-e66e-46f\ 9-8ef2-f2da1981cbca/6f4d8e6b-e66e-46f9-8ef2-f2da1981cbca.mft ROA payload state hash: RDAyQUFFMzk4RjA4QkI5MDg5NTEzM0FBMTBBODg3NzA= ROA payload entries: 192.35.94.0/24-32 AS 7 192.67.43.0/24-32 AS 7 194.32.69.0/24-32 AS 7 194.32.218.0/23-32 AS 7 194.34.138.0/24-32 AS 7 194.61.92.0/23-32 AS 7 2a0b:3b40::/29-128 AS 7 91.208.34.0/24 AS 8283 94.142.240.0/24 AS 8283 94.142.240.0/21 AS 8283 94.142.241.0/24 AS 8283 94.142.242.0/24 AS 8283 94.142.244.0/24 AS 8283 94.142.245.0/24 AS 8283 94.142.246.0/24 AS 8283 94.142.247.0/24 AS 8283 185.52.224.0/24 AS 8283 185.52.224.0/22 AS 8283 185.52.225.0/24 AS 8283 185.52.226.0/24 AS 8283 185.52.227.0/24 AS 8283 2001:678:688::/48 AS 8283 2a02:898::/32 AS 8283 67.221.245.0/24 AS 15562 165.254.225.0/24 AS 15562 165.254.255.0/24-32 AS 15562 192.147.168.0/24 AS 15562 198.58.2.0/23-24 AS 15562 204.2.30.0/23-24 AS 15562 209.24.1.0/24 AS 15562 209.24.5.0/24 AS 15562 209.24.9.0/24 AS 15562 2001:418:144e::/47-64 AS 15562 2001:67c:208c::/48 AS 15562 2001:728:1808::/48 AS 15562 2607:fae0:245::/48 AS 15562 2a0e:b240::/48 AS 15562 2a0e:b240:118::/48 AS 15562 ASPA payload state hash:MkNGNTFGMThGRkYxNEFGQ0M5OUIwOTBFREU0ODE4Rjk= ASPA payload entries: customer: 2121 providers: 3333 customer: 4492 providers: 0 customer: 4601 providers: 8298, 58115 customer: 6424 providers: 174, 1273, 1299, 6\ 461, 6762, 6830, 141193 customer: 6775 providers: 174, 6204, 6939, 1\ 3030 Trust anchor state hash:QTFFNkM4RDJBNTFGODdGNzdGQjZCNThCQUE5MzkxOTk= Trust anchor keyids: 13D4F24F9A9FCD98DB36F930631808C88F3974BC, E8\ 552B1FD6D1A4F7E404C6D8E5680D1EBC163FC3 Router key state hash: QkE1RkI0NDlDRUZCNkJBMDBGMzYxMjc5NjJBMkVFQTY= Router keys: asid:15562 ski:5D4250E2D81D4448D8A29EFCE91D2\ 9FF075EC9E2 pubkey:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgFcjQ/g//LAQe\ rAH2Mpp+GucoDAGBbhIqD33wNPsXxnAGb+mtZ7XQrVO9DQ6UlAShtig5+QfEKpTtFgiq\ fiAFQ== asid:15562 ski:BE889B55D0B737397D75C49F485B8\ 58FA98AD11F pubkey:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4FxJr0n2bux1u\ X1Evl+QWwZYvIadPjLuFX2mxqKuAGUhKnr7VLLDgrE++l9p5eH2kWTNVAN22FUU3db/R\ KpE2w== Validation: N/A
Implementation status This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in RFC 7942. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist. According to RFC 7942, "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit".
  • Example .ccr files were created by Job Snijders. A current example CCR (regenerated every few minutes) is available here:
  • A CCR serializer and deserializer implementation based on was provided by Job Snijders and Theo Buehler.
  • Another CCR serializer and deserializer implementation based on was provided by Job Snijders.