9.0 KiB
9.0 KiB
10. SLURM(Simplified Local Internet Number Resource Management with the RPKI)
10.1 对象定位
SLURM是一个JSON文件,允许 RPKI 依赖方在本地“覆盖/修正/忽略”来自上游RPKI数据的内容,而不需要修改或伪造原始RPKI对象。
10.2 数据格式 (RFC 8416 §3)
SLURM
SLURM是一个只包含一个JSON对象的文件。格式要求如下(RFC 8416 §3.2):
A SLURM file consists of a single JSON object containing the
following members:
o A "slurmVersion" member that MUST be set to 1, encoded as a number
o A "validationOutputFilters" member (Section 3.3), whose value is
an object. The object MUST contain exactly two members:
* A "prefixFilters" member, whose value is described in
Section 3.3.1.
* A "bgpsecFilters" member, whose value is described in
Section 3.3.2.
o A "locallyAddedAssertions" member (Section 3.4), whose value is an
object. The object MUST contain exactly two members:
* A "prefixAssertions" member, whose value is described in
Section 3.4.1.
* A "bgpsecAssertions" member, whose value is described in
Section 3.4.2.
一个空的SLURM json结构体如下:
{
"slurmVersion": 1,
"validationOutputFilters": {
"prefixFilters": [],
"bgpsecFilters": []
},
"locallyAddedAssertions": {
"prefixAssertions": [],
"bgpsecAssertions": []
}
}
prefixFilters
其中prefixFilters格式要求如下(RFC 8416 §3.3.1):
The above is expressed as a value of the "prefixFilters" member, as
an array of zero or more objects. Each object MUST contain either 1)
one of the following members or 2) one of each of the following
members.
o A "prefix" member, whose value is a string representing either an
IPv4 prefix (see Section 3.1 of [RFC4632]) or an IPv6 prefix (see
[RFC5952]).
o An "asn" member, whose value is a number.
In addition, each object MAY contain one optional "comment" member,
whose value is a string.
示例:
"prefixFilters": [
{
"prefix": "192.0.2.0/24",
"comment": "All VRPs encompassed by prefix"
},
{
"asn": 64496,
"comment": "All VRPs matching ASN"
},
{
"prefix": "198.51.100.0/24",
"asn": 64497,
"comment": "All VRPs encompassed by prefix, matching ASN"
}
]
bgpsecFilters
bgpsecFilters格式要求如下(RFC 8416 §3.3.2)
The above is expressed as a value of the "bgpsecFilters" member, as
an array of zero or more objects. Each object MUST contain one of
either, or one each of both following members:
o An "asn" member, whose value is a number
o An "SKI" member, whose value is the Base64 encoding without
trailing ’=’ (Section 5 of [RFC4648]) of the certificate’s Subject
Key Identifier as described in Section 4.8.2 of [RFC6487]. (This
is the value of the ASN.1 OCTET STRING without the ASN.1 tag or
length fields.)
In addition, each object MAY contain one optional "comment" member,
whose value is a string.
示例:
"bgpsecFilters": [
{
"asn": 64496,
"comment": "All keys for ASN"
},
{
"SKI": "<Base 64 of some SKI>",
"comment": "Key matching Router SKI"
},
{
"asn": 64497,
"SKI": "<Base 64 of some SKI>",
"comment": "Key for ASN 64497 matching Router SKI"
}
]
prefixAssertions
prefixAssertions格式要求如下(RFC 8416 §3.4.1)
The above is expressed as a value of the "prefixAssertions" member,
as an array of zero or more objects. Each object MUST contain one of
each of the following members:
o A "prefix" member, whose value is a string representing either an
IPv4 prefix (see Section 3.1 of [RFC4632]) or an IPv6 prefix (see
[RFC5952]).
o An "asn" member, whose value is a number.
In addition, each object MAY contain one of each of the following
members:
o A "maxPrefixLength" member, whose value is a number.
o A "comment" member, whose value is a string.
示例:
"prefixAssertions": [
{
"asn": 64496,
"prefix": "198.51.100.0/24",
"comment": "My other important route"
},
{
"asn": 64496,
"prefix": "2001:DB8::/32",
"maxPrefixLength": 48,
"comment": "My other important de-aggregated routes"
}
]
bgpsecAssertions
bgpsecAssertions格式要求如下(RFC 8416 §3.4.2)
The above is expressed as a value of the "bgpsecAssertions" member,
as an array of zero or more objects. Each object MUST contain one
each of all of the following members:
o An "asn" member, whose value is a number.
o An "SKI" member, whose value is the Base64 encoding without
trailing ’=’ (Section 5 of [RFC4648]) of the certificate’s Subject
Key Identifier as described in Section 4.8.2 of [RFC6487] (This is
the value of the ASN.1 OCTET STRING without the ASN.1 tag or
length fields.)
o A "routerPublicKey" member, whose value is the Base64 encoding
without trailing ’=’ (Section 5 of [RFC4648]) of the equivalent to
the subjectPublicKeyInfo value of the router certificate’s public
key, as described in [RFC8208]. This is the full ASN.1 DER
encoding of the subjectPublicKeyInfo, including the ASN.1 tag and
length values of the subjectPublicKeyInfo SEQUENCE.
示例:
"bgpsecAssertions": [
{
"asn": 64496,
"SKI": "<some base64 SKI>",
"routerPublicKey": "<some base64 public key>",
"comment": "My known key for my important ASN"
}
]
10.3 抽象数据结构
SLURM
| 字段 | 类型 | 语义 | 约束/解析规则 | RFC 引用 |
|---|---|---|---|---|
| slurm_version | number | SLURM版本 | 版本必须为1 | RFC 8416 §3.2 |
| validation_output_filters | ValidationOutputFilter | 过滤条件 | ||
| locally_added_assertions | LocallyAddedAssertions | 本地添加断言 |
ValidationOutputFilter
| 字段 | 类型 | 语义 | 约束/解析规则 | RFC 引用 |
|---|---|---|---|---|
| prefix_filters | Vec | 前缀过滤 | 可以为空数组 | RFC 8416 §3.3 |
| bgpsec_filters | Vec | BGPsec过滤 | 可以为空数组 | RFC 8416 §3.3 |
LocallyAddedAssertions
| 字段 | 类型 | 语义 | 约束/解析规则 | RFC 引用 |
|---|---|---|---|---|
| prefix_assertions | Vec | 前缀断言 | 可以为空数组 | RFC 8416 §3.4 |
| bgpsec_assertions | Vec | BGPsec断言 | 可以为空数组 | RFC 8416 §3.4 |
PrefixFilter
| 字段 | 类型 | 语义 | 约束/解析规则 | RFC 引用 |
|---|---|---|---|---|
| prefix | string | 前缀 | IPv4前缀或IPv6前缀,prefix和asn至少存在一个 | RFC 8416 §3.3.1 |
| asn | number | ASN | prefix和asn至少存在一个 | RFC 8416 §3.3.1 |
| comment | string | 备注说明 | 可选字段 | RFC 8416 §3.3.1 |
BgpsecFilter
| 字段 | 类型 | 语义 | 约束/解析规则 | RFC 引用 |
|---|---|---|---|---|
| asn | number | ASN | prefix和asn至少存在一个 | RFC 8416 §3.3.1 |
| ski | u8 | 证书的SKI | RFC 8416 §3.3.1 | |
| comment | string | 备注说明 | 可选字段 | RFC 8416 §3.3.1 |
PrefixAssertion
| 字段 | 类型 | 语义 | 约束/解析规则 | RFC 引用 |
|---|---|---|---|---|
| prefix | string | 前缀 | IPv4前缀或IPv6前缀 | RFC 8416 §3.4.1 |
| asn | number | ASN | RFC 8416 §3.4.1 | |
| max_prefix_length | number | 最大前缀长度 | 可选字段 | RFC 8416 §3.4.1 |
| comment | string | 备注说明 | 可选字段 | RFC 8416 §3.4.1 |
BgpsecAssertion
| 字段 | 类型 | 语义 | 约束/解析规则 | RFC 引用 |
|---|---|---|---|---|
| asn | number | ASN | prefix和asn至少存在一个 | RFC 8416 §3.4.2 |
| ski | u8 | 证书的SKI | RFC 8416 §3.4.2 | |
| router_public_key | u8 | 证书的SKI | RFC 8416 §3.4.2 | |
| comment | string | 备注说明 | 可选字段 | RFC 8416 §3.4.2 |
注:BGPsec部分可以在第一版考虑先留空