Ola!
Rpki-client 9.6 has a new feature that seems useful for the kartograf project: CCR manifest state hash and CCR ROA payloads hash (displayed in the JSON output and as a log message on the console at the end of the program's execution).
CCR stands for Canonical Cache Representation: https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rpki-ccr
The core idea is that by using a deterministic canonical way to represent the state of the validated cache, it is easier to compare the state of different validator instances with each other (different validator runs across points in time, or validators on different computers).
The two hashes that seem relevant for the project are the CCR manifest hash and ROA payload hash. The first one is the head of a Merkle tree that represents the entire "physical" state of all the files in the validated cache directory. The second (ROA) hash is a hash over the deduplicated Prefix<>ASN tuples that are the payload of the ROAs.
If an RPKI CA resigns a CRL but doesn't change any ROAs, then the Manifest hash will change but not the ROA hash. If an RPKI CA adds or removes a prefix entry in a ROA then both hashes will change. These hashes should make it easier to recognize whether the "form" or the "substance" of the RPKI changed between two runs.
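A toy illustration of the "form vs. substance" distinction, added here and not code from rpki-client, kartograf or the CCR draft: a simplified cache model (plain path/bytes pairs and prefix/maxlen/ASN tuples instead of the draft's canonical encoding) shows that resigning a CRL moves only the Merkle-style manifest state hash, while adding a prefix moves both. All file names, contents and hash constructions below are constructed assumptions.

```python
import hashlib
from typing import Dict, Iterable, Tuple

# Constructed toy model of a validated cache: path -> object bytes.
# Not the CCR draft's ASN.1 encoding; a simplified illustration of the idea.
CacheFiles = Dict[str, bytes]
Vrp = Tuple[str, int, int]  # (prefix, max_length, asn)


def manifest_state_hash(files: CacheFiles) -> str:
    """Head of a binary Merkle tree over (path, content) leaves sorted by path,
    so the same set of files yields the same root regardless of insertion order."""
    leaves = [hashlib.sha256(p.encode() + b"\0" + files[p]).digest() for p in sorted(files)]
    if not leaves:
        return hashlib.sha256(b"").hexdigest()
    while len(leaves) > 1:
        if len(leaves) % 2:  # duplicate the last node on odd layers
            leaves.append(leaves[-1])
        leaves = [hashlib.sha256(leaves[i] + leaves[i + 1]).digest()
                  for i in range(0, len(leaves), 2)]
    return leaves[0].hex()


def roa_payload_hash(vrps: Iterable[Vrp]) -> str:
    """Hash over the deduplicated, canonically ordered prefix/maxlen/ASN tuples
    carried by the validated ROAs; file-level churn (resigned CRLs) does not affect it."""
    h = hashlib.sha256()
    for prefix, maxlen, asn in sorted(set(vrps)):
        h.update(f"{prefix}-{maxlen} AS{asn}\n".encode())
    return h.hexdigest()


def what_changed(run_a, run_b) -> Tuple[bool, bool]:
    """(form_changed, substance_changed) between two (files, vrps) runs."""
    return (manifest_state_hash(run_a[0]) != manifest_state_hash(run_b[0]),
            roa_payload_hash(run_a[1]) != roa_payload_hash(run_b[1]))


# Constructed sample runs (hypothetical file names and contents)
BASE_FILES = {"ta.cer": b"TA", "ca.crl": b"CRL serial=1", "a.roa": b"ROA 10.0.0.0/8 AS64496"}
BASE_VRPS = [("10.0.0.0/8", 8, 64496), ("10.0.0.0/8", 8, 64496)]  # duplicate on purpose
RUN_1 = (BASE_FILES, BASE_VRPS)
RUN_2 = ({**BASE_FILES, "ca.crl": b"CRL serial=2"}, BASE_VRPS)  # CRL resigned only
RUN_3 = ({**BASE_FILES, "a.roa": b"ROA 10.0.0.0/8 AS64496 + 192.0.2.0/24 AS64496"},
         BASE_VRPS + [("192.0.2.0/24", 24, 64496)])  # prefix added

if __name__ == "__main__":
    print("CRL resigned:", what_changed(RUN_1, RUN_2))  # (True, False)
    print("prefix added:", what_changed(RUN_1, RUN_3))  # (True, True)
```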