idnits 2.17.1 

draft-ymbk-rpki-grandparenting-04.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  -- The document has an IETF Trust Provisions (28 Dec 2009) Section 6.c(ii)
     Publication Limitation clause.  If this document is intended for
     submission to the IESG for publication, this constitutes an error.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 2 instances of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be changed.

  == There are 1 instance of lines with private range IPv4 addresses in the
     document.  If these are generic example addresses, they should be changed
     to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x,
     198.51.100.x or 203.0.113.x.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (February 4, 2014) is 3731 days in the past.  Is this
     intentional?


  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  == Outdated reference: A later version (-21) exists of
     draft-ietf-sidr-bgpsec-pki-profiles-04


     Summary: 0 errors (**), 0 flaws (~~), 4 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
--------------------------------------------------------------------------------


2	Network Working Group                                            R. Bush
3	Internet-Draft                                 Internet Initiative Japan
4	Intended status: Informational                          February 4, 2014
5	Expires: August 8, 2014

7	                 Responsible Grandparenting in the RPKI
8	                   draft-ymbk-rpki-grandparenting-04

10	Abstract

12	   There are circumstances in RPKI operations where a resource holder's
13	   parent may not be able to, or may not choose to, facilitate full and
14	   proper registration of the holder's data.  As in real life, the
15	   holder may form a relationship with their grandparent who is willing
16	   to aid the grandchild.  This document describes simple procedures for
17	   doing so.

19	Status of This Memo

21	   This Internet-Draft is submitted in full conformance with the
22	   provisions of BCP 78 and BCP 79.

24	   Internet-Drafts are working documents of the Internet Engineering
25	   Task Force (IETF).  Note that other groups may also distribute
26	   working documents as Internet-Drafts.  The list of current Internet-
27	   Drafts is at http://datatracker.ietf.org/drafts/current/.

29	   Internet-Drafts are draft documents valid for a maximum of six months
30	   and may be updated, replaced, or obsoleted by other documents at any
31	   time.  It is inappropriate to use Internet-Drafts as reference
32	   material or to cite them other than as "work in progress."

34	   This Internet-Draft will expire on August 8, 2014.

36	Copyright Notice

38	   Copyright (c) 2014 IETF Trust and the persons identified as the
39	   document authors.  All rights reserved.

41	   This document is subject to BCP 78 and the IETF Trust's Legal
42	   Provisions Relating to IETF Documents
43	   (http://trustee.ietf.org/license-info) in effect on the date of
44	   publication of this document.  Please review these documents
45	   carefully, as they describe your rights and restrictions with respect
46	   to this document.  Code Components extracted from this document must
47	   include Simplified BSD License text as described in Section 4.e of
48	   the Trust Legal Provisions and are provided without warranty as
49	   described in the Simplified BSD License.

51	   This document may not be modified, and derivative works of it may not
52	   be created, and it may not be published except as an Internet-Draft.

54	Table of Contents

56	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
57	   2.  Suggested Reading . . . . . . . . . . . . . . . . . . . . . .   3
58	   3.  What to Do  . . . . . . . . . . . . . . . . . . . . . . . . .   3
59	   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   3
60	   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   4
61	   6.  Informative References  . . . . . . . . . . . . . . . . . . .   4
62	   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   4

64	1.  Introduction

66	   There are circumstances in RPKI operations where a resource holder's
67	   parent may not be able to, or may not choose to, facilitate full and
68	   proper registration of the holder's data.  As in real life, the
69	   holder may form a relationship with their grandparent who is willing
70	   to aid the grandchild.  This document describes simple procedures for
71	   doing so.

73	   An example might be when provider A allowed a child, C, to move to
74	   other provider(s) and keep their address space, either temporarily or
75	   permanently, and C's child, G, wished to stay with provider A.

77	   Or a child, C, in the process of going out of business might place
78	   their grandchildren in precarious circumstances until they can re-
79	   home.  The grandparent, without disturbing the child's data, could
80	   simply issue ROAs for the grandchildren, or issue certificates for
81	   those willing to manage their own rpki data.

83	   Certification Authorities with a large number of children, e.g.  very
84	   large ISPs or RIRs, might offer documented grandparenting processes
85	   and/or agreements.  This might reassure grandchildren with worries
86	   about irresponsible parents.

88	   Other examples occur in administrative hierarchies, such as large
89	   organizations or military and other government hierarchies, when A's
90	   child C wishes to manage their own data but does not wish the
91	   technical or administrative burden of managing their children's, Gs',
92	   data.

94	2.  Suggested Reading

96	   It is assumed that the reader understands the RPKI, see [RFC6480],
97	   ROAs, see [RFC6482], BGPSEC Router Certificates, see
98	   [I-D.ietf-sidr-bgpsec-pki-profiles], and the operational guidance for
99	   origin validation, [RFC7115].

101	3.  What to Do

103	   A hypothetical example might be that A has the rights to 10.0.0.0/8,
104	   has delegated 10.42.0.0/16 to their child C, who delegated 10.42.2.0/
105	   23 to their child G.  C has changed providers and kept, with A's
106	   consent, 10.42.0.0/16, but G wishes to stay with A and keep 10.42.2.0
107	   /23.

109	   Perhaps there are also AS resources involved, and G wishes to issue
110	   Router Certificates for their AS(s).

112	   Managing RPKI data in such relationships is simple, but should be
113	   done carefully.

115	   First, using whatever administrative and/or contractual procedures
116	   are appropriate in the local hierarchy, the grandparent, A, should
117	   ensure their relationship to the grandchild, G, and that G has the
118	   right to the resources which they wish to have registered.  These are
119	   local matters between A and G.

121	   Although A has the rights over their child's, C's, resources, it
122	   would be prudent and polite to ensure that C agrees to A forming a
123	   relationship to G.  Again, these are local matters between A, C, and
124	   G.  Often, no one outside of one of these bi-lateral relationships
125	   actually knows the agreement between the parties.

127	   Then, it is trivial within the RPKI for A to certify G's data, even
128	   though it is a subset of the resources A delegated to C.  A may
129	   certify G's resources, or issue one or more EE certificates and ROAs
130	   for G's resources.  Which is done is a local matter between A and G.

132	4.  Security Considerations

134	   This operational practice presents no technical security threats
135	   beyond those of the relevant RPKI specifications.

137	   There are threats of social engineering by G, lying to A about their
138	   relationship to and rights gained from C.

140	   There are also threats of social engineering by C, attempting to
141	   prevent A from giving rights to G which G legitimately deserves.

143	5.  IANA Considerations

145	   This document has no IANA Considerations.

147	6.  Informative References

149	   [I-D.ietf-sidr-bgpsec-pki-profiles]
150	              Reynolds, M., Turner, S., and S. Kent, "A Profile for
151	              BGPSEC Router Certificates, Certificate Revocation Lists,
152	              and Certification Requests", draft-ietf-sidr-bgpsec-pki-
153	              profiles-04 (work in progress), October 2012.

155	   [RFC6480]  Lepinski, M. and S. Kent, "An Infrastructure to Support
156	              Secure Internet Routing", RFC 6480, February 2012.

158	   [RFC6482]  Lepinski, M., Kent, S., and D. Kong, "A Profile for Route
159	              Origin Authorizations (ROAs)", RFC 6482, February 2012.

161	   [RFC7115]  Bush, R., "Origin Validation Operation Based on the
162	              Resource Public Key Infrastructure (RPKI)", BCP 185, RFC
163	              7115, January 2014.

165	Author's Address

167	   Randy Bush
168	   Internet Initiative Japan
169	   5147 Crystal Springs
170	   Bainbridge Island, Washington  98110
171	   US

173	   Email: randy@psg.com