Network Working Group                                            R. Bush
Internet-Draft                                 Internet Initiative Japan
Intended status: Informational                                R. Austein
Expires: June 14, 2014                              Dragon Research Labs
                                                                K. Patel
                                                           Cisco Systems
                                                              H. Gredler
                                                  Juniper Networks, Inc.
                                                            M. Waehlisch
                                                               FU Berlin
                                                       December 11, 2013

                    RPKI Router Implementation Report
                     draft-ietf-sidr-rpki-rtr-impl-05

Abstract

   This document is an implementation report for the RPKI Router
   protocol as defined in [RFC6810].  The editor did not verify the
   accuracy of the information provided by respondents.  The respondents
   are experts with the implementations they reported on, and their
   responses are considered authoritative for the implementations their
   responses represent.  Respondents were asked to only use the YES
   answer if the feature had at least been tested in the lab.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 14, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Implementation Forms
   3.  Protocol Data Units
   4.  Protocol Sequence
   5.  Protocol Transport
   6.  Error Codes
   7.  Incremental Updates Support
   8.  Session ID Support
   9.  Incremental Session Startup Support
   10. Interoperable Implementations
       10.1.  Cisco Implementation
       10.2.  Juniper Implementation
       10.3.  rpki.net Implementation
       10.4.  RIPE NCC Implementation
       10.5.  RTRlib Implementation
       10.6.  BBN RPSTIR Implementation
   11. IANA Considerations
   12. Security Considerations
   13. Acknowledgements
   14. Normative References
   Authors' Addresses

1.  Introduction

   In order to formally validate the origin Autonomous Systems (ASs) of
   BGP announcements, routers need a simple but reliable mechanism to
   receive Resource Public Key Infrastructure (RPKI) [RFC6810] prefix
   origin data from a trusted cache.  The RPKI Router protocol defined
   in [RFC6810] provides a mechanism to deliver validated prefix origin
   data to routers.

   This document provides an implementation report for the RPKI Router
   protocol as defined in RFC 6810 [RFC6810].

   The editor did not verify the accuracy of the information provided by
   respondents, nor verify it by any alternative means.  The respondents
   are experts with the implementations they reported on, and their
   responses are considered authoritative for the implementations their
   responses represent.  Respondents were asked to only use the YES
   answer if the feature had at least been tested in the lab.

2.  Implementation Forms

   Contact and implementation information for the person filling out
   each form:

   IOS
      Name: Keyur Patel
      Email: keyupate@cisco.com
      Vendor: Cisco Systems, Inc.
      Release: IOS
      Protocol Role: Client

   XR
      Name: Forhad Ahmed
      Email: foahmed@cisco.com
      Vendor: Cisco Systems, Inc.
      Release: IOS-XR
      Protocol Role: Client

   JUNOS
      Name: Hannes Gredler
      Email: hannes@juniper.net
      Vendor: Juniper Networks, Inc.
      Release: JUNOS
      Protocol Role: Client

   rpki.net
      Name: Rob Austein
      Email: sra@hactrn.net
      Vendor: rpki.net project
      Release: http://subvert-rpki.hactrn.net/trunk/
      Protocol Role: Client, Server

   NCC
      Name: Tim Bruijnzeels
      Email: tim@ripe.net
      Vendor: RIPE NCC
      Release: RIPE NCC validator-app 2.0.0
               https://github.com/RIPE-NCC/rpki-validator
      Protocol Role: Server

   RTRlib
      Name: Fabian Holler, Matthias Waehlisch
      Email: waehlisch@ieee.org
      Vendor: HAW Hamburg, FU Berlin, RTRlib project
      Release: RTRlib 0.2 http://rpki.realmv6.org/
      Protocol Role: Client

   BBN
      Name: David Mandelberg, Andrew Chi
      Email: dmandelb@bbn.com
      Vendor: Raytheon/BBN Technologies
      Release: RPSTIR 0.2 http://sourceforge.net/projects/rpstir/
      Protocol Role: Server

3.  Protocol Data Units

   Does the implementation support the Protocol Data Units (PDUs)
   described in Section 5 of [RFC6810]?
   P0: Serial Notify

   P1: Serial Query

   P2: Reset Query

   P3: Cache Response

   P4: IPv4 Prefix

   P6: IPv6 Prefix

   P7: End of Data

   P8: Cache Reset

   P10: Error Report

   +---------+-----+-----+-------+--------+--------+-----+--------+-----+
   |         | IOS | XR  | JUNOS | rpki   | rpki   | NCC | RTRlib | BBN |
   |         |     |     |       | .net   | .net   |     |        |     |
   |         |     |     |       | clnt   | srvr   |     |        |     |
   +---------+-----+-----+-------+--------+--------+-----+--------+-----+
   | Rcv.P0  | YES | YES | YES   | YES    | ---    | --- | YES    | --- |
   | Snd.P0  | --- | --- | ---   | ---    | YES    | YES | ---    | YES |
   | Rcv.P1  | --- | --- | ---   | ---    | YES    | YES | ---    | YES |
   | Snd.P1  | YES | YES | YES   | YES    | ---    | --- | YES    | --- |
   | Rcv.P2  | --- | --- | ---   | ---    | YES    | YES | ---    | YES |
   | Snd.P2  | YES | YES | YES   | YES    | ---    | --- | YES    | --- |
   | Rcv.P3  | YES | YES | YES   | YES    | ---    | --- | YES    | --- |
   | Snd.P3  | --- | --- | ---   | ---    | YES    | YES | ---    | YES |
   | Rcv.P4  | YES | YES | YES   | YES    | ---    | --- | YES    | --- |
   | Snd.P4  | --- | --- | ---   | ---    | YES    | YES | ---    | YES |
   | Rcv.P6  | YES | YES | YES   | YES    | ---    | --- | YES    | --- |
   | Snd.P6  | --- | --- | ---   | ---    | YES    | YES | ---    | YES |
   | Rcv.P7  | YES | YES | YES   | YES    | ---    | --- | YES    | --- |
   | Snd.P7  | --- | --- | ---   | ---    | YES    | YES | ---    | YES |
   | Rcv.P8  | YES | YES | YES   | YES    | ---    | --- | YES    | --- |
   | Snd.P8  | --- | --- | ---   | ---    | YES    | YES | ---    | YES |
   | Rcv.P10 | YES | YES | NO~1  | YES    | YES    | YES | YES    | YES |
   | Snd.P10 | YES | NO  | NO    | YES    | YES    | YES | YES    | YES |
   +---------+-----+-----+-------+--------+--------+-----+--------+-----+

   Note 1: No, the Error Report PDU is silently ignored.

4.  Protocol Sequence

   Does the RPKI Router protocol implementation follow the four protocol
   sequences outlined in Section 6 of [RFC6810]?

   S1: Start or Restart

   S2: Typical Exchange

   S3: No Incremental Update Available

   S4: Cache Has No Data Available

   +-----+-----+-----+-------+--------+--------+------+--------+-------+
   |     | IOS | XR  | JUNOS | rpki   | rpki   | NCC  | RTRlib | BBN   |
   |     |     |     |       | .net   | .net   |      |        |       |
   |     |     |     |       | clnt   | srvr   |      |        |       |
   +-----+-----+-----+-------+--------+--------+------+--------+-------+
   | S1  | YES | YES | YES   | YES    | YES    | YES  | YES    | YES   |
   | S2  | YES | YES | YES   | YES    | YES    | NO~1 | YES    | YES   |
   | S3  | YES | YES | YES   | YES    | YES    | YES  | YES    | YES   |
   | S4  | YES | YES | YES   | YES    | YES    | YES  | YES    | YES~2 |
   +-----+-----+-----+-------+--------+--------+------+--------+-------+

   Note 1: Does not implement Serial Query, thus an Incremental Update
   is never available, so it responds to a Serial Query with Cache Reset
   as described in Section 6.3 of [RFC6810].

   Note 2: Sends Cache Reset in response to Serial Query when no data;
   sends Error Report PDU in response to Reset Query when no data.

5.  Protocol Transport

   Does the RPKI Router protocol implementation support the different
   protocol transport mechanisms outlined in Section 7 of [RFC6810]?

   +---------+-----+-----+-------+------+------+-----+--------+-----+
   |         | IOS | XR  | JUNOS | rpki | rpki | NCC | RTRlib | BBN |
   |         |     |     |       | .net | .net |     |        |     |
   |         |     |     |       | clnt | srvr |     |        |     |
   +---------+-----+-----+-------+------+------+-----+--------+-----+
   | SSH     | NO  | YES | NO    | YES  | YES  | NO  | YES    | YES |
   | TLS     | NO  | NO  | NO    | NO   | NO   | NO  | NO     | NO  |
   | TCP     | YES | YES | YES   | YES  | YES  | YES | YES    | YES |
   | TCP-MD5 | NO  | NO  | NO    | NO   | NO   | NO  | NO     | NO  |
   | TCP-AO  | NO  | NO  | NO    | NO   | NO   | NO  | NO     | NO  |
   | IPsec   | NO  | NO  | NO    | NO   | NO   | NO  | NO     | NO  |
   +---------+-----+-----+-------+------+------+-----+--------+-----+

6.  Error Codes

   Does the RPKI Router protocol implementation support the different
   protocol error codes outlined in Section 10 of [RFC6810]?

   +-------+-----+-----+-------+------+------+-------+--------+-----+
   |       | IOS | XR  | JUNOS | rpki | rpki | NCC   | RTRlib | BBN |
   |       |     |     |       | .net | .net |       |        |     |
   |       |     |     |       | clnt | srvr |       |        |     |
   +-------+-----+-----+-------+------+------+-------+--------+-----+
   | Rcv.0 | YES | YES | NO    | YES  | YES  | YES   | YES    | YES |
   | Snd.0 | YES | YES | NO    | YES  | YES  | YES   | YES    | YES |
   | Rcv.1 | YES | YES | NO    | YES  | YES  | YES   | YES    | YES |
   | Snd.1 | YES | YES | NO    | YES  | YES  | YES   | YES    | YES |
   | Rcv.2 | YES | YES | NO    | YES  | ---  | ---   | YES    | --- |
   | Snd.2 | --- | --- | ---   | ---  | YES  | YES   | ---    | YES |
   | Rcv.3 | YES | YES | NO    | YES  | ---  | ---   | YES    | --- |
   | Snd.3 | --- | --- | ---   | ---  | YES  | YES   | ---    | YES |
   | Rcv.4 | YES | YES | NO    | YES  | YES  | YES   | YES    | YES |
   | Snd.4 | YES | YES | NO    | YES  | YES  | YES   | YES    | YES |
   | Rcv.5 | YES | YES | NO    | YES  | YES  | YES   | YES    | YES |
   | Snd.5 | YES | YES | NO    | YES  | YES  | YES   | YES    | YES |
   | Rcv.6 | --- | --- | ---   | ---  | YES  | YES~1 | ---    | YES |
   | Snd.6 | YES | YES | NO    | NO   | ---  | ---   | YES    | --- |
   | Rcv.7 | --- | --- | ---   | ---  | YES  | YES~1 | ---    | YES |
   | Snd.7 | YES | YES | NO    | NO   | ---  | ---   | YES    | --- |
   +-------+-----+-----+-------+------+------+-------+--------+-----+

   Note 1: YES, but... the error is fatal, so the connection is dropped,
   but the cache does not conclude that it is inconsistent.

7.  Incremental Updates Support

   Does the RPKI Router implementation support Incremental Updates as
   defined in Section 4 of [RFC6810]?

   +-----+-----+-------+----------+----------+-----+--------+-----+
   | IOS | XR  | JUNOS | rpki.net | rpki.net | NCC | RTRlib | BBN |
   |     |     |       | clnt     | srvr     |     |        |     |
   +-----+-----+-------+----------+----------+-----+--------+-----+
   | NO  | NO  | YES   | YES      | YES      | NO  | YES    | YES |
   +-----+-----+-------+----------+----------+-----+--------+-----+

8.  Session ID Support

   The Session ID is used to indicate that the cache server may have
   restarted and that an incremental restart may therefore not be
   possible.

   Does the RPKI Router protocol implementation support the Session ID
   procedures outlined in Section 5.1 of [RFC6810]?

   +-----+-----+-------+----------+----------+------+--------+-----+
   | IOS | XR  | JUNOS | rpki.net | rpki.net | NCC  | RTRlib | BBN |
   |     |     |       | clnt     | srvr     |      |        |     |
   +-----+-----+-------+----------+----------+------+--------+-----+
   | YES | YES | YES   | YES      | YES      | NO~1 | YES    | YES |
   +-----+-----+-------+----------+----------+------+--------+-----+

   Note 1: NO, using random, but will FIX.

9.  Incremental Session Startup Support

   Does the RPKI Router protocol implementation support incremental
   session startup with Serial Number and Session ID as defined in
   Section 5.3 of [RFC6810]?

   +-----+-----+-------+----------+----------+-----+--------+-----+
   | IOS | XR  | JUNOS | rpki.net | rpki.net | NCC | RTRlib | BBN |
   |     |     |       | clnt     | srvr     |     |        |     |
   +-----+-----+-------+----------+----------+-----+--------+-----+
   | YES | YES | YES   | YES      | YES      | NO  | YES    | YES |
   +-----+-----+-------+----------+----------+-----+--------+-----+

10.  Interoperable Implementations

   List the other implementations with which you have tested
   interoperability of your RPKI Router implementation.

10.1.  Cisco Implementation

   Cisco: The Cisco IOS and IOS-XR implementation should be
   interoperable with other vendor RPKI Router Protocol implementations.
   In particular we have tested our interoperability with rpki.net's
   RPKI Router implementation.

10.2.  Juniper Implementation

   Juniper: The Juniper Networks, Inc. JUNOS implementation should be
   interoperable with other vendor RPKI Router Protocol implementations.
   In particular we have tested our interoperability with rpki.net's and
   NCC's RPKI Router Cache implementation.

10.3.  rpki.net Implementation

   rpki.net: The rpki.net implementation should operate with other
   rpki-rtr implementations.  In particular, we have tested our rpki-rtr
   server's interoperability with Cisco IOS, Cisco IOS-XR, and Juniper.

10.4.  RIPE NCC Implementation

   RIPE NCC: The RIPE NCC validator has been tested by us with other
   rpki-rtr implementations.  In particular we have tested with RTRlib
   and Cisco IOS.  We received positive feedback from close contacts
   testing our validator with JUNOS and Quagga.

10.5.  RTRlib Implementation

   RTRlib: The RTRlib has been tested by us with other rpki-rtr
   implementations.  In particular, we have tested with rtr-origin from
   rpki.net and the RIPE NCC Validator.

10.6.  BBN RPSTIR Implementation

   BBN RPSTIR: We have not yet tested with any other implementations.

11.  IANA Considerations

   This document makes no request of IANA.

   Note to RFC Editor: The IANA has requested that this section remain
   in the document upon publication as an RFC.  This note to the RFC
   Editor, however, may be removed.

12.  Security Considerations

   No new security issues are introduced to the RPKI Router protocol
   defined in [RFC6810].

13.  Acknowledgements

   The authors would like to thank Andrew Chi, David Mandelberg, Fabian
   Holler, Forhad Ahmed, and Tim Bruijnzeels for their contributions to
   this document.

14.  Normative References

   [RFC6810]  Bush, R. and R. Austein, "The Resource Public Key
              Infrastructure (RPKI) to Router Protocol", RFC 6810,
              January 2013.
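   The tables in Sections 4, 6, 8 and 9 record how each client reacts to
   Cache Response, Cache Reset, End of Data and Error Report PDUs; the
   following Python is an added illustration of that client-side logic,
   not code from this report or from any implementation listed in it.
   The PDU header layout and error code 2 follow RFC 6810; the
   RouterState class, the function names and the constructed PDUs are
   this example's own.

```python
import struct

# RFC 6810 PDU header: version (0), PDU type, a 16-bit field that carries
# the Session ID, zero, or an error code depending on the type, and length.
HDR = struct.Struct("!BBHI")
SERIAL_QUERY, RESET_QUERY, CACHE_RESPONSE = 1, 2, 3
END_OF_DATA, CACHE_RESET, ERROR_REPORT = 7, 8, 10
NO_DATA_AVAILABLE = 2   # the only non-fatal error code in RFC 6810 Section 10

class RouterState:
    """Hypothetical: what a router keeps between exchanges with one cache."""
    def __init__(self):
        self.session_id = None   # learned from the first Cache Response
        self.serial = None       # last serial confirmed by End of Data

def build_query(state):
    """Serial Query when we hold state from this cache, else a full Reset Query."""
    if state.session_id is None or state.serial is None:
        return HDR.pack(0, RESET_QUERY, 0, 8)
    return HDR.pack(0, SERIAL_QUERY, state.session_id, 12) + struct.pack("!I", state.serial)

def handle_pdu(state, pdu):
    """Apply one received PDU to the state and return the action the client takes."""
    if len(pdu) < HDR.size:
        return "drop: malformed header"
    version, ptype, field, length = HDR.unpack_from(pdu)
    if version != 0 or length != len(pdu):
        return "drop: malformed header"
    if ptype == CACHE_RESPONSE:
        # Section 8: a changed Session ID means the cache may have restarted, so
        # the incremental state is no longer trustworthy; discard it and reload.
        if state.session_id is not None and field != state.session_id:
            state.session_id = state.serial = None
            return "session changed: discard data, send Reset Query"
        state.session_id = field
        return "cache response: apply following prefix PDUs"
    if ptype == END_OF_DATA:
        state.serial = struct.unpack_from("!I", pdu, HDR.size)[0]
        return "end of data: serial %d committed" % state.serial
    if ptype == CACHE_RESET:
        # Sequence S3: no incremental update available; keep the Session ID,
        # forget the serial, and fetch the full data set.
        state.serial = None
        return "cache reset: send Reset Query"
    if ptype == ERROR_REPORT:
        # The error code rides in the 16-bit header field.  Code 2 (No Data
        # Available, cf. Section 4 Note 2) is the only one that is not fatal.
        if field == NO_DATA_AVAILABLE:
            return "no data available: retry later, keep connection"
        return "fatal error %d: drop connection" % field
    return "unsupported pdu type %d: drop connection" % ptype

if __name__ == "__main__":   # constructed exchange: serial 42, then a cache restart
    st = RouterState()
    for pdu in (HDR.pack(0, CACHE_RESPONSE, 0x1234, 8), HDR.pack(0, END_OF_DATA, 0x1234, 12)
                + struct.pack("!I", 42), HDR.pack(0, CACHE_RESPONSE, 0x5678, 8)):
        print(handle_pdu(st, pdu), "->", build_query(st).hex())
```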
Authors' Addresses

   Randy Bush
   Internet Initiative Japan
   5147 Crystal Springs
   Bainbridge Island, Washington  98110
   US

   Email: randy@psg.com


   Rob Austein
   Dragon Research Labs

   Email: sra@hactrn.net


   Keyur Patel
   Cisco Systems
   170 West Tasman Drive
   San Jose, CA  95134
   US

   Email: keyupate@cisco.com


   Hannes Gredler
   Juniper Networks, Inc.
   1194 N. Mathilda Ave.
   Sunnyvale, CA  94089
   US

   Email: hannes@juniper.net


   Matthias Waehlisch
   FU Berlin
   Takustr. 9
   Berlin  14195
   Germany

   Email: waehlisch@ieee.org
   URI:   http://www.inf.fu-berlin.de/~waehl