Internet Engineering Task Force (IETF)                       O. Borchert
Internet-Draft                                             D. Montgomery
Updates: 8205 (if approved)                                     USA NIST
Intended status: Standards Track
Expires: July 19, 2021                                  January 15, 2021


                   BGPsec Validation State Unverified
           draft-borchert-sidrops-bgpsec-state-unverified-04

Abstract

   If operators decide to delay BGPsec path validation, none of the
   available states properly represents this decision.  This document
   introduces "Unverified" as a well-defined validation state that
   allows non-evaluated BGPsec routes to be properly identified as not
   verified.

Status of This Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

Borchert & Montgomery    Expires July 19, 2021                  [Page 1]

Internet Draft     BGPsec Validation State Unverified   January 15, 2021

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

Table of Contents

   1. Introduction
      1.1. Terminology
   2. Suggested Reading
   3. Initializing BGPsec route
      3.1. Changes to RFC 8205
   3. Usage Considerations
   4. Security Considerations
   5. IANA Considerations
   6. References
      6.1. Normative References
      8.2. Informative References
   Acknowledgements
   Authors' Addresses

1. Introduction

   BGPsec path validation [RFC8205] provides well-defined validation
   states.  However, there are instances in which BGPsec routes are not
   validated immediately upon receipt.  This could be due to a
   configuration in which the operator chose to perform "Lazy
   Evaluation", or due to a router configuration that enables the
   operator to delay route validation during situations of unexpectedly
   high load, such as DDoS attacks.  In these cases, the absence of a
   well-defined initialization state forces the use of a validation
   state that is otherwise well-defined, which "waters down" the meaning
   of that state.

   Hence, this document updates RFC 8205 by adding the proposed
   validation state "Unverified".

1.1. Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2. Suggested Reading

   It is assumed that the reader understands BGP [RFC4271] and the
   BGPsec Protocol Specification [RFC8205].

3. Initializing BGPsec route

   This document introduces the validation state "Unverified" to be used
   for BGPsec routes that are not evaluated otherwise.  To allow proper
   initialization, the following state is introduced:

   o  Unverified: Specifies the state of a BGPsec route where no
      evaluation has been performed.

3.1. Changes to RFC 8205

   The BGPsec protocol specification [RFC8205] suffers from the
   limitation described above.  Section 5.1 of RFC 8205 specifies two
   states for BGPsec path validation:

      The validation procedure results in one of two states: 'Valid' and
      'Not Valid'.

   Also, Section 5.1 makes it clear that:

      BGPsec validation need only be performed at the eBGP edge.

   This document updates RFC 8205 such that:

      BGPsec routes MUST be initialized using the BGPsec validation
      state "Unverified" until proper evaluation of the BGPsec route has
      been performed.

3. Usage Considerations

   The validation state "Unverified" makes it possible to distinguish
   between evaluated and non-evaluated BGPsec routes.  This allows the
   operator to create policies that treat such routes differently from
   routes labeled with either validation state "Valid" or "Not Valid".

4. Security Considerations

   This document introduces no new security concerns beyond what is
   described in [RFC8205].

5. IANA Considerations

   This document has no IANA actions.
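   The initialization rule of Section 3.1 and the policy distinction in
   the Usage Considerations, as an added Python example that is not part
   of the draft.  LazyRib, the LOCAL_PREF values and the sig_ok flag are
   assumptions, and verify is a stand-in for BGPsec path validation;
   passing initial=State.NOT_VALID models a router without the new state.

```python
from collections import deque
from enum import Enum


class State(Enum):
    UNVERIFIED = "Unverified"  # state added by this draft: no evaluation performed
    VALID = "Valid"            # RFC 8205, Section 5.1
    NOT_VALID = "Not Valid"    # RFC 8205, Section 5.1


# Hypothetical operator policy: local preference per validation state.
LOCAL_PREF = {State.VALID: 200, State.UNVERIFIED: 100, State.NOT_VALID: 50}


class LazyRib:
    """Toy route store with deferred BGPsec evaluation (all names are assumptions)."""

    def __init__(self, verify, budget, initial=State.UNVERIFIED):
        self.verify = verify      # callable(route) -> bool; stand-in for path validation
        self.budget = budget      # evaluations the router can afford per tick
        self.initial = initial    # state given to a route before evaluation
        self.routes, self.state, self.pending = {}, {}, deque()

    def receive(self, key, route):
        # Draft rule: a route stays in the initial state until it is evaluated.
        self.routes[key] = route
        self.state[key] = self.initial
        if key not in self.pending:   # a replaced route is queued only once
            self.pending.append(key)

    def tick(self):
        """Evaluate at most `budget` queued routes; the rest keep their state."""
        for _ in range(min(self.budget, len(self.pending))):
            key = self.pending.popleft()
            ok = self.verify(self.routes[key])
            self.state[key] = State.VALID if ok else State.NOT_VALID

    def never_evaluated_as(self, state):
        """Routes carrying `state` although no evaluation has been performed."""
        return sorted(k for k in self.pending if self.state[k] is state)


def burst(initial):
    """Constructed burst of five routes with budget for two evaluations."""
    rib = LazyRib(lambda r: r["sig_ok"], budget=2, initial=initial)
    for i, ok in enumerate([True, False, True, True, False]):
        rib.receive(f"192.0.2.{i}/32", {"sig_ok": ok})
    rib.tick()
    return rib
```

   With initial=State.NOT_VALID, never_evaluated_as(State.NOT_VALID)
   returns three routes that a policy cannot tell apart from the one
   route that actually failed validation.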
6. References

6.1. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8205]  Lepinski, M., Ed., and K. Sriram, Ed., "BGPsec Protocol
              Specification", RFC 8205, DOI 10.17487/RFC8205,
              September 2017.

8.2. Informative References

   [RFC4271]  Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
              Border Gateway Protocol 4 (BGP-4)", RFC 4271,
              DOI 10.17487/RFC4271, January 2006.

Acknowledgements

   The authors would like to acknowledge the valuable review and
   suggestions from K. Sriram on this document.

Authors' Addresses

   Oliver Borchert
   National Institute of Standards and Technology (NIST)
   100 Bureau Drive
   Gaithersburg, MD 20899
   United States of America

   Email: oliver.borchert@nist.gov


   Doug Montgomery
   National Institute of Standards and Technology (NIST)
   100 Bureau Drive
   Gaithersburg, MD 20899
   United States of America

   Email: dougm@nist.gov