Network Working Group J. Snijders Internet-Draft Fastly Intended status: Standards Track M. Abrahamsson Expires: 8 September 2022 NTT B. Maddison Workonline 7 March 2022 Resource Public Key Infrastructure (RPKI) object profile for Discard Origin Authorizations (DOA) draft-spaghetti-sidrops-rpki-doa-00 Abstract This document defines a Cryptographic Message Syntax (CMS) profile for Discard Origin Authorizations (DOAs), for use with the Resource Public Key Infrastructure (RPKI). A DOA is a digitally signed object that provides a means of verifying that an IP address block holder has authorized an Autonomous System (AS) to originate routes to one or more prefixes within the address block tagged with a specific set of Border Gateway Protocol (BGP) Communities, to signal a request to discard IP traffic destined towards the tagged IP prefix. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 8 September 2022. Snijders, et al. Expires 8 September 2022 [Page 1] Internet-Draft RPKI DOA March 2022 Copyright Notice Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. DOA EncapsulatedContentInfo . . . . . . . . . . . . . . . . . 3 2.1. ASN.1 Module . . . . . . . . . . . . . . . . . . . . . . 3 2.2. The DOA eContentType . . . . . . . . . . . . . . . . . . 5 2.3. The DOA eContent . . . . . . . . . . . . . . . . . . . . 5 2.3.1. version . . . . . . . . . . . . . . . . . . . . . . . 5 2.3.2. ipAddrBlocks . . . . . . . . . . . . . . . . . . . . 5 2.3.3. originAsID . . . . . . . . . . . . . . . . . . . . . 5 2.3.4. peerAsIDs . . . . . . . . . . . . . . . . . . . . . . 6 2.3.5. communities . . . . . . . . . . . . . . . . . . . . . 6 3. DOA Validation . . . . . . . . . . . . . . . . . . . . . . . 6 4. RPKI-RTR protocol extensions . . . . . . . . . . . . . . . . 6 5. BGP Route Matching . . . . . . . . . . . . . . . . . . . . . 6 6. Route Origin Validation Co-Existance . . . . . . . . . . . . 7 7. Exporting RTBH Routes . . . . . . . . . . . . . . . . . . . . 8 8. Operational Considerations . . . . . . . . . . . . . . . . . 8 9. Security Considerations . . . . . . . . . . . . . . . . . . . 8 10. Implementation status . . . . . . . . . . . . . . . . . . . . 8 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 11.1. SMI Security for S/MIME CMS Module Identifier (1.2.840.113549.1.9.16.0) . . . . . . . . . . . . . . . 9 11.2. SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1) . . . . . . . . . . . . . . . 9 11.3. RPKI Signed Objects registry . . . . . . . . . . . . . . 9 11.4. RPKI Repository Name Schemes registry . . . . . . . . . 10 11.5. Media Types registry . . . . . . . . . . . . . . . . . . 10 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 12.1. Normative References . . . . . . . . . . . . . . . . . . 11 12.2. Informative References . . . . . . . . . . . . . . . . . 11 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 12 Appendix B. Document Changelog . . . . . . . . . . . . . . . . . 12 B.1. Individual Submission Phase . . . . . . . . . . . . . . . 12 Snijders, et al. Expires 8 September 2022 [Page 2] Internet-Draft RPKI DOA March 2022 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 1. Introduction Internet operators commonly provide a means for adjacent networks to advertise routes in BGP with the intention that traffic matching such a route be discarded, rather than being forwarded towards the advertising network. This is referred to as Remotely Triggered Blackholing (RTBH), and is typically acheived through the use of a BGP Community [RFC1997]. [RFC7999] defines a "well known" community value for this purpose. The route used to signal an RTBH request is referred to as an RTBH route. Inter-AS RTBH signalling, however, is in tension with the deployment of Route Origin Validation (ROV) based on the Resource Public Key Infrastructure (RPKI) [RFC6811]. Because a blackhole route is likely to have a prefix length greater than permitted in any covering ROA, an operator wishing to deploy routing policy to discard BGP paths with an ROV status of "Invalid", and simultaneously maintain a blackhole signalling service must choose either: 1. to exempt blackhole routes from processing based on ROV status, thus foregoing the benefit of ROV altogether; or 2. to insist that users of the blackhole signalling service create ROAs with a sufficiently large "maxLength" values to accomodate blackhole routes. This document defines a Cryptographic Message Syntax (CMS) [RFC5652] profile for Discard Origin Authorizations (DOAs), for use with the Resource Public Key Infrastructure (RPKI) [RFC6480], along with associated processing rules. DOAs can be used to validate whether incoming BGP route announcements carrying specific BGP Communities are meant to signify a request to discard IP traffic towards the IP destination carried in the BGP route. This enhances the concepts of [RFC3882] and [RFC7999], and can co-exist with deployed ROV policy. 2. DOA EncapsulatedContentInfo DOA follows the Signed Object Template for the RPKI [RFC6488]. 2.1. ASN.1 Module The following ASN.1 module specifies the encapContentInfo component for DOA objects: Snijders, et al. Expires 8 September 2022 [Page 3] Internet-Draft RPKI DOA March 2022 RpkiDiscardOriginAuthorization-2021 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) mod(0) TBD } DEFINITIONS EXPLICIT TAGS ::= BEGIN IMPORTS CONTENT-TYPE FROM CryptographicMessageSyntax-2010 -- in [RFC6268] { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) } IPAddressOrRange, IPAddressRange, IPAddress, ASId FROM IPAddrAndASCertExtn -- in [RFC3779] { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) mod(0) id-mod-ip-addr-and-as-ident(30) } ; ct-discardOriginAuthorization CONTENT-TYPE ::= { TYPE DiscardOriginAuthorization IDENTIFIED BY id-ct-discardOriginAuthorization } id-ct-discardOriginAuthorization OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) id-smime(16) id-ct(1) TBD } DiscardOriginAuthorization ::= SEQUENCE { version [0] INTEGER DEFAULT 0, ipAddrBlocks IPListRange, originAsID ASId, peerAsIDs [1] SEQUENCE SIZE(1..MAX) OF ASId OPTIONAL, communities [2] SEQUENCE SIZE(1..MAX) OF Community } IPListRange ::= SEQUENCE (SIZE(1..MAX)) OF IPAddressFamilyRange IPAddressFamilyRange ::= SEQUENCE { addressFamily OCTET STRING (SIZE(2..3)), addressOrRange IPAddressOrRange, prefixLengthRange PrefixLengthRange OPTIONAL -- if omitted, assume hostroutes } PrefixLengthRange ::= SEQUENCE { minLength INTEGER, maxLength INTEGER } Snijders, et al. Expires 8 September 2022 [Page 4] Internet-Draft RPKI DOA March 2022 Community ::= CHOICE { bgpCommunity [0] OCTET STRING (SIZE(4)), bgpLargeCommunity [1] OCTET STRING (SIZE(12)) } END 2.2. The DOA eContentType The eContentType for a DOA is defined as id-ct- discardOriginAuthorization as specified in Section 2.1. This OID MUST appear both within the eContentType in the encapContentInfo object as well as the ContentType signed attribute in the signerInfo object (see [RFC6488]). 2.3. The DOA eContent The content of a DOA is formally defined as DiscardOriginAuthorization as specified in Section 2.1 2.3.1. version The version number of the DiscardOriginAuthorization MUST be 0. 2.3.2. ipAddrBlocks The IP address prefixes for which the announcement of RTBH routes is authorized. The IP address resources contained here are the resources used to mark the authorization, and MUST match the set of resources listed by the EE certificate carried in the CMS certificates field. See [RFC6482] Section 3.3 for a similar, but not entirely similar appraoch. A notable difference is the absense of MaxLength, and instead a PrefixLengthRange is used. If no PrefixLengthRange is present, only the "host route" prefix length (i.e. 32 for IPv4 and 128 for IPv6) is authorized. 2.3.3. originAsID The asID field contains the AS number that is authorized to originate RTBH routes for the given IP address prefixes. The asID does not have to be contained by the resources listed on the EE certificate. Snijders, et al. Expires 8 September 2022 [Page 5] Internet-Draft RPKI DOA March 2022 2.3.4. peerAsIDs The peerAsIDs field contains zero or more AS numbers that are authorized to propagate routes intended to signal an RTBH request for the given IP address prefixes. The peerAsIDs do not have to be contained by the resources listed on the EE certificate. Network operators MUST only accept the RTBH request if it was received from any listed peerAsIDs. The peerAsIDs field allows DOAs to be used to validate RTBH routes with one AS hop between originator and receipient. 2.3.5. communities The communities field contains the Classic BGP communities or Large BGP Communities which are to be the 'trigger' to start RTBH. TBD: are communities 'and' or 'or'? 3. DOA Validation To validate a DOA the relying party MUST perform all the validation checks specified in [RFC6488] as well as the following additional DOA-specific validation step: * The IP delegation extension [RFC3779] MUST be present in the end- entity certificate (contained in the DOA), and every IP address prefix present in the ipAddrBlocks component of the DOA eContent is contained within the set of IP addresses specified in the EE certificate's IP address delegation extension. 4. RPKI-RTR protocol extensions TODO: Seperate document? 5. BGP Route Matching TODO: Seperate document? A BGP speaker MAY assign to each path it receives from its peers one of 3 RTBH request validation states: * Matched: a validated DOA object was found covering the prefix of the received path, and matching the contraints of the DOA; * Unmatched: a validated DOA object was found covering the prefix of the received path, but the constraints of the DOA were not matched; or Snijders, et al. Expires 8 September 2022 [Page 6] Internet-Draft RPKI DOA March 2022 * NotFound: a validated DOA object covering the prefix of the receieved path was not found. Where "covering" is used as in its definition in Section 2 [RFC6811]. In order for a BGP path to be considered to have matched the constraints of a DOA object, the following conditions MUST be met: * The route originated from the ASN listed in the ASId. * The route was received from a PeerAS which is either the ASId or listed in the peerAsIDs field. * The route's prefix length matches the listed permissible prefix lengths. * The route is tagged with (TODO: one or more of?) the designated BGP community. 6. Route Origin Validation Co-Existance It is important to observe that ROAs and DOAs can and will be issued for the same covered address space, and that the resulting ROV validation state MUST be entirely independent of the resulting DOA validation state. In particular it is expected that legitimate RTBH routes will commonly receive a DOA validation state of 'Matched' whilst also receiving a ROV validation state of 'Invalid' due to the (likely) longer prefix-length of an RTBH route. For this reason, it is recommended that operators construct policy so as to act on the DOA validation early in the routing policy application process, such that routes that are 'Matched' may be installed as RTBH routes, and routes that are 'Unmatched' or 'NotFound' can "fall-through" to be processed as "normal" routes, including the possible application of policy based on their ROV validation state. Critically, in order that operators are able to construct policy according to their needs conforming implementations MUST NOT take any policy action on a route based on either its DOA or ROV validation state by default. See also [RFC8481]. Snijders, et al. Expires 8 September 2022 [Page 7] Internet-Draft RPKI DOA March 2022 7. Exporting RTBH Routes The guidance of Section 3.2 [RFC7999] that, in general, RTBH routes SHOULD NOT be propagated beyond the receiving AS continues to apply to RTBH routes validated in terms of the above mechanisms. The exception to this guidance is that an operator MAY propagate a received RTBH route to neighboring ASes if its own AS number appears in the peerAsIDs field of the matched DOA, since this indicates a desire by the issuer that neighbors of the local AS honour the route as a legitimate RTBH signal. To facilitate the construction of routing policies by operators that implemented this behaviour, conforming BGP speaker implementations SHOULD provide a means of distinguishing between 'Matched' routes for which the local AS appears in the peerAsIDs of the matched DOA from those for which it does not. 8. Operational Considerations TODO 9. Security Considerations TODO 10. Implementation status This section is to be removed before publishing as an RFC. This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in RFC 7942. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist. Snijders, et al. Expires 8 September 2022 [Page 8] Internet-Draft RPKI DOA March 2022 According to RFC 7942, "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit". * A signer implementation [rpkimancer-doa] written in Python has been developed by Ben Maddison. 11. IANA Considerations 11.1. SMI Security for S/MIME CMS Module Identifier (1.2.840.113549.1.9.16.0) The IANA is requested to register the following entry for this document in the "SMI Security for S/MIME CMS Module Identifier (1.2.840.113549.1.9.16.0)" registry: Decimal Description References ----------------------------------------------------------------------------- [TBD] id-mod-rpkiDOA [draft-spaghetti-sidrops-rpki-doa] Upon publication of this document, IANA is requested to reference the RFC publication instead of this draft. 11.2. SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1) The IANA is requested to register the following entry for this document in the "SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)" registry: Decimal Description References ----------------------------------------------------------------------------- [TBD] id-ct-discardOriginAuthorization [draft-spaghetti-sidrops-rpki-doa] Upon publication of this document, IANA is requested to reference the RFC publication instead of this draft. 11.3. RPKI Signed Objects registry The IANA is requested to register the OID for the RPKI Discard Origin Authorization in the "RPKI Signed Objects" registry ([RFC6488]) as follows: Snijders, et al. Expires 8 September 2022 [Page 9] Internet-Draft RPKI DOA March 2022 Name OID Reference ---------------------------------------------------- DOA 1.2.840.113549.1.9.16.1.TBD [RFC-TBD] 11.4. RPKI Repository Name Schemes registry The IANA is requested to register the RPKI Discard Origin Authorization file extension in the "RPKI Repository Name Schemes" registry ([RFC6481]) as follows: Filename Extension RPKI Object Reference ---------------------------------------------------------- .doa Discard Origin Authorization [RFC-TBD] 11.5. Media Types registry The IANA is requested to register the media type application/rpki-doa in the "Media Types" registry ([RFC6838]) as follows: Type name: application Subtype name: rpki-doa Required parameters: None Optional parameters: None Encoding considerations: binary Security considerations: Carries an RPKI Discard Origin Authorization [RFC-TBD]. Interoperability considerations: None Published specification: This document. Applications that use this media type: RPKI operators. Additional information: Content: This media type is a signed object, as defined in [RFC6488], which contains a payload of a set of matching criteria as defined above in [RFC-TBD]. Magic number(s): None File extension(s): .doa Macintosh file type code(s): Person & email address to contact for further information: Job Snijders Intended usage: COMMON Restrictions on usage: None Author: Job Snijders Change controller: Job Snijders 12. References Snijders, et al. Expires 8 September 2022 [Page 10] Internet-Draft RPKI DOA March 2022 12.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP Addresses and AS Identifiers", RFC 3779, DOI 10.17487/RFC3779, June 2004, . [RFC3882] Turk, D., "Configuring BGP to Block Denial-of-Service Attacks", RFC 3882, DOI 10.17487/RFC3882, September 2004, . [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, RFC 5652, DOI 10.17487/RFC5652, September 2009, . [RFC6481] Huston, G., Loomans, R., and G. Michaelson, "A Profile for Resource Certificate Repository Structure", RFC 6481, DOI 10.17487/RFC6481, February 2012, . [RFC6488] Lepinski, M., Chi, A., and S. Kent, "Signed Object Template for the Resource Public Key Infrastructure (RPKI)", RFC 6488, DOI 10.17487/RFC6488, February 2012, . [RFC6838] Freed, N., Klensin, J., and T. Hansen, "Media Type Specifications and Registration Procedures", BCP 13, RFC 6838, DOI 10.17487/RFC6838, January 2013, . [RFC7999] King, T., Dietzel, C., Snijders, J., Doering, G., and G. Hankins, "BLACKHOLE Community", RFC 7999, DOI 10.17487/RFC7999, October 2016, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . 12.2. Informative References Snijders, et al. Expires 8 September 2022 [Page 11] Internet-Draft RPKI DOA March 2022 [RFC1997] Chandra, R., Traina, P., and T. Li, "BGP Communities Attribute", RFC 1997, DOI 10.17487/RFC1997, August 1996, . [RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support Secure Internet Routing", RFC 6480, DOI 10.17487/RFC6480, February 2012, . [RFC6482] Lepinski, M., Kent, S., and D. Kong, "A Profile for Route Origin Authorizations (ROAs)", RFC 6482, DOI 10.17487/RFC6482, February 2012, . [RFC6811] Mohapatra, P., Scudder, J., Ward, D., Bush, R., and R. Austein, "BGP Prefix Origin Validation", RFC 6811, DOI 10.17487/RFC6811, January 2013, . [RFC8481] Bush, R., "Clarifications to BGP Origin Validation Based on Resource Public Key Infrastructure (RPKI)", RFC 8481, DOI 10.17487/RFC8481, September 2018, . [rpkimancer-doa] Maddison, B., "rpkimancer-doa", June 2021, . Appendix A. Acknowledgements TODO Appendix B. Document Changelog This section is to be removed before publishing as an RFC. B.1. Individual Submission Phase Authors' Addresses Job Snijders Fastly Amsterdam Netherlands Email: job@fastly.com Snijders, et al. Expires 8 September 2022 [Page 12] Internet-Draft RPKI DOA March 2022 Mikael Abrahamsson NTT Ltd. Stockholm Sweden Email: mikael@swm.pp.se Ben Maddison Workonline Communications Cape Town South Africa Email: benm@workonline.africa Snijders, et al. Expires 8 September 2022 [Page 13]