| < draft-ietf-sidr-bgpsec-algs-00.txt | draft-ietf-sidr-bgpsec-algs-01.txt > | |||
|---|---|---|---|---|
| Secure Inter-Domain Routing Working Group S. Turner | Secure Inter-Domain Routing Working Group S. Turner | |||
| Internet-Draft IECA | Internet-Draft IECA | |||
| Updates: [ID.sidr-rpki-algs] October 24, 2011 | Updates: [ID.sidr-rpki-algs] December 5, 2011 | |||
| Intended Status: Standards Track | Intended Status: Standards Track | |||
| Expires: April 26, 2012 | Expires: June 7, 2012 | |||
| BGP Algorithms, Key Formats, & Signature Formats | BGP Algorithms, Key Formats, & Signature Formats | |||
| draft-ietf-sidr-bgpsec-algs-00 | draft-ietf-sidr-bgpsec-algs-01 | |||
| Abstract | Abstract | |||
| This document specifies the algorithms, algorithms' parameters, | This document specifies the algorithms, algorithms' parameters, | |||
| asymmetric key formats, asymmetric key size and signature format used | asymmetric key formats, asymmetric key size and signature format used | |||
| in BGPSEC (Border Gateway Protocol Security). This document updates | in BGPSEC (Border Gateway Protocol Security). This document updates | |||
| the Profile for Algorithms and Key Sizes for use in the Resource | the Profile for Algorithms and Key Sizes for use in the Resource | |||
| Public Key Infrastructure (draft-ietf-sidr-rpki-algs). | Public Key Infrastructure (draft-ietf-sidr-rpki-algs). | |||
| Status of this Memo | Status of this Memo | |||
| skipping to change at page 1, line 35 ¶ | skipping to change at page 1, line 35 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on April 26, 2012. | This Internet-Draft will expire on June 7, 2012. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2011 IETF Trust and the persons identified as the | Copyright (c) 2011 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 3, line 7 ¶ | skipping to change at page 3, line 7 ¶ | |||
| 2. Algorithms | 2. Algorithms | |||
| Four cryptographic algorithms are used to support BGPSEC: | Four cryptographic algorithms are used to support BGPSEC: | |||
| o The signature algorithm used when issuing BGPSEC certificates and | o The signature algorithm used when issuing BGPSEC certificates and | |||
| CRLs, which would revoke BGPSEC certificates, MUST be as | CRLs, which would revoke BGPSEC certificates, MUST be as | |||
| specified in [ID.sidr-rpki-algs]. | specified in [ID.sidr-rpki-algs]. | |||
| o The signature algorithm used in certification requests and BGPSEC | o The signature algorithm used in certification requests and BGPSEC | |||
| Update messages MUST be Elliptic Curve Digital Signature | Update messages MUST be Elliptic Curve Digital Signature | |||
| Algorithm (ECDSA) [DSS]. | Algorithm (ECDSA) [RFC6090]. | |||
| o The hashing algorithm used when issuing certificates and CRLs | o The hashing algorithm used when issuing certificates and CRLs | |||
| MUST be as specified in [ID.sidr-rpki-algs]. | MUST be as specified in [ID.sidr-rpki-algs]. | |||
| o The hashing algorithm use when generating certification requests | o The hashing algorithm use when generating certification requests | |||
| and BGPSEC Update messages MUST be SHA-256 [SHS]. Hash | and BGPSEC Update messages MUST be SHA-256 [SHS]. Hash | |||
| algorithms are not identified by themselves in certificates, or | algorithms are not identified by themselves in certificates, or | |||
| BGPSEC Update messages instead they are combined with the digital | BGPSEC Update messages instead they are combined with the digital | |||
| signature algorithm (see below). | signature algorithm (see below). | |||
| skipping to change at page 4, line 47 ¶ | skipping to change at page 4, line 47 ¶ | |||
| specifications, and also accommodate the orderly deprecation of | specifications, and also accommodate the orderly deprecation of | |||
| previously specified algorithms and keys. Accordingly, CAs and RPs | previously specified algorithms and keys. Accordingly, CAs and RPs | |||
| SHOULD be capable of supporting multiple RPKI algorithm and key | SHOULD be capable of supporting multiple RPKI algorithm and key | |||
| profiles simultaneously within the scope of such anticipated | profiles simultaneously within the scope of such anticipated | |||
| transitions. The recommended procedures to implement such a | transitions. The recommended procedures to implement such a | |||
| transition of key sizes and algorithms is not specified in this | transition of key sizes and algorithms is not specified in this | |||
| document. | document. | |||
| 6. Security Considerations | 6. Security Considerations | |||
| The Security Considerations of [RFC3279], [RFC5480], [ID.sidr-rpki- | The Security Considerations of [RFC3279], [RFC5480], [RFC6090], | |||
| algs], and [ID.bgpsec-pki-profiles] apply to certificates. The | [ID.sidr-rpki-algs], and [ID.bgpsec-pki-profiles] apply to | |||
| security considerations of [RFC3279], [ID.sidr-rpki-algs], | certificates. The security considerations of [RFC3279], [RFC6090], | |||
| [ID.bgpsec-pki-profiles] apply to certification requests. The | [ID.sidr-rpki-algs], [ID.bgpsec-pki-profiles] apply to certification | |||
| security considerations of [RFC3279] and [ID.sidr-bgpsec-protocol] | requests. The security considerations of [RFC3279], [ID.sidr-bgpsec- | |||
| apply to BGPSEC Update messages. No new security are introduced as a | protocol], and [RFC6090] apply to BGPSEC Update messages. No new | |||
| result of this specification. | security are introduced as a result of this specification. | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| The Internet Assigned Numbers Authority (IANA) is requested to define | The Internet Assigned Numbers Authority (IANA) is requested to define | |||
| the "BGPSEC Algorithm Suite Registry" described below. | the "BGPSEC Algorithm Suite Registry" described below. | |||
| An algorithm suite consists of a digest algorithm and a signature | An algorithm suite consists of a digest algorithm and a signature | |||
| algorithm. This specification creates an IANA registry of one-octet | algorithm. This specification creates an IANA registry of one-octet | |||
| BGPSEC algorithm suite identifiers. Additionally, this document | BGPSEC algorithm suite identifiers. Additionally, this document | |||
| registers a single algorithm suite which uses the digest algorithm | registers a single algorithm suite which uses the digest algorithm | |||
| skipping to change at page 6, line 28 ¶ | skipping to change at page 6, line 28 ¶ | |||
| [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 5280, May 2008. | (CRL) Profile", RFC 5280, May 2008. | |||
| [RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, | [RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, | |||
| "Elliptic Curve Cryptography Subject Public Key | "Elliptic Curve Cryptography Subject Public Key | |||
| Information", RFC 5480, March 2009. | Information", RFC 5480, March 2009. | |||
| [DSS] National Institute of Standards and Technology (NIST), FIPS | [RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic | |||
| Publication 186-3: Digital Signature Standard, June 2009. | Curve Cryptography Algorithms", RFC 6090, February 2011. | |||
| [SHS] National Institute of Standards and Technology (NIST), "FIPS | [SHS] National Institute of Standards and Technology (NIST), "FIPS | |||
| Publication 180-3: Secure Hash Standard", FIPS Publication | Publication 180-3: Secure Hash Standard", FIPS Publication | |||
| 180-3, October 2008. | 180-3, October 2008. | |||
| [ID.sidr-res-cert-profile] Huston, G., Michaelson, G., and R. | [ID.sidr-res-cert-profile] Huston, G., Michaelson, G., and R. | |||
| Loomans, "A Profile for X.509 PKIX Resource Certificates", | Loomans, "A Profile for X.509 PKIX Resource Certificates", | |||
| draft-ietf-sidr-res-certs, work-in-progress. | draft-ietf-sidr-res-certs, work-in-progress. | |||
| [ID.sidr-rpki-algs] Huston, G., "A Profile for Algorithms and Key | [ID.sidr-rpki-algs] Huston, G., "A Profile for Algorithms and Key | |||
| End of changes. 7 change blocks. | ||||
| 14 lines changed or deleted | 14 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||