| < draft-ietf-sidr-bgpsec-algs-05.txt | draft-ietf-sidr-bgpsec-algs-06.txt > | |||
|---|---|---|---|---|
| Secure Inter-Domain Routing Working Group S. Turner | Secure Inter-Domain Routing Working Group S. Turner | |||
| Internet-Draft IECA | Internet-Draft IECA | |||
| Updates: 6485 (if approved) September 17, 2013 | Updates: 6485 (if approved) March 27, 2014 | |||
| Intended Status: Standards Track | Intended Status: Standards Track | |||
| Expires: March 21, 2014 | Expires: September 28, 2014 | |||
| BGP Algorithms, Key Formats, & Signature Formats | BGP Algorithms, Key Formats, & Signature Formats | |||
| draft-ietf-sidr-bgpsec-algs-05 | draft-ietf-sidr-bgpsec-algs-06 | |||
| Abstract | Abstract | |||
| This document specifies the algorithms, algorithms' parameters, | This document specifies the algorithms, algorithms' parameters, | |||
| asymmetric key formats, asymmetric key size and signature format used | asymmetric key formats, asymmetric key size and signature format used | |||
| in BGPSEC (Border Gateway Protocol Security). This document updates | in BGPSEC (Border Gateway Protocol Security). This document updates | |||
| the Profile for Algorithms and Key Sizes for use in the Resource | the Profile for Algorithms and Key Sizes for use in the Resource | |||
| Public Key Infrastructure (RFC 6485). | Public Key Infrastructure (RFC 6485). | |||
| Status of this Memo | Status of this Memo | |||
| skipping to change at page 1, line 37 ¶ | skipping to change at page 1, line 37 ¶ | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2013 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 2, line 15 ¶ | skipping to change at page 2, line 15 ¶ | |||
| 1. Introduction | 1. Introduction | |||
| This document specifies: | This document specifies: | |||
| o the digital signature algorithm and parameters; | o the digital signature algorithm and parameters; | |||
| o the hash algorithm and parameters; | o the hash algorithm and parameters; | |||
| o the public and private key formats; and, | o the public and private key formats; and, | |||
| o the signature format | o the signature format | |||
| used by Resource Public Key Infrastructure (RPKI) Certification | used by Resource Public Key Infrastructure (RPKI) Certification | |||
| Authorities (CA), and BGPSEC (Border Gateway Protocol Security) | Authorities (CA), and BGPSEC (Border Gateway Protocol Security) | |||
| speakers (i.e., routers). CAs use these algorithms when issuing | speakers (i.e., routers). CAs use these algorithms when issuing | |||
| BGPSEC Router Certificates [ID.bgpsec-pki-profiles] and CRLs | BGPSEC Router Certificates [ID.sidr-bgpsec-pki-profiles] and CRLs | |||
| [RFC6487]. BGPSEC routers use these when requesting BGPSEC | [RFC6487]. BGPSEC routers use these when requesting BGPSEC | |||
| certificates [ID.bgpsec-pki-profiles], generating BGPSEC Update | certificates [ID.sidr-bgpsec-pki-profiles], generating BGPSEC Update | |||
| messages [ID.sidr-bgpsec-protocol], and verifying BGPSEC Update | messages [ID.sidr-bgpsec-protocol], and verifying BGPSEC Update | |||
| messages [ID.sidr-bgpsec-protocol]. | messages [ID.sidr-bgpsec-protocol]. | |||
| This document is referenced by the BGPSEC specification [ID.bgpsec- | This document is referenced by the BGPSEC specification [ID.sidr- | |||
| protocol] and the profile for BGPSEC Router Certificates and | bgpsec-protocol] and the profile for BGPSEC Router Certificates and | |||
| Certification Requests [ID.bgpsec-pki-profiles]. Familiarity with | Certification Requests [ID.sidr-bgpsec-pki-profiles]. Familiarity | |||
| these documents is assumed. Implementers are reminded, however, | with these documents is assumed. Implementers are reminded, however, | |||
| that, as noted in Section 2 of [ID.bgpsec-pki-profiles], the | that, as noted in Section 2 of [ID.sidr-bgpsec-pki-profiles], the | |||
| algorithms used to sign CA Certificates, BGPSEC Router Certificates, | algorithms used to sign CA Certificates, BGPSEC Router Certificates, | |||
| and CRLs are found in [RFC6485]. | and CRLs are found in [RFC6485]. | |||
| This document updates [RFC6485] to add support for a) a different | This document updates [RFC6485] to add support for a) a different | |||
| algorithm for BGPSEC certificate requests, which are only issued by | algorithm for BGPSEC certificate requests, which are only issued by | |||
| BGPSEC speakers; b) a different Subject Public Key Info format for | BGPSEC speakers; b) a different Subject Public Key Info format for | |||
| BGPSEC certificates, which is needed for the specified BGPSEC | BGPSEC certificates, which is needed for the specified BGPSEC | |||
| signature algorithm; and, c) a different signature format for BGPSEC | signature algorithm; and, c) a different signature format for BGPSEC | |||
| signatures, which is needed for the specified BGPSEC signature | signatures, which is needed for the specified BGPSEC signature | |||
| algorithm. The BGPSEC certificate are differentiated from other RPKI | algorithm. The BGPSEC certificate are differentiated from other RPKI | |||
| certificates by the use of the BGPSEC Extended Key Usage defined in | certificates by the use of the BGPSEC Extended Key Usage defined in | |||
| [ID.bgpsec-pki-profiles]. | [ID.sidr-bgpsec-pki-profiles]. | |||
| 1.1. Terminology | 1.1. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
| [RFC2119]. | [RFC2119]. | |||
| 2. Algorithms | 2. Algorithms | |||
| skipping to change at page 3, line 20 ¶ | skipping to change at page 3, line 20 ¶ | |||
| MUST be as specified in [RFC6485]. | MUST be as specified in [RFC6485]. | |||
| o The hashing algorithm use when generating certification requests | o The hashing algorithm use when generating certification requests | |||
| and BGPSEC Update messages MUST be SHA-256 [SHS]. Hash | and BGPSEC Update messages MUST be SHA-256 [SHS]. Hash | |||
| algorithms are not identified by themselves in certificates, or | algorithms are not identified by themselves in certificates, or | |||
| BGPSEC Update messages instead they are combined with the digital | BGPSEC Update messages instead they are combined with the digital | |||
| signature algorithm (see below). | signature algorithm (see below). | |||
| NOTE: The exception to the above hashing algorithm is the use of | NOTE: The exception to the above hashing algorithm is the use of | |||
| SHA-1 [SHS] when CAs generate authority and subject key | SHA-1 [SHS] when CAs generate authority and subject key | |||
| identifiers [ID.bgpsec-pki-profiles]. | identifiers [RFC6487]. | |||
| To support BGPSEC, the algorithms are identified as follows: | To support BGPSEC, the algorithms are identified as follows: | |||
| o In certificates and CRLs, an Object Identifier (OID) is used. | o In certificates and CRLs, an Object Identifier (OID) is used. | |||
| The value and locations are as specified in section 2 of | The value and locations are as specified in section 2 of | |||
| [RFC6485]. | [RFC6485]. | |||
| o In certification request, an OID is used. The ecdsa-with-SHA256 | o In certification request, an OID is used. The ecdsa-with-SHA256 | |||
| OID [RFC5480] MUST appear in the PKCS #10 signatureAlgorithm | OID [RFC5480] MUST appear in the PKCS #10 signatureAlgorithm | |||
| field [RFC4211] or in Certificate Request Message Format (CRMF) | field [RFC4211] or in Certificate Request Message Format (CRMF) | |||
| skipping to change at page 4, line 48 ¶ | skipping to change at page 4, line 48 ¶ | |||
| previously specified algorithms and keys. Accordingly, CAs and RPs | previously specified algorithms and keys. Accordingly, CAs and RPs | |||
| SHOULD be capable of supporting multiple RPKI algorithm and key | SHOULD be capable of supporting multiple RPKI algorithm and key | |||
| profiles simultaneously within the scope of such anticipated | profiles simultaneously within the scope of such anticipated | |||
| transitions. The recommended procedures to implement such a | transitions. The recommended procedures to implement such a | |||
| transition of key sizes and algorithms is not specified in this | transition of key sizes and algorithms is not specified in this | |||
| document. | document. | |||
| 6. Security Considerations | 6. Security Considerations | |||
| The Security Considerations of [RFC3279], [RFC5480], [RFC6090], | The Security Considerations of [RFC3279], [RFC5480], [RFC6090], | |||
| [RFC6485], and [ID.bgpsec-pki-profiles] apply to certificates. The | [RFC6485], and [ID.sidr-bgpsec-pki-profiles] apply to certificates. | |||
| security considerations of [RFC3279], [RFC6090], [RFC6485], | The security considerations of [RFC3279], [RFC6090], [RFC6485], | |||
| [ID.bgpsec-pki-profiles] apply to certification requests. The | [ID.sidr-bgpsec-pki-profiles] apply to certification requests. The | |||
| security considerations of [RFC3279], [ID.sidr-bgpsec-protocol], and | security considerations of [RFC3279], [ID.sidr-bgpsec-protocol], and | |||
| [RFC6090] apply to BGPSEC Update messages. No new security are | [RFC6090] apply to BGPSEC Update messages. No new security | |||
| introduced as a result of this specification. | considerations are introduced as a result of this specification. | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| The Internet Assigned Numbers Authority (IANA) is requested to define | The Internet Assigned Numbers Authority (IANA) is requested to define | |||
| the "BGPSEC Algorithm Suite Registry" described below. | the "BGPSEC Algorithm Suite Registry" described below. | |||
| An algorithm suite consists of a digest algorithm and a signature | An algorithm suite consists of a digest algorithm and a signature | |||
| algorithm. This specification creates an IANA registry of one-octet | algorithm. This specification creates an IANA registry of one-octet | |||
| BGPSEC algorithm suite identifiers. Additionally, this document | BGPSEC algorithm suite identifiers. Additionally, this document | |||
| registers a single algorithm suite which uses the digest algorithm | registers a single algorithm suite which uses the digest algorithm | |||
| skipping to change at page 5, line 28 ¶ | skipping to change at page 5, line 28 ¶ | |||
| BGPSEC Algorithm Suites Registry | BGPSEC Algorithm Suites Registry | |||
| Digest Signature Algorithm Suite Specification | Digest Signature Algorithm Suite Specification | |||
| Algorithm Algorithm Identifier Pointer | Algorithm Algorithm Identifier Pointer | |||
| +----------------------------------------------------------------+ | +----------------------------------------------------------------+ | |||
| | SHA-256 | ECDSA P-256 | TBD | RFC 5480 | | | SHA-256 | ECDSA P-256 | TBD | RFC 5480 | | |||
| +----------------------------------------------------------------+ | +----------------------------------------------------------------+ | |||
| Future assignments are to be made using either the Standards Action | Future assignments are to be made using either the Standards Action | |||
| process defined in [RFC5226], or the Early IANA Allocation process | process defined in [RFC5226], or the Early IANA Allocation process | |||
| defined in [RFC4020]. Assignments consist of a digest algorithm | defined in [RFC7120]. Assignments consist of a digest algorithm | |||
| name, signature algorithm name, and the algorithm suite identifier | name, signature algorithm name, and the algorithm suite identifier | |||
| value. | value. | |||
| 10. Acknowledgements | 10. Acknowledgements | |||
| The author wishes to thank Geoff Huston for producing [RFC6485], | The author wishes to thank Geoff Huston for producing [RFC6485], | |||
| which this document is heavily based on. I'd also like to thank | which this document is heavily based on. I'd also like to thank | |||
| Roque Gagliano for his review and comments. | Roque Gagliano for his review and comments. | |||
| 11. References | 11. References | |||
| skipping to change at page 6, line 6 ¶ | skipping to change at page 6, line 6 ¶ | |||
| [RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification | [RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification | |||
| Request Syntax Specification Version 1.7", RFC 2986, | Request Syntax Specification Version 1.7", RFC 2986, | |||
| November 2000. | November 2000. | |||
| [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and | [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and | |||
| Identifiers for the Internet X.509 Public Key | Identifiers for the Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 3279, April 2002. | (CRL) Profile", RFC 3279, April 2002. | |||
| [RFC4020] Kompella, K. and A. Zinin, "Early IANA Allocation of | ||||
| Standards Track Code Points", BCP 100, RFC 4020, February | ||||
| 2005. | ||||
| [RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure | [RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure | |||
| Certificate Request Message Format (CRMF)", RFC 4211, | Certificate Request Message Format (CRMF)", RFC 4211, | |||
| September 2005. | September 2005. | |||
| [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | |||
| IANA Considerations Section in RFCs", BCP 26, RFC 5226, May | IANA Considerations Section in RFCs", BCP 26, RFC 5226, May | |||
| 2008. | 2008. | |||
| [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
| skipping to change at page 6, line 37 ¶ | skipping to change at page 6, line 33 ¶ | |||
| [RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic | [RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic | |||
| Curve Cryptography Algorithms", RFC 6090, February 2011. | Curve Cryptography Algorithms", RFC 6090, February 2011. | |||
| [RFC6485] Huston, G., "The Profile for Algorithms and Key Sizes for | [RFC6485] Huston, G., "The Profile for Algorithms and Key Sizes for | |||
| Use in the Resource Public Key Infrastructure (RPKI)", | Use in the Resource Public Key Infrastructure (RPKI)", | |||
| RFC 6485, February 2012. | RFC 6485, February 2012. | |||
| [RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for | [RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for | |||
| X.509 PKIX Resource Certificates", RFC 6487, February 2012. | X.509 PKIX Resource Certificates", RFC 6487, February 2012. | |||
| [RFC7120] Cotton, M., "Early IANA Allocation of Standards Track Code | ||||
| Points", BCP 100, RFC 7120, January 2014. | ||||
| [SHS] National Institute of Standards and Technology (NIST), "FIPS | [SHS] National Institute of Standards and Technology (NIST), "FIPS | |||
| Publication 180-3: Secure Hash Standard", FIPS Publication | Publication 180-3: Secure Hash Standard", FIPS Publication | |||
| 180-3, October 2008. | 180-3, October 2008. | |||
| [ID.sidr-bgpsec-protocol] Lepinski, M., "BGPSEC Protocol | [ID.sidr-bgpsec-protocol] Lepinski, M., "BGPSEC Protocol | |||
| Specification", draft-ietf-sidr-bgpsec-protocol, work-in- | Specification", draft-ietf-sidr-bgpsec-protocol, work-in- | |||
| progress. | progress. | |||
| [ID.bgpsec-pki-profiles] Reynolds, M. and S. Turner, "A Profile for | [ID.sidr-bgpsec-pki-profiles] Reynolds, M. and S. Turner, "A Profile | |||
| BGPSEC Router Certificates, Certificate Revocation Lists, | for BGPSEC Router Certificates, Certificate Revocation | |||
| and Certification Requests", draft-ietf-sidr-bpgsec-pki- | Lists, and Certification Requests", draft-ietf-sidr-bgpsec- | |||
| profiles, work-in-progress. | pki-profiles, work-in-progress. | |||
| 11.1. Informative References | 11.1. Informative References | |||
| None. | None. | |||
| Authors' Addresses | Authors' Addresses | |||
| Sean Turner | Sean Turner | |||
| IECA, Inc. | IECA, Inc. | |||
| 3057 Nutley Street, Suite 106 | 3057 Nutley Street, Suite 106 | |||
| End of changes. 15 change blocks. | ||||
| 27 lines changed or deleted | 26 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||