< draft-ietf-sidr-bgpsec-algs-16.txt   draft-ietf-sidr-bgpsec-algs-17.txt >
Secure Inter-Domain Routing Working Group S. Turner Secure Inter-Domain Routing Working Group S. Turner
Internet-Draft sn3rd Internet-Draft sn3rd
Updates: 7935 (if approved) November 14, 2016 Updates: 7935 (if approved) O. Borchert
Intended status: Standards Track Intended status: Standards Track NIST
Expires: May 18, 2017 Expires: September 7, 2017 March 6, 2017
BGPsec Algorithms, Key Formats, & Signature Formats BGPsec Algorithms, Key Formats, & Signature Formats
draft-ietf-sidr-bgpsec-algs-16 draft-ietf-sidr-bgpsec-algs-17
Abstract Abstract
This document specifies the algorithms, algorithm parameters, This document specifies the algorithms, algorithm parameters,
asymmetric key formats, asymmetric key size and signature format used asymmetric key formats, asymmetric key size and signature format used
in BGPsec (Border Gateway Protocol Security). This document updates in BGPsec (Border Gateway Protocol Security). This document updates
the Profile for Algorithms and Key Sizes for Use in the Resource the Profile for Algorithms and Key Sizes for Use in the Resource
Public Key Infrastructure (RFC 7935). Public Key Infrastructure (RFC 7935).
This document also includes example BGPsec Update messages as well
as the private keys used to generate the messages and the
certificates necessary to validate those signatures.
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 18 skipping to change at page 2, line 20
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Asymmetric Key Pair Formats . . . . . . . . . . . . . . . . . 3 3. Asymmetric Key Pair Formats . . . . . . . . . . . . . . . . . 3
3.1. Public Key Format . . . . . . . . . . . . . . . . . . . . 4 3.1. Public Key Format . . . . . . . . . . . . . . . . . . . . 4
3.2. Private Key Format . . . . . . . . . . . . . . . . . . . . 4 3.2. Private Key Format . . . . . . . . . . . . . . . . . . . . 4
4. Signature Format . . . . . . . . . . . . . . . . . . . . . . . 4 4. Signature Format . . . . . . . . . . . . . . . . . . . . . . . 4
5. Additional Requirements . . . . . . . . . . . . . . . . . . . 4 5. Additional Requirements . . . . . . . . . . . . . . . . . . . 4
6. Security Considerations . . . . . . . . . . . . . . . . . . . 4 6. Security Considerations . . . . . . . . . . . . . . . . . . . 4
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 5 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 5
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 5 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6
9.1. Normative References . . . . . . . . . . . . . . . . . . . 5 9.1. Normative References . . . . . . . . . . . . . . . . . . . 6
9.2. Informative References . . . . . . . . . . . . . . . . . . 7 9.2. Informative References . . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7 Appendix A Examples . . . . . . . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction 1. Introduction
This document specifies: This document specifies:
o the digital signature algorithm and parameters; o the digital signature algorithm and parameters;
o the hash algorithm and parameters; o the hash algorithm and parameters;
o the public and private key formats; and, o the public and private key formats; and,
o the signature format o the signature format
used by Resource Public Key Infrastructure (RPKI) Certification used by Resource Public Key Infrastructure (RPKI) Certification
Authorities (CA), and BGPsec (Border Gateway Protocol Security) Authorities (CA), and BGPsec (Border Gateway Protocol Security)
skipping to change at page 2, line 47 skipping to change at page 2, line 50
BGPsec Update messages [ID.sidr-bgpsec-protocol]. BGPsec Update messages [ID.sidr-bgpsec-protocol].
This document updates [RFC7935] to add support for a) a different This document updates [RFC7935] to add support for a) a different
algorithm for BGPsec certificate requests, which are issued only by algorithm for BGPsec certificate requests, which are issued only by
BGPsec speakers; b) a different Subject Public Key Info format for BGPsec speakers; b) a different Subject Public Key Info format for
BGPsec certificates, which is needed for the specified BGPsec BGPsec certificates, which is needed for the specified BGPsec
signature algorithm; and, c) a different signature format for BGPsec signature algorithm; and, c) a different signature format for BGPsec
signatures, which is needed for the specified BGPsec signature signatures, which is needed for the specified BGPsec signature
algorithm. The BGPsec certificate are differentiated from other RPKI algorithm. The BGPsec certificate are differentiated from other RPKI
certificates by the use of the BGPsec Extended Key Usage defined in certificates by the use of the BGPsec Extended Key Usage defined in
[ID.sidr-bgpsec-pki-profiles]. [ID.sidr-bgpsec-pki-profiles]. BGPsec uses a different algorithm as
compared to the rest of the RPKI to minimize the size of the protocol
exchanged between routers [RFC5480].
Appendix A contains example BGPsec Update messages as well as the
private keys used to generate the signatures and the certificates
necessary to validate those signatures.
1.1. Terminology 1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
[RFC2119]. [RFC2119].
2. Algorithms 2. Algorithms
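Review bot: In the sentence added to the last paragraph of the Introduction, "to minimize the size of the protocol exchanged between routers" does not say what is being made smaller. Suggest naming the object, for example the protocol messages exchanged between routers, and confirming that [RFC5480] is the reference meant to support that rationale. The unchanged sentence just before it reads "The BGPsec certificate are differentiated"; changing it to "certificates" would fix the agreement while this paragraph is being edited.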
skipping to change at page 5, line 29 skipping to change at page 5, line 35
Algorithm Digest Signature Specification Algorithm Digest Signature Specification
Suite Algorithm Algorithm Pointer Suite Algorithm Algorithm Pointer
Identifier Identifier
+------------+------------+-------------+---------------------+ +------------+------------+-------------+---------------------+
| 0x0 | Reserved | Reserved | This draft | | 0x0 | Reserved | Reserved | This draft |
+------------+------------+-------------+---------------------+ +------------+------------+-------------+---------------------+
| 0x1 | SHA-256 | ECDSA P-256 | [SHS][DSS][RFC6090] | | 0x1 | SHA-256 | ECDSA P-256 | [SHS][DSS][RFC6090] |
+------------+------------+-------------+---------------------+ +------------+------------+-------------+---------------------+
| 0x2-0xE | Unassigned | Unassigned | This draft | | 0x2-0xEF | Unassigned | Unassigned | This draft |
+------------+------------+-------------+---------------------+ +------------+------------+-------------+---------------------+
| 0xF | Reserved | Reserved | This draft | | 0xFF | Reserved | Reserved | This draft |
+------------+------------+-------------+---------------------+ +------------+------------+-------------+---------------------+
Future assignments are to be made using the Standards Action process Future assignments are to be made using the Standards Action process
defined in [RFC5226]. Assignments consist of the one-octet algorithm defined in [RFC5226]. Assignments consist of the one-octet algorithm
suite identifier value and the associated digest algorithm name and suite identifier value and the associated digest algorithm name and
signature algorithm name. signature algorithm name.
8. Acknowledgements 8. Acknowledgements
The author wishes to thank Geoff Huston and George Michaelson for The author wishes to thank Geoff Huston and George Michaelson for
producing [RFC7935], which this document is entirely based on. I'd producing [RFC7935], which this document is entirely based on. I'd
also like to thank Roque Gagliano, David Mandelberg, Tom Petch, Sam also like to thank Roque Gagliano, David Mandelberg, Tom Petch, Sam
Weiller, and Stephen Kent for their reviews and comments. Weiller, and Stephen Kent for their reviews and comments. Mehmet
Adalier, Kotikalapudi Sriram, and Doug Montgomery were instrumental
in developing the test vectors found in Appendix A.
9. References 9. References
9.1. Normative References 9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI Requirement Levels", BCP 14, RFC 2119, DOI
10.17487/RFC2119, March 1997, <http://www.rfc- 10.17487/RFC2119, March 1997, <http://www.rfc-
editor.org/info/rfc2119>. editor.org/info/rfc2119>.
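Review bot: The revised registry table leaves 0xF0 through 0xFE unaccounted for: the Unassigned row now ends at 0xEF and the Reserved row is 0xFF, so fifteen values of the one-octet identifier are neither unassigned nor reserved. Either extend the Unassigned row to 0x2-0xFE or add a row stating how 0xF0-0xFE are treated. Separately, the header now lists two authors, but the Acknowledgements still read "The author wishes" and "I'd also like".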
skipping to change at page 7, line 26 skipping to change at page 8, line 5
Publication 186-4, July 2013. Publication 186-4, July 2013.
[SHS] National Institute of Standards and Technology (NIST), U.S. [SHS] National Institute of Standards and Technology (NIST), U.S.
Department of Commerce, "Secure Hash Standard", FIPS Department of Commerce, "Secure Hash Standard", FIPS
Publication 180-4, August 2015. Publication 180-4, August 2015.
9.2. Informative References 9.2. Informative References
None. None.
Appendix A Examples
AS(64496)----AS(65536)----AS(65537)
Prefix Announcements: AS(64496), 192.0.2.0/24, 2001:db8::/32
For this example, the ECDSA algorithm was provided with a static
k to make the result deterministic.
The k used for all signature operations was taken from RFC 6979,
chapter A.2.5 ?Signatures With SHA-256, message 'sample'?.
k = A6E3C57DD01ABE90086538398355DD4C
3B17AA873382B0F24D6129493D8AAD60
Keys of AS64496:
================
ski: AB4D910F55CAE71A215EF3CAFE3ACC45B5EEC154
private key:
x = D8AA4DFBE2478F86E88A7451BF075565
709C575AC1C136D081C540254CA440B9
public key:
Ux = 7391BABB92A0CB3BE10E59B19EBFFB21
4E04A91E0CBA1B139A7D38D90F77E55A
Uy = A05B8E695678E0FA16904B55D9D4F5C0
DFC58895EE50BC4F75D205A25BD36FF5
Router Key Certificate example using OpenSSL 1.0.1e-fips 11 Feb 2013
--------------------------------------------------------------------
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 38655612 (0x24dd67c)
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN=ROUTER-0000FBF0
Validity
Not Before: Jan 1 05:00:00 2017 GMT
Not After : Jul 1 05:00:00 2018 GMT
Subject: CN=ROUTER-0000FBF0
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:73:91:ba:bb:92:a0:cb:3b:e1:0e:59:b1:9e:bf:
fb:21:4e:04:a9:1e:0c:ba:1b:13:9a:7d:38:d9:0f:
77:e5:5a:a0:5b:8e:69:56:78:e0:fa:16:90:4b:55:
d9:d4:f5:c0:df:c5:88:95:ee:50:bc:4f:75:d2:05:
a2:5b:d3:6f:f5
ASN1 OID: prime256v1
X509v3 extensions:
X509v3 Key Usage:
Digital Signature
X509v3 Subject Key Identifier:
AB:4D:91:0F:55:CA:E7:1A:21:5E:
F3:CA:FE:3A:CC:45:B5:EE:C1:54
X509v3 Extended Key Usage:
1.3.6.1.5.5.7.3.30
sbgp-autonomousSysNum: critical
Autonomous System Numbers:
64496
Routing Domain Identifiers:
inherit
Signature Algorithm: ecdsa-with-SHA256
30:44:02:20:07:b7:b4:6a:5f:a4:f1:cc:68:36:39:03:a4:83:
ec:7c:80:02:d2:f6:08:9d:46:b2:ec:2a:7b:e6:92:b3:6f:b1:
02:20:00:91:05:4a:a1:f5:b0:18:9d:27:24:e8:b4:22:fd:d1:
1c:f0:3d:b1:38:24:5d:64:29:35:28:8d:ee:0c:38:29
-----BEGIN CERTIFICATE-----
MIIBiDCCAS+gAwIBAgIEAk3WfDAKBggqhkjOPQQDAjAaMRgwFgYDVQQDDA9ST1VU
RVItMDAwMEZCRjAwHhcNMTcwMTAxMDUwMDAwWhcNMTgwNzAxMDUwMDAwWjAaMRgw
FgYDVQQDDA9ST1VURVItMDAwMEZCRjAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
AARzkbq7kqDLO+EOWbGev/shTgSpHgy6GxOafTjZD3flWqBbjmlWeOD6FpBLVdnU
9cDfxYiV7lC8T3XSBaJb02/1o2MwYTALBgNVHQ8EBAMCB4AwHQYDVR0OBBYEFKtN
kQ9VyucaIV7zyv46zEW17sFUMBMGA1UdJQQMMAoGCCsGAQUFBwMeMB4GCCsGAQUF
BwEIAQH/BA8wDaAHMAUCAwD78KECBQAwCgYIKoZIzj0EAwIDRwAwRAIgB7e0al+k
8cxoNjkDpIPsfIAC0vYInUay7Cp75pKzb7ECIACRBUqh9bAYnSck6LQi/dEc8D2x
OCRdZCk1KI3uDDgp
-----END CERTIFICATE-----
Keys of AS(65636):
==================
ski: 47F23BF1AB2F8A9D26864EBBD8DF2711C74406EC
private key:
x = 6CB2E931B112F24554BCDCAAFD9553A9
519A9AF33C023B60846A21FC95583172
public key:
Ux = 28FC5FE9AFCF5F4CAB3F5F85CB212FC1
E9D0E0DBEAEE425BD2F0D3175AA0E989
Uy = EA9B603E38F35FB329DF495641F2BA04
0F1C3AC6138307F257CBA6B8B588F41F
Router Key Certificate example using OpenSSL 1.0.1e-fips 11 Feb 2013
--------------------------------------------------------------------
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3168189942 (0xbcd6bdf6)
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN=ROUTER-0000FFFF
Validity
Not Before: Jan 1 05:00:00 2017 GMT
Not After : Jul 1 05:00:00 2018 GMT
Subject: CN=ROUTER-0000FFFF
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:28:fc:5f:e9:af:cf:5f:4c:ab:3f:5f:85:cb:21:
2f:c1:e9:d0:e0:db:ea:ee:42:5b:d2:f0:d3:17:5a:
a0:e9:89:ea:9b:60:3e:38:f3:5f:b3:29:df:49:56:
41:f2:ba:04:0f:1c:3a:c6:13:83:07:f2:57:cb:a6:
b8:b5:88:f4:1f
ASN1 OID: prime256v1
X509v3 extensions:
X509v3 Key Usage:
Digital Signature
X509v3 Subject Key Identifier:
47:F2:3B:F1:AB:2F:8A:9D:26:86:
4E:BB:D8:DF:27:11:C7:44:06:EC
X509v3 Extended Key Usage:
1.3.6.1.5.5.7.3.30
sbgp-autonomousSysNum: critical
Autonomous System Numbers:
65535
Routing Domain Identifiers:
inherit
Signature Algorithm: ecdsa-with-SHA256
30:45:02:21:00:df:04:c5:17:04:d0:f2:b9:fa:f3:d9:6e:3f:
6f:a1:58:d8:fe:6c:18:e4:37:ca:19:7c:c8:75:40:57:6e:7e:
9d:02:20:12:45:e8:a8:58:6b:00:7b:e6:a9:0e:f2:b6:62:50:
4b:1c:01:6f:3b:41:11:69:88:30:73:9f:d7:02:9e:64:4f
-----BEGIN CERTIFICATE-----
MIIBijCCATCgAwIBAgIFALzWvfYwCgYIKoZIzj0EAwIwGjEYMBYGA1UEAwwPUk9V
VEVSLTAwMDBGRkZGMB4XDTE3MDEwMTA1MDAwMFoXDTE4MDcwMTA1MDAwMFowGjEY
MBYGA1UEAwwPUk9VVEVSLTAwMDBGRkZGMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
QgAEKPxf6a/PX0yrP1+FyyEvwenQ4Nvq7kJb0vDTF1qg6Ynqm2A+OPNfsynfSVZB
8roEDxw6xhODB/JXy6a4tYj0H6NjMGEwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBRH
8jvxqy+KnSaGTrvY3ycRx0QG7DATBgNVHSUEDDAKBggrBgEFBQcDHjAeBggrBgEF
BQcBCAEB/wQPMA2gBzAFAgMA//+hAgUAMAoGCCqGSM49BAMCA0gAMEUCIQDfBMUX
BNDyufrz2W4/b6FY2P5sGOQ3yhl8yHVAV25+nQIgEkXoqFhrAHvmqQ7ytmJQSxwB
bztBEWmIMHOf1wKeZE8=
-----END CERTIFICATE-----
BGPSec IPv4 Update from AS(65536) to AS(65537):
===============================================
Binary Form of BGPSec Update (TCP-DUMP):
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
01 00 02 00 00 00 E9 40 01 01 02 80 04 04 00 00
00 00 80 0E 0D 00 01 01 04 C6 33 64 64 00 18 C0
00 02 90 21 00 CA 00 0E 01 00 00 01 00 00 01 00
00 00 FB F0 00 BC 01 47 F2 3B F1 AB 2F 8A 9D 26
86 4E BB D8 DF 27 11 C7 44 06 EC 00 46 30 44 02
20 72 14 BC 96 47 16 0B BD 39 FF 2F 80 53 3F 5D
C6 DD D7 0D DF 86 BB 81 56 61 E8 05 D5 D4 E6 F2
7C 02 20 2D DC 00 3C 64 BE 7B 29 C9 EB DB C8 A4
97 ED 66 28 5E E9 22 76 83 E6 C1 78 CE 8D E6 D3
59 5F 41 AB 4D 91 0F 55 CA E7 1A 21 5E F3 CA FE
3A CC 45 B5 EE C1 54 00 47 30 45 02 20 72 14 BC
96 47 16 0B BD 39 FF 2F 80 53 3F 5D C6 DD D7 0D
DF 86 BB 81 56 61 E8 05 D5 D4 E6 F2 7C 02 21 00
C6 17 19 34 07 43 06 3B 8A 5C CD 54 16 39 0B 31
21 1D 3C 52 48 07 95 87 D0 13 13 7B 41 CD 23 E2
Signature From AS(64496) to AS(65536):
---------------------------------------
Digest: 21 33 E5 CA A0 26 BE 07 3D 9C 1B 4E FE B9 B9 77
9F 20 F8 F5 DE 29 FA 98 40 00 9F 60
Signature: 30 45 02 20 72 14 BC 96 47 16 0B BD 39 FF 2F 80
53 3F 5D C6 DD D7 0D DF 86 BB 81 56 61 E8 05 D5
D4 E6 F2 7C 02 21 00 C6 17 19 34 07 43 06 3B 8A
5C CD 54 16 39 0B 31 21 1D 3C 52 48 07 95 87 D0
13 13 7B 41 CD 23 E2
Signature From AS(65536) to AS(65537):
--------------------------------------
Digest: 46 4B 57 CE B1 2D 18 B0 FD 1A 1A 35 94 17 3A 4A
09 88 E5 F4 ED ED 2F 3D 83 08 5A A8
Signature: 30 44 02 20 72 14 BC 96 47 16 0B BD 39 FF 2F 80
53 3F 5D C6 DD D7 0D DF 86 BB 81 56 61 E8 05 D5
D4 E6 F2 7C 02 20 2D DC 00 3C 64 BE 7B 29 C9 EB
DB C8 A4 97 ED 66 28 5E E9 22 76 83 E6 C1 78 CE
8D E6 D3 59 5F 41
The human readable output is produced using bgpsec-io, a bgpsec
traffic generator that uses a wireshark like printout.
Send Update Message
+--marker: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+--length: 256
+--type: 2 (UPDATE)
+--withdrawn_routes_length: 0
+--total_path_attr_length: 233
+--ORIGIN: INCOMPLETE (4 bytes)
| +--Flags: 0x40 (Well-Known, Transitive, Complete)
| +--Type Code: ORIGIN (1)
| +--Length: 1 byte
| +--Origin: INCOMPLETE (1)
+--MULTI_EXIT_DISC (7 bytes)
| +--Flags: 0x80 (Optional, Complete)
| +--Type Code: MULTI_EXIT_DISC (4)
| +--Length: 4 bytes
| +--data: 00 00 00 00
+--MP_REACH_NLRI (16 bytes)
| +--Flags: 0x80 (Optional, Complete)
| +--Type Code: MP_REACH_NLRI (14)
| +--Length: 13 bytes
| +--Address family: IPv4 (1)
| +--Subsequent address family identifier: Unicast (1)
| +--Next hop network address: (4 bytes)
| | +--Next hop: 198.51.100.100
| +--Subnetwork points of attachment: 0
| +--Network layer reachability information: (4 bytes)
| +--192.0.2.0/24
| +--MP Reach NLRI prefix length: 24
| +--MP Reach NLRI IPv4 prefix: 192.0.2.0
+--BGPSEC Path Attribute (206 bytes)
+--Flags: 0x90 (Optional, Complete, Extended Length)
+--Type Code: BGPSEC Path Attribute (33)
+--Length: 202 bytes
+--Secure Path (14 bytes)
| +--Length: 14 bytes
| +--Secure Path Segment: (6 bytes)
| | +--pCount: 1
| | +--Flags: 0
| | +--AS number: 65536 (1.0)
| +--Secure Path Segment: (6 bytes)
| +--pCount: 1
| +--Flags: 0
| +--AS number: 64496 (0.64496)
+--Signature Block (188 bytes)
+--Length: 188 bytes
+--Algo ID: 1
+--Signature Segment: (92 bytes)
| +--SKI: 47F23BF1AB2F8A9D26864EBBD8DF2711C74406EC
| +--Length: 70 bytes
| +--Signature: 304402207214BC96 47160BBD39FF2F80
| 533F5DC6DDD70DDF 86BB815661E805D5
| D4E6F27C02202DDC 003C64BE7B29C9EB
| DBC8A497ED66285E E9227683E6C178CE
| 8DE6D3595F41
+--Signature Segment: (93 bytes)
+--SKI: AB4D910F55CAE71A215EF3CAFE3ACC45B5EEC154
+--Length: 71 bytes
+--Signature: 304502207214BC96 47160BBD39FF2F80
533F5DC6DDD70DDF 86BB815661E805D5
D4E6F27C022100C6 1719340743063B8A
5CCD5416390B3121 1D3C5248079587D0
13137B41CD23E2
BGPSec IPv6 Update from AS(65536) to AS(65537):
===============================================
Binary Form of BGPSec Update (TCP-DUMP):
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
01 0C 02 00 00 00 F5 40 01 01 02 80 04 04 00 00
00 00 80 0E 1A 00 02 01 10 20 01 00 10 00 00 00
00 00 00 00 00 C6 33 64 64 00 20 20 01 0D B8 90
21 00 C9 00 0E 01 00 00 01 00 00 01 00 00 00 FB
F0 00 BB 01 47 F2 3B F1 AB 2F 8A 9D 26 86 4E BB
D8 DF 27 11 C7 44 06 EC 00 46 30 44 02 20 72 14
BC 96 47 16 0B BD 39 FF 2F 80 53 3F 5D C6 DD D7
0D DF 86 BB 81 56 61 E8 05 D5 D4 E6 F2 7C 02 20
0A 9A E7 5F 56 CE 42 9C D2 D2 20 38 6B 8D 24 73
E9 5C 8A 50 E5 58 DB 92 B7 88 3D 09 E8 42 4E E7
AB 4D 91 0F 55 CA E7 1A 21 5E F3 CA FE 3A CC 45
B5 EE C1 54 00 46 30 44 02 20 72 14 BC 96 47 16
0B BD 39 FF 2F 80 53 3F 5D C6 DD D7 0D DF 86 BB
81 56 61 E8 05 D5 D4 E6 F2 7C 02 20 6E 26 52 40
CF CA 0E F6 5C 8E A1 AF 6B 65 2A 19 13 D2 FC BD
B5 8E E9 53 60 9F 85 F0 D2 69 99 DF
Signature From AS(64496) to AS(65536):
---------------------------------------
Digest: 8A 0C D3 E9 8E 55 10 45 82 1D 80 46 01 D6 55 FC
52 11 89 DF 4D B0 28 7D 84 AC FC 77
Signature: 30 44 02 20 72 14 BC 96 47 16 0B BD 39 FF 2F 80
53 3F 5D C6 DD D7 0D DF 86 BB 81 56 61 E8 05 D5
D4 E6 F2 7C 02 20 6E 26 52 40 CF CA 0E F6 5C 8E
A1 AF 6B 65 2A 19 13 D2 FC BD B5 8E E9 53 60 9F
85 F0 D2 69 99 DF
Signature From AS(65536) to AS(65537):
--------------------------------------
Digest: BA BF F7 95 BF 3C BE 81 79 1F A9 90 06 FC 30 1B
0D BC D5 49 39 5A 0A 71 C2 D5 B2 FA
Signature: 30 44 02 20 72 14 BC 96 47 16 0B BD 39 FF 2F 80
53 3F 5D C6 DD D7 0D DF 86 BB 81 56 61 E8 05 D5
D4 E6 F2 7C 02 20 0A 9A E7 5F 56 CE 42 9C D2 D2
20 38 6B 8D 24 73 E9 5C 8A 50 E5 58 DB 92 B7 88
3D 09 E8 42 4E E7
The human readable output is produced using bgpsec-io, a bgpsec
traffic generator that uses a wireshark like printout.
Send Update Message
+--marker: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+--length: 268
+--type: 2 (UPDATE)
+--withdrawn_routes_length: 0
+--total_path_attr_length: 245
+--ORIGIN: INCOMPLETE (4 bytes)
| +--Flags: 0x40 (Well-Known, Transitive, Complete)
| +--Type Code: ORIGIN (1)
| +--Length: 1 byte
| +--Origin: INCOMPLETE (1)
+--MULTI_EXIT_DISC (7 bytes)
| +--Flags: 0x80 (Optional, Complete)
| +--Type Code: MULTI_EXIT_DISC (4)
| +--Length: 4 bytes
| +--data: 00 00 00 00
+--MP_REACH_NLRI (29 bytes)
| +--Flags: 0x80 (Optional, Complete)
| +--Type Code: MP_REACH_NLRI (14)
| +--Length: 26 bytes
| +--Address family: IPv6 (2)
| +--Subsequent address family identifier: Unicast (1)
| +--Next hop network address: (16 bytes)
| | +--Next hop: 2001:0010:0000:0000:0000:0000:c633:6464
| +--Subnetwork points of attachment: 0
| +--Network layer reachability information: (5 bytes)
| +--2001:db8::/32
| +--MP Reach NLRI prefix length: 32
| +--MP Reach NLRI IPv6 prefix: 2001:db8::
+--BGPSEC Path Attribute (205 bytes)
+--Flags: 0x90 (Optional, Complete, Extended Length)
+--Type Code: BGPSEC Path Attribute (33)
+--Length: 201 bytes
+--Secure Path (14 bytes)
| +--Length: 14 bytes
| +--Secure Path Segment: (6 bytes)
| | +--pCount: 1
| | +--Flags: 0
| | +--AS number: 65536 (1.0)
| +--Secure Path Segment: (6 bytes)
| +--pCount: 1
| +--Flags: 0
| +--AS number: 64496 (0.64496)
+--Signature Block (187 bytes)
+--Length: 187 bytes
+--Algo ID: 1
+--Signature Segment: (92 bytes)
| +--SKI: 47F23BF1AB2F8A9D26864EBBD8DF2711C74406EC
| +--Length: 70 bytes
| +--Signature: 304402207214BC96 47160BBD39FF2F80
| 533F5DC6DDD70DDF 86BB815661E805D5
| D4E6F27C02200A9A E75F56CE429CD2D2
| 20386B8D2473E95C 8A50E558DB92B788
| 3D09E8424EE7
+--Signature Segment: (92 bytes)
+--SKI: AB4D910F55CAE71A215EF3CAFE3ACC45B5EEC154
+--Length: 70 bytes
+--Signature: 304402207214BC96 47160BBD39FF2F80
533F5DC6DDD70DDF 86BB815661E805D5
D4E6F27C02206E26 5240CFCA0EF65C8E
A1AF6B652A1913D2 FCBDB58EE953609F
85F0D26999DF
Authors' Addresses Authors' Addresses
Sean Turner Sean Turner
sn3rd sn3rd
EMail: sean@sn3rd.com EMail: sean@sn3rd.com
Oliver Borchert
NIST
100 Bureau Drive
Gaithersburg MD 20899
USA
Email: oliver.borchert@nist.gov
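Review bot: The second key set in Appendix A does not identify one AS consistently: the topology line and the Secure Path use AS 65536, the heading reads "Keys of AS(65636)", and the certificate for SKI 47F23BF1... carries CN=ROUTER-0000FFFF with Autonomous System Numbers 65535. A validator that matches the signing AS in the Secure Path against the AS resources in the router certificate could reject these vectors as printed, so pick one AS number and regenerate the certificate or the updates to match. Each "Digest" is printed as 28 octets, while the suite's digest algorithm, SHA-256, produces 32, so the values look truncated. The ORIGIN attribute is printed as "INCOMPLETE (1)" in both updates, but the value octet in both dumps is 02. Because k is fixed, every signature here carries the same r (7214BC96...); a sentence stating that the static k and the published private keys exist only to make the test vectors reproducible, and that deployed signers need a fresh k for every signature, would keep the appendix from being read as implementation guidance.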
 End of changes. 12 change blocks. 
12 lines changed or deleted 392 lines changed or added
