| < draft-ietf-sidr-bgpsec-pki-profiles-00.txt | draft-ietf-sidr-bgpsec-pki-profiles-01.txt > | |||
|---|---|---|---|---|
| Secure Inter-Domain Routing Working Group M. Reynolds | Secure Inter-Domain Routing Working Group M. Reynolds | |||
| Internet-Draft BBN | Internet-Draft IPSw | |||
| Updates: [ID.sidr-res-cert-profile] S. Turner | Updates: [ID.sidr-res-cert-profile] S. Turner | |||
| Intended Status: Standards Track IECA | Intended Status: Standards Track IECA | |||
| Expires: April 25, 2012 October 24, 2011 | Expires: June 7, 2012 S. Kent | |||
| BBN | ||||
| December 5, 2011 | ||||
| A Profile for BGPSEC Router Certificates, | A Profile for BGPSEC Router Certificates, | |||
| Certificate Revocation Lists, and Certification Requests | Certificate Revocation Lists, and Certification Requests | |||
| draft-ietf-sidr-bgpsec-pki-profiles-00 | draft-ietf-sidr-bgpsec-pki-profiles-01 | |||
| Abstract | Abstract | |||
| This document defines a standard profile for X.509 certificates for | This document defines a standard profile for X.509 certificates for | |||
| the purposes of supporting validation of Autonomous System (AS) paths | the purposes of supporting validation of Autonomous System (AS) paths | |||
| in the Border Gateway Protocol (BGP), as part of an extension to that | in the Border Gateway Protocol (BGP), as part of an extension to that | |||
| protocol known as BGPSEC. BGP is a critical component for the proper | protocol known as BGPSEC. BGP is a critical component for the proper | |||
| operation of the Internet as a whole. The BGPSEC protocol is under | operation of the Internet as a whole. The BGPSEC protocol is under | |||
| development as a component to address the requirement to provide | development as a component to address the requirement to provide | |||
| security for the BGP protocol. The goal of BGPSEC is to design a | security for the BGP protocol. The goal of BGPSEC is to design a | |||
| skipping to change at page 2, line 4 ¶ | skipping to change at page 2, line 5 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on April 26, 2012. | ||||
| This Internet-Draft will expire on June 7, 2012. | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2011 IETF Trust and the persons identified as the | Copyright (c) 2011 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 5, line 32 ¶ | skipping to change at page 5, line 33 ¶ | |||
| 3.1.3.1. Extended Key Usage | 3.1.3.1. Extended Key Usage | |||
| BGPSEC Router Certificates MUST include the Extended Key Usage (EKU) | BGPSEC Router Certificates MUST include the Extended Key Usage (EKU) | |||
| extension. As specified in [ID.sidr-res-cert-profile], this | extension. As specified in [ID.sidr-res-cert-profile], this | |||
| extension MUST be marked as non-critical. This document defines one | extension MUST be marked as non-critical. This document defines one | |||
| EKU for BGPSEC Router Certificates: | EKU for BGPSEC Router Certificates: | |||
| id-kp OBJECT IDENTIFIER ::= | id-kp OBJECT IDENTIFIER ::= | |||
| { iso(1) identified-organization(3) dod(6) internet(1) | { iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) pkix(7) TBD } | security(5) mechanisms(5) pkix(7) kp(3) } | |||
| id-kp-bgpsec-router OBJECT IDENTIFIER ::= { id-kp TBD } | id-kp-bgpsec-router OBJECT IDENTIFIER ::= { id-kp TBD } | |||
| Relying Parties MUST require the extended key usage extension to be | Relying Parties MUST require the extended key usage extension to be | |||
| present in a BGPSEC Router Certificate. If multiple KeyPurposeId | present in a BGPSEC Router Certificate. If multiple KeyPurposeId | |||
| values are included, the relying parties need not recognize all of | values are included, the relying parties need not recognize all of | |||
| them, as long as the required KeyPurposeId value is present. BGPSEC | them, as long as the required KeyPurposeId value is present. BGPSEC | |||
| RPs MUST reject certificates that do not contain the BGPSEC Router | RPs MUST reject certificates that do not contain the BGPSEC Router | |||
| EKU even if they include the anyExtendedKeyUsage OID defined in | EKU even if they include the anyExtendedKeyUsage OID defined in | |||
| [RFC5280]. | [RFC5280]. | |||
| skipping to change at page 9, line 22 ¶ | skipping to change at page 9, line 24 ¶ | |||
| progress. | progress. | |||
| [ID.sidr-algorithm-agility] Gagliano, R., Kent, S., and S. Turner, | [ID.sidr-algorithm-agility] Gagliano, R., Kent, S., and S. Turner, | |||
| "Algorithm Agility Procedure for RPKI", draft-ietf-sidr- | "Algorithm Agility Procedure for RPKI", draft-ietf-sidr- | |||
| algorithm-agility, work-in-progress. | algorithm-agility, work-in-progress. | |||
| [ID.sidr-bgpsec-protocol] Lepinski, M., "BGPSEC Protocol | [ID.sidr-bgpsec-protocol] Lepinski, M., "BGPSEC Protocol | |||
| Specification", draft-ietf-sidr-bgpsec-protocol, work-in- | Specification", draft-ietf-sidr-bgpsec-protocol, work-in- | |||
| progress. | progress. | |||
| Appendix A. Example BGPSEC Router Certificate | Appendix A. ASN.1 Module | |||
| Appendix B. Example BGPSEC Router Certificate Request | BGPSECEKU { iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) pkix(7) id-mod(0) TBD } | ||||
| Appendix C. Change Log | DEFINITIONS EXPLICIT TAGS ::= | |||
| BEGIN | ||||
| -- EXPORTS ALL -- | ||||
| -- IMPORTS NOTHING -- | ||||
| -- OID Arc -- | ||||
| id-kp OBJECT IDENTIFIER ::= { | ||||
| iso(1) identified-organization(3) dod(6) internet(1) | ||||
| security(5) mechanisms(5) kp(3) } | ||||
| -- BGPSEC Router Extended Key Usage -- | ||||
| id-kp-bgpsec-router OBJECT IDENTIFIER ::= { id-kp TBD } | ||||
| END | ||||
| Appendix B. Example BGPSEC Router Certificate | ||||
| Appendix C. Example BGPSEC Router Certificate Request | ||||
| Appendix D. Change Log | ||||
| Please delete this section prior to publication. | Please delete this section prior to publication. | |||
| C.1 Changes from turner-bgpsec-pki-profiles-02 to sidr-bgpsec-pki- | D.1 Changes from turner-bgpsec-pki-profiles-02 to sidr-bgpsec-pki- | |||
| profiles-00 | ||||
| Added an ASN.1 Module and corrected the id-kp OID in s3.1.3.1. | ||||
| D.2 Changes from turner-bgpsec-pki-profiles-02 to sidr-bgpsec-pki- | ||||
| profiles-00 | profiles-00 | |||
| Added this change log. | Added this change log. | |||
| Amplified that a BGPSEC RP will need to support both the algorithms | Amplified that a BGPSEC RP will need to support both the algorithms | |||
| in [ID.sidr-bgpsec-algs] for BGPSEC and the algorithms in [ID.sidr- | in [ID.sidr-bgpsec-algs] for BGPSEC and the algorithms in [ID.sidr- | |||
| rpki-algs] for certificates and CRLs. | rpki-algs] for certificates and CRLs. | |||
| Changed the name of AS Resource extension to AS Resource Identifier | Changed the name of AS Resource extension to AS Resource Identifier | |||
| Delegation to match what's in RFC 3779. | Delegation to match what's in RFC 3779. | |||
| C.2 Changes from turner-bgpsec-pki-profiles -01 to -02 | D.3 Changes from turner-bgpsec-pki-profiles -01 to -02 | |||
| Added text in Section 2 to indicate that there's no impact on the | Added text in Section 2 to indicate that there's no impact on the | |||
| procedures defined in [ID.sidr-algorithm-agility]. | procedures defined in [ID.sidr-algorithm-agility]. | |||
| Added a security consideration to let implementers know the BGPSEC | Added a security consideration to let implementers know the BGPSEC | |||
| certificates will not pass RPKI validation [ID.sidr-res-cert-profile] | certificates will not pass RPKI validation [ID.sidr-res-cert-profile] | |||
| and that keying off the EKU will help tremendously. | and that keying off the EKU will help tremendously. | |||
| C.3 Changes from turner-bgpsec-pki-profiles -00 to -01 | D.4 Changes from turner-bgpsec-pki-profiles -00 to -01 | |||
| Corrected Section 2 to indicate that CA certificates are also RPKI | Corrected Section 2 to indicate that CA certificates are also RPKI | |||
| certificates. | certificates. | |||
| Removed sections and text that was already in [ID.sidr-res-cert- | Removed sections and text that was already in [ID.sidr-res-cert- | |||
| profile]. This will make it easier for reviewers to figure out what | profile]. This will make it easier for reviewers to figure out what | |||
| is different. | is different. | |||
| Modified Section 6 to use 2119-language. | Modified Section 6 to use 2119-language. | |||
| Removed requirement from Section 6 to check that the AS # in the | Removed requirement from Section 6 to check that the AS # in the | |||
| certificate is the last number in the AS path information of each BGP | certificate is the last number in the AS path information of each BGP | |||
| UPDATE message. Moved to [ID.sidr-bgpsec-protocol]. | UPDATE message. Moved to [ID.sidr-bgpsec-protocol]. | |||
| Authors' Addresses | Authors' Addresses | |||
| Mark Reynolds | Mark Reynolds | |||
| Raytheon BBN Technologies Corp. | Island Peak Software | |||
| 10 Moulton St. | 328 Virginia Road | |||
| Cambridge, MA 02138 | Concord, MA 01742 | |||
| Email: mreynold@bbn.com | Email: mcr@islandpeaksoftware.com | |||
| Sean Turner | Sean Turner | |||
| IECA, Inc. | IECA, Inc. | |||
| 3057 Nutley Street, Suite 106 | 3057 Nutley Street, Suite 106 | |||
| Fairfax, VA 22031 | Fairfax, VA 22031 | |||
| USA | USA | |||
| EMail: turners@ieca.com | EMail: turners@ieca.com | |||
| Steve Kent | ||||
| Raytheon BBN Technologies | ||||
| 10 Moulton St. | ||||
| Cambridge, MA 02138 | ||||
| Email: kent@bbn.com | ||||
| End of changes. 14 change blocks. | ||||
| 15 lines changed or deleted | 47 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||
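The relying-party rule from Section 3.1.3.1 above (the EKU extension MUST be present, it MUST carry id-kp-bgpsec-router, and anyExtendedKeyUsage is no substitute), as an added example that is not part of the draft: it DER-encodes and decodes an ExtKeyUsageSyntax (SEQUENCE OF KeyPurposeId) and applies the check. The last arc of id-kp-bgpsec-router is TBD in the draft, so `.999` is a placeholder, and the small encode/decode helpers are the example's own, not an API from the draft.

```python
# Added example, not from the draft: DER-decode an ExtKeyUsageSyntax
# (SEQUENCE OF KeyPurposeId) and apply the relying-party rule of s3.1.3.1.
ID_KP = "1.3.6.1.5.5.7.3"  # id-kp arc as given in the draft
ID_KP_BGPSEC_ROUTER = ID_KP + ".999"  # last arc is TBD in the draft; 999 is a placeholder

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])  # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128, high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def encode_eku(oids) -> bytes:
    body = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30, len(body)]) + body  # short-form length suffices here

def decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_eku(der: bytes) -> list:
    """Return the KeyPurposeId OIDs of a DER ExtKeyUsageSyntax."""
    if der[0] != 0x30 or der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("expected a single short-form SEQUENCE")
    oids, pos = [], 2
    while pos < len(der):
        if der[pos] != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        length = der[pos + 1]
        oids.append(decode_oid(der[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return oids

def bgpsec_eku_acceptable(eku_der) -> bool:
    """RP check: EKU MUST be present and MUST list id-kp-bgpsec-router."""
    if eku_der is None:  # extension absent: reject
        return False
    # anyExtendedKeyUsage (2.5.29.37.0) does not stand in for the router EKU.
    return ID_KP_BGPSEC_ROUTER in parse_eku(eku_der)
```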