| < draft-ietf-sidr-bgpsec-pki-profiles-02.txt | draft-ietf-sidr-bgpsec-pki-profiles-03.txt > | |||
|---|---|---|---|---|
| Secure Inter-Domain Routing Working Group M. Reynolds | Secure Inter-Domain Routing Working Group M. Reynolds | |||
| Internet-Draft IPSw | Internet-Draft IPSw | |||
| Updates: 6487 (if approved) S. Turner | Updates: 6487 (if approved) S. Turner | |||
| Intended Status: Standards Track IECA | Intended Status: Standards Track IECA | |||
| Expires: September 27, 2012 S. Kent | Expires: October 15, 2012 S. Kent | |||
| BBN | BBN | |||
| March 26, 2012 | April 13, 2012 | |||
| A Profile for BGPSEC Router Certificates, | A Profile for BGPSEC Router Certificates, | |||
| Certificate Revocation Lists, and Certification Requests | Certificate Revocation Lists, and Certification Requests | |||
| draft-ietf-sidr-bgpsec-pki-profiles-02 | draft-ietf-sidr-bgpsec-pki-profiles-03 | |||
| Abstract | Abstract | |||
| This document defines a standard profile for X.509 certificates for | This document defines a standard profile for X.509 certificates for | |||
| the purposes of supporting validation of Autonomous System (AS) paths | the purposes of supporting validation of Autonomous System (AS) paths | |||
| in the Border Gateway Protocol (BGP), as part of an extension to that | in the Border Gateway Protocol (BGP), as part of an extension to that | |||
| protocol known as BGPSEC. BGP is a critical component for the proper | protocol known as BGPSEC. BGP is a critical component for the proper | |||
| operation of the Internet as a whole. The BGPSEC protocol is under | operation of the Internet as a whole. The BGPSEC protocol is under | |||
| development as a component to address the requirement to provide | development as a component to address the requirement to provide | |||
| security for the BGP protocol. The goal of BGPSEC is to design a | security for the BGP protocol. The goal of BGPSEC is to design a | |||
| skipping to change at page 2, line 8 ¶ | skipping to change at page 2, line 8 ¶ | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2011 IETF Trust and the persons identified as the | Copyright (c) 2012 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 4, line 14 ¶ | skipping to change at page 4, line 14 ¶ | |||
| certificate is explained in Section 1 and falls within the scope of | certificate is explained in Section 1 and falls within the scope of | |||
| appropriate uses defined within [RFC6484]. The issuance of BGPSEC | appropriate uses defined within [RFC6484]. The issuance of BGPSEC | |||
| Router Certificates has minimal impact on RPKI CAs because the RPKI | Router Certificates has minimal impact on RPKI CAs because the RPKI | |||
| CA certificate and CRL profile remain unchanged (i.e., they are as | CA certificate and CRL profile remain unchanged (i.e., they are as | |||
| specified in [RFC6487]). Further, the algorithms used to generate | specified in [RFC6487]). Further, the algorithms used to generate | |||
| RPKI CA certificates that issue the BGPSEC Router Certificates and | RPKI CA certificates that issue the BGPSEC Router Certificates and | |||
| the CRLs necessary to check the validity of the BGPSEC Router | the CRLs necessary to check the validity of the BGPSEC Router | |||
| Certificates remain unchanged (i.e., they are as specified in | Certificates remain unchanged (i.e., they are as specified in | |||
| [RFC6485]). The only impact is that the RPKI CAs will need to be | [RFC6485]). The only impact is that the RPKI CAs will need to be | |||
| able to process a profiled certificate request (see Section 5) signed | able to process a profiled certificate request (see Section 5) signed | |||
| with algorithms found in [ID.turner-sidr-bgpsec-algs]. The use of | with algorithms found in [ID.sidr-bgpsec-algs]. The use of BGPSEC | |||
| BGPSEC Router Certificates in no way affects RPKI RPs that process | Router Certificates in no way affects RPKI RPs that process Manifests | |||
| Manifests and ROAs because the public key found in the BGPSEC Router | and ROAs because the public key found in the BGPSEC Router | |||
| Certificate is only ever used to verify the signature on the BGPSEC | Certificate is only ever used to verify the signature on the BGPSEC | |||
| certificate request (only CAs process these), another BGPSEC Router | certificate request (only CAs process these), another BGPSEC Router | |||
| Certificate (only BGPSEC routers process these), and the signature on | Certificate (only BGPSEC routers process these), and the signature on | |||
| a BGPSEC Update Message [ID.sidr-bgpsec-protocol] (only BGPSEC | a BGPSEC Update Message [ID.sidr-bgpsec-protocol] (only BGPSEC | |||
| routers process these). | routers process these). | |||
| Only the differences between this profile and the profile in | Only the differences between this profile and the profile in | |||
| [RFC6487] are listed. Note that BGPSEC Router Certificates are EE | [RFC6487] are listed. Note that BGPSEC Router Certificates are EE | |||
| certificates and as such there is no impact on process described in | certificates and as such there is no impact on process described in | |||
| [ID.sidr-algorithm-agility]. | [ID.sidr-algorithm-agility]. | |||
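Review bot: In the sentence listing what the router certificate's public key verifies, the second item, "another BGPSEC Router Certificate (only BGPSEC routers process these)", conflicts with the next paragraph's statement that BGPSEC Router Certificates are EE certificates, since an EE key does not sign other certificates. Suggest dropping that item, or restating what routers actually check, so the list reads as the certificate request (processed by CAs) and the BGPSEC Update Message (processed by routers). While the paragraph is being rewrapped for the [ID.sidr-bgpsec-algs] rename, "there is no impact on process described in" also needs an article: "no impact on the process described in".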
| skipping to change at page 6, line 31 ¶ | skipping to change at page 6, line 31 ¶ | |||
| o The SubjectPublicKeyInfo and PublicKey fields are specified in | o The SubjectPublicKeyInfo and PublicKey fields are specified in | |||
| [ID.sidr-bgpsec-algs]; and, | [ID.sidr-bgpsec-algs]; and, | |||
| o The request is signed with the algorithms specified in [ID.sidr- | o The request is signed with the algorithms specified in [ID.sidr- | |||
| bgpsec-algs]. | bgpsec-algs]. | |||
| 3.3. BGPSEC Router Certificate Validation | 3.3. BGPSEC Router Certificate Validation | |||
| The validation procedure used for BGPSEC Router Certificates is | The validation procedure used for BGPSEC Router Certificates is | |||
| identical to the validation procedure described in Section 7 of | identical to the validation procedure described in Section 7 of | |||
| [RFC6487] except that where "this specification" refers to [RFC6487] | [RFC6487]. The exception is that the constraints applied come from | |||
| in that profile in this profile "this specification" is this | this specification (e.g., in step 3: the certificate contains all the | |||
| document. | field that must be present - refers to the fields that are required | |||
| by this specification). | ||||
| The differences are as follows: | The differences are as follows: | |||
| o BGPSEC Router Certificates MUST include the BGPSEC EKU defined in | o BGPSEC Router Certificates MUST include the BGPSEC EKU defined in | |||
| Section 3.9.5. | Section 3.1.3.1. | |||
| o BGPSEC Router Certificates MUST NOT include the SIA extension. | o BGPSEC Router Certificates MUST NOT include the SIA extension. | |||
| o BGPSEC Router Certificates MUST NOT include the IP Resource | o BGPSEC Router Certificates MUST NOT include the IP Resource | |||
| extension. | extension. | |||
| o BGPSEC Router Certificates MUST include the AS Resource Identifier | o BGPSEC Router Certificates MUST include the AS Resource Identifier | |||
| Delegation extension. | Delegation extension. | |||
| o BGPSEC Router Certificate MUST include the "Subject Public Key | o BGPSEC Router Certificate MUST include the "Subject Public Key | |||
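Review bot: The parenthetical in the reworded first paragraph of 3.3 is hard to parse: "the certificate contains all the field that must be present - refers to the fields that are required by this specification" has "field" for "fields" and nothing marking where the quoted step 3 text ends. Suggest quoting the step text and then stating the substitution, for example: (e.g., in step 3, "the certificate contains all the fields that must be present" refers to the fields required by this specification). The last bullet shown also reads "BGPSEC Router Certificate MUST include" where the other bullets use the plural "Certificates".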
| skipping to change at page 7, line 42 ¶ | skipping to change at page 7, line 43 ¶ | |||
| binding of an AS number to a public key, consistent with the RPKI | binding of an AS number to a public key, consistent with the RPKI | |||
| allocation/assignment hierarchy. | allocation/assignment hierarchy. | |||
| 6. IANA Considerations | 6. IANA Considerations | |||
| None. | None. | |||
| 7. Acknowledgements | 7. Acknowledgements | |||
| We would like to thanks Geoff Huston, George Michaelson, and Robert | We would like to thanks Geoff Huston, George Michaelson, and Robert | |||
| Loomans for their work on [ID.sidr-res-cert-profile], which this work | Loomans for their work on [RFC6487], which this work is based on. In | |||
| is based on. In addition, the efforts of Steve Kent and Matt | addition, the efforts of Steve Kent and Matt Lepinski were | |||
| Lepinski were instrumental in preparing this work. Additionally, | instrumental in preparing this work. Additionally, we'd like to | |||
| we'd like to thank Roque Gagliano, Sandra Murphy, and Geoff Huston | thank Roque Gagliano, Sandra Murphy, and Geoff Huston for their | |||
| for their reviews and comments. | reviews and comments. | |||
| 8. References | 8. References | |||
| 8.1. Normative References | 8.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP | [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP | |||
| Addresses and AS Identifiers", RFC 3779, June 2004. | Addresses and AS Identifiers", RFC 3779, June 2004. | |||
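Review bot: The first sentence of the Acknowledgements still reads "We would like to thanks" in -03. Since the paragraph was rewrapped to swap [ID.sidr-res-cert-profile] for [RFC6487], correct it to "We would like to thank" in the same pass.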
| skipping to change at page 10, line 8 ¶ | skipping to change at page 10, line 8 ¶ | |||
| END | END | |||
| Appendix B. Example BGPSEC Router Certificate | Appendix B. Example BGPSEC Router Certificate | |||
| Appendix C. Example BGPSEC Router Certificate Request | Appendix C. Example BGPSEC Router Certificate Request | |||
| Appendix D. Change Log | Appendix D. Change Log | |||
| Please delete this section prior to publication. | Please delete this section prior to publication. | |||
| D.1 Changes from turner-bgpsec-pki-profiles-01 to sidr-bgpsec-pki- | D.1 Changes from turner-bgpsec-pki-profiles-02 to sidr-bgpsec-pki- | |||
| profiles-03 | ||||
| Updated s3.3 to clarifify restrictions on path validation procedures | ||||
| are in this specification (1st para was reworded). | ||||
| Updated s3.3 to point to s3.1.3.1 for BGPSEC EKU (thanks Tom). | ||||
| D.2 Changes from turner-bgpsec-pki-profiles-01 to sidr-bgpsec-pki- | ||||
| profiles-02 | profiles-02 | |||
| Updated references. | Updated references. | |||
| D.2 Changes from turner-bgpsec-pki-profiles-00 to sidr-bgpsec-pki- | D.3 Changes from turner-bgpsec-pki-profiles-00 to sidr-bgpsec-pki- | |||
| profiles-01 | profiles-01 | |||
| Added an ASN.1 Module and corrected the id-kp OID in s3.1.3.1. | Added an ASN.1 Module and corrected the id-kp OID in s3.1.3.1. | |||
| D.3 Changes from turner-bgpsec-pki-profiles-00 to sidr-bgpsec-pki- | D.4 Changes from turner-bgpsec-pki-profiles-00 to sidr-bgpsec-pki- | |||
| profiles-00 | profiles-00 | |||
| Added this change log. | Added this change log. | |||
| Amplified that a BGPSEC RP will need to support both the algorithms | Amplified that a BGPSEC RP will need to support both the algorithms | |||
| in [ID.sidr-bgpsec-algs] for BGPSEC and the algorithms in [ID.sidr- | in [ID.sidr-bgpsec-algs] for BGPSEC and the algorithms in [ID.sidr- | |||
| rpki-algs] for certificates and CRLs. | rpki-algs] for certificates and CRLs. | |||
| Changed the name of AS Resource extension to AS Resource Identifier | Changed the name of AS Resource extension to AS Resource Identifier | |||
| Delegation to match what's in RFC 3779. | Delegation to match what's in RFC 3779. | |||
| D.4 Changes from turner-bgpsec-pki-profiles -01 to -02 | D.5 Changes from turner-bgpsec-pki-profiles -01 to -02 | |||
| Added text in Section 2 to indicate that there's no impact on the | Added text in Section 2 to indicate that there's no impact on the | |||
| procedures defined in [ID.sidr-algorithm-agility]. | procedures defined in [ID.sidr-algorithm-agility]. | |||
| Added a security consideration to let implementers know the BGPSEC | Added a security consideration to let implementers know the BGPSEC | |||
| certificates will not pass RPKI validation [ID.sidr-res-cert-profile] | certificates will not pass RPKI validation [RFC6487] and that keying | |||
| and that keying off the EKU will help tremendously. | off the EKU will help tremendously. | |||
| D.5 Changes from turner-bgpsec-pki-profiles -00 to -01 | D.6 Changes from turner-bgpsec-pki-profiles -00 to -01 | |||
| Corrected Section 2 to indicate that CA certificates are also RPKI | Corrected Section 2 to indicate that CA certificates are also RPKI | |||
| certificates. | certificates. | |||
| Removed sections and text that was already in [ID.sidr-res-cert- | Removed sections and text that was already in [RFC6487]. This will | |||
| profile]. This will make it easier for reviewers to figure out what | make it easier for reviewers to figure out what is different. | |||
| is different. | ||||
| Modified Section 6 to use 2119-language. | Modified Section 6 to use 2119-language. | |||
| Removed requirement from Section 6 to check that the AS # in the | Removed requirement from Section 6 to check that the AS # in the | |||
| certificate is the last number in the AS path information of each BGP | certificate is the last number in the AS path information of each BGP | |||
| UPDATE message. Moved to [ID.sidr-bgpsec-protocol]. | UPDATE message. Moved to [ID.sidr-bgpsec-protocol]. | |||
| Authors' Addresses | Authors' Addresses | |||
| Mark Reynolds | Mark Reynolds | |||
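Review bot: The new D.1 heading reads "Changes from turner-bgpsec-pki-profiles-02 to sidr-bgpsec-pki-profiles-03", but the version being replaced is draft-ietf-sidr-bgpsec-pki-profiles-02, so the "from" name should be sidr-bgpsec-pki-profiles-02. The renumbered D.2 heading carries the same turner/sidr mix for its "from" version. In the D.1 body, "clarifify" should be "clarify", and "restrictions on path validation procedures are in this specification" is missing "that" after "clarify". Appendix B and Appendix C also appear in this hunk as bare headings with nothing between them, so the example certificate and certificate request still need to be supplied.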
| End of changes. 15 change blocks. | ||||
| 26 lines changed or deleted | 34 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||