< draft-ietf-sidr-bgpsec-pki-profiles-03.txt		draft-ietf-sidr-bgpsec-pki-profiles-04.txt >
	Secure Inter-Domain Routing Working Group M. Reynolds		Secure Inter-Domain Routing Working Group M. Reynolds
	Internet-Draft IPSw		Internet-Draft IPSw
	Updates: 6487 (if approved) S. Turner		Updates: 6487 (if approved) S. Turner
	Intended Status: Standards Track IECA		Intended Status: Standards Track IECA
	Expires: October 15, 2012 S. Kent		Expires: April 16, 2013 S. Kent
	BBN		BBN
	April 13, 2012		October 13, 2012
	A Profile for BGPSEC Router Certificates,		A Profile for BGPSEC Router Certificates,
	Certificate Revocation Lists, and Certification Requests		Certificate Revocation Lists, and Certification Requests
	draft-ietf-sidr-bgpsec-pki-profiles-03		draft-ietf-sidr-bgpsec-pki-profiles-04
	Abstract		Abstract
	This document defines a standard profile for X.509 certificates for		This document defines a standard profile for X.509 certificates for
	the purposes of supporting validation of Autonomous System (AS) paths		the purposes of supporting validation of Autonomous System (AS) paths
	in the Border Gateway Protocol (BGP), as part of an extension to that		in the Border Gateway Protocol (BGP), as part of an extension to that
	protocol known as BGPSEC. BGP is a critical component for the proper		protocol known as BGPSEC. BGP is a critical component for the proper
	operation of the Internet as a whole. The BGPSEC protocol is under		operation of the Internet as a whole. The BGPSEC protocol is under
	development as a component to address the requirement to provide		development as a component to address the requirement to provide
	security for the BGP protocol. The goal of BGPSEC is to design a		security for the BGP protocol. The goal of BGPSEC is to design a
	skipping to change at page 4, line 18 ¶		skipping to change at page 4, line 18 ¶
	specified in [RFC6487]). Further, the algorithms used to generate		specified in [RFC6487]). Further, the algorithms used to generate
	RPKI CA certificates that issue the BGPSEC Router Certificates and		RPKI CA certificates that issue the BGPSEC Router Certificates and
	the CRLs necessary to check the validity of the BGPSEC Router		the CRLs necessary to check the validity of the BGPSEC Router
	Certificates remain unchanged (i.e., they are as specified in		Certificates remain unchanged (i.e., they are as specified in
	[RFC6485]). The only impact is that the RPKI CAs will need to be		[RFC6485]). The only impact is that the RPKI CAs will need to be
	able to process a profiled certificate request (see Section 5) signed		able to process a profiled certificate request (see Section 5) signed
	with algorithms found in [ID.sidr-bgpsec-algs]. The use of BGPSEC		with algorithms found in [ID.sidr-bgpsec-algs]. The use of BGPSEC
	Router Certificates in no way affects RPKI RPs that process Manifests		Router Certificates in no way affects RPKI RPs that process Manifests
	and ROAs because the public key found in the BGPSEC Router		and ROAs because the public key found in the BGPSEC Router
	Certificate is only ever used to verify the signature on the BGPSEC		Certificate is only ever used to verify the signature on the BGPSEC
	certificate request (only CAs process these), another BGPSEC Router		certificate request (only CAs process these) and the signature on a
	Certificate (only BGPSEC routers process these), and the signature on		BGPSEC Update Message [ID.sidr-bgpsec-protocol] (only BGPSEC routers
	a BGPSEC Update Message [ID.sidr-bgpsec-protocol] (only BGPSEC		process these).
	routers process these).
	Only the differences between this profile and the profile in		Only the differences between this profile and the profile in
	[RFC6487] are listed. Note that BGPSEC Router Certificates are EE		[RFC6487] are listed. Note that BGPSEC Router Certificates are EE
	certificates and as such there is no impact on process described in		certificates and as such there is no impact on process described in
	[ID.sidr-algorithm-agility].		[ID.sidr-algorithm-agility].
	3. Updates to [RFC6487]		3. Updates to [RFC6487]
	3.1 BGPSEC Router Certificate Fields		3.1 BGPSEC Router Certificate Fields
	A BGPSEC Router Certificate is a valid X.509 public key certificate,		A BGPSEC Router Certificate is a valid X.509 public key certificate,
	consistent with the PKIX profile [RFC5280], containing the fields		consistent with the PKIX profile [RFC5280], containing the fields
	listed in this section. This profile is also based on [RFC6487] and		listed in this section. This profile is also based on [RFC6487] and
	only the differences between this profile and the profile in		only the differences between this profile and the profile in
	[RFC6487] are listed.		[RFC6487] are listed.
	3.1.1.1 Subject		3.1.1.1. Subject
	This field identifies the router to which the certificate has been		This field identifies the router to which the certificate has been
	issued. Consistent with [RFC6487], only two attributes are allowed		issued. Consistent with [RFC6487], only two attributes are allowed
	in the Subject field: common name and serial number. Moreover, the		in the Subject field: common name and serial number. Moreover, the
	only common name encoding options that are supported are		only common name encoding options that are supported are
	printableString and UTF8String. For BGPSEC Router Certificates, it		printableString and UTF8String. For BGPSEC Router Certificates, it
	is RECOMMENDED that the common name attribute contain the literal		is RECOMMENDED that the common name attribute contain the literal
	string "ROUTER-" followed by the 32-bit AS Number [RFC3779] encoded		string "ROUTER-" followed by the 32-bit AS Number [RFC3779] encoded
	as eight hexadecimal digits and that the serial number attribute		as eight hexadecimal digits and that the serial number attribute
	contain the 32-bit BGP Identifier [RFC4271] (i.e., the router ID)		contain the 32-bit BGP Identifier [RFC4271] (i.e., the router ID)
	skipping to change at page 5, line 22 ¶		skipping to change at page 5, line 21 ¶
	Refer to section 3.1 of [ID.sidr-bgpsec-algs].		Refer to section 3.1 of [ID.sidr-bgpsec-algs].
	3.1.3. BGPSEC Router Certificate Version 3 Extension Fields		3.1.3. BGPSEC Router Certificate Version 3 Extension Fields
	The following X.509 V3 extensions MUST be present (or MUST be absent,		The following X.509 V3 extensions MUST be present (or MUST be absent,
	if so stated) in a conforming BGPSEC Router Certificate, except where		if so stated) in a conforming BGPSEC Router Certificate, except where
	explicitly noted otherwise. No other extensions are allowed in a		explicitly noted otherwise. No other extensions are allowed in a
	conforming BGPSEC Router Certificate.		conforming BGPSEC Router Certificate.
	3.1.3.1. Extended Key Usage		3.1.3.1. Basic Constraints
			BGPSEC speakers are EEs; therefore, the Basic Constraints extension
			must not be present, as per [RFC6487].
			3.1.3.2. Extended Key Usage
	BGPSEC Router Certificates MUST include the Extended Key Usage (EKU)		BGPSEC Router Certificates MUST include the Extended Key Usage (EKU)
	extension. As specified, in [RFC6487] this extension MUST be marked		extension. As specified, in [RFC6487] this extension MUST be marked
	as non-critical. This document defines one EKU for BGPSEC Router		as non-critical. This document defines one EKU for BGPSEC Router
	Certificates:		Certificates:
	id-kp OBJECT IDENTIFIER ::=		id-kp OBJECT IDENTIFIER ::=
	{ iso(1) identified-organization(3) dod(6) internet(1)		{ iso(1) identified-organization(3) dod(6) internet(1)
	security(5) mechanisms(5) pkix(7) kp(3) }		security(5) mechanisms(5) pkix(7) kp(3) }
	id-kp-bgpsec-router OBJECT IDENTIFIER ::= { id-kp TBD }		id-kp-bgpsec-router OBJECT IDENTIFIER ::= { id-kp TBD }
	Relying Parties MUST require the extended key usage extension to be		Relying Parties MUST require the extended key usage extension to be
	present in a BGPSEC Router Certificate. If multiple KeyPurposeId		present in a BGPSEC Router Certificate. If multiple KeyPurposeId
	values are included, the relying parties need not recognize all of		values are included, the relying parties need not recognize all of
	them, as long as the required KeyPurposeId value is present. BGPSEC		them, as long as the required KeyPurposeId value is present. BGPSEC
	RPs MUST reject certificates that do not contain the BGPSEC Router		RPs MUST reject certificates that do not contain the BGPSEC Router
	EKU even if they include the anyExtendedKeyUsage OID defined in		EKU even if they include the anyExtendedKeyUsage OID defined in
	[RFC5280].		[RFC5280].
	3.1.3.2. Subject Information Access		3.1.3.3. Subject Information Access
	This extension is not used in BGPSEC Router Certificates. It MUST be		This extension is not used in BGPSEC Router Certificates. It MUST be
	omitted.		omitted.
	3.1.3.3. IP Resources		3.1.3.4. IP Resources
	This extension is not used in BGPSEC Router Certificates. It MUSt be		This extension is not used in BGPSEC Router Certificates. It MUSt be
	omitted.		omitted.
	3.1.3.4. AS Resources		3.1.3.5. AS Resources
	Each BGPSEC Router Certificate MUST include the AS Resource		Each BGPSEC Router Certificate MUST include the AS Resource
	Identifier Delegation extension, as specified in section 4.8.11 of		Identifier Delegation extension, as specified in section 4.8.11 of
	[RFC6487]. The AS Resource Identifier Delegation extension MUST		[RFC6487]. The AS Resource Identifier Delegation extension MUST
	include exactly one AS number, and the "inherit" element MUST NOT be		include exactly one AS number, and the "inherit" element MUST NOT be
	specified.		specified.
	3.2. BGPSEC Router Certificate Request Profile		3.2. BGPSEC Router Certificate Request Profile
	Refer to section 6 of [RFC6487]. The only differences between this		Refer to section 6 of [RFC6487]. The only differences between this
	skipping to change at page 10, line 8 ¶		skipping to change at page 11, line 8 ¶
	END		END
	Appendix B. Example BGPSEC Router Certificate		Appendix B. Example BGPSEC Router Certificate
	Appendix C. Example BGPSEC Router Certificate Request		Appendix C. Example BGPSEC Router Certificate Request
	Appendix D. Change Log		Appendix D. Change Log
	Please delete this section prior to publication.		Please delete this section prior to publication.
	D.1 Changes from turner-bgpsec-pki-profiles-02 to sidr-bgpsec-pki-		D.1. Changes from sidr-bgpsec-pki-profiles-03 to sidr-bgpsec-pki-
			profiles-04
			In s2.1, removed the phrase "another BGPSEC Router Certificate (only
			BGPSEC routers process these)" because the BGPSEC certificates are
			only ever EE certificates and they're never used to verify another
			certificate only the PDUs that are signed.
			Added new s3.1.3.1 to explicitly state that EE certificates are only
			ever EE certs.
			D.2. Changes from sidr-bgpsec-pki-profiles-02 to sidr-bgpsec-pki-
	profiles-03		profiles-03
	Updated s3.3 to clarifify restrictions on path validation procedures		Updated s3.3 to clarifify restrictions on path validation procedures
	are in this specification (1st para was reworded).		are in this specification (1st para was reworded).
	Updated s3.3 to point to s3.1.3.1 for BGPSEC EKU (thanks Tom).		Updated s3.3 to point to s3.1.3.1 for BGPSEC EKU (thanks Tom).
	D.2 Changes from turner-bgpsec-pki-profiles-01 to sidr-bgpsec-pki-		D.3. Changes from sidr-bgpsec-pki-profiles-01 to sidr-bgpsec-pki-
	profiles-02		profiles-02
	Updated references.		Updated references.
	D.3 Changes from turner-bgpsec-pki-profiles-00 to sidr-bgpsec-pki-		D.4. Changes from sidr-bgpsec-pki-profiles-00 to sidr-bgpsec-pki-
	profiles-01		profiles-01
	Added an ASN.1 Module and corrected the id-kp OID in s3.1.3.1.		Added an ASN.1 Module and corrected the id-kp OID in s3.1.3.1.
	D.4 Changes from turner-bgpsec-pki-profiles-00 to sidr-bgpsec-pki-		D.5. Changes from turner-bgpsec-pki-profiles-02 to sidr-bgpsec-pki-
	profiles-00		profiles-00
	Added this change log.		Added this change log.
	Amplified that a BGPSEC RP will need to support both the algorithms		Amplified that a BGPSEC RP will need to support both the algorithms
	in [ID.sidr-bgpsec-algs] for BGPSEC and the algorithms in [ID.sidr-		in [ID.sidr-bgpsec-algs] for BGPSEC and the algorithms in [ID.sidr-
	rpki-algs] for certificates and CRLs.		rpki-algs] for certificates and CRLs.
	Changed the name of AS Resource extension to AS Resource Identifier		Changed the name of AS Resource extension to AS Resource Identifier
	Delegation to match what's in RFC 3779.		Delegation to match what's in RFC 3779.
	D.5 Changes from turner-bgpsec-pki-profiles -01 to -02		D.6. Changes from turner-bgpsec-pki-profiles -01 to -02
	Added text in Section 2 to indicate that there's no impact on the		Added text in Section 2 to indicate that there's no impact on the
	procedures defined in [ID.sidr-algorithm-agility].		procedures defined in [ID.sidr-algorithm-agility].
	Added a security consideration to let implementers know the BGPSEC		Added a security consideration to let implementers know the BGPSEC
	certificates will not pass RPKI validation [RFC6487] and that keying		certificates will not pass RPKI validation [RFC6487] and that keying
	off the EKU will help tremendously.		off the EKU will help tremendously.
	D.6 Changes from turner-bgpsec-pki-profiles -00 to -01		D.7. Changes from turner-bgpsec-pki-profiles -00 to -01
	Corrected Section 2 to indicate that CA certificates are also RPKI		Corrected Section 2 to indicate that CA certificates are also RPKI
	certificates.		certificates.
	Removed sections and text that was already in [RFC6487]. This will		Removed sections and text that was already in [RFC6487]. This will
	make it easier for reviewers to figure out what is different.		make it easier for reviewers to figure out what is different.
	Modified Section 6 to use 2119-language.		Modified Section 6 to use 2119-language.
	Removed requirement from Section 6 to check that the AS # in the		Removed requirement from Section 6 to check that the AS # in the
End of changes. 15 change blocks.
	18 lines changed or deleted		33 lines changed or added
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/