| < draft-ietf-sidr-bgpsec-pki-profiles-08.txt | draft-ietf-sidr-bgpsec-pki-profiles-09.txt > | |||
|---|---|---|---|---|
| SIDR Working Group M. Reynolds | SIDR Working Group M. Reynolds | |||
| Internet-Draft IPSw | Internet-Draft IPSw | |||
| Updates: 6487 (if approved) S. Turner | Updates: 6487 (if approved) S. Turner | |||
| Intended status: Standards Track IECA, Inc. | Intended status: Standards Track IECA, Inc. | |||
| Expires: February 14, 2015 S. Kent | Expires: May 14, 2015 S. Kent | |||
| BBN | BBN | |||
| August 13, 2014 | November 10, 2014 | |||
| A Profile for BGPSEC Router Certificates, Certificate Revocation Lists, | A Profile for BGPSEC Router Certificates, Certificate Revocation Lists, | |||
| and Certification Requests | and Certification Requests | |||
| draft-ietf-sidr-bgpsec-pki-profiles-08 | draft-ietf-sidr-bgpsec-pki-profiles-09 | |||
| Abstract | Abstract | |||
| This document defines a standard profile for X.509 certificates for | This document defines a standard profile for X.509 certificates for | |||
| the purposes of supporting validation of Autonomous System (AS) paths | the purposes of supporting validation of Autonomous System (AS) paths | |||
| in the Border Gateway Protocol (BGP), as part of an extension to that | in the Border Gateway Protocol (BGP), as part of an extension to that | |||
| protocol known as BGPSEC. BGP is a critical component for the proper | protocol known as BGPSEC. BGP is a critical component for the proper | |||
| operation of the Internet as a whole. The BGPSEC protocol is under | operation of the Internet as a whole. The BGPSEC protocol is under | |||
| development as a component to address the requirement to provide | development as a component to address the requirement to provide | |||
| security for the BGP protocol. The goal of BGPSEC is to design a | security for the BGP protocol. The goal of BGPSEC is to design a | |||
| skipping to change at page 2, line 7 ¶ | skipping to change at page 2, line 7 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on February 14, 2015. | This Internet-Draft will expire on May 14, 2015. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 5, line 26 ¶ | skipping to change at page 5, line 26 ¶ | |||
| This field identifies the router to which the certificate has been | This field identifies the router to which the certificate has been | |||
| issued. Consistent with [RFC6487], only two attributes are allowed | issued. Consistent with [RFC6487], only two attributes are allowed | |||
| in the Subject field: common name and serial number. Moreover, the | in the Subject field: common name and serial number. Moreover, the | |||
| only common name encoding options that are supported are | only common name encoding options that are supported are | |||
| printableString and UTF8String. For BGPSEC Router Certificates, it | printableString and UTF8String. For BGPSEC Router Certificates, it | |||
| is RECOMMENDED that the common name attribute contain the literal | is RECOMMENDED that the common name attribute contain the literal | |||
| string "ROUTER-" followed by the 32-bit AS Number [RFC3779] encoded | string "ROUTER-" followed by the 32-bit AS Number [RFC3779] encoded | |||
| as eight hexadecimal digits and that the serial number attribute | as eight hexadecimal digits and that the serial number attribute | |||
| contain the 32-bit BGP Identifier [RFC4271] (i.e., the router ID) | contain the 32-bit BGP Identifier [RFC4271] (i.e., the router ID) | |||
| encoded as eight hexadecimal digits. If more than one certificate | encoded as eight hexadecimal digits. Routers can support multiple | |||
| for an AS is issued (i.e., more than one router gets a certificate | ASs with separate keys pairs, one for each AS. Note that router IDs | |||
| for the AS and hence the private key is shared among more than one | are not guaranteed to be unique across the Internet, and thus the | |||
| router), the choice of the router ID used in Subject name is at the | Subject name in a BGPSEC Router Certificate issued using this | |||
| discretion of the Issuer. Note that router IDs are not guaranteed to | convention also is not guaranteed to be unique across different | |||
| be unique across the Internet, and thus the Subject name in a BGPSEC | issuers. However, each certificate issued by an individual CA MUST | |||
| Router Certificate issued using this convention also is not | contain a Subject name that is unique within that context. | |||
| guaranteed to be unique across different issuers. However, each | ||||
| certificate issued by an individual CA MUST contain a Subject name | ||||
| that is unique within that context. | ||||
| 3.1.2. Subject Public Key Info | 3.1.2. Subject Public Key Info | |||
| Refer to section 3.1 of [I-D.ietf-sidr-bgpsec-algs]. | Refer to section 3.1 of [I-D.ietf-sidr-bgpsec-algs]. | |||
| 3.1.3. BGPSEC Router Certificate Version 3 Extension Fields | 3.1.3. BGPSEC Router Certificate Version 3 Extension Fields | |||
| The following X.509 V3 extensions MUST be present (or MUST be absent, | The following X.509 V3 extensions MUST be present (or MUST be absent, | |||
| if so stated) in a conforming BGPSEC Router Certificate, except where | if so stated) in a conforming BGPSEC Router Certificate, except where | |||
| explicitly noted otherwise. No other extensions are allowed in a | explicitly noted otherwise. No other extensions are allowed in a | |||
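Review bot: the added sentence in the right column ("Routers can support multiple ASs with separate keys pairs, one for each AS.") has a typo, "keys pairs" should be "key pairs", and it replaces guidance for a different case rather than the same one: the deleted left-column text covered one AS with several routers sharing a single private key and said the Issuer chooses which router ID goes in the Subject, while the new sentence covers one router holding a separate key pair per AS. If a private key shared across routers is still permitted by this profile, the serialNumber to use in that case is now unspecified; either restore "the choice of the router ID used in Subject name is at the discretion of the Issuer" or state that a key pair is per router. For the multi-AS case, a router with one certificate per AS will have several Subjects with the same serialNumber (its router ID) and different common names ("ROUTER-" plus the eight-hex-digit AS number), so the per-CA uniqueness MUST in the last sentence is satisfied by the common name alone; saying so explicitly would prevent implementers from keying uniqueness on the serialNumber.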
| skipping to change at page 9, line 42 ¶ | skipping to change at page 9, line 42 ¶ | |||
| (CRL) Profile", RFC 5280, May 2008. | (CRL) Profile", RFC 5280, May 2008. | |||
| [RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for | [RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for | |||
| X.509 PKIX Resource Certificates", RFC 6487, February | X.509 PKIX Resource Certificates", RFC 6487, February | |||
| 2012. | 2012. | |||
| 8.2. Informative References | 8.2. Informative References | |||
| [I-D.ietf-sidr-bgpsec-protocol] | [I-D.ietf-sidr-bgpsec-protocol] | |||
| Lepinski, M., "BGPSEC Protocol Specification", draft-ietf- | Lepinski, M., "BGPSEC Protocol Specification", draft-ietf- | |||
| sidr-bgpsec-protocol-09 (work in progress), July 2014. | sidr-bgpsec-protocol-10 (work in progress), October 2014. | |||
| [RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis", RFC | [RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis", RFC | |||
| 4272, January 2006. | 4272, January 2006. | |||
| [RFC5123] White, R. and B. Akyol, "Considerations in Validating the | [RFC5123] White, R. and B. Akyol, "Considerations in Validating the | |||
| Path in BGP", RFC 5123, February 2008. | Path in BGP", RFC 5123, February 2008. | |||
| [RFC5492] Scudder, J. and R. Chandra, "Capabilities Advertisement | [RFC5492] Scudder, J. and R. Chandra, "Capabilities Advertisement | |||
| with BGP-4", RFC 5492, February 2009. | with BGP-4", RFC 5492, February 2009. | |||
| End of changes. 6 change blocks. | ||||
| 15 lines changed or deleted | 12 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||