| < draft-ietf-sidr-bgpsec-pki-profiles-11.txt | draft-ietf-sidr-bgpsec-pki-profiles-12.txt > | |||
|---|---|---|---|---|
| Secure Inter-Domain Routing Working Group M. Reynolds | Secure Inter-Domain Routing Working Group M. Reynolds | |||
| Internet-Draft IPSw | Internet-Draft IPSw | |||
| Updates: 6487 (if approved) S. Turner | Updates: 6487 (if approved) S. Turner | |||
| Intended status: BCP IECA | Intended status: BCP IECA | |||
| Expires: February 7, 2016 S. Kent | Expires: April 16, 2016 S. Kent | |||
| BBN | BBN | |||
| August 6, 2015 | October 14, 2015 | |||
| A Profile for BGPsec Router Certificates, | A Profile for BGPsec Router Certificates, | |||
| Certificate Revocation Lists, and Certification Requests | Certificate Revocation Lists, and Certification Requests | |||
| draft-ietf-sidr-bgpsec-pki-profiles-11 | draft-ietf-sidr-bgpsec-pki-profiles-12 | |||
| Abstract | Abstract | |||
| This document defines a standard profile for X.509 certificates for | This document defines a standard profile for X.509 certificates for | |||
| the purposes of supporting validation of Autonomous System (AS) paths | the purposes of supporting validation of Autonomous System (AS) paths | |||
| in the Border Gateway Protocol (BGP), as part of an extension to that | in the Border Gateway Protocol (BGP), as part of an extension to that | |||
| protocol known as BGPsec. BGP is a critical component for the proper | protocol known as BGPsec. BGP is a critical component for the proper | |||
| operation of the Internet as a whole. The BGPsec protocol is under | operation of the Internet as a whole. The BGPsec protocol is under | |||
| development as a component to address the requirement to provide | development as a component to address the requirement to provide | |||
| security for the BGP protocol. The goal of BGPsec is to design a | security for the BGP protocol. The goal of BGPsec is to design a | |||
| skipping to change at page 2, line 22 ¶ | skipping to change at page 2, line 22 ¶ | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | ||||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | ||||
| 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | ||||
| 2. Describing Resources in Certificates . . . . . . . . . . . . . 3 | ||||
| 3. Updates to [RFC6487] . . . . . . . . . . . . . . . . . . . . . 5 | ||||
| 3.1 BGPsec Router Certificate Fields . . . . . . . . . . . . . 5 | ||||
| 3.1.1.1. Subject . . . . . . . . . . . . . . . . . . . . . 5 | ||||
| 3.1.2. Subject Public Key Info . . . . . . . . . . . . . . . 5 | ||||
| 3.1.3. BGPsec Router Certificate Version 3 Extension Fields . 6 | ||||
| 3.1.3.1. Basic Constraints . . . . . . . . . . . . . . . . 6 | ||||
| 3.1.3.2. Extended Key Usage . . . . . . . . . . . . . . . . 6 | ||||
| 3.1.3.3. Subject Information Access . . . . . . . . . . . . 6 | ||||
| 3.1.3.4. IP Resources . . . . . . . . . . . . . . . . . . . 6 | ||||
| 3.1.3.5. AS Resources . . . . . . . . . . . . . . . . . . . 6 | ||||
| 3.2. BGPsec Router Certificate Request Profile . . . . . . . . 7 | ||||
| 3.3. BGPsec Router Certificate Validation . . . . . . . . . . . 7 | ||||
| 4. Design Notes . . . . . . . . . . . . . . . . . . . . . . . . . 8 | ||||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | ||||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | ||||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 | ||||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | ||||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . . 9 | ||||
| 8.2. Informative References . . . . . . . . . . . . . . . . . . 9 | ||||
| Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 10 | ||||
| Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 11 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13 | ||||
| 1. Introduction | 1. Introduction | |||
| This document defines a profile for X.509 end-entity (EE) | This document defines a profile for X.509 end-entity (EE) | |||
| certificates [RFC5280] for use in the context of certification of | certificates [RFC5280] for use in the context of certification of | |||
| Autonomous System (AS) paths in the Border Gateway Protocol Security | Autonomous System (AS) paths in the Border Gateway Protocol Security | |||
| (BGPsec) protocol. Such certificates are termed "BGPsec Router | (BGPsec) protocol. Such certificates are termed "BGPsec Router | |||
| Certificates". The holder of the private key associated with a | Certificates". The holder of the private key associated with a | |||
| BGPsec Router Certificate is authorized to send secure route | BGPsec Router Certificate is authorized to send secure route | |||
| advertisements (BGPsec UPDATEs) on behalf of the AS(es) named in the | advertisements (BGPsec UPDATEs) on behalf of the AS(es) named in the | |||
| certificate. That is, a router holding the private key may send to | certificate. That is, a router holding the private key may send to | |||
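Review bot: the table of contents entry "3.1 BGPsec Router Certificate Fields" lacks the trailing period every other numbered entry uses, and it is followed directly by "3.1.1.1. Subject" with no "3.1.1." entry before "3.1.2. Subject Public Key Info"; the Subject entry should presumably be numbered "3.1.1. Subject" (the change log records earlier fixes to section numbering, so this is worth checking against the body). Note also that the table of contents shows only in the -11 column of this diff; confirm the -12 text still carries it.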
| skipping to change at page 7, line 39 ¶ | skipping to change at page 8, line 30 ¶ | |||
| validation. | validation. | |||
| A BGPsec Router Certificate is an extension of the RPKI [RFC6480] to | A BGPsec Router Certificate is an extension of the RPKI [RFC6480] to | |||
| encompass routers. It is a building block of the larger BGPsec | encompass routers. It is a building block of the larger BGPsec | |||
| security protocol used to validate signatures on BGPsec Signature- | security protocol used to validate signatures on BGPsec Signature- | |||
| Segment origination of Signed-Path segments [ID.sidr-bgpsec- | Segment origination of Signed-Path segments [ID.sidr-bgpsec- | |||
| protocol]. Thus its essential security function is the secure | protocol]. Thus its essential security function is the secure | |||
| binding of one or more AS numbers to a public key, consistent with | binding of one or more AS numbers to a public key, consistent with | |||
| the RPKI allocation/assignment hierarchy. | the RPKI allocation/assignment hierarchy. | |||
| Hash functions [ID.sidr-bgpsec-algs] are used when generating the two | ||||
| key identifiers extension included in BGPsec certificates. However | ||||
| as noted in [RFC6818], collision resistance is not a required | ||||
| property of one-way hash functions when used to generate key | ||||
| identifiers. Regardless, hash collisions are possible and if | ||||
| detected the operator should be alerted. | ||||
| 6. IANA Considerations | 6. IANA Considerations | |||
| This document makes use of two object identifiers in the SMI Registry | This document makes use of two object identifiers in the SMI Registry | |||
| for PKIX. One is for the ASN.1 module in Appendix A and it comes | for PKIX. One is for the ASN.1 module in Appendix A and it comes | |||
| from the SMI Security for PKIX Module Identifier IANA registry (id- | from the SMI Security for PKIX Module Identifier IANA registry (id- | |||
| mod-bgpsec-eku). The other is for the BGPsec router EKU defined in | mod-bgpsec-eku). The other is for the BGPsec router EKU defined in | |||
| Section 3.1.3.2 and Appendix A and it comes from the SMI Security for | Section 3.1.3.2 and Appendix A and it comes from the SMI Security for | |||
| PKIX Extended Key Purpose IANA registry. No other actions are | PKIX Extended Key Purpose IANA registry. These OIDs were assigned | |||
| requested of IANA. | before management of the PKIX Arc was handed to IANA. No IANA | |||
| allocations are request of IANA, but please update the references in | ||||
| those registries when this document is published by the RFC editor. | ||||
| 7. Acknowledgements | 7. Acknowledgements | |||
| We would like to thank Geoff Huston, George Michaelson, and Robert | We would like to thank Geoff Huston, George Michaelson, and Robert | |||
| Loomans for their work on [RFC6487], which this work is based on. In | Loomans for their work on [RFC6487], which this work is based on. In | |||
| addition, the efforts of Steve Kent and Matt Lepinski were | addition, the efforts of Steve Kent and Matt Lepinski were | |||
| instrumental in preparing this work. Additionally, we'd like to | instrumental in preparing this work. Additionally, we'd like to | |||
| thank Roque Gagliano, Sandra Murphy, Geoff Huston, Richard Hansen, | thank Roque Gagliano, Sandra Murphy, Geoff Huston, Richard Hansen, | |||
| and David Mandelberg for their reviews and comments. | and David Mandelberg for their reviews and comments. | |||
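Review bot: in the new Security Considerations paragraph, "the two key identifiers extension" is ungrammatical and does not say which extensions are meant; suggest "the Subject Key Identifier and Authority Key Identifier extensions" (change-log entry B.0 calls these "SKI collisions"), and the closing sentence "hash collisions are possible and if detected the operator should be alerted" names no party and uses no RFC 2119 keyword, so say who detects and what they do, e.g. "a relying party that encounters two different public keys with the same SKI value SHOULD alert its operator". In the new IANA text, "No IANA allocations are request of IANA" should read "requested", "RFC editor" should be "RFC Editor", and the sentence repeats "IANA" awkwardly; e.g. "No new allocations are requested, but IANA is asked to update the references in those registries when this document is published." Listing the registered values (the EKU value is { id-kp 30 } in Appendix A) would make the entries to update unambiguous.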
| skipping to change at page 8, line 31 ¶ | skipping to change at page 9, line 30 ¶ | |||
| Gateway Protocol 4 (BGP-4)", RFC 4271, January 2006. | Gateway Protocol 4 (BGP-4)", RFC 4271, January 2006. | |||
| [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 5280, May 2008. | (CRL) Profile", RFC 5280, May 2008. | |||
| [RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for | [RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for | |||
| X.509 PKIX Resource Certificates", RFC 6487, February 2012. | X.509 PKIX Resource Certificates", RFC 6487, February 2012. | |||
| [ID.sidr-rfc6485bis] Huston, G., and G. Michaelson, "BThe Profile for | [RFC6818] Yee, P., "Updates to the Internet X.509 Public Key | |||
| Algorithms and Key Sizes for use in the Resource Public Key | Infrastructure Certificate and Certificate Revocation List | |||
| Infrastructure", draft-ietf-sidr-rfc6485bis, work-in- | (CRL) Profile", RFC 6818, January 2013. | |||
| progress. | ||||
| [ID.sidr-bgpsec-algs] Reynolds, M. and S. Turner, "BGP Algorithms, | [ID.sidr-rfc6485bis] G. Huston, "The Profile for Algorithms and Key | |||
| Key Formats, & Signature Formats", draft-ietf-sidr-bgpsec- | Sizes for use in the Resource Public Key Infrastructure", | |||
| algs, work-in-progress. | draft-ietf-sidr-rfc6485bis, work-in-progress. | |||
| [ID.sidr-bgpsec-algs] S. Turner, "BGP Algorithms, Key Formats, & | ||||
| Signature Formats", draft-ietf-sidr-bgpsec-algs, work-in- | ||||
| progress. | ||||
| 8.2. Informative References | 8.2. Informative References | |||
| [RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis", | [RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis", | |||
| RFC 4272, January 2006. | RFC 4272, January 2006. | |||
| [RFC5123] White, R. and B. Akyol, "Considerations in Validating the | [RFC5123] White, R. and B. Akyol, "Considerations in Validating the | |||
| Path in BGP", RFC 5123, February 2008. | Path in BGP", RFC 5123, February 2008. | |||
| [RFC5492] Scudder, J. and R. Chandra, "Capabilities Advertisement | [RFC5492] Scudder, J. and R. Chandra, "Capabilities Advertisement | |||
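Review bot: the revised [ID.sidr-rfc6485bis] and [ID.sidr-bgpsec-algs] entries put the initial before the surname ("G. Huston", "S. Turner") while every other entry in the list uses "Surname, Initial."; make them consistent with the rest. Both entries also drop an author (G. Michaelson and M. Reynolds respectively) compared with -11, with no change-log mention; confirm these match the current author lists of those drafts. The "BThe Profile" typo from -11 is fixed.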
| skipping to change at page 10, line 4 ¶ | skipping to change at page 11, line 6 ¶ | |||
| iso(1) identified-organization(3) dod(6) internet(1) | iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) kp(3) } | security(5) mechanisms(5) kp(3) } | |||
| -- BGPsec Router Extended Key Usage -- | -- BGPsec Router Extended Key Usage -- | |||
| id-kp-bgpsec-router OBJECT IDENTIFIER ::= { id-kp 30 } | id-kp-bgpsec-router OBJECT IDENTIFIER ::= { id-kp 30 } | |||
| END | END | |||
| Appendix B. Change Log | Appendix B. Change Log | |||
| Please delete this section prior to publication. | Please delete this section prior to publication. | |||
| B.1 Changes from sidr-bgpsec-pki-profiles-10 to sidr-bgpsec-pki- | B.0 Changes from sidr-bgpsec-pki-profiles-11 to sidr-bgpsec-pki- | |||
| profiles-12 | ||||
| Added security consideration to address SKI collisions. Also updated | ||||
| the IANA considerations section. | ||||
| B.1 Changes from sidr-bgpsec-pki-profiles-10 to sidr-bgpsec-pki- | ||||
| profiles-11 | profiles-11 | |||
| Removed text in s3.1.3. Consistently used BGPsec to refer to BGP | Removed text in s3.1.3. Consistently used BGPsec to refer to BGP | |||
| Security. Fixed typos. Refer to RFC6485bis instead of RFC6485. | Security. Fixed typos. Refer to RFC6485bis instead of RFC6485. | |||
| Included OIDs. | Included OIDs. | |||
| B.2. Changes from sidr-bgpsec-pki-profiles-09 to sidr-bgpsec-pki- | B.2. Changes from sidr-bgpsec-pki-profiles-09 to sidr-bgpsec-pki- | |||
| profiles-10 | profiles-10 | |||
| Updated dates. | Updated dates. | |||
| B.3. Changes from sidr-bgpsec-pki-profiles-08 to sidr-bgpsec-pki- | B.3. Changes from sidr-bgpsec-pki-profiles-08 to sidr-bgpsec-pki- | |||
| profiles-09 | profiles-09 | |||
| Editorial fixes for the sake of brevity. | Editorial fixes for the sake of brevity. | |||
| B.4. Changes from sidr-bgpsec-pki-profiles-07 to sidr-bgpsec-pki- | B.4. Changes from sidr-bgpsec-pki-profiles-07 to sidr-bgpsec-pki- | |||
| profiles-08 | profiles-08 | |||
| Fixed section numbering. | Fixed section numbering. | |||
| B.5. Changes from sidr-bgpsec-pki-profiles-06 to sidr-bgpsec-pki- | B.5. Changes from sidr-bgpsec-pki-profiles-06 to sidr-bgpsec-pki- | |||
| profiles-07 | profiles-07 | |||
| Added text to multiple AS numbers in a single certificate. Updated | Added text to multiple AS numbers in a single certificate. Updated | |||
| reference to RFC 6916. | reference to RFC 6916. | |||
| B.6. Changes from sidr-bgpsec-pki-profiles-05 to sidr-bgpsec-pki- | B.6. Changes from sidr-bgpsec-pki-profiles-05 to sidr-bgpsec-pki- | |||
| profiles-06 | profiles-06 | |||
| Keep alive version. | Keep alive version. | |||
| B.7. Changes from sidr-bgpsec-pki-profiles-04 to sidr-bgpsec-pki- | B.7. Changes from sidr-bgpsec-pki-profiles-04 to sidr-bgpsec-pki- | |||
| profiles-05 | profiles-05 | |||
| Keep alive version. | Keep alive version. | |||
| B.8. Changes from sidr-bgpsec-pki-profiles-03 to sidr-bgpsec-pki- | B.8. Changes from sidr-bgpsec-pki-profiles-03 to sidr-bgpsec-pki- | |||
| profiles-04 | profiles-04 | |||
| In s2.1, removed the phrase "another BGPSEC Router Certificate (only | In s2.1, removed the phrase "another BGPSEC Router Certificate (only | |||
| BGPSEC routers process these)" because the BGPSEC certificates are | BGPSEC routers process these)" because the BGPSEC certificates are | |||
| only ever EE certificates and they're never used to verify another | only ever EE certificates and they're never used to verify another | |||
| certificate only the PDUs that are signed. | certificate only the PDUs that are signed. | |||
| Added new s3.1.3.1 to explicitly state that EE certificates are only | Added new s3.1.3.1 to explicitly state that EE certificates are only | |||
| ever EE certs. | ever EE certs. | |||
| B.9. Changes from sidr-bgpsec-pki-profiles-02 to sidr-bgpsec-pki- | B.9. Changes from sidr-bgpsec-pki-profiles-02 to sidr-bgpsec-pki- | |||
| profiles-03 | profiles-03 | |||
| Updated s3.3 to clarify restrictions on path validation procedures | Updated s3.3 to clarify restrictions on path validation procedures | |||
| are in this specification (1st para was reworded). | are in this specification (1st para was reworded). | |||
| Updated s3.3 to point to s3.1.3.1 for BGPSEC EKU (thanks Tom). | Updated s3.3 to point to s3.1.3.1 for BGPSEC EKU (thanks Tom). | |||
| B.10. Changes from sidr-bgpsec-pki-profiles-01 to sidr-bgpsec-pki- | B.10. Changes from sidr-bgpsec-pki-profiles-01 to sidr-bgpsec-pki- | |||
| profiles-02 | profiles-02 | |||
| Updated references. | Updated references. | |||
| B.11. Changes from sidr-bgpsec-pki-profiles-00 to sidr-bgpsec-pki- | B.11. Changes from sidr-bgpsec-pki-profiles-00 to sidr-bgpsec-pki- | |||
| profiles-01 | profiles-01 | |||
| Added an ASN.1 Module and corrected the id-kp OID in s3.1.3.1. | Added an ASN.1 Module and corrected the id-kp OID in s3.1.3.1. | |||
| B.12. Changes from turner-bgpsec-pki-profiles-02 to sidr-bgpsec-pki- | B.12. Changes from turner-bgpsec-pki-profiles-02 to sidr-bgpsec-pki- | |||
| profiles-00 | profiles-00 | |||
| Added this change log. | Added this change log. | |||
| Amplified that a BGPSEC RP will need to support both the algorithms | Amplified that a BGPSEC RP will need to support both the algorithms | |||
| in [ID.sidr-bgpsec-algs] for BGPSEC and the algorithms in [ID.sidr- | in [ID.sidr-bgpsec-algs] for BGPSEC and the algorithms in [ID.sidr- | |||
| rpki-algs] for certificates and CRLs. | rpki-algs] for certificates and CRLs. | |||
| Changed the name of AS Resource extension to AS Resource Identifier | Changed the name of AS Resource extension to AS Resource Identifier | |||
| Delegation to match what's in RFC 3779. | Delegation to match what's in RFC 3779. | |||
| B.13. Changes from turner-bgpsec-pki-profiles -01 to -02 | B.13. Changes from turner-bgpsec-pki-profiles -01 to -02 | |||
| Added text in Section 2 to indicate that there's no impact on the | Added text in Section 2 to indicate that there's no impact on the | |||
| procedures defined in [RFC6916]. | procedures defined in [RFC6916]. | |||
| Added a security consideration to let implementers know the BGPSEC | Added a security consideration to let implementers know the BGPSEC | |||
| certificates will not pass RPKI validation [RFC6487] and that keying | certificates will not pass RPKI validation [RFC6487] and that keying | |||
| off the EKU will help tremendously. | off the EKU will help tremendously. | |||
| B.14. Changes from turner-bgpsec-pki-profiles -00 to -01 | B.14. Changes from turner-bgpsec-pki-profiles -00 to -01 | |||
| Corrected Section 2 to indicate that CA certificates are also RPKI | Corrected Section 2 to indicate that CA certificates are also RPKI | |||
| certificates. | certificates. | |||
| Removed sections and text that was already in [RFC6487]. This will | Removed sections and text that was already in [RFC6487]. This will | |||
| make it easier for reviewers to figure out what is different. | make it easier for reviewers to figure out what is different. | |||
| Modified Section 6 to use 2119-language. | Modified Section 6 to use 2119-language. | |||
| Removed requirement from Section 6 to check that the AS # in the | Removed requirement from Section 6 to check that the AS # in the | |||
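Review bot: the new change-log entry for -11 to -12 is numbered "B.0" and placed ahead of "B.1", which breaks the sequence B.1, B.2, ... that the rest of the appendix follows; renumber it B.1 and shift the older entries down, as was done for earlier revisions. "B.1" (and "B.0") also lack the trailing period that "B.2." onward use.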
| End of changes. 22 change blocks. | ||||
| 25 lines changed or deleted | 72 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||