| < draft-ietf-sidr-bgpsec-pki-profiles-12.txt | draft-ietf-sidr-bgpsec-pki-profiles-13.txt > | |||
|---|---|---|---|---|
| Secure Inter-Domain Routing Working Group M. Reynolds | Secure Inter-Domain Routing Working Group M. Reynolds | |||
| Internet-Draft IPSw | Internet-Draft IPSw | |||
| Updates: 6487 (if approved) S. Turner | Updates: 6487 (if approved) S. Turner | |||
| Intended status: BCP IECA | Intended status: BCP IECA | |||
| Expires: April 16, 2016 S. Kent | Expires: May 5, 2016 S. Kent | |||
| BBN | BBN | |||
| October 14, 2015 | November 2, 2015 | |||
| A Profile for BGPsec Router Certificates, | A Profile for BGPsec Router Certificates, | |||
| Certificate Revocation Lists, and Certification Requests | Certificate Revocation Lists, and Certification Requests | |||
| draft-ietf-sidr-bgpsec-pki-profiles-12 | draft-ietf-sidr-bgpsec-pki-profiles-13 | |||
| Abstract | Abstract | |||
| This document defines a standard profile for X.509 certificates for | This document defines a standard profile for X.509 certificates used | |||
| the purposes of supporting validation of Autonomous System (AS) paths | to enable validation of Autonomous System (AS) paths in the Border | |||
| in the Border Gateway Protocol (BGP), as part of an extension to that | Gateway Protocol (BGP), as part of an extension to that protocol | |||
| protocol known as BGPsec. BGP is a critical component for the proper | known as BGPsec. BGP is the standard for inter-domain routing in the | |||
| operation of the Internet as a whole. The BGPsec protocol is under | Internet; it is the "glue" that holds the Internet together. BGPsec | |||
| development as a component to address the requirement to provide | is being developed as one component of a solution that addresses the | |||
| security for the BGP protocol. The goal of BGPsec is to design a | requirement to provide security for BGP. The goal of BGPsec is to | |||
| protocol for full AS path validation based on the use of strong | provide full AS path validation based on the use of strong | |||
| cryptographic primitives. The end-entity (EE) certificates specified | cryptographic primitives. The end-entity (EE) certificates specified | |||
| by this profile are issued under Resource Public Key Infrastructure | by this profile are issued (to routers within an Autonomous System). | |||
| (RPKI) Certification Authority (CA) certificates, containing the AS | Each of these certificates is issued under a Resource Public Key | |||
| Identifier Delegation extension, to routers within the Autonomous | Infrastructure (RPKI) Certification Authority (CA) certificate. | |||
| System (AS) or ASes. The certificate asserts that the router(s) | These CA certificates and EE certificates both contain the AS | |||
| holding the private key are authorized to send out secure route | Identifier Delegation extension. An EE certificate of this type | |||
| advertisements on behalf of the specified AS(es). This document also | asserts that the router(s) holding the corresponding private key are | |||
| profiles the Certificate Revocation List (CRL), profiles the format | authorized to emit secure route advertisements on behalf of the | |||
| of certification requests, and specifies Relying Party certificate | AS(es) specified in the certificate. This document also profiles the | |||
| path validation procedures. The document extends the RPKI; | format of certification requests, and specifies Relying Party (RP) | |||
| therefore, this documents updates the RPKI Resource Certificates | certificate path validation procedures for these EE certificates. | |||
| Profile (RFC 6487). | This document extends the RPKI; therefore, this documents updates the | |||
| RPKI Resource Certificates Profile (RFC 6487). | ||||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| skipping to change at page 2, line 47 ¶ | skipping to change at page 2, line 48 ¶ | |||
| 3.2. BGPsec Router Certificate Request Profile . . . . . . . . 7 | 3.2. BGPsec Router Certificate Request Profile . . . . . . . . 7 | |||
| 3.3. BGPsec Router Certificate Validation . . . . . . . . . . . 7 | 3.3. BGPsec Router Certificate Validation . . . . . . . . . . . 7 | |||
| 4. Design Notes . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 4. Design Notes . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . . 9 | 8.1. Normative References . . . . . . . . . . . . . . . . . . . 9 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . . 9 | 8.2. Informative References . . . . . . . . . . . . . . . . . . 9 | |||
| Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 10 | Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 10 | |||
| Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 11 | Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 12 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 1. Introduction | 1. Introduction | |||
| This document defines a profile for X.509 end-entity (EE) | This document defines a profile for X.509 end-entity (EE) | |||
| certificates [RFC5280] for use in the context of certification of | certificates [RFC5280] for use in the context of certification of | |||
| Autonomous System (AS) paths in the Border Gateway Protocol Security | Autonomous System (AS) paths in the Border Gateway Protocol Security | |||
| (BGPsec) protocol. Such certificates are termed "BGPsec Router | protocol (BGPsec). Such certificates are termed "BGPsec Router | |||
| Certificates". The holder of the private key associated with a | Certificates". The holder of the private key associated with a | |||
| BGPsec Router Certificate is authorized to send secure route | BGPsec Router Certificate is authorized to send secure route | |||
| advertisements (BGPsec UPDATEs) on behalf of the AS(es) named in the | advertisements (BGPsec UPDATEs) on behalf of the AS(es) named in the | |||
| certificate. That is, a router holding the private key may send to | certificate. A router holding the private key is authorized to send | |||
| its BGP peers, route advertisements that contain one or more of the | route advertisements (to its peers) that contain one or more of the | |||
| specified AS number as the last item in the AS PATH attribute. A key | specified AS number as the last item in the AS PATH attribute. A key | |||
| property that BGPsec will provide is that every AS along the AS PATH | property provided by BGPsec is that every AS along the AS PATH can | |||
| can verify that the other ASes along the path have authorized the | verify that the other ASes along the path have authorized the | |||
| advertisement of the given route (to the next AS along the AS PATH). | advertisement of the given route (to the next AS along the AS PATH). | |||
| This document is a profile of [RFC6487], which is a profile of | This document is a profile of [RFC6487], which is a profile of | |||
| [RFC5280], and it updates [RFC6487]. It establishes requirements | [RFC5280]; thus this document [RFC6487]. It establishes requirements | |||
| imposed on a Resource Certificate that is used as a BGPsec Router | imposed on a Resource Certificate that is used as a BGPsec Router | |||
| Certificate, i.e., it defines constraints for certificate fields and | Certificate, i.e., it defines constraints for certificate fields and | |||
| extensions for the certificate to be valid in this context. This | extensions for the certificate to be valid in this context. This | |||
| document also profiles the Certificate Revocation List (CRL) and | document also profiles the certification requests used to acquire | |||
| certification requests. Finally, this document specifies the Relying | BGPsec Router Certificates. Finally, this document specifies the | |||
| Party (RP) certificate path validation procedures. | Relying Party (RP) certificate path validation procedures for these | |||
| certificates. | ||||
| 1.1. Terminology | 1.1. Terminology | |||
| It is assumed that the reader is familiar with the terms and concepts | It is assumed that the reader is familiar with the terms and concepts | |||
| described in "A Profile for X.509 PKIX Resource Certificates" | described in "A Profile for X.509 PKIX Resource Certificates" | |||
| [RFC6487], "BGPsec Protocol Specification" [ID.sidr-bgpsec-protocol], | [RFC6487], "BGPsec Protocol Specification" [ID.sidr-bgpsec-protocol], | |||
| "A Border Gateway Protocol 4 (BGP-4)" [RFC4271], "BGP Security | "A Border Gateway Protocol 4 (BGP-4)" [RFC4271], "BGP Security | |||
| Vulnerabilities Analysis" [RFC4272], "Considerations in Validating | Vulnerabilities Analysis" [RFC4272], "Considerations in Validating | |||
| the Path in BGP" [RFC5123], and "Capability Advertisement with BGP-4" | the Path in BGP" [RFC5123], and "Capability Advertisement with BGP-4" | |||
| [RFC5492]. | [RFC5492]. | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
| [RFC2119]. | [RFC2119]. | |||
| 2. Describing Resources in Certificates | 2. Describing Resources in Certificates | |||
| Figure 1 depicts some of the entities in the RPKI and some of the | Figure 1 depicts some of the entities in the RPKI and some of the | |||
| products generated by RPKI entities. IANA issues a Certification | products generated by RPKI entities. IANA issues a Certification | |||
| Authority (CA) to a Regional Internet Registries (RIR). The RIR, in | Authority (CA) certificate to each Regional Internet Registry (RIR). | |||
| turn, issues a CA certificate to an Internet Service Providers (ISP). | The RIR, in turn, issues a CA certificate to an Internet Service | |||
| The ISP in turn issues End-Entity (EE) Certificates to itself as well | Providers (ISP). The ISP in turn issues EE Certificates to itself to | |||
| as CRLs. These certificates are referred to as "Resource | enable verification of signatures on RPKI signed objects. The CA also | |||
| Certificates", and are profiled in [RFC6487]. The [RFC6480] | generate. The CA also generates CRLs. These CA and EE certificates | |||
| envisioned using Resource Certificates to generate Manifests | are referred to as "Resource Certificates", and are profiled in | |||
| [RFC6486] and Route Origin Authorizations (ROAs) [RFC6482]. ROAs and | [RFC6487]. The [RFC6480] envisioned using Resource Certificates to | |||
| Manifests also include the Resource Certificates used to sign them. | enable verification of Manifests [RFC6486] and Route Origin | |||
| Authorizations (ROAs) [RFC6482]. ROAs and Manifests include the | ||||
| Resource Certificates used to verify them. | ||||
| +---------+ +------+ | +---------+ +------+ | |||
| | CA Cert |---| IANA | | | CA Cert |---| IANA | | |||
| +---------+ +------+ | +---------+ +------+ | |||
| \ | \ | |||
| +---------+ +-----+ | +---------+ +-----+ | |||
| | CA Cert |---| RIR | | | CA Cert |---| RIR | | |||
| +---------+ +-----+ | +---------+ +-----+ | |||
| \ | \ | |||
| +---------+ +-----+ | +---------+ +-----+ | |||
| skipping to change at page 4, line 41 ¶ | skipping to change at page 4, line 44 ¶ | |||
| This document defines another type of Resource Certificate, which is | This document defines another type of Resource Certificate, which is | |||
| referred to as a "BGPsec Router Certificate". The purpose of this | referred to as a "BGPsec Router Certificate". The purpose of this | |||
| certificate is explained in Section 1 and falls within the scope of | certificate is explained in Section 1 and falls within the scope of | |||
| appropriate uses defined within [RFC6484]. The issuance of BGPsec | appropriate uses defined within [RFC6484]. The issuance of BGPsec | |||
| Router Certificates has minimal impact on RPKI CAs because the RPKI | Router Certificates has minimal impact on RPKI CAs because the RPKI | |||
| CA certificate and CRL profile remain unchanged (i.e., they are as | CA certificate and CRL profile remain unchanged (i.e., they are as | |||
| specified in [RFC6487]). Further, the algorithms used to generate | specified in [RFC6487]). Further, the algorithms used to generate | |||
| RPKI CA certificates that issue the BGPsec Router Certificates and | RPKI CA certificates that issue the BGPsec Router Certificates and | |||
| the CRLs necessary to check the validity of the BGPsec Router | the CRLs necessary to check the validity of the BGPsec Router | |||
| Certificates remain unchanged (i.e., they are as specified in | Certificates remain unchanged (i.e., they are as specified in | |||
| [ID.sidr-rfc6485bis]). The only impact is that the RPKI CAs will | [ID.sidr-rfc6485bis]). The only impact is that RPKI CAs will need to | |||
| need to be able to process a profiled certificate request (see | be able to process a profiled certificate request (see Section 5) | |||
| Section 5) signed with algorithms found in [ID.sidr-bgpsec-algs]. | signed with algorithms found in [ID.sidr-bgpsec-algs]. The use of | |||
| The use of BGPsec Router Certificates in no way affects RPKI RPs that | BGPsec Router Certificates in no way affects RPKI RPs that process | |||
| process Manifests and ROAs because the public key found in the BGPsec | Manifests and ROAs because the public key found in the BGPsec Router | |||
| Router Certificate is only ever used to verify the signature on the | Certificate is used only to verify the signature on the BGPsec | |||
| BGPsec certificate request (only CAs process these) and the signature | certificate request (only CAs process these) and the signature on a | |||
| on a BGPsec Update Message [ID.sidr-bgpsec-protocol] (only BGPsec | BGPsec Update Message [ID.sidr-bgpsec-protocol] (only BGPsec routers | |||
| routers process these). | process these). | |||
| Only the differences between this profile and the profile in | This document enumerates only the differences between this profile | |||
| [RFC6487] are listed. Note that BGPsec Router Certificates are EE | and the profile in [RFC6487]. Note that BGPsec Router Certificates | |||
| certificates and as such there is no impact on process described in | are EE certificates and as such there is no impact on process | |||
| [RFC6916]. | described in [RFC6916]. | |||
| 3. Updates to [RFC6487] | 3. Updates to [RFC6487] | |||
| 3.1 BGPsec Router Certificate Fields | 3.1 BGPsec Router Certificate Fields | |||
| A BGPsec Router Certificate is a valid X.509 public key certificate, | A BGPsec Router Certificate is a valid X.509 public key certificate, | |||
| consistent with the PKIX profile [RFC5280], containing the fields | consistent with the PKIX profile [RFC5280], containing the fields | |||
| listed in this section. This profile is also based on [RFC6487] and | listed in this section. This profile is also based on [RFC6487] and | |||
| only the differences between this profile and the profile in | only the differences between this profile and the profile in | |||
| [RFC6487] are listed. | [RFC6487] are specified below. | |||
| 3.1.1.1. Subject | 3.1.1.1. Subject | |||
| This field identifies the router to which the certificate has been | This field identifies the router to which the certificate has been | |||
| issued. Consistent with [RFC6487], only two attributes are allowed | issued. Consistent with [RFC6487], only two attributes are allowed | |||
| in the Subject field: common name and serial number. Moreover, the | in the Subject field: common name and serial number. Moreover, the | |||
| only common name encoding options that are supported are | only common name encoding options that are supported are | |||
| printableString and UTF8String. For BGPsec Router Certificates, it | printableString and UTF8String. For BGPsec Router Certificates, it | |||
| is RECOMMENDED that the common name attribute contain the literal | is RECOMMENDED that the common name attribute contain the literal | |||
| string "ROUTER-" followed by the 32-bit AS Number [RFC3779] encoded | string "ROUTER-" followed by the 32-bit AS Number [RFC3779] encoded | |||
| skipping to change at page 6, line 25 ¶ | skipping to change at page 6, line 25 ¶ | |||
| extension. As specified in [RFC6487] this extension MUST be marked | extension. As specified in [RFC6487] this extension MUST be marked | |||
| as non-critical. This document defines one EKU for BGPsec Router | as non-critical. This document defines one EKU for BGPsec Router | |||
| Certificates: | Certificates: | |||
| id-kp OBJECT IDENTIFIER ::= | id-kp OBJECT IDENTIFIER ::= | |||
| { iso(1) identified-organization(3) dod(6) internet(1) | { iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) pkix(7) kp(3) } | security(5) mechanisms(5) pkix(7) kp(3) } | |||
| id-kp-bgpsec-router OBJECT IDENTIFIER ::= { id-kp 30 } | id-kp-bgpsec-router OBJECT IDENTIFIER ::= { id-kp 30 } | |||
| Relying Parties MUST require the extended key usage extension to be | A BGPsec router MUST require the extended key usage extension to be | |||
| present in a BGPsec Router Certificate. If multiple KeyPurposeId | present in a BGPsec Router Certificate it receives. If multiple | |||
| values are included, the relying parties need not recognize all of | KeyPurposeId values are included, the BGPsec routers need not | |||
| them, as long as the required KeyPurposeId value is present. BGPsec | recognize all of them, as long as the required KeyPurposeId value is | |||
| RPs MUST reject certificates that do not contain the BGPsec Router | present. BGPsec routers MUST reject certificates that do not contain | |||
| EKU even if they include the anyExtendedKeyUsage OID defined in | the BGPsec Router EKU even if they include the anyExtendedKeyUsage | |||
| [RFC5280]. | OID defined in [RFC5280]. | |||
| 3.1.3.3. Subject Information Access | 3.1.3.3. Subject Information Access | |||
| This extension is not used in BGPsec Router Certificates. It MUST be | This extension is not used in BGPsec Router Certificates. It MUST be | |||
| omitted. | omitted. | |||
| 3.1.3.4. IP Resources | 3.1.3.4. IP Resources | |||
| This extension is not used in BGPsec Router Certificates. It MUST be | This extension is not used in BGPsec Router Certificates. It MUST be | |||
| omitted. | omitted. | |||
| skipping to change at page 7, line 23 ¶ | skipping to change at page 7, line 23 ¶ | |||
| o The SubjectPublicKeyInfo and PublicKey fields are specified in | o The SubjectPublicKeyInfo and PublicKey fields are specified in | |||
| [ID.sidr-bgpsec-algs]; and, | [ID.sidr-bgpsec-algs]; and, | |||
| o The request is signed with the algorithms specified in [ID.sidr- | o The request is signed with the algorithms specified in [ID.sidr- | |||
| bgpsec-algs]. | bgpsec-algs]. | |||
| 3.3. BGPsec Router Certificate Validation | 3.3. BGPsec Router Certificate Validation | |||
| The validation procedure used for BGPsec Router Certificates is | The validation procedure used for BGPsec Router Certificates is | |||
| identical to the validation procedure described in Section 7 of | identical to the validation procedure described in Section 7 of | |||
| [RFC6487]. The exception is that the constraints applied come from | [RFC6487], but using the constraints applied come from this | |||
| this specification (e.g., in step 3: the certificate contains all the | specification. For example, in step 3: "the certificate contains all | |||
| field that must be present - refers to the fields that are required | the field that must be present" - refers to the fields that are | |||
| by this specification). | required by this specification. | |||
| The differences are as follows: | The differences are as follows: | |||
| o BGPsec Router Certificates MUST include the BGPsec EKU defined in | o BGPsec Router Certificates MUST include the BGPsec EKU defined in | |||
| Section 3.1.3.1. | Section 3.1.3.1. | |||
| o BGPsec Router Certificates MUST NOT include the SIA extension. | o BGPsec Router Certificates MUST NOT include the SIA extension. | |||
| o BGPsec Router Certificates MUST NOT include the IP Resource | o BGPsec Router Certificates MUST NOT include the IP Resource | |||
| extension. | extension. | |||
| skipping to change at page 7, line 48 ¶ | skipping to change at page 7, line 48 ¶ | |||
| o BGPsec Router Certificates MUST include the AS Resource Identifier | o BGPsec Router Certificates MUST include the AS Resource Identifier | |||
| Delegation extension. | Delegation extension. | |||
| o BGPsec Router Certificate MUST include the "Subject Public Key | o BGPsec Router Certificate MUST include the "Subject Public Key | |||
| Info" described in [ID.sidr-bgpsec-algs] as it updates [ID.sidr- | Info" described in [ID.sidr-bgpsec-algs] as it updates [ID.sidr- | |||
| rfc6485bis]. | rfc6485bis]. | |||
| NOTE: The cryptographic algorithms used by BGPsec routers are found | NOTE: The cryptographic algorithms used by BGPsec routers are found | |||
| in [ID.sidr-bgpsec-algs]. Currently, the algorithms specified in | in [ID.sidr-bgpsec-algs]. Currently, the algorithms specified in | |||
| [ID.sidr-bgpsec-algs] and [ID.sidr-rfc6485bis] are different. BGPsec | [ID.sidr-bgpsec-algs] and [ID.sidr-rfc6485bis] are different. BGPsec | |||
| RPs will need to support algorithms that are needed to validate | RPs will need to support algorithms that are used to validate BGPsec | |||
| BGPsec signatures as well as the algorithms that are needed to | signatures as well as the algorithms that are needed to validate | |||
| validate signatures on BGPsec certificates, RPKI CA certificates, and | signatures on BGPsec certificates, RPKI CA certificates, and RPKI | |||
| RPKI CRLs. | CRLs. | |||
| 4. Design Notes | 4. Design Notes | |||
| The BGPsec Router Certificate profile is based on the Resource | The BGPsec Router Certificate profile is based on the Resource | |||
| Certificate profile as specified in [ID.sidr-rfc6485bis]. As a | Certificate profile as specified in [ID.sidr-rfc6485bis]. As a | |||
| result, many of the design choices herein are a reflection of the | result, many of the design choices herein are a reflection of the | |||
| design choices that were taken in that prior work. The reader is | design choices that were taken in that prior work. The reader is | |||
| referred to [RFC6484] for a fuller discussion of those choices. | referred to [RFC6484] for a fuller discussion of those choices. | |||
| 5. Security Considerations | 5. Security Considerations | |||
| The Security Considerations of [RFC6487] apply. | The Security Considerations of [RFC6487] apply. | |||
| A BGPsec certificate will fail RPKI validation, as defined in | A BGPsec Router Certificate will fail RPKI validation, as defined in | |||
| [RFC6487], because the algorithm suite is different. Consequently, a | [RFC6487], because the algorithm suite is different. Consequently, a | |||
| RP needs to identify the EKU before applying the correspondent | RP needs to identify the EKU to determine the appropriate Validation | |||
| validation. | constraint. | |||
| A BGPsec Router Certificate is an extension of the RPKI [RFC6480] to | A BGPsec Router Certificate is an extension of the RPKI [RFC6480] to | |||
| encompass routers. It is a building block of the larger BGPsec | encompass routers. It is a building block BGPsec and is used to | |||
| security protocol used to validate signatures on BGPsec Signature- | validate signatures on BGPsec Signature-Segment origination of | |||
| Segment origination of Signed-Path segments [ID.sidr-bgpsec- | Signed-Path segments [ID.sidr-bgpsec-protocol]. Thus its essential | |||
| protocol]. Thus its essential security function is the secure | security function is the secure binding of one or more AS numbers to | |||
| binding of one or more AS numbers to a public key, consistent with | a public key, consistent with the RPKI allocation/assignment | |||
| the RPKI allocation/assignment hierarchy. | hierarchy. | |||
| Hash functions [ID.sidr-bgpsec-algs] are used when generating the two | Hash functions [ID.sidr-bgpsec-algs] are used when generating the two | |||
| key identifiers extension included in BGPsec certificates. However | key identifiers extension included in BGPsec certificates. However | |||
| as noted in [RFC6818], collision resistance is not a required | as noted in [RFC6818], collision resistance is not a required | |||
| property of one-way hash functions when used to generate key | property of one-way hash functions when used to generate key | |||
| identifiers. Regardless, hash collisions are possible and if | identifiers. Regardless, hash collisions are possible and if | |||
| detected the operator should be alerted. | detected an operator should be alerted. | |||
| 6. IANA Considerations | 6. IANA Considerations | |||
| This document makes use of two object identifiers in the SMI Registry | This document makes use of two object identifiers in the SMI Registry | |||
| for PKIX. One is for the ASN.1 module in Appendix A and it comes | for PKIX. One is for the ASN.1 module in Appendix A and it comes | |||
| from the SMI Security for PKIX Module Identifier IANA registry (id- | from the SMI Security for PKIX Module Identifier IANA registry (id- | |||
| mod-bgpsec-eku). The other is for the BGPsec router EKU defined in | mod-bgpsec-eku). The other is for the BGPsec router EKU defined in | |||
| Section 3.1.3.2 and Appendix A and it comes from the SMI Security for | Section 3.1.3.2 and Appendix A and it comes from the SMI Security for | |||
| PKIX Extended Key Purpose IANA registry. These OIDs were assigned | PKIX Extended Key Purpose IANA registry. These OIDs were assigned | |||
| before management of the PKIX Arc was handed to IANA. No IANA | before management of the PKIX Arc was handed to IANA. No IANA | |||
| allocations are request of IANA, but please update the references in | allocations are request of IANA, but please update the references in | |||
| those registries when this document is published by the RFC editor. | those registries when this document is published by the RFC editor. | |||
| 7. Acknowledgements | 7. Acknowledgements | |||
| We would like to thank Geoff Huston, George Michaelson, and Robert | We would like to thank Geoff Huston, George Michaelson, and Robert | |||
| Loomans for their work on [RFC6487], which this work is based on. In | Loomans for their work on [RFC6487], which this work is based on. In | |||
| addition, the efforts of Steve Kent and Matt Lepinski were | addition, the efforts of Steve Kent and Matt Lepinski were | |||
| instrumental in preparing this work. Additionally, we'd like to | instrumental in preparing this work. Additionally, we'd like to | |||
| thank Roque Gagliano, Sandra Murphy, Geoff Huston, Richard Hansen, | thank Roque Gagliano, Sandra Murphy, Geoff Huston, Richard Hansen, | |||
| and David Mandelberg for their reviews and comments. | David Mandelberg, and Sam Weiller for their reviews and comments. | |||
| 8. References | 8. References | |||
| 8.1. Normative References | 8.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP | [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP | |||
| Addresses and AS Identifiers", RFC 3779, June 2004. | Addresses and AS Identifiers", RFC 3779, June 2004. | |||
| skipping to change at page 9, line 34 ¶ | skipping to change at page 9, line 34 ¶ | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 5280, May 2008. | (CRL) Profile", RFC 5280, May 2008. | |||
| [RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for | [RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for | |||
| X.509 PKIX Resource Certificates", RFC 6487, February 2012. | X.509 PKIX Resource Certificates", RFC 6487, February 2012. | |||
| [RFC6818] Yee, P., "Updates to the Internet X.509 Public Key | [RFC6818] Yee, P., "Updates to the Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 6818, January 2013. | (CRL) Profile", RFC 6818, January 2013. | |||
| [ID.sidr-rfc6485bis] G. Huston, "The Profile for Algorithms and Key | [ID.sidr-rfc6485bis] G. Huston and G. Michaelson, "The Profile for | |||
| Sizes for use in the Resource Public Key Infrastructure", | Algorithms and Key Sizes for use in the Resource Public Key | |||
| draft-ietf-sidr-rfc6485bis, work-in-progress. | Infrastructure", draft-ietf-sidr-rfc6485bis, work-in- | |||
| progress. | ||||
| [ID.sidr-bgpsec-algs] S. Turner, "BGP Algorithms, Key Formats, & | [ID.sidr-bgpsec-algs] S. Turner, "BGP Algorithms, Key Formats, & | |||
| Signature Formats", draft-ietf-sidr-bgpsec-algs, work-in- | Signature Formats", draft-ietf-sidr-bgpsec-algs, work-in- | |||
| progress. | progress. | |||
| 8.2. Informative References | 8.2. Informative References | |||
| [RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis", | [RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis", | |||
| RFC 4272, January 2006. | RFC 4272, January 2006. | |||
| [RFC5123] White, R. and B. Akyol, "Considerations in Validating the | [RFC5123] White, R. and B. Akyol, "Considerations in Validating the | |||
| Path in BGP", RFC 5123, February 2008. | Path in BGP", RFC 5123, February 2008. | |||
| skipping to change at page 11, line 9 ¶ | skipping to change at page 12, line 9 ¶ | |||
| -- BGPsec Router Extended Key Usage -- | -- BGPsec Router Extended Key Usage -- | |||
| id-kp-bgpsec-router OBJECT IDENTIFIER ::= { id-kp 30 } | id-kp-bgpsec-router OBJECT IDENTIFIER ::= { id-kp 30 } | |||
| END | END | |||
| Appendix B. Change Log | Appendix B. Change Log | |||
| Please delete this section prior to publication. | Please delete this section prior to publication. | |||
| B.0 Changes from sidr-bgpsec-pki-profiles-11 to sidr-bgpsec-pki- | B.0 Changes from sidr-bgpsec-pki-profiles-12 to sidr-bgpsec-pki- | |||
| profiles-13 | ||||
| Minor modifications to address WGLC comments. | ||||
| B.1 Changes from sidr-bgpsec-pki-profiles-11 to sidr-bgpsec-pki- | ||||
| profiles-12 | profiles-12 | |||
| Added security consideration to address SKI collisions. Also updated | Added security consideration to address SKI collisions. Also updated | |||
| the IANA considerations section. | the IANA considerations section. | |||
| B.1 Changes from sidr-bgpsec-pki-profiles-10 to sidr-bgpsec-pki- | B.2 Changes from sidr-bgpsec-pki-profiles-10 to sidr-bgpsec-pki- | |||
| profiles-11 | profiles-11 | |||
| Removed text in s3.1.3. Consistently used BGPsec to refer to BGP | Removed text in s3.1.3. Consistently used BGPsec to refer to BGP | |||
| Security. Fixed typos. Refer to RFC6485bis instead of RFC6485. | Security. Fixed typos. Refer to RFC6485bis instead of RFC6485. | |||
| Included OIDs. | Included OIDs. | |||
| B.2. Changes from sidr-bgpsec-pki-profiles-09 to sidr-bgpsec-pki- | B.3. Changes from sidr-bgpsec-pki-profiles-09 to sidr-bgpsec-pki- | |||
| profiles-10 | profiles-10 | |||
| Updated dates. | Updated dates. | |||
| B.3. Changes from sidr-bgpsec-pki-profiles-08 to sidr-bgpsec-pki- | B.4. Changes from sidr-bgpsec-pki-profiles-08 to sidr-bgpsec-pki- | |||
| profiles-09 | profiles-09 | |||
| Editorial fixes for the sake of brevity. | Editorial fixes for the sake of brevity. | |||
| B.4. Changes from sidr-bgpsec-pki-profiles-07 to sidr-bgpsec-pki- | B.5. Changes from sidr-bgpsec-pki-profiles-07 to sidr-bgpsec-pki- | |||
| profiles-08 | profiles-08 | |||
| Fixed section numbering. | Fixed section numbering. | |||
| B.5. Changes from sidr-bgpsec-pki-profiles-06 to sidr-bgpsec-pki- | B.6. Changes from sidr-bgpsec-pki-profiles-06 to sidr-bgpsec-pki- | |||
| profiles-07 | profiles-07 | |||
| Added text to multiple AS numbers in a single certificate. Updated | Added text to multiple AS numbers in a single certificate. Updated | |||
| reference to RFC 6916. | reference to RFC 6916. | |||
| B.6. Changes from sidr-bgpsec-pki-profiles-05 to sidr-bgpsec-pki- | B.7. Changes from sidr-bgpsec-pki-profiles-05 to sidr-bgpsec-pki- | |||
| profiles-06 | profiles-06 | |||
| Keep alive version. | Keep alive version. | |||
| B.7. Changes from sidr-bgpsec-pki-profiles-04 to sidr-bgpsec-pki- | B.8. Changes from sidr-bgpsec-pki-profiles-04 to sidr-bgpsec-pki- | |||
| profiles-05 | profiles-05 | |||
| Keep alive version. | Keep alive version. | |||
| B.8. Changes from sidr-bgpsec-pki-profiles-03 to sidr-bgpsec-pki- | B.9. Changes from sidr-bgpsec-pki-profiles-03 to sidr-bgpsec-pki- | |||
| profiles-04 | profiles-04 | |||
| In s2.1, removed the phrase "another BGPSEC Router Certificate (only | In s2.1, removed the phrase "another BGPSEC Router Certificate (only | |||
| BGPSEC routers process these)" because the BGPSEC certificates are | BGPSEC routers process these)" because the BGPSEC certificates are | |||
| only ever EE certificates and they're never used to verify another | only ever EE certificates and they're never used to verify another | |||
| certificate only the PDUs that are signed. | certificate only the PDUs that are signed. | |||
| Added new s3.1.3.1 to explicitly state that EE certificates are only | Added new s3.1.3.1 to explicitly state that EE certificates are only | |||
| ever EE certs. | ever EE certs. | |||
| B.9. Changes from sidr-bgpsec-pki-profiles-02 to sidr-bgpsec-pki- | B.10. Changes from sidr-bgpsec-pki-profiles-02 to sidr-bgpsec-pki- | |||
| profiles-03 | profiles-03 | |||
| Updated s3.3 to clarify restrictions on path validation procedures | Updated s3.3 to clarify restrictions on path validation procedures | |||
| are in this specification (1st para was reworded). | are in this specification (1st para was reworded). | |||
| Updated s3.3 to point to s3.1.3.1 for BGPSEC EKU (thanks Tom). | Updated s3.3 to point to s3.1.3.1 for BGPSEC EKU (thanks Tom). | |||
| B.10. Changes from sidr-bgpsec-pki-profiles-01 to sidr-bgpsec-pki- | B.11. Changes from sidr-bgpsec-pki-profiles-01 to sidr-bgpsec-pki- | |||
| profiles-02 | profiles-02 | |||
| Updated references. | Updated references. | |||
| B.11. Changes from sidr-bgpsec-pki-profiles-00 to sidr-bgpsec-pki- | B.12. Changes from sidr-bgpsec-pki-profiles-00 to sidr-bgpsec-pki- | |||
| profiles-01 | profiles-01 | |||
| Added an ASN.1 Module and corrected the id-kp OID in s3.1.3.1. | Added an ASN.1 Module and corrected the id-kp OID in s3.1.3.1. | |||
| B.12. Changes from turner-bgpsec-pki-profiles-02 to sidr-bgpsec-pki- | B.13. Changes from turner-bgpsec-pki-profiles-02 to sidr-bgpsec-pki- | |||
| profiles-00 | profiles-00 | |||
| Added this change log. | Added this change log. | |||
| Amplified that a BGPSEC RP will need to support both the algorithms | Amplified that a BGPSEC RP will need to support both the algorithms | |||
| in [ID.sidr-bgpsec-algs] for BGPSEC and the algorithms in [ID.sidr- | in [ID.sidr-bgpsec-algs] for BGPSEC and the algorithms in [ID.sidr- | |||
| rpki-algs] for certificates and CRLs. | rpki-algs] for certificates and CRLs. | |||
| Changed the name of AS Resource extension to AS Resource Identifier | Changed the name of AS Resource extension to AS Resource Identifier | |||
| Delegation to match what's in RFC 3779. | Delegation to match what's in RFC 3779. | |||
| B.13. Changes from turner-bgpsec-pki-profiles -01 to -02 | B.14. Changes from turner-bgpsec-pki-profiles -01 to -02 | |||
| Added text in Section 2 to indicate that there's no impact on the | Added text in Section 2 to indicate that there's no impact on the | |||
| procedures defined in [RFC6916]. | procedures defined in [RFC6916]. | |||
| Added a security consideration to let implementers know the BGPSEC | Added a security consideration to let implementers know the BGPSEC | |||
| certificates will not pass RPKI validation [RFC6487] and that keying | certificates will not pass RPKI validation [RFC6487] and that keying | |||
| off the EKU will help tremendously. | off the EKU will help tremendously. | |||
| B.14. Changes from turner-bgpsec-pki-profiles -00 to -01 | B.15. Changes from turner-bgpsec-pki-profiles -00 to -01 | |||
| Corrected Section 2 to indicate that CA certificates are also RPKI | Corrected Section 2 to indicate that CA certificates are also RPKI | |||
| certificates. | certificates. | |||
| Removed sections and text that was already in [RFC6487]. This will | Removed sections and text that was already in [RFC6487]. This will | |||
| make it easier for reviewers to figure out what is different. | make it easier for reviewers to figure out what is different. | |||
| Modified Section 6 to use 2119-language. | Modified Section 6 to use 2119-language. | |||
| Removed requirement from Section 6 to check that the AS # in the | Removed requirement from Section 6 to check that the AS # in the | |||
| skipping to change at page 13, line 37 ¶ | skipping to change at page 14, line 42 ¶ | |||
| Email: mcr@islandpeaksoftware.com | Email: mcr@islandpeaksoftware.com | |||
| Sean Turner | Sean Turner | |||
| IECA, Inc. | IECA, Inc. | |||
| 3057 Nutley Street, Suite 106 | 3057 Nutley Street, Suite 106 | |||
| Fairfax, VA 22031 | Fairfax, VA 22031 | |||
| USA | USA | |||
| EMail: turners@ieca.com | EMail: turners@ieca.com | |||
| Steve Kent | Stephen Kent | |||
| Raytheon BBN Technologies | Raytheon BBN Technologies | |||
| 10 Moulton St. | 10 Moulton St. | |||
| Cambridge, MA 02138 | Cambridge, MA 02138 | |||
| Email: kent@bbn.com | Email: kent@bbn.com | |||
| End of changes. 41 change blocks. | ||||
| 102 lines changed or deleted | 111 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||