| < draft-ietf-sidr-bgpsec-pki-profiles-14.txt | draft-ietf-sidr-bgpsec-pki-profiles-15.txt > | |||
|---|---|---|---|---|
| Secure Inter-Domain Routing Working Group M. Reynolds | Secure Inter-Domain Routing Working Group M. Reynolds | |||
| Internet-Draft IPSw | Internet-Draft IPSw | |||
| Updates: 6487 (if approved) S. Turner | Updates: 6487 (if approved) S. Turner | |||
| Intended status: Standard Track IECA | Intended status: Standard Track IECA | |||
| Expires: May 7, 2016 S. Kent | Expires: May 8, 2016 S. Kent | |||
| BBN | BBN | |||
| November 4, 2015 | November 5, 2015 | |||
| A Profile for BGPsec Router Certificates, | A Profile for BGPsec Router Certificates, | |||
| Certificate Revocation Lists, and Certification Requests | Certificate Revocation Lists, and Certification Requests | |||
| draft-ietf-sidr-bgpsec-pki-profiles-14 | draft-ietf-sidr-bgpsec-pki-profiles-15 | |||
| Abstract | Abstract | |||
| This document defines a standard profile for X.509 certificates used | This document defines a standard profile for X.509 certificates used | |||
| to enable validation of Autonomous System (AS) paths in the Border | to enable validation of Autonomous System (AS) paths in the Border | |||
| Gateway Protocol (BGP), as part of an extension to that protocol | Gateway Protocol (BGP), as part of an extension to that protocol | |||
| known as BGPsec. BGP is the standard for inter-domain routing in the | known as BGPsec. BGP is the standard for inter-domain routing in the | |||
| Internet; it is the "glue" that holds the Internet together. BGPsec | Internet; it is the "glue" that holds the Internet together. BGPsec | |||
| is being developed as one component of a solution that addresses the | is being developed as one component of a solution that addresses the | |||
| requirement to provide security for BGP. The goal of BGPsec is to | requirement to provide security for BGP. The goal of BGPsec is to | |||
| skipping to change at page 2, line 48 ¶ | skipping to change at page 2, line 48 ¶ | |||
| 3.2. BGPsec Router Certificate Request Profile . . . . . . . . 7 | 3.2. BGPsec Router Certificate Request Profile . . . . . . . . 7 | |||
| 3.3. BGPsec Router Certificate Validation . . . . . . . . . . . 7 | 3.3. BGPsec Router Certificate Validation . . . . . . . . . . . 7 | |||
| 4. Design Notes . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 4. Design Notes . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . . 9 | 8.1. Normative References . . . . . . . . . . . . . . . . . . . 9 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . . 9 | 8.2. Informative References . . . . . . . . . . . . . . . . . . 9 | |||
| Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 10 | Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 10 | |||
| Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 12 | Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 11 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 1. Introduction | 1. Introduction | |||
| This document defines a profile for X.509 end-entity (EE) | This document defines a profile for X.509 end-entity (EE) | |||
| certificates [RFC5280] for use in the context of certification of | certificates [RFC5280] for use in the context of certification of | |||
| Autonomous System (AS) paths in the Border Gateway Protocol Security | Autonomous System (AS) paths in the Border Gateway Protocol Security | |||
| protocol (BGPsec). Such certificates are termed "BGPsec Router | protocol (BGPsec). Such certificates are termed "BGPsec Router | |||
| Certificates". The holder of the private key associated with a | Certificates". The holder of the private key associated with a | |||
| BGPsec Router Certificate is authorized to send secure route | BGPsec Router Certificate is authorized to send secure route | |||
| advertisements (BGPsec UPDATEs) on behalf of the AS(es) named in the | advertisements (BGPsec UPDATEs) on behalf of the AS(es) named in the | |||
| certificate. A router holding the private key is authorized to send | certificate. A router holding the private key is authorized to send | |||
| route advertisements (to its peers) that contain one or more of the | route advertisements (to its peers) that contain one or more of the | |||
| specified AS number as the last item in the AS PATH attribute. A key | specified AS number as the last item in the AS PATH attribute. A key | |||
| property provided by BGPsec is that every AS along the AS PATH can | property provided by BGPsec is that every AS along the AS PATH can | |||
| verify that the other ASes along the path have authorized the | verify that the other ASes along the path have authorized the | |||
| advertisement of the given route (to the next AS along the AS PATH). | advertisement of the given route (to the next AS along the AS PATH). | |||
| This document is a profile of [RFC6487], which is a profile of | This document is a profile of [RFC6487], which is a profile of | |||
| [RFC5280]; thus this document [RFC6487]. It establishes requirements | [RFC5280]; thus this document updates [RFC6487]. It establishes | |||
| imposed on a Resource Certificate that is used as a BGPsec Router | requirements imposed on a Resource Certificate that is used as a | |||
| Certificate, i.e., it defines constraints for certificate fields and | BGPsec Router Certificate, i.e., it defines constraints for | |||
| extensions for the certificate to be valid in this context. This | certificate fields and extensions for the certificate to be valid in | |||
| document also profiles the certification requests used to acquire | this context. This document also profiles the certification requests | |||
| BGPsec Router Certificates. Finally, this document specifies the | used to acquire BGPsec Router Certificates. Finally, this document | |||
| Relying Party (RP) certificate path validation procedures for these | specifies the Relying Party (RP) certificate path validation | |||
| certificates. | procedures for these certificates. | |||
| 1.1. Terminology | 1.1. Terminology | |||
| It is assumed that the reader is familiar with the terms and concepts | It is assumed that the reader is familiar with the terms and concepts | |||
| described in "A Profile for X.509 PKIX Resource Certificates" | described in "A Profile for X.509 PKIX Resource Certificates" | |||
| [RFC6487], "BGPsec Protocol Specification" [ID.sidr-bgpsec-protocol], | [RFC6487], "BGPsec Protocol Specification" [ID.sidr-bgpsec-protocol], | |||
| "A Border Gateway Protocol 4 (BGP-4)" [RFC4271], "BGP Security | "A Border Gateway Protocol 4 (BGP-4)" [RFC4271], "BGP Security | |||
| Vulnerabilities Analysis" [RFC4272], "Considerations in Validating | Vulnerabilities Analysis" [RFC4272], "Considerations in Validating | |||
| the Path in BGP" [RFC5123], and "Capability Advertisement with BGP-4" | the Path in BGP" [RFC5123], and "Capability Advertisement with BGP-4" | |||
| [RFC5492]. | [RFC5492]. | |||
| skipping to change at page 4, line 5 ¶ | skipping to change at page 4, line 5 ¶ | |||
| [RFC2119]. | [RFC2119]. | |||
| 2. Describing Resources in Certificates | 2. Describing Resources in Certificates | |||
| Figure 1 depicts some of the entities in the RPKI and some of the | Figure 1 depicts some of the entities in the RPKI and some of the | |||
| products generated by RPKI entities. IANA issues a Certification | products generated by RPKI entities. IANA issues a Certification | |||
| Authority (CA) certificate to each Regional Internet Registry (RIR). | Authority (CA) certificate to each Regional Internet Registry (RIR). | |||
| The RIR, in turn, issues a CA certificate to an Internet Service | The RIR, in turn, issues a CA certificate to an Internet Service | |||
| Providers (ISP). The ISP in turn issues EE Certificates to itself to | Providers (ISP). The ISP in turn issues EE Certificates to itself to | |||
| enable verification of signatures on RPKI signed objects. The CA also | enable verification of signatures on RPKI signed objects. The CA also | |||
| generate. The CA also generates CRLs. These CA and EE certificates | generate. The CA also generates Certificate Revocation Lists (CRLs). | |||
| are referred to as "Resource Certificates", and are profiled in | These CA and EE certificates are referred to as "Resource | |||
| [RFC6487]. The [RFC6480] envisioned using Resource Certificates to | Certificates", and are profiled in [RFC6487]. The [RFC6480] | |||
| enable verification of Manifests [RFC6486] and Route Origin | envisioned using Resource Certificates to enable verification of | |||
| Authorizations (ROAs) [RFC6482]. ROAs and Manifests include the | Manifests [RFC6486] and Route Origin Authorizations (ROAs) [RFC6482]. | |||
| Resource Certificates used to verify them. | ROAs and Manifests include the Resource Certificates used to verify | |||
| them. | ||||
| +---------+ +------+ | +---------+ +------+ | |||
| | CA Cert |---| IANA | | | CA Cert |---| IANA | | |||
| +---------+ +------+ | +---------+ +------+ | |||
| \ | \ | |||
| +---------+ +-----+ | +---------+ +-----+ | |||
| | CA Cert |---| RIR | | | CA Cert |---| RIR | | |||
| +---------+ +-----+ | +---------+ +-----+ | |||
| \ | \ | |||
| +---------+ +-----+ | +---------+ +-----+ | |||
| End of changes. 6 change blocks. | ||||
| 19 lines changed or deleted | 20 lines changed or added | |||
This HTML diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/
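
Review bot: The front-matter line "Intended status: Standard Track" is unchanged between -14 and -15 and should read "Standards Track"; only the expiry and publication dates moved in this block, so the typo can be fixed in the same pass.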
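
Review bot: In Section 1, the sentence just above the corrected "thus this document updates [RFC6487]" still reads "one or more of the specified AS number" in both versions; suggest "one or more of the specified AS numbers". The same paragraph writes the attribute as "AS PATH", while RFC 4271, cited in Section 1.1, names it AS_PATH; using that spelling would keep the profile consistent with the BGP-4 specification it relies on.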
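
Review bot: In Section 2, the stray fragment "The CA also generate." survives into -15 directly before the rewritten sentence "The CA also generates Certificate Revocation Lists (CRLs)." and should be deleted. Two further nits in the same paragraph are untouched by this revision: "an Internet Service Providers (ISP)" should be singular, and "The [RFC6480] envisioned" needs a noun after "The" or the article dropped.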