| < draft-ietf-sidr-bgpsec-pki-profiles-15.txt | draft-ietf-sidr-bgpsec-pki-profiles-16.txt > | |||
|---|---|---|---|---|
| Secure Inter-Domain Routing Working Group M. Reynolds | Secure Inter-Domain Routing Working Group M. Reynolds | |||
| Internet-Draft IPSw | Internet-Draft IPSw | |||
| Updates: 6487 (if approved) S. Turner | Updates: 6487 (if approved) S. Turner | |||
| Intended status: Standard Track IECA | Intended status: Standard Track IECA | |||
| Expires: May 8, 2016 S. Kent | Expires: September 22, 2016 S. Kent | |||
| BBN | BBN | |||
| November 5, 2015 | March 21, 2016 | |||
| A Profile for BGPsec Router Certificates, | A Profile for BGPsec Router Certificates, | |||
| Certificate Revocation Lists, and Certification Requests | Certificate Revocation Lists, and Certification Requests | |||
| draft-ietf-sidr-bgpsec-pki-profiles-15 | draft-ietf-sidr-bgpsec-pki-profiles-16 | |||
| Abstract | Abstract | |||
| This document defines a standard profile for X.509 certificates used | This document defines a standard profile for X.509 certificates used | |||
| to enable validation of Autonomous System (AS) paths in the Border | to enable validation of Autonomous System (AS) paths in the Border | |||
| Gateway Protocol (BGP), as part of an extension to that protocol | Gateway Protocol (BGP), as part of an extension to that protocol | |||
| known as BGPsec. BGP is the standard for inter-domain routing in the | known as BGPsec. BGP is the standard for inter-domain routing in the | |||
| Internet; it is the "glue" that holds the Internet together. BGPsec | Internet; it is the "glue" that holds the Internet together. BGPsec | |||
| is being developed as one component of a solution that addresses the | is being developed as one component of a solution that addresses the | |||
| requirement to provide security for BGP. The goal of BGPsec is to | requirement to provide security for BGP. The goal of BGPsec is to | |||
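Review bot: the header line "Intended status: Standard Track" (unchanged in both columns) should read "Standards Track", which is the registered status name; this revision only bumps the dates and the expiry, so the fix can ride along with the next editorial pass.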
| skipping to change at page 2, line 10 ¶ | skipping to change at page 2, line 10 ¶ | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2016 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 2, line 42 ¶ | skipping to change at page 2, line 42 ¶ | |||
| 3.1.3. BGPsec Router Certificate Version 3 Extension Fields . 6 | 3.1.3. BGPsec Router Certificate Version 3 Extension Fields . 6 | |||
| 3.1.3.1. Basic Constraints . . . . . . . . . . . . . . . . 6 | 3.1.3.1. Basic Constraints . . . . . . . . . . . . . . . . 6 | |||
| 3.1.3.2. Extended Key Usage . . . . . . . . . . . . . . . . 6 | 3.1.3.2. Extended Key Usage . . . . . . . . . . . . . . . . 6 | |||
| 3.1.3.3. Subject Information Access . . . . . . . . . . . . 6 | 3.1.3.3. Subject Information Access . . . . . . . . . . . . 6 | |||
| 3.1.3.4. IP Resources . . . . . . . . . . . . . . . . . . . 6 | 3.1.3.4. IP Resources . . . . . . . . . . . . . . . . . . . 6 | |||
| 3.1.3.5. AS Resources . . . . . . . . . . . . . . . . . . . 6 | 3.1.3.5. AS Resources . . . . . . . . . . . . . . . . . . . 6 | |||
| 3.2. BGPsec Router Certificate Request Profile . . . . . . . . 7 | 3.2. BGPsec Router Certificate Request Profile . . . . . . . . 7 | |||
| 3.3. BGPsec Router Certificate Validation . . . . . . . . . . . 7 | 3.3. BGPsec Router Certificate Validation . . . . . . . . . . . 7 | |||
| 4. Design Notes . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 4. Design Notes . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . . 9 | 8.1. Normative References . . . . . . . . . . . . . . . . . . . 9 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . . 9 | 8.2. Informative References . . . . . . . . . . . . . . . . . . 10 | |||
| Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 10 | Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 11 | |||
| Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 11 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13 | ||||
| 1. Introduction | 1. Introduction | |||
| This document defines a profile for X.509 end-entity (EE) | This document defines a profile for X.509 end-entity (EE) | |||
| certificates [RFC5280] for use in the context of certification of | certificates [RFC5280] for use in the context of certification of | |||
| Autonomous System (AS) paths in the Border Gateway Protocol Security | Autonomous System (AS) paths in the Border Gateway Protocol Security | |||
| protocol (BGPsec). Such certificates are termed "BGPsec Router | protocol (BGPsec). Such certificates are termed "BGPsec Router | |||
| Certificates". The holder of the private key associated with a | Certificates". The holder of the private key associated with a | |||
| BGPsec Router Certificate is authorized to send secure route | BGPsec Router Certificate is authorized to send secure route | |||
| advertisements (BGPsec UPDATEs) on behalf of the AS(es) named in the | advertisements (BGPsec UPDATEs) on behalf of the AS(es) named in the | |||
| skipping to change at page 7, line 10 ¶ | skipping to change at page 7, line 10 ¶ | |||
| Identifier Delegation extension, as specified in section 4.8.11 of | Identifier Delegation extension, as specified in section 4.8.11 of | |||
| [RFC6487]. The AS Resource Identifier Delegation extension MUST | [RFC6487]. The AS Resource Identifier Delegation extension MUST | |||
| include one or more AS numbers, and the "inherit" element MUST NOT be | include one or more AS numbers, and the "inherit" element MUST NOT be | |||
| specified. | specified. | |||
| 3.2. BGPsec Router Certificate Request Profile | 3.2. BGPsec Router Certificate Request Profile | |||
| Refer to section 6 of [RFC6487]. The only differences between this | Refer to section 6 of [RFC6487]. The only differences between this | |||
| profile and the profile in [RFC6487] are: | profile and the profile in [RFC6487] are: | |||
| o The ExtendedKeyUsage extension request MUST be included and the CA | o The Basic Constraints extension: | |||
| MUST honor the request; | ||||
| If included, the CA MUST NOT honor the cA boolean if set to TRUE. | ||||
| o The Extended Key Usage extension: | ||||
| If included, id-kp-bgpsec-router MUST be present (see Section | ||||
| 3.1). If included, the CA MUST honor the request for id-kp- | ||||
| bgpsec-router. | ||||
| o The Subject Information Access extension: | ||||
| If included, the CA MUST NOT honor the request to include the | ||||
| extension. | ||||
| o The SubjectPublicKeyInfo and PublicKey fields are specified in | o The SubjectPublicKeyInfo and PublicKey fields are specified in | |||
| [ID.sidr-bgpsec-algs]; and, | [ID.sidr-bgpsec-algs]. | |||
| o The request is signed with the algorithms specified in [ID.sidr- | o The request is signed with the algorithms specified in [ID.sidr- | |||
| bgpsec-algs]. | bgpsec-algs]. | |||
| 3.3. BGPsec Router Certificate Validation | 3.3. BGPsec Router Certificate Validation | |||
| The validation procedure used for BGPsec Router Certificates is | The validation procedure used for BGPsec Router Certificates is | |||
| identical to the validation procedure described in Section 7 of | identical to the validation procedure described in Section 7 of | |||
| [RFC6487], but using the constraints applied come from this | [RFC6487], but using the constraints applied come from this | |||
| specification. For example, in step 3: "the certificate contains all | specification. For example, in step 3: "the certificate contains all | |||
| the field that must be present" - refers to the fields that are | the field that must be present" - refers to the fields that are | |||
| required by this specification. | required by this specification. | |||
| The differences are as follows: | The differences are as follows: | |||
| o BGPsec Router Certificates MUST include the BGPsec EKU defined in | o BGPsec Router Certificates MUST include the BGPsec Router EKU | |||
| Section 3.1.3.1. | defined in Section 3.1.3.2. | |||
| o BGPsec Router Certificates MUST NOT include the SIA extension. | o BGPsec Router Certificates MUST NOT include the SIA extension. | |||
| o BGPsec Router Certificates MUST NOT include the IP Resource | o BGPsec Router Certificates MUST NOT include the IP Resource | |||
| extension. | extension. | |||
| o BGPsec Router Certificates MUST include the AS Resource Identifier | o BGPsec Router Certificates MUST include the AS Resource Identifier | |||
| Delegation extension. | Delegation extension. | |||
| o BGPsec Router Certificate MUST include the "Subject Public Key | o BGPsec Router Certificate MUST include the "Subject Public Key | |||
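Review bot: the new Basic Constraints bullet in s3.2 ("If included, the CA MUST NOT honor the cA boolean if set to TRUE") says what the CA refuses but not what it issues; state the outcome, e.g. "the CA MUST issue an EE certificate (cA absent or FALSE) regardless of the requested value", so the bullet lines up with s3.1.3.1 and with the new Design Notes text. Two related gaps in the same list: the Extended Key Usage bullet only covers a request that already carries the extension, while Section 4 says the CA always adds id-kp-bgpsec-router even when the request omits it, so add "If not included, the CA MUST add id-kp-bgpsec-router"; and Section 4 also describes stripping keyCertSign and cRLSign from a requested Key Usage, which has no corresponding bullet here. The s3.3 reference fix (3.1.3.1 to 3.1.3.2, the Extended Key Usage subsection per the table of contents) is correct. Still in s3.3 and unchanged in both columns, "but using the constraints applied come from this specification" does not parse; suggest "except that the constraints applied are those of this specification", and "the field that must be present" should read "the fields that must be present"; the last bullet should be "BGPsec Router Certificates MUST include" (plural, like the others).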
| skipping to change at page 8, line 13 ¶ | skipping to change at page 8, line 25 ¶ | |||
| CRLs. | CRLs. | |||
| 4. Design Notes | 4. Design Notes | |||
| The BGPsec Router Certificate profile is based on the Resource | The BGPsec Router Certificate profile is based on the Resource | |||
| Certificate profile as specified in [ID.sidr-rfc6485bis]. As a | Certificate profile as specified in [ID.sidr-rfc6485bis]. As a | |||
| result, many of the design choices herein are a reflection of the | result, many of the design choices herein are a reflection of the | |||
| design choices that were taken in that prior work. The reader is | design choices that were taken in that prior work. The reader is | |||
| referred to [RFC6484] for a fuller discussion of those choices. | referred to [RFC6484] for a fuller discussion of those choices. | |||
| CAs are required by the Certificate Policy (CP) [RFC6484] to issue | ||||
| properly formed BGPsec Router Certificates regardless of what is | ||||
| present in the certification request so there is some flexibility | ||||
| permitted in the certificate requests: | ||||
| o BGPsec Router Certificates are always EE certificates; therefore, | ||||
| requests to issue a CA certificate result in EE certificates; | ||||
| o BGPsec Router Certificates are always EE certificates; therefore, | ||||
| requests for Key Usage extension values keyCertSign and cRLSign | ||||
| result in certificates with neither of these values; | ||||
| o BGPsec Router Certificates always include the BGPsec Rouer EKU | ||||
| value; therefore, request without the value result in certificates | ||||
| with the value; and, | ||||
| o BGPsec Router Certificates never include the Subject Information | ||||
| Access extension; therefore, request with this extension result in | ||||
| certificates without the extension. | ||||
| Note that this behavior is similar to the CA including the AS | ||||
| Resource Identifier Delegation extension in issued BGPsec Router | ||||
| Certificates despite the fact it is not present in the request. | ||||
| 5. Security Considerations | 5. Security Considerations | |||
| The Security Considerations of [RFC6487] apply. | The Security Considerations of [RFC6487] apply. | |||
| A BGPsec Router Certificate will fail RPKI validation, as defined in | A BGPsec Router Certificate will fail RPKI validation, as defined in | |||
| [RFC6487], because the algorithm suite is different. Consequently, a | [RFC6487], because the algorithm suite is different. Consequently, a | |||
| RP needs to identify the EKU to determine the appropriate Validation | RP needs to identify the EKU to determine the appropriate Validation | |||
| constraint. | constraint. | |||
| A BGPsec Router Certificate is an extension of the RPKI [RFC6480] to | A BGPsec Router Certificate is an extension of the RPKI [RFC6480] to | |||
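Review bot: the first paragraph of s4 cites [ID.sidr-rfc6485bis] as the source of the Resource Certificate profile, but that document is the algorithms profile (the -11 change log entry reads "Refer to RFC6485bis instead of RFC6485", and RFC 6485 is the RPKI algorithms document); the certificate profile this profile is based on is [RFC6487], which s3.2, s3.3 and s5 already cite, so correct the citation. In the new bullet list, "BGPsec Rouer EKU" is a typo for "Router", and "request without the value result" and "request with this extension result" need "requests". The first two bullets repeat the same lead-in ("BGPsec Router Certificates are always EE certificates; therefore,"); merging them into one bullet that covers both the cA boolean and the keyCertSign/cRLSign bits reads better. Since this text states that the CP [RFC6484] requires CAs to overrule the request, the matching MUST-level rules belong in s3.2 as well, rather than only in a Design Notes section that a CA implementer may treat as non-normative.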
| skipping to change at page 9, line 6 ¶ | skipping to change at page 9, line 43 ¶ | |||
| before management of the PKIX Arc was handed to IANA. No IANA | before management of the PKIX Arc was handed to IANA. No IANA | |||
| allocations are request of IANA, but please update the references in | allocations are request of IANA, but please update the references in | |||
| those registries when this document is published by the RFC editor. | those registries when this document is published by the RFC editor. | |||
| 7. Acknowledgements | 7. Acknowledgements | |||
| We would like to thank Geoff Huston, George Michaelson, and Robert | We would like to thank Geoff Huston, George Michaelson, and Robert | |||
| Loomans for their work on [RFC6487], which this work is based on. In | Loomans for their work on [RFC6487], which this work is based on. In | |||
| addition, the efforts of Steve Kent and Matt Lepinski were | addition, the efforts of Steve Kent and Matt Lepinski were | |||
| instrumental in preparing this work. Additionally, we'd like to | instrumental in preparing this work. Additionally, we'd like to | |||
| thank Roque Gagliano, Sandra Murphy, Geoff Huston, Richard Hansen, | thank Rob Austein, Roque Gagliano, Richard Hansen, Geoff Huston, | |||
| David Mandelberg, and Sam Weiller for their reviews and comments. | David Mandelberg, Sandra Murphy, and Sam Weiller for their reviews | |||
| and comments. | ||||
| 8. References | 8. References | |||
| 8.1. Normative References | 8.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP | [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP | |||
| Addresses and AS Identifiers", RFC 3779, June 2004. | Addresses and AS Identifiers", RFC 3779, June 2004. | |||
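Review bot: in s6 (unchanged in both columns), "No IANA allocations are request of IANA" should read "No allocations are requested of IANA", and "PKIX Arc" should be "PKIX arc". The s7 change (adding Rob Austein and re-sorting the reviewer list alphabetically) is fine as is.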
| skipping to change at page 11, line 5 ¶ | skipping to change at page 11, line 42 ¶ | |||
| id-kp OBJECT IDENTIFIER ::= { | id-kp OBJECT IDENTIFIER ::= { | |||
| iso(1) identified-organization(3) dod(6) internet(1) | iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) kp(3) } | security(5) mechanisms(5) kp(3) } | |||
| -- BGPsec Router Extended Key Usage -- | -- BGPsec Router Extended Key Usage -- | |||
| id-kp-bgpsec-router OBJECT IDENTIFIER ::= { id-kp 30 } | id-kp-bgpsec-router OBJECT IDENTIFIER ::= { id-kp 30 } | |||
| END | END | |||
| Appendix B. Change Log | ||||
| Please delete this section prior to publication. | ||||
| B.0 Changes from sidr-bgpsec-pki-profiles-12 to sidr-bgpsec-pki- | ||||
| profiles-13 | ||||
| Minor modifications to address WGLC comments. | ||||
| B.1 Changes from sidr-bgpsec-pki-profiles-11 to sidr-bgpsec-pki- | ||||
| profiles-12 | ||||
| Added security consideration to address SKI collisions. Also updated | ||||
| the IANA considerations section. | ||||
| B.2 Changes from sidr-bgpsec-pki-profiles-10 to sidr-bgpsec-pki- | ||||
| profiles-11 | ||||
| Removed text in s3.1.3. Consistently used BGPsec to refer to BGP | ||||
| Security. Fixed typos. Refer to RFC6485bis instead of RFC6485. | ||||
| Included OIDs. | ||||
| B.3. Changes from sidr-bgpsec-pki-profiles-09 to sidr-bgpsec-pki- | ||||
| profiles-10 | ||||
| Updated dates. | ||||
| B.4. Changes from sidr-bgpsec-pki-profiles-08 to sidr-bgpsec-pki- | ||||
| profiles-09 | ||||
| Editorial fixes for the sake of brevity. | ||||
| B.5. Changes from sidr-bgpsec-pki-profiles-07 to sidr-bgpsec-pki- | ||||
| profiles-08 | ||||
| Fixed section numbering. | ||||
| B.6. Changes from sidr-bgpsec-pki-profiles-06 to sidr-bgpsec-pki- | ||||
| profiles-07 | ||||
| Added text to multiple AS numbers in a single certificate. Updated | ||||
| reference to RFC 6916. | ||||
| B.7. Changes from sidr-bgpsec-pki-profiles-05 to sidr-bgpsec-pki- | ||||
| profiles-06 | ||||
| Keep alive version. | ||||
| B.8. Changes from sidr-bgpsec-pki-profiles-04 to sidr-bgpsec-pki- | ||||
| profiles-05 | ||||
| Keep alive version. | ||||
| B.9. Changes from sidr-bgpsec-pki-profiles-03 to sidr-bgpsec-pki- | ||||
| profiles-04 | ||||
| In s2.1, removed the phrase "another BGPSEC Router Certificate (only | ||||
| BGPSEC routers process these)" because the BGPSEC certificates are | ||||
| only ever EE certificates and they're never used to verify another | ||||
| certificate only the PDUs that are signed. | ||||
| Added new s3.1.3.1 to explicitly state that EE certificates are only | ||||
| ever EE certs. | ||||
| B.10. Changes from sidr-bgpsec-pki-profiles-02 to sidr-bgpsec-pki- | ||||
| profiles-03 | ||||
| Updated s3.3 to clarify restrictions on path validation procedures | ||||
| are in this specification (1st para was reworded). | ||||
| Updated s3.3 to point to s3.1.3.1 for BGPSEC EKU (thanks Tom). | ||||
| B.11. Changes from sidr-bgpsec-pki-profiles-01 to sidr-bgpsec-pki- | ||||
| profiles-02 | ||||
| Updated references. | ||||
| B.12. Changes from sidr-bgpsec-pki-profiles-00 to sidr-bgpsec-pki- | ||||
| profiles-01 | ||||
| Added an ASN.1 Module and corrected the id-kp OID in s3.1.3.1. | ||||
| B.13. Changes from turner-bgpsec-pki-profiles-02 to sidr-bgpsec-pki- | ||||
| profiles-00 | ||||
| Added this change log. | ||||
| Amplified that a BGPSEC RP will need to support both the algorithms | ||||
| in [ID.sidr-bgpsec-algs] for BGPSEC and the algorithms in [ID.sidr- | ||||
| rpki-algs] for certificates and CRLs. | ||||
| Changed the name of AS Resource extension to AS Resource Identifier | ||||
| Delegation to match what's in RFC 3779. | ||||
| B.14. Changes from turner-bgpsec-pki-profiles -01 to -02 | ||||
| Added text in Section 2 to indicate that there's no impact on the | ||||
| procedures defined in [RFC6916]. | ||||
| Added a security consideration to let implementers know the BGPSEC | ||||
| certificates will not pass RPKI validation [RFC6487] and that keying | ||||
| off the EKU will help tremendously. | ||||
| B.15. Changes from turner-bgpsec-pki-profiles -00 to -01 | ||||
| Corrected Section 2 to indicate that CA certificates are also RPKI | ||||
| certificates. | ||||
| Removed sections and text that was already in [RFC6487]. This will | ||||
| make it easier for reviewers to figure out what is different. | ||||
| Modified Section 6 to use 2119-language. | ||||
| Removed requirement from Section 6 to check that the AS # in the | ||||
| certificate is the last number in the AS path information of each BGP | ||||
| UPDATE message. Moved to [ID.sidr-bgpsec-protocol]. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Mark Reynolds | Mark Reynolds | |||
| Island Peak Software | Island Peak Software | |||
| 328 Virginia Road | 328 Virginia Road | |||
| Concord, MA 01742 | Concord, MA 01742 | |||
| Email: mcr@islandpeaksoftware.com | Email: mcr@islandpeaksoftware.com | |||
| Sean Turner | Sean Turner | |||
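Review bot: deleting Appendix B is consistent with its own "Please delete this section prior to publication" line, but the log was already stale (its last entry covers -12 to -13), so the substantive -16 changes to s3.2 and the new s4 bullet list are now recorded nowhere in the document; a short entry in the datatracker revision notes or the shepherd write-up would preserve that history for the IESG review.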
| End of changes. 12 change blocks. | ||||
| 133 lines changed or deleted | 53 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||