| < draft-ietf-sidr-bgpsec-pki-profiles-16.txt | draft-ietf-sidr-bgpsec-pki-profiles-17.txt > | |||
|---|---|---|---|---|
| Secure Inter-Domain Routing Working Group M. Reynolds | Secure Inter-Domain Routing Working Group M. Reynolds | |||
| Internet-Draft IPSw | Internet-Draft IPSw | |||
| Updates: 6487 (if approved) S. Turner | Updates: 6487 (if approved) S. Turner | |||
| Intended status: Standard Track IECA | Intended status: Standard Track IECA | |||
| Expires: September 22, 2016 S. Kent | Expires: December 3, 2016 S. Kent | |||
| BBN | BBN | |||
| March 21, 2016 | June 1, 2016 | |||
| A Profile for BGPsec Router Certificates, | A Profile for BGPsec Router Certificates, | |||
| Certificate Revocation Lists, and Certification Requests | Certificate Revocation Lists, and Certification Requests | |||
| draft-ietf-sidr-bgpsec-pki-profiles-16 | draft-ietf-sidr-bgpsec-pki-profiles-17 | |||
| Abstract | Abstract | |||
| This document defines a standard profile for X.509 certificates used | This document defines a standard profile for X.509 certificates used | |||
| to enable validation of Autonomous System (AS) paths in the Border | to enable validation of Autonomous System (AS) paths in the Border | |||
| Gateway Protocol (BGP), as part of an extension to that protocol | Gateway Protocol (BGP), as part of an extension to that protocol | |||
| known as BGPsec. BGP is the standard for inter-domain routing in the | known as BGPsec. BGP is the standard for inter-domain routing in the | |||
| Internet; it is the "glue" that holds the Internet together. BGPsec | Internet; it is the "glue" that holds the Internet together. BGPsec | |||
| is being developed as one component of a solution that addresses the | is being developed as one component of a solution that addresses the | |||
| requirement to provide security for BGP. The goal of BGPsec is to | requirement to provide security for BGP. The goal of BGPsec is to | |||
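Review bot: The "Intended status: Standard Track" header line is carried over unchanged from -16; the IETF category name is "Standards Track", so correct it in the same pass that bumps the dates and the draft version to -17.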
| skipping to change at page 2, line 40 ¶ | skipping to change at page 2, line 40 ¶ | |||
| 3.1.1.1. Subject . . . . . . . . . . . . . . . . . . . . . 5 | 3.1.1.1. Subject . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.1.2. Subject Public Key Info . . . . . . . . . . . . . . . 5 | 3.1.2. Subject Public Key Info . . . . . . . . . . . . . . . 5 | |||
| 3.1.3. BGPsec Router Certificate Version 3 Extension Fields . 6 | 3.1.3. BGPsec Router Certificate Version 3 Extension Fields . 6 | |||
| 3.1.3.1. Basic Constraints . . . . . . . . . . . . . . . . 6 | 3.1.3.1. Basic Constraints . . . . . . . . . . . . . . . . 6 | |||
| 3.1.3.2. Extended Key Usage . . . . . . . . . . . . . . . . 6 | 3.1.3.2. Extended Key Usage . . . . . . . . . . . . . . . . 6 | |||
| 3.1.3.3. Subject Information Access . . . . . . . . . . . . 6 | 3.1.3.3. Subject Information Access . . . . . . . . . . . . 6 | |||
| 3.1.3.4. IP Resources . . . . . . . . . . . . . . . . . . . 6 | 3.1.3.4. IP Resources . . . . . . . . . . . . . . . . . . . 6 | |||
| 3.1.3.5. AS Resources . . . . . . . . . . . . . . . . . . . 6 | 3.1.3.5. AS Resources . . . . . . . . . . . . . . . . . . . 6 | |||
| 3.2. BGPsec Router Certificate Request Profile . . . . . . . . 7 | 3.2. BGPsec Router Certificate Request Profile . . . . . . . . 7 | |||
| 3.3. BGPsec Router Certificate Validation . . . . . . . . . . . 7 | 3.3. BGPsec Router Certificate Validation . . . . . . . . . . . 7 | |||
| 3.4. Router Certificates and Signing Functions in the RPKI . . 8 | ||||
| 4. Design Notes . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 4. Design Notes . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . . 9 | 8.1. Normative References . . . . . . . . . . . . . . . . . . . 10 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . . 10 | 8.2. Informative References . . . . . . . . . . . . . . . . . . 11 | |||
| Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 11 | Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 12 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 1. Introduction | 1. Introduction | |||
| This document defines a profile for X.509 end-entity (EE) | This document defines a profile for X.509 end-entity (EE) | |||
| certificates [RFC5280] for use in the context of certification of | certificates [RFC5280] for use in the context of certification of | |||
| Autonomous System (AS) paths in the Border Gateway Protocol Security | Autonomous System (AS) paths in the Border Gateway Protocol Security | |||
| protocol (BGPsec). Such certificates are termed "BGPsec Router | protocol (BGPsec). Such certificates are termed "BGPsec Router | |||
| Certificates". The holder of the private key associated with a | Certificates". The holder of the private key associated with a | |||
| BGPsec Router Certificate is authorized to send secure route | BGPsec Router Certificate is authorized to send secure route | |||
| advertisements (BGPsec UPDATEs) on behalf of the AS(es) named in the | advertisements (BGPsec UPDATEs) on behalf of the AS(es) named in the | |||
| skipping to change at page 8, line 17 ¶ | skipping to change at page 8, line 17 ¶ | |||
| rfc6485bis]. | rfc6485bis]. | |||
| NOTE: The cryptographic algorithms used by BGPsec routers are found | NOTE: The cryptographic algorithms used by BGPsec routers are found | |||
| in [ID.sidr-bgpsec-algs]. Currently, the algorithms specified in | in [ID.sidr-bgpsec-algs]. Currently, the algorithms specified in | |||
| [ID.sidr-bgpsec-algs] and [ID.sidr-rfc6485bis] are different. BGPsec | [ID.sidr-bgpsec-algs] and [ID.sidr-rfc6485bis] are different. BGPsec | |||
| RPs will need to support algorithms that are used to validate BGPsec | RPs will need to support algorithms that are used to validate BGPsec | |||
| signatures as well as the algorithms that are needed to validate | signatures as well as the algorithms that are needed to validate | |||
| signatures on BGPsec certificates, RPKI CA certificates, and RPKI | signatures on BGPsec certificates, RPKI CA certificates, and RPKI | |||
| CRLs. | CRLs. | |||
| 3.4. Router Certificates and Signing Functions in the RPKI | ||||
| As described in Section 1, the primary function of BGPsec route | ||||
| certificates in the RPKI is for use in the context of certification | ||||
| of Autonomous System (AS) paths in the Border Gateway Protocol | ||||
| Security protocol (BGPsec). | ||||
| The private key associated with a router EE certificate may be used | ||||
| multiple times in generating signatures in multiple instances of the | ||||
| BGPsec_Path Attribute Signature Segments [ID.sidr-bgpsec-protocol]. | ||||
| I.e., the BGPsec router certificate is used to validate multiple | ||||
| signatures. | ||||
| BGPsec router certificates are stored in the issuing CA's repository, | ||||
| where a repository following RFC6481 MUST use a .cer filename | ||||
| extension for the certificate file. | ||||
| 4. Design Notes | 4. Design Notes | |||
| The BGPsec Router Certificate profile is based on the Resource | The BGPsec Router Certificate profile is based on the Resource | |||
| Certificate profile as specified in [ID.sidr-rfc6485bis]. As a | Certificate profile as specified in [ID.sidr-rfc6485bis]. As a | |||
| result, many of the design choices herein are a reflection of the | result, many of the design choices herein are a reflection of the | |||
| design choices that were taken in that prior work. The reader is | design choices that were taken in that prior work. The reader is | |||
| referred to [RFC6484] for a fuller discussion of those choices. | referred to [RFC6484] for a fuller discussion of those choices. | |||
| CAs are required by the Certificate Policy (CP) [RFC6484] to issue | CAs are required by the Certificate Policy (CP) [RFC6484] to issue | |||
| properly formed BGPsec Router Certificates regardless of what is | properly formed BGPsec Router Certificates regardless of what is | |||
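Review bot: New Section 3.4 cites RFC6481 inside a MUST ("a repository following RFC6481 MUST use a .cer filename extension") without brackets, and no [RFC6481] entry appears in the Section 8 reference lines shown in this diff; write it as [RFC6481] and add it under Normative References. The same section uses "BGPsec route certificates", "router EE certificate" and "BGPsec router certificate" for what Section 1 defines as "BGPsec Router Certificates"; use the defined term throughout so a reader does not take these for different certificate types.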
| skipping to change at page 9, line 52 ¶ | skipping to change at page 10, line 20 ¶ | |||
| instrumental in preparing this work. Additionally, we'd like to | instrumental in preparing this work. Additionally, we'd like to | |||
| thank Rob Austein, Roque Gagliano, Richard Hansen, Geoff Huston, | thank Rob Austein, Roque Gagliano, Richard Hansen, Geoff Huston, | |||
| David Mandelberg, Sandra Murphy, and Sam Weiller for their reviews | David Mandelberg, Sandra Murphy, and Sam Weiller for their reviews | |||
| and comments. | and comments. | |||
| 8. References | 8. References | |||
| 8.1. Normative References | 8.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, DOI | |||
| 10.17487/RFC2119, March 1997, <http://www.rfc- | ||||
| editor.org/info/rfc2119>. | ||||
| [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP | [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP | |||
| Addresses and AS Identifiers", RFC 3779, June 2004. | Addresses and AS Identifiers", RFC 3779, DOI | |||
| 10.17487/RFC3779, June 2004, <http://www.rfc- | ||||
| editor.org/info/rfc3779>. | ||||
| [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A Border | [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A Border | |||
| Gateway Protocol 4 (BGP-4)", RFC 4271, January 2006. | Gateway Protocol 4 (BGP-4)", RFC 4271, DOI | |||
| 10.17487/RFC4271, January 2006, <http://www.rfc- | ||||
| editor.org/info/rfc4271>. | ||||
| [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 5280, May 2008. | (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | |||
| <http://www.rfc-editor.org/info/rfc5280>. | ||||
| [RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for | [RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for | |||
| X.509 PKIX Resource Certificates", RFC 6487, February 2012. | X.509 PKIX Resource Certificates", RFC 6487, DOI | |||
| 10.17487/RFC6487, February 2012, <http://www.rfc- | ||||
| editor.org/info/rfc6487>. | ||||
| [RFC6818] Yee, P., "Updates to the Internet X.509 Public Key | [RFC6818] Yee, P., "Updates to the Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 6818, January 2013. | (CRL) Profile", RFC 6818, DOI 10.17487/RFC6818, January | |||
| 2013, <http://www.rfc-editor.org/info/rfc6818>. | ||||
| [ID.sidr-rfc6485bis] G. Huston and G. Michaelson, "The Profile for | [ID.sidr-rfc6485bis] G. Huston and G. Michaelson, "The Profile for | |||
| Algorithms and Key Sizes for use in the Resource Public Key | Algorithms and Key Sizes for use in the Resource Public Key | |||
| Infrastructure", draft-ietf-sidr-rfc6485bis, work-in- | Infrastructure", draft-ietf-sidr-rfc6485bis, work-in- | |||
| progress. | progress. | |||
| [ID.sidr-bgpsec-algs] S. Turner, "BGP Algorithms, Key Formats, & | [ID.sidr-bgpsec-algs] S. Turner, "BGP Algorithms, Key Formats, & | |||
| Signature Formats", draft-ietf-sidr-bgpsec-algs, work-in- | Signature Formats", draft-ietf-sidr-bgpsec-algs, work-in- | |||
| progress. | progress. | |||
| 8.2. Informative References | 8.2. Informative References | |||
| [RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis", | [RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis", | |||
| RFC 4272, January 2006. | RFC 4272, DOI 10.17487/RFC4272, January 2006, | |||
| <http://www.rfc-editor.org/info/rfc4272>. | ||||
| [RFC5123] White, R. and B. Akyol, "Considerations in Validating the | [RFC5123] White, R. and B. Akyol, "Considerations in Validating the | |||
| Path in BGP", RFC 5123, February 2008. | Path in BGP", RFC 5123, DOI 10.17487/RFC5123, February | |||
| 2008, <http://www.rfc-editor.org/info/rfc5123>. | ||||
| [RFC5492] Scudder, J. and R. Chandra, "Capabilities Advertisement | [RFC5492] Scudder, J. and R. Chandra, "Capabilities Advertisement | |||
| with BGP-4", RFC 5492, February 2009. | with BGP-4", RFC 5492, DOI 10.17487/RFC5492, February 2009, | |||
| <http://www.rfc-editor.org/info/rfc5492>. | ||||
| [RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support | [RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support | |||
| Secure Internet Routing", RFC 6480, February 2012. | Secure Internet Routing", RFC 6480, DOI 10.17487/RFC6480, | |||
| February 2012, <http://www.rfc-editor.org/info/rfc6480>. | ||||
| [RFC6482] Lepinski, M., Kent, S., and D. Kong, "A Profile for Route | [RFC6482] Lepinski, M., Kent, S., and D. Kong, "A Profile for Route | |||
| Origin Authorizations (ROAs)", RFC 6482, February 2012. | Origin Authorizations (ROAs)", RFC 6482, DOI | |||
| 10.17487/RFC6482, February 2012, <http://www.rfc- | ||||
| editor.org/info/rfc6482>. | ||||
| [RFC6484] Kent, S., Kong, D., Seo, K., and R. Watro, "Certificate | [RFC6484] Kent, S., Kong, D., Seo, K., and R. Watro, "Certificate | |||
| Policy (CP) for the Resource Public Key Infrastructure | Policy (CP) for the Resource Public Key Infrastructure | |||
| (RPKI)", BCP 173, RFC 6484, February 2012. | (RPKI)", BCP 173, RFC 6484, DOI 10.17487/RFC6484, February | |||
| 2012, <http://www.rfc-editor.org/info/rfc6484>. | ||||
| [RFC6486] Austein, R., Huston, G., Kent, S., and M. Lepinski, | [RFC6486] Austein, R., Huston, G., Kent, S., and M. Lepinski, | |||
| "Manifests for the Resource Public Key Infrastructure | "Manifests for the Resource Public Key Infrastructure | |||
| (RPKI)", RFC 6486, February 2012. | (RPKI)", RFC 6486, DOI 10.17487/RFC6486, February 2012, | |||
| <http://www.rfc-editor.org/info/rfc6486>. | ||||
| [RFC6916] Gagliano, R., Kent, S., and S. Turner, "Algorithm Agility | [RFC6916] Gagliano, R., Kent, S., and S. Turner, "Algorithm Agility | |||
| Procedure for the Resource Public Key Infrastructure | Procedure for the Resource Public Key Infrastructure | |||
| (RPKI)", BCP 182, RFC 6916, April 2013. | (RPKI)", BCP 182, RFC 6916, DOI 10.17487/RFC6916, April | |||
| 2013, <http://www.rfc-editor.org/info/rfc6916>. | ||||
| [ID.sidr-bgpsec-protocol] Lepinksi, M., "BGPsec Protocol | [ID.sidr-bgpsec-protocol] Lepinksi, M., "BGPsec Protocol | |||
| Specification", draft-ietf-sidr-bgpsec-protocol, work-in- | Specification", draft-ietf-sidr-bgpsec-protocol, work-in- | |||
| progress. | progress. | |||
| Appendix A. ASN.1 Module | Appendix A. ASN.1 Module | |||
| BGPSECEKU { iso(1) identified-organization(3) dod(6) internet(1) | BGPSECEKU { iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-bgpsec-eku(84) } | security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-bgpsec-eku(84) } | |||
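Review bot: The [ID.sidr-bgpsec-protocol] entry still spells the author "Lepinksi" on both sides, while the [RFC6480] and [RFC6482] entries in the same list spell it "Lepinski"; fix it while the reference list is being reworked. Several of the added URLs are also wrapped mid-hostname ("<http://www.rfc-" / "editor.org/info/rfc2119>"), which leaves the hyphen ambiguous at the line break; keep each URL on a single line.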
| End of changes. 21 change blocks. | ||||
| 24 lines changed or deleted | 61 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/