< draft-ietf-sidrops-aspa-profile-00.txt		draft-ietf-sidrops-aspa-profile-01.txt >
	Network Working Group A. Azimov		Network Working Group A. Azimov
	Internet-Draft Yandex		Internet-Draft Yandex
	Intended status: Standards Track E. Uskov		Intended status: Standards Track E. Uskov
	Expires: November 18, 2019 Qrator Labs		Expires: May 7, 2020 Qrator Labs
	R. Bush		R. Bush
	Internet Initiative Japan		Internet Initiative Japan
	K. Patel		K. Patel
	Arrcus		Arrcus
	J. Snijders		J. Snijders
	NTT		NTT
	R. Housley		R. Housley
	Vigil Security		Vigil Security
	May 17, 2019		November 4, 2019
	A Profile for Autonomous System Provider Authorization		A Profile for Autonomous System Provider Authorization
	draft-ietf-sidrops-aspa-profile-00		draft-ietf-sidrops-aspa-profile-01
	Abstract		Abstract
	This document defines a standard profile for Autonomous System		This document defines a standard profile for Autonomous System
	Provider Authorization in the Resource Public Key Infrastructure. An		Provider Authorization in the Resource Public Key Infrastructure. An
	Autonomous System Provider Authorization is a digitally signed object		Autonomous System Provider Authorization is a digitally signed object
	that provides a means of verifying that a Customer Autonomous System		that provides a means of verifying that a Customer Autonomous System
	holder has authorized a Provider Autonomous System to be its upstream		holder has authorized members of Provider set to be its upstream
	provider and for the Provider to send prefixes received from the		providers and for the Providers to send prefixes received from the
	Customer Autonomous System in all directions including providers and		Customer Autonomous System in all directions including providers and
	peers.		peers.
	Requirements Language		Requirements Language
	The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",		The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
	"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and		"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
	"OPTIONAL" in this document are to be interpreted as described in BCP		"OPTIONAL" in this document are to be interpreted as described in BCP
	14 [RFC2119] [RFC8174] when, and only when, they appear in all		14 [RFC2119] [RFC8174] when, and only when, they appear in all
	capitals, as shown here.		capitals, as shown here.
	skipping to change at page 2, line 10 ¶		skipping to change at page 2, line 10 ¶
	Internet-Drafts are working documents of the Internet Engineering		Internet-Drafts are working documents of the Internet Engineering
	Task Force (IETF). Note that other groups may also distribute		Task Force (IETF). Note that other groups may also distribute
	working documents as Internet-Drafts. The list of current Internet-		working documents as Internet-Drafts. The list of current Internet-
	Drafts is at https://datatracker.ietf.org/drafts/current/.		Drafts is at https://datatracker.ietf.org/drafts/current/.
	Internet-Drafts are draft documents valid for a maximum of six months		Internet-Drafts are draft documents valid for a maximum of six months
	and may be updated, replaced, or obsoleted by other documents at any		and may be updated, replaced, or obsoleted by other documents at any
	time. It is inappropriate to use Internet-Drafts as reference		time. It is inappropriate to use Internet-Drafts as reference
	material or to cite them other than as "work in progress."		material or to cite them other than as "work in progress."
	This Internet-Draft will expire on November 18, 2019.		This Internet-Draft will expire on May 7, 2020.
	Copyright Notice		Copyright Notice
	Copyright (c) 2019 IETF Trust and the persons identified as the		Copyright (c) 2019 IETF Trust and the persons identified as the
	document authors. All rights reserved.		document authors. All rights reserved.
	This document is subject to BCP 78 and the IETF Trust's Legal		This document is subject to BCP 78 and the IETF Trust's Legal
	Provisions Relating to IETF Documents		Provisions Relating to IETF Documents
	(https://trustee.ietf.org/license-info) in effect on the date of		(https://trustee.ietf.org/license-info) in effect on the date of
	publication of this document. Please review these documents		publication of this document. Please review these documents
	skipping to change at page 2, line 35 ¶		skipping to change at page 2, line 35 ¶
	described in the Simplified BSD License.		described in the Simplified BSD License.
	Table of Contents		Table of Contents
	1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2		1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
	2. The ASPA Content Type . . . . . . . . . . . . . . . . . . . . 3		2. The ASPA Content Type . . . . . . . . . . . . . . . . . . . . 3
	3. The ASPA eContent . . . . . . . . . . . . . . . . . . . . . . 3		3. The ASPA eContent . . . . . . . . . . . . . . . . . . . . . . 3
	3.1. version . . . . . . . . . . . . . . . . . . . . . . . . . 4		3.1. version . . . . . . . . . . . . . . . . . . . . . . . . . 4
	3.2. AFI . . . . . . . . . . . . . . . . . . . . . . . . . . . 4		3.2. AFI . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
	3.3. customerASID . . . . . . . . . . . . . . . . . . . . . . 4		3.3. customerASID . . . . . . . . . . . . . . . . . . . . . . 4
	3.4. providerASID . . . . . . . . . . . . . . . . . . . . . . 4		3.4. providerASSET . . . . . . . . . . . . . . . . . . . . . . 4
	4. ASPA Validation . . . . . . . . . . . . . . . . . . . . . . . 5		4. ASPA Validation . . . . . . . . . . . . . . . . . . . . . . . 5
	5. ASN.1 Module for the ASPA Content Type . . . . . . . . . . . 5		5. ASN.1 Module for the ASPA Content Type . . . . . . . . . . . 5
	6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6		6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
	7. Security Considerations . . . . . . . . . . . . . . . . . . . 7		7. Security Considerations . . . . . . . . . . . . . . . . . . . 7
	8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 7		8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 7
	9. References . . . . . . . . . . . . . . . . . . . . . . . . . 7		9. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
	9.1. Normative References . . . . . . . . . . . . . . . . . . 7		9.1. Normative References . . . . . . . . . . . . . . . . . . 7
	9.2. Informative References . . . . . . . . . . . . . . . . . 8		9.2. Informative References . . . . . . . . . . . . . . . . . 8
	Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8		Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8
	1. Introduction		1. Introduction
	The primary purpose of the Resource Public Key Infrastructure (RPKI)		The primary purpose of the Resource Public Key Infrastructure (RPKI)
	is to improve routing security. (See [RFC6480] for more		is to improve routing security. (See [RFC6480] for more
	information.) As part of this infrastructure, a mechanism is needed		information.) As part of this infrastructure, a mechanism is needed
	to verify that a Provider AS (PAS) has permission from a Customer AS		to verify that a AS has permission from a Customer AS (CAS) holder to
	(CAS) holder to send routes in all directions. The digitally signed		send routes in all directions. The digitally signed Autonomous
	Autonomous System Provider Authorization (ASPA) object provides this		System Provider Authorization (ASPA) object provides this
	verification mechanism.		verification mechanism.
	The ASPA uses the template for RPKI digitally signed objects		The ASPA uses the template for RPKI digitally signed objects
	[RFC6488], which defines a Cryptographic Message Syntax (CMS)		[RFC6488], which defines a Cryptographic Message Syntax (CMS)
	[RFC5652] wrapper for the ASPA content as well as a generic		[RFC5652] wrapper for the ASPA content as well as a generic
	validation procedure for RPKI signed objects. As ASPAs need to be		validation procedure for RPKI signed objects. As ASPAs need to be
	validated with RPKI certificates issued by the current		validated with RPKI certificates issued by the current
	infrastructure, we assume the mandatory-to-implement algorithms in		infrastructure, we assume the mandatory-to-implement algorithms in
	[RFC6485], or its successor.		[RFC6485], or its successor.
	skipping to change at page 3, line 41 ¶		skipping to change at page 3, line 41 ¶
	The content-type for an ASPA is defined as id-cct-ASPA, which has the		The content-type for an ASPA is defined as id-cct-ASPA, which has the
	numerical value of 1.2.840.113549.1.9.16.1.TBD. This OID MUST appear		numerical value of 1.2.840.113549.1.9.16.1.TBD. This OID MUST appear
	both within the eContentType in the encapContentInfo structure as		both within the eContentType in the encapContentInfo structure as
	well as the content-type signed attribute within the signerInfo		well as the content-type signed attribute within the signerInfo
	structure (see [RFC6488]).		structure (see [RFC6488]).
	3. The ASPA eContent		3. The ASPA eContent
	The content of an ASPA identifies the Customer AS (CAS) as well as		The content of an ASPA identifies the Customer AS (CAS) as well as
	the Provider AS (PAS) that is authorized to further propagate		the Set of Provider ASes (SPAS) that are authorized to further
	announcements received from the customer. If customer has multiple		propagate announcements received from the customer. If customer has
	providers, it issues multiple ASPAs, one for each provider AS. An		multiple providers they SHOULD be registered in a single ASPA object.
	ASPA is formally defined as:		An ASPA is formally defined as:
	ct-ASPA CONTENT-TYPE ::=		ct-ASPA CONTENT-TYPE ::=
	{ ASProviderAttestation IDENTIFIED BY id-ct-ASPA }		{ ASProviderAttestation IDENTIFIED BY id-ct-ASPA }
	id-ct-ASPA OBJECT IDENTIFIER ::= { id-ct TBD }		id-ct-ASPA OBJECT IDENTIFIER ::= { id-ct TBD }
	ASProviderAttestation ::= SEQUENCE {		ASProviderAttestation ::= SEQUENCE {
	version [0] ASPAVersion DEFAULT v0,		version [0] ASPAVersion DEFAULT v0,
	AFI AddressFamilyIdentifier,		AFI AddressFamilyIdentifier,
	customerASID ASID,		customerASID ASID,
	providerASID ASID }		providerASSET SEQUENCE (SIZE(1..MAX)) OF ASID }
	ASPAVersion ::= INTEGER { v0(0) }		ASPAVersion ::= INTEGER { v0(0) }
	AddressFamilyIdentifier ::= INTEGER		AddressFamilyIdentifier ::= INTEGER
	ASID ::= INTEGER		ASID ::= INTEGER
	Note that this content appears as the eContent within the		Note that this content appears as the eContent within the
	encapContentInfo as specified in [RFC6488].		encapContentInfo as specified in [RFC6488].
	skipping to change at page 4, line 39 ¶		skipping to change at page 4, line 39 ¶
	3.2. AFI		3.2. AFI
	The AFI field contains Address Family Identifier for which the		The AFI field contains Address Family Identifier for which the
	relation between customer and provider ASes is authorized. Presently		relation between customer and provider ASes is authorized. Presently
	defined values for the Address Family Identifier field are specified		defined values for the Address Family Identifier field are specified
	in the IANA's Address Family Numbers registry [IANA-AF].		in the IANA's Address Family Numbers registry [IANA-AF].
	3.3. customerASID		3.3. customerASID
	The customerASID field contains the AS number of the Autonomous		The customerASID field contains the AS number of the Autonomous
	System that authorizes an upstream provider (listed in the		System that authorizes an upstream providers (listed in the
	providerASId) to propagate prefixes in the specified address family		providerASSET) to propagate prefixes in the specified address family
	other ASes.		other ASes.
	3.4. providerASID		3.4. providerASSET
	The providerASID contains the AS number that is authorized to further		The providerASSET contains the sequence (set) of AS numbers that are
	propagate announcements in the specified address family received from		authorized to further propagate announcements in the specified
	the customer.		address family received from the customer.
	4. ASPA Validation		4. ASPA Validation
	Before a relying party can use an ASPA to validate a routing		Before a relying party can use an ASPA to validate a routing
	announcement, the relying party MUST first validate the ASPA object		announcement, the relying party MUST first validate the ASPA object
	itself. To validate an ASPA, the relying party MUST perform all the		itself. To validate an ASPA, the relying party MUST perform all the
	validation checks specified in [RFC6488] as well as the following		validation checks specified in [RFC6488] as well as the following
	additional ASPA-specific validation step.		additional ASPA-specific validation step.
	o The autonomous system identifier delegation extension [RFC3779] is		o The autonomous system identifier delegation extension [RFC3779] is
	skipping to change at page 6, line 36 ¶		skipping to change at page 6, line 36 ¶
	id-ct-ASPA OBJECT IDENTIFIER ::= { id-ct TBD }		id-ct-ASPA OBJECT IDENTIFIER ::= { id-ct TBD }
	ct-ASPA CONTENT-TYPE ::=		ct-ASPA CONTENT-TYPE ::=
	{ TYPE ASProviderAttestation IDENTIFIED BY id-ct-ASPA }		{ TYPE ASProviderAttestation IDENTIFIED BY id-ct-ASPA }
	ASProviderAttestation ::= SEQUENCE {		ASProviderAttestation ::= SEQUENCE {
	version [0] ASPAVersion DEFAULT v0,		version [0] ASPAVersion DEFAULT v0,
	AFI AddressFamilyIdentifier,		AFI AddressFamilyIdentifier,
	customerASID ASID,		customerASID ASID,
	providerASID ASID }		providerASSET SEQUENCE (SIZE(1..MAX)) OF ASID }
	ASPAVersion ::= INTEGER { v0(0) }		ASPAVersion ::= INTEGER { v0(0) }
	AddressFamilyIdentifier ::= INTEGER		AddressFamilyIdentifier ::= INTEGER
	ASID ::= INTEGER		ASID ::= INTEGER
	END		END
	6. IANA Considerations		6. IANA Considerations
End of changes. 13 change blocks.
	22 lines changed or deleted		22 lines changed or added
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/