| < draft-ietf-sidrops-bgpsec-algs-rfc8208-bis-01.txt | draft-ietf-sidrops-bgpsec-algs-rfc8208-bis-02.txt > | |||
|---|---|---|---|---|
| Internet Engineering Task Force (IETF) S. Turner | Internet Engineering Task Force (IETF) S. Turner | |||
| Internet-Draft sn3rd | Internet-Draft sn3rd | |||
| Updates: 8208 (if approved) O. Borchert | Updates: 8208 (if approved) O. Borchert | |||
| Intended status: Standards Track NIST | Intended status: Standards Track NIST | |||
| Expires: September 6, 2018 March 5, 2018 | Expires: March 9, 2019 September 5, 2018 | |||
| BGPsec Algorithms, Key Formats, and Signature Formats | BGPsec Algorithms, Key Formats, and Signature Formats | |||
| draft-ietf-sidrops-bgpsec-algs-rfc8208-bis-01 | draft-ietf-sidrops-bgpsec-algs-rfc8208-bis-02 | |||
| Abstract | Abstract | |||
| This document specifies the algorithms, algorithm parameters, | This document specifies the algorithms, algorithm parameters, | |||
| asymmetric key formats, asymmetric key sizes, and signature formats | asymmetric key formats, asymmetric key sizes, and signature formats | |||
| used in BGPsec (Border Gateway Protocol Security). This document | used in BGPsec (Border Gateway Protocol Security). This document | |||
| updates RFC 8208 ("BGPsec Algorithms, Key Formats, and Signature | updates RFC 8208 ("BGPsec Algorithms, Key Formats, and Signature | |||
| Formats") by adding Special-Use Algorithm IDs and correcting the | Formats") by adding Special-Use Algorithm IDs and correcting the | |||
| range of unassigned algorithms IDs to fill the complete range. | range of unassigned algorithms IDs to fill the complete range. | |||
| skipping to change at page 2, line 30 ¶ | skipping to change at page 2, line 30 ¶ | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.2. Changes from RFC 8208 . . . . . . . . . . . . . . . . . . 4 | 1.2. Changes from RFC 8208 . . . . . . . . . . . . . . . . . . 4 | |||
| 2. Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.1. Algorithm ID Types . . . . . . . . . . . . . . . . . . . . 4 | 2.1. Algorithm ID Types . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.2. Signature Algorithms . . . . . . . . . . . . . . . . . . . 5 | 2.2. Signature Algorithms . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.2.1. Algorithm ID 0x01 - (ECDSA-P256) . . . . . . . . . . . 5 | 2.2.1. Algorithm ID 0x01 - (ECDSA-P256) . . . . . . . . . . . 5 | |||
| 3. Asymmetric Key Pair Formats . . . . . . . . . . . . . . . . . 6 | 3. Asymmetric Key Pair Formats . . . . . . . . . . . . . . . . . 6 | |||
| 3.1. Asymmetric Key Pair for Algorithm ID 0x01 - (ECDSA-p256) . 6 | 3.1. Asymmetric Key Pair for Algorithm ID 0x01 - (ECDSA-P256) . 6 | |||
| 3.1.1. Public Key Format . . . . . . . . . . . . . . . . . . 6 | 3.1.1. Public Key Format . . . . . . . . . . . . . . . . . . 6 | |||
| 3.1.2. Private Key Format . . . . . . . . . . . . . . . . . . 6 | 3.1.2. Private Key Format . . . . . . . . . . . . . . . . . . 6 | |||
| 4. Signature Formats . . . . . . . . . . . . . . . . . . . . . . 6 | 4. Signature Formats . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 5. Additional Requirements . . . . . . . . . . . . . . . . . . . 6 | 5. Additional Requirements . . . . . . . . . . . . . . . . . . . 6 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . . 9 | 8.1. Normative References . . . . . . . . . . . . . . . . . . . 9 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . . 11 | 8.2. Informative References . . . . . . . . . . . . . . . . . . 11 | |||
| Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 12 | Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| skipping to change at page 4, line 10 ¶ | skipping to change at page 4, line 10 ¶ | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
| BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 1.2. Changes from RFC 8208 | 1.2. Changes from RFC 8208 | |||
| This section describes the significant changes between [RFC8208] and | This section describes the significant changes between [RFC8208] and | |||
| this document. | this document. | |||
| o Adding section 2.1 of algorithm ID types and what to do when these | o Added Section 2.1 of algorithm ID types. Also, the interpretation | |||
| IDs are observed. | of these IDs is described. | |||
| o Restructured Sections 2 and 3 to align with the corresponding | o Restructured Sections 2 and 3 to align with the corresponding | |||
| algorithm suite identifier value. | algorithm suite identifier value. | |||
| o Correction of range for unassigned algorithm suite identifier | o Correction of range for unassigned algorithm suite identifier | |||
| values. | values. | |||
| o Adding of Special-Use algorithm suite identifier values. | o Adding of Special-Use algorithm suite identifier values. | |||
| 2. Algorithms | 2. Algorithms | |||
| skipping to change at page 5, line 26 ¶ | skipping to change at page 5, line 26 ¶ | |||
| Special-Use algorithm IDs span from 0xFA (250) to 0xFE (254). To | Special-Use algorithm IDs span from 0xFA (250) to 0xFE (254). To | |||
| allow documentation and experimentation to accurately describe | allow documentation and experimentation to accurately describe | |||
| deployment examples, the use of publicly assigned algorithm IDs is | deployment examples, the use of publicly assigned algorithm IDs is | |||
| inappropriate, and a reserved block of Special-Use algorithm IDs | inappropriate, and a reserved block of Special-Use algorithm IDs | |||
| is required. This ensures that documentation and experimentation | is required. This ensures that documentation and experimentation | |||
| does not clash with assigned algorithm IDs in deployed networks, | does not clash with assigned algorithm IDs in deployed networks, | |||
| and mitigates the risks to operational integrity of the network | and mitigates the risks to operational integrity of the network | |||
| through inappropriate use of documentation to perform literal | through inappropriate use of documentation to perform literal | |||
| configuration of routing elements on production systems. A router | configuration of routing elements on production systems. A router | |||
| that encounters an algorithm ID of this type outside of an | that encounters an algorithm ID of this type outside of an | |||
| experimental network, SHOULD treat these type same as | experimental network, SHOULD treat it the same as | |||
| "unsupported algorithm" as specified in Section 5.2 of [RFC8205]. | "unsupported algorithm" as specified in Section 5.2 of [RFC8205]. | |||
| 2.2. Signature Algorithms | 2.2. Signature Algorithms | |||
| 2.2.1. Algorithm ID 0x01 - (ECDSA-P256) | 2.2.1. Algorithm ID 0x01 - (ECDSA-P256) | |||
| o The signature algorithm used MUST be the Elliptic Curve Digital | o The signature algorithm used MUST be the Elliptic Curve Digital | |||
| Signature Algorithm (ECDSA) with curve P-256 [RFC6090] [DSS]. | Signature Algorithm (ECDSA) with curve P-256 [RFC6090] [DSS]. | |||
| o The hash algorithm used MUST be SHA-256 [SHS]. | o The hash algorithm used MUST be SHA-256 [SHS]. | |||
| skipping to change at page 6, line 12 ¶ | skipping to change at page 6, line 12 ¶ | |||
| identifier value 0x01 (see Section 7) is included in the | identifier value 0x01 (see Section 7) is included in the | |||
| Signature_Block List's Algorithm Suite Identifier field. | Signature_Block List's Algorithm Suite Identifier field. | |||
| 3. Asymmetric Key Pair Formats | 3. Asymmetric Key Pair Formats | |||
| The key formats used to compute signatures on CA certificates, BGPsec | The key formats used to compute signatures on CA certificates, BGPsec | |||
| Router Certificates, and CRLs are as specified in Section 3 of | Router Certificates, and CRLs are as specified in Section 3 of | |||
| [RFC7935]. This section addresses key formats found in the BGPsec | [RFC7935]. This section addresses key formats found in the BGPsec | |||
| Router Certificate requests and in BGPsec Router Certificates. | Router Certificate requests and in BGPsec Router Certificates. | |||
| 3.1. Asymmetric Key Pair for Algorithm ID 0x01 - (ECDSA-p256) | 3.1. Asymmetric Key Pair for Algorithm ID 0x01 - (ECDSA-P256) | |||
| The ECDSA private keys used to compute signatures for certificate | The ECDSA private keys used to compute signatures for certificate | |||
| requests and BGPsec UPDATE messages MUST be associated with the P-256 | requests and BGPsec UPDATE messages MUST be associated with the P-256 | |||
| curve domain parameters [RFC5480]. The public key pair MUST use the | curve domain parameters [RFC5480]. The public key pair MUST use the | |||
| uncompressed form. | uncompressed form. | |||
| 3.1.1. Public Key Format | 3.1.1. Public Key Format | |||
| The Subject's public key is included in subjectPublicKeyInfo | The Subject's public key is included in subjectPublicKeyInfo | |||
| [RFC5280]. It has two sub-fields: algorithm and subjectPublicKey. | [RFC5280]. It has two sub-fields: algorithm and subjectPublicKey. | |||
| skipping to change at page 7, line 41 ¶ | skipping to change at page 7, line 41 ¶ | |||
| IANA is asked to modify the previously registered "Unassigned" | IANA is asked to modify the previously registered "Unassigned" | |||
| address space. | address space. | |||
| Algorithm Digest Signature Specification | Algorithm Digest Signature Specification | |||
| Suite Algorithm Algorithm Pointer | Suite Algorithm Algorithm Pointer | |||
| Identifier | Identifier | |||
| +------------+---------------+--------------+-----------------------+ | +------------+---------------+--------------+-----------------------+ | |||
| | 0x2-0xEF | Unassigned | Unassigned | | | | 0x2-0xEF | Unassigned | Unassigned | | | |||
| +------------+---------------+--------------+-----------------------+ | +------------+---------------+--------------+-----------------------+ | |||
| To be modified into: | To be modified to: | |||
| Algorithm Digest Signature Specification | Algorithm Digest Signature Specification | |||
| Suite Algorithm Algorithm Pointer | Suite Algorithm Algorithm Pointer | |||
| Identifier | Identifier | |||
| +------------+---------------+--------------+-----------------------+ | +------------+---------------+--------------+-----------------------+ | |||
| | 0x2-0xFA | Unassigned | Unassigned | | | | 0x2-0xFA | Unassigned | Unassigned | | | |||
| +------------+---------------+--------------+-----------------------+ | +------------+---------------+--------------+-----------------------+ | |||
| In addition IANA is asked to register the following address space for | In addition IANA is asked to register the following address space for | |||
| "Special-Use": | "Special-Use": | |||
| End of changes. 7 change blocks. | ||||
| 8 lines changed or deleted | 8 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||