Internet Engineering Task Force (IETF)                       O. Borchert
Internet-Draft                                             D. Montgomery
Updates: 8205 (if approved)                                     USA NIST
Intended status: Standards Track
Expires: April 26, 2019                                 October 23, 2018


                   BGPsec Validation State Unverified
           draft-borchert-sidrops-bgpsec-state-unverified-00

Abstract

   In case operators decide to delay BGPsec path validation, none of the
   available validation states properly represents this decision.  This
   document introduces "Unverified" as a well-defined validation state
   which allows non-evaluated BGPsec routes to be properly identified as
   not verified.

Status of This Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
   2.  Suggested Reading
   3.  Initializing BGPsec Route
     3.1.  Changes to RFC 8205
   4.  Usage Considerations
   5.  Security Considerations
   6.  IANA Considerations
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Acknowledgements
   Authors' Addresses

1.  Introduction

   BGPsec path validation [RFC8205] provides well-defined validation
   states.  However, there are instances in which BGPsec routes are not
   immediately validated upon receipt.  This could be due to a
   configuration in which the operator chose to perform "Lazy
   Evaluation", or due to instances where the router configuration
   enables the operator to delay route validation during situations of
   unexpectedly high load such as DDoS attacks.  Here, the absence of a
   well-defined initialization state requires the use of a validation
   state that is otherwise well-defined, and therefore "waters down" the
   meaning of that state.

   Hence, this document updates RFC 8205 by adding the proposed
   validation state "Unverified".

1.1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  Suggested Reading

   It is assumed that the reader understands BGP [RFC4271] and the
   BGPsec Protocol Specification [RFC8205].

3.  Initializing BGPsec Route

   This document introduces the validation state "Unverified" to be used
   for BGPsec routes that have not otherwise been evaluated.

   To allow proper initialization, the following state is introduced:

   o  Unverified: Specifies the state of a BGPsec route for which no
      evaluation has been performed.

3.1.  Changes to RFC 8205

   The BGPsec protocol specification [RFC8205] suffers from the
   limitation described above in this document.  Section 5.1 of
   [RFC8205] specifies two states for BGPsec path validation:

      The validation procedure results in one of two states:
      'Valid' and 'Not Valid'.

   Also, Section 5.1 makes it clear that:

      BGPsec validation need only be performed at the eBGP edge.

   This document updates RFC 8205 such that:

      BGPsec routes MUST be initialized using the BGPsec validation
      state "Unverified" until proper evaluation of the BGPsec route has
      been performed.

4.  Usage Considerations

   The validation state "Unverified" allows operators to distinguish
   between evaluated BGPsec routes and non-evaluated BGPsec routes.
   This allows the operator to create policies that treat such routes
   differently from routes labeled with either validation state "Valid"
   or "Not Valid".

5.  Security Considerations

   This document introduces no new security concerns beyond what is
   described in [RFC8205].

6.  IANA Considerations

   This document has no IANA actions.

7.  References

7.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in
              RFC 2119 Key Words", BCP 14, RFC 8174,
              DOI 10.17487/RFC8174, May 2017.

   [RFC8205]  Lepinski, M., Ed., and K. Sriram, Ed., "BGPsec Protocol
              Specification", RFC 8205, DOI 10.17487/RFC8205,
              September 2017.

7.2.  Informative References

   [RFC4271]  Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
              Border Gateway Protocol 4 (BGP-4)", RFC 4271,
              DOI 10.17487/RFC4271, January 2006.

Acknowledgements

   The authors would like to acknowledge the valuable review and
   suggestions from K. Sriram on this document.

Authors' Addresses

   Oliver Borchert
   National Institute of Standards and Technology (NIST)
   100 Bureau Drive
   Gaithersburg, MD 20899
   United States of America

   Email: oliver.borchert@nist.gov


   Douglas Montgomery
   National Institute of Standards and Technology (NIST)
   100 Bureau Drive
   Gaithersburg, MD 20899
   United States of America

   Email: dougm@nist.gov
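As an added illustration (not part of this draft, and not code from the authors or NIST), the following Python model walks through the update in Section 3.1 together with the policy use described under Usage Considerations: every route starts out Unverified, evaluation is deferred while the router is overloaded ("Lazy Evaluation"), and the operator's policy treats Unverified as a class of its own instead of borrowing the Valid or Not Valid label. BGPsecRoute, LazyValidator, the LOCAL_PREF values and toy_path_check are constructed assumptions; toy_path_check merely stands in for the RFC 8205 signature verification.

```python
from dataclasses import dataclass
from enum import Enum

class ValidationState(Enum):
    UNVERIFIED = "Unverified"  # introduced by this draft: no evaluation performed yet
    VALID = "Valid"            # RFC 8205, Section 5.1
    NOT_VALID = "Not Valid"    # RFC 8205, Section 5.1

@dataclass
class BGPsecRoute:
    prefix: str
    as_path: tuple
    # Section 3.1 update: a route MUST start out Unverified until it is evaluated.
    state: ValidationState = ValidationState.UNVERIFIED

class LazyValidator:
    """Evaluates BGPsec routes on receipt, or later when the router is overloaded."""
    def __init__(self, path_check, overloaded=False):
        self.path_check = path_check  # stand-in for RFC 8205 signature verification
        self.overloaded = overloaded  # e.g. set during a DDoS-induced load spike
        self.pending = []

    def receive(self, route):
        if self.overloaded:  # Lazy Evaluation: defer, keeping the honest Unverified state
            self.pending.append(route)
            return route
        return self.evaluate(route)

    def evaluate(self, route):
        ok = self.path_check(route)
        route.state = ValidationState.VALID if ok else ValidationState.NOT_VALID
        return route

    def drain(self):
        """Evaluate every deferred route; returns how many were processed."""
        deferred, self.pending = self.pending, []
        for route in deferred:
            self.evaluate(route)
        return len(deferred)

# Usage Considerations: Unverified gets its own policy class, here a lower
# LOCAL_PREF than Valid, rather than borrowing the Valid or Not Valid label.
LOCAL_PREF = {ValidationState.VALID: 200, ValidationState.UNVERIFIED: 100,
              ValidationState.NOT_VALID: 50}

def local_pref(route):
    return LOCAL_PREF[route.state]

# Constructed stand-in for signature checking: only this AS path counts as correctly signed.
GOOD_PATHS = {(64500, 64501)}
def toy_path_check(route):
    return route.as_path in GOOD_PATHS
```

Without the Unverified state, the two deferred routes would have to carry Valid or Not Valid before any evaluation, and the policy could not tell them apart from routes that were actually checked.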