idnits 2.17.1 draft-ietf-sidr-bgpsec-rollover-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (March 21, 2016) is 2958 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-16) exists of draft-ietf-sidr-bgpsec-ops-07 == Outdated reference: A later version (-23) exists of draft-ietf-sidr-bgpsec-protocol-15 == Outdated reference: A later version (-16) exists of draft-ietf-sidr-rtr-keying-10 Summary: 0 errors (**), 0 flaws (~~), 4 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group R. Gagliano 3 Internet-Draft K. Patel 4 Intended status: Standards Track B. Weis 5 Expires: September 22, 2016 Cisco Systems 6 March 21, 2016 8 BGPsec Router Certificate Rollover 9 draft-ietf-sidr-bgpsec-rollover-05 11 Abstract 13 BGPsec will need to address the impact from regular and emergency 14 rollover processes for the BGPsec End-Entity (EE) certificates that 15 will be performed by Certificate Authorities (CAs) participating at 16 the Resource Public Key Infrastructure (RPKI). Rollovers of BGPsec 17 EE certificates must be carefully managed in order to synchronize 18 distribution of router public keys and the usage of those pubic keys 19 by BGPsec routers. This document provides general recommendations 20 for that process, as well as describing reasons why the rollover of 21 BGPsec EE certificates might be necessary. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at http://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on September 22, 2016. 40 Copyright Notice 42 Copyright (c) 2016 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (http://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Requirements notation . . . . . . . . . . . . . . . . . . . . 2 58 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 59 3. Key rollover in BGPsec . . . . . . . . . . . . . . . . . . . 3 60 3.1. A proposed process for BGPsec key rollover . . . . . . . 4 61 4. BGPsec key rollover as a measure against replays attacks in 62 BGPsec . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 63 4.1. BGPsec Replay attack window requirement . . . . . . . . . 6 64 4.2. BGPsec key rollover as a mechanism to protect against 65 replay attacks . . . . . . . . . . . . . . . . . . . . . 7 66 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 67 6. Security Considerations . . . . . . . . . . . . . . . . . . . 8 68 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 69 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 70 8.1. Normative References . . . . . . . . . . . . . . . . . . 8 71 8.2. Informative References . . . . . . . . . . . . . . . . . 8 72 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 74 1. Requirements notation 76 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 77 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 78 "OPTIONAL" in this document are to be interpreted as described in 79 [RFC2119]. 81 2. Introduction 83 In BGPsec, a key rollover (or re-keying) is the process of changing a 84 router's key pair (or pairs), issuing the corresponding new End- 85 Entity certificate and (if the old certificate is still valid) 86 revoking the old certificate. This process will need to happen at 87 regular intervals, normally due to local policies at each network. 88 This document provides general recommendations for that process. 89 Certificate Practice Statements (CPS) documents MAY reference these 90 recommendations. This memo only addresses changing of a router's key 91 pair within the RPKI. Refer to [RFC6489] for a procedure to rollover 92 RPKI Certificate Authority key pairs. 94 When a router receives or creates a new key pair (depending on the 95 key provisioning mechanism to be selected), this key pair will be 96 used to sign new BGPsec_Path attributes 98 [I-D.ietf-sidr-bgpsec-protocol] that are originated or that transit 99 through the BGP speaker. Additionally, the BGP speaker MUST refresh 100 its outbound BGPsec Update messages to include a signature using the 101 new key (replacing the replaced key). When the rollover process 102 finishes, the old BGPsec certificate (and its key) will not longer be 103 valid and thus any BGPsec Update that includes a BGPsec_Path 104 attribute with a signature performed by the old key will be invalid. 105 Consequently, if the router does not refresh its outbound BGPsec 106 Update messages, routing information may be treated as 107 unauthenticated after the rollover process is finished. It is 108 therefore extremely important that the BGPsec router key rollover be 109 performed such that the probability of new router EE certificates 110 have been distributed throughout the RPKI before the router begin 111 signing BGPsec_Path attributes with a new private key. 113 It is also important for an AS to minimize the BGPsec router key 114 rollover interval (i.e., in between the time an AS distributes an EE 115 certificate with a new public key and the time a BGPsec router begins 116 to use its new private key). This can be due to a need for a BGPsec 117 router to distribute BGPsec_Path attributes signed with a new private 118 key in order to invalidate BGPsec_Path attributes signed with the old 119 private key. In particular, if the AS suspects that a stale 120 BGPsec_Path attribute is being distributed instead of the most 121 recently signed attribute it can cause the stale BGPsec_Path 122 attribute to be invalidated by completing a key rollover procedure. 123 The BGPsec rollover interval can be minimized when an automated 124 certificate provisioning process such as Enrollment over Secure 125 Transport (EST) [RFC7030]) is used. 127 The Security Requirements for BGP Path Validation [RFC7353] also 128 describes the need for protecting against the replay of BGP UPDATE 129 messages, such as controlling BGPsec's window of exposure to replay 130 attacks. The BGPsec rollover method in this document can be used to 131 achieve this goal. 133 In [I-D.ietf-sidr-rtr-keying], the "operator-driven" method is 134 introduced, in which a key pair can be shared among different BGP 135 Speakers. In this scenario, the roll-over of the correspondent 136 BGPsec certificate will impact all the BGP Speakers sharing the same 137 private key. 139 3. Key rollover in BGPsec 141 An BGPsec EE certificate SHOULD be replaced when the following events 142 occur, and can be replaced for any other reason at the discretion of 143 the AS responsible for the EE certificate. 145 BGPsec scheduled rollover: BGPsec certificates have an expiration 146 date (NotValidAfter) that requires a frequent rollover process. 147 The validity period for these certificates is typically 148 expressed at the CA's CPS document. 150 BGPsec certificate fields changes: Information contained in a BGPsec 151 certificate (such as the ASN or the Subject) may need to be 152 changed. 154 BGPsec emergency rollover Some special circumstances (such as a 155 compromised key) may require the replacement of a BGPsec 156 certificate. 158 BGPsec signature anti-replay protection An AS may determine stale 159 BGPsec_Path attributes signed by the AS are being propagated 160 instead of the most recently signed BGPsec_Path attributes. 161 Changing the BGPsec router signing key, distributing a new 162 BGPsec EE certificate for the router,and revoking the old 163 BGPsec EE certificate will invalidate the replayed BGPsec_Path 164 attributes. 166 In some of these cases it is possible to generate a new certificate 167 without changing the key pair. This practice simplifies the rollover 168 process as the corresponding BGP speakers do not even need to be 169 aware of the changes to its correspondent certificate. However, not 170 replacing the certificate key for a long period of time increases the 171 risk that the router private key may be compromised. Distributing 172 the OLD public key in a new certificate is NOT RECOMMENDED when the 173 rollover event is due to the key has been compromised or stale 174 BGPsec_Path attribute signatures are being distributed. 176 3.1. A proposed process for BGPsec key rollover 178 The BGPsec key rollover process will be dependent on the key 179 provisioning mechanisms that are adopted by an AS. The key 180 provisioning mechanisms for BGPsec are not yet fully documented (see 181 [I-D.ietf-sidr-rtr-keying] as a work in progress document). It is 182 assumed that an automatic provisioning mechanism such as EST will be 183 in place as such a provisioning mechanism will allow BGPsec code to 184 include automatic re-keying scripts with minimum development cost. 186 If we work under the assumption that an automatic mechanism will 187 exist to rollover a BGPsec certificate, a RECOMMENDED process is as 188 follows. 190 1. New Certificate Publication: The first step in the rollover 191 mechanism is to publish the new public key in a new certificate. 192 In order to accomplish this goal, the new key pair and 193 certificate will need to be generated and published at the 194 appropriate RPKI repository publication point. The details of 195 this process will vary as they depend on whether the keys are 196 assigned per-BGP speaker or shared, whether the keys are 197 generated on each BGP speaker or in a central location and 198 whether the RPKI repository is locally or externally hosted. 200 2. Staging Period: A staging period will be required from the time a 201 new certificate is published in the RPKI global repository until 202 the time it is fetched by RPKI caches around the globe. The 203 exact minimum staging time will be dictated by the conventional 204 interval chosen between repository fetches. If rollovers will be 205 done more frequently, an administrator can provision two 206 certificates for every router concurrently with different valid 207 start times. In this case when the rollover operation is needed, 208 the relying parties around the globe would already have the new 209 keys. A staging period may not be possible to implement during 210 emergency key rollover, in which case routing information may be 211 lost. 213 3. Twilight: At this moment, the BGP speaker that holds the private 214 key that has been rolled-over will stop using the OLD key for 215 signing and start using the NEW key. Also, the router will 216 generate appropriate BGPsec_Path attributes just as in the 217 typical operation of refreshing out-bound BGP polices. This 218 operation may generate a great number of BGPsec_Path attributes 219 (due to the need to refresh BGP outbound policies). In any given 220 BGP SPEAKER, the Twilight moment may be different for every peer 221 in order to distribute the system load (probably in the order of 222 minutes to avoid reaching any expiration time). 224 4. Certificate Revocation: This is an optional step, but SHOULD be 225 taken when the goal is to invalidate signatures used with the OLD 226 key. Reasons to invalidate OLD signatures include when the AS 227 has reason to believe that the router signing key has been 228 compromised, and when the AS needs to invalidate BGPsec_Path 229 attribute signatures used with this key. As part of the rollover 230 process, a CA MAY decide to revoke the OLD certificate by 231 publishing its serial number on the CA's CRL. On the other side, 232 the CA will just let the OLD certificate to expire and not revoke 233 it. This choice will depend on the reasons that motivated the 234 rollover process. 236 5. RPKI-Router Protocol Withdrawals: At the expiration of the OLD 237 certificate's validation, the RPKI relying parties around the 238 globe will need to communicate to their router peers that the OLD 239 certificate's public key is not longer valid (e.g., using the 240 RPKI-Router Protocol described in [RFC6810]). It is not 241 documented yet what will be a router's reaction to a message with 242 the withdrawal bit set to 1 in the RPKI-Router Protocol, but it 243 should include the removal of any RIB entry that includes a 244 BGPsec attribute signed with that key and the generation of the 245 correspondent BGP WITHDRAWALs (either implicit or explicit). 247 The proposed rollover mechanism will depend on the existence of an 248 automatic provisioning process for BGPsec certificates. It will 249 require a staging mechanism based on the RPKI propagation time of 250 around 24 hours, and it will generate BGPsec_Path attributes for all 251 prefixes in the router been re-keyed. 253 The first two steps (New Certificate Publication and Staging Period) 254 may happen in advance of the rest of the process. This will allow a 255 network operator to accelerate its subsequent key roll-over. 257 When a new BGPsec certificate is generated without changing its key, 258 steps 3 (Twilight) and 5 (RPKI-Router Protocol Withdrawals) SHOULD 259 NOT be executed. 261 4. BGPsec key rollover as a measure against replays attacks in BGPsec 263 There are two typical generic measures to mitigate replay attacks in 264 any protocol: the addition of a timestamp or the addition of a serial 265 number. However neither BGP nor BGPsec provide either measure. This 266 section discusses the use of BGPsec Rollover as a measure to mitigate 267 replay attacks. 269 4.1. BGPsec Replay attack window requirement 271 In [RFC7353] Section 4.3, the need to limit the vulnerability to 272 replay attacks is described. One important comment is that during a 273 window of exposure, a replay attack is effective only in very 274 specific circumstances: there is a downstream topology change that 275 makes the signed AS path no longer current, and the topology change 276 makes the replayed route preferable to the route associated with the 277 new update. In particular, if there have been no topology change at 278 all, then no security threat comes from a replay of a BGPsec_Path 279 attribute because the signed information is still valid. 281 The BGPsec Ops document [I-D.ietf-sidr-bgpsec-ops] gives some ideas 282 of requirements for the size of the BGPsec windows of exposure to 283 replay attacks. At that document, it is stated that for the vast 284 majority of the prefixes, the requirement will be in the order of 285 days or weeks. 287 4.2. BGPsec key rollover as a mechanism to protect against replay 288 attacks 290 Since the window requirement is in the order of a day (as documented 291 in [I-D.ietf-sidr-bgpsec-ops]) and the BGP speaker re-keying is the 292 edge router of the origin AS, it is feasible for a BGPsec Rollover to 293 mitigate replays. In this case it is important to complete the full 294 process (i.e. the OLD and NEW certificate do not share the same key). 295 By re-keying an AS is letting the BGPsec certificate validation time 296 be a sort of "timestamp" against replay attacks. However, the use of 297 frequent key rollovers comes with an additional administrative cost 298 and risks if the process fails. As documented before, re-keying 299 should be supported by automatic tools and for the great majority of 300 the Internet it will be done with good lead time to correct any risk. 302 For a transit AS that also originates BGPsec_Path attributes for its 303 own prefixes, the key rollover process may generate a large number of 304 UPDATE messages (even the complete Default Free Zone or DFZ). For 305 this reason, it is recommended that routers in this scenario been 306 provisioned with two certificates: one to sign BGPsec_Path attributes 307 in transit and a second one to sign an BGPsec_Path attribute for 308 prefixes originated in its AS. Only the second certificate (for 309 prefixes originated in its AS) should be rolled-over frequently as a 310 means of limiting replay attach windows. The transit BGPsec 311 certificate is expected to be longer living than the origin BGPsec 312 certificate. 314 Advantage of Re-keying as replay attack protection mechanism: 316 1. All expiration policies are maintained in RPKI 318 2. Much of the additional administrative cost is paid by the 319 provider that wants to protect its infrastructure, as it bears 320 the human cost of creating and initiating distribution of new 321 router key pairs and router EE certificates. (It is true that 322 the cost of relying parties will be affected by the new objects, 323 but their responses should be completely automated or otherwise 324 routine.) 326 3. Can be implemented in coordination with planned topology changes 327 by either origin ASes or transit ASes (e.g., if an AS changes 328 providers, it completes a BGP Rollover) 330 Disadvantage of Re-keying as replay attack protection mechanism: 332 1. More administrative load due to frequent rollover, although how 333 frequent is still not clear. Some initial ideas in 334 [I-D.ietf-sidr-bgpsec-ops] 336 2. Minimum window size bounded by RPKI propagation time to RPKI 337 caches for new certificate and CRL (2x propagation time). If 338 provisioning is done ahead of time the minimum window size is 339 reduced (to 1x propagation time for the CRL). However, more 340 experimentation is needed when RPKI and RPs are more massively 341 deployed. 343 3. Increases dynamics and size of RPKI repository. 345 5. IANA Considerations 347 No IANA considerations 349 6. Security Considerations 351 Several possible reasons can cause routers participating in BGPsec to 352 replace rollover their signing keys and/or signatures containing 353 their current signature verification key. Some reasons are due to 354 the usual key management operations reasons (e.g.,key exposure, 355 change of certificate attributes, due to policy). However BGPsec 356 routers also may need to change their signing keys and associated 357 certificate as an anti-replay protection. 359 The BGPsec Rollover method allows for an expedient rollover process 360 when router certificates are distributed through the RPKI, but 361 without causing routing failures due to a receiving router not being 362 able to validate a BGPsec_Path attribute created by a router that is 363 the subject of the rollover. 365 7. Acknowledgements 367 We would like to acknowledge Randy Bush, Sriram Kotikalapudi, Stephen 368 Kent and Sandy Murphy. 370 8. References 372 8.1. Normative References 374 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 375 Requirement Levels", BCP 14, RFC 2119, 376 DOI 10.17487/RFC2119, March 1997, 377 . 379 8.2. Informative References 381 [I-D.ietf-sidr-bgpsec-ops] 382 Bush, R., "BGPsec Operational Considerations", draft-ietf- 383 sidr-bgpsec-ops-07 (work in progress), December 2015. 385 [I-D.ietf-sidr-bgpsec-protocol] 386 Lepinski, M. and K. Sriram, "BGPsec Protocol 387 Specification", draft-ietf-sidr-bgpsec-protocol-15 (work 388 in progress), March 2016. 390 [I-D.ietf-sidr-rtr-keying] 391 Bush, R. and K. Patel, "Router Keying for BGPsec", draft- 392 ietf-sidr-rtr-keying-10 (work in progress), November 2015. 394 [RFC6489] Huston, G., Michaelson, G., and S. Kent, "Certification 395 Authority (CA) Key Rollover in the Resource Public Key 396 Infrastructure (RPKI)", BCP 174, RFC 6489, 397 DOI 10.17487/RFC6489, February 2012, 398 . 400 [RFC6810] Bush, R. and R. Austein, "The Resource Public Key 401 Infrastructure (RPKI) to Router Protocol", RFC 6810, 402 DOI 10.17487/RFC6810, January 2013, 403 . 405 [RFC7030] Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed., 406 "Enrollment over Secure Transport", RFC 7030, 407 DOI 10.17487/RFC7030, October 2013, 408 . 410 [RFC7353] Bellovin, S., Bush, R., and D. Ward, "Security 411 Requirements for BGP Path Validation", RFC 7353, 412 DOI 10.17487/RFC7353, August 2014, 413 . 415 Authors' Addresses 417 Roque Gagliano 418 Cisco Systems 419 Avenue des Uttins 5 420 Rolle, VD 1180 421 Switzerland 423 Email: rogaglia@cisco.com 425 Keyur Patel 426 Cisco Systems 427 170 W. Tasman Drive 428 San Jose, CA 95134 429 CA 431 Email: keyupate@cisco.com 432 Brian Weis 433 Cisco Systems 434 170 W. Tasman Drive 435 San Jose, CA 95134 436 CA 438 Email: bew@cisco.com