idnits 2.17.1 draft-ietf-sidr-roa-format-08.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There are 3 instances of too long lines in the document, the longest one being 1 character in excess of 72. == There are 1 instance of lines with private range IPv4 addresses in the document. If these are generic example addresses, they should be changed to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x, 198.51.100.x or 203.0.113.x. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but does not include the phrase in its RFC 2119 key words list. -- The document seems to contain a disclaimer for pre-RFC5378 work, and may have content which was first submitted before 10 November 2008. The disclaimer is necessary when there are original authors that you have been unable to contact, or if some do not wish to grant the BCP78 rights to the IETF Trust. If you are able to get all authors (current and original) to grant those rights, you can and should remove the disclaimer; otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (November 8, 2010) is 4911 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '0' on line 133 == Unused Reference: 'ALGS' is defined on line 264, but no explicit reference was found in the text == Unused Reference: 'RESCERT' is defined on line 268, but no explicit reference was found in the text == Unused Reference: 'CP' is defined on line 281, but no explicit reference was found in the text == Unused Reference: 'REPOS' is defined on line 284, but no explicit reference was found in the text == Unused Reference: 'RFC4049' is defined on line 288, but no explicit reference was found in the text -- No information found for draft-ietf-sidr-rpki-alg - is the name correct? -- Possible downref: Normative reference to a draft: ref. 'ALGS' -- No information found for draft-ietf-sidr-rpki-signed-object - is the name correct? -- Possible downref: Normative reference to a draft: ref. 'SIGNOBJ' -- Obsolete informational reference (is this intentional?): RFC 4049 (Obsoleted by RFC 6019) Summary: 1 error (**), 0 flaws (~~), 8 warnings (==), 8 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Secure Inter-Domain Routing (sidr) M. Lepinski 2 Internet Draft S. Kent 3 Expires: May 8, 2011 D. Kong 4 Intended Status: Proposed Standard BBN Technologies 5 November 8, 2010 7 A Profile for Route Origin Authorizations (ROAs) 8 draft-ietf-sidr-roa-format-08.txt 10 Status of this Memo 12 This Internet-Draft is submitted to IETF in full conformance with the 13 provisions of BCP 78 and BCP 79. 15 Internet-Drafts are working documents of the Internet Engineering 16 Task Force (IETF), its areas, and its working groups. Note that 17 other groups may also distribute working documents as Internet- 18 Drafts. 20 Internet-Drafts are draft documents valid for a maximum of six months 21 and may be updated, replaced, or obsoleted by other documents at any 22 time. It is inappropriate to use Internet-Drafts as reference 23 material or to cite them other than as "work in progress." 25 The list of current Internet-Drafts can be accessed at 26 http://www.ietf.org/ietf/1id-abstracts.txt 28 The list of Internet-Draft Shadow Directories can be accessed at 29 http://www.ietf.org/shadow.html 31 This Internet-Draft will expire on January 28, 2011. 33 Copyright Notice 35 Copyright (c) 2010 IETF Trust and the persons identified as the 36 document authors. All rights reserved. 38 This document is subject to BCP 78 and the IETF Trust's Legal 39 Provisions Relating to IETF Documents 40 (http://trustee.ietf.org/license-info) in effect on the date of 41 publication of this document. Please review these documents 42 carefully, as they describe your rights and restrictions with respect 43 to this document. Code Components extracted from this document must 44 include Simplified BSD License text as described in Section 4.e of 45 the Trust Legal Provisions and are provided without warranty as 46 described in the Simplified BSD License. 48 Abstract 50 This document defines a standard profile for Route Origin 51 Authorizations (ROAs). A ROA is a digitally signed object that 52 provides a means of verifying that an IP address block holder has 53 authorized an Autonomous System (AS) to originate routes to that one 54 or more prefixes within the address block. 56 Table of Contents 58 1. Introduction...................................................2 59 1.1. Terminology...............................................3 60 2. The ROA ContentType............................................3 61 3. The ROA eContent...............................................3 62 3.1. version...................................................4 63 3.2. asID......................................................4 64 3.3. ipAddrBlocks..............................................4 65 4. ROA Validation.................................................5 66 5. Security Considerations........................................5 67 6. IANA Considerations............................................6 68 7. Acknowledgments................................................6 69 8. References.....................................................7 70 8.1. Normative References......................................7 71 8.2. Informative References....................................7 72 Authors' Addresses................................................8 73 Pre-5378 Material Disclaimer......................................8 75 1. Introduction 77 The primary purpose of the Internet IP Address and AS Number Resource 78 Public Key Infrastructure (RPKI) system is to improve routing 79 security. As part of this system, a mechanism is needed to allow 80 entities to verify that an AS has been given permission by an IP 81 address block holder to advertise routes to one or more prefixes 82 within that block. A ROA provides this function. 84 The ROA makes use of the template for RPKI digitally signed objects 85 [SIGNOBJ], which defines a Crytopgraphic Message Syntax (CMS) 86 [RFC5652] wrapper for the ROA content as well as a generic validation 87 procedure for RPKI signed objects. Therefore, to complete the 88 specification of the ROA (see Section 4 of [SIGNOBJ]), this document 89 defines: 91 1. The OID that identifies the signed object as being a ROA. (This 92 OID appears within the eContentType in the encapContentInfo 93 object as well as the ContentType signed attribute in the 94 signerInfo object.) 96 2. The ASN.1 syntax for the ROA eContent. (This is the payload 97 that specifies the AS being authorized to originate routes as 98 well as the prefixes to which the AS may originate routes.) 100 3. An additional step required to validate ROAs (in addition to 101 the validation steps specified in [SIGNOBJ]). 103 1.1. Terminology 105 It is assumed that the reader is familiar with the terms and concepts 106 described in "Internet X.509 Public Key Infrastructure Certificate 107 and Certificate Revocation List (CRL) Profile" [RFC5280] and "X.509 108 Extensions for IP Addresses and AS Identifiers" [RFC3779]. 110 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 111 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 112 document are to be interpreted as described in RFC-2119 [RFC2119]. 114 2. The ROA ContentType 116 The ContentType for a ROA is defined as routeOriginAttestation and 117 has the numerical value of 1.2.840.113549.1.9.16.1.24. 119 This OID must appear both within the eContentType in the 120 encapContentInfo object as well as the ContentType signed attribute 121 in the signerInfo object (see [SIGNOBJ]). 123 3. The ROA eContent 125 The content of a ROA identifies a single AS that has been authorized 126 by the address space holder to originate routes and a list of one or 127 more IP address prefixes that will be advertised. If the address 128 space holder needs to authorize multiple ASes to advertise the same 129 set of address prefixes, the holder issues multiple ROAs, one per AS 130 number. A ROA is formally defined as: 132 RouteOriginAttestation ::= SEQUENCE { 133 version [0] INTEGER DEFAULT 0, 134 asID ASID, 135 ipAddrBlocks SEQUENCE OF ROAIPAddressFamily } 137 ASID ::= INTEGER 138 ROAIPAddressFamily ::= SEQUENCE { 139 addressFamily OCTET STRING (SIZE (2..3)), 140 addresses SEQUENCE OF ROAIPAddress } 142 ROAIPAddress ::= SEQUENCE { 143 address IPAddress, 144 maxLength INTEGER OPTIONAL } 146 IPAddress ::= BIT STRING 148 Note that this content appears as the eContent within the 149 encapContentInfo (see [SIGNOBJ]). 151 3.1. version 153 The version number of the RouteOriginAttestation MUST be 0. 155 3.2. asID 157 The asID field contains the AS number that is authorized to originate 158 routes to the given IP address prefixes. 160 3.3. ipAddrBlocks 162 The ipAddrBlocks field encodes the set of IP address prefixes to 163 which the AS is authorized to originate routes. Note that the syntax 164 here is more restrictive than that used in the IP Address Delegation 165 extension defined in RFC 3779. That extension can represent arbitrary 166 address ranges, whereas ROAs need to represent only prefixes. 168 Within the ROAIPAddressFamily structure, addressFamily contains the 169 Address Family Identifier (AFI) of an IP address family. This 170 specification only supports IPv4 and IPv6. Therefore, addressFamily 171 MUST be either 0001 or 0002. 173 Within a ROAIPAddress structure, the addresses field represents 174 prefixes as a sequence of type IPAddress. (See [RFC3779] for more 175 details). If present, the maxLength must be an integer greater than 176 or equal to the length of the accompanying prefix and less than or 177 equal to the length (in bits) of an IP address in the address family 178 (32 for IPv4 and 128 for IPv6). When present, the maxLength specifies 179 the maximum length of IP address prefix that the AS is authorized to 180 advertise. (For example, if the IP Address prefix is 10.0/16 and the 181 maxLength is 24, the AS is authorized to advertise any more specific 182 prefix having length at most 24. That is, in this example, the AS 183 would be authorized to advertise 10.0/16, 10.0.128/20, or 184 10.0.255/24, but not 10.0.255.0/25.) When the maxLength is not 185 present, the AS is only authorized to advertise exactly the prefix 186 specified in the ROA. 188 Note that a valid ROA may contain an IP Address prefix (within a 189 ROAIPAddress element) that is encompassed by another IP Address 190 prefix (within a separate ROAIPAddress element). For example, a ROA 191 may contain the prefix 10.0/16 with maxLength 18, as well as the 192 prefix 10.0.0/24 with maxLength 24. (Such a ROA would authorize the 193 indicated AS to advertise any prefix beginning with 10.0 with length 194 at least 16 and no greater than 18, as well as the specific prefix 195 10.0.0/24.) Additionally, a ROA MAY contain two ROAIPAddress elements 196 where the IP Address prefix is identical in both cases. However, this 197 is NOT RECOMMENDED as in such a case the ROAIPAddress with the 198 shorter maxLength grants no additional privileges to the indicated AS 199 and thus can be omitted without changing the meaning of the ROA. 201 4. ROA Validation 203 Before a relying party can use a ROA to validate a routing 204 announcement, the relying party must first validate the ROA. To 205 validate a ROA the relying party MUST perform all the validation 206 checks specified in [SIGNOBJ] as well as the following additional 207 ROA-specific validation step. 209 1. The IP Address Delegation extension [RFC3779] is present in the EE 210 certificate (contained within the ROA) and each IP address 211 prefix(es) in ROA is contained within the set of IP addresses 212 specified by the EE certificate's IP address delegation extension. 214 5. Security Considerations 216 There is no assumption of confidentiality for the data in a ROA; it 217 is anticipated that ROAs will be stored in repositories that are 218 accessible to all ISPs, and perhaps to all Internet users. There is 219 no explicit authentication associated with a ROA, since the PKI used 220 for ROA validation provides authorization but not authentication. 221 Although the ROA is a signed, application layer object, there is no 222 intent to convey non-repudiation via a ROA. 224 The purpose of a ROA is to convey authorization for an AS to 225 originate a route to the prefix(es) in the ROA. Thus the integrity of 226 a ROA must be established. The ROA makes use of the CMS signed 227 message format for integrity, and thus inherits the security 228 considerations associated with that data structure. The right of the 229 ROA signer to authorize the target AS to originate routes to the 230 prefix(es) is established through use of the address space and AS 231 number PKI described in [ARCH]. Specifically one must verify the 232 signature on the ROA using an X.509 certificate issued under this 233 PKI, and check that the prefix(es) in the ROA match those in the 234 address space extension in the certificate. 236 6. IANA Considerations 238 None. 240 7. Acknowledgments 242 The authors wish to thank Charles Gardiner and Russ Housley for their 243 help and contributions. Additionally, the authors would like to thank 244 Rob Austein, Roque Gagliano, Danny McPherson and Sam Weiler for their 245 careful reviews and helpful comments. 247 8. References 249 8.1. Normative References 251 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 252 Requirement Levels", BCP 14, RFC 2119, March 1997. 254 [RFC5652] Housley, R., ''Cryptographic Message Syntax'', RFC 5652, 255 September 2009. 257 [RFC3779] Lynn, C., Kent, S., and Seo, K., ''X.509 Extensions for IP 258 Addresses and AS Identifiers'', RFC 3779, June 2004. 260 [RFC5280] Cooper, D., et. al., ''Internet X.509 Public Key 261 Infrastructure and Certificate Revocation List (CRL) 262 Profile'', RFC 5280, May 2008. 264 [ALGS] Huston, G., ''A Profile for Algorithms and Key Sizes for use 265 in the Resource Public Key Infrastructure'', draft-ietf- 266 sidr-rpki-alg, May 2010 268 [RESCERT] Huston, G., Michaelson, G., and Loomans, R., ''A Profile for 269 X.509 PKIX Resource Certificates'', draft-ietf-sidr-res- 270 certs, May 2010. 272 [SIGNOBJ] Lepinski, M., Chi, A., and Kent, S., ''Generic Signed 273 Objects for the Resource Public Key Infrastructure'', draft- 274 ietf-sidr-rpki-signed-object, September 2010. 276 8.2. Informative References 278 [ARCH] Lepinski, M. and Kent, S., "An Infrastructure to Support 279 Secure Internet Routing," draft-ietf-sidr-arch, July 2010. 281 [CP] Seo, K., et. al., ''A Certificate Policy for the Resource 282 PKI,'' draft-ietf-sidr-cp, July 2010. 284 [REPOS] Huston, G., Michaelson, G., and Loomans, R., "A Profile for 285 Resource Certificate Repository Structure", draft-ietf- 286 sidr-repos-struct, May 2010. 288 [RFC4049] Housley, R., ''BinaryTime: An Alternative Format for 289 Representing Time in ASN.1,'' RFC 4049, April 2005. 291 Authors' Addresses 293 Matt Lepinski 294 BBN Technologies 295 10 Moulton Street 296 Cambridge MA 02138 298 Email: mlepinski@bbn.com 300 Stephen Kent 301 BBN Technologies 302 10 Moulton Street 303 Cambridge MA 02138 305 Email: skent@bbn.com 307 Derrick Kong 308 BBN Technologies 309 10 Moulton Street 310 Cambridge MA 02138 312 Email: dkong@bbn.com 314 Pre-5378 Material Disclaimer 316 This document may contain material from IETF Documents or IETF 317 Contributions published or made publicly available before November 318 10, 2008. The person(s) controlling the copyright in some of this 319 material may not have granted the IETF Trust the right to allow 320 modifications of such material outside the IETF Standards Process. 321 Without obtaining an adequate license from the person(s) controlling 322 the copyright in such materials, this document may not be modified 323 outside the IETF Standards Process, and derivative works of it may 324 not be created outside the IETF Standards Process, except to format 325 it for publication as an RFC or to translate it into languages other 326 than English.