idnits 2.17.1 draft-ietf-sidr-roa-validation-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 16. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 450. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 461. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 468. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 474. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (August 7, 2008) is 5712 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Duplicate reference: draft-ietf-sidr-roa-format, mentioned in 'ID.ietf-rpsec-bgpsecrec', was also mentioned in 'I-D.ietf-sidr-roa-format'. Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 8 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Individual Submission G. Huston 3 Internet-Draft G. Michaelson 4 Intended status: Informational APNIC 5 Expires: February 8, 2009 August 7, 2008 7 Validation of Route Origination in BGP using the Resource Certificate 8 PKI 9 draft-ietf-sidr-roa-validation-00.txt 11 Status of this Memo 13 By submitting this Internet-Draft, each author represents that any 14 applicable patent or other IPR claims of which he or she is aware 15 have been or will be disclosed, and any of which he or she becomes 16 aware will be disclosed, in accordance with Section 6 of BCP 79. 18 Internet-Drafts are working documents of the Internet Engineering 19 Task Force (IETF), its areas, and its working groups. Note that 20 other groups may also distribute working documents as Internet- 21 Drafts. 23 Internet-Drafts are draft documents valid for a maximum of six months 24 and may be updated, replaced, or obsoleted by other documents at any 25 time. It is inappropriate to use Internet-Drafts as reference 26 material or to cite them other than as "work in progress." 28 The list of current Internet-Drafts can be accessed at 29 http://www.ietf.org/ietf/1id-abstracts.txt. 31 The list of Internet-Draft Shadow Directories can be accessed at 32 http://www.ietf.org/shadow.html. 34 This Internet-Draft will expire on February 8, 2009. 36 Copyright Notice 38 Copyright (C) The IETF Trust (2008). 40 Abstract 42 This document defines an application of the Resource Public Key 43 Infrastructure to validate the origination of routes advertised in 44 the Border Gateway Protocol. The proposed application is intended to 45 fit within the requirements for adding security to inter-domain 46 routing, including the ability to support incremental and piecemeal 47 deployment, and does not require any changes to the specification of 48 BGP. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 53 2. Validation Outcomes of a BGP Route Object . . . . . . . . . . 3 54 2.1. Decoupled Validation . . . . . . . . . . . . . . . . . . . 4 55 2.2. Linked Validation . . . . . . . . . . . . . . . . . . . . 5 56 3. Applying Validation Outcomes to BGP Route Selection . . . . . 6 57 3.1. Using Validation Outcomes to reject BGP advertisements . . 7 58 4. Open Issues . . . . . . . . . . . . . . . . . . . . . . . . . 8 59 5. Security Considerations . . . . . . . . . . . . . . . . . . . 9 60 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 61 7. Normative References . . . . . . . . . . . . . . . . . . . . . 9 62 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10 63 Intellectual Property and Copyright Statements . . . . . . . . . . 11 65 1. Introduction 67 This document defines an application of the Resource Public Key 68 Infrastructure (RPKI) to validate the origination of routes 69 advertised in the Border Gateway Protocol (BGP) [RFC4271]. 71 The RPKI is based on Resource Certificates. Resource Certificates 72 are X.509 certificates that conform to the PKIX profile [RFC5280], 73 and to the extensions for IP addresses and AS identifiers [RFC3779]. 74 A Resource Certificate describes an action by an Issuer that binds a 75 list of IP address blocks and Autonomous System (AS) numbers to the 76 Subject of a certificate, identified by the unique association of the 77 Subject's private key with the public key contained in the Resource 78 Certificate. The PKI is structured such that each current Resource 79 Certificate matches a current resource allocation or assignment. 80 This is described in [I-D.ietf-sidr-arch]. 82 Route Origin Authorizations (ROAs) are digitally signed objects that 83 bind an address to an AS number, signed by the address holder. A ROA 84 provides a means of verifying that an IP address block holder has 85 authorized an AS to originate route objects in the inter-domain 86 routing environment for that address block. ROAs are described in 87 [I-D.ietf-sidr-roa-format]. 89 Bogon Origin Attestations (BOAs) are digitally signed objects that 90 describe a collection of address prefixes and AS numbers that are not 91 authorised by the right-of-use holder to be advertised in the inter- 92 domain routing system [I-D.ietf-sidr-boa]. 94 This document describes how ROA and BOA validation outcomes can be 95 used in the BGP route selection process, and how the proposed 96 application of ROAs and BOAs are intended to fit within the 97 requirements for adding security to inter-domain routing 98 [ID.ietf-rpsec-bgpsecrec], including the ability to support 99 incremental and piecemeal deployment. This proposed application does 100 not require any changes to the specification of BGP protocol 101 elements. The application may be used as part of BGP's local route 102 selection algorithm [RFC4271]. 104 2. Validation Outcomes of a BGP Route Object 106 A BGP Route Object is an address prefix and a set of attributes. In 107 terms of ROA and BOA validation the prefix value and the origin AS 108 are used in the validation operation. 110 If the route object is an aggregate and the AS Path contains an AS 111 Set, then the origin AS is considered to be the AS described as the 112 AGGREGATOR [RFC4271] of the route object. 114 ROA validation is described in [I-D.ietf-sidr-roa-format], and the 115 outcome of the validation operation is that the ROA is valid in the 116 context of the RPKI, or validation has failed. 118 BOA validation is described in [I-D.ietf-sidr-boa], and the outcome 119 of the validation operation is that the BOA is valid in the context 120 of the RPKI, or validation has failed. 122 There appears to be two means of matching a route object to a ROA: 123 decoupled and linked. 125 2.1. Decoupled Validation 127 The decoupled approach is where the ROAs are managed and distributed 128 independently of the operation of the routing protocol and a local 129 BGP speaker has access to a local cache of the complete set of ROAs 130 and the RPKI data set when performing a validation operation. 132 In this case the BGP route object does not refer to a specific ROA. 133 The relying party to match a route object to one or more candidate 134 valid ROAs and BOAs in order to determine the appropriate local 135 actions to perform on the route object. 137 The relying party selects the set of ROAs where the address prefix in 138 the route object either exactly matches an ROAIPAddress (matching 139 both the address prefix value and the prefix length), or where the 140 route object spans a block of addresses that is included in the span 141 described by the ROA's address prefix value and length and where the 142 route object's prefix length is less than the ROA's prefix length and 143 greater then or equal to the ROA's corresponding maxLength attribute. 145 The following outcomes are possible using the defined ROA validation 146 procedure for each ROA in this set: 148 o An "exact match" is a valid ROA where the address prefix in the 149 route object exactly matches a prefix listed in the ROA and the 150 origin AS in the route object matches the origin AS listed in the 151 ROA. 153 o A "covering match" is a valid ROA where the address prefix in the 154 ROA is a covering aggregate of the prefix in the route object, and 155 the prefix length of the route object is greater than or equal to 156 the ROA's maxLength attribute, and the origin AS in the route 157 object matches the AS listed in the ROA. 159 o An "exact mismatch" is a ROA where the address prefix in the route 160 object exactly matches a prefix listed in the ROA and the origin 161 AS of the route object does not match the AS listed in the ROA. 163 o A "covering mismatch" is a ROA where the address prefix in the ROA 164 is a covering aggregate of the prefix in the route object, the 165 prefix length of the route object is greater than or equal to the 166 ROA's maxLength attribute, and the origin AS of the route object 167 does not match the AS listed in the ROA. 169 o "ROA missing" is where there are no exact or covering matches, no 170 exact or covering mismatches and no exact of covering failures in 171 the RPKI repository. 173 In this case the ROA that would be used for the validation function 174 is selected from the set such that the most specific valid ROA that 175 matches or covers the route object address prefix and where the route 176 object origin AS matches the ROA AS. If there is no such ROA in the 177 set, then the most specific valid ROA is selected. If there is no 178 such ROA in the set then the most specific ROA is selected. 180 The set of BOAs that are used in validation are composed of the set 181 of valid BOAs where the origin AS matches an AS described in a BOA, 182 or where the BOA's address prefix is an exact match or a covering 183 aggregate of the route object. In the case that the validation 184 outcome using ROAs is one of ("exact mismatch", "covering mismatch" 185 or "ROA missing"), then the validation outcome of the BOA changes the 186 overall validation result to "bogon match". 188 2.2. Linked Validation 190 The linked approach requires the route object to reference a ROA 191 either by inclusion of the ROA as an attribute of the route object, 192 or inclusion of a identity field in an attribute of the route object 193 as a means of identifying a particular ROA. The relying party will 194 still need check for BOAs that refer to this route object in the case 195 that an exact match or a covering match is not present. The set of 196 possible outcomes of linked validation is as follows: 198 o "exact match" 200 o "covering match" 202 o "exact mismatch" 204 o "covering mismatch" 205 o "bogon match" 207 o "ROA missing" 209 3. Applying Validation Outcomes to BGP Route Selection 211 Within the framework of the abstract model of BGP operation, a 212 received prefix announcement from a peer is compared to all 213 announcements for this prefix received from other peers and a route 214 selection procedure is used to select the "best" route object from 215 this candidate set which is then used locally by placing it in the 216 loc-RIB, and is announced to peers as the local "best" route. 218 It is proposed that the validation outcome be used as part of the 219 determination of the local degree of preference as defined in section 220 9.1.1 of the BGP specification [RFC4271]. 222 In the case of partial deployment of ROAs there are a very limited 223 set of circumstances where the outcome of ROA validation can be used 224 as grounds to reject all consideration of the route object as an 225 invalid advertisement. While the presence of a valid ROA that 226 matches the advertisement is a strong indication that an 227 advertisement matches the authority provided by the prefix holder to 228 advertise the prefix into the routing system, the absence of a ROA or 229 the invalidity of a covering ROA does not provide a conclusive 230 indication that the advertisement has been undertaken without the 231 address holder's permission, unless the object is described in a BOA. 233 In the case of a partial deployment scenario or RPKI route 234 attestation objects, when some prefixes are described in ROAs or BOAs 235 and others are not, then the relative ranking of validation outcomes 236 from the highest (most preferred) to the lowest (least preferred) 237 degree of preference are proposed as follows: 239 1. "exact match" 241 An exact match indicates that the prefix has been allocated and 242 is routeable, and that the prefix right-of-use holder has 243 authorized the originating AS to originate precisely this 244 announcement. 246 2. "covering match" 248 A covering match is slightly less preferred because it is 249 possible that the address holder of the aggregate has allocated 250 the prefix in question to a different party, and both the 251 aggregate address holder and the prefix holder have signed ROAs 252 and are advertising the prefix. 254 3. "ROA missing" 256 In the case of partial deployment of ROAs the absence of 257 validation credentials is neutral, in that there is no grounds to 258 increase or decrease the relative degree of preference for the 259 prefix. 261 4. "covering mismatch" 263 A covering mismatch is considered to be less preferable than a 264 neutral position in that the address holder of a covering 265 aggregate has indicated an originating AS that is not the 266 originating AS of this announcement. On the other hand it may be 267 the case that this prefix has been validly allocated to another 268 party who has not generated a ROA for this prefix even through 269 the announcement is valid. 271 5. An "exact mismatch" 273 Here the exact match prefix holder has validly provided an 274 authority for origination by an AS that is not the AS that is 275 originating this announcement. This would appear to be a bogus 276 announcement by inference. 278 6. "bogon match" 280 Here the right-of-use holder of the AS or address prefix has 281 explicitly tagged the address prefix or the AS as a "bogon". 282 This implies that the announcement has been made without the 283 appropriate authority, and the prefix should be ranked at a level 284 commensurate with rejecting the route object. 286 In the case of comprehensive deployment of ROAs the absence of a 287 specific origination authority for the route object should render it 288 as an unusable for routing. In this case the relative degree of 289 preference the relative local degree of preference can be adjusted 290 such that cases 3 through 5 of the above list have an equal level of 291 lesser preference. 293 3.1. Using Validation Outcomes to reject BGP advertisements 295 The use of a validation outcome of a missing ROA, or a covering or 296 exact mismatch as sufficient grounds to reject a route object should 297 be undertaken with care. The consideration here is one of potential 298 circularity of dependence. If the authoritative publication point of 299 the repository of ROAs or any certificates used to related to an 300 address prefix is stored at a location that lies within the address 301 prefix described in a ROA, then the repository can only be accessed 302 once a route for the prefix has been accepted. It is also noted that 303 the propagation time of RPKI objects may be different to the 304 propagation time of route objects in BGP, and that route objects may 305 be received before the relying party's local repository cache picks 306 up the associated ROAs and recognises them as valid within the RPKI. 308 For these reasons it is proposed that even in the case of 309 comprehensive deployment of ROAs a missing ROA or a mismatch should 310 not be considered as sufficient grounds to reject a route 311 advertisement. 313 4. Open Issues 315 This document provides a description of how ROAs and BOAs could be 316 used by a BGP speaker. 318 It is noted that the proposed procedure requires no changes to the 319 operation of BGP. 321 It is also noted that the decoupled and linked approach are not 322 mutually exclusive, and the same procedure can be applied to route 323 objects that contain an explicit pointer to the associated ROA and 324 route objects where the local BGP speaker has to create a set of 325 candidate ROAs that could be applied to a route object. However, 326 there are a number of questions about this approach that are not 327 resolved here. 329 Some open issues at this point are: 331 o When should validation of an advertised prefix be performed by a 332 BGP speaker? Is it strictly necessary to perform validation at a 333 point prior to loading the object into the Adj-RIB-In structure, 334 or once the object has been loaded into Adj-RIB-In, or at a later 335 time that is determined by a local configuration setting? Should 336 validation be performed each time a route object is updated by a 337 peer even when the origin AS has not altered? 339 o What is the lifetime of a validation outcome? When should the 340 routing object be revalidated? Should the validation outcome be 341 regarded as valid until the route object is withdrawn or further 342 updated, or should validation occur at more frequent intervals? 344 o Are there circumstances that would allow a route object to be 345 removed from further consideration in route selection upon a 346 validation failure, similar to the actions of Route Flap Damping? 348 o Can ROA validation be performed on a per-AS basis rather than a 349 per-BGP speaker? What BGP mechanisms would be appropriate to 350 support such a mode of operation? 352 o If a relying party had access to RPKI signed objects with 353 comparable semantics to a Route Registry's Route Object (RRRO), 354 namely the acknowledgement by an AS holder that it intends to 355 originate an advertisement for a specified address prefix, how 356 would this validation procedure be altered. Presumably these 357 signed RRROs would need to describe the complete set of address 358 prefixes that may be announced by this originating AS in order to 359 be of use in this context. Failure to match a valid RPKI RRRO 360 would then be commensurate with a "bogon match", namely rejection 361 of the route object, in a manner similar to the operation of a 362 filter list constructed from a Route Registry. 364 5. Security Considerations 366 [To be Completed - the intent of this validation approach is to 367 improve the level of confidence in route objects in the IDR domain. 368 It is noted that this approach does not allow for 'comprehensive' 369 validation given that there remains some issues of potential 370 circularity of dependence and time lags between the propagation of 371 information in the routing system and propagation of information in 372 the RPKI, and issues of treatment of unauthorised route objects in 373 the scenario of partial use of the RPKI. The consequence is that 374 ROAs can increase the confidence in the validity of route objects 375 that match a valid ROA, but cannot perform the opposite of explicitly 376 rejecting invalid route objects. To assist in the case of rejecting 377 invalid route objects the BOA has been used as a means of explicit 378 rejection of certain classes route objects. The implication is that 379 RRs should issue both ROAs and BOAs in order to provide the greatest 380 level of information that will allow relying parties to make 381 appropriate choices in terms of route preference selection.] 383 6. IANA Considerations 385 [There are no IANA considerations in this document at this stage. 386 Later iterations of this draft may propose to add a ROA identifier 387 into the BGP attribute set] 389 7. Normative References 391 [I-D.ietf-sidr-arch] 392 Lepinski, M., Kent, S., and R. Barnes, "An Infrastructure 393 to Support Secure Internet Routing", draft-ietf-sidr-arch 394 (work in progress), February 2008. 396 [I-D.ietf-sidr-boa] 397 Huston, G., Manderson, T., and G. Michaelson, "Profile for 398 Bogon Origin Attestations (BOAs)", draft-ietf-sidr-bogons 399 (work in progress), August 2008. 401 [I-D.ietf-sidr-roa-format] 402 Lepinski, M., Kent, S., and D. Kong, "An Infrastructure to 403 Support Secure Internet Routing", 404 draft-ietf-sidr-roa-format (work in progress), July 2008. 406 [ID.ietf-rpsec-bgpsecrec] 407 Christian, B. and T. Tauber, "BGP Security Requirements", 408 draft-ietf-sidr-roa-format (work in progress), 409 November 2007. 411 [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP 412 Addresses and AS Identifiers", RFC 3779, June 2004. 414 [RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway 415 Protocol 4 (BGP-4)", RFC 4271, January 2006. 417 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 418 Housley, R., and W. Polk, "Internet X.509 Public Key 419 Infrastructure Certificate and Certificate Revocation List 420 (CRL) Profile", RFC 5280, May 2008. 422 Authors' Addresses 424 Geoff Huston 425 Asia Pacific Network Information Centre 427 Email: gih@apnic.net 428 URI: http://www.apnic.net 430 George Michaelson 431 Asia Pacific Network Information Centre 433 Email: ggm@apnic.net 434 URI: http://www.apnic.net 436 Full Copyright Statement 438 Copyright (C) The IETF Trust (2008). 440 This document is subject to the rights, licenses and restrictions 441 contained in BCP 78, and except as set forth therein, the authors 442 retain all their rights. 444 This document and the information contained herein are provided on an 445 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 446 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 447 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 448 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 449 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 450 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 452 Intellectual Property 454 The IETF takes no position regarding the validity or scope of any 455 Intellectual Property Rights or other rights that might be claimed to 456 pertain to the implementation or use of the technology described in 457 this document or the extent to which any license under such rights 458 might or might not be available; nor does it represent that it has 459 made any independent effort to identify any such rights. Information 460 on the procedures with respect to rights in RFC documents can be 461 found in BCP 78 and BCP 79. 463 Copies of IPR disclosures made to the IETF Secretariat and any 464 assurances of licenses to be made available, or the result of an 465 attempt made to obtain a general license or permission for the use of 466 such proprietary rights by implementers or users of this 467 specification can be obtained from the IETF on-line IPR repository at 468 http://www.ietf.org/ipr. 470 The IETF invites any interested party to bring to its attention any 471 copyrights, patents or patent applications, or other proprietary 472 rights that may cover technology that may be required to implement 473 this standard. Please address the information to the IETF at 474 ietf-ipr@ietf.org. 476 Acknowledgment 478 Funding for the RFC Editor function is provided by the IETF 479 Administrative Support Activity (IASA).