idnits 2.17.1 

draft-ietf-sidr-rpki-grandparenting-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == The page length should not exceed 58 lines per page, but there was 1
     longer page, the longest (page 2) being 60 lines


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack separate sections for Informative/Normative
     References.  All references will be assumed normative when checking for
     downward references.

  == There are 2 instances of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be changed.

  == There are 1 instance of lines with private range IPv4 addresses in the
     document.  If these are generic example addresses, they should be changed
     to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x,
     198.51.100.x or 203.0.113.x.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (October 2012) is 4211 days in the past.  Is this
     intentional?


  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  == Unused Reference: 'I-D.ietf-sidr-bgpsec-pki-profiles' is defined on line
     145, but no explicit reference was found in the text

  == Outdated reference: A later version (-21) exists of
     draft-ietf-sidr-bgpsec-pki-profiles-03

  == Outdated reference: A later version (-23) exists of
     draft-ietf-sidr-origin-ops-19


     Summary: 1 error (**), 0 flaws (~~), 7 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                            R. Bush
3	Internet-Draft                                 Internet Initiative Japan
4	Intended status: Informational                              October 2012
5	Expires: April 02, 2013

7	                 Responsible Grandparenting in the RPKI
8	                 draft-ietf-sidr-rpki-grandparenting-00

10	Abstract

12	   There are circumstances in RPKI operations where a resource holder's
13	   parent may not be able to, or may not choose to, facilitate full and
14	   proper registration of the holder's data.  As in real life, the
15	   holder may form a relationship with their grandparent who is willing
16	   to aid the grandchild.  This document describes simple procedures for
17	   doing so.

19	Status of This Memo

21	   This Internet-Draft is submitted in full conformance with the
22	   provisions of BCP 78 and BCP 79.

24	   Internet-Drafts are working documents of the Internet Engineering
25	   Task Force (IETF).  Note that other groups may also distribute
26	   working documents as Internet-Drafts.  The list of current Internet-
27	   Drafts is at http://datatracker.ietf.org/drafts/current/.

29	   Internet-Drafts are draft documents valid for a maximum of six months
30	   and may be updated, replaced, or obsoleted by other documents at any
31	   time.  It is inappropriate to use Internet-Drafts as reference
32	   material or to cite them other than as "work in progress."

34	   This Internet-Draft will expire on April 02, 2013.

36	Copyright Notice

38	   Copyright (c) 2012 IETF Trust and the persons identified as the
39	   document authors.  All rights reserved.

41	   This document is subject to BCP 78 and the IETF Trust's Legal
42	   Provisions Relating to IETF Documents (http://trustee.ietf.org/
43	   license-info) in effect on the date of publication of this document.
44	   Please review these documents carefully, as they describe your rights
45	   and restrictions with respect to this document.  Code Components
46	   extracted from this document must include Simplified BSD License text
47	   as described in Section 4.e of the Trust Legal Provisions and are
48	   provided without warranty as described in the Simplified BSD License.

50	Table of Contents

52	   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
53	   2.  Suggested Reading  . . . . . . . . . . . . . . . . . . . . . .  2
54	   3.  What to Do . . . . . . . . . . . . . . . . . . . . . . . . . .  2
55	   4.  Security Considerations  . . . . . . . . . . . . . . . . . . .  3
56	   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  3
57	   6.  References . . . . . . . . . . . . . . . . . . . . . . . . . .  3
58	   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . .  4

60	1.  Introduction

62	   There are circumstances in RPKI operations where a resource holder's
63	   parent may not be able to, or may not choose to, facilitate full and
64	   proper registration of the holder's data.  As in real life, the
65	   holder may form a relationship with their grandparent who is willing
66	   to aid the grandchild.  This document describes simple procedures for
67	   doing so.

69	   An example might be when provider A allowed a child, C, to move to
70	   other provider(s) and keep their address space, either temporarily or
71	   permanently, and C's child, G, wished to stay with provider A.

73	   Or a child, C, in the process of going out of business might place
74	   their grandchildren in precarious circumstances until they can re-
75	   home.  The grandparent, without disturbing the child's data, could
76	   simply issue ROAs for the grandchildren, or issue certificates for
77	   those willing to manage their own rpki data.

79	   Certification Authorities with a large number of children, e.g.  very
80	   large ISPs or RIRs, might offer documented grandparenting processes
81	   and/or agreements.  This might reassure grandchildren with worries
82	   about irresponsible parents.

84	   Other examples occur in administrative hierarchies, such as large
85	   organizations or military and other government hierarchies, when A's
86	   child C wishes to manage their own data but does not wish the
87	   technical or administrative burden of managing their children's, Gs',
88	   data.

90	2.  Suggested Reading

92	   It is assumed that the reader understands the RPKI, see [RFC6480],
93	   ROAs, see [RFC6482], BGPSEC Router Certificates, see [I-D.ietf-sidr-
94	   bgpsec-pki-profiles], and the operational guidance for origin
95	   validation, [I-D.ietf-sidr-origin-ops].

97	3.  What to Do

99	   A hypothetical example might be that A has the rights to 10.0.0.0/8,
100	   has delegated 10.42.0.0/16 to their child C, who delegated 10.42.2.0/
101	   23 to their child G.  C has changed providers and kept, with A's
102	   consent, 10.42.0.0/16, but G wishes to stay with A and keep 10.42.2.0
103	   /23.

105	   Perhaps there are also AS resources involved, and G wishes to issue
106	   Router Certificates for their AS(s).

108	   Managing RPKI data in such relationships is simple, but should be
109	   done carefully.

111	   First, using whatever administrative and/or contractual procedures
112	   are appropriate in the local hierarchy, the grandparent, A, should
113	   ensure their relationship to the grandchild, G, and that G has the
114	   right to the resources which they wish to have registered.  These are
115	   local matters between A and G.

117	   Although A has the rights over their child's, C's, resources, it
118	   would be prudent and polite to ensure that C agrees to A forming a
119	   relationship to G.  Again, these are local matters between A, C, and
120	   G.  Often, no one outside of one of these bi-lateral relationships
121	   actually knows the agreement between the parties.

123	   Then, it is trivial within the RPKI for A to certify G's data, even
124	   though it is a subset of the resources A delegated to C.  A may
125	   certify G's resources, or issue one or more EE certificates and ROAs
126	   for G's resources.  Which is done is a local matter between A and G.

128	4.  Security Considerations

130	   This operational practice presents no technical security threats
131	   beyond those of the relevant RPKI specifications.

133	   There are threats of social engineering by G, lying to A about their
134	   relationship to and rights gained from C.

136	   There are also threats of social engineering by C, attempting to
137	   prevent A from giving rights to G which G legitimately deserves.

139	5.  IANA Considerations

141	   This document has no IANA Considerations.

143	6.  References

145	   [I-D.ietf-sidr-bgpsec-pki-profiles]
146	              Reynolds, M., Turner, S. and S. Kent, "A Profile for
147	              BGPSEC Router Certificates, Certificate Revocation Lists,
148	              and Certification Requests", Internet-Draft draft-ietf-
149	              sidr-bgpsec-pki-profiles-03, April 2012.

151	   [I-D.ietf-sidr-origin-ops]
152	              Bush, R., "RPKI-Based Origin Validation Operation",
153	              Internet-Draft draft-ietf-sidr-origin-ops-19, August 2012.

155	   [RFC6480]  Lepinski, M. and S. Kent, "An Infrastructure to Support
156	              Secure Internet Routing", RFC 6480, February 2012.

158	   [RFC6482]  Lepinski, M., Kent, S. and D. Kong, "A Profile for Route
159	              Origin Authorizations (ROAs)", RFC 6482, February 2012.

161	Author's Address

163	   Randy Bush
164	   Internet Initiative Japan
165	   5147 Crystal Springs
166	   Bainbridge Island, Washington 98110
167	   US

169	   Email: randy@psg.com