Network Working Group                                            R. Bush
Internet-Draft                                 Internet Initiative Japan
Intended status: Standards Track                              R. Austein
Expires: December 31, 2012                          Dragon Research Labs
                                                                K. Patel
                                                           Cisco Systems
                                                              H. Gredler
                                                  Juniper Networks, Inc.
                                                            M. Waehlisch
                                                               FU Berlin
                                                               July 2012

                    RPKI Router Implementation Report
                    draft-ietf-sidr-rpki-rtr-impl-01

Abstract

   This document provides an implementation report for the RPKI Router
   protocol as defined in [I-D.ietf-sidr-rpki-rtr].  The editor did not
   verify the accuracy of the information provided by respondents or by
   any alternative means.  The respondents are experts with the
   implementations they reported on, and their responses are considered
   authoritative for the implementations their responses represent.
   Respondents were asked to only use the YES answer if the feature had
   at least been tested in the lab.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to
   be interpreted as described in RFC 2119 [RFC2119] only when they
   appear in all upper case.  They may also appear in lower or mixed
   case as English words, without any normative meaning.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 31, 2012.
Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (http://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Implementation Forms
   3.  Protocol Data Units
   4.  Protocol Sequence
   5.  Protocol Transport
   6.  Error Codes
   7.  Incremental Updates Support
   8.  Session ID Support
   9.  Incremental Session Startup Support
   10. Interoperable Implementations
       10.1.  Cisco Implementation
       10.2.  Juniper Implementation
       10.3.  rpki.net Implementation
       10.4.  RIPE NCC Implementation
       10.5.  RTRlib Implementation
       10.6.  BBN RPSTIR Implementation
   11. IANA Considerations
   12. Security Considerations
   13. Acknowledgements
   14. References
   Authors' Addresses

1.  Introduction

   In order to formally validate the origin ASs of BGP announcements,
   routers need a simple but reliable mechanism to receive RPKI
   [I-D.ietf-sidr-rpki-rtr] prefix origin data from a trusted cache.
   The RPKI Router protocol defined in [I-D.ietf-sidr-rpki-rtr] provides
   a mechanism to deliver validated prefix origin data to routers.

   This document provides an implementation report for the RPKI Router
   protocol as defined in [I-D.ietf-sidr-rpki-rtr].

   The editor did not verify the accuracy of the information provided by
   respondents or by any alternative means.  The respondents are experts
   with the implementations they reported on, and their responses are
   considered authoritative for the implementations their responses
   represent.  Respondents were asked to only use the YES answer if the
   feature had at least been tested in the lab.

2.  Implementation Forms

   Contact and implementation information for the person filling out
   this form:

   IOS       Name: Keyur Patel, Email: keyupate@cisco.com, Vendor: Cisco
             Systems, Inc., Release: IOS

   XR        Name: Forhad Ahmed, Email: foahmed@cisco.com, Vendor: Cisco
             Systems, Inc.,
             Release: IOS-XR

   JUNOS     Name: Hannes Gredler, Email: hannes@juniper.net, Vendor:
             Juniper Networks, Inc., Release: JUNOS

   rpki.net  Name: Rob Austein, Email: sra@hactrn.net, Vendor: rpki.net
             project, Release: http://subvert-rpki.hactrn.net/trunk/

   NCC       Name: Tim Bruijnzeels, Email: tim@ripe.net, Vendor: RIPE NCC,
             Release: RIPE NCC validator-app 2.0.0 https://
             certification.ripe.net/content/public-repo/releases/net/ripe/
             rpki-validator/rpki-validator-app/2.0.0/rpki-validator-
             app-2.0.0-bin.zip

   RTRlib    Name: Fabian Holler, Matthias Waehlisch, Email:
             waehlisch@ieee.org, Vendor: HAW Hamburg, FU Berlin, RTRlib
             project, Release: RTRlib 0.2 http://rpki.realmv6.org/

   BBN       Name: David Mandelberg, Andrew Chi, Email: dmandelb@bbn.com,
             achi@bbn.com, Vendor: Raytheon/BBN Technologies, Release:
             RPSTIR 0.2 http://sourceforge.net/projects/rpstir/

3.  Protocol Data Units

   Does the implementation support the Protocol Data Units (PDUs)
   described in Section 5 of [I-D.ietf-sidr-rpki-rtr]?

   +--------------------+-----+-----+-------+----------+-----------+--------+----------+
   |                    | IOS | XR  | JUNOS | rpki.net | NCC       | RTRlib | BBN      |
   +--------------------+-----+-----+-------+----------+-----------+--------+----------+
   | Rcv. Serial Notify | YES | YES | YES   | YES      | UNIT TEST | YES    | SYS TEST |
   | Snd. Serial Notify | NO  | NO  | NO    | YES      | YES       | NO     | YES      |
   | Rcv. Serial Query  | NO  | NO  | NO    | YES      | YES       | NO     | YES      |
   | Snd. Serial Query  | YES | YES | YES   | YES      | UNIT TEST | YES    | SYS TEST |
   | Rcv. Reset Query   | NO  | NO  | NO    | YES      | YES       | NO     | YES      |
   | Snd. Reset Query   | YES | YES | YES   | YES      | UNIT TEST | YES    | SYS TEST |
   | Rcv. Cache Resp.   | YES | YES | YES   | YES      | UNIT TEST | YES    | SYS TEST |
   | Snd. Cache Resp.   | NO  | NO  | NO    | YES      | YES       | NO     | YES      |
   | Rcv. IPv4 Prefix   | YES | YES | YES   | YES      | UNIT TEST | YES    | SYS TEST |
   | Snd. IPv4 Prefix   | NO  | NO  | NO    | YES      | YES       | NO     | YES      |
   | Rcv. IPv6 Prefix   | YES | YES | YES   | YES      | UNIT TEST | YES    | SYS TEST |
   | Snd. IPv6 Prefix   | NO  | NO  | NO    | YES      | YES       | NO     | YES      |
   | Rcv. End of Data   | YES | YES | YES   | YES      | UNIT TEST | YES    | SYS TEST |
   | Snd. End of Data   | NO  | NO  | NO    | YES      | YES       | NO     | YES      |
   | Rcv. Cache Reset   | YES | YES | YES   | YES      | UNIT TEST | YES    | SYS TEST |
   | Snd. Cache Reset   | NO  | NO  | NO    | YES      | YES       | NO     | YES      |
   | Rcv. Error Report  | YES | YES | NO~1  | YES      | YES       | YES    | YES      |
   | Snd. Error Report  | YES | NO  | NO    | YES      | YES       | YES    | YES      |
   +--------------------+-----+-----+-------+----------+-----------+--------+----------+

   1) No, the Error PDU gets silently ignored.

4.  Protocol Sequence

   Does the RPKI Router protocol implementation follow the four protocol
   sequences outlined in Section 6 of [I-D.ietf-sidr-rpki-rtr]?
   S1: Start or Restart

   S2: Typical Exchange

   S3: Generation of Incremental Updates Sequence

   S4: Receipt of Incremental Updates Sequence

   S5: Generation of Cache Has No Data Sequence

   +----+-----+-----+-------+----------+------+--------+-----+
   |    | IOS | XR  | JUNOS | rpki.net | NCC  | RTRlib | BBN |
   +----+-----+-----+-------+----------+------+--------+-----+
   | S1 | YES | YES | YES   | YES      | YES  | YES    | YES |
   | S2 | YES | YES | YES   | YES      | NO~1 | YES    | YES |
   | S3 | NO  | NO  | NO    | YES      | NO   | YES    | YES |
   | S4 | YES | YES | YES   | YES      | NO   | YES    | NO  |
   | S5 | NO  | NO  | NO    | YES      | YES  | YES    | YES |
   +----+-----+-----+-------+----------+------+--------+-----+

   1) NO, we always respond as described in Section 6.3 of
      [I-D.ietf-sidr-rpki-rtr].

5.  Protocol Transport

   Does the RPKI Router protocol implementation support the different
   protocol transport mechanisms outlined in Section 7 of
   [I-D.ietf-sidr-rpki-rtr]?

   +---------+-----+-----+-------+----------+-----+--------+-------+
   |         | IOS | XR  | JUNOS | rpki.net | NCC | RTRlib | BBN   |
   +---------+-----+-----+-------+----------+-----+--------+-------+
   | SSH     | NO  | YES | NO    | YES      | NO  | YES    | YES~1 |
   | TLS     | NO  | NO  | NO    | NO       | NO  | NO     | NO    |
   | TCP     | YES | YES | YES   | YES      | YES | YES    | YES   |
   | TCP-MD5 | NO  | NO  | NO    | NO       | NO  | NO     | NO    |
   | TCP-AO  | NO  | NO  | NO    | NO       | NO  | NO     | NO    |
   +---------+-----+-----+-------+----------+-----+--------+-------+

   1) Yes, using netcat as the ssh subsystem to connect to the RTR
      server on localhost via TCP.  This is currently untested.

6.  Error Codes

   Does the RPKI Router protocol implementation support the different
   protocol error codes outlined in Section 10 of
   [I-D.ietf-sidr-rpki-rtr]?
   +-------+-----+-----+-------+----------+-------+--------+----------+
   |       | IOS | XR  | JUNOS | rpki.net | NCC   | RTRlib | BBN      |
   +-------+-----+-----+-------+----------+-------+--------+----------+
   | Rcv.0 | YES | YES | NO    | YES      | YES   | YES    | YES      |
   | Snd.0 | YES | YES | NO    | YES      | YES   | YES    | YES      |
   | Rcv.1 | YES | YES | NO    | YES      | YES   | YES    | YES      |
   | Snd.1 | YES | YES | NO    | YES      | YES   | YES    | YES      |
   | Rcv.2 | YES | YES | NO    | YES      | N/A   | YES    | YES      |
   | Snd.2 | YES | YES | NO    | YES      | YES   | N/A    | YES      |
   | Rcv.3 | YES | YES | NO    | YES      | N/A   | YES    | YES      |
   | Snd.3 | NO  | NO  | NO    | YES      | YES   | NO     | YES      |
   | Rcv.4 | YES | YES | NO    | YES      | YES   | YES    | YES      |
   | Snd.4 | YES | YES | NO    | YES      | YES   | YES    | YES      |
   | Rcv.5 | YES | YES | NO    | YES      | YES   | YES    | YES      |
   | Snd.5 | YES | YES | NO    | YES      | YES   | YES    | YES      |
   | Rcv.6 | NO  | NO  | NO    | YES      | YES~1 | N/A    | YES      |
   | Snd.6 | YES | YES | NO    | NO       | N/A   | YES    | SYS TEST |
   | Rcv.7 | NO  | NO  | NO    | YES      | YES~1 | N/A    | YES      |
   | Snd.7 | YES | YES | NO    | NO       | N/A   | YES    | SYS TEST |
   +-------+-----+-----+-------+----------+-------+--------+----------+

   1) YES, but... fatal, so the connection is dropped, but the cache
      does not conclude it's inconsistent.

7.  Incremental Updates Support

   The RPKI Router protocol supports Incremental Updates as defined in
   Section 4 of [I-D.ietf-sidr-rpki-rtr].

   +-----+----+-------+----------+-----+--------+-----+
   | IOS | XR | JUNOS | rpki.net | NCC | RTRlib | BBN |
   +-----+----+-------+----------+-----+--------+-----+
   | NO  | NO | YES~1 | YES      | NO  | YES    | YES |
   +-----+----+-------+----------+-----+--------+-----+

   1) YES, receive-side support.

8.  Session ID Support

   The Session ID is used to indicate that the cache server may have
   restarted and that an incremental restart may not be possible.
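   As an added illustration of that rule (example code written for this
   report, not code from the draft or from any implementation listed
   here), the router-side session bookkeeping below chooses between an
   incremental Serial Query and a full Reset Query, discards everything
   learned from the cache when the Session ID changes, and raises error
   codes 6 and 7 for an unknown withdrawal or a duplicate announcement.
   The PDU type values, error codes and 8-byte header layout are assumed
   from RFC 6810, the published form of the draft; the report itself
   only names the PDUs.

```python
import struct
# PDU types, error codes and the 8-byte header are assumed from RFC 6810 (the
# published form of draft-ietf-sidr-rpki-rtr); the report only names them.
SERIAL_QUERY, RESET_QUERY, CACHE_RESPONSE, IPV4_PREFIX = 1, 2, 3, 4
IPV6_PREFIX, END_OF_DATA, CACHE_RESET, ERROR_REPORT = 6, 7, 8, 10
CORRUPT_DATA, WITHDRAW_UNKNOWN, DUPLICATE_ANNOUNCE = 0, 6, 7
HDR = struct.Struct("!BBHI")          # version, pdu type, session id, total length
def pdu(ptype, session_id=0, body=b""):
    # Frame one PDU; for an Error Report the session-id field carries the code.
    return HDR.pack(0, ptype, session_id, HDR.size + len(body)) + body

class RouterSession:
    def __init__(self):
        self.session_id = self.serial = self.pending = None
        self.prefixes = set()         # committed (plen, maxlen, prefix bytes, asn)
    def query(self):
        # Incremental startup (Sec. 9) needs a serial from a completed exchange.
        if self.serial is None:
            return pdu(RESET_QUERY)
        return pdu(SERIAL_QUERY, self.session_id, struct.pack("!I", self.serial))
    def reset(self):
        self.__init__()               # drop everything learned from this cache
        return pdu(RESET_QUERY)
    def error(self, code, offending):
        # Fatal: caller drops the connection; the half-received exchange is discarded.
        self.pending = None
        return pdu(ERROR_REPORT, code, struct.pack("!I", len(offending)) + offending + b"\0\0\0\0")

    def handle(self, raw):
        _, ptype, sid, length = HDR.unpack_from(raw)
        body = raw[HDR.size:length]
        if ptype == CACHE_RESET:                       # cache cannot serve our serial
            return self.reset()
        if ptype in (CACHE_RESPONSE, END_OF_DATA):
            if self.session_id not in (None, sid):     # Sec. 8: cache restarted, so
                return self.reset()                    # our serial means nothing
            self.session_id = sid
        if ptype == CACHE_RESPONSE:
            self.pending = set(self.prefixes)          # work on a copy until End of Data
        elif self.pending is None and ptype in (IPV4_PREFIX, IPV6_PREFIX, END_OF_DATA):
            return self.error(CORRUPT_DATA, raw)       # data outside an exchange
        elif ptype in (IPV4_PREFIX, IPV6_PREFIX):
            n = 4 if ptype == IPV4_PREFIX else 16      # body: flags, plen, maxlen, 0, addr, asn
            rec = (body[1], body[2], body[4:4 + n], int.from_bytes(body[4 + n:8 + n], "big"))
            announce = body[0] & 1
            if announce and rec not in self.pending:
                self.pending.add(rec)
            elif not announce and rec in self.pending:
                self.pending.discard(rec)
            else:                                      # duplicate announcement / unknown withdrawal
                return self.error(DUPLICATE_ANNOUNCE if announce else WITHDRAW_UNKNOWN, raw)
        elif ptype == END_OF_DATA:                     # commit the exchange
            self.serial = int.from_bytes(body, "big")
            self.prefixes, self.pending = self.pending, None
```

   The prefix records and session ids used to drive it are constructed
   test data, not captured traffic.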
   Does the RPKI Router protocol implementation support the Session ID
   procedures outlined in Section 5.10 of [I-D.ietf-sidr-rpki-rtr]?

   +-----+-----+-------+----------+------+--------+-----+
   | IOS | XR  | JUNOS | rpki.net | NCC  | RTRlib | BBN |
   +-----+-----+-------+----------+------+--------+-----+
   | YES | YES | YES   | YES      | NO~1 | YES    | YES |
   +-----+-----+-------+----------+------+--------+-----+

   1) NO, using random, but will FIX.

9.  Incremental Session Startup Support

   The RPKI Router protocol supports incremental session startup using
   the Serial Number and Session ID defined in the protocol.  Does the
   RPKI Router protocol implementation support incremental session
   startup as defined in Section 5.4 of [I-D.ietf-sidr-rpki-rtr]?

   +-----+-----+-------+----------+-----+--------+-----+
   | IOS | XR  | JUNOS | rpki.net | NCC | RTRlib | BBN |
   +-----+-----+-------+----------+-----+--------+-----+
   | YES | YES | YES   | YES      | NO  | YES    | YES |
   +-----+-----+-------+----------+-----+--------+-----+

10.  Interoperable Implementations

   List the other implementations with which you have tested the
   interoperability of your RPKI Router implementation.

10.1.  Cisco Implementation

   Cisco: The Cisco IOS and IOS-XR implementation should be
   interoperable with other vendor RPKI Router Protocol implementations.
   In particular we have tested our interoperability with rpki.net's
   RPKI Router implementation.

10.2.  Juniper Implementation

   Juniper: The Juniper Networks, Inc. JUNOS implementation should be
   interoperable with other vendor RPKI Router Protocol implementations.
   In particular we have tested our interoperability with rpki.net's and
   NCC's RPKI Router Cache implementations.

10.3.  rpki.net Implementation

   rpki.net: The rpki.net implementation should operate with other rpki-
   rtr implementations.  In particular, we have tested our
   interoperability with Cisco IOS, Cisco IOS-XR, and Juniper.

10.4.  RIPE NCC Implementation

   RIPE NCC: The RIPE NCC validator has been tested by us with other
   rpki-rtr implementations.  In particular we have tested with RTRlib
   and Cisco IOS.  We received positive feedback from close contacts
   testing our validator with JUNOS and Quagga.

10.5.  RTRlib Implementation

   RTRlib: The RTRlib has been tested by us with other rpki-rtr
   implementations.  In particular, we have tested with rtr-origin from
   rpki.net and the RIPE NCC Validator.

10.6.  BBN RPSTIR Implementation

   BBN RPSTIR: We have not yet tested with any other implementations.

11.  IANA Considerations

   This document makes no request of IANA.

   Note to RFC Editor: this section may be removed on publication as an
   RFC.

12.  Security Considerations

   No new security issues are introduced to the RPKI Router protocol
   defined in [I-D.ietf-sidr-rpki-rtr].

13.  Acknowledgements

   TBD....

14.  References

   [I-D.ietf-sidr-rpki-rtr]
              Bush, R. and R. Austein, "The RPKI/Router Protocol",
              Internet-Draft draft-ietf-sidr-rpki-rtr-26, February 2012.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

Authors' Addresses

   Randy Bush
   Internet Initiative Japan
   5147 Crystal Springs
   Bainbridge Island, Washington  98110
   US

   Email: randy@psg.com

   Rob Austein
   Dragon Research Labs

   Email: sra@hactrn.net

   Keyur Patel
   Cisco Systems
   170 West Tasman Drive
   San Jose, CA  95134
   US

   Email: keyupate@cisco.com

   Hannes Gredler
   Juniper Networks, Inc.
   1194 N. Mathilda Ave.
   Sunnyvale, CA  94089
   US

   Email: hannes@juniper.net

   Matthias Waehlisch
   FU Berlin
   Takustr. 9
   Berlin  14195
   Germany

   Email: waehlisch@ieee.org
   URI:   http://www.inf.fu-berlin.de/~waehl