Network Working Group                                            R. Bush
Internet-Draft                                 Internet Initiative Japan
Intended status: Standards Track                              R. Austein
Expires: July 11, 2012                              Dragon Research Labs
                                                                K. Patel
                                                           Cisco Systems
                                                              H. Gredler
                                                  Juniper Networks, Inc.
                                                            M. Waehlisch
                                                               FU Berlin
                                                         January 8, 2012

                   RPKI Router Implementation Report
                      draft-ymbk-rpki-rtr-impl-01

Abstract

   This document provides an implementation report for the RPKI Router
   protocol as defined in [I-D.ietf-sidr-rpki-rtr].  The editor did not
   verify the accuracy of the information provided by respondents or by
   any alternative means.  The respondents are experts with the
   implementations they reported on, and their responses are considered
   authoritative for the implementations their responses represent.
   Respondents were asked to use the YES answer only if the feature had
   at least been tested in the lab.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 11, 2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Implementation Forms
   3.  Protocol Data Units
   4.  Protocol Sequence
   5.  Protocol Transport
   6.  Error Codes
   7.  Incremental Updates Support
   8.  Session ID Support
   9.  Incremental Session Startup Support
   10. Interoperable Implementations
       10.1.  Cisco Implementation
       10.2.  Juniper Implementation
       10.3.  rpki.net Implementation
       10.4.  RIPE NCC Implementation
       10.5.  RTRlib Implementation
       10.6.  BBN RPSTIR Implementation
   11. IANA Considerations
   12. Security considerations
   13. Acknowledgements
   14. Normative References
   Authors' Addresses

1.  Introduction

   In order to formally validate the origin ASs of BGP announcements,
   routers need a simple but reliable mechanism to receive RPKI
   [I-D.ietf-sidr-rpki-rtr] prefix origin data from a trusted cache.
   The RPKI Router protocol defined in [I-D.ietf-sidr-rpki-rtr] provides
   a mechanism to deliver validated prefix origin data to routers.

   This document provides an implementation report for the RPKI Router
   protocol as defined in [I-D.ietf-sidr-rpki-rtr].

   The editor did not verify the accuracy of the information provided by
   respondents or by any alternative means.  The respondents are experts
   with the implementations they reported on, and their responses are
   considered authoritative for the implementations their responses
   represent.  Respondents were asked to use the YES answer only if the
   feature had at least been tested in the lab.

2.  Implementation Forms

   Contact and implementation information for the person filling out
   this form:

   IOS       Name: Keyur Patel, Email: keyupate@cisco.com, Vendor: Cisco
             Systems, Inc. Release: IOS

   XR        Name: Forhad Ahmed, Email: foahmed@cisco.com, Vendor: Cisco
             Systems, Inc.
             Release: IOS-XR

   JUNOS     Name: Hannes Gredler, Email: hannes@juniper.net, Vendor:
             Juniper Networks, Inc., Release: JUNOS

   rpki.net  Name: Rob Austein, Email: sra@hactrn.net, Vendor: rpki.net
             project, Release: http://subvert-rpki.hactrn.net/trunk/

   NCC       Name: Tim Bruijnzeels, Email: tim@ripe.net, Vendor: RIPE NCC
             Release: RIPE NCC validator-app 2.0.0 https://
             certification.ripe.net/content/public-repo/releases/net/ripe/
             rpki-validator/rpki-validator-app/2.0.0/
             rpki-validator-app-2.0.0-bin.zip

   RTRlib    Name: Fabian Holler, Matthias Waehlisch, Email:
             waehlisch@ieee.org, Vendor: HAW Hamburg, FU Berlin, RTRlib
             project, Release: RTRlib 0.2 http://rpki.realmv6.org/

   BBN       Name: David Mandelberg, Email: dmandelb@bbn.com, Vendor:
             Raytheon/BBN Technologies, Release: RPSTIR 0.2
             http://sourceforge.net/projects/rpstir/

3.  Protocol Data Units

   Does the implementation support the Protocol Data Units (PDUs)
   described in Section 5 of [I-D.ietf-sidr-rpki-rtr]?

   +-----------+-----+-----+-------+--------+--------+--------+--------+
   |           | IOS | XR  | JUNOS | rpki   | NCC    | RTR-   | BBN    |
   |           |     |     |       | .net   |        | lib    |        |
   +-----------+-----+-----+-------+--------+--------+--------+--------+
   | Rcv.      | YES | YES | YES   | YES    | UNIT   | YES    | SYS    |
   | Serial    |     |     |       |        | TEST   |        | TEST   |
   | Notify    |     |     |       |        |        |        |        |
   | Snd.      | NO  | NO  | NO    | YES    | YES    | NO     | YES    |
   | Serial    |     |     |       |        |        |        |        |
   | Notify    |     |     |       |        |        |        |        |
   | Rcv.      | NO  | NO  | NO    | YES    | YES    | NO     | YES    |
   | Serial    |     |     |       |        |        |        |        |
   | Query     |     |     |       |        |        |        |        |
   | Snd.      | YES | YES | YES   | YES    | UNIT   | YES    | SYS    |
   | Serial    |     |     |       |        | TEST   |        | TEST   |
   | Query     |     |     |       |        |        |        |        |
   | Rcv.      | NO  | NO  | NO    | YES    | YES    | NO     | YES    |
   | Reset     |     |     |       |        |        |        |        |
   | Query     |     |     |       |        |        |        |        |
   | Snd.      | YES | YES | YES   | YES    | UNIT   | YES    | SYS    |
   | Reset     |     |     |       |        | TEST   |        | TEST   |
   | Query     |     |     |       |        |        |        |        |
   | Rcv.      | YES | YES | YES   | YES    | UNIT   | YES    | SYS    |
   | Cache     |     |     |       |        | TEST   |        | TEST   |
   | Resp.     |     |     |       |        |        |        |        |
   | Snd.      | NO  | NO  | NO    | YES    | YES    | NO     | YES    |
   | Cache     |     |     |       |        |        |        |        |
   | Resp.     |     |     |       |        |        |        |        |
   | Rcv. IPv4 | YES | YES | YES   | YES    | UNIT   | YES    | SYS    |
   | Prefix    |     |     |       |        | TEST   |        | TEST   |
   | Snd. IPv4 | NO  | NO  | NO    | YES    | YES    | NO     | YES    |
   | Prefix    |     |     |       |        |        |        |        |
   | Rcv. IPv6 | YES | YES | YES   | YES    | UNIT   | YES    | SYS    |
   | Prefix    |     |     |       |        | TEST   |        | TEST   |
   | Snd. IPv6 | NO  | NO  | NO    | YES    | YES    | NO     | YES    |
   | Prefix    |     |     |       |        |        |        |        |
   | Rcv. End  | YES | YES | YES   | YES    | UNIT   | YES    | SYS    |
   | of Data   |     |     |       |        | TEST   |        | TEST   |
   | Snd. End  | NO  | NO  | NO    | YES    | YES    | NO     | YES    |
   | of Data   |     |     |       |        |        |        |        |
   | Rcv.      | YES | YES | YES   | YES    | UNIT   | YES    | SYS    |
   | Cache     |     |     |       |        | TEST   |        | TEST   |
   | Reset     |     |     |       |        |        |        |        |
   | Snd.      | NO  | NO  | NO    | YES    | YES    | NO     | YES    |
   | Cache     |     |     |       |        |        |        |        |
   | Reset     |     |     |       |        |        |        |        |
   | Rcv.      | YES | YES | NO~1  | YES    | YES    | YES    | YES    |
   | Error     |     |     |       |        |        |        |        |
   | Report    |     |     |       |        |        |        |        |
   | Snd.      | YES | NO  | NO    | YES    | YES    | YES    | YES    |
   | Error     |     |     |       |        |        |        |        |
   | Report    |     |     |       |        |        |        |        |
   +-----------+-----+-----+-------+--------+--------+--------+--------+

   1) No, the Error PDU gets silently ignored.

4.  Protocol Sequence

   Does the RPKI Router protocol implementation follow the four protocol
   sequences outlined in Section 6 of [I-D.ietf-sidr-rpki-rtr]?
   S1: Start or Restart

   S2: Typical Exchange

   S3: Generation of Incremental Updates Sequence

   S4: Receipt of Incremental Updates Sequence

   S5: Generation of Cache has No data Sequence

   +----+-----+-----+-------+----------+------+--------+-----+
   |    | IOS | XR  | JUNOS | rpki.net | NCC  | RTRlib | BBN |
   +----+-----+-----+-------+----------+------+--------+-----+
   | S1 | YES | YES | YES   | YES      | YES  | YES    | YES |
   | S2 | YES | YES | YES   | YES      | NO~1 | YES    | YES |
   | S3 | NO  | NO  | NO    | YES      | NO   | YES    | YES |
   | S4 | YES | YES | YES   | YES      | NO   | YES    | NO  |
   | S5 | NO  | NO  | NO    | YES      | YES  | YES    | YES |
   +----+-----+-----+-------+----------+------+--------+-----+

   1) NO, we always respond as described in 6.3 of
      [I-D.ietf-sidr-rpki-rtr].

5.  Protocol Transport

   Does the RPKI Router protocol implementation support the protocol
   transport mechanisms outlined in Section 7 of
   [I-D.ietf-sidr-rpki-rtr]?

   +---------+-----+-----+-------+----------+-----+--------+-------+
   |         | IOS | XR  | JUNOS | rpki.net | NCC | RTRlib | BBN   |
   +---------+-----+-----+-------+----------+-----+--------+-------+
   | SSH     | NO  | YES | NO    | YES      | NO  | YES    | YES~1 |
   | TLS     | NO  | NO  | NO    | YES      | NO  | NO     | YES~2 |
   | TCP     | YES | YES | YES   | YES      | YES | YES    | YES   |
   | TCP-MD5 | NO  | NO  | NO    | NO       | NO  | NO     | NO    |
   | TCP-AO  | NO  | NO  | NO    | NO       | NO  | NO     | NO    |
   +---------+-----+-----+-------+----------+-----+--------+-------+

   1) Yes, using netcat as the ssh subsystem to connect to the RTR
      server on localhost via TCP.  This is currently untested.

   2) Yes, using stunnel to verify client certificates and forward
      traffic to the server on localhost via TCP.  This is currently
      untested.

6.  Error Codes

   Does the RPKI Router protocol implementation support the protocol
   error codes outlined in Section 10 of [I-D.ietf-sidr-rpki-rtr]?
   +-------+-----+-----+-------+----------+-------+--------+----------+
   |       | IOS | XR  | JUNOS | rpki.net | NCC   | RTRlib | BBN      |
   +-------+-----+-----+-------+----------+-------+--------+----------+
   | Rcv.0 | YES | YES | NO    | YES      | YES   | YES    | YES      |
   | Snd.0 | YES | YES | NO    | YES      | YES   | YES    | YES      |
   | Rcv.1 | YES | YES | NO    | YES      | YES   | YES    | YES      |
   | Snd.1 | YES | YES | NO    | YES      | YES   | YES    | YES      |
   | Rcv.2 | YES | YES | NO    | YES      | N/A   | YES    | YES      |
   | Snd.2 | YES | YES | NO    | YES      | YES   | N/A    | YES      |
   | Rcv.3 | YES | YES | NO    | YES      | N/A   | YES    | YES      |
   | Snd.3 | NO  | NO  | NO    | YES      | YES   | NO     | YES      |
   | Rcv.4 | YES | YES | NO    | YES      | YES   | YES    | YES      |
   | Snd.4 | YES | YES | NO    | YES      | YES   | YES    | YES      |
   | Rcv.5 | YES | YES | NO    | YES      | YES   | YES    | YES      |
   | Snd.5 | YES | YES | NO    | YES      | YES   | YES    | YES      |
   | Rcv.6 | NO  | NO  | NO    | YES      | YES~1 | N/A    | YES      |
   | Snd.6 | YES | YES | NO    | NO       | N/A   | YES    | SYS TEST |
   | Rcv.7 | NO  | NO  | NO    | YES      | YES~1 | N/A    | YES      |
   | Snd.7 | YES | YES | NO    | NO       | N/A   | YES    | SYS TEST |
   +-------+-----+-----+-------+----------+-------+--------+----------+

   1) YES, but... fatal, so the connection is dropped, but the cache
      does not conclude it's inconsistent.

7.  Incremental Updates Support

   The RPKI Router protocol supports Incremental Updates as defined in
   Section 4 of [I-D.ietf-sidr-rpki-rtr].  Does the implementation
   support them?

   +-----+----+-------+----------+-----+--------+-----+
   | IOS | XR | JUNOS | rpki.net | NCC | RTRlib | BBN |
   +-----+----+-------+----------+-----+--------+-----+
   | NO  | NO | YES~1 | YES      | NO  | YES    | YES |
   +-----+----+-------+----------+-----+--------+-----+

   1) YES, receive side support

8.  Session ID Support

   The Session ID is used to indicate that the cache server may have
   restarted and that an incremental restart may not be possible.
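   The router-side state behind the incremental update, Session ID and
   incremental session startup questions of Sections 7, 8 and 9 is
   easier to follow in code than in the tables.  The following is an
   example added for this report; it is not code from the draft or from
   any implementation surveyed here.  The router keeps the cache's
   Session ID and the last serial it has fully applied, resumes with a
   Serial Query when it can, and throws everything away and sends a
   Reset Query when the Session ID changes or the cache answers with
   Cache Reset.  The PDU type codes and the layout of the two query PDUs
   follow RFC 6810 (the published form of the draft cited here) and are
   an assumption; the session IDs, serials and prefix records are
   constructed for illustration.

```python
"""Router-side Session ID / Serial Number state for the RPKI-Router protocol.

Added example for this implementation report; not code from the draft or
from any of the implementations it surveys.  PDU type codes and the layout
of the two query PDUs follow RFC 6810 (assumed here; check against the
draft version your cache speaks).  Session IDs, serials and prefix records
used below are constructed for illustration.
"""
import struct
from typing import Optional

PROTOCOL_VERSION = 0
SERIAL_NOTIFY, SERIAL_QUERY, RESET_QUERY = 0, 1, 2
CACHE_RESPONSE, IPV4_PREFIX, IPV6_PREFIX = 3, 4, 6
END_OF_DATA, CACHE_RESET, ERROR_REPORT = 7, 8, 10
FLAG_ANNOUNCE = 0x01  # prefix PDU flags, bit 0: 1 = announce, 0 = withdraw


class ProtocolError(Exception):
    """The cache sent a PDU that is not valid at this point in the exchange."""


def encode_serial_query(session_id: int, serial: int) -> bytes:
    """Serial Query (12 bytes): ask for changes since `serial` in this session."""
    return struct.pack("!BBHII", PROTOCOL_VERSION, SERIAL_QUERY, session_id, 12, serial)


def encode_reset_query() -> bytes:
    """Reset Query (8 bytes): ask for the cache's complete data set."""
    return struct.pack("!BBHI", PROTOCOL_VERSION, RESET_QUERY, 0, 8)


class RouterSession:
    """What a router remembers about one cache between connections.

    Each handler returns the PDU the router should send next, or None.
    """

    def __init__(self) -> None:
        self.session_id: Optional[int] = None  # learned from the first Cache Response
        self.serial: Optional[int] = None      # last serial fully applied (End of Data seen)
        self.roas = set()                      # committed (prefix, max_len, asn) records
        self._pending = None                   # working copy between Cache Response and End of Data

    def startup_query(self) -> bytes:
        """Section 9: resume incrementally when state exists, else load everything."""
        if self.session_id is None or self.serial is None:
            return encode_reset_query()
        return encode_serial_query(self.session_id, self.serial)

    def on_serial_notify(self, session_id: int, serial: int) -> Optional[bytes]:
        # Section 8: a new Session ID means the cache restarted; serial numbers
        # from the old session mean nothing now, even if the number is equal.
        if session_id != self.session_id:
            return self._full_reload()
        if serial == self.serial:
            return None  # already current
        return encode_serial_query(self.session_id, self.serial)

    def on_cache_response(self, session_id: int) -> Optional[bytes]:
        if self.session_id is not None and session_id != self.session_id:
            return self._full_reload()
        self.session_id = session_id
        self._pending = set(self.roas)  # apply the update to a copy, commit at End of Data
        return None

    def on_cache_reset(self) -> bytes:
        """The cache cannot serve an incremental update from our serial."""
        return self._full_reload()

    def on_prefix(self, record, flags: int) -> None:
        if self._pending is None:
            raise ProtocolError("prefix PDU outside a Cache Response exchange")
        if flags & FLAG_ANNOUNCE:
            self._pending.add(record)
        else:
            self._pending.discard(record)

    def on_end_of_data(self, session_id: int, serial: int) -> Optional[bytes]:
        if self._pending is None or session_id != self.session_id:
            return self._full_reload()
        self.roas, self._pending = self._pending, None  # commit atomically
        self.serial = serial
        return None

    def _full_reload(self) -> bytes:
        """Forget everything learned from this cache and ask for a complete data set."""
        self.session_id = None
        self.serial = None
        self.roas = set()
        self._pending = None
        return encode_reset_query()


if __name__ == "__main__":
    r = RouterSession()
    print(r.startup_query().hex())                # Reset Query: no state yet
    r.on_cache_response(0x1234)                   # constructed session id
    r.on_prefix(("192.0.2.0/24", 24, 64496), FLAG_ANNOUNCE)
    r.on_end_of_data(0x1234, 100)
    print(r.startup_query().hex())                # Serial Query: session 0x1234, serial 100
    print(r.on_serial_notify(0x5678, 100).hex())  # same serial, new session: Reset Query
```

   The point to check in any implementation is the last call above: a
   Serial Notify carrying a familiar serial number under a new Session
   ID is not "already current"; it is the restart case Section 8
   describes, and the only safe answer is to drop the stored data and
   reload.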
   Does the RPKI Router protocol implementation support the Session ID
   procedures outlined in Section 5.10 of [I-D.ietf-sidr-rpki-rtr]?

   +-----+-----+-------+----------+------+--------+-----+
   | IOS | XR  | JUNOS | rpki.net | NCC  | RTRlib | BBN |
   +-----+-----+-------+----------+------+--------+-----+
   | YES | YES | YES   | YES      | NO~1 | YES    | YES |
   +-----+-----+-------+----------+------+--------+-----+

   1) NO, using random, but will FIX

9.  Incremental Session Startup Support

   The RPKI Router protocol supports incremental session startup using
   the Serial Number and Session ID defined in the protocol.  Does the
   RPKI Router protocol implementation support Incremental Session
   Startup as defined in Section 5.4 of [I-D.ietf-sidr-rpki-rtr]?

   +-----+-----+-------+----------+-----+--------+-----+
   | IOS | XR  | JUNOS | rpki.net | NCC | RTRlib | BBN |
   +-----+-----+-------+----------+-----+--------+-----+
   | YES | YES | YES   | YES      | NO  | YES    | YES |
   +-----+-----+-------+----------+-----+--------+-----+

10.  Interoperable Implementations

   List the other implementations with which you have tested the
   interoperability of your RPKI Router implementation.

10.1.  Cisco Implementation

   Cisco: The Cisco IOS and IOS-XR implementation should be
   interoperable with other vendor RPKI Router Protocol implementations.
   In particular we have tested our interoperability with rpki.net's
   RPKI Router implementation.

10.2.  Juniper Implementation

   Juniper: The Juniper Networks, Inc. JUNOS implementation should be
   interoperable with other vendor RPKI Router Protocol implementations.
   In particular we have tested our interoperability with rpki.net's and
   NCC's RPKI Router Cache implementation.

10.3.  rpki.net Implementation

   rpki.net: The rpki.net implementation should operate with other rpki-
   rtr implementations.  In particular, we have tested our
   interoperability with Cisco IOS, Cisco IOS-XR, and Juniper.

10.4.  RIPE NCC Implementation

   RIPE NCC: The RIPE NCC validator has been tested by us with other
   rpki-rtr implementations.  In particular we have tested with RTRlib
   and Cisco IOS.  We received positive feedback from close contacts
   testing our validator with JUNOS and Quagga.

10.5.  RTRlib Implementation

   RTRlib: The RTRlib has been tested by us with other rpki-rtr
   implementations.  In particular, we have tested with rtr-origin from
   rpki.net and the RIPE NCC Validator.

10.6.  BBN RPSTIR Implementation

   BBN RPSTIR: We have not yet tested with any other implementations.

11.  IANA Considerations

   This document makes no request of IANA.

   Note to RFC Editor: this section may be removed on publication as an
   RFC.

12.  Security considerations

   No new security issues are introduced to the RPKI Router protocol
   defined in [I-D.ietf-sidr-rpki-rtr].

13.  Acknowledgements

   TBD....

14.  Normative References

   [I-D.ietf-sidr-rpki-rtr]
              Bush, R. and R. Austein, "The RPKI/Router Protocol",
              draft-ietf-sidr-rpki-rtr-22 (work in progress),
              December 2011.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

Authors' Addresses

   Randy Bush
   Internet Initiative Japan
   5147 Crystal Springs
   Bainbridge Island, Washington 98110
   US

   Email: randy@psg.com

   Rob Austein
   Dragon Research Labs

   Email: sra@hactrn.net

   Keyur Patel
   Cisco Systems
   170 West Tasman Drive
   San Jose, CA 95134
   US

   Email: keyupate@cisco.com

   Hannes Gredler
   Juniper Networks, Inc.
   1194 N. Mathilda Ave.
   Sunnyvale, CA 94089
   US

   Email: hannes@juniper.net

   Matthias Waehlisch
   FU Berlin
   Takustr. 9
   Berlin 14195
   Germany

   Email: waehlisch@ieee.org
   URI:   http://www.inf.fu-berlin.de/~waehl