rfcdiff: draft-ietf-sidr-bgpsec-pki-profiles-00.txt vs. draft-ietf-sidr-bgpsec-pki-profiles-01.txt

Header of -00:
Secure Inter-Domain Routing Working Group                    M. Reynolds
Internet-Draft                                                       BBN
Updates: [ID.sidr-res-cert-profile]                            S. Turner
Intended Status: Standards Track                                    IECA
Expires: April 25, 2012                                 October 24, 2011

Header of -01:
Secure Inter-Domain Routing Working Group                    M. Reynolds
Internet-Draft                                                      IPSw
Updates: [ID.sidr-res-cert-profile]                            S. Turner
Intended Status: Standards Track                                    IECA
Expires: June 7, 2012                                            S. Kent
                                                                     BBN
                                                        December 5, 2011

A Profile for BGPSEC Router Certificates,
Certificate Revocation Lists, and Certification Requests
-00: draft-ietf-sidr-bgpsec-pki-profiles-00
-01: draft-ietf-sidr-bgpsec-pki-profiles-01
Abstract

This document defines a standard profile for X.509 certificates for
the purposes of supporting validation of Autonomous System (AS) paths
in the Border Gateway Protocol (BGP), as part of an extension to that
protocol known as BGPSEC. BGP is a critical component for the proper
operation of the Internet as a whole. The BGPSEC protocol is under
development as a component to address the requirement to provide
security for the BGP protocol. The goal of BGPSEC is to design a
[skipping to change at page 2, line 4 (-00) / page 2, line 5 (-01)]
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

-00: This Internet-Draft will expire on April 26, 2012.
-01: This Internet-Draft will expire on June 7, 2012.
Copyright Notice

Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents

[skipping to change at page 5, line 32 (-00) / page 5, line 33 (-01)]
3.1.3.1. Extended Key Usage

BGPSEC Router Certificates MUST include the Extended Key Usage (EKU)
extension. As specified in [ID.sidr-res-cert-profile], this
extension MUST be marked as non-critical. This document defines one
EKU for BGPSEC Router Certificates:

-00:
   id-kp OBJECT IDENTIFIER ::=
       { iso(1) identified-organization(3) dod(6) internet(1)
         security(5) mechanisms(5) pkix(7) TBD }

-01:
   id-kp OBJECT IDENTIFIER ::=
       { iso(1) identified-organization(3) dod(6) internet(1)
         security(5) mechanisms(5) pkix(7) kp(3) }

   id-kp-bgpsec-router OBJECT IDENTIFIER ::= { id-kp TBD }

Relying Parties MUST require the extended key usage extension to be
present in a BGPSEC Router Certificate. If multiple KeyPurposeId
values are included, the relying parties need not recognize all of
them, as long as the required KeyPurposeId value is present. BGPSEC
RPs MUST reject certificates that do not contain the BGPSEC Router
EKU even if they include the anyExtendedKeyUsage OID defined in
[RFC5280].
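The relying-party rule in section 3.1.3.1 has three parts that are easy to get wrong in an implementation: the extension must be present, the BGPSEC Router KeyPurposeId must be among the listed values (unknown values alongside it are fine), and anyExtendedKeyUsage is not an acceptable substitute. The following is an added example written for this page, not code from the draft or from any RPKI implementation. It uses only the Python standard library, encodes and parses the DER ExtKeyUsageSyntax value (a SEQUENCE OF OBJECT IDENTIFIER) along the OID arcs shown in this section and in the ASN.1 module of Appendix A, and applies the acceptance rule. The draft leaves the final arc of id-kp-bgpsec-router TBD; the value 30 used below is the arc RFC 8209 later assigned and is treated as an assumption, passed as a parameter so it can be replaced.

```python
# Added example, not text from the draft: DER handling for the EKU extension
# value (ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId, where
# KeyPurposeId ::= OBJECT IDENTIFIER) and the relying-party rule of s3.1.3.1.
# Standard library only.

ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"          # RFC 5280 anyExtendedKeyUsage
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"         # RFC 5280, an unrelated EKU
# id-kp is the PKIX kp arc 1.3.6.1.5.5.7.3; the draft leaves the last arc of
# id-kp-bgpsec-router TBD. 30 is the value RFC 8209 later assigned; it is an
# assumption here and is a parameter of the check below.
ID_KP_BGPSEC_ROUTER = "1.3.6.1.5.5.7.3.30"


def der_length(n):
    """DER definite-form length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                      # base-128, most significant first
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + der_length(len(body)) + bytes(body)


def decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                          # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(data, pos):
    """Read one DER TLV at pos; return (tag, content octets, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:pos + length], pos + length


def encode_eku(oids):
    """Build the DER extnValue of an extKeyUsage extension from KeyPurposeIds."""
    inner = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + der_length(len(inner)) + inner


def decode_eku(der):
    """Parse ExtKeyUsageSyntax and return its KeyPurposeIds in dotted form."""
    tag, inner, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("extnValue is not a single DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(inner):
        tag, body, pos = _read_tlv(inner, pos)
        if tag != 0x06:
            raise ValueError("ExtKeyUsageSyntax may only contain OIDs")
        oids.append(decode_oid(body))
    if not oids:
        raise ValueError("ExtKeyUsageSyntax must have at least one entry")
    return oids


def bgpsec_rp_accepts(eku_der, required=ID_KP_BGPSEC_ROUTER):
    """Relying-party check from s3.1.3.1: the extension must be present and
    must carry the BGPSEC Router KeyPurposeId. Other values need not be
    recognised, and anyExtendedKeyUsage is not accepted as a substitute."""
    if eku_der is None:                           # extension absent: reject
        return False
    return required in decode_eku(eku_der)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real certificate.
    for label, value in [
        ("router EKU only", encode_eku([ID_KP_BGPSEC_ROUTER])),
        ("router EKU plus unrelated", encode_eku([ID_KP_SERVER_AUTH, ID_KP_BGPSEC_ROUTER])),
        ("anyExtendedKeyUsage only", encode_eku([ANY_EXTENDED_KEY_USAGE])),
        ("extension absent", None),
    ]:
        print(f"{label:28s} -> {'accept' if bgpsec_rp_accepts(value) else 'reject'}")
```

In a real validator the `eku_der` argument is the extnValue of the extension with OID 2.5.29.37 taken from the certificate's extension list (None when that extension is missing); the check is deliberately a membership test rather than an equality test so that a certificate listing additional, unrecognised KeyPurposeIds is still accepted, as the section requires.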
[skipping to change at page 9, line 22 (-00) / page 9, line 24 (-01)]

progress.

[ID.sidr-algorithm-agility] Gagliano, R., Kent, S., and S. Turner,
    "Algorithm Agility Procedure for RPKI",
    draft-ietf-sidr-algorithm-agility, work-in-progress.

[ID.sidr-bgpsec-protocol] Lepinski, M., "BGPSEC Protocol
    Specification", draft-ietf-sidr-bgpsec-protocol, work-in-progress.
Appendices in -00:
Appendix A. Example BGPSEC Router Certificate
Appendix B. Example BGPSEC Router Certificate Request
Appendix C. Change Log

Appendices in -01:
Appendix A. ASN.1 Module

   BGPSECEKU { iso(1) identified-organization(3) dod(6) internet(1)
     security(5) mechanisms(5) pkix(7) id-mod(0) TBD }

   DEFINITIONS EXPLICIT TAGS ::=
   BEGIN

   -- EXPORTS ALL --
   -- IMPORTS NOTHING --

   -- OID Arc --

   id-kp OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) dod(6) internet(1)
     security(5) mechanisms(5) pkix(7) kp(3) }

   -- BGPSEC Router Extended Key Usage --

   id-kp-bgpsec-router OBJECT IDENTIFIER ::= { id-kp TBD }

   END

Appendix B. Example BGPSEC Router Certificate
Appendix C. Example BGPSEC Router Certificate Request
Appendix D. Change Log
Please delete this section prior to publication.

-01 only:
D.1 Changes from turner-bgpsec-pki-profiles-02 to sidr-bgpsec-pki-profiles-00

Added an ASN.1 Module and corrected the id-kp OID in s3.1.3.1.

C.1 (-00) / D.2 (-01) Changes from turner-bgpsec-pki-profiles-02 to sidr-bgpsec-pki-profiles-00

Added this change log.

Amplified that a BGPSEC RP will need to support both the algorithms
in [ID.sidr-bgpsec-algs] for BGPSEC and the algorithms in
[ID.sidr-rpki-algs] for certificates and CRLs.

Changed the name of AS Resource extension to AS Resource Identifier
Delegation to match what's in RFC 3779.

C.2 (-00) / D.3 (-01) Changes from turner-bgpsec-pki-profiles -01 to -02

Added text in Section 2 to indicate that there's no impact on the
procedures defined in [ID.sidr-algorithm-agility].

Added a security consideration to let implementers know the BGPSEC
certificates will not pass RPKI validation [ID.sidr-res-cert-profile]
and that keying off the EKU will help tremendously.

C.3 (-00) / D.4 (-01) Changes from turner-bgpsec-pki-profiles -00 to -01

Corrected Section 2 to indicate that CA certificates are also RPKI
certificates.

Removed sections and text that was already in
[ID.sidr-res-cert-profile]. This will make it easier for reviewers to
figure out what is different.

Modified Section 6 to use 2119-language.

Removed requirement from Section 6 to check that the AS # in the
certificate is the last number in the AS path information of each BGP
UPDATE message. Moved to [ID.sidr-bgpsec-protocol].
Authors' Addresses

Mark Reynolds
-00: Raytheon BBN Technologies Corp., 10 Moulton St., Cambridge, MA 02138
     Email: mreynold@bbn.com
-01: Island Peak Software, 328 Virginia Road, Concord, MA 01742
     Email: mcr@islandpeaksoftware.com

Sean Turner
IECA, Inc.
3057 Nutley Street, Suite 106
Fairfax, VA 22031
USA
EMail: turners@ieca.com

Steve Kent (-01 only)
Raytheon BBN Technologies
10 Moulton St.
Cambridge, MA 02138
Email: kent@bbn.com
End of changes. 14 change blocks.
15 lines changed or deleted, 47 lines changed or added.

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/