draft-ietf-sidr-bgpsec-pki-profiles-02.txt   draft-ietf-sidr-bgpsec-pki-profiles-03.txt 
Secure Inter-Domain Routing Working Group M. Reynolds Secure Inter-Domain Routing Working Group M. Reynolds
Internet-Draft IPSw Internet-Draft IPSw
Updates: 6487 (if approved) S. Turner Updates: 6487 (if approved) S. Turner
Intended Status: Standards Track IECA Intended Status: Standards Track IECA
Expires: September 27, 2012 S. Kent Expires: October 15, 2012 S. Kent
BBN BBN
March 26, 2012 April 13, 2012
A Profile for BGPSEC Router Certificates, A Profile for BGPSEC Router Certificates,
Certificate Revocation Lists, and Certification Requests Certificate Revocation Lists, and Certification Requests
draft-ietf-sidr-bgpsec-pki-profiles-02 draft-ietf-sidr-bgpsec-pki-profiles-03
Abstract Abstract
This document defines a standard profile for X.509 certificates for This document defines a standard profile for X.509 certificates for
the purposes of supporting validation of Autonomous System (AS) paths the purposes of supporting validation of Autonomous System (AS) paths
in the Border Gateway Protocol (BGP), as part of an extension to that in the Border Gateway Protocol (BGP), as part of an extension to that
protocol known as BGPSEC. BGP is a critical component for the proper protocol known as BGPSEC. BGP is a critical component for the proper
operation of the Internet as a whole. The BGPSEC protocol is under operation of the Internet as a whole. The BGPSEC protocol is under
development as a component to address the requirement to provide development as a component to address the requirement to provide
security for the BGP protocol. The goal of BGPSEC is to design a security for the BGP protocol. The goal of BGPSEC is to design a
skipping to change at page 2, line 8 skipping to change at page 2, line 8
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 4, line 14 skipping to change at page 4, line 14
certificate is explained in Section 1 and falls within the scope of certificate is explained in Section 1 and falls within the scope of
appropriate uses defined within [RFC6484]. The issuance of BGPSEC appropriate uses defined within [RFC6484]. The issuance of BGPSEC
Router Certificates has minimal impact on RPKI CAs because the RPKI Router Certificates has minimal impact on RPKI CAs because the RPKI
CA certificate and CRL profile remain unchanged (i.e., they are as CA certificate and CRL profile remain unchanged (i.e., they are as
specified in [RFC6487]). Further, the algorithms used to generate specified in [RFC6487]). Further, the algorithms used to generate
RPKI CA certificates that issue the BGPSEC Router Certificates and RPKI CA certificates that issue the BGPSEC Router Certificates and
the CRLs necessary to check the validity of the BGPSEC Router the CRLs necessary to check the validity of the BGPSEC Router
Certificates remain unchanged (i.e., they are as specified in Certificates remain unchanged (i.e., they are as specified in
[RFC6485]). The only impact is that the RPKI CAs will need to be [RFC6485]). The only impact is that the RPKI CAs will need to be
able to process a profiled certificate request (see Section 5) signed able to process a profiled certificate request (see Section 5) signed
with algorithms found in [ID.turner-sidr-bgpsec-algs]. The use of with algorithms found in [ID.sidr-bgpsec-algs]. The use of BGPSEC
BGPSEC Router Certificates in no way affects RPKI RPs that process Router Certificates in no way affects RPKI RPs that process Manifests
Manifests and ROAs because the public key found in the BGPSEC Router and ROAs because the public key found in the BGPSEC Router
Certificate is only ever used to verify the signature on the BGPSEC Certificate is only ever used to verify the signature on the BGPSEC
certificate request (only CAs process these), another BGPSEC Router certificate request (only CAs process these), another BGPSEC Router
Certificate (only BGPSEC routers process these), and the signature on Certificate (only BGPSEC routers process these), and the signature on
a BGPSEC Update Message [ID.sidr-bgpsec-protocol] (only BGPSEC a BGPSEC Update Message [ID.sidr-bgpsec-protocol] (only BGPSEC
routers process these). routers process these).
Only the differences between this profile and the profile in Only the differences between this profile and the profile in
[RFC6487] are listed. Note that BGPSEC Router Certificates are EE [RFC6487] are listed. Note that BGPSEC Router Certificates are EE
certificates and as such there is no impact on process described in certificates and as such there is no impact on process described in
[ID.sidr-algorithm-agility]. [ID.sidr-algorithm-agility].
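Review bot: the sentence rewrapped in this hunk still lists "another BGPSEC Router Certificate (only BGPSEC routers process these)" among the things the router's public key verifies, which conflicts with the following paragraph's statement that BGPSEC Router Certificates are EE certificates. An EE key does not sign other certificates, so either drop that item or explain which signature is meant. While touching this paragraph, "no impact on process described in" should read "no impact on the process described in".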
skipping to change at page 6, line 31 skipping to change at page 6, line 31
o The SubjectPublicKeyInfo and PublicKey fields are specified in o The SubjectPublicKeyInfo and PublicKey fields are specified in
[ID.sidr-bgpsec-algs]; and, [ID.sidr-bgpsec-algs]; and,
o The request is signed with the algorithms specified in [ID.sidr- o The request is signed with the algorithms specified in [ID.sidr-
bgpsec-algs]. bgpsec-algs].
3.3. BGPSEC Router Certificate Validation 3.3. BGPSEC Router Certificate Validation
The validation procedure used for BGPSEC Router Certificates is The validation procedure used for BGPSEC Router Certificates is
identical to the validation procedure described in Section 7 of identical to the validation procedure described in Section 7 of
[RFC6487] except that where "this specification" refers to [RFC6487] [RFC6487]. The exception is that the constraints applied come from
in that profile in this profile "this specification" is this this specification (e.g., in step 3: the certificate contains all the
document. field that must be present - refers to the fields that are required
by this specification).
The differences are as follows: The differences are as follows:
o BGPSEC Router Certificates MUST include the BGPSEC EKU defined in o BGPSEC Router Certificates MUST include the BGPSEC EKU defined in
Section 3.9.5. Section 3.1.3.1.
o BGPSEC Router Certificates MUST NOT include the SIA extension. o BGPSEC Router Certificates MUST NOT include the SIA extension.
o BGPSEC Router Certificates MUST NOT include the IP Resource o BGPSEC Router Certificates MUST NOT include the IP Resource
extension. extension.
o BGPSEC Router Certificates MUST include the AS Resource Identifier o BGPSEC Router Certificates MUST include the AS Resource Identifier
Delegation extension. Delegation extension.
o BGPSEC Router Certificate MUST include the "Subject Public Key o BGPSEC Router Certificate MUST include the "Subject Public Key
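Review bot: the reworded first paragraph of 3.3 has a parenthetical that does not parse, "the certificate contains all the field that must be present - refers to the fields that are required by this specification". Suggest quoting the RFC 6487 step explicitly, for example: (e.g., in step 3, "the certificate contains all the fields that must be present" refers to the fields required by this specification). Since this paragraph decides which constraint set a validator applies, it is worth stating outright that every step of the Section 7 procedure is evaluated against this profile's field and extension requirements, not only step 3. The last bullet also reads "BGPSEC Router Certificate MUST" where the other bullets use the plural "Certificates".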
skipping to change at page 7, line 42 skipping to change at page 7, line 43
binding of an AS number to a public key, consistent with the RPKI binding of an AS number to a public key, consistent with the RPKI
allocation/assignment hierarchy. allocation/assignment hierarchy.
6. IANA Considerations 6. IANA Considerations
None. None.
7. Acknowledgements 7. Acknowledgements
We would like to thanks Geoff Huston, George Michaelson, and Robert We would like to thanks Geoff Huston, George Michaelson, and Robert
Loomans for their work on [ID.sidr-res-cert-profile], which this work Loomans for their work on [RFC6487], which this work is based on. In
is based on. In addition, the efforts of Steve Kent and Matt addition, the efforts of Steve Kent and Matt Lepinski were
Lepinski were instrumental in preparing this work. Additionally, instrumental in preparing this work. Additionally, we'd like to
we'd like to thank Roque Gagliano, Sandra Murphy, and Geoff Huston thank Roque Gagliano, Sandra Murphy, and Geoff Huston for their
for their reviews and comments. reviews and comments.
8. References 8. References
8.1. Normative References 8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
Addresses and AS Identifiers", RFC 3779, June 2004. Addresses and AS Identifiers", RFC 3779, June 2004.
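Review bot: the Acknowledgements text was rewrapped for the [RFC6487] reference update, but "We would like to thanks" is carried over unchanged into -03; it should read "We would like to thank".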
skipping to change at page 10, line 8 skipping to change at page 10, line 8
END END
Appendix B. Example BGPSEC Router Certificate Appendix B. Example BGPSEC Router Certificate
Appendix C. Example BGPSEC Router Certificate Request Appendix C. Example BGPSEC Router Certificate Request
Appendix D. Change Log Appendix D. Change Log
Please delete this section prior to publication. Please delete this section prior to publication.
D.1 Changes from turner-bgpsec-pki-profiles-01 to sidr-bgpsec-pki- D.1 Changes from turner-bgpsec-pki-profiles-02 to sidr-bgpsec-pki-
profiles-03
Updated s3.3 to clarifify restrictions on path validation procedures
are in this specification (1st para was reworded).
Updated s3.3 to point to s3.1.3.1 for BGPSEC EKU (thanks Tom).
D.2 Changes from turner-bgpsec-pki-profiles-01 to sidr-bgpsec-pki-
profiles-02 profiles-02
Updated references. Updated references.
D.2 Changes from turner-bgpsec-pki-profiles-00 to sidr-bgpsec-pki- D.3 Changes from turner-bgpsec-pki-profiles-00 to sidr-bgpsec-pki-
profiles-01 profiles-01
Added an ASN.1 Module and corrected the id-kp OID in s3.1.3.1. Added an ASN.1 Module and corrected the id-kp OID in s3.1.3.1.
D.3 Changes from turner-bgpsec-pki-profiles-00 to sidr-bgpsec-pki- D.4 Changes from turner-bgpsec-pki-profiles-00 to sidr-bgpsec-pki-
profiles-00 profiles-00
Added this change log. Added this change log.
Amplified that a BGPSEC RP will need to support both the algorithms Amplified that a BGPSEC RP will need to support both the algorithms
in [ID.sidr-bgpsec-algs] for BGPSEC and the algorithms in [ID.sidr- in [ID.sidr-bgpsec-algs] for BGPSEC and the algorithms in [ID.sidr-
rpki-algs] for certificates and CRLs. rpki-algs] for certificates and CRLs.
Changed the name of AS Resource extension to AS Resource Identifier Changed the name of AS Resource extension to AS Resource Identifier
Delegation to match what's in RFC 3779. Delegation to match what's in RFC 3779.
D.4 Changes from turner-bgpsec-pki-profiles -01 to -02 D.5 Changes from turner-bgpsec-pki-profiles -01 to -02
Added text in Section 2 to indicate that there's no impact on the Added text in Section 2 to indicate that there's no impact on the
procedures defined in [ID.sidr-algorithm-agility]. procedures defined in [ID.sidr-algorithm-agility].
Added a security consideration to let implementers know the BGPSEC Added a security consideration to let implementers know the BGPSEC
certificates will not pass RPKI validation [ID.sidr-res-cert-profile] certificates will not pass RPKI validation [RFC6487] and that keying
and that keying off the EKU will help tremendously. off the EKU will help tremendously.
D.5 Changes from turner-bgpsec-pki-profiles -00 to -01 D.6 Changes from turner-bgpsec-pki-profiles -00 to -01
Corrected Section 2 to indicate that CA certificates are also RPKI Corrected Section 2 to indicate that CA certificates are also RPKI
certificates. certificates.
Removed sections and text that was already in [ID.sidr-res-cert- Removed sections and text that was already in [RFC6487]. This will
profile]. This will make it easier for reviewers to figure out what make it easier for reviewers to figure out what is different.
is different.
Modified Section 6 to use 2119-language. Modified Section 6 to use 2119-language.
Removed requirement from Section 6 to check that the AS # in the Removed requirement from Section 6 to check that the AS # in the
certificate is the last number in the AS path information of each BGP certificate is the last number in the AS path information of each BGP
UPDATE message. Moved to [ID.sidr-bgpsec-protocol]. UPDATE message. Moved to [ID.sidr-bgpsec-protocol].
Authors' Addresses Authors' Addresses
Mark Reynolds Mark Reynolds
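Review bot: the new D.1 heading reads "Changes from turner-bgpsec-pki-profiles-02 to sidr-bgpsec-pki-profiles-03", but the version being replaced is draft-ietf-sidr-bgpsec-pki-profiles-02, so the "turner-" prefix looks like a copy of the older headings and should be "sidr-bgpsec-pki-profiles-02". In the same entry, "clarifify" is a typo and the sentence "to clarifify restrictions on path validation procedures are in this specification" needs rewording, for example "to clarify that the restrictions applied during path validation are those in this specification". Appendix B and Appendix C are still bare headings with no example certificate or request under them.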
 End of changes. 15 change blocks. 
26 lines changed or deleted 34 lines changed or added
