draft-ietf-sidr-bgpsec-pki-profiles-03.txt   draft-ietf-sidr-bgpsec-pki-profiles-04.txt 
Secure Inter-Domain Routing Working Group M. Reynolds Secure Inter-Domain Routing Working Group M. Reynolds
Internet-Draft IPSw Internet-Draft IPSw
Updates: 6487 (if approved) S. Turner Updates: 6487 (if approved) S. Turner
Intended Status: Standards Track IECA Intended Status: Standards Track IECA
Expires: October 15, 2012 S. Kent Expires: April 16, 2013 S. Kent
BBN BBN
April 13, 2012 October 13, 2012
A Profile for BGPSEC Router Certificates, A Profile for BGPSEC Router Certificates,
Certificate Revocation Lists, and Certification Requests Certificate Revocation Lists, and Certification Requests
draft-ietf-sidr-bgpsec-pki-profiles-03 draft-ietf-sidr-bgpsec-pki-profiles-04
Abstract Abstract
This document defines a standard profile for X.509 certificates for This document defines a standard profile for X.509 certificates for
the purposes of supporting validation of Autonomous System (AS) paths the purposes of supporting validation of Autonomous System (AS) paths
in the Border Gateway Protocol (BGP), as part of an extension to that in the Border Gateway Protocol (BGP), as part of an extension to that
protocol known as BGPSEC. BGP is a critical component for the proper protocol known as BGPSEC. BGP is a critical component for the proper
operation of the Internet as a whole. The BGPSEC protocol is under operation of the Internet as a whole. The BGPSEC protocol is under
development as a component to address the requirement to provide development as a component to address the requirement to provide
security for the BGP protocol. The goal of BGPSEC is to design a security for the BGP protocol. The goal of BGPSEC is to design a
skipping to change at page 4, line 18 skipping to change at page 4, line 18
specified in [RFC6487]). Further, the algorithms used to generate specified in [RFC6487]). Further, the algorithms used to generate
RPKI CA certificates that issue the BGPSEC Router Certificates and RPKI CA certificates that issue the BGPSEC Router Certificates and
the CRLs necessary to check the validity of the BGPSEC Router the CRLs necessary to check the validity of the BGPSEC Router
Certificates remain unchanged (i.e., they are as specified in Certificates remain unchanged (i.e., they are as specified in
[RFC6485]). The only impact is that the RPKI CAs will need to be [RFC6485]). The only impact is that the RPKI CAs will need to be
able to process a profiled certificate request (see Section 5) signed able to process a profiled certificate request (see Section 5) signed
with algorithms found in [ID.sidr-bgpsec-algs]. The use of BGPSEC with algorithms found in [ID.sidr-bgpsec-algs]. The use of BGPSEC
Router Certificates in no way affects RPKI RPs that process Manifests Router Certificates in no way affects RPKI RPs that process Manifests
and ROAs because the public key found in the BGPSEC Router and ROAs because the public key found in the BGPSEC Router
Certificate is only ever used to verify the signature on the BGPSEC Certificate is only ever used to verify the signature on the BGPSEC
certificate request (only CAs process these), another BGPSEC Router certificate request (only CAs process these) and the signature on a
Certificate (only BGPSEC routers process these), and the signature on BGPSEC Update Message [ID.sidr-bgpsec-protocol] (only BGPSEC routers
a BGPSEC Update Message [ID.sidr-bgpsec-protocol] (only BGPSEC process these).
routers process these).
Only the differences between this profile and the profile in Only the differences between this profile and the profile in
[RFC6487] are listed. Note that BGPSEC Router Certificates are EE [RFC6487] are listed. Note that BGPSEC Router Certificates are EE
certificates and as such there is no impact on process described in certificates and as such there is no impact on process described in
[ID.sidr-algorithm-agility]. [ID.sidr-algorithm-agility].
3. Updates to [RFC6487] 3. Updates to [RFC6487]
3.1 BGPSEC Router Certificate Fields 3.1 BGPSEC Router Certificate Fields
A BGPSEC Router Certificate is a valid X.509 public key certificate, A BGPSEC Router Certificate is a valid X.509 public key certificate,
consistent with the PKIX profile [RFC5280], containing the fields consistent with the PKIX profile [RFC5280], containing the fields
listed in this section. This profile is also based on [RFC6487] and listed in this section. This profile is also based on [RFC6487] and
only the differences between this profile and the profile in only the differences between this profile and the profile in
[RFC6487] are listed. [RFC6487] are listed.
3.1.1.1 Subject 3.1.1.1. Subject
This field identifies the router to which the certificate has been This field identifies the router to which the certificate has been
issued. Consistent with [RFC6487], only two attributes are allowed issued. Consistent with [RFC6487], only two attributes are allowed
in the Subject field: common name and serial number. Moreover, the in the Subject field: common name and serial number. Moreover, the
only common name encoding options that are supported are only common name encoding options that are supported are
printableString and UTF8String. For BGPSEC Router Certificates, it printableString and UTF8String. For BGPSEC Router Certificates, it
is RECOMMENDED that the common name attribute contain the literal is RECOMMENDED that the common name attribute contain the literal
string "ROUTER-" followed by the 32-bit AS Number [RFC3779] encoded string "ROUTER-" followed by the 32-bit AS Number [RFC3779] encoded
as eight hexadecimal digits and that the serial number attribute as eight hexadecimal digits and that the serial number attribute
contain the 32-bit BGP Identifier [RFC4271] (i.e., the router ID) contain the 32-bit BGP Identifier [RFC4271] (i.e., the router ID)
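Review bot: The heading "3.1.1.1. Subject" sits directly under "3.1 BGPSEC Router Certificate Fields" with no 3.1.1 heading between them in either version, and -04 adds the trailing period to the 3.1.1.1 number only, leaving "3." and "3.1" styled differently. Suggest adding the missing intermediate heading (or renumbering Subject) and applying the period consistently across section numbers. Dropping the "another BGPSEC Router Certificate (only BGPSEC routers process these)" clause leaves the sentence with two uses of the router public key, which reads cleanly. The unchanged "no impact on process described in" in the next paragraph still needs an article ("on the process").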
skipping to change at page 5, line 22 skipping to change at page 5, line 21
Refer to section 3.1 of [ID.sidr-bgpsec-algs]. Refer to section 3.1 of [ID.sidr-bgpsec-algs].
3.1.3. BGPSEC Router Certificate Version 3 Extension Fields 3.1.3. BGPSEC Router Certificate Version 3 Extension Fields
The following X.509 V3 extensions MUST be present (or MUST be absent, The following X.509 V3 extensions MUST be present (or MUST be absent,
if so stated) in a conforming BGPSEC Router Certificate, except where if so stated) in a conforming BGPSEC Router Certificate, except where
explicitly noted otherwise. No other extensions are allowed in a explicitly noted otherwise. No other extensions are allowed in a
conforming BGPSEC Router Certificate. conforming BGPSEC Router Certificate.
3.1.3.1. Extended Key Usage 3.1.3.1. Basic Constraints
BGPSEC speakers are EEs; therefore, the Basic Constraints extension
must not be present, as per [RFC6487].
3.1.3.2. Extended Key Usage
BGPSEC Router Certificates MUST include the Extended Key Usage (EKU) BGPSEC Router Certificates MUST include the Extended Key Usage (EKU)
extension. As specified, in [RFC6487] this extension MUST be marked extension. As specified, in [RFC6487] this extension MUST be marked
as non-critical. This document defines one EKU for BGPSEC Router as non-critical. This document defines one EKU for BGPSEC Router
Certificates: Certificates:
id-kp OBJECT IDENTIFIER ::= id-kp OBJECT IDENTIFIER ::=
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) kp(3) } security(5) mechanisms(5) pkix(7) kp(3) }
id-kp-bgpsec-router OBJECT IDENTIFIER ::= { id-kp TBD } id-kp-bgpsec-router OBJECT IDENTIFIER ::= { id-kp TBD }
Relying Parties MUST require the extended key usage extension to be Relying Parties MUST require the extended key usage extension to be
present in a BGPSEC Router Certificate. If multiple KeyPurposeId present in a BGPSEC Router Certificate. If multiple KeyPurposeId
values are included, the relying parties need not recognize all of values are included, the relying parties need not recognize all of
them, as long as the required KeyPurposeId value is present. BGPSEC them, as long as the required KeyPurposeId value is present. BGPSEC
RPs MUST reject certificates that do not contain the BGPSEC Router RPs MUST reject certificates that do not contain the BGPSEC Router
EKU even if they include the anyExtendedKeyUsage OID defined in EKU even if they include the anyExtendedKeyUsage OID defined in
[RFC5280]. [RFC5280].
3.1.3.2. Subject Information Access 3.1.3.3. Subject Information Access
This extension is not used in BGPSEC Router Certificates. It MUST be This extension is not used in BGPSEC Router Certificates. It MUST be
omitted. omitted.
3.1.3.3. IP Resources 3.1.3.4. IP Resources
This extension is not used in BGPSEC Router Certificates. It MUSt be This extension is not used in BGPSEC Router Certificates. It MUSt be
omitted. omitted.
3.1.3.4. AS Resources 3.1.3.5. AS Resources
Each BGPSEC Router Certificate MUST include the AS Resource Each BGPSEC Router Certificate MUST include the AS Resource
Identifier Delegation extension, as specified in section 4.8.11 of Identifier Delegation extension, as specified in section 4.8.11 of
[RFC6487]. The AS Resource Identifier Delegation extension MUST [RFC6487]. The AS Resource Identifier Delegation extension MUST
include exactly one AS number, and the "inherit" element MUST NOT be include exactly one AS number, and the "inherit" element MUST NOT be
specified. specified.
3.2. BGPSEC Router Certificate Request Profile 3.2. BGPSEC Router Certificate Request Profile
Refer to section 6 of [RFC6487]. The only differences between this Refer to section 6 of [RFC6487]. The only differences between this
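Review bot: The new 3.1.3.1 Basic Constraints text says the extension "must not be present" in lowercase, while every other requirement in 3.1.3 uses RFC 2119 keywords ("MUST include", "MUST be omitted", "MUST NOT be specified"). If this is meant as a normative requirement that a relying party can enforce, write "MUST NOT be present"; as it stands an implementer could read it as descriptive only. The sentence also says "BGPSEC speakers are EEs" where the constraint is on the certificate, so "BGPSEC Router Certificates are EE certificates" would match the wording used in Section 2. Two carried-over nits in the same hunk: "MUSt be omitted" under IP Resources, and the misplaced comma in "As specified, in [RFC6487] this extension MUST be marked". The id-kp-bgpsec-router arc is still TBD, so relying parties cannot yet implement the EKU check described here.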
skipping to change at page 10, line 8 skipping to change at page 11, line 8
END END
Appendix B. Example BGPSEC Router Certificate Appendix B. Example BGPSEC Router Certificate
Appendix C. Example BGPSEC Router Certificate Request Appendix C. Example BGPSEC Router Certificate Request
Appendix D. Change Log Appendix D. Change Log
Please delete this section prior to publication. Please delete this section prior to publication.
D.1 Changes from turner-bgpsec-pki-profiles-02 to sidr-bgpsec-pki- D.1. Changes from sidr-bgpsec-pki-profiles-03 to sidr-bgpsec-pki-
profiles-04
In s2.1, removed the phrase "another BGPSEC Router Certificate (only
BGPSEC routers process these)" because the BGPSEC certificates are
only ever EE certificates and they're never used to verify another
certificate only the PDUs that are signed.
Added new s3.1.3.1 to explicitly state that EE certificates are only
ever EE certs.
D.2. Changes from sidr-bgpsec-pki-profiles-02 to sidr-bgpsec-pki-
profiles-03 profiles-03
Updated s3.3 to clarifify restrictions on path validation procedures Updated s3.3 to clarifify restrictions on path validation procedures
are in this specification (1st para was reworded). are in this specification (1st para was reworded).
Updated s3.3 to point to s3.1.3.1 for BGPSEC EKU (thanks Tom). Updated s3.3 to point to s3.1.3.1 for BGPSEC EKU (thanks Tom).
D.2 Changes from turner-bgpsec-pki-profiles-01 to sidr-bgpsec-pki- D.3. Changes from sidr-bgpsec-pki-profiles-01 to sidr-bgpsec-pki-
profiles-02 profiles-02
Updated references. Updated references.
D.3 Changes from turner-bgpsec-pki-profiles-00 to sidr-bgpsec-pki- D.4. Changes from sidr-bgpsec-pki-profiles-00 to sidr-bgpsec-pki-
profiles-01 profiles-01
Added an ASN.1 Module and corrected the id-kp OID in s3.1.3.1. Added an ASN.1 Module and corrected the id-kp OID in s3.1.3.1.
D.4 Changes from turner-bgpsec-pki-profiles-00 to sidr-bgpsec-pki- D.5. Changes from turner-bgpsec-pki-profiles-02 to sidr-bgpsec-pki-
profiles-00 profiles-00
Added this change log. Added this change log.
Amplified that a BGPSEC RP will need to support both the algorithms Amplified that a BGPSEC RP will need to support both the algorithms
in [ID.sidr-bgpsec-algs] for BGPSEC and the algorithms in [ID.sidr- in [ID.sidr-bgpsec-algs] for BGPSEC and the algorithms in [ID.sidr-
rpki-algs] for certificates and CRLs. rpki-algs] for certificates and CRLs.
Changed the name of AS Resource extension to AS Resource Identifier Changed the name of AS Resource extension to AS Resource Identifier
Delegation to match what's in RFC 3779. Delegation to match what's in RFC 3779.
D.5 Changes from turner-bgpsec-pki-profiles -01 to -02 D.6. Changes from turner-bgpsec-pki-profiles -01 to -02
Added text in Section 2 to indicate that there's no impact on the Added text in Section 2 to indicate that there's no impact on the
procedures defined in [ID.sidr-algorithm-agility]. procedures defined in [ID.sidr-algorithm-agility].
Added a security consideration to let implementers know the BGPSEC Added a security consideration to let implementers know the BGPSEC
certificates will not pass RPKI validation [RFC6487] and that keying certificates will not pass RPKI validation [RFC6487] and that keying
off the EKU will help tremendously. off the EKU will help tremendously.
D.6 Changes from turner-bgpsec-pki-profiles -00 to -01 D.7. Changes from turner-bgpsec-pki-profiles -00 to -01
Corrected Section 2 to indicate that CA certificates are also RPKI Corrected Section 2 to indicate that CA certificates are also RPKI
certificates. certificates.
Removed sections and text that was already in [RFC6487]. This will Removed sections and text that was already in [RFC6487]. This will
make it easier for reviewers to figure out what is different. make it easier for reviewers to figure out what is different.
Modified Section 6 to use 2119-language. Modified Section 6 to use 2119-language.
Removed requirement from Section 6 to check that the AS # in the Removed requirement from Section 6 to check that the AS # in the
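Review bot: The new D.1 entry "Added new s3.1.3.1 to explicitly state that EE certificates are only ever EE certs" is circular and does not describe the change; suggest "Added new s3.1.3.1 (Basic Constraints) to state that BGPSEC Router Certificates are only ever EE certificates". The renumbering also needs a cross-reference check: the D.2 entry records that s3.3 points to s3.1.3.1 for the BGPSEC EKU, but in -04 s3.1.3.1 is Basic Constraints and the EKU moved to s3.1.3.2, and D.1 does not mention updating s3.3. Please confirm the pointer in s3.3 was updated and log it. The first D.1 entry would read better with a comma or "but" before "only the PDUs that are signed", and "clarifify" in D.2 is still misspelled.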
 End of changes. 15 change blocks. 
18 lines changed or deleted 33 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/