draft-ietf-sidr-bgpsec-pki-profiles-11.txt   draft-ietf-sidr-bgpsec-pki-profiles-12.txt 
Secure Inter-Domain Routing Working Group M. Reynolds Secure Inter-Domain Routing Working Group M. Reynolds
Internet-Draft IPSw Internet-Draft IPSw
Updates: 6487 (if approved) S. Turner Updates: 6487 (if approved) S. Turner
Intended status: BCP IECA Intended status: BCP IECA
Expires: February 7, 2016 S. Kent Expires: April 16, 2016 S. Kent
BBN BBN
August 6, 2015 October 14, 2015
A Profile for BGPsec Router Certificates, A Profile for BGPsec Router Certificates,
Certificate Revocation Lists, and Certification Requests Certificate Revocation Lists, and Certification Requests
draft-ietf-sidr-bgpsec-pki-profiles-11 draft-ietf-sidr-bgpsec-pki-profiles-12
Abstract Abstract
This document defines a standard profile for X.509 certificates for This document defines a standard profile for X.509 certificates for
the purposes of supporting validation of Autonomous System (AS) paths the purposes of supporting validation of Autonomous System (AS) paths
in the Border Gateway Protocol (BGP), as part of an extension to that in the Border Gateway Protocol (BGP), as part of an extension to that
protocol known as BGPsec. BGP is a critical component for the proper protocol known as BGPsec. BGP is a critical component for the proper
operation of the Internet as a whole. The BGPsec protocol is under operation of the Internet as a whole. The BGPsec protocol is under
development as a component to address the requirement to provide development as a component to address the requirement to provide
security for the BGP protocol. The goal of BGPsec is to design a security for the BGP protocol. The goal of BGPsec is to design a
skipping to change at page 2, line 22 skipping to change at page 2, line 22
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Describing Resources in Certificates . . . . . . . . . . . . . 3
3. Updates to [RFC6487] . . . . . . . . . . . . . . . . . . . . . 5
3.1. BGPsec Router Certificate Fields . . . . . . . . . . . . 5
3.1.1.1. Subject . . . . . . . . . . . . . . . . . . . . . 5
3.1.2. Subject Public Key Info . . . . . . . . . . . . . . . 5
3.1.3. BGPsec Router Certificate Version 3 Extension Fields . 6
3.1.3.1. Basic Constraints . . . . . . . . . . . . . . . . 6
3.1.3.2. Extended Key Usage . . . . . . . . . . . . . . . . 6
3.1.3.3. Subject Information Access . . . . . . . . . . . . 6
3.1.3.4. IP Resources . . . . . . . . . . . . . . . . . . . 6
3.1.3.5. AS Resources . . . . . . . . . . . . . . . . . . . 6
3.2. BGPsec Router Certificate Request Profile . . . . . . . . 7
3.3. BGPsec Router Certificate Validation . . . . . . . . . . . 7
4. Design Notes . . . . . . . . . . . . . . . . . . . . . . . . . 8
5. Security Considerations . . . . . . . . . . . . . . . . . . . 8
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9
8.1. Normative References . . . . . . . . . . . . . . . . . . . 9
8.2. Informative References . . . . . . . . . . . . . . . . . . 9
Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 10
Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction 1. Introduction
This document defines a profile for X.509 end-entity (EE) This document defines a profile for X.509 end-entity (EE)
certificates [RFC5280] for use in the context of certification of certificates [RFC5280] for use in the context of certification of
Autonomous System (AS) paths in the Border Gateway Protocol Security Autonomous System (AS) paths in the Border Gateway Protocol Security
(BGPsec) protocol. Such certificates are termed "BGPsec Router (BGPsec) protocol. Such certificates are termed "BGPsec Router
Certificates". The holder of the private key associated with a Certificates". The holder of the private key associated with a
BGPsec Router Certificate is authorized to send secure route BGPsec Router Certificate is authorized to send secure route
advertisements (BGPsec UPDATEs) on behalf of the AS(es) named in the advertisements (BGPsec UPDATEs) on behalf of the AS(es) named in the
certificate. That is, a router holding the private key may send to certificate. That is, a router holding the private key may send to
skipping to change at page 7, line 39 skipping to change at page 8, line 30
validation. validation.
A BGPsec Router Certificate is an extension of the RPKI [RFC6480] to A BGPsec Router Certificate is an extension of the RPKI [RFC6480] to
encompass routers. It is a building block of the larger BGPsec encompass routers. It is a building block of the larger BGPsec
security protocol used to validate signatures on BGPsec Signature- security protocol used to validate signatures on BGPsec Signature-
Segment origination of Signed-Path segments [ID.sidr-bgpsec- Segment origination of Signed-Path segments [ID.sidr-bgpsec-
protocol]. Thus its essential security function is the secure protocol]. Thus its essential security function is the secure
binding of one or more AS numbers to a public key, consistent with binding of one or more AS numbers to a public key, consistent with
the RPKI allocation/assignment hierarchy. the RPKI allocation/assignment hierarchy.
Hash functions [ID.sidr-bgpsec-algs] are used when generating the two
key identifiers extension included in BGPsec certificates. However
as noted in [RFC6818], collision resistance is not a required
property of one-way hash functions when used to generate key
identifiers. Regardless, hash collisions are possible and if
detected the operator should be alerted.
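Review bot: The new Security Considerations paragraph leaves its one actionable requirement unassigned and has two wording slips. "if detected the operator should be alerted" does not say which party is expected to detect a key identifier collision (the CA at issuance time, or the relying party when it assembles the set of router certificates) nor what follows the alert (reject, reissue, or merely flag the certificate); stating that would make the consideration implementable. Wording: "the two key identifiers extension" should read "the two key identifier extensions" (Subject Key Identifier and Authority Key Identifier), and "However as noted" needs a comma after "However". The underlying claim, that collision resistance is not a required property of the hash used to derive key identifiers, is consistent with the cited [RFC6818].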
6. IANA Considerations 6. IANA Considerations
This document makes use of two object identifiers in the SMI Registry This document makes use of two object identifiers in the SMI Registry
for PKIX. One is for the ASN.1 module in Appendix A and it comes for PKIX. One is for the ASN.1 module in Appendix A and it comes
from the SMI Security for PKIX Module Identifier IANA registry (id- from the SMI Security for PKIX Module Identifier IANA registry (id-
mod-bgpsec-eku). The other is for the BGPsec router EKU defined in mod-bgpsec-eku). The other is for the BGPsec router EKU defined in
Section 3.1.3.2 and Appendix A and it comes from the SMI Security for Section 3.1.3.2 and Appendix A and it comes from the SMI Security for
PKIX Extended Key Purpose IANA registry. No other actions are PKIX Extended Key Purpose IANA registry. These OIDs were assigned
requested of IANA. before management of the PKIX Arc was handed to IANA. No IANA
allocations are request of IANA, but please update the references in
those registries when this document is published by the RFC editor.
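Review bot: Typo and redundancy in the new closing sentence: "No IANA allocations are request of IANA" should be "requested", and "IANA" appears twice; suggest "No allocations are requested of IANA, but please update the references in those registries when this document is published by the RFC Editor." Since the paragraph now explains that the two OIDs were assigned before IANA took over the PKIX arc, it would also help to point explicitly at Appendix A, where id-kp-bgpsec-router is defined as { id-kp 30 }, so the registry update request is unambiguous about which entries are meant.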
7. Acknowledgements 7. Acknowledgements
We would like to thank Geoff Huston, George Michaelson, and Robert We would like to thank Geoff Huston, George Michaelson, and Robert
Loomans for their work on [RFC6487], which this work is based on. In Loomans for their work on [RFC6487], which this work is based on. In
addition, the efforts of Steve Kent and Matt Lepinski were addition, the efforts of Steve Kent and Matt Lepinski were
instrumental in preparing this work. Additionally, we'd like to instrumental in preparing this work. Additionally, we'd like to
thank Roque Gagliano, Sandra Murphy, Geoff Huston, Richard Hansen, thank Roque Gagliano, Sandra Murphy, Geoff Huston, Richard Hansen,
and David Mandelberg for their reviews and comments. and David Mandelberg for their reviews and comments.
skipping to change at page 8, line 31 skipping to change at page 9, line 30
Gateway Protocol 4 (BGP-4)", RFC 4271, January 2006. Gateway Protocol 4 (BGP-4)", RFC 4271, January 2006.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008. (CRL) Profile", RFC 5280, May 2008.
[RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for [RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for
X.509 PKIX Resource Certificates", RFC 6487, February 2012. X.509 PKIX Resource Certificates", RFC 6487, February 2012.
[ID.sidr-rfc6485bis] Huston, G., and G. Michaelson, "BThe Profile for [RFC6818] Yee, P., "Updates to the Internet X.509 Public Key
Algorithms and Key Sizes for use in the Resource Public Key Infrastructure Certificate and Certificate Revocation List
Infrastructure", draft-ietf-sidr-rfc6485bis, work-in- (CRL) Profile", RFC 6818, January 2013.
progress.
[ID.sidr-bgpsec-algs] Reynolds, M. and S. Turner, "BGP Algorithms, [ID.sidr-rfc6485bis] G. Huston, "The Profile for Algorithms and Key
Key Formats, & Signature Formats", draft-ietf-sidr-bgpsec- Sizes for use in the Resource Public Key Infrastructure",
algs, work-in-progress. draft-ietf-sidr-rfc6485bis, work-in-progress.
[ID.sidr-bgpsec-algs] S. Turner, "BGP Algorithms, Key Formats, &
Signature Formats", draft-ietf-sidr-bgpsec-algs, work-in-
progress.
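Review bot: The two reworked Internet-Draft entries use initial-first author names ("G. Huston", "S. Turner") while every RFC entry in this list uses the RFC-style surname-first form ("Huston, G."); suggest "Huston, G., ..." and "Turner, S., ..." for consistency. The "BThe Profile" typo in the old [ID.sidr-rfc6485bis] entry is gone in the new text, and the added [RFC6818] entry is needed because the new Security Considerations paragraph cites it.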
8.2. Informative References 8.2. Informative References
[RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis", [RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis",
RFC 4272, January 2006. RFC 4272, January 2006.
[RFC5123] White, R. and B. Akyol, "Considerations in Validating the [RFC5123] White, R. and B. Akyol, "Considerations in Validating the
Path in BGP", RFC 5123, February 2008. Path in BGP", RFC 5123, February 2008.
[RFC5492] Scudder, J. and R. Chandra, "Capabilities Advertisement [RFC5492] Scudder, J. and R. Chandra, "Capabilities Advertisement
skipping to change at page 10, line 4 skipping to change at page 11, line 6
iso(1) identified-organization(3) dod(6) internet(1) iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) kp(3) } security(5) mechanisms(5) kp(3) }
-- BGPsec Router Extended Key Usage -- -- BGPsec Router Extended Key Usage --
id-kp-bgpsec-router OBJECT IDENTIFIER ::= { id-kp 30 } id-kp-bgpsec-router OBJECT IDENTIFIER ::= { id-kp 30 }
END END
Appendix B. Change Log Appendix B. Change Log
Please delete this section prior to publication. Please delete this section prior to publication.
B.1 Changes from sidr-bgpsec-pki-profiles-10 to sidr-bgpsec-pki- B.0 Changes from sidr-bgpsec-pki-profiles-11 to sidr-bgpsec-pki-
profiles-12
Added security consideration to address SKI collisions. Also updated
the IANA considerations section.
B.1 Changes from sidr-bgpsec-pki-profiles-10 to sidr-bgpsec-pki-
profiles-11 profiles-11
Removed text in s3.1.3. Consistently used BGPsec to refer to BGP Removed text in s3.1.3. Consistently used BGPsec to refer to BGP
Security. Fixed typos. Refer to RFC6485bis instead of RFC6485. Security. Fixed typos. Refer to RFC6485bis instead of RFC6485.
Included OIDs. Included OIDs.
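Review bot: The new change-log entry is numbered B.0 so that it can sit above B.1, which breaks the B.1, B.2, ... sequence every other entry follows; since the log already lists newest first, renumber the new entry B.1 and shift the rest, or at least give the new "B.0 Changes" and "B.1 Changes" headings the trailing period that "B.2." onward use. The entry's description matches the changes visible in this diff (the new SKI-collision paragraph in Security Considerations and the reworded IANA Considerations).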
B.2. Changes from sidr-bgpsec-pki-profiles-09 to sidr-bgpsec-pki- B.2. Changes from sidr-bgpsec-pki-profiles-09 to sidr-bgpsec-pki-
profiles-10 profiles-10
Updated dates. Updated dates.
B.3. Changes from sidr-bgpsec-pki-profiles-08 to sidr-bgpsec-pki- B.3. Changes from sidr-bgpsec-pki-profiles-08 to sidr-bgpsec-pki-
profiles-09 profiles-09
Editorial fixes for the sake of brevity. Editorial fixes for the sake of brevity.
B.4. Changes from sidr-bgpsec-pki-profiles-07 to sidr-bgpsec-pki- B.4. Changes from sidr-bgpsec-pki-profiles-07 to sidr-bgpsec-pki-
profiles-08 profiles-08
Fixed section numbering. Fixed section numbering.
B.5. Changes from sidr-bgpsec-pki-profiles-06 to sidr-bgpsec-pki- B.5. Changes from sidr-bgpsec-pki-profiles-06 to sidr-bgpsec-pki-
profiles-07 profiles-07
Added text to multiple AS numbers in a single certificate. Updated Added text to multiple AS numbers in a single certificate. Updated
reference to RFC 6916. reference to RFC 6916.
B.6. Changes from sidr-bgpsec-pki-profiles-05 to sidr-bgpsec-pki- B.6. Changes from sidr-bgpsec-pki-profiles-05 to sidr-bgpsec-pki-
profiles-06 profiles-06
Keep alive version. Keep alive version.
B.7. Changes from sidr-bgpsec-pki-profiles-04 to sidr-bgpsec-pki- B.7. Changes from sidr-bgpsec-pki-profiles-04 to sidr-bgpsec-pki-
profiles-05 profiles-05
Keep alive version. Keep alive version.
B.8. Changes from sidr-bgpsec-pki-profiles-03 to sidr-bgpsec-pki- B.8. Changes from sidr-bgpsec-pki-profiles-03 to sidr-bgpsec-pki-
profiles-04 profiles-04
In s2.1, removed the phrase "another BGPSEC Router Certificate (only In s2.1, removed the phrase "another BGPSEC Router Certificate (only
BGPSEC routers process these)" because the BGPSEC certificates are BGPSEC routers process these)" because the BGPSEC certificates are
only ever EE certificates and they're never used to verify another only ever EE certificates and they're never used to verify another
certificate only the PDUs that are signed. certificate only the PDUs that are signed.
Added new s3.1.3.1 to explicitly state that EE certificates are only Added new s3.1.3.1 to explicitly state that EE certificates are only
ever EE certs. ever EE certs.
B.9. Changes from sidr-bgpsec-pki-profiles-02 to sidr-bgpsec-pki- B.9. Changes from sidr-bgpsec-pki-profiles-02 to sidr-bgpsec-pki-
profiles-03 profiles-03
Updated s3.3 to clarify restrictions on path validation procedures Updated s3.3 to clarify restrictions on path validation procedures
are in this specification (1st para was reworded). are in this specification (1st para was reworded).
Updated s3.3 to point to s3.1.3.1 for BGPSEC EKU (thanks Tom). Updated s3.3 to point to s3.1.3.1 for BGPSEC EKU (thanks Tom).
B.10. Changes from sidr-bgpsec-pki-profiles-01 to sidr-bgpsec-pki- B.10. Changes from sidr-bgpsec-pki-profiles-01 to sidr-bgpsec-pki-
profiles-02 profiles-02
Updated references. Updated references.
B.11. Changes from sidr-bgpsec-pki-profiles-00 to sidr-bgpsec-pki- B.11. Changes from sidr-bgpsec-pki-profiles-00 to sidr-bgpsec-pki-
profiles-01 profiles-01
Added an ASN.1 Module and corrected the id-kp OID in s3.1.3.1. Added an ASN.1 Module and corrected the id-kp OID in s3.1.3.1.
B.12. Changes from turner-bgpsec-pki-profiles-02 to sidr-bgpsec-pki- B.12. Changes from turner-bgpsec-pki-profiles-02 to sidr-bgpsec-pki-
profiles-00 profiles-00
Added this change log. Added this change log.
Amplified that a BGPSEC RP will need to support both the algorithms Amplified that a BGPSEC RP will need to support both the algorithms
in [ID.sidr-bgpsec-algs] for BGPSEC and the algorithms in [ID.sidr- in [ID.sidr-bgpsec-algs] for BGPSEC and the algorithms in [ID.sidr-
rpki-algs] for certificates and CRLs. rpki-algs] for certificates and CRLs.
Changed the name of AS Resource extension to AS Resource Identifier Changed the name of AS Resource extension to AS Resource Identifier
Delegation to match what's in RFC 3779. Delegation to match what's in RFC 3779.
B.13. Changes from turner-bgpsec-pki-profiles -01 to -02 B.13. Changes from turner-bgpsec-pki-profiles -01 to -02
Added text in Section 2 to indicate that there's no impact on the Added text in Section 2 to indicate that there's no impact on the
procedures defined in [RFC6916]. procedures defined in [RFC6916].
Added a security consideration to let implementers know the BGPSEC Added a security consideration to let implementers know the BGPSEC
certificates will not pass RPKI validation [RFC6487] and that keying certificates will not pass RPKI validation [RFC6487] and that keying
off the EKU will help tremendously. off the EKU will help tremendously.
B.14. Changes from turner-bgpsec-pki-profiles -00 to -01 B.14. Changes from turner-bgpsec-pki-profiles -00 to -01
Corrected Section 2 to indicate that CA certificates are also RPKI Corrected Section 2 to indicate that CA certificates are also RPKI
certificates. certificates.
Removed sections and text that was already in [RFC6487]. This will Removed sections and text that was already in [RFC6487]. This will
make it easier for reviewers to figure out what is different. make it easier for reviewers to figure out what is different.
Modified Section 6 to use 2119-language. Modified Section 6 to use 2119-language.
Removed requirement from Section 6 to check that the AS # in the Removed requirement from Section 6 to check that the AS # in the