draft-ietf-sidr-bgpsec-pki-profiles-14.txt   draft-ietf-sidr-bgpsec-pki-profiles-15.txt 
Secure Inter-Domain Routing Working Group M. Reynolds Secure Inter-Domain Routing Working Group M. Reynolds
Internet-Draft IPSw Internet-Draft IPSw
Updates: 6487 (if approved) S. Turner Updates: 6487 (if approved) S. Turner
Intended status: Standard Track IECA Intended status: Standard Track IECA
Expires: May 7, 2016 S. Kent Expires: May 8, 2016 S. Kent
BBN BBN
November 4, 2015 November 5, 2015
A Profile for BGPsec Router Certificates, A Profile for BGPsec Router Certificates,
Certificate Revocation Lists, and Certification Requests Certificate Revocation Lists, and Certification Requests
draft-ietf-sidr-bgpsec-pki-profiles-14 draft-ietf-sidr-bgpsec-pki-profiles-15
Abstract Abstract
This document defines a standard profile for X.509 certificates used This document defines a standard profile for X.509 certificates used
to enable validation of Autonomous System (AS) paths in the Border to enable validation of Autonomous System (AS) paths in the Border
Gateway Protocol (BGP), as part of an extension to that protocol Gateway Protocol (BGP), as part of an extension to that protocol
known as BGPsec. BGP is the standard for inter-domain routing in the known as BGPsec. BGP is the standard for inter-domain routing in the
Internet; it is the "glue" that holds the Internet together. BGPsec Internet; it is the "glue" that holds the Internet together. BGPsec
is being developed as one component of a solution that addresses the is being developed as one component of a solution that addresses the
requirement to provide security for BGP. The goal of BGPsec is to requirement to provide security for BGP. The goal of BGPsec is to
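Review bot: The header line "Intended status: Standard Track" is carried over unchanged from -14 to -15, but the IETF category name is "Standards Track". It should be corrected in the same pass that bumps the draft version and the date lines.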
skipping to change at page 2, line 48 skipping to change at page 2, line 48
3.2. BGPsec Router Certificate Request Profile . . . . . . . . 7 3.2. BGPsec Router Certificate Request Profile . . . . . . . . 7
3.3. BGPsec Router Certificate Validation . . . . . . . . . . . 7 3.3. BGPsec Router Certificate Validation . . . . . . . . . . . 7
4. Design Notes . . . . . . . . . . . . . . . . . . . . . . . . . 8 4. Design Notes . . . . . . . . . . . . . . . . . . . . . . . . . 8
5. Security Considerations . . . . . . . . . . . . . . . . . . . 8 5. Security Considerations . . . . . . . . . . . . . . . . . . . 8
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9
8.1. Normative References . . . . . . . . . . . . . . . . . . . 9 8.1. Normative References . . . . . . . . . . . . . . . . . . . 9
8.2. Informative References . . . . . . . . . . . . . . . . . . 9 8.2. Informative References . . . . . . . . . . . . . . . . . . 9
Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 10 Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 10
Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 12 Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction 1. Introduction
This document defines a profile for X.509 end-entity (EE) This document defines a profile for X.509 end-entity (EE)
certificates [RFC5280] for use in the context of certification of certificates [RFC5280] for use in the context of certification of
Autonomous System (AS) paths in the Border Gateway Protocol Security Autonomous System (AS) paths in the Border Gateway Protocol Security
protocol (BGPsec). Such certificates are termed "BGPsec Router protocol (BGPsec). Such certificates are termed "BGPsec Router
Certificates". The holder of the private key associated with a Certificates". The holder of the private key associated with a
BGPsec Router Certificate is authorized to send secure route BGPsec Router Certificate is authorized to send secure route
advertisements (BGPsec UPDATEs) on behalf of the AS(es) named in the advertisements (BGPsec UPDATEs) on behalf of the AS(es) named in the
certificate. A router holding the private key is authorized to send certificate. A router holding the private key is authorized to send
route advertisements (to its peers) that contain one or more of the route advertisements (to its peers) that contain one or more of the
specified AS number as the last item in the AS PATH attribute. A key specified AS number as the last item in the AS PATH attribute. A key
property provided by BGPsec is that every AS along the AS PATH can property provided by BGPsec is that every AS along the AS PATH can
verify that the other ASes along the path have authorized the verify that the other ASes along the path have authorized the
advertisement of the given route (to the next AS along the AS PATH). advertisement of the given route (to the next AS along the AS PATH).
This document is a profile of [RFC6487], which is a profile of This document is a profile of [RFC6487], which is a profile of
[RFC5280]; thus this document [RFC6487]. It establishes requirements [RFC5280]; thus this document updates [RFC6487]. It establishes
imposed on a Resource Certificate that is used as a BGPsec Router requirements imposed on a Resource Certificate that is used as a
Certificate, i.e., it defines constraints for certificate fields and BGPsec Router Certificate, i.e., it defines constraints for
extensions for the certificate to be valid in this context. This certificate fields and extensions for the certificate to be valid in
document also profiles the certification requests used to acquire this context. This document also profiles the certification requests
BGPsec Router Certificates. Finally, this document specifies the used to acquire BGPsec Router Certificates. Finally, this document
Relying Party (RP) certificate path validation procedures for these specifies the Relying Party (RP) certificate path validation
certificates. procedures for these certificates.
1.1. Terminology 1.1. Terminology
It is assumed that the reader is familiar with the terms and concepts It is assumed that the reader is familiar with the terms and concepts
described in "A Profile for X.509 PKIX Resource Certificates" described in "A Profile for X.509 PKIX Resource Certificates"
[RFC6487], "BGPsec Protocol Specification" [ID.sidr-bgpsec-protocol], [RFC6487], "BGPsec Protocol Specification" [ID.sidr-bgpsec-protocol],
"A Border Gateway Protocol 4 (BGP-4)" [RFC4271], "BGP Security "A Border Gateway Protocol 4 (BGP-4)" [RFC4271], "BGP Security
Vulnerabilities Analysis" [RFC4272], "Considerations in Validating Vulnerabilities Analysis" [RFC4272], "Considerations in Validating
the Path in BGP" [RFC5123], and "Capability Advertisement with BGP-4" the Path in BGP" [RFC5123], and "Capability Advertisement with BGP-4"
[RFC5492]. [RFC5492].
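Review bot: In the first paragraph of the Introduction, the unchanged text "contain one or more of the specified AS number as the last item in the AS PATH attribute" has a number disagreement and should read "AS numbers". The attribute is written "AS PATH" here and twice more in the same paragraph, where RFC 4271 names it AS_PATH. The repaired sentence "thus this document updates [RFC6487]" now parses, but "thus" presents the update as a consequence of simply being a profile. Consider stating which RFC 6487 requirements this profile changes, so the "Updates: 6487" header is supported by the text.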
skipping to change at page 4, line 5 skipping to change at page 4, line 5
[RFC2119]. [RFC2119].
2. Describing Resources in Certificates 2. Describing Resources in Certificates
Figure 1 depicts some of the entities in the RPKI and some of the Figure 1 depicts some of the entities in the RPKI and some of the
products generated by RPKI entities. IANA issues a Certification products generated by RPKI entities. IANA issues a Certification
Authority (CA) certificate to each Regional Internet Registry (RIR). Authority (CA) certificate to each Regional Internet Registry (RIR).
The RIR, in turn, issues a CA certificate to an Internet Service The RIR, in turn, issues a CA certificate to an Internet Service
Providers (ISP). The ISP in turn issues EE Certificates to itself to Providers (ISP). The ISP in turn issues EE Certificates to itself to
enable verification of signatures on RPKI signed objects. The CA also enable verification of signatures on RPKI signed objects. The CA also
generate. The CA also generates CRLs. These CA and EE certificates generate. The CA also generates Certificate Revocation Lists (CRLs).
are referred to as "Resource Certificates", and are profiled in These CA and EE certificates are referred to as "Resource
[RFC6487]. The [RFC6480] envisioned using Resource Certificates to Certificates", and are profiled in [RFC6487]. The [RFC6480]
enable verification of Manifests [RFC6486] and Route Origin envisioned using Resource Certificates to enable verification of
Authorizations (ROAs) [RFC6482]. ROAs and Manifests include the Manifests [RFC6486] and Route Origin Authorizations (ROAs) [RFC6482].
Resource Certificates used to verify them. ROAs and Manifests include the Resource Certificates used to verify
them.
+---------+ +------+ +---------+ +------+
| CA Cert |---| IANA | | CA Cert |---| IANA |
+---------+ +------+ +---------+ +------+
\ \
+---------+ +-----+ +---------+ +-----+
| CA Cert |---| RIR | | CA Cert |---| RIR |
+---------+ +-----+ +---------+ +-----+
\ \
+---------+ +-----+ +---------+ +-----+
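Review bot: The second paragraph of Section 2 still carries the fragment "The CA also generate." ahead of the rewritten sentence, so -15 reads "The CA also generate. The CA also generates Certificate Revocation Lists (CRLs)." The change expanded the acronym but left the editing leftover in place; delete the fragment so that a single complete sentence remains. In the same paragraph, "an Internet Service Providers (ISP)" should be singular, and "The [RFC6480] envisioned" needs either a subject noun or the article dropped.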
 End of changes. 6 change blocks. 
19 lines changed or deleted 20 lines changed or added
