draft-ietf-sidr-bgpsec-pki-profiles-15.txt   draft-ietf-sidr-bgpsec-pki-profiles-16.txt 
Secure Inter-Domain Routing Working Group M. Reynolds Secure Inter-Domain Routing Working Group M. Reynolds
Internet-Draft IPSw Internet-Draft IPSw
Updates: 6487 (if approved) S. Turner Updates: 6487 (if approved) S. Turner
Intended status: Standard Track IECA Intended status: Standard Track IECA
Expires: May 8, 2016 S. Kent Expires: September 22, 2016 S. Kent
BBN BBN
November 5, 2015 March 21, 2016
A Profile for BGPsec Router Certificates, A Profile for BGPsec Router Certificates,
Certificate Revocation Lists, and Certification Requests Certificate Revocation Lists, and Certification Requests
draft-ietf-sidr-bgpsec-pki-profiles-15 draft-ietf-sidr-bgpsec-pki-profiles-16
Abstract Abstract
This document defines a standard profile for X.509 certificates used This document defines a standard profile for X.509 certificates used
to enable validation of Autonomous System (AS) paths in the Border to enable validation of Autonomous System (AS) paths in the Border
Gateway Protocol (BGP), as part of an extension to that protocol Gateway Protocol (BGP), as part of an extension to that protocol
known as BGPsec. BGP is the standard for inter-domain routing in the known as BGPsec. BGP is the standard for inter-domain routing in the
Internet; it is the "glue" that holds the Internet together. BGPsec Internet; it is the "glue" that holds the Internet together. BGPsec
is being developed as one component of a solution that addresses the is being developed as one component of a solution that addresses the
requirement to provide security for BGP. The goal of BGPsec is to requirement to provide security for BGP. The goal of BGPsec is to
skipping to change at page 2, line 10 skipping to change at page 2, line 10
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 42 skipping to change at page 2, line 42
3.1.3. BGPsec Router Certificate Version 3 Extension Fields . 6 3.1.3. BGPsec Router Certificate Version 3 Extension Fields . 6
3.1.3.1. Basic Constraints . . . . . . . . . . . . . . . . 6 3.1.3.1. Basic Constraints . . . . . . . . . . . . . . . . 6
3.1.3.2. Extended Key Usage . . . . . . . . . . . . . . . . 6 3.1.3.2. Extended Key Usage . . . . . . . . . . . . . . . . 6
3.1.3.3. Subject Information Access . . . . . . . . . . . . 6 3.1.3.3. Subject Information Access . . . . . . . . . . . . 6
3.1.3.4. IP Resources . . . . . . . . . . . . . . . . . . . 6 3.1.3.4. IP Resources . . . . . . . . . . . . . . . . . . . 6
3.1.3.5. AS Resources . . . . . . . . . . . . . . . . . . . 6 3.1.3.5. AS Resources . . . . . . . . . . . . . . . . . . . 6
3.2. BGPsec Router Certificate Request Profile . . . . . . . . 7 3.2. BGPsec Router Certificate Request Profile . . . . . . . . 7
3.3. BGPsec Router Certificate Validation . . . . . . . . . . . 7 3.3. BGPsec Router Certificate Validation . . . . . . . . . . . 7
4. Design Notes . . . . . . . . . . . . . . . . . . . . . . . . . 8 4. Design Notes . . . . . . . . . . . . . . . . . . . . . . . . . 8
5. Security Considerations . . . . . . . . . . . . . . . . . . . 8 5. Security Considerations . . . . . . . . . . . . . . . . . . . 8
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9
8.1. Normative References . . . . . . . . . . . . . . . . . . . 9 8.1. Normative References . . . . . . . . . . . . . . . . . . . 9
8.2. Informative References . . . . . . . . . . . . . . . . . . 9 8.2. Informative References . . . . . . . . . . . . . . . . . . 10
Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 10 Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 11
Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction 1. Introduction
This document defines a profile for X.509 end-entity (EE) This document defines a profile for X.509 end-entity (EE)
certificates [RFC5280] for use in the context of certification of certificates [RFC5280] for use in the context of certification of
Autonomous System (AS) paths in the Border Gateway Protocol Security Autonomous System (AS) paths in the Border Gateway Protocol Security
protocol (BGPsec). Such certificates are termed "BGPsec Router protocol (BGPsec). Such certificates are termed "BGPsec Router
Certificates". The holder of the private key associated with a Certificates". The holder of the private key associated with a
BGPsec Router Certificate is authorized to send secure route BGPsec Router Certificate is authorized to send secure route
advertisements (BGPsec UPDATEs) on behalf of the AS(es) named in the advertisements (BGPsec UPDATEs) on behalf of the AS(es) named in the
skipping to change at page 7, line 10 skipping to change at page 7, line 10
Identifier Delegation extension, as specified in section 4.8.11 of Identifier Delegation extension, as specified in section 4.8.11 of
[RFC6487]. The AS Resource Identifier Delegation extension MUST [RFC6487]. The AS Resource Identifier Delegation extension MUST
include one or more AS numbers, and the "inherit" element MUST NOT be include one or more AS numbers, and the "inherit" element MUST NOT be
specified. specified.
3.2. BGPsec Router Certificate Request Profile 3.2. BGPsec Router Certificate Request Profile
Refer to section 6 of [RFC6487]. The only differences between this Refer to section 6 of [RFC6487]. The only differences between this
profile and the profile in [RFC6487] are: profile and the profile in [RFC6487] are:
o The ExtendedKeyUsage extension request MUST be included and the CA o The Basic Constraints extension:
MUST honor the request;
If included, the CA MUST NOT honor the cA boolean if set to TRUE.
o The Extended Key Usage extension:
If included, id-kp-bgpsec-router MUST be present (see Section
3.1). If included, the CA MUST honor the request for id-kp-
bgpsec-router.
o The Subject Information Access extension:
If included, the CA MUST NOT honor the request to include the
extension.
o The SubjectPublicKeyInfo and PublicKey fields are specified in o The SubjectPublicKeyInfo and PublicKey fields are specified in
[ID.sidr-bgpsec-algs]; and, [ID.sidr-bgpsec-algs].
o The request is signed with the algorithms specified in [ID.sidr- o The request is signed with the algorithms specified in [ID.sidr-
bgpsec-algs]. bgpsec-algs].
3.3. BGPsec Router Certificate Validation 3.3. BGPsec Router Certificate Validation
The validation procedure used for BGPsec Router Certificates is The validation procedure used for BGPsec Router Certificates is
identical to the validation procedure described in Section 7 of identical to the validation procedure described in Section 7 of
[RFC6487], but using the constraints applied come from this [RFC6487], but using the constraints applied come from this
specification. For example, in step 3: "the certificate contains all specification. For example, in step 3: "the certificate contains all
the field that must be present" - refers to the fields that are the field that must be present" - refers to the fields that are
required by this specification. required by this specification.
The differences are as follows: The differences are as follows:
o BGPsec Router Certificates MUST include the BGPsec EKU defined in o BGPsec Router Certificates MUST include the BGPsec Router EKU
Section 3.1.3.1. defined in Section 3.1.3.2.
o BGPsec Router Certificates MUST NOT include the SIA extension. o BGPsec Router Certificates MUST NOT include the SIA extension.
o BGPsec Router Certificates MUST NOT include the IP Resource o BGPsec Router Certificates MUST NOT include the IP Resource
extension. extension.
o BGPsec Router Certificates MUST include the AS Resource Identifier o BGPsec Router Certificates MUST include the AS Resource Identifier
Delegation extension. Delegation extension.
o BGPsec Router Certificate MUST include the "Subject Public Key o BGPsec Router Certificate MUST include the "Subject Public Key
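Review bot: The new Extended Key Usage bullet in Section 3.2 covers only the "If included" case, so the request profile no longer says what the CA does when a request omits id-kp-bgpsec-router. The old bullet required the extension in every request. As the text now stands, the omitted case has to be inferred from the Section 3.3 requirement that certificates include the EKU and from the Design Notes. Suggest closing the bullet with an explicit statement that the CA includes id-kp-bgpsec-router in the issued certificate even when the request does not ask for it. The same bullet points to "Section 3.1" for the EKU while this revision corrects the Section 3.3 reference to 3.1.3.2; the two references should match. In the unchanged first paragraph of 3.3, "but using the constraints applied come from this specification" still needs rewording.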
skipping to change at page 8, line 13 skipping to change at page 8, line 25
CRLs. CRLs.
4. Design Notes 4. Design Notes
The BGPsec Router Certificate profile is based on the Resource The BGPsec Router Certificate profile is based on the Resource
Certificate profile as specified in [ID.sidr-rfc6485bis]. As a Certificate profile as specified in [ID.sidr-rfc6485bis]. As a
result, many of the design choices herein are a reflection of the result, many of the design choices herein are a reflection of the
design choices that were taken in that prior work. The reader is design choices that were taken in that prior work. The reader is
referred to [RFC6484] for a fuller discussion of those choices. referred to [RFC6484] for a fuller discussion of those choices.
CAs are required by the Certificate Policy (CP) [RFC6484] to issue
properly formed BGPsec Router Certificates regardless of what is
present in the certification request so there is some flexibility
permitted in the certificate requests:
o BGPsec Router Certificates are always EE certificates; therefore,
requests to issue a CA certificate result in EE certificates;
o BGPsec Router Certificates are always EE certificates; therefore,
requests for Key Usage extension values keyCertSign and cRLSign
result in certificates with neither of these values;
o BGPsec Router Certificates always include the BGPsec Rouer EKU
value; therefore, request without the value result in certificates
with the value; and,
o BGPsec Router Certificates never include the Subject Information
Access extension; therefore, request with this extension result in
certificates without the extension.
Note that this behavior is similar to the CA including the AS
Resource Identifier Delegation extension in issued BGPsec Router
Certificates despite the fact it is not present in the request.
5. Security Considerations 5. Security Considerations
The Security Considerations of [RFC6487] apply. The Security Considerations of [RFC6487] apply.
A BGPsec Router Certificate will fail RPKI validation, as defined in A BGPsec Router Certificate will fail RPKI validation, as defined in
[RFC6487], because the algorithm suite is different. Consequently, a [RFC6487], because the algorithm suite is different. Consequently, a
RP needs to identify the EKU to determine the appropriate Validation RP needs to identify the EKU to determine the appropriate Validation
constraint. constraint.
A BGPsec Router Certificate is an extension of the RPKI [RFC6480] to A BGPsec Router Certificate is an extension of the RPKI [RFC6480] to
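Review bot: The second bullet of the added Design Notes text describes requests for the Key Usage values keyCertSign and cRLSign, but the list of differences in Section 3.2 has bullets only for Basic Constraints, Extended Key Usage and Subject Information Access, so the Key Usage behaviour has no matching statement in the request profile. Either add a Key Usage bullet to 3.2 or state here which requirement the behaviour follows from. In the same added text, "BGPsec Rouer EKU" should be "BGPsec Router EKU", and "request without the value result" and "request with this extension result" should read "requests ... result".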
skipping to change at page 9, line 6 skipping to change at page 9, line 43
before management of the PKIX Arc was handed to IANA. No IANA before management of the PKIX Arc was handed to IANA. No IANA
allocations are request of IANA, but please update the references in allocations are request of IANA, but please update the references in
those registries when this document is published by the RFC editor. those registries when this document is published by the RFC editor.
7. Acknowledgements 7. Acknowledgements
We would like to thank Geoff Huston, George Michaelson, and Robert We would like to thank Geoff Huston, George Michaelson, and Robert
Loomans for their work on [RFC6487], which this work is based on. In Loomans for their work on [RFC6487], which this work is based on. In
addition, the efforts of Steve Kent and Matt Lepinski were addition, the efforts of Steve Kent and Matt Lepinski were
instrumental in preparing this work. Additionally, we'd like to instrumental in preparing this work. Additionally, we'd like to
thank Roque Gagliano, Sandra Murphy, Geoff Huston, Richard Hansen, thank Rob Austein, Roque Gagliano, Richard Hansen, Geoff Huston,
David Mandelberg, and Sam Weiller for their reviews and comments. David Mandelberg, Sandra Murphy, and Sam Weiller for their reviews
and comments.
8. References 8. References
8.1. Normative References 8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
Addresses and AS Identifiers", RFC 3779, June 2004. Addresses and AS Identifiers", RFC 3779, June 2004.
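Review bot: In the reordered acknowledgement list Geoff Huston is thanked a second time, although the first sentence already credits him for [RFC6487]; drop one mention unless both are intended. The unchanged IANA text at the top of this hunk, "No IANA allocations are request of IANA", should read "requested of IANA".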
skipping to change at page 11, line 5 skipping to change at page 11, line 42
id-kp OBJECT IDENTIFIER ::= { id-kp OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) dod(6) internet(1) iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) kp(3) } security(5) mechanisms(5) kp(3) }
-- BGPsec Router Extended Key Usage -- -- BGPsec Router Extended Key Usage --
id-kp-bgpsec-router OBJECT IDENTIFIER ::= { id-kp 30 } id-kp-bgpsec-router OBJECT IDENTIFIER ::= { id-kp 30 }
END END
Appendix B. Change Log
Please delete this section prior to publication.
B.0 Changes from sidr-bgpsec-pki-profiles-12 to sidr-bgpsec-pki-
profiles-13
Minor modifications to address WGLC comments.
B.1 Changes from sidr-bgpsec-pki-profiles-11 to sidr-bgpsec-pki-
profiles-12
Added security consideration to address SKI collisions. Also updated
the IANA considerations section.
B.2 Changes from sidr-bgpsec-pki-profiles-10 to sidr-bgpsec-pki-
profiles-11
Removed text in s3.1.3. Consistently used BGPsec to refer to BGP
Security. Fixed typos. Refer to RFC6485bis instead of RFC6485.
Included OIDs.
B.3. Changes from sidr-bgpsec-pki-profiles-09 to sidr-bgpsec-pki-
profiles-10
Updated dates.
B.4. Changes from sidr-bgpsec-pki-profiles-08 to sidr-bgpsec-pki-
profiles-09
Editorial fixes for the sake of brevity.
B.5. Changes from sidr-bgpsec-pki-profiles-07 to sidr-bgpsec-pki-
profiles-08
Fixed section numbering.
B.6. Changes from sidr-bgpsec-pki-profiles-06 to sidr-bgpsec-pki-
profiles-07
Added text to multiple AS numbers in a single certificate. Updated
reference to RFC 6916.
B.7. Changes from sidr-bgpsec-pki-profiles-05 to sidr-bgpsec-pki-
profiles-06
Keep alive version.
B.8. Changes from sidr-bgpsec-pki-profiles-04 to sidr-bgpsec-pki-
profiles-05
Keep alive version.
B.9. Changes from sidr-bgpsec-pki-profiles-03 to sidr-bgpsec-pki-
profiles-04
In s2.1, removed the phrase "another BGPSEC Router Certificate (only
BGPSEC routers process these)" because the BGPSEC certificates are
only ever EE certificates and they're never used to verify another
certificate only the PDUs that are signed.
Added new s3.1.3.1 to explicitly state that EE certificates are only
ever EE certs.
B.10. Changes from sidr-bgpsec-pki-profiles-02 to sidr-bgpsec-pki-
profiles-03
Updated s3.3 to clarify restrictions on path validation procedures
are in this specification (1st para was reworded).
Updated s3.3 to point to s3.1.3.1 for BGPSEC EKU (thanks Tom).
B.11. Changes from sidr-bgpsec-pki-profiles-01 to sidr-bgpsec-pki-
profiles-02
Updated references.
B.12. Changes from sidr-bgpsec-pki-profiles-00 to sidr-bgpsec-pki-
profiles-01
Added an ASN.1 Module and corrected the id-kp OID in s3.1.3.1.
B.13. Changes from turner-bgpsec-pki-profiles-02 to sidr-bgpsec-pki-
profiles-00
Added this change log.
Amplified that a BGPSEC RP will need to support both the algorithms
in [ID.sidr-bgpsec-algs] for BGPSEC and the algorithms in [ID.sidr-
rpki-algs] for certificates and CRLs.
Changed the name of AS Resource extension to AS Resource Identifier
Delegation to match what's in RFC 3779.
B.14. Changes from turner-bgpsec-pki-profiles -01 to -02
Added text in Section 2 to indicate that there's no impact on the
procedures defined in [RFC6916].
Added a security consideration to let implementers know the BGPSEC
certificates will not pass RPKI validation [RFC6487] and that keying
off the EKU will help tremendously.
B.15. Changes from turner-bgpsec-pki-profiles -00 to -01
Corrected Section 2 to indicate that CA certificates are also RPKI
certificates.
Removed sections and text that was already in [RFC6487]. This will
make it easier for reviewers to figure out what is different.
Modified Section 6 to use 2119-language.
Removed requirement from Section 6 to check that the AS # in the
certificate is the last number in the AS path information of each BGP
UPDATE message. Moved to [ID.sidr-bgpsec-protocol].
Authors' Addresses Authors' Addresses
Mark Reynolds Mark Reynolds
Island Peak Software Island Peak Software
328 Virginia Road 328 Virginia Road
Concord, MA 01742 Concord, MA 01742
Email: mcr@islandpeaksoftware.com Email: mcr@islandpeaksoftware.com
Sean Turner Sean Turner
 End of changes. 12 change blocks. 
133 lines changed or deleted 53 lines changed or added

This html diff was produced by rfcdiff 1.44.