draft-ietf-sidr-bgpsec-pki-profiles-16.txt   draft-ietf-sidr-bgpsec-pki-profiles-17.txt 
Secure Inter-Domain Routing Working Group M. Reynolds Secure Inter-Domain Routing Working Group M. Reynolds
Internet-Draft IPSw Internet-Draft IPSw
Updates: 6487 (if approved) S. Turner Updates: 6487 (if approved) S. Turner
Intended status: Standard Track IECA Intended status: Standard Track IECA
Expires: September 22, 2016 S. Kent Expires: December 3, 2016 S. Kent
BBN BBN
March 21, 2016 June 1, 2016
A Profile for BGPsec Router Certificates, A Profile for BGPsec Router Certificates,
Certificate Revocation Lists, and Certification Requests Certificate Revocation Lists, and Certification Requests
draft-ietf-sidr-bgpsec-pki-profiles-16 draft-ietf-sidr-bgpsec-pki-profiles-17
Abstract Abstract
This document defines a standard profile for X.509 certificates used This document defines a standard profile for X.509 certificates used
to enable validation of Autonomous System (AS) paths in the Border to enable validation of Autonomous System (AS) paths in the Border
Gateway Protocol (BGP), as part of an extension to that protocol Gateway Protocol (BGP), as part of an extension to that protocol
known as BGPsec. BGP is the standard for inter-domain routing in the known as BGPsec. BGP is the standard for inter-domain routing in the
Internet; it is the "glue" that holds the Internet together. BGPsec Internet; it is the "glue" that holds the Internet together. BGPsec
is being developed as one component of a solution that addresses the is being developed as one component of a solution that addresses the
requirement to provide security for BGP. The goal of BGPsec is to requirement to provide security for BGP. The goal of BGPsec is to
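Review bot: The header still reads "Intended status: Standard Track" in -17; the IETF category name is "Standards Track". Since the header dates and draft name are already being revised here, correct the status line in the same pass.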
skipping to change at page 2, line 40 skipping to change at page 2, line 40
3.1.1.1. Subject . . . . . . . . . . . . . . . . . . . . . 5 3.1.1.1. Subject . . . . . . . . . . . . . . . . . . . . . 5
3.1.2. Subject Public Key Info . . . . . . . . . . . . . . . 5 3.1.2. Subject Public Key Info . . . . . . . . . . . . . . . 5
3.1.3. BGPsec Router Certificate Version 3 Extension Fields . 6 3.1.3. BGPsec Router Certificate Version 3 Extension Fields . 6
3.1.3.1. Basic Constraints . . . . . . . . . . . . . . . . 6 3.1.3.1. Basic Constraints . . . . . . . . . . . . . . . . 6
3.1.3.2. Extended Key Usage . . . . . . . . . . . . . . . . 6 3.1.3.2. Extended Key Usage . . . . . . . . . . . . . . . . 6
3.1.3.3. Subject Information Access . . . . . . . . . . . . 6 3.1.3.3. Subject Information Access . . . . . . . . . . . . 6
3.1.3.4. IP Resources . . . . . . . . . . . . . . . . . . . 6 3.1.3.4. IP Resources . . . . . . . . . . . . . . . . . . . 6
3.1.3.5. AS Resources . . . . . . . . . . . . . . . . . . . 6 3.1.3.5. AS Resources . . . . . . . . . . . . . . . . . . . 6
3.2. BGPsec Router Certificate Request Profile . . . . . . . . 7 3.2. BGPsec Router Certificate Request Profile . . . . . . . . 7
3.3. BGPsec Router Certificate Validation . . . . . . . . . . . 7 3.3. BGPsec Router Certificate Validation . . . . . . . . . . . 7
3.4. Router Certificates and Signing Functions in the RPKI . . 8
4. Design Notes . . . . . . . . . . . . . . . . . . . . . . . . . 8 4. Design Notes . . . . . . . . . . . . . . . . . . . . . . . . . 8
5. Security Considerations . . . . . . . . . . . . . . . . . . . 8 5. Security Considerations . . . . . . . . . . . . . . . . . . . 9
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
8.1. Normative References . . . . . . . . . . . . . . . . . . . 9 8.1. Normative References . . . . . . . . . . . . . . . . . . . 10
8.2. Informative References . . . . . . . . . . . . . . . . . . 10 8.2. Informative References . . . . . . . . . . . . . . . . . . 11
Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 11 Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction 1. Introduction
This document defines a profile for X.509 end-entity (EE) This document defines a profile for X.509 end-entity (EE)
certificates [RFC5280] for use in the context of certification of certificates [RFC5280] for use in the context of certification of
Autonomous System (AS) paths in the Border Gateway Protocol Security Autonomous System (AS) paths in the Border Gateway Protocol Security
protocol (BGPsec). Such certificates are termed "BGPsec Router protocol (BGPsec). Such certificates are termed "BGPsec Router
Certificates". The holder of the private key associated with a Certificates". The holder of the private key associated with a
BGPsec Router Certificate is authorized to send secure route BGPsec Router Certificate is authorized to send secure route
advertisements (BGPsec UPDATEs) on behalf of the AS(es) named in the advertisements (BGPsec UPDATEs) on behalf of the AS(es) named in the
skipping to change at page 8, line 17 skipping to change at page 8, line 17
rfc6485bis]. rfc6485bis].
NOTE: The cryptographic algorithms used by BGPsec routers are found NOTE: The cryptographic algorithms used by BGPsec routers are found
in [ID.sidr-bgpsec-algs]. Currently, the algorithms specified in in [ID.sidr-bgpsec-algs]. Currently, the algorithms specified in
[ID.sidr-bgpsec-algs] and [ID.sidr-rfc6485bis] are different. BGPsec [ID.sidr-bgpsec-algs] and [ID.sidr-rfc6485bis] are different. BGPsec
RPs will need to support algorithms that are used to validate BGPsec RPs will need to support algorithms that are used to validate BGPsec
signatures as well as the algorithms that are needed to validate signatures as well as the algorithms that are needed to validate
signatures on BGPsec certificates, RPKI CA certificates, and RPKI signatures on BGPsec certificates, RPKI CA certificates, and RPKI
CRLs. CRLs.
3.4. Router Certificates and Signing Functions in the RPKI
As described in Section 1, the primary function of BGPsec route
certificates in the RPKI is for use in the context of certification
of Autonomous System (AS) paths in the Border Gateway Protocol
Security protocol (BGPsec).
The private key associated with a router EE certificate may be used
multiple times in generating signatures in multiple instances of the
BGPsec_Path Attribute Signature Segments [ID.sidr-bgpsec-protocol].
I.e., the BGPsec router certificate is used to validate multiple
signatures.
BGPsec router certificates are stored in the issuing CA's repository,
where a repository following RFC6481 MUST use a .cer filename
extension for the certificate file.
4. Design Notes 4. Design Notes
The BGPsec Router Certificate profile is based on the Resource The BGPsec Router Certificate profile is based on the Resource
Certificate profile as specified in [ID.sidr-rfc6485bis]. As a Certificate profile as specified in [ID.sidr-rfc6485bis]. As a
result, many of the design choices herein are a reflection of the result, many of the design choices herein are a reflection of the
design choices that were taken in that prior work. The reader is design choices that were taken in that prior work. The reader is
referred to [RFC6484] for a fuller discussion of those choices. referred to [RFC6484] for a fuller discussion of those choices.
CAs are required by the Certificate Policy (CP) [RFC6484] to issue CAs are required by the Certificate Policy (CP) [RFC6484] to issue
properly formed BGPsec Router Certificates regardless of what is properly formed BGPsec Router Certificates regardless of what is
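Review bot: The new Section 3.4 places a MUST on repositories "following RFC6481" but cites it as bare text rather than as [RFC6481], and none of the reference entries shown in this diff is an RFC 6481 entry. Because the sentence is normative, add the entry to Section 8.1 and use the bracketed citation form. In the first paragraph of the same section, "BGPsec route certificates" should read "BGPsec router certificates" to match the term introduced in Section 1. The section also mixes "router EE certificate" and "BGPsec router certificate" with the capitalized "BGPsec Router Certificate" used elsewhere; settle on one form.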
skipping to change at page 9, line 52 skipping to change at page 10, line 20
instrumental in preparing this work. Additionally, we'd like to instrumental in preparing this work. Additionally, we'd like to
thank Rob Austein, Roque Gagliano, Richard Hansen, Geoff Huston, thank Rob Austein, Roque Gagliano, Richard Hansen, Geoff Huston,
David Mandelberg, Sandra Murphy, and Sam Weiller for their reviews David Mandelberg, Sandra Murphy, and Sam Weiller for their reviews
and comments. and comments.
8. References 8. References
8.1. Normative References 8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, DOI
10.17487/RFC2119, March 1997, <http://www.rfc-
editor.org/info/rfc2119>.
[RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
Addresses and AS Identifiers", RFC 3779, June 2004. Addresses and AS Identifiers", RFC 3779, DOI
10.17487/RFC3779, June 2004, <http://www.rfc-
editor.org/info/rfc3779>.
[RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A Border [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A Border
Gateway Protocol 4 (BGP-4)", RFC 4271, January 2006. Gateway Protocol 4 (BGP-4)", RFC 4271, DOI
10.17487/RFC4271, January 2006, <http://www.rfc-
editor.org/info/rfc4271>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008. (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<http://www.rfc-editor.org/info/rfc5280>.
[RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for [RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for
X.509 PKIX Resource Certificates", RFC 6487, February 2012. X.509 PKIX Resource Certificates", RFC 6487, DOI
10.17487/RFC6487, February 2012, <http://www.rfc-
editor.org/info/rfc6487>.
[RFC6818] Yee, P., "Updates to the Internet X.509 Public Key [RFC6818] Yee, P., "Updates to the Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 6818, January 2013. (CRL) Profile", RFC 6818, DOI 10.17487/RFC6818, January
2013, <http://www.rfc-editor.org/info/rfc6818>.
[ID.sidr-rfc6485bis] G. Huston and G. Michaelson, "The Profile for [ID.sidr-rfc6485bis] G. Huston and G. Michaelson, "The Profile for
Algorithms and Key Sizes for use in the Resource Public Key Algorithms and Key Sizes for use in the Resource Public Key
Infrastructure", draft-ietf-sidr-rfc6485bis, work-in- Infrastructure", draft-ietf-sidr-rfc6485bis, work-in-
progress. progress.
[ID.sidr-bgpsec-algs] S. Turner, "BGP Algorithms, Key Formats, & [ID.sidr-bgpsec-algs] S. Turner, "BGP Algorithms, Key Formats, &
Signature Formats", draft-ietf-sidr-bgpsec-algs, work-in- Signature Formats", draft-ietf-sidr-bgpsec-algs, work-in-
progress. progress.
8.2. Informative References 8.2. Informative References
[RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis", [RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis",
RFC 4272, January 2006. RFC 4272, DOI 10.17487/RFC4272, January 2006,
<http://www.rfc-editor.org/info/rfc4272>.
[RFC5123] White, R. and B. Akyol, "Considerations in Validating the [RFC5123] White, R. and B. Akyol, "Considerations in Validating the
Path in BGP", RFC 5123, February 2008. Path in BGP", RFC 5123, DOI 10.17487/RFC5123, February
2008, <http://www.rfc-editor.org/info/rfc5123>.
[RFC5492] Scudder, J. and R. Chandra, "Capabilities Advertisement [RFC5492] Scudder, J. and R. Chandra, "Capabilities Advertisement
with BGP-4", RFC 5492, February 2009. with BGP-4", RFC 5492, DOI 10.17487/RFC5492, February 2009,
<http://www.rfc-editor.org/info/rfc5492>.
[RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support [RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support
Secure Internet Routing", RFC 6480, February 2012. Secure Internet Routing", RFC 6480, DOI 10.17487/RFC6480,
February 2012, <http://www.rfc-editor.org/info/rfc6480>.
[RFC6482] Lepinski, M., Kent, S., and D. Kong, "A Profile for Route [RFC6482] Lepinski, M., Kent, S., and D. Kong, "A Profile for Route
Origin Authorizations (ROAs)", RFC 6482, February 2012. Origin Authorizations (ROAs)", RFC 6482, DOI
10.17487/RFC6482, February 2012, <http://www.rfc-
editor.org/info/rfc6482>.
[RFC6484] Kent, S., Kong, D., Seo, K., and R. Watro, "Certificate [RFC6484] Kent, S., Kong, D., Seo, K., and R. Watro, "Certificate
Policy (CP) for the Resource Public Key Infrastructure Policy (CP) for the Resource Public Key Infrastructure
(RPKI)", BCP 173, RFC 6484, February 2012. (RPKI)", BCP 173, RFC 6484, DOI 10.17487/RFC6484, February
2012, <http://www.rfc-editor.org/info/rfc6484>.
[RFC6486] Austein, R., Huston, G., Kent, S., and M. Lepinski, [RFC6486] Austein, R., Huston, G., Kent, S., and M. Lepinski,
"Manifests for the Resource Public Key Infrastructure "Manifests for the Resource Public Key Infrastructure
(RPKI)", RFC 6486, February 2012. (RPKI)", RFC 6486, DOI 10.17487/RFC6486, February 2012,
<http://www.rfc-editor.org/info/rfc6486>.
[RFC6916] Gagliano, R., Kent, S., and S. Turner, "Algorithm Agility [RFC6916] Gagliano, R., Kent, S., and S. Turner, "Algorithm Agility
Procedure for the Resource Public Key Infrastructure Procedure for the Resource Public Key Infrastructure
(RPKI)", BCP 182, RFC 6916, April 2013. (RPKI)", BCP 182, RFC 6916, DOI 10.17487/RFC6916, April
2013, <http://www.rfc-editor.org/info/rfc6916>.
[ID.sidr-bgpsec-protocol] Lepinksi, M., "BGPsec Protocol [ID.sidr-bgpsec-protocol] Lepinksi, M., "BGPsec Protocol
Specification", draft-ietf-sidr-bgpsec-protocol, work-in- Specification", draft-ietf-sidr-bgpsec-protocol, work-in-
progress. progress.
Appendix A. ASN.1 Module Appendix A. ASN.1 Module
BGPSECEKU { iso(1) identified-organization(3) dod(6) internet(1) BGPSECEKU { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-bgpsec-eku(84) } security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-bgpsec-eku(84) }
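Review bot: In the [ID.sidr-bgpsec-protocol] entry the author name is still spelled "Lepinksi", while the [RFC6480], [RFC6482] and [RFC6486] entries spell it "Lepinski". This revision rewrites most of the reference entries to add DOIs and URLs, so fix the spelling in the same change.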
 End of changes. 21 change blocks. 
24 lines changed or deleted 61 lines changed or added
