draft-ietf-sidr-bgpsec-pki-profiles-17.txt   draft-ietf-sidr-bgpsec-pki-profiles-18.txt 
Secure Inter-Domain Routing Working Group M. Reynolds Secure Inter-Domain Routing Working Group M. Reynolds
Internet-Draft IPSw Internet-Draft IPSw
Updates: 6487 (if approved) S. Turner Updates: 6487 (if approved) S. Turner
Intended status: Standard Track IECA Intended status: Standard Track sn3rd
Expires: December 3, 2016 S. Kent Expires: January 22, 2017 S. Kent
BBN BBN
June 1, 2016 July 21, 2016
A Profile for BGPsec Router Certificates, A Profile for BGPsec Router Certificates,
Certificate Revocation Lists, and Certification Requests Certificate Revocation Lists, and Certification Requests
draft-ietf-sidr-bgpsec-pki-profiles-17 draft-ietf-sidr-bgpsec-pki-profiles-18
Abstract Abstract
This document defines a standard profile for X.509 certificates used This document defines a standard profile for X.509 certificates used
to enable validation of Autonomous System (AS) paths in the Border to enable validation of Autonomous System (AS) paths in the Border
Gateway Protocol (BGP), as part of an extension to that protocol Gateway Protocol (BGP), as part of an extension to that protocol
known as BGPsec. BGP is the standard for inter-domain routing in the known as BGPsec. BGP is the standard for inter-domain routing in the
Internet; it is the "glue" that holds the Internet together. BGPsec Internet; it is the "glue" that holds the Internet together. BGPsec
is being developed as one component of a solution that addresses the is being developed as one component of a solution that addresses the
requirement to provide security for BGP. The goal of BGPsec is to requirement to provide security for BGP. The goal of BGPsec is to
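Review bot: "Intended status: Standard Track" in the header is carried over unchanged into -18; the IETF status name is "Standards Track", so correct it while the header is being edited for the affiliation and date changes.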
skipping to change at page 2, line 38 skipping to change at page 2, line 38
3. Updates to [RFC6487] . . . . . . . . . . . . . . . . . . . . . 5 3. Updates to [RFC6487] . . . . . . . . . . . . . . . . . . . . . 5
3.1 BGPsec Router Certificate Fields . . . . . . . . . . . . . 5 3.1 BGPsec Router Certificate Fields . . . . . . . . . . . . . 5
3.1.1.1. Subject . . . . . . . . . . . . . . . . . . . . . 5 3.1.1.1. Subject . . . . . . . . . . . . . . . . . . . . . 5
3.1.2. Subject Public Key Info . . . . . . . . . . . . . . . 5 3.1.2. Subject Public Key Info . . . . . . . . . . . . . . . 5
3.1.3. BGPsec Router Certificate Version 3 Extension Fields . 6 3.1.3. BGPsec Router Certificate Version 3 Extension Fields . 6
3.1.3.1. Basic Constraints . . . . . . . . . . . . . . . . 6 3.1.3.1. Basic Constraints . . . . . . . . . . . . . . . . 6
3.1.3.2. Extended Key Usage . . . . . . . . . . . . . . . . 6 3.1.3.2. Extended Key Usage . . . . . . . . . . . . . . . . 6
3.1.3.3. Subject Information Access . . . . . . . . . . . . 6 3.1.3.3. Subject Information Access . . . . . . . . . . . . 6
3.1.3.4. IP Resources . . . . . . . . . . . . . . . . . . . 6 3.1.3.4. IP Resources . . . . . . . . . . . . . . . . . . . 6
3.1.3.5. AS Resources . . . . . . . . . . . . . . . . . . . 6 3.1.3.5. AS Resources . . . . . . . . . . . . . . . . . . . 6
3.2. BGPsec Router Certificate Request Profile . . . . . . . . 7 3.2. BGPsec Router Certificate Request Profile . . . . . . . . 6
3.3. BGPsec Router Certificate Validation . . . . . . . . . . . 7 3.3. BGPsec Router Certificate Validation . . . . . . . . . . . 7
3.4. Router Certificates and Signing Functions in the RPKI . . 8 3.4. Router Certificates and Signing Functions in the RPKI . . 8
4. Design Notes . . . . . . . . . . . . . . . . . . . . . . . . . 8 4. Design Notes . . . . . . . . . . . . . . . . . . . . . . . . . 8
5. Security Considerations . . . . . . . . . . . . . . . . . . . 9 5. Implementation Considerations . . . . . . . . . . . . . . . . . 9
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
8.1. Normative References . . . . . . . . . . . . . . . . . . . 10 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
8.2. Informative References . . . . . . . . . . . . . . . . . . 11 9.1. Normative References . . . . . . . . . . . . . . . . . . . 10
9.2. Informative References . . . . . . . . . . . . . . . . . . 11
Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 12 Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction 1. Introduction
This document defines a profile for X.509 end-entity (EE) This document defines a profile for X.509 end-entity (EE)
certificates [RFC5280] for use in the context of certification of certificates [RFC5280] for use in the context of certification of
Autonomous System (AS) paths in the Border Gateway Protocol Security Autonomous System (AS) paths in the Border Gateway Protocol Security
protocol (BGPsec). Such certificates are termed "BGPsec Router protocol (BGPsec). Such certificates are termed "BGPsec Router
Certificates". The holder of the private key associated with a Certificates". The holder of the private key associated with a
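Review bot: the table of contents goes from "3.1 BGPsec Router Certificate Fields" straight to "3.1.1.1. Subject" with no 3.1.1 entry, and "3.1" is the only entry without a trailing period; the renumbering of Sections 5 to 9 leaves both untouched. Add the missing 3.1.1 line or renumber the Subject entry, and make the punctuation consistent.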
skipping to change at page 7, line 35 skipping to change at page 7, line 32
o The SubjectPublicKeyInfo and PublicKey fields are specified in o The SubjectPublicKeyInfo and PublicKey fields are specified in
[ID.sidr-bgpsec-algs]. [ID.sidr-bgpsec-algs].
o The request is signed with the algorithms specified in [ID.sidr- o The request is signed with the algorithms specified in [ID.sidr-
bgpsec-algs]. bgpsec-algs].
3.3. BGPsec Router Certificate Validation 3.3. BGPsec Router Certificate Validation
The validation procedure used for BGPsec Router Certificates is The validation procedure used for BGPsec Router Certificates is
identical to the validation procedure described in Section 7 of identical to the validation procedure described in Section 7 of
[RFC6487], but using the constraints applied come from this [RFC6487] (and any RFC that updates this procedure), but using the
specification. For example, in step 3: "the certificate contains all constraints applied come from this specification. For example, in
the field that must be present" - refers to the fields that are step 3: "the certificate contains all the field that must be present"
required by this specification. - refers to the fields that are required by this specification.
The differences are as follows: The differences are as follows:
o BGPsec Router Certificates MUST include the BGPsec Router EKU o BGPsec Router Certificates MUST include the BGPsec Router EKU
defined in Section 3.1.3.2. defined in Section 3.1.3.2.
o BGPsec Router Certificates MUST NOT include the SIA extension. o BGPsec Router Certificates MUST NOT include the SIA extension.
o BGPsec Router Certificates MUST NOT include the IP Resource o BGPsec Router Certificates MUST NOT include the IP Resource
extension. extension.
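Review bot: the added parenthetical "(and any RFC that updates this procedure)" in the first paragraph of 3.3 makes the validation procedure open-ended, and the text does not say whether the differences listed below it still apply unchanged once Section 7 of [RFC6487] is updated. State that the constraints of this specification continue to take precedence over an updated procedure, or name the updating document. The same sentence still reads "but using the constraints applied come from this specification"; reword it to "but the constraints applied come from this specification", and check the quotation "all the field that must be present" against [RFC6487].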
skipping to change at page 9, line 17 skipping to change at page 9, line 15
with the value; and, with the value; and,
o BGPsec Router Certificates never include the Subject Information o BGPsec Router Certificates never include the Subject Information
Access extension; therefore, request with this extension result in Access extension; therefore, request with this extension result in
certificates without the extension. certificates without the extension.
Note that this behavior is similar to the CA including the AS Note that this behavior is similar to the CA including the AS
Resource Identifier Delegation extension in issued BGPsec Router Resource Identifier Delegation extension in issued BGPsec Router
Certificates despite the fact it is not present in the request. Certificates despite the fact it is not present in the request.
5. Security Considerations 5. Implementation Considerations
This document permits the operator to include a list of ASNs in a
BGPsec Router Certificate. In that case, the router certificate would
become invalid if any one of the ASNs is removed from any superior CA
certificate along the path to a trust anchor. Operators could choose
to avoid this possibility by issuing a separate BGPsec Router
Certificate for each distinct ASN, so that the router certificates
for ASNs that are retained in the superior CA certificate would
remain valid.
6. Security Considerations
The Security Considerations of [RFC6487] apply. The Security Considerations of [RFC6487] apply.
A BGPsec Router Certificate will fail RPKI validation, as defined in A BGPsec Router Certificate will fail RPKI validation, as defined in
[RFC6487], because the algorithm suite is different. Consequently, a [RFC6487], because the algorithm suite is different. Consequently, a
RP needs to identify the EKU to determine the appropriate Validation RP needs to identify the EKU to determine the appropriate Validation
constraint. constraint.
A BGPsec Router Certificate is an extension of the RPKI [RFC6480] to A BGPsec Router Certificate is an extension of the RPKI [RFC6480] to
encompass routers. It is a building block BGPsec and is used to encompass routers. It is a building block BGPsec and is used to
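Review bot: the new Section 5 says a multi-ASN router certificate "would become invalid if any one of the ASNs is removed from any superior CA certificate", which means loss of validity for the ASNs that remain, yet Section 6 does not mention it. Add a sentence or a pointer in Security Considerations, and say in Section 5 what per-ASN issuance costs the operator (more certificates to issue and manage) so the trade-off is visible. In the unchanged context, "a RP" should be "an RP" and "It is a building block BGPsec" is missing a word.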
skipping to change at page 9, line 41 skipping to change at page 9, line 50
a public key, consistent with the RPKI allocation/assignment a public key, consistent with the RPKI allocation/assignment
hierarchy. hierarchy.
Hash functions [ID.sidr-bgpsec-algs] are used when generating the two Hash functions [ID.sidr-bgpsec-algs] are used when generating the two
key identifiers extension included in BGPsec certificates. However key identifiers extension included in BGPsec certificates. However
as noted in [RFC6818], collision resistance is not a required as noted in [RFC6818], collision resistance is not a required
property of one-way hash functions when used to generate key property of one-way hash functions when used to generate key
identifiers. Regardless, hash collisions are possible and if identifiers. Regardless, hash collisions are possible and if
detected an operator should be alerted. detected an operator should be alerted.
6. IANA Considerations 7. IANA Considerations
This document makes use of two object identifiers in the SMI Registry This document makes use of two object identifiers in the SMI Registry
for PKIX. One is for the ASN.1 module in Appendix A and it comes for PKIX. One is for the ASN.1 module in Appendix A and it comes
from the SMI Security for PKIX Module Identifier IANA registry (id- from the SMI Security for PKIX Module Identifier IANA registry (id-
mod-bgpsec-eku). The other is for the BGPsec router EKU defined in mod-bgpsec-eku). The other is for the BGPsec router EKU defined in
Section 3.1.3.2 and Appendix A and it comes from the SMI Security for Section 3.1.3.2 and Appendix A and it comes from the SMI Security for
PKIX Extended Key Purpose IANA registry. These OIDs were assigned PKIX Extended Key Purpose IANA registry. These OIDs were assigned
before management of the PKIX Arc was handed to IANA. No IANA before management of the PKIX Arc was handed to IANA. No IANA
allocations are request of IANA, but please update the references in allocations are request of IANA, but please update the references in
those registries when this document is published by the RFC editor. those registries when this document is published by the RFC editor.
7. Acknowledgements 8. Acknowledgements
We would like to thank Geoff Huston, George Michaelson, and Robert We would like to thank Geoff Huston, George Michaelson, and Robert
Loomans for their work on [RFC6487], which this work is based on. In Loomans for their work on [RFC6487], which this work is based on. In
addition, the efforts of Steve Kent and Matt Lepinski were addition, the efforts of Steve Kent and Matt Lepinski were
instrumental in preparing this work. Additionally, we'd like to instrumental in preparing this work. Additionally, we'd like to
thank Rob Austein, Roque Gagliano, Richard Hansen, Geoff Huston, thank Rob Austein, Roque Gagliano, Richard Hansen, Geoff Huston,
David Mandelberg, Sandra Murphy, and Sam Weiller for their reviews David Mandelberg, Sandra Murphy, and Sam Weiller for their reviews
and comments. and comments.
8. References 9. References
8.1. Normative References 9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI Requirement Levels", BCP 14, RFC 2119, DOI
10.17487/RFC2119, March 1997, <http://www.rfc- 10.17487/RFC2119, March 1997, <http://www.rfc-
editor.org/info/rfc2119>. editor.org/info/rfc2119>.
[RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
Addresses and AS Identifiers", RFC 3779, DOI Addresses and AS Identifiers", RFC 3779, DOI
10.17487/RFC3779, June 2004, <http://www.rfc- 10.17487/RFC3779, June 2004, <http://www.rfc-
editor.org/info/rfc3779>. editor.org/info/rfc3779>.
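Review bot: in the key identifier paragraph, "hash collisions are possible and if detected an operator should be alerted" does not say which party is expected to detect a collision or what the alert should lead to, and the lowercase "should" leaves its normative weight unclear. Name the detecting party and the expected handling. Also, "the two key identifiers extension" should be "extensions", and in Section 7 "No IANA allocations are request of IANA" should read "requested".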
skipping to change at page 11, line 10 skipping to change at page 11, line 20
[ID.sidr-rfc6485bis] G. Huston and G. Michaelson, "The Profile for [ID.sidr-rfc6485bis] G. Huston and G. Michaelson, "The Profile for
Algorithms and Key Sizes for use in the Resource Public Key Algorithms and Key Sizes for use in the Resource Public Key
Infrastructure", draft-ietf-sidr-rfc6485bis, work-in- Infrastructure", draft-ietf-sidr-rfc6485bis, work-in-
progress. progress.
[ID.sidr-bgpsec-algs] S. Turner, "BGP Algorithms, Key Formats, & [ID.sidr-bgpsec-algs] S. Turner, "BGP Algorithms, Key Formats, &
Signature Formats", draft-ietf-sidr-bgpsec-algs, work-in- Signature Formats", draft-ietf-sidr-bgpsec-algs, work-in-
progress. progress.
8.2. Informative References 9.2. Informative References
[RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis", [RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis",
RFC 4272, DOI 10.17487/RFC4272, January 2006, RFC 4272, DOI 10.17487/RFC4272, January 2006,
<http://www.rfc-editor.org/info/rfc4272>. <http://www.rfc-editor.org/info/rfc4272>.
[RFC5123] White, R. and B. Akyol, "Considerations in Validating the [RFC5123] White, R. and B. Akyol, "Considerations in Validating the
Path in BGP", RFC 5123, DOI 10.17487/RFC5123, February Path in BGP", RFC 5123, DOI 10.17487/RFC5123, February
2008, <http://www.rfc-editor.org/info/rfc5123>. 2008, <http://www.rfc-editor.org/info/rfc5123>.
[RFC5492] Scudder, J. and R. Chandra, "Capabilities Advertisement [RFC5492] Scudder, J. and R. Chandra, "Capabilities Advertisement
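Review bot: the [ID.sidr-bgpsec-algs] entry gives the title as "BGP Algorithms, Key Formats, & Signature Formats" while the draft name is draft-ietf-sidr-bgpsec-algs; check the title against the draft. Both normative Internet-Draft entries ([ID.sidr-rfc6485bis] and [ID.sidr-bgpsec-algs]) also carry no version number, so a reader cannot tell which revision of the algorithm profile this document depends on.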
skipping to change at page 12, line 40 skipping to change at page 12, line 49
Authors' Addresses Authors' Addresses
Mark Reynolds Mark Reynolds
Island Peak Software Island Peak Software
328 Virginia Road 328 Virginia Road
Concord, MA 01742 Concord, MA 01742
Email: mcr@islandpeaksoftware.com Email: mcr@islandpeaksoftware.com
Sean Turner Sean Turner
IECA, Inc. sn3rd
3057 Nutley Street, Suite 106
Fairfax, VA 22031
USA
EMail: turners@ieca.com
EMail: sean@sn3rd.com
Stephen Kent Stephen Kent
Raytheon BBN Technologies Raytheon BBN Technologies
10 Moulton St. 10 Moulton St.
Cambridge, MA 02138 Cambridge, MA 02138
Email: kent@bbn.com Email: kent@bbn.com
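Review bot: the new entry for Sean Turner uses "EMail:" while the other two authors use "Email:"; make the label consistent. The -18 side also drops the postal address, leaving this the only author entry without one.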
 End of changes. 14 change blocks. 
28 lines changed or deleted 35 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/