draft-ietf-sidr-pfx-validate-01.txt   draft-ietf-sidr-pfx-validate-02.txt 
Network Working Group P. Mohapatra, Ed. Network Working Group P. Mohapatra, Ed.
Internet-Draft Cisco Systems Internet-Draft Cisco Systems
Intended status: Standards Track J. Scudder, Ed. Intended status: Standards Track J. Scudder, Ed.
Expires: August 11, 2011 D. Ward, Ed. Expires: January 12, 2012 D. Ward, Ed.
Juniper Networks Juniper Networks
R. Bush, Ed. R. Bush, Ed.
Internet Initiative Japan, Inc. Internet Initiative Japan, Inc.
R. Austein, Ed. R. Austein, Ed.
Internet Systems Consortium Internet Systems Consortium
February 7, 2011 July 11, 2011
BGP Prefix Origin Validation BGP Prefix Origin Validation
draft-ietf-sidr-pfx-validate-01 draft-ietf-sidr-pfx-validate-02
Abstract Abstract
To help reduce well-known threats against BGP including prefix mis- To help reduce well-known threats against BGP including prefix mis-
announcing and monkey-in-the-middle attacks, one of the security announcing and monkey-in-the-middle attacks, one of the security
requirements is the ability to validate the origination AS of BGP requirements is the ability to validate the origination AS of BGP
routes. More specifically, one needs to validate that the AS number routes. More specifically, one needs to validate that the AS number
claiming to originate an address prefix (as derived from the AS_PATH claiming to originate an address prefix (as derived from the AS_PATH
attribute of the BGP route) is in fact authorized by the prefix attribute of the BGP route) is in fact authorized by the prefix
holder to do so. This document describes a simple validation holder to do so. This document describes a simple validation
skipping to change at page 1, line 43 skipping to change at page 1, line 43
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 11, 2011. This Internet-Draft will expire on January 12, 2012.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 4, line 52 skipping to change at page 4, line 52
relying parties either at AS or organization level obtain a local relying parties either at AS or organization level obtain a local
copy of the signed object collection, verify the signatures, and copy of the signed object collection, verify the signatures, and
process them. The cache must also be refreshed periodically. The process them. The cache must also be refreshed periodically. The
exact access mechanism used to retrieve the local cache is beyond the exact access mechanism used to retrieve the local cache is beyond the
scope of this document. scope of this document.
Individual BGP speakers can utilize the processed data contained in Individual BGP speakers can utilize the processed data contained in
the local cache to validate BGP announcements. The protocol details the local cache to validate BGP announcements. The protocol details
to retrieve the processed data from the local cache to the BGP to retrieve the processed data from the local cache to the BGP
speakers is beyond the scope of this document (refer to speakers is beyond the scope of this document (refer to
[I-D.ymbk-rpki-rtr-protocol] for such a mechanism). This document [I-D.ietf-sidr-rpki-rtr] for such a mechanism). This document
proposes a means by which a BGP speaker can make use of the processed proposes a means by which a BGP speaker can make use of the processed
data in order to assign a "validity state" to each prefix in a data in order to assign a "validity state" to each prefix in a
received BGP UPDATE message. received BGP UPDATE message.
Note that the complete path attestation against the AS_PATH attribute Note that the complete path attestation against the AS_PATH attribute
of a route is outside the scope of this document. of a route is outside the scope of this document.
Although RPKI provides the context for this draft, it is equally Although RPKI provides the context for this draft, it is equally
possible to use any other database which is able to map prefixes to possible to use any other database which is able to map prefixes to
their authorized origin ASes. Each distinct database will have its their authorized origin ASes. Each distinct database will have its
skipping to change at page 5, line 33 skipping to change at page 5, line 33
2. Prefix-to-AS Mapping Database 2. Prefix-to-AS Mapping Database
In loading the validated objects from the local cache to the BGP In loading the validated objects from the local cache to the BGP
speaker, the BGP speaker will store this data in the form of a speaker, the BGP speaker will store this data in the form of a
database that maintains the relationship between prefixes and the database that maintains the relationship between prefixes and the
corresponding set of authorized origin ASes. The primary key for corresponding set of authorized origin ASes. The primary key for
this database is a prefix set represented as (IP prefix)/[min. this database is a prefix set represented as (IP prefix)/[min.
length, max. length]. The value stored against each prefix set is length, max. length]. The value stored against each prefix set is
the set of AS numbers that is assigned or sub-allocated the the set of AS numbers that is assigned or sub-allocated the
corresponding IP address block. An AS can originate more than one corresponding IP address block. An AS can originate more than one
prefix set. Thus, multiple prefix sets in the database may contain prefix set. Thus, multiple prefix sets in the database can contain
the same origin AS(es). the same origin AS(es).
Whenever UPDATEs are received from peers, a BGP speaker is expected Whenever UPDATEs are received from peers, a BGP speaker is expected
to perform a lookup in this database for each of the prefixes in the to perform a lookup in this database for each of the prefixes in the
UPDATE message. To aid with better description, we define terms UPDATE message. To aid with better description, we define terms
"UPDATE prefix" and "UPDATE origin AS number" to denote the values "UPDATE prefix" and "UPDATE origin AS number" to denote the values
derived from the received UPDATE message, and "database prefix set" derived from the received UPDATE message, and "database prefix set"
and "database origin AS number set" to mean the values derived from and "database origin AS number set" to mean the values derived from
the database lookup. Note that in the presence of overlapping the database lookup. Note that in the presence of overlapping
prefixes, the database lookup against the "UPDATE prefix" may yield prefixes, the database lookup against the "UPDATE prefix" can yield
multiple matches. multiple matches.
The following are the different types of results expected from such a The following are the different types of results expected from such a
lookup operation: lookup operation:
o If the "UPDATE prefix" finds no matching or covering prefixes in o If the "UPDATE prefix" finds no matching or covering prefixes in
the database (i.e. the "UPDATE prefix" is not a sub-block of any the database (i.e. the "UPDATE prefix" is not a sub-block of any
of the database prefixes), the lookup result is returned as "not of the database prefixes), the lookup result is returned as "not
found". Due to incremental deployment model of the RPKI found". Due to incremental deployment model of the RPKI
repository, it is expected that a complete registry of all IP repository, it is expected that a complete registry of all IP
skipping to change at page 7, line 36 skipping to change at page 7, line 36
result = BGP_PFXV_STATE_INVALID; result = BGP_PFXV_STATE_INVALID;
} }
return (result); return (result);
3. Policy Control 3. Policy Control
An implementation MUST provide the ability to match and set the An implementation MUST provide the ability to match and set the
validation state of routes as part of its route policy filtering validation state of routes as part of its route policy filtering
function. Use of validation state in route policy is elaborated in function. Use of validation state in route policy is elaborated in
Section 5. Section 5. For more details on operational policy considerations,
see [I-D.ietf-sidr-origin-ops].
4. Interaction with Local Cache 4. Interaction with Local Cache
Each BGP speaker supporting prefix validation as described in this Each BGP speaker supporting prefix validation as described in this
document is expected to communicate with one or multiple local caches document is expected to communicate with one or multiple local caches
that store a database of RPKI signed objects. The protocol that store a database of RPKI signed objects. The protocol
mechanisms used to fetch the data and store them locally at the BGP mechanisms used to fetch the data and store them locally at the BGP
speaker is beyond the scope of this document (please refer speaker is beyond the scope of this document (please refer
[I-D.ymbk-rpki-rtr-protocol]). Irrespective of the protocol, the [I-D.ietf-sidr-rpki-rtr]). Irrespective of the protocol, the prefix
prefix validation algorithm as outlined in this document is expected validation algorithm as outlined in this document is expected to
to function correctly in the event of failures and other timing function correctly in the event of failures and other timing
conditions that may result in an empty and/or partial prefix-to-AS conditions that may result in an empty and/or partial prefix-to-AS
mapping database. Indeed, if the (in-PoP) cache is not available and mapping database. Indeed, if the (in-PoP) cache is not available and
the mapping database is empty on the BGP speaker, all the lookups the mapping database is empty on the BGP speaker, all the lookups
will result in "not found" state and the prefixes will be advertised will result in "not found" state and the prefixes will be advertised
to rest of the network (unless restricted by policy configuration). to rest of the network (unless restricted by policy configuration).
Similarly, if BGP UPDATEs arrive at the speaker while the fetch Similarly, if BGP UPDATEs arrive at the speaker while the fetch
operation from the cache is in progress, some prefix lookups will operation from the cache is in progress, some prefix lookups will
also result in "not found" state. The implementation is expected to also result in "not found" state. The implementation is expected to
handle these timing conditions and MUST re-validate affected prefixes handle these timing conditions and MUST re-validate affected prefixes
once the fetch operation is complete. The same applies during any once the fetch operation is complete. The same applies during any
skipping to change at page 10, line 14 skipping to change at page 10, line 14
provide any path validation. It only attempts to verify the origin. provide any path validation. It only attempts to verify the origin.
In general, this system should be thought of more as a protection In general, this system should be thought of more as a protection
against misconfiguration than as true "security" in the strong sense. against misconfiguration than as true "security" in the strong sense.
10. References 10. References
10.1. Normative References 10.1. Normative References
[I-D.ietf-sidr-arch] [I-D.ietf-sidr-arch]
Lepinski, M. and S. Kent, "An Infrastructure to Support Lepinski, M. and S. Kent, "An Infrastructure to Support
Secure Internet Routing", draft-ietf-sidr-arch-09 (work in Secure Internet Routing", draft-ietf-sidr-arch-13 (work in
progress), October 2009. progress), May 2011.
[I-D.ietf-sidr-roa-format] [I-D.ietf-sidr-roa-format]
Lepinski, M., Kent, S., and D. Kong, "A Profile for Route Lepinski, M., Kent, S., and D. Kong, "A Profile for Route
Origin Authorizations (ROAs)", Origin Authorizations (ROAs)",
draft-ietf-sidr-roa-format-06 (work in progress), draft-ietf-sidr-roa-format-12 (work in progress),
October 2009. May 2011.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
Addresses and AS Identifiers", RFC 3779, June 2004. Addresses and AS Identifiers", RFC 3779, June 2004.
[RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway [RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway
Protocol 4 (BGP-4)", RFC 4271, January 2006. Protocol 4 (BGP-4)", RFC 4271, January 2006.
10.2. Informational References 10.2. Informational References
[I-D.ymbk-rpki-rtr-protocol] [I-D.ietf-sidr-origin-ops]
Bush, R., "RPKI-Based Origin Validation Operation",
draft-ietf-sidr-origin-ops-10 (work in progress),
July 2011.
[I-D.ietf-sidr-rpki-rtr]
Bush, R. and R. Austein, "The RPKI/Router Protocol", Bush, R. and R. Austein, "The RPKI/Router Protocol",
draft-ymbk-rpki-rtr-protocol-05 (work in progress), draft-ietf-sidr-rpki-rtr-14 (work in progress), July 2011.
February 2010.
Authors' Addresses Authors' Addresses
Pradosh Mohapatra (editor) Pradosh Mohapatra (editor)
Cisco Systems Cisco Systems
170 W. Tasman Drive 170 W. Tasman Drive
San Jose, CA 95134 San Jose, CA 95134
USA USA
Email: pmohapat@cisco.com Email: pmohapat@cisco.com
 End of changes. 13 change blocks. 
18 lines changed or deleted 23 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/