draft-ietf-sidr-pfx-validate-05.txt   draft-ietf-sidr-pfx-validate-06.txt 
Network Working Group                                      P. Mohapatra
Internet-Draft                                             Cisco Systems
Intended status: Standards Track                              J. Scudder
Expires: October 19, 2012 (-05) / November 23, 2012 (-06)
                                                        Juniper Networks
                                                                 D. Ward
                                                           Cisco Systems
                                                                 R. Bush
                                          Internet Initiative Japan, Inc.
                                                              R. Austein
                                                     Dragon Research Labs
                            April 17, 2012 (-05) / May 22, 2012 (-06)

                      BGP Prefix Origin Validation
       draft-ietf-sidr-pfx-validate-05 / draft-ietf-sidr-pfx-validate-06
Abstract

   To help reduce well-known threats against BGP including prefix
   mis-announcing and monkey-in-the-middle attacks, one of the security
   requirements is the ability to validate the origination AS of BGP
   routes.  More specifically, one needs to validate that the AS number
   claiming to originate an address prefix (as derived from the AS_PATH
   attribute of the BGP route) is in fact authorized by the prefix
   holder to do so.  This document describes a simple validation
   [skipping to change at page 1, line 44]
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."
   This Internet-Draft will expire on October 19, 2012 (-05) /
   November 23, 2012 (-06).
Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   [skipping to change at page 3, line 11]
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.
Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . .   4
     1.1.  Requirements Language  . . . . . . . . . . . . . . . .   5
   2.  Prefix-to-AS Mapping Database  . . . . . . . . . . . . . .   5
     2.1.  Pseudo-Code  . . . . . . . . . . . . . . . . . . . . .   7
   3.  Policy Control . . . . . . . . . . . . . . . . . . . . . .   7 (-05) / 8 (-06)
   4.  Interaction with Local Cache . . . . . . . . . . . . . . .   8
   5.  Deployment Considerations  . . . . . . . . . . . . . . . .   8
   6.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . .   8 (-05) / 9 (-06)
   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . .   9
   8.  Security Considerations  . . . . . . . . . . . . . . . . .   9
   9.  References . . . . . . . . . . . . . . . . . . . . . . . .   9 (-05) / 10 (-06)
     9.1.  Normative References . . . . . . . . . . . . . . . . .   9 (-05) / 10 (-06)
     9.2.  Informational References . . . . . . . . . . . . . . .  10
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . .  10
1.  Introduction

   A BGP route associates an address prefix with a set of autonomous
   systems (AS) that identify the interdomain path the prefix has
   traversed in the form of BGP announcements.  This set is represented
   as the AS_PATH attribute in BGP [RFC4271] and starts with the AS that
   originated the prefix.  To help reduce well-known threats against BGP
   [skipping to change at page 5, line 47]
      [RFC4271], Section 1.1.  The Route includes one Prefix and an
      AS_PATH; it may include other attributes to characterize the
      prefix.

   o  VRP Prefix: The Prefix from a VRP.

   o  VRP ASN: The origin AS number from a VRP.

   o  Route Prefix: The Prefix derived from a route.
   o  Route Origin ASN (-05 text): The origin AS number derived from a
      Route.  The origin AS number is the rightmost AS in the final
      segment of the AS_PATH attribute in the Route if that segment is
      of type AS_SEQUENCE, or the distinguished value "NONE" if the
      final segment of the AS_PATH attribute is of any type other than
      AS_SEQUENCE.

   o  Route Origin ASN (-06 text): The origin AS number derived from a
      Route as follows:

      *  the rightmost AS in the final segment of the AS_PATH attribute
         in the Route if that segment is of type AS_SEQUENCE, or

      *  the BGP speaker's own AS number if that segment is of type
         AS_CONFED_SEQUENCE or AS_CONFED_SET or if the AS_PATH is empty,
         or

      *  the distinguished value "NONE" if the final segment of the
         AS_PATH attribute is of any other type.
   o  Covered (-05 text): A Route Prefix is said to be Covered by a VRP
      when the VRP prefix length is less than or equal to the Route
      prefix length and the VRP prefix address matches the Route prefix
      address for all bits specified by the VRP prefix length.  (This
      is simply a statement of the well-known concept of determining a
      prefix match.)

   o  Covered (-06 text): A Route Prefix is said to be Covered by a VRP
      when the VRP prefix length is less than or equal to the Route
      prefix length, and the VRP prefix address and the Route prefix
      address are identical for all bits specified by the VRP prefix
      length.  (I.e., the Route prefix is either identical to the VRP
      prefix or a more specific of the VRP prefix.)
   o  Matched: A Route Prefix is said to be Matched by a VRP when the
      Route Prefix is Covered by that VRP and in addition, the Route
      prefix length is less than or equal to the VRP maximum length and
      the Route Origin ASN is equal to the VRP ASN.

   Given these definitions, any given BGP Route will be found to have
   one of the following "validation states":

   o  NotFound: No VRP Covers the Route Prefix.
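   The definitions above (Route Origin ASN, Covered, Matched, and the
   NotFound state) are implemented below as an added worked example; this
   is not code from the draft or from any router vendor.  It assumes the
   Valid and Invalid rules of the same specification, which fall outside
   this excerpt (Valid when at least one VRP Matches, Invalid when at
   least one VRP Covers but none Matches), the AS_PATH segment type codes
   of RFC 4271 and RFC 5065, and a constructed VRP set using
   documentation prefixes and private ASNs.  The `draft` argument
   switches between the -05 and -06 Route Origin ASN rules so the effect
   of the change (confederation segments and empty AS_PATHs now yield the
   speaker's own AS instead of NONE) can be observed directly.

```python
"""Added worked example: BGP prefix origin validation per the draft's
definitions, with a switch for the -05 vs -06 Route Origin ASN rules."""
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence, Tuple, Union

# AS_PATH segment type codes (RFC 4271 and RFC 5065).
AS_SET = 1
AS_SEQUENCE = 2
AS_CONFED_SEQUENCE = 3
AS_CONFED_SET = 4

NONE = "NONE"  # the draft's distinguished value: no usable origin AS

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Segment = Tuple[int, List[int]]  # (segment type, ASNs left to right)


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: VRP Prefix, maximum length, VRP ASN."""
    prefix: Network
    max_length: int
    asn: int


def route_origin_asn(as_path: Sequence[Segment], own_asn: int, draft: str = "06"):
    """Route Origin ASN under the -05 or -06 rules: an int, or NONE."""
    if not as_path:
        # -06: an empty AS_PATH yields the speaker's own AS.  -05 is silent
        # on this case; this example treats it as NONE there (assumption).
        return own_asn if draft == "06" else NONE
    seg_type, asns = as_path[-1]
    if seg_type == AS_SEQUENCE:
        return asns[-1]  # rightmost AS of the final AS_SEQUENCE segment
    if draft == "06" and seg_type in (AS_CONFED_SEQUENCE, AS_CONFED_SET):
        return own_asn  # -06 addition: confederation segment -> own AS
    return NONE  # any other final segment type, e.g. a trailing AS_SET


def covered(route_prefix: Network, vrp: VRP) -> bool:
    """VRP length <= Route length, and both prefixes agree on every bit
    the VRP prefix length specifies (the -06 wording, bit for bit)."""
    if vrp.prefix.version != route_prefix.version:
        return False
    if vrp.prefix.prefixlen > route_prefix.prefixlen:
        return False
    shift = vrp.prefix.max_prefixlen - vrp.prefix.prefixlen
    return (int(route_prefix.network_address) >> shift) == \
           (int(vrp.prefix.network_address) >> shift)


def matched(route_prefix: Network, origin_asn, vrp: VRP) -> bool:
    """Covered, Route length <= VRP max length, Route Origin ASN == VRP ASN.
    NONE never equals an integer ASN, so a NONE origin can never Match."""
    return (covered(route_prefix, vrp)
            and route_prefix.prefixlen <= vrp.max_length
            and origin_asn == vrp.asn)


def validation_state(route_prefix: Network, origin_asn, vrps: Sequence[VRP]) -> str:
    """NotFound if no VRP Covers; Valid if any VRP Matches; otherwise Invalid."""
    covering = [v for v in vrps if covered(route_prefix, v)]
    if not covering:
        return "NotFound"
    if any(matched(route_prefix, origin_asn, v) for v in covering):
        return "Valid"
    return "Invalid"


def evaluate(route_cidr: str, as_path: Sequence[Segment], own_asn: int,
             vrps: Sequence[VRP], draft: str = "06"):
    """Return (Route Origin ASN, validation state) for one Route."""
    prefix = ipaddress.ip_network(route_cidr, strict=True)
    origin = route_origin_asn(as_path, own_asn, draft)
    return origin, validation_state(prefix, origin, vrps)


# Constructed VRP set (documentation prefixes, private ASNs; not real ROAs).
VRPS = [
    VRP(ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    VRP(ipaddress.ip_network("2001:db8::/32"), 48, 64497),
]

if __name__ == "__main__":
    cases = [
        ("192.0.2.0/24", [(AS_SEQUENCE, [64500, 64496])], "06"),   # Valid
        ("192.0.2.0/25", [(AS_SEQUENCE, [64500, 64496])], "06"),   # Invalid: longer than maxLength
        ("198.51.100.0/24", [(AS_SEQUENCE, [64500, 64496])], "06"),  # NotFound
        ("192.0.2.0/24", [(AS_SEQUENCE, [64500]), (AS_SET, [64496])], "06"),  # NONE -> Invalid
        ("192.0.2.0/24", [(AS_CONFED_SEQUENCE, [65001])], "06"),  # own AS -> Valid
        ("192.0.2.0/24", [(AS_CONFED_SEQUENCE, [65001])], "05"),  # NONE -> Invalid
    ]
    for cidr, path, draft in cases:
        print(cidr, "draft -" + draft, evaluate(cidr, path, 64496, VRPS, draft))
```

   The last two cases show why the -06 change matters operationally: a
   speaker inside a confederation that originates a prefix itself would,
   under the -05 rules, derive NONE and mark its own route Invalid.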
   [skipping to change at page 9, line 4 (-05) / page 9, line 11 (-06)]
   to propagate the validation state to the IBGP peer.  This can be
   accomplished on the sending side by setting a community or extended
   community based on the validation state, and on the receiving side by
   matching the (extended) community and setting the validation state.
6.  Acknowledgments
   The authors wish to thank Rex Fernando, Hannes Gredler, Mouhcine
   Guennoun, Russ Housley, Junaid Israr, Miya Kohno, Shin Miyakawa, Taka
   Mizuguchi, Hussein Mouftah, Keyur Patel, Tomoya Yoshida, Kannan
   Varadhan, and Wes George (-06 adds Jay Borkenhagen and Sandra
   Murphy).  The authors are grateful for the feedback from the members
   of the SIDR working group.

   Junaid Israr's contribution to this specification was part of his PhD
   research work and thesis at University of Ottawa.
7.  IANA Considerations

8.  Security Considerations

   Although this specification discusses one portion of a system to
   validate BGP routes, it should be noted that it relies on a database
   [skipping to change at page 10, line 17 (-05) / page 10, line 29 (-06)]
   [RFC4893]  Vohra, Q. and E. Chen, "BGP Support for Four-octet AS
              Number Space", RFC 4893, May 2007.

   [RFC6482]  Lepinski, M., Kent, S., and D. Kong, "A Profile for Route
              Origin Authorizations (ROAs)", RFC 6482, February 2012.
9.2.  Informational References

   [I-D.ietf-idr-as0]
              Kumari, W., Bush, R., Schiller, H., and K. Patel,
              "Codification of AS 0 processing.",
              draft-ietf-idr-as0-03 (work in progress), January 2012
              (-05) / draft-ietf-idr-as0-04 (work in progress), May 2012
              (-06).

   [I-D.ietf-sidr-origin-ops]
              Bush, R., "RPKI-Based Origin Validation Operation",
              draft-ietf-sidr-origin-ops-15 (work in progress),
              March 2012.

   [I-D.ietf-sidr-rpki-rtr]
              Bush, R. and R. Austein, "The RPKI/Router Protocol",
              draft-ietf-sidr-rpki-rtr-26 (work in progress),
              February 2012.
End of changes.  11 change blocks.  23 lines changed or deleted, 30
lines changed or added.

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/