rfcdiff: draft-ietf-sidr-pfx-validate-07.txt (-07) vs. draft-ietf-sidr-pfx-validate-08.txt (-08)
Network Working Group                                       P. Mohapatra
Internet-Draft                                             Cisco Systems
Intended status: Standards Track                              J. Scudder
Expires: December 01, 2012 (-07) / December 31, 2012 (-08)
                                                        Juniper Networks
                                                                 D. Ward
                                                           Cisco Systems
                                                                 R. Bush
                                               Internet Initiative Japan
                                                              R. Austein
                                                    Dragon Research Labs
                                       June 2012 (-07) / July 2012 (-08)

                      BGP Prefix Origin Validation
     draft-ietf-sidr-pfx-validate-07 (-07) / draft-ietf-sidr-pfx-validate-08 (-08)
Abstract

   To help reduce well-known threats against BGP including prefix
   mis-announcing and monkey-in-the-middle attacks, one of the security
   requirements is the ability to validate the origination AS of BGP
   routes.  More specifically, one needs to validate that the AS number
   claiming to originate an address prefix (as derived from the AS_PATH
   attribute of the BGP route) is in fact authorized by the prefix
   holder to do so.  This document describes a simple validation
   [skipping to change at page 1, line 44]
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   -07: This Internet-Draft will expire on December 01, 2012.
   -08: This Internet-Draft will expire on December 31, 2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (http://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   [skipping to change at page 3, line 45]
   to retrieve the processed data from the local cache to the BGP
   speakers is beyond the scope of this document (refer to
   [I-D.ietf-sidr-rpki-rtr] for such a mechanism).  This document
   proposes a means by which a BGP speaker can make use of the processed
   data in order to assign a "validation state" to each prefix in a
   received BGP UPDATE message.

   Note that the complete path attestation against the AS_PATH attribute
   of a route is outside the scope of this document.

   [paragraph added in -08]
   Like the DNS, the global RPKI presents only a loosely consistent
   view, depending on timing, updating, fetching, etc.  Thus, one cache
   or router may have different data about a particular prefix than
   another cache or router.  There is no 'fix' for this, it is the
   nature of distributed data with distributed caches.

   Although RPKI provides the context for this draft, it is equally
   possible to use any other database which is able to map prefixes to
   their authorized origin ASes.  Each distinct database will have its
   own particular operational and security characteristics; such
   characteristics are beyond the scope of this document.
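Review bot: the paragraph added in -08 says there is no 'fix' for the loosely consistent RPKI view but stops short of stating the consequence for the mechanism this draft defines: since Section 1 has each BGP speaker assign a "validation state" per received prefix from its own cache, two routers (or one router across cache refreshes) may assign different states to the same route, so any policy keyed on that state must tolerate state changes that are caused by cache skew rather than by a routing change. Suggest adding one sentence to that effect and pointing from this paragraph to [I-D.ietf-sidr-origin-ops], which is already in the informational references, for the operational handling.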
1.1.  Requirements Language

   -07:
   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

   -08:
   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to
   be interpreted as described in RFC 2119 [RFC2119] only when they
   appear in all upper case.  They may also appear in lower or mixed
   case as English words, without any normative meaning.

2.  Prefix-to-AS Mapping Database

   The BGP speaker loads validated objects from the cache into local
   storage.  The objects loaded have the content (IP address, prefix
   length, maximum length, origin AS number).  We refer to such a locally
   stored object as a "Validated ROA Payload" or "VRP".

   We define several terms in addition to "VRP".  Where these terms are
   used, they are capitalized:
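Section 2 gives the VRP as the tuple (IP address, prefix length, maximum length, origin AS), and Section 1 says the speaker uses such data to assign a validation state to each received prefix. The Python below is an added example, not code from the draft or from any of the authors' implementations. The VRP table and the routes it checks are constructed; the decision rule (a VRP covers a route when the route lies within the VRP prefix, matches when in addition the route's length does not exceed the maximum length and the origin AS is equal; Valid if any VRP matches, Invalid if some VRP covers but none matches, NotFound otherwise) and the state names come from sections of the full draft that this excerpt does not show. The way the origin AS is taken from AS_PATH segments and the treatment of AS 0 as an origin that never matches are assumptions, marked as such in the comments.

```python
"""Assign an origin-validation state to a BGP route from a VRP table.

Added example, not code from the draft.  VRP fields follow Section 2:
(IP address, prefix length, maximum length, origin AS).  The cover /
match rule and the Valid / Invalid / NotFound states are taken from
the full draft; the AS_PATH and AS 0 handling below are assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    prefix: IPNetwork      # IP address + prefix length
    max_length: int        # longest more-specific the ROA authorizes
    origin_as: int         # 0 = "no AS may originate" (assumption)


def make_vrp(prefix: str, max_length: Optional[int], origin_as: int) -> VRP:
    net = ipaddress.ip_network(prefix, strict=True)   # reject host bits set
    if max_length is None:
        max_length = net.prefixlen                    # no maxLength: exact prefix only
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"bad maximum length {max_length} for {net}")
    return VRP(net, max_length, origin_as)


# Constructed VRP table, as a cache would hand it to the router.
VRPS = [
    make_vrp("192.0.2.0/24", None, 64496),
    make_vrp("198.51.100.0/24", 26, 64497),
    make_vrp("2001:db8::/32", 48, 64498),
    make_vrp("203.0.113.0/24", None, 0),   # AS 0: nobody may originate
    make_vrp("10.0.0.0/8", None, 64499),
    make_vrp("10.1.0.0/16", 24, 64500),
]

NONE = None   # origin AS could not be determined from AS_PATH


def origin_as_from_path(as_path, local_as: int):
    """Derive the route's origin AS from AS_PATH segments (assumption:
    rightmost AS of a final AS_SEQUENCE; the local AS for an empty path
    or a confederation segment; NONE if the path ends in an AS_SET).
    as_path is a list of (segment_type, [asn, ...]) tuples."""
    if not as_path:
        return local_as
    seg_type, asns = as_path[-1]
    if seg_type == "AS_SEQUENCE":
        return asns[-1]
    if seg_type in ("AS_CONFED_SEQUENCE", "AS_CONFED_SET"):
        return local_as
    return NONE


def covers(v: VRP, route: IPNetwork) -> bool:
    # Same address family and the route lies within the VRP prefix; a
    # route less specific than the VRP prefix is not covered by it.
    return route.version == v.prefix.version and route.subnet_of(v.prefix)


def matches(v: VRP, route: IPNetwork, origin_as) -> bool:
    return (covers(v, route)
            and route.prefixlen <= v.max_length
            and origin_as is not NONE
            and origin_as != 0             # assumption: AS 0 never matches
            and origin_as == v.origin_as)


def validate(prefix: str, origin_as, vrps=VRPS) -> str:
    """Return "Valid", "Invalid" or "NotFound" for (prefix, origin AS).
    Every covering VRP is considered, not only the most specific one."""
    route = ipaddress.ip_network(prefix, strict=True)
    covering = [v for v in vrps if covers(v, route)]
    if not covering:
        return "NotFound"        # no VRP says anything about this space
    if any(matches(v, route, origin_as) for v in covering):
        return "Valid"           # some VRP authorizes this origin
    return "Invalid"             # covered, but no VRP authorizes it


if __name__ == "__main__":
    for prefix, path in [
        ("192.0.2.0/24", [("AS_SEQUENCE", [64510, 64496])]),
        ("192.0.2.0/25", [("AS_SEQUENCE", [64510, 64496])]),   # beyond maxLength
        ("10.2.0.0/16", [("AS_SEQUENCE", [64499])]),           # /8 VRP, maxLength 8
        ("203.0.113.0/24", [("AS_SEQUENCE", [64496])]),        # AS 0 VRP
        ("192.0.2.0/24", [("AS_SEQUENCE", [64510]), ("AS_SET", [64496, 64511])]),
        ("172.16.0.0/12", [("AS_SEQUENCE", [64496])]),
    ]:
        origin = origin_as_from_path(path, local_as=65000)
        print(f"{prefix:18} origin={origin!s:6} -> {validate(prefix, origin)}")
```

Two properties of the rule are worth seeing in the output: a route longer than every covering VRP's maximum length is Invalid even when the origin AS is the right one (192.0.2.0/25 from AS 64496), which is what stops a more-specific hijack of a signed prefix; and a VRP with origin AS 0 covers but never matches, so 203.0.113.0/24 is Invalid from every originator. A route that falls outside every VRP (172.16.0.0/12) is NotFound rather than Invalid, so the absence of a ROA is distinguishable from a contradicted one.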
   [skipping to change at page 9, line 5]
9.2.  Informational References

   [I-D.ietf-idr-as0]
              Kumari, W., Bush, R., Schiller, H. and K. Patel,
              "Codification of AS 0 processing.", Internet-Draft
              draft-ietf-idr-as0-05, May 2012.

   [I-D.ietf-sidr-origin-ops]
              Bush, R., "RPKI-Based Origin Validation Operation",
              -07: Internet-Draft draft-ietf-sidr-origin-ops-16, May 2012.
              -08: Internet-Draft draft-ietf-sidr-origin-ops-17, June 2012.

   [I-D.ietf-sidr-rpki-rtr]
              Bush, R. and R. Austein, "The RPKI/Router Protocol",
              Internet-Draft draft-ietf-sidr-rpki-rtr-26, February 2012.

   [RFC6480]  Lepinski, M. and S. Kent, "An Infrastructure to Support
              Secure Internet Routing", RFC 6480, February 2012.

Authors' Addresses
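Review bot: this block bumps [I-D.ietf-sidr-origin-ops] to -17 (June 2012) but leaves [I-D.ietf-sidr-rpki-rtr] at -26 (February 2012); since Section 1 sends the reader to rpki-rtr as the cache-to-router mechanism, confirm that -26 is still the current revision as of this July 2012 version and bump it in the same pass if it is not.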
End of changes.  8 change blocks.
8 lines changed or deleted, 15 lines changed or added.

This html diff was produced by rfcdiff 1.41.  The latest version is
available from http://tools.ietf.org/tools/rfcdiff/