Changes between draft-ietf-sidr-pfx-validate-08.txt and draft-ietf-sidr-pfx-validate-09.txt
(rfcdiff side-by-side output collapsed to one column; where the two drafts differ, both readings are shown as -08 / -09)

Network Working Group                                           P. Mohapatra
Internet-Draft                                                 Cisco Systems
Intended status: Standards Track                                  J. Scudder
Expires: December 31, 2012 (-08) / March 03, 2013 (-09)     Juniper Networks
                                                                     D. Ward
                                                               Cisco Systems
                                                                     R. Bush
                                                   Internet Initiative Japan
                                                                  R. Austein
                                                        Dragon Research Labs
                                         July 2012 (-08) / September 2012 (-09)

                         BGP Prefix Origin Validation
          draft-ietf-sidr-pfx-validate-08 / draft-ietf-sidr-pfx-validate-09
Abstract

   To help reduce well-known threats against BGP including prefix
   mis-announcing and monkey-in-the-middle attacks, one of the security
   requirements is the ability to validate the origination AS of BGP
   routes.  More specifically, one needs to validate that the AS number
   claiming to originate an address prefix (as derived from the AS_PATH
   attribute of the BGP route) is in fact authorized by the prefix
   holder to do so.  This document describes a simple validation
skipping to change at page 1, line 44

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 31, 2012 (-08) / March 03, 2013 (-09).

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (http://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.
   [The following paragraph is present in only one of the two drafts.]

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.
Table of Contents

                                                                  -08  -09
   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . .    2    2
   1.1.  Requirements Language  . . . . . . . . . . . . . . . . .    3    3
   2.  Prefix-to-AS Mapping Database  . . . . . . . . . . . . . .    4    4
   2.1.  Pseudo-Code  . . . . . . . . . . . . . . . . . . . . . .    5    6
   3.  Policy Control . . . . . . . . . . . . . . . . . . . . . .    6    6
   4.  Interaction with Local Cache . . . . . . . . . . . . . . .    6    7
   5.  Deployment Considerations  . . . . . . . . . . . . . . . .    7    7
   6.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . .    7    7
   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . .    7    8
   8.  Security Considerations  . . . . . . . . . . . . . . . . .    7    8
   9.  References . . . . . . . . . . . . . . . . . . . . . . . .    8    8
   9.1.  Normative References . . . . . . . . . . . . . . . . . .    8    8
   9.2.  Informational References . . . . . . . . . . . . . . . .    8    9
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . .    9    9
1.  Introduction

   A BGP route associates an address prefix with a set of autonomous
   systems (AS) that identify the interdomain path the prefix has
   traversed in the form of BGP announcements.  This set is represented
   as the AS_PATH attribute in BGP [RFC4271] and starts with the AS that
   originated the prefix.  To help reduce well-known threats against BGP
   including prefix mis-announcing and monkey-in-the-middle attacks, one
skipping to change at page 7, line 49 (-08) / page 8, line 10 (-09)

   Mizuguchi, Hussein Mouftah, Keyur Patel, Tomoya Yoshida, Kannan
   Varadhan, Wes George, Jay Borkenhagen, and Sandra Murphy.  The
   authors are grateful for the feedback from the members of the SIDR
   working group.

   Junaid Israr's contribution to this specification was part of his PhD
   research work and thesis at University of Ottawa.

7.  IANA Considerations

   [The following text is present in only one of the two drafts.]

   [Note to RFC Editor: This section may be removed on publication]

   This document has no IANA considerations.
8.  Security Considerations

   Although this specification discusses one portion of a system to
   validate BGP routes, it should be noted that it relies on a database
   (RPKI or other) to provide validation information.  As such, the
   security properties of that database must be considered in order to
   determine the security provided by the overall solution.  If
   "invalid" routes are blocked as this specification suggests, the
   overall system provides a possible denial-of-service vector: for
   example, if an attacker is able to inject or remove one or more
   records in the validation database, an otherwise valid route could
   be marked as invalid and hence be blocked.
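   The validation the Abstract describes, and the database-manipulation
   failure mode this section warns about, worked through as an added
   example.  This is not pseudo-code from the draft (its Section 2.1 is
   elided in this diff).  It assumes the RPKI ROA-style record layout
   (prefix, maximum length, origin AS) and the three-state outcome
   Valid / Invalid / NotFound; the records and the route are constructed
   for illustration from documentation prefixes and AS numbers, and the
   AS_PATH handling assumes a flat AS_SEQUENCE with no AS_SET at the
   origin.

```python
"""Prefix origin validation against a prefix-to-AS mapping database.

Added example; it is not text or pseudo-code from the draft.  The record
layout (prefix, maximum length, origin AS) and the three outcomes
(Valid / Invalid / NotFound) follow the RPKI ROA model the draft builds
on.  The sample records and route are constructed for illustration and
use documentation prefixes (192.0.2.0/24) and AS numbers (64496-64511).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class State(Enum):
    VALID = "valid"          # some covering record matches the origin AS
    INVALID = "invalid"      # covering records exist, but none matches
    NOT_FOUND = "not found"  # no record covers the route at all


@dataclass(frozen=True)
class Record:
    """One entry of the prefix-to-AS mapping database (ROA-like)."""
    prefix: Network
    max_length: int
    origin_as: int


def covers(rec: Record, route: Network) -> bool:
    """A record covers a route when the record's prefix contains the
    route's prefix; origin AS and maximum length are not considered."""
    return rec.prefix.version == route.version and route.subnet_of(rec.prefix)


def matches(rec: Record, route: Network, origin_as: int) -> bool:
    """A record matches when it covers the route, the route is no more
    specific than the record's maximum length, and the origin AS is
    the record's origin AS."""
    return (covers(rec, route)
            and route.prefixlen <= rec.max_length
            and rec.origin_as == origin_as)


def validate(db: Iterable[Record], route: Network, origin_as: int) -> State:
    """Validation state of a route announced with the given origin AS."""
    covering = [r for r in db if covers(r, route)]
    if not covering:
        return State.NOT_FOUND
    if any(matches(r, route, origin_as) for r in covering):
        return State.VALID
    return State.INVALID


def origin_as_of(as_path: list, local_as: int) -> int:
    """Origin AS as derived from AS_PATH: the rightmost AS.  An empty
    AS_PATH means the route was originated locally, so the local AS is
    used.  Assumption: a flat AS_SEQUENCE, no AS_SET at the origin."""
    return as_path[-1] if as_path else local_as


def blocked(state: State) -> bool:
    """The policy this specification suggests: drop routes that validate
    as Invalid; Valid and NotFound routes remain eligible."""
    return state is State.INVALID


def scenarios() -> dict:
    """Security Considerations, worked through: records are injected
    into or removed from the database and the same route is revalidated."""
    route = ipaddress.ip_network("192.0.2.0/24")
    origin = 64496
    good = Record(ipaddress.ip_network("192.0.2.0/24"), 24, origin)
    # Less-specific record for another AS: covers the route, never matches
    # an origin of 64496.
    other = Record(ipaddress.ip_network("192.0.2.0/23"), 24, 64497)
    # Same holder, but a maximum length that excludes a /24 announcement.
    too_short = Record(ipaddress.ip_network("192.0.2.0/23"), 23, origin)
    return {
        "baseline": validate({good}, route, origin),
        "attacker injects a covering record": validate({good, other}, route, origin),
        "attacker removes the only record": validate(set(), route, origin),
        "attacker removes the matching record": validate({other}, route, origin),
        "announcement exceeds maximum length": validate({too_short}, route, origin),
    }


if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{name:40s} {state.value:10s} blocked={blocked(state)}")
```

   Under these semantics, injecting a covering record on its own does
   not downgrade a route that still has a matching record; the damaging
   manipulation is removing the matching record (alone, which yields
   NotFound, or while a non-matching covering record remains, which
   yields Invalid and therefore a blocked route).  That is the
   denial-of-service path the paragraph above describes, and it is why
   the integrity of the validation database matters as much as the
   check itself.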
skipping to change at page 8, line 53 (-08) / page 9, line 13 (-09)

              Number Space", RFC 4893, May 2007.

   [RFC6482]  Lepinski, M., Kent, S., and D. Kong, "A Profile for Route
              Origin Authorizations (ROAs)", RFC 6482, February 2012.

9.2.  Informational References

   [I-D.ietf-idr-as0]
              Kumari, W., Bush, R., Schiller, H., and K. Patel,
              "Codification of AS 0 processing.", Internet-Draft
              draft-ietf-idr-as0-05, May 2012 (-08) /
              draft-ietf-idr-as0-06, August 2012 (-09).

   [I-D.ietf-sidr-origin-ops]
              Bush, R., "RPKI-Based Origin Validation Operation",
              Internet-Draft draft-ietf-sidr-origin-ops-17, June 2012 (-08) /
              draft-ietf-sidr-origin-ops-19, August 2012 (-09).

   [I-D.ietf-sidr-rpki-rtr]
              Bush, R. and R. Austein, "The RPKI/Router Protocol",
              Internet-Draft draft-ietf-sidr-rpki-rtr-26, February 2012.

   [RFC6480]  Lepinski, M. and S. Kent, "An Infrastructure to Support
              Secure Internet Routing", RFC 6480, February 2012.
Authors' Addresses

skipping to change at page 9, line 39 (-08) / page 10, line 4 (-09)

   Email: jgs@juniper.net

   David Ward
   Cisco Systems
   170 W. Tasman Drive
   San Jose, CA 95134
   USA

   Email: dward@cisco.com

   Randy Bush
   Internet Initiative Japan
   5147 Crystal Springs
   Bainbridge Island, Washington 98110 (-08) / Bainbridge Island, WA 98110 (-09)
   USA

   Email: randy@psg.com

   Rob Austein
   Dragon Research Labs

   Email: sra@hactrn.net
End of changes.  15 change blocks.  25 lines changed or deleted, 17 lines changed or added.

This html diff was produced by rfcdiff 1.41.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/