draft-ietf-sidr-rpki-rtr-04.txt   draft-ietf-sidr-rpki-rtr-05.txt 
Network Working Group R. Bush Network Working Group R. Bush
Internet-Draft IIJ Internet-Draft IIJ
Intended status: Standards Track R. Austein Intended status: Standards Track R. Austein
Expires: May 26, 2011 ISC Expires: June 19, 2011 ISC
November 22, 2010 December 16, 2010
The RPKI/Router Protocol The RPKI/Router Protocol
draft-ietf-sidr-rpki-rtr-04 draft-ietf-sidr-rpki-rtr-05
Abstract Abstract
In order to formally validate the origin ASes of BGP announcements, In order to formally validate the origin ASes of BGP announcements,
routers need a simple but reliable mechanism to receive RPKI routers need a simple but reliable mechanism to receive RPKI
[I-D.ietf-sidr-arch] or analogous prefix origin data from a trusted [I-D.ietf-sidr-arch] or analogous prefix origin data from a trusted
cache. This document describes a protocol to deliver validated cache. This document describes a protocol to deliver validated
prefix origin data to routers over ssh. prefix origin data to routers over ssh.
Requirements Language Requirements Language
skipping to change at page 1, line 41 skipping to change at page 1, line 41
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 26, 2011. This Internet-Draft will expire on June 19, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 5, line 9 skipping to change at page 5, line 9
4. Protocol Data Units (PDUs) 4. Protocol Data Units (PDUs)
The exchanges between the cache and the router are sequences of The exchanges between the cache and the router are sequences of
exchanges of the following PDUs according to the rules described in exchanges of the following PDUs according to the rules described in
Section 5. Section 5.
4.1. Serial Notify 4.1. Serial Notify
The cache notifies the router that the cache has new data. The cache notifies the router that the cache has new data.
The Cache Nonce reassures the router that the serial numbers are
comensurate, i.e. the cache session has not been changed.
0 8 16 24 31 0 8 16 24 31
.-------------------------------------------. .-------------------------------------------.
| Protocol | PDU | | | Protocol | PDU | |
| Version | Type | reserved = zero | | Version | Type | Cache Nonce |
| 0 | 0 | | | 0 | 0 | |
+-------------------------------------------+ +-------------------------------------------+
| | | |
| Length=12 | | Length=12 |
| | | |
+-------------------------------------------+ +-------------------------------------------+
| | | |
| Serial Number | | Serial Number |
| | | |
`-------------------------------------------' `-------------------------------------------'
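Review bot: The sentence added to 4.1 ("The Cache Nonce reassures the router that the serial numbers are comensurate") misspells "commensurate"; the same misspelling is introduced in 4.2, 4.4, the Cache Nonce field definition and 5.1, so fix it throughout. The figure now puts the nonce in the 16-bit field that -04 marked "reserved = zero", but no prose in this block states the width; say "16-bit" explicitly so implementers do not assume the nonce is a 32-bit quantity like the Serial Number that follows it.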
skipping to change at page 5, line 39 skipping to change at page 5, line 42
The cache replies to this query with a Cache Response PDU The cache replies to this query with a Cache Response PDU
(Section 4.4) if the cache has a record of the changes since the (Section 4.4) if the cache has a record of the changes since the
serial number specified by the router. If there have been no changes serial number specified by the router. If there have been no changes
since the router last queried, the cache responds with an End Of Data since the router last queried, the cache responds with an End Of Data
PDU. If the cache does not have the data needed to update the PDU. If the cache does not have the data needed to update the
router, perhaps because its records do not go back to the Serial router, perhaps because its records do not go back to the Serial
Number in the Serial Query, then it responds with a Cache Reset PDU Number in the Serial Query, then it responds with a Cache Reset PDU
(Section 4.8). (Section 4.8).
The Cache Nonce tells the cache what instance the router expects to
ensure that the serial numbers are comensurate, i.e. the cache
session has not been changed.
0 8 16 24 31 0 8 16 24 31
.-------------------------------------------. .-------------------------------------------.
| Protocol | PDU | | | Protocol | PDU | |
| Version | Type | reserved = zero | | Version | Type | Cache Nonce |
| 0 | 1 | | | 0 | 1 | |
+-------------------------------------------+ +-------------------------------------------+
| | | |
| Length=12 | | Length=12 |
| | | |
+-------------------------------------------+ +-------------------------------------------+
| | | |
| Serial Number | | Serial Number |
| | | |
`-------------------------------------------' `-------------------------------------------'
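Review bot: The response enumeration in 4.2 (Cache Response, End Of Data, Cache Reset) still does not cover the case the added Cache Nonce text exists to detect: a Serial Query whose nonce is not the cache's current one. The new field definition says both sides MUST "completely drop the session" on disagreement, while 5.1 says a router recovers from a Cache Reset by sending a Reset Query; pick one behaviour and state it here, for example "If the Cache Nonce in the Serial Query does not match the cache's nonce, the cache responds with a Cache Reset PDU". Silently dropping the transport leaves the router unable to tell a cache restart from a network failure, whereas a Cache Reset tells it exactly what to do next. Also "comensurate" should be "commensurate".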
skipping to change at page 6, line 32 skipping to change at page 6, line 47
4.4. Cache Response 4.4. Cache Response
Cache Response: The cache responds with zero or more payload PDUs. Cache Response: The cache responds with zero or more payload PDUs.
When replying to a Serial Query request (Section 4.2), the cache When replying to a Serial Query request (Section 4.2), the cache
sends the set of all data records it has with serial numbers greater sends the set of all data records it has with serial numbers greater
than that sent by the client router. When replying to a Reset Query, than that sent by the client router. When replying to a Reset Query,
the cache sends the set of all data records it has; in this case the the cache sends the set of all data records it has; in this case the
withdraw/announce field in the payload PDUs MUST have the value 1 withdraw/announce field in the payload PDUs MUST have the value 1
(announce). (announce).
In response to a Reset Query, the Cache Nonce tells the router the
instance of the cache session for future confirmation. In response
to a Serial Query, the Cache Nonce reassures the router that the
serial numbers are comensurate, i.e. the cache session has not been
changed.
0 8 16 24 31 0 8 16 24 31
.-------------------------------------------. .-------------------------------------------.
| Protocol | PDU | | | Protocol | PDU | |
| Version | Type | reserved = zero | | Version | Type | Cache Nonce |
| 0 | 3 | | | 0 | 3 | |
+-------------------------------------------+ +-------------------------------------------+
| | | |
| Length=8 | | Length=8 |
| | | |
`-------------------------------------------' `-------------------------------------------'
4.5. IPv4 Prefix 4.5. IPv4 Prefix
0 8 16 24 31 0 8 16 24 31
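Review bot: The paragraph added to 4.4 says the nonce in a Cache Response to a Serial Query "reassures the router" but never says the router MUST compare it with the nonce it holds and, on mismatch, drop the session and flush as the field definition requires. Make that comparison an explicit MUST here: the Cache Response precedes the IPvX Prefix PDUs, so this is the point at which a router must refuse to apply incremental updates from a different cache instance to its existing data. "comensurate" should be "commensurate".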
skipping to change at page 10, line 48 skipping to change at page 10, line 48
Protocol Version: An ordinal, currently 0, denoting the version of Protocol Version: An ordinal, currently 0, denoting the version of
this protocol. this protocol.
Serial Number: The serial number of the RPKI Cache when this ROA was Serial Number: The serial number of the RPKI Cache when this ROA was
received from the cache's up-stream cache server or gathered from received from the cache's up-stream cache server or gathered from
the global RPKI. A cache increments its serial number when the global RPKI. A cache increments its serial number when
completing an rigorously validated update from a parent cache, for completing an rigorously validated update from a parent cache, for
example via rcynic. See [RFC1982] on DNS Serial Number Arithmetic example via rcynic. See [RFC1982] on DNS Serial Number Arithmetic
for too much detail on serial number arithmetic. for too much detail on serial number arithmetic.
Cache Nonce: When a cache server is started, it generates a nonce to
identify the instance of the cache and to bind it to the sequence
of Serial Numbers that cache instance will generate. This allows
the router to restart a failed session knowing that the Serial
Number it is using is comensurate with that of the cache. If, at
any time, either the router or the cache finds the value of the
nonces they hold disagree, they MUST completely drop the session
and the router MUST flush all data learned from that cache.
Length: A 32 bit ordinal which has as its value the count of the Length: A 32 bit ordinal which has as its value the count of the
bytes in the entire PDU, including the eight bytes of header which bytes in the entire PDU, including the eight bytes of header which
end with the length field. end with the length field.
Flags: The lowest order bit of the Flags field is 1 for an Flags: The lowest order bit of the Flags field is 1 for an
announcement and 0 for a withdrawal, whether this PDU announces a announcement and 0 for a withdrawal, whether this PDU announces a
new right to announce the prefix or withdraws a previously new right to announce the prefix or withdraws a previously
announced right. A withdraw effectively deletes one previously announced right. A withdraw effectively deletes one previously
announced IPvX Prefix PDU with the exact same Prefix, Length, Max- announced IPvX Prefix PDU with the exact same Prefix, Length, Max-
Len, and ASN. Len, and ASN.
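Review bot: The new Cache Nonce definition says the cache "generates a nonce" when started but not how, and the figures allot it only 16 bits. Since its entire purpose is to make a restarted cache's serial-number space unmistakable for the previous instance's, require that the value be chosen unpredictably (or at minimum that it differ from the value the previous instance used), and note that a 16-bit value chosen uniformly at random has roughly a 1 in 65536 chance of repeating the old nonce, in which case a Serial Query from a router holding stale data from the previous instance would be answered as if the serial numbers were comparable. "comensurate" should be "commensurate", and in the unchanged Serial Number text "completing an rigorously validated update" should read "a rigorously validated update".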
skipping to change at page 11, line 35 skipping to change at page 11, line 42
5. Protocol Sequences 5. Protocol Sequences
The sequences of PDU transmissions fall into three conversations as The sequences of PDU transmissions fall into three conversations as
follows: follows:
5.1. Start or Restart 5.1. Start or Restart
Cache Router Cache Router
~ ~ ~ ~
| <----- Reset Query -------- | R requests data | <----- Reset Query -------- | R requests data (or Serial Query)
| | | |
| ----- Cache Response -----> | C confirms request | ----- Cache Response -----> | C confirms request
| ------- IPvX Prefix ------> | C sends zero or more | ------- IPvX Prefix ------> | C sends zero or more
| ------- IPvX Prefix ------> | IPv4 and IPv6 Prefix | ------- IPvX Prefix ------> | IPv4 and IPv6 Prefix
| ------- IPvX Prefix ------> | Payload PDUs | ------- IPvX Prefix ------> | Payload PDUs
| ------ End of Data ------> | C sends End of Data | ------ End of Data ------> | C sends End of Data
| | and sends new serial | | and sends new serial
~ ~ ~ ~
When a transport session is first established, the router sends a When a transport session is first established, the router MAY send a
Reset Query and the cache responds with a data sequence of all data Reset Query and the cache responds with a data sequence of all data
it contains. it contains.
Alternatively, if the router has significant unexpired data from a
broken session with the same cache, it MAY start with a Serial Query
containing the Cache Nonce from the previous session to ensure the
serial numbers are comensurate.
This Reset Query sequence is also used when the router receives a This Reset Query sequence is also used when the router receives a
Cache Reset, chooses a new cache, or fears that it has otherwise lost Cache Reset, chooses a new cache, or fears that it has otherwise lost
its way. its way.
To limit the length of time a cache must keep the data necessary to To limit the length of time a cache must keep the data necessary to
generate incremental updates, a router MUST send either a Serial generate incremental updates, a router MUST send either a Serial
Query or a Reset Query no less frequently than once an hour. This Query or a Reset Query no less frequently than once an hour. This
also acts as a keep alive at the application layer. also acts as a keep alive at the application layer.
As the cache MAY not keep updates for more than one hour, the router
MUST have a polling interval of no greater than half an hour
5.2. Typical Exchange 5.2. Typical Exchange
Cache Router Cache Router
~ ~ ~ ~
| -------- Notify ----------> | (optional) | -------- Notify ----------> | (optional)
| | | |
| <----- Serial Query ------- | R requests data | <----- Serial Query ------- | R requests data
| | | |
| ----- Cache Response -----> | C confirms request | ----- Cache Response -----> | C confirms request
| ------- IPvX Prefix ------> | C sends zero or more | ------- IPvX Prefix ------> | C sends zero or more
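Review bot: The two lines added at the end of 5.1 ("As the cache MAY not keep updates for more than one hour, the router MUST have a polling interval of no greater than half an hour") conflict with the paragraph directly above them, which requires a Serial Query or Reset Query "no less frequently than once an hour": a router polling every 59 minutes satisfies one MUST and violates the other. Merge them into a single requirement; the new sentence also lacks its terminating period, and "MAY not" is not an RFC 2119 form ("need not retain updates for more than one hour" says what is meant). The changed diagram label "R requests data (or Serial Query)" now sits above steps that describe the Reset Query case only ("the cache responds with a data sequence of all data it contains"); a Serial Query with a matching nonce yields only records newer than the router's serial, and one the cache cannot serve yields a Cache Reset, so either show the Serial Query start separately or point the reader to 5.2 for that variant.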
 End of changes. 14 change blocks. 
9 lines changed or deleted 39 lines changed or added

This html diff was produced by rfcdiff 1.40. The latest version is available from http://tools.ietf.org/tools/rfcdiff/