draft-ietf-sidr-rpki-rtr-09.txt   draft-ietf-sidr-rpki-rtr-10.txt 
Network Working Group R. Bush Network Working Group R. Bush
Internet-Draft IIJ Internet-Draft IIJ
Intended status: Standards Track R. Austein Intended status: Standards Track R. Austein
Expires: August 21, 2011 ISC Expires: September 4, 2011 ISC
February 17, 2011 March 3, 2011
The RPKI/Router Protocol The RPKI/Router Protocol
draft-ietf-sidr-rpki-rtr-09 draft-ietf-sidr-rpki-rtr-10
Abstract Abstract
In order to formally validate the origin ASes of BGP announcements, In order to formally validate the origin ASes of BGP announcements,
routers need a simple but reliable mechanism to receive RPKI routers need a simple but reliable mechanism to receive RPKI
[I-D.ietf-sidr-arch] or analogous prefix origin data from a trusted [I-D.ietf-sidr-arch] or analogous prefix origin data from a trusted
cache. This document describes a protocol to deliver validated cache. This document describes a protocol to deliver validated
prefix origin data to routers over ssh. prefix origin data to routers over ssh.
Requirements Language Requirements Language
skipping to change at page 1, line 41 skipping to change at page 1, line 41
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 21, 2011. This Internet-Draft will expire on September 4, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 28 skipping to change at page 2, line 28
4.1. Serial Notify . . . . . . . . . . . . . . . . . . . . . . 5 4.1. Serial Notify . . . . . . . . . . . . . . . . . . . . . . 5
4.2. Serial Query . . . . . . . . . . . . . . . . . . . . . . . 5 4.2. Serial Query . . . . . . . . . . . . . . . . . . . . . . . 5
4.3. Reset Query . . . . . . . . . . . . . . . . . . . . . . . 6 4.3. Reset Query . . . . . . . . . . . . . . . . . . . . . . . 6
4.4. Cache Response . . . . . . . . . . . . . . . . . . . . . . 6 4.4. Cache Response . . . . . . . . . . . . . . . . . . . . . . 6
4.5. IPv4 Prefix . . . . . . . . . . . . . . . . . . . . . . . 7 4.5. IPv4 Prefix . . . . . . . . . . . . . . . . . . . . . . . 7
4.6. IPv6 Prefix . . . . . . . . . . . . . . . . . . . . . . . 8 4.6. IPv6 Prefix . . . . . . . . . . . . . . . . . . . . . . . 8
4.7. End of Data . . . . . . . . . . . . . . . . . . . . . . . 9 4.7. End of Data . . . . . . . . . . . . . . . . . . . . . . . 9
4.8. Cache Reset . . . . . . . . . . . . . . . . . . . . . . . 9 4.8. Cache Reset . . . . . . . . . . . . . . . . . . . . . . . 9
4.9. Error Report . . . . . . . . . . . . . . . . . . . . . . . 9 4.9. Error Report . . . . . . . . . . . . . . . . . . . . . . . 9
4.10. Fields of a PDU . . . . . . . . . . . . . . . . . . . . . 10 4.10. Fields of a PDU . . . . . . . . . . . . . . . . . . . . . 10
5. Protocol Sequences . . . . . . . . . . . . . . . . . . . . . . 11 5. Protocol Sequences . . . . . . . . . . . . . . . . . . . . . . 12
5.1. Start or Restart . . . . . . . . . . . . . . . . . . . . . 12 5.1. Start or Restart . . . . . . . . . . . . . . . . . . . . . 12
5.2. Typical Exchange . . . . . . . . . . . . . . . . . . . . . 13 5.2. Typical Exchange . . . . . . . . . . . . . . . . . . . . . 13
5.3. No Incremental Update Available . . . . . . . . . . . . . 13 5.3. No Incremental Update Available . . . . . . . . . . . . . 13
5.4. Cache has No Data Available . . . . . . . . . . . . . . . 14 5.4. Cache has No Data Available . . . . . . . . . . . . . . . 14
6. SSH Transport . . . . . . . . . . . . . . . . . . . . . . . . 14 6. SSH Transport . . . . . . . . . . . . . . . . . . . . . . . . 14
7. Router-Cache Set-Up . . . . . . . . . . . . . . . . . . . . . 15 7. Router-Cache Set-Up . . . . . . . . . . . . . . . . . . . . . 15
8. Deployment Scenarios . . . . . . . . . . . . . . . . . . . . . 16 8. Deployment Scenarios . . . . . . . . . . . . . . . . . . . . . 16
9. Error Codes . . . . . . . . . . . . . . . . . . . . . . . . . 17 9. Error Codes . . . . . . . . . . . . . . . . . . . . . . . . . 17
10. Security Considerations . . . . . . . . . . . . . . . . . . . 18 10. Security Considerations . . . . . . . . . . . . . . . . . . . 18
11. Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 11. Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20
13. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 20 13. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 20
14. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20 14. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21
14.1. Normative References . . . . . . . . . . . . . . . . . . . 20 14.1. Normative References . . . . . . . . . . . . . . . . . . . 21
14.2. Informative References . . . . . . . . . . . . . . . . . . 20 14.2. Informative References . . . . . . . . . . . . . . . . . . 21
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 21 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 21
1. Introduction 1. Introduction
In order to formally validate the origin ASes of BGP announcements, In order to formally validate the origin ASes of BGP announcements,
routers need a simple but reliable mechanism to receive RPKI routers need a simple but reliable mechanism to receive RPKI
[I-D.ietf-sidr-arch] or analogous formally validated prefix origin [I-D.ietf-sidr-arch] or analogous formally validated prefix origin
data from a trusted cache. This document describes a protocol to data from a trusted cache. This document describes a protocol to
deliver validated prefix origin data to routers over ssh. deliver validated prefix origin data to routers over ssh.
skipping to change at page 7, line 41 skipping to change at page 7, line 41
+-------------------------------------------+ +-------------------------------------------+
| | | |
| Length=20 | | Length=20 |
| | | |
+-------------------------------------------+ +-------------------------------------------+
| | Prefix | Max | | | | Prefix | Max | |
| Flags | Length | Length | zero | | Flags | Length | Length | zero |
| | 0..32 | 0..32 | | | | 0..32 | 0..32 | |
+-------------------------------------------+ +-------------------------------------------+
| | | |
| IPv4 prefix | | IPv4 Prefix |
| | | |
+-------------------------------------------+ +-------------------------------------------+
| | | |
| Autonomous System Number | | Autonomous System Number |
| | | |
`-------------------------------------------' `-------------------------------------------'
Due to the nature of the RPKI and the IRR, there can be multiple Due to the nature of the RPKI and the IRR, there can be multiple
identical IPvX PDUs. A router MUST be prepared to receive multiple identical IPvX PDUs. A router MUST be prepared to receive multiple
identical record announcements and MUST NOT consider a record to have identical record announcements and MUST NOT consider a record to have
skipping to change at page 8, line 43 skipping to change at page 8, line 43
| Length=32 | | Length=32 |
| | | |
+-------------------------------------------+ +-------------------------------------------+
| | Prefix | Max | | | | Prefix | Max | |
| Flags | Length | Length | zero | | Flags | Length | Length | zero |
| | 0..32 | 0..128 | | | | 0..32 | 0..128 | |
+-------------------------------------------+ +-------------------------------------------+
| | | |
+--- ---+ +--- ---+
| | | |
+--- IPv6 prefix ---+ +--- IPv6 Prefix ---+
| | | |
+--- ---+ +--- ---+
| | | |
+-------------------------------------------+ +-------------------------------------------+
| | | |
| Autonomous System Number | | Autonomous System Number |
| | | |
`-------------------------------------------' `-------------------------------------------'
4.7. End of Data 4.7. End of Data
skipping to change at page 9, line 52 skipping to change at page 9, line 52
| | | |
`-------------------------------------------' `-------------------------------------------'
4.9. Error Report 4.9. Error Report
This PDU is used by either party to report an error to the other. This PDU is used by either party to report an error to the other.
The Error Number is described in Section 9. The Error Number is described in Section 9.
If the error is not associated with any particular PDU, the Erroneous If the error is not associated with any particular PDU, the Erroneous
PDU field should be empty and the Length of Encapsulated PDU field PDU field MUST be empty and the Length of Encapsulated PDU field MUST
should be zero. be zero.
If the error is associated with a PDU of excessive, or possibly
corrupt, length, the Erroneous PDU field MAY be truncated.
The diagnostic text is optional, if not present the Length of Error The diagnostic text is optional, if not present the Length of Error
Text field should be zero. If error text is present, it SHOULD be a Text field SHOULD be zero. If error text is present, it SHOULD be a
string in US-ASCII, for maximum portability; if non-US-ASCII string in US-ASCII, for maximum portability; if non-US-ASCII
characters are absolutely required, the error text MUST use UTF-8 characters are absolutely required, the error text MUST use UTF-8
encoding. encoding.
0 8 16 24 31 0 8 16 24 31
.-------------------------------------------. .-------------------------------------------.
| Protocol | PDU | | | Protocol | PDU | |
| Version | Type | Error Number | | Version | Type | Error Number |
| 0 | 10 | | | 0 | 10 | |
+-------------------------------------------+ +-------------------------------------------+
skipping to change at page 17, line 33 skipping to change at page 17, line 33
To keep load on global RPKI services from unnecessary peaks, it is To keep load on global RPKI services from unnecessary peaks, it is
recommended that primary caches which load from the distributed recommended that primary caches which load from the distributed
global RPKI not do so all at the same times, e.g. on the hour. global RPKI not do so all at the same times, e.g. on the hour.
Choose a random time, perhaps the ISP's AS number modulo 60 and Choose a random time, perhaps the ISP's AS number modulo 60 and
jitter the inter-fetch timing. jitter the inter-fetch timing.
9. Error Codes 9. Error Codes
This section contains a preliminary list of error codes. The authors This section contains a preliminary list of error codes. The authors
expect additions to this section during development of the initial expect additions to this section during development of the initial
implementations. Eventually, these error codes will probably need to implementations. Errors which are considered fatal SHOULD cause the
reside in an IANA registry. session to be dropped.
0: Reserved. 0: Corrupt Data (fatal): The receiver believes the received PDU to
be corrupt in a manner not specified by other error codes.
1: Internal Error: The party reporting the error experienced some 1: Internal Error (fatal): The party reporting the error experienced
kind of internal error unrelated to protocol operation (ran out of some kind of internal error unrelated to protocol operation (ran
memory, a coding assertion failed, et cetera). out of memory, a coding assertion failed, et cetera).
2: No Data Available: The cache believes itself to be in good 2: No Data Available: The cache believes itself to be in good
working order, but is unable to answer either a Serial Query or a working order, but is unable to answer either a Serial Query or a
Reset Query because it has no useful data available at this time. Reset Query because it has no useful data available at this time.
This is likely to be a temporary error, and most likely indicates This is likely to be a temporary error, and most likely indicates
that the cache has not yet completed pulling down an initial that the cache has not yet completed pulling down an initial
current data set from the global RPKI system after some kind of current data set from the global RPKI system after some kind of
event that invalidated whatever data it might have previously held event that invalidated whatever data it might have previously held
(reboot, network partition, etcetera). (reboot, network partition, etcetera).
3: Invalid Request: The cache server believes the client's request 3: Invalid Request (fatal): The cache server believes the client's
to be invalid. request to be invalid.
4: Unsupported Protocol Version (fatal): The Protocol Version is not
known by the receiver of the PDU.
5: Unsupported PDU Type (fatal): The PDU Type is not known by the
receiver of the PDU.
6: Withdrawal of Unknown Record (fatal): The received PDU has Flag=0
but a record for the Prefix/PrefixLength/MaxLength triple does not
exist in the receiver's database.
10. Security Considerations 10. Security Considerations
As this document describes a security protocol, many aspects of As this document describes a security protocol, many aspects of
security interest are described in the relevant sections. This security interest are described in the relevant sections. This
section points out issues which may not be obvious in other sections. section points out issues which may not be obvious in other sections.
Cache Validation: In order for a collection of caches as described Cache Validation: In order for a collection of caches as described
in Section 8 to guarantee a consistent view, they need to be given in Section 8 to guarantee a consistent view, they need to be given
consistent trust anchors to use in their internal validation consistent trust anchors to use in their internal validation
skipping to change at page 19, line 6 skipping to change at page 19, line 18
While we can not say the cache must be on the same LAN, if only While we can not say the cache must be on the same LAN, if only
due to the issue of an enterprise wanting to off-load the cache due to the issue of an enterprise wanting to off-load the cache
task to their upstream ISP(s), locality, trust, and control are task to their upstream ISP(s), locality, trust, and control are
very critical issues here. The cache(s) really SHOULD be as very critical issues here. The cache(s) really SHOULD be as
close, in the sense of controlled and protected (against DDoS, close, in the sense of controlled and protected (against DDoS,
MITM) transport, to the router(s) as possible. It also SHOULD be MITM) transport, to the router(s) as possible. It also SHOULD be
topologically close so that a minimum of validated routing data topologically close so that a minimum of validated routing data
are needed to bootstrap a router's access to a cache. are needed to bootstrap a router's access to a cache.
The ssh identity of the cache server MUST be verified and
authenticated by the router client, and vice versa, before any
data are exchanged.
11. Glossary 11. Glossary
The following terms are used with special meaning: The following terms are used with special meaning:
Global RPKI: The authoritative data of the RPKI are published in a Global RPKI: The authoritative data of the RPKI are published in a
distributed set of servers at the IANA, RIRs, NIRs, and ISPs, see distributed set of servers at the IANA, RIRs, NIRs, and ISPs, see
[I-D.ietf-sidr-repos-struct]. [I-D.ietf-sidr-repos-struct].
Non-authorative Cache: A coalesced copy of the RPKI which is Non-authorative Cache: A coalesced copy of the RPKI which is
periodically fetched/refreshed directly or indirectly from the periodically fetched/refreshed directly or indirectly from the
skipping to change at page 19, line 37 skipping to change at page 20, line 8
receiving, new incoming data, and implicit deletes, are marked receiving, new incoming data, and implicit deletes, are marked
with the new serial but MUST NOT be sent until the fetch is with the new serial but MUST NOT be sent until the fetch is
complete. A serial number is not commensurate between caches, nor complete. A serial number is not commensurate between caches, nor
need it be maintained across resets of the cache server. See need it be maintained across resets of the cache server. See
[RFC1982] on DNS Serial Number Arithmetic for too much detail on [RFC1982] on DNS Serial Number Arithmetic for too much detail on
serial number arithmetic. serial number arithmetic.
12. IANA Considerations 12. IANA Considerations
This document requests the IANA to create a registry for PDU types. This document requests the IANA to create a registry for PDU types.
The name of the registry should be rpki-rtr-pdu. The policy for
adding to the registry is RFC Required per [RFC5226]. The intitial
entries should be as follows:
0 - Serial Notify
1 - Serial Query
2 - Reset Query
3 - Cache Response
4 - IPv4 Prefix
6 - IPv6 Prefix
7 - End of Data
8 - Cache Reset
10 - Error Report
This document requests the IANA to create a registry for Error Codes. This document requests the IANA to create a registry for Error Codes.
The name of the registry should be rpki-rtr-error. The policy for
adding to the registry is Expert Review per [RFC5226], where the
responsible IESG area director should appoint the Expert Reviewer.
The initial entries should be as follows:
This document requests the IANA to add an SSH Subsystem Name, as 0 - Corrupt Data
defined in [RFC4250], of 'rpkirtr'. 1 - Internal Error
2 - No Data Available
3 - Invalid Request
4 - Unsupported Protocol Version
5 - Unsupported PDU Type
6 - Withdrawal of Unknown Record
In addition, a registry for Version Numbers would be needed if and This document requests the IANA to add an SSH Subsystem Name, as
only whan a new Version Number is defined in a new RFC. defined in [RFC4250], of 'rpki-rtr'.
Note to RFC Editor: this section may be replaced on publication as an Note to RFC Editor: this section may be replaced on publication as an
RFC. RFC.
13. Acknowledgments 13. Acknowledgments
The authors wish to thank Steve Bellovin, Rex Fernando, Russ Housley, The authors wish to thank Steve Bellovin, Rex Fernando, Russ Housley,
Pradosh Mohapatra, Keyur Patel, Sandy Murphy, Robert Raszuk, John Pradosh Mohapatra, Keyur Patel, Sandy Murphy, Robert Raszuk, John
Scudder, Ruediger Volk, and David Ward. Particular thanks go to Scudder, Ruediger Volk, and David Ward. Particular thanks go to
Hannes Gredler for showing us the dangers of unnecessary fields. Hannes Gredler for showing us the dangers of unnecessary fields.
skipping to change at page 20, line 34 skipping to change at page 21, line 24
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4250] Lehtinen, S. and C. Lonvick, "The Secure Shell (SSH) [RFC4250] Lehtinen, S. and C. Lonvick, "The Secure Shell (SSH)
Protocol Assigned Numbers", RFC 4250, January 2006. Protocol Assigned Numbers", RFC 4250, January 2006.
[RFC4252] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) [RFC4252] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
Authentication Protocol", RFC 4252, January 2006. Authentication Protocol", RFC 4252, January 2006.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
May 2008.
14.2. Informative References 14.2. Informative References
[I-D.ietf-sidr-arch] [I-D.ietf-sidr-arch]
Lepinski, M. and S. Kent, "An Infrastructure to Support Lepinski, M. and S. Kent, "An Infrastructure to Support
Secure Internet Routing", draft-ietf-sidr-arch-11 (work in Secure Internet Routing", draft-ietf-sidr-arch-12 (work in
progress), September 2010. progress), February 2011.
[I-D.ietf-sidr-repos-struct] [I-D.ietf-sidr-repos-struct]
Huston, G., Loomans, R., and G. Michaelson, "A Profile for Huston, G., Loomans, R., and G. Michaelson, "A Profile for
Resource Certificate Repository Structure", Resource Certificate Repository Structure",
draft-ietf-sidr-repos-struct-06 (work in progress), draft-ietf-sidr-repos-struct-07 (work in progress),
November 2010. February 2011.
[RFC1996] Vixie, P., "A Mechanism for Prompt Notification of Zone [RFC1996] Vixie, P., "A Mechanism for Prompt Notification of Zone
Changes (DNS NOTIFY)", RFC 1996, August 1996. Changes (DNS NOTIFY)", RFC 1996, August 1996.
[RFC5781] Weiler, S., Ward, D., and R. Housley, "The rsync URI [RFC5781] Weiler, S., Ward, D., and R. Housley, "The rsync URI
Scheme", RFC 5781, February 2010. Scheme", RFC 5781, February 2010.
Authors' Addresses Authors' Addresses
Randy Bush Randy Bush
 End of changes. 22 change blocks. 
30 lines changed or deleted 74 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/