draft-ietf-sidr-rpki-rtr-17.txt   draft-ietf-sidr-rpki-rtr-18.txt 
Network Working Group R. Bush Network Working Group R. Bush
Internet-Draft Internet Initiative Japan Internet-Draft Internet Initiative Japan
Intended status: Standards Track R. Austein Intended status: Standards Track R. Austein
Expires: April 4, 2012 Dragon Research Labs Expires: April 16, 2012 Dragon Research Labs
October 2, 2011 October 14, 2011
The RPKI/Router Protocol The RPKI/Router Protocol
draft-ietf-sidr-rpki-rtr-17 draft-ietf-sidr-rpki-rtr-18
Abstract Abstract
In order to formally validate the origin ASs of BGP announcements, In order to formally validate the origin ASs of BGP announcements,
routers need a simple but reliable mechanism to receive RPKI routers need a simple but reliable mechanism to receive RPKI
[I-D.ietf-sidr-arch] prefix origin data from a trusted cache. This [I-D.ietf-sidr-arch] prefix origin data from a trusted cache. This
document describes a protocol to deliver validated prefix origin data document describes a protocol to deliver validated prefix origin data
to routers. to routers.
Requirements Language Requirements Language
skipping to change at page 1, line 41 skipping to change at page 1, line 41
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 4, 2012. This Internet-Draft will expire on April 16, 2012.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 16, line 33 skipping to change at page 16, line 33
If available to the operator, caches and routers SHOULD use one of If available to the operator, caches and routers SHOULD use one of
the following more protected protocols. the following more protected protocols.
Caches and routers SHOULD use TCP AO transport [RFC5925] over the Caches and routers SHOULD use TCP AO transport [RFC5925] over the
RPKI-Rtr port. RPKI-Rtr port.
Caches and routers MAY use SSH transport [RFC4252] using using a the Caches and routers MAY use SSH transport [RFC4252] using using a the
normal SSH port. For an example, see Section 7.1. normal SSH port. For an example, see Section 7.1.
Caches and routers MAY use TCP MD5 transport [RFC2385] using the Caches and routers MAY use TCP MD5 transport [RFC5925] using the
RPKI-Rtr port. RPKI-Rtr port.
Caches and routers MAY use IPsec transport [RFC4301] using the RPKI- Caches and routers MAY use IPsec transport [RFC4301] using the RPKI-
Rtr port. Rtr port.
Caches and routers MAY use TLS transport [RFC5246] using using a Caches and routers MAY use TLS transport [RFC5246] using using a
port, RPKI-Rtr TLS, to be assigned, see Section 12. port, RPKI-Rtr TLS, to be assigned, see Section 12.
7.1. SSH Transport 7.1. SSH Transport
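Review bot: the TCP MD5 paragraph in this hunk now cites [RFC5925], but RFC 5925 is the TCP-AO specification already cited for "TCP AO transport" two paragraphs earlier; the TCP MD5 Signature Option is RFC 2385, which the left column cites and which this revision's reference list removes. Restore "[RFC2385]" in the TCP MD5 line so the MAY points at the protocol it names. The SSH and TLS lines also carry the duplicated wording "using using a the normal SSH port" and "using using a port"; these should read "using the normal SSH port" and "using a port, RPKI-Rtr TLS, to be assigned".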
skipping to change at page 17, line 43 skipping to change at page 17, line 43
roll-over; any unrevoked, unexpired certificate from the proper CA roll-over; any unrevoked, unexpired certificate from the proper CA
may be used. If such certificates are used, the CN field [RFC5280] may be used. If such certificates are used, the CN field [RFC5280]
MUST be used to denote the router's identity. MUST be used to denote the router's identity.
Clients SHOULD verify the cache's certificate as well, to avoid Clients SHOULD verify the cache's certificate as well, to avoid
monkey-in-the-middle attacks. monkey-in-the-middle attacks.
7.3. TCP MD5 Transport 7.3. TCP MD5 Transport
If TCP-MD5 is used, implementations MUST support key lengths of at If TCP-MD5 is used, implementations MUST support key lengths of at
least 80 printable ASCII bytes, per section 4.5 of [RFC2385]. least 80 printable ASCII bytes, per section 4.5 of [RFC5925].
Implementations MUST also support hexadecimal sequences of at least Implementations MUST also support hexadecimal sequences of at least
32 characters, i.e., 128 bits. 32 characters, i.e., 128 bits.
Key rollover with TCP-MD5 is problematic. Cache servers SHOULD Key rollover with TCP-MD5 is problematic. Cache servers SHOULD
support [RFC4808]. support [RFC4808].
7.4. TCP-AO Transport 7.4. TCP-AO Transport
Implementations MUST support key lengths of at least 80 printable Implementations MUST support key lengths of at least 80 printable
ASCII bytes. Implementations MUST also support hexadecimal sequences ASCII bytes. Implementations MUST also support hexadecimal sequences
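Review bot: Section 7.3 keeps the pointer "per section 4.5 of" while swapping the citation from [RFC2385] to [RFC5925], so the section number now refers into the TCP-AO document even though it was written against the TCP MD5 Signature Option; the 80-printable-ASCII-byte minimum and its section reference belong to RFC 2385. Either restore "[RFC2385]" here or drop the section pointer, otherwise a reader following the citation lands in a different specification. Note also that Section 7.4 states the same 80-byte and 32-hex-character minimums for TCP-AO without any citation, so if the intent was to ground both sections in their respective RFCs, the TCP-AO text is the one that should gain a [RFC5925] reference, not the TCP-MD5 text.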
skipping to change at page 23, line 42 skipping to change at page 23, line 42
Austein, "BGP Prefix Origin Validation", Austein, "BGP Prefix Origin Validation",
draft-ietf-sidr-pfx-validate-02 (work in progress), draft-ietf-sidr-pfx-validate-02 (work in progress),
July 2011. July 2011.
[RFC1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982, [RFC1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982,
August 1996. August 1996.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2385] Heffernan, A., "Protection of BGP Sessions via the TCP MD5
Signature Option", RFC 2385, August 1998.
[RFC4250] Lehtinen, S. and C. Lonvick, "The Secure Shell (SSH) [RFC4250] Lehtinen, S. and C. Lonvick, "The Secure Shell (SSH)
Protocol Assigned Numbers", RFC 4250, January 2006. Protocol Assigned Numbers", RFC 4250, January 2006.
[RFC4252] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) [RFC4252] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
Authentication Protocol", RFC 4252, January 2006. Authentication Protocol", RFC 4252, January 2006.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005. Internet Protocol", RFC 4301, December 2005.
[RFC4808] Bellovin, S., "Key Change Strategies for TCP-MD5",
RFC 4808, March 2007.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226, IANA Considerations Section in RFCs", BCP 26, RFC 5226,
May 2008. May 2008.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008. (TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
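Review bot: this hunk deletes the [RFC2385] normative entry outright, leaving Sections 7 and 7.3 with no reference at all for TCP MD5 even though both still name the transport and 7.3 still carries a MUST on key length derived from it; keep the entry "[RFC2385] Heffernan, A., 'Protection of BGP Sessions via the TCP MD5 Signature Option', RFC 2385, August 1998." in the normative list. Moving [RFC4808] out of the normative list (it reappears in the informative references in the next hunk) is defensible since it only backs the SHOULD on cache-server key rollover in 7.3, but the change log should say so explicitly, since the two removals read as one accidental edit.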
skipping to change at page 24, line 46 skipping to change at page 24, line 40
[I-D.ietf-sidr-repos-struct] [I-D.ietf-sidr-repos-struct]
Huston, G., Loomans, R., and G. Michaelson, "A Profile for Huston, G., Loomans, R., and G. Michaelson, "A Profile for
Resource Certificate Repository Structure", Resource Certificate Repository Structure",
draft-ietf-sidr-repos-struct-09 (work in progress), draft-ietf-sidr-repos-struct-09 (work in progress),
July 2011. July 2011.
[RFC1996] Vixie, P., "A Mechanism for Prompt Notification of Zone [RFC1996] Vixie, P., "A Mechanism for Prompt Notification of Zone
Changes (DNS NOTIFY)", RFC 1996, August 1996. Changes (DNS NOTIFY)", RFC 1996, August 1996.
[RFC4808] Bellovin, S., "Key Change Strategies for TCP-MD5",
RFC 4808, March 2007.
[RFC5781] Weiler, S., Ward, D., and R. Housley, "The rsync URI [RFC5781] Weiler, S., Ward, D., and R. Housley, "The rsync URI
Scheme", RFC 5781, February 2010. Scheme", RFC 5781, February 2010.
Authors' Addresses Authors' Addresses
Randy Bush Randy Bush
Internet Initiative Japan Internet Initiative Japan
5147 Crystal Springs 5147 Crystal Springs
Bainbridge Island, Washington 98110 Bainbridge Island, Washington 98110
US US
 End of changes. 8 change blocks. 
12 lines changed or deleted 9 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/