draft-ietf-sidr-rpki-rtr-18.txt   draft-ietf-sidr-rpki-rtr-19.txt 
Network Working Group R. Bush Network Working Group R. Bush
Internet-Draft Internet Initiative Japan Internet-Draft Internet Initiative Japan
Intended status: Standards Track R. Austein Intended status: Standards Track R. Austein
Expires: April 16, 2012 Dragon Research Labs Expires: May 3, 2012 Dragon Research Labs
October 14, 2011 October 31, 2011
The RPKI/Router Protocol The RPKI/Router Protocol
draft-ietf-sidr-rpki-rtr-18 draft-ietf-sidr-rpki-rtr-19
Abstract Abstract
In order to formally validate the origin ASs of BGP announcements, In order to formally validate the origin ASs of BGP announcements,
routers need a simple but reliable mechanism to receive RPKI routers need a simple but reliable mechanism to receive RPKI
[I-D.ietf-sidr-arch] prefix origin data from a trusted cache. This [I-D.ietf-sidr-arch] prefix origin data from a trusted cache. This
document describes a protocol to deliver validated prefix origin data document describes a protocol to deliver validated prefix origin data
to routers. to routers.
Requirements Language Requirements Language
skipping to change at page 1, line 41 skipping to change at page 1, line 41
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 16, 2012. This Internet-Draft will expire on May 3, 2012.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 19 skipping to change at page 2, line 19
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Deployment Structure . . . . . . . . . . . . . . . . . . . . . 4 3. Deployment Structure . . . . . . . . . . . . . . . . . . . . . 4
4. Operational Overview . . . . . . . . . . . . . . . . . . . . . 4 4. Operational Overview . . . . . . . . . . . . . . . . . . . . . 4
5. Protocol Data Units (PDUs) . . . . . . . . . . . . . . . . . . 5 5. Protocol Data Units (PDUs) . . . . . . . . . . . . . . . . . . 5
5.1. Serial Notify . . . . . . . . . . . . . . . . . . . . . . 6 5.1. Serial Notify . . . . . . . . . . . . . . . . . . . . . . 5
5.2. Serial Query . . . . . . . . . . . . . . . . . . . . . . . 6 5.2. Serial Query . . . . . . . . . . . . . . . . . . . . . . . 6
5.3. Reset Query . . . . . . . . . . . . . . . . . . . . . . . 7 5.3. Reset Query . . . . . . . . . . . . . . . . . . . . . . . 7
5.4. Cache Response . . . . . . . . . . . . . . . . . . . . . . 7 5.4. Cache Response . . . . . . . . . . . . . . . . . . . . . . 7
5.5. IPv4 Prefix . . . . . . . . . . . . . . . . . . . . . . . 8 5.5. IPv4 Prefix . . . . . . . . . . . . . . . . . . . . . . . 8
5.6. IPv6 Prefix . . . . . . . . . . . . . . . . . . . . . . . 9 5.6. IPv6 Prefix . . . . . . . . . . . . . . . . . . . . . . . 9
5.7. End of Data . . . . . . . . . . . . . . . . . . . . . . . 9 5.7. End of Data . . . . . . . . . . . . . . . . . . . . . . . 9
5.8. Cache Reset . . . . . . . . . . . . . . . . . . . . . . . 10 5.8. Cache Reset . . . . . . . . . . . . . . . . . . . . . . . 10
5.9. Error Report . . . . . . . . . . . . . . . . . . . . . . . 10 5.9. Error Report . . . . . . . . . . . . . . . . . . . . . . . 10
5.10. Fields of a PDU . . . . . . . . . . . . . . . . . . . . . 11 5.10. Fields of a PDU . . . . . . . . . . . . . . . . . . . . . 11
6. Protocol Sequences . . . . . . . . . . . . . . . . . . . . . . 13 6. Protocol Sequences . . . . . . . . . . . . . . . . . . . . . . 13
skipping to change at page 6, line 5 skipping to change at page 5, line 41
As a cache server must evaluate certificates and ROAs which are time As a cache server must evaluate certificates and ROAs which are time
dependent, servers' clocks MUST be correct to a tolerance of dependent, servers' clocks MUST be correct to a tolerance of
approximately an hour. approximately an hour.
5. Protocol Data Units (PDUs) 5. Protocol Data Units (PDUs)
The exchanges between the cache and the router are sequences of The exchanges between the cache and the router are sequences of
exchanges of the following PDUs according to the rules described in exchanges of the following PDUs according to the rules described in
Section 6. Section 6.
Fields with unspecified content MUST be zero on transmission and MAY
be ignored on receipt.
5.1. Serial Notify 5.1. Serial Notify
The cache notifies the router that the cache has new data. The cache notifies the router that the cache has new data.
The Cache Nonce reassures the router that the serial numbers are The Cache Nonce reassures the router that the serial numbers are
commensurate, i.e. the cache session has not been changed. commensurate, i.e. the cache session has not been changed.
Serial Notify is only message that the cache can send that is not in Serial Notify is only message that the cache can send that is not in
response to a message from the router. response to a message from the router.
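Review bot: the sentence added in -19, "Fields with unspecified content MUST be zero on transmission and MAY be ignored on receipt", pins down the sender but leaves the receiver's other option undefined: an implementation that chooses not to ignore a non-zero unspecified field has no stated reaction (an Error Report with which error code, or dropping the session), so two conforming implementations can disagree on whether such a PDU is acceptable. Either say "MUST be ignored on receipt" or name the error handling explicitly, and say whether a receiver that ignores the bits may still echo them back in an Erroneous PDU field. Minor: "Serial Notify is only message that the cache can send" is missing "the".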
skipping to change at page 10, line 50 skipping to change at page 10, line 50
This PDU is used by either party to report an error to the other. This PDU is used by either party to report an error to the other.
Error reports are only sent as responses to other PDUs. Error reports are only sent as responses to other PDUs.
The Error Code is described in Section 10. The Error Code is described in Section 10.
If the error is not associated with any particular PDU, the Erroneous If the error is not associated with any particular PDU, the Erroneous
PDU field MUST be empty and the Length of Encapsulated PDU field MUST PDU field MUST be empty and the Length of Encapsulated PDU field MUST
be zero. be zero.
An Error Report PDU MUST NOT be sent for an Error Report PDU. An Error Report PDU MUST NOT be sent for an Error Report PDU. If an
erroneous Error Report PDU is received, the session SHOULD be
dropped.
If the error is associated with a PDU of excessive, or possibly If the error is associated with a PDU of excessive, or possibly
corrupt, length, the Erroneous PDU field MAY be truncated. corrupt, length, the Erroneous PDU field MAY be truncated.
The diagnostic text is optional, if not present the Length of Error The diagnostic text is optional, if not present the Length of Error
Text field SHOULD be zero. If error text is present, it SHOULD be a Text field SHOULD be zero. If error text is present, it SHOULD be a
string in US-ASCII, for maximum portability; if non-US-ASCII string in US-ASCII, for maximum portability; if non-US-ASCII
characters are absolutely required, the error text MUST use UTF-8 characters are absolutely required, the error text MUST use UTF-8
encoding. encoding.
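Review bot: "If an erroneous Error Report PDU is received, the session SHOULD be dropped" does not say what makes an Error Report PDU erroneous, and since an Error Report MUST NOT be answered with an Error Report, dropping the session is the only signal a receiver has, so the triggering conditions should be listed. The candidates are all visible in this section: a Length of Encapsulated PDU or Length of Error Text that does not fit within the outer PDU's own length, an Erroneous PDU field that is itself an Error Report, or an Error Code not in the Section 10 registry. The truncation clause, "the Erroneous PDU field MAY be truncated", should also state that the Length of Encapsulated PDU field then carries the truncated length rather than the original PDU's length; otherwise a receiver that trusts that field reads past the end of the PDU, which is exactly the length check an implementation must perform before parsing the encapsulated PDU.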
skipping to change at page 16, line 15 skipping to change at page 16, line 15
to each other. Integrity protection for payloads is also desirable to each other. Integrity protection for payloads is also desirable
to protect against monkey in the middle attacks. Unfortunately, to protect against monkey in the middle attacks. Unfortunately,
there is no protocol to do so on all currently used platforms. there is no protocol to do so on all currently used platforms.
Therefore, as of this document, there is no mandatory to implement Therefore, as of this document, there is no mandatory to implement
transport which provides authentication and integrity protection. transport which provides authentication and integrity protection.
To reduce exposure to dropped but non-terminated sessions, both To reduce exposure to dropped but non-terminated sessions, both
caches and routers SHOULD enable keep alives when available in the caches and routers SHOULD enable keep alives when available in the
chosen transport protocol. chosen transport protocol.
It is expected that, when TCP-AO [RFC5925]is available on all It is expected that, when TCP-AO [RFC2385]is available on all
platforms deployed by operators, it will become the mandatory to platforms deployed by operators, it will become the mandatory to
implement transport. implement transport.
Caches and routers MUST implement unprotected transport over TCP Caches and routers MUST implement unprotected transport over TCP
using a port, RPKI-Rtr, to be assigned, see Section 12. Operators using a port, RPKI-Rtr, to be assigned, see Section 12. Operators
SHOULD use procedural means, ACLs, ... to reduce the exposure to SHOULD use procedural means, ACLs, ... to reduce the exposure to
authentication issues. authentication issues.
If available to the operator, caches and routers SHOULD use one of If available to the operator, caches and routers SHOULD use one of
the following more protected protocols. the following more protected protocols.
Caches and routers SHOULD use TCP AO transport [RFC5925] over the Caches and routers SHOULD use TCP AO transport [RFC2385] over the
RPKI-Rtr port. RPKI-Rtr port.
Caches and routers MAY use SSH transport [RFC4252] using using a the Caches and routers MAY use SSH transport [RFC4252] using using a the
normal SSH port. For an example, see Section 7.1. normal SSH port. For an example, see Section 7.1.
Caches and routers MAY use TCP MD5 transport [RFC5925] using the Caches and routers MAY use TCP MD5 transport [RFC2385] using the
RPKI-Rtr port. RPKI-Rtr port.
Caches and routers MAY use IPsec transport [RFC4301] using the RPKI- Caches and routers MAY use IPsec transport [RFC4301] using the RPKI-
Rtr port. Rtr port.
Caches and routers MAY use TLS transport [RFC5246] using using a Caches and routers MAY use TLS transport [RFC5246] using using a
port, RPKI-Rtr TLS, to be assigned, see Section 12. port, RPKI-Rtr TLS, to be assigned, see Section 12.
7.1. SSH Transport 7.1. SSH Transport
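Review bot: the citation swap in this hunk is wrong for the TCP-AO sentences. RFC 2385 is the TCP MD5 Signature Option (the reference entry added below, Heffernan, "Protection of BGP Sessions via the TCP MD5 Signature Option", says so), while TCP-AO is RFC 5925. The -18 text had the opposite mistake, citing TCP MD5 as [RFC5925]; -19 should have changed only "Caches and routers MAY use TCP MD5 transport" to [RFC2385] and kept [RFC5925] in "It is expected that, when TCP-AO ... is available on all platforms" and in "Caches and routers SHOULD use TCP AO transport". As written, the SHOULD-level transport now cites the MD5 option that Section 7.3 itself calls problematic for key rollover. Style: "using using a the normal SSH port" and "using using a port" duplicate words.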
skipping to change at page 17, line 43 skipping to change at page 17, line 43
roll-over; any unrevoked, unexpired certificate from the proper CA roll-over; any unrevoked, unexpired certificate from the proper CA
may be used. If such certificates are used, the CN field [RFC5280] may be used. If such certificates are used, the CN field [RFC5280]
MUST be used to denote the router's identity. MUST be used to denote the router's identity.
Clients SHOULD verify the cache's certificate as well, to avoid Clients SHOULD verify the cache's certificate as well, to avoid
monkey-in-the-middle attacks. monkey-in-the-middle attacks.
7.3. TCP MD5 Transport 7.3. TCP MD5 Transport
If TCP-MD5 is used, implementations MUST support key lengths of at If TCP-MD5 is used, implementations MUST support key lengths of at
least 80 printable ASCII bytes, per section 4.5 of [RFC5925]. least 80 printable ASCII bytes, per section 4.5 of [RFC2385].
Implementations MUST also support hexadecimal sequences of at least Implementations MUST also support hexadecimal sequences of at least
32 characters, i.e., 128 bits. 32 characters, i.e., 128 bits.
Key rollover with TCP-MD5 is problematic. Cache servers SHOULD Key rollover with TCP-MD5 is problematic. Cache servers SHOULD
support [RFC4808]. support [RFC4808].
7.4. TCP-AO Transport 7.4. TCP-AO Transport
Implementations MUST support key lengths of at least 80 printable Implementations MUST support key lengths of at least 80 printable
ASCII bytes. Implementations MUST also support hexadecimal sequences ASCII bytes. Implementations MUST also support hexadecimal sequences
of at least 32 characters, i.e., 128 bits. MAC lengths of at least of at least 32 characters, i.e., 128 bits. MAC lengths of at least
96 bits MUST be supported, per section 5.3 of [RFC5925]. 96 bits MUST be supported, per section 5.3 of [RFC2385].
The cryptographic algorithms and associcated parameters described in The cryptographic algorithms and associcated parameters described in
[RFC5926] MUST be supported. [RFC5926] MUST be supported.
8. Router-Cache Set-Up 8. Router-Cache Set-Up
A cache has the public authentication data for each router it is A cache has the public authentication data for each router it is
configured to support. configured to support.
A router may be configured to peer with a selection of caches, and a A router may be configured to peer with a selection of caches, and a
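Review bot: the same mis-citation lands in Sections 7.3 and 7.4: "per section 4.5 of [RFC2385]" and "per section 5.3 of [RFC2385]" keep the section numbers that -18 cited from RFC 5925 and only change the RFC number, so they now point into the TCP MD5 Signature Option, which is not the document that states the 80-byte key-length and 96-bit MAC-length requirements. In 7.4 the TCP-AO requirement should cite [RFC5925] as -18 did, and in 7.3 either cite [RFC5925] Section 4.5 for the key-length rule the draft borrows or drop the section reference. Typo: "associcated" should be "associated".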
skipping to change at page 23, line 42 skipping to change at page 23, line 42
Austein, "BGP Prefix Origin Validation", Austein, "BGP Prefix Origin Validation",
draft-ietf-sidr-pfx-validate-02 (work in progress), draft-ietf-sidr-pfx-validate-02 (work in progress),
July 2011. July 2011.
[RFC1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982, [RFC1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982,
August 1996. August 1996.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2385] Heffernan, A., "Protection of BGP Sessions via the TCP MD5
Signature Option", RFC 2385, August 1998.
[RFC4250] Lehtinen, S. and C. Lonvick, "The Secure Shell (SSH) [RFC4250] Lehtinen, S. and C. Lonvick, "The Secure Shell (SSH)
Protocol Assigned Numbers", RFC 4250, January 2006. Protocol Assigned Numbers", RFC 4250, January 2006.
[RFC4252] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) [RFC4252] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
Authentication Protocol", RFC 4252, January 2006. Authentication Protocol", RFC 4252, January 2006.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005. Internet Protocol", RFC 4301, December 2005.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
skipping to change at page 24, line 17 skipping to change at page 24, line 20
May 2008. May 2008.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008. (TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008. (CRL) Profile", RFC 5280, May 2008.
[RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP
Authentication Option", RFC 5925, June 2010.
[RFC5926] Lebovitz, G. and E. Rescorla, "Cryptographic Algorithms [RFC5926] Lebovitz, G. and E. Rescorla, "Cryptographic Algorithms
for the TCP Authentication Option (TCP-AO)", RFC 5926, for the TCP Authentication Option (TCP-AO)", RFC 5926,
June 2010. June 2010.
14.2. Informative References 14.2. Informative References
[I-D.ietf-sidr-arch] [I-D.ietf-sidr-arch]
Lepinski, M. and S. Kent, "An Infrastructure to Support Lepinski, M. and S. Kent, "An Infrastructure to Support
Secure Internet Routing", draft-ietf-sidr-arch-13 (work in Secure Internet Routing", draft-ietf-sidr-arch-13 (work in
progress), May 2011. progress), May 2011.
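Review bot: the normative references now drop [RFC5925] entirely while keeping [RFC5926], "Cryptographic Algorithms for the TCP Authentication Option (TCP-AO)", which specifies algorithms for a protocol the draft no longer cites anywhere. Adding [RFC2385] is correct for the TCP MD5 citations, but [RFC5925] must stay in Section 14.1 as the normative reference for the TCP-AO transport required at SHOULD level in Section 7 and detailed in Section 7.4.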
 End of changes. 13 change blocks. 
14 lines changed or deleted 19 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/