draft-ietf-sidr-rpki-rtr-22.txt   draft-ietf-sidr-rpki-rtr-23.txt 
Network Working Group R. Bush Network Working Group R. Bush
Internet-Draft Internet Initiative Japan Internet-Draft Internet Initiative Japan
Intended status: Standards Track R. Austein Intended status: Standards Track R. Austein
Expires: June 21, 2012 Dragon Research Labs Expires: July 12, 2012 Dragon Research Labs
December 19, 2011 January 9, 2012
The RPKI/Router Protocol The RPKI/Router Protocol
draft-ietf-sidr-rpki-rtr-22 draft-ietf-sidr-rpki-rtr-23
Abstract Abstract
In order to formally validate the origin ASs of BGP announcements, In order to formally validate the origin ASs of BGP announcements,
routers need a simple but reliable mechanism to receive RPKI routers need a simple but reliable mechanism to receive RPKI
[I-D.ietf-sidr-arch] prefix origin data from a trusted cache. This [I-D.ietf-sidr-arch] prefix origin data from a trusted cache. This
document describes a protocol to deliver validated prefix origin data document describes a protocol to deliver validated prefix origin data
to routers. to routers.
Requirements Language Requirements Language
skipping to change at page 1, line 41 skipping to change at page 1, line 41
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 21, 2012. This Internet-Draft will expire on July 12, 2012.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Deployment Structure . . . . . . . . . . . . . . . . . . . . . 4 3. Deployment Structure . . . . . . . . . . . . . . . . . . . . . 4
4. Operational Overview . . . . . . . . . . . . . . . . . . . . . 4 4. Operational Overview . . . . . . . . . . . . . . . . . . . . . 4
5. Protocol Data Units (PDUs) . . . . . . . . . . . . . . . . . . 5 5. Protocol Data Units (PDUs) . . . . . . . . . . . . . . . . . . 5
5.1. Serial Notify . . . . . . . . . . . . . . . . . . . . . . 5 5.1. Serial Notify . . . . . . . . . . . . . . . . . . . . . . 6
5.2. Serial Query . . . . . . . . . . . . . . . . . . . . . . . 6 5.2. Serial Query . . . . . . . . . . . . . . . . . . . . . . . 6
5.3. Reset Query . . . . . . . . . . . . . . . . . . . . . . . 7 5.3. Reset Query . . . . . . . . . . . . . . . . . . . . . . . 7
5.4. Cache Response . . . . . . . . . . . . . . . . . . . . . . 7 5.4. Cache Response . . . . . . . . . . . . . . . . . . . . . . 7
5.5. IPv4 Prefix . . . . . . . . . . . . . . . . . . . . . . . 8 5.5. IPv4 Prefix . . . . . . . . . . . . . . . . . . . . . . . 8
5.6. IPv6 Prefix . . . . . . . . . . . . . . . . . . . . . . . 9 5.6. IPv6 Prefix . . . . . . . . . . . . . . . . . . . . . . . 9
5.7. End of Data . . . . . . . . . . . . . . . . . . . . . . . 9 5.7. End of Data . . . . . . . . . . . . . . . . . . . . . . . 9
5.8. Cache Reset . . . . . . . . . . . . . . . . . . . . . . . 10 5.8. Cache Reset . . . . . . . . . . . . . . . . . . . . . . . 10
5.9. Error Report . . . . . . . . . . . . . . . . . . . . . . . 10 5.9. Error Report . . . . . . . . . . . . . . . . . . . . . . . 10
5.10. Fields of a PDU . . . . . . . . . . . . . . . . . . . . . 11 5.10. Fields of a PDU . . . . . . . . . . . . . . . . . . . . . 11
6. Protocol Sequences . . . . . . . . . . . . . . . . . . . . . . 13 6. Protocol Sequences . . . . . . . . . . . . . . . . . . . . . . 13
skipping to change at page 3, line 26 skipping to change at page 3, line 26
sequences are described in Section 6. The transport protocol options sequences are described in Section 6. The transport protocol options
are described in Section 7. Section 8 details how routers and caches are described in Section 7. Section 8 details how routers and caches
are configured to connect and authenticate. Section 9 describes are configured to connect and authenticate. Section 9 describes
likely deployment scenarios. The traditional security and IANA likely deployment scenarios. The traditional security and IANA
considerations end the document. considerations end the document.
The protocol is extensible to support new PDUs with new semantics The protocol is extensible to support new PDUs with new semantics
when and as needed, as indicated by deployment experience. PDUs are when and as needed, as indicated by deployment experience. PDUs are
versioned should deployment experience call for change. versioned should deployment experience call for change.
For an implementation (not inter-op) report, see
[I-D.ymbk-rpki-rtr-impl]
2. Glossary 2. Glossary
The following terms are used with special meaning: The following terms are used with special meaning:
Global RPKI: The authoritative data of the RPKI are published in a Global RPKI: The authoritative data of the RPKI are published in a
distributed set of servers at the IANA, RIRs, NIRs, and ISPs, see distributed set of servers at the IANA, RIRs, NIRs, and ISPs, see
[I-D.ietf-sidr-repos-struct]. [I-D.ietf-sidr-repos-struct].
Cache: A coalesced copy of the RPKI which is periodically fetched/ Cache: A coalesced copy of the RPKI which is periodically fetched/
refreshed directly or indirectly from the global RPKI using the refreshed directly or indirectly from the global RPKI using the
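Review bot: The sentence added at the end of the Introduction, "For an implementation (not inter-op) report, see [I-D.ymbk-rpki-rtr-impl]", has no terminating period, and "(not inter-op)" is shorthand that the surrounding text does not use. Suggest "For an implementation report (not an interoperability report), see [I-D.ymbk-rpki-rtr-impl]."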
skipping to change at page 16, line 41 skipping to change at page 16, line 41
It is expected that, when TCP-AO [RFC5925] is available on all It is expected that, when TCP-AO [RFC5925] is available on all
platforms deployed by operators, it will become the mandatory to platforms deployed by operators, it will become the mandatory to
implement transport. implement transport.
Caches and routers MUST implement unprotected transport over TCP Caches and routers MUST implement unprotected transport over TCP
using a port, rpki-rtr, to be assigned, see Section 12. Operators using a port, rpki-rtr, to be assigned, see Section 12. Operators
SHOULD use procedural means, ACLs, ... to reduce the exposure to SHOULD use procedural means, ACLs, ... to reduce the exposure to
authentication issues. authentication issues.
If TCP is the transport, then the cache and the router MUST be on the
same trusted and controlled network. Otherwise, one of the following
better protected protocols MUST be used.
If available to the operator, caches and routers SHOULD use one of If available to the operator, caches and routers SHOULD use one of
the following more protected protocols. the following more protected protocols.
Caches and routers SHOULD use TCP AO transport [RFC2385] over the Caches and routers SHOULD use TCP-AO transport [RFC5925] over the
rpki-rtr port. rpki-rtr port.
Caches and routers MAY use SSH transport [RFC4252] using using a the Caches and routers MAY use SSH transport [RFC4252] using using a the
normal SSH port. For an example, see Section 7.1. normal SSH port. For an example, see Section 7.1.
Caches and routers MAY use TCP MD5 transport [RFC2385] using the Caches and routers MAY use TCP MD5 transport [RFC2385] using the
rpki-rtr port. rpki-rtr port.
Caches and routers MAY use IPsec transport [RFC4301] using the rpki- Caches and routers MAY use IPsec transport [RFC4301] using the rpki-
rtr port. rtr port.
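Review bot: The paragraph added to Section 7 ("Otherwise, one of the following better protected protocols MUST be used.") is followed directly by the retained sentence "If available to the operator, caches and routers SHOULD use one of the following more protected protocols.", so the same list is now introduced at both MUST and SHOULD strength. Suggest dropping or rewording the retained SHOULD sentence so that only one requirement level applies, and using one term ("better protected" or "more protected") throughout. "Trusted and controlled network" is not defined in the visible text; a sentence stating what qualifies would make the MUST testable. The [RFC2385] to [RFC5925] correction on the TCP-AO line is right, but the SSH line still reads "using using a the normal SSH port" in -23 and could be fixed in the same pass.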
skipping to change at page 22, line 31 skipping to change at page 22, line 39
topologically close so that a minimum of validated routing data topologically close so that a minimum of validated routing data
are needed to bootstrap a router's access to a cache. are needed to bootstrap a router's access to a cache.
The identity of the cache server SHOULD be verified and The identity of the cache server SHOULD be verified and
authenticated by the router client, and vice versa, before any authenticated by the router client, and vice versa, before any
data are exchanged. data are exchanged.
Transports which can not provide the necessary authentication and Transports which can not provide the necessary authentication and
integrity (see Section 7) must rely on network design and integrity (see Section 7) must rely on network design and
operational controls to provide protection against spoofing/ operational controls to provide protection against spoofing/
corruption attacks. corruption attacks. As pointed out in Section 7, TCP-AO is the
long term plan. Protocols which provide integrity and
authenticity SHOULD be used, and if they can not, i.e. TCP is
used as the transport, the router and cache MUST be on the same
trusted, controlled network.
12. IANA Considerations 12. IANA Considerations
This document requests the IANA to assign 'well known' TCP Port This document requests the IANA to assign 'well known' TCP Port
Numbers to the RPKI-Router Protocol for the following, see Section 7: Numbers to the RPKI-Router Protocol for the following, see Section 7:
rpki-rtr rpki-rtr
rpki-rtr-tls rpki-rtr-tls
This document requests the IANA to create a registry for tuples of This document requests the IANA to create a registry for tuples of
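Review bot: The text added to the last Security Considerations bullet says protocols providing integrity and authenticity "SHOULD be used", while the paragraph added to Section 7 in this same revision says a better protected protocol "MUST be used" when the cache and router are not on the same trusted network. Suggest aligning the two, for example by having this bullet point to Section 7 for the normative requirement instead of restating it at a different strength. Smaller points in the new lines: "if they can not, i.e. TCP is used as the transport" reads more clearly as "if they cannot be used, i.e., unprotected TCP is the transport", and the unchanged sentence just before it still has a lowercase "must rely" next to the new upper-case MUST.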
skipping to change at page 25, line 18 skipping to change at page 25, line 18
Lepinski, M. and S. Kent, "An Infrastructure to Support Lepinski, M. and S. Kent, "An Infrastructure to Support
Secure Internet Routing", draft-ietf-sidr-arch-13 (work in Secure Internet Routing", draft-ietf-sidr-arch-13 (work in
progress), May 2011. progress), May 2011.
[I-D.ietf-sidr-repos-struct] [I-D.ietf-sidr-repos-struct]
Huston, G., Loomans, R., and G. Michaelson, "A Profile for Huston, G., Loomans, R., and G. Michaelson, "A Profile for
Resource Certificate Repository Structure", Resource Certificate Repository Structure",
draft-ietf-sidr-repos-struct-09 (work in progress), draft-ietf-sidr-repos-struct-09 (work in progress),
July 2011. July 2011.
[I-D.ymbk-rpki-rtr-impl]
Bush, R., Austein, R., Patel, K., and H. Gredler, "RPKI
Router Implementation Report", draft-ymbk-rpki-rtr-impl-00
(work in progress), January 2012.
[RFC1996] Vixie, P., "A Mechanism for Prompt Notification of Zone [RFC1996] Vixie, P., "A Mechanism for Prompt Notification of Zone
Changes (DNS NOTIFY)", RFC 1996, August 1996. Changes (DNS NOTIFY)", RFC 1996, August 1996.
[RFC4808] Bellovin, S., "Key Change Strategies for TCP-MD5", [RFC4808] Bellovin, S., "Key Change Strategies for TCP-MD5",
RFC 4808, March 2007. RFC 4808, March 2007.
[RFC5781] Weiler, S., Ward, D., and R. Housley, "The rsync URI [RFC5781] Weiler, S., Ward, D., and R. Housley, "The rsync URI
Scheme", RFC 5781, February 2010. Scheme", RFC 5781, February 2010.
Authors' Addresses Authors' Addresses
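Review bot: The new [I-D.ymbk-rpki-rtr-impl] entry is cited only from the Introduction as a pointer to an implementation report, so it belongs in the informative references; the visible context does not show which reference list this hunk falls in, so please confirm the placement. The entry cites an individual draft at version -00, which will need updating if that draft is revised before publication.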
 End of changes. 10 change blocks. 
8 lines changed or deleted 24 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/