draft-ietf-sidr-rtr-keying-11.txt   draft-ietf-sidr-rtr-keying-12.txt 
Network Working Group R. Bush Network Working Group R. Bush
Internet-Draft IIJ Lab / Dragon Research Lab Internet-Draft IIJ Lab / Dragon Research Lab
Intended status: Standards Track S. Turner Intended status: Standards Track S. Turner
Expires: December 17, 2016 IECA, Inc. Expires: December 17, 2016 IECA, Inc.
K. Patel K. Patel
Cisco Systems Cisco Systems
June 15, 2016 June 15, 2016
Router Keying for BGPsec Router Keying for BGPsec
draft-ietf-sidr-rtr-keying-11 draft-ietf-sidr-rtr-keying-12
Abstract Abstract
BGPsec-speaking routers are provisioned with private keys in order to BGPsec-speaking routers are provisioned with private keys in order to
sign BGPsec announcements. The corresponding public keys are sign BGPsec announcements. The corresponding public keys are
published in the global Resource Public Key Infrastructure, enabling published in the global Resource Public Key Infrastructure, enabling
verification of BGPsec messages. This document describes two methods verification of BGPsec messages. This document describes two methods
of generating the public-private key-pairs: router-driven and of generating the public-private key-pairs: router-driven and
operator-driven. operator-driven.
skipping to change at page 2, line 22 skipping to change at page 2, line 22
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 Table of Contents
2. Management / Router Communication . . . . . . . . . . . . . . 3
3. Exchanging Certificates . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
4. Set-Up . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Management / Router Communication . . . . . . . . . . . . . . 4
5. PKCS#10 Generation . . . . . . . . . . . . . . . . . . . . . 4 3. Exchanging Certificates . . . . . . . . . . . . . . . . . . . 4
5.1. Router-Generated Keys . . . . . . . . . . . . . . . . . . 4 4. Set-Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
5.2. Operator-Generated Keys . . . . . . . . . . . . . . . . . 5 5. PKCS#10 Generation . . . . . . . . . . . . . . . . . . . . . . 4
6. Installing Signed Keys . . . . . . . . . . . . . . . . . . . 5 5.1. Router-Generated Keys . . . . . . . . . . . . . . . . . . 5
7. Key Management . . . . . . . . . . . . . . . . . . . . . . . 6 5.2. Operator-Generated Keys . . . . . . . . . . . . . . . . . 5
7.1. Key Validity . . . . . . . . . . . . . . . . . . . . . . 7 6. Installing Signed Keys . . . . . . . . . . . . . . . . . . . . 5
7.2. Key Roll-Over . . . . . . . . . . . . . . . . . . . . . . 7 7. Key Management . . . . . . . . . . . . . . . . . . . . . . . . 7
7.3. Key Revocation . . . . . . . . . . . . . . . . . . . . . 8 7.1. Key Validity . . . . . . . . . . . . . . . . . . . . . . . 7
7.4. Router Replacement . . . . . . . . . . . . . . . . . . . 8 7.2. Key Roll-Over . . . . . . . . . . . . . . . . . . . . . . 7
8. Security Considerations . . . . . . . . . . . . . . . . . . . 9 7.3. Key Revocation . . . . . . . . . . . . . . . . . . . . . . 8
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 7.4. Router Replacement . . . . . . . . . . . . . . . . . . . . 9
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 8. Security Considerations . . . . . . . . . . . . . . . . . . . 9
10.1. Normative References . . . . . . . . . . . . . . . . . . 10 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
10.2. Informative References . . . . . . . . . . . . . . . . . 11 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
Appendix A. Management/Router Channel Security . . . . . . . . . 12 10.1. Normative References . . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 10.2. Informative References . . . . . . . . . . . . . . . . . 11
Appendix A. Management/Router Channel Security . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction 1. Introduction
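Review bot: the new column renders the "Table of Contents" heading twice (once opposite the old heading and again opposite the old "1. Introduction" entry); if the second occurrence is really in the -12 text rather than an artefact of the diff alignment, the duplicate heading should be dropped. The rest of the block is only page numbers moving by one or two pages, which is consistent with the text added to the Introduction, so nothing else in the table itself needs attention.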
BGPsec-speaking routers are provisioned with private keys, which BGPsec-speaking routers are provisioned with private keys, which
allow them to digitally sign BGPsec announcements. To verify the allow them to digitally sign BGPsec announcements. To verify the
signature, the public key, in the form of a certificate signature, the public key, in the form of a certificate [I-D.ietf-
[I-D.ietf-sidr-bgpsec-pki-profiles], is published in the Resource sidr-bgpsec-pki-profiles], is published in the Resource Public Key
Public Key Infrastructure (RPKI). This document describes Infrastructure (RPKI). This document describes provisioning of
provisioning of BGPsec-speaking routers with the appropriate public- BGPsec-speaking routers with the appropriate public- private key-
private key-pairs. There are two sub-methods, router-driven and pairs. There are two sub-methods, router-driven and operator-driven.
operator-driven.
These two sub-methods differ in where the keys are generated: on the These two sub-methods differ in where the keys are generated: on the
router in the router-driven method, and elsewhere in the operator- router in the router-driven method, and elsewhere in the operator-
driven method. Routers are required to support at least one of the driven method. Routers are required to support at least one of the
methods in order to work in various deployment environments. Some methods in order to work in various deployment environments. Some
routers may not allow the private key to be off-loaded while others routers may not allow the private key to be off-loaded while others
may. While off-loading private keys would ease swapping of routing may. While off-loading private keys would ease swapping of routing
engines, exposure of private keys is a well known security risk. engines, exposure of private keys is a well known security risk.
In the operator-driven method, the operator generates the private/ In the operator-driven method, the operator generates the private/
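Review bot: the re-wrapped sentence in the new column now reads "the appropriate public- private key- pairs" (the line ending "public- private key-" followed by "pairs."): the hyphenated compounds "public-private key-pairs" picked up a space after each hyphen when the Introduction was reflowed, and the -12 text should be restored to "public-private key-pairs". The reference anchor was also split across a line break as "[I-D.ietf-" / "sidr-bgpsec-pki-profiles]"; keeping the anchor on one line, as the old column does, avoids a reader or a tool failing to find it.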
skipping to change at page 3, line 46 skipping to change at page 3, line 49
The remainder of this document describes how operators can use the The remainder of this document describes how operators can use the
two methods to provision new and existing routers. two methods to provision new and existing routers.
Useful References: [I-D.ietf-sidr-bgpsec-overview] gives an overview Useful References: [I-D.ietf-sidr-bgpsec-overview] gives an overview
of the BGPsec protocol, [I-D.ietf-sidr-bgpsec-protocol] gives the of the BGPsec protocol, [I-D.ietf-sidr-bgpsec-protocol] gives the
gritty details, [I-D.ietf-sidr-bgpsec-pki-profiles] specifies the gritty details, [I-D.ietf-sidr-bgpsec-pki-profiles] specifies the
format for the PKCS #10 request, and [I-D.ietf-sidr-bgpsec-algs] format for the PKCS #10 request, and [I-D.ietf-sidr-bgpsec-algs]
specifies the algorithms used to generate the signature. specifies the algorithms used to generate the signature.
Useful Formats: Formats for the objects used by routers are:
Private keys see [I-D.ietf-sidr-bgpsec-algs] concerning local storage
and Section 6 concerning PKCS#8 for operator-generated keys.
Public key certificates see [I-D.ietf-sidr-bgpsec-pki-profiles]
Certificate Status Request (CSR) see [I-D.ietf-sidr-bgpsec-pki-
profiles] concerning the PKCS#10 requests and PKCS#7 responses.
2. Management / Router Communication 2. Management / Router Communication
Operators are free to use either the router-driven or operator-driven Operators are free to use either the router-driven or operator-driven
method as supported by the platform. Regardless of the method method as supported by the platform. Regardless of the method
chosen, operators first establish a secure communication channel chosen, operators first establish a secure communication channel
between the management system and the router. How this channel is between the management system and the router. How this channel is
established is router-specific and is beyond scope of this document. established is router-specific and is beyond scope of this document.
Though other configuration mechanisms might be used, e.g. NetConf Though other configuration mechanisms might be used, e.g. NetConf
(see [RFC6470]); for simplicity, in this document, the communication (see [RFC6470]); for simplicity, in this document, the communication
channel between the management platform and the router is assumed to channel between the management platform and the router is assumed to
be an SSH-protected CLI. See Appendix A for security considerations be an SSH-protected CLI. See Appendix A for security considerations
for this channel. for this channel.
3. Exchanging Certificates 3. Exchanging Certificates
The operator management station can exchange certificate requests and The operator management station can exchange certificate requests and
certificates with routers and with the RPKI CA infrastructure using certificates with routers and with the RPKI CA infrastructure using
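Review bot: in the added "Useful Formats" list the third item expands CSR as "Certificate Status Request"; for PKCS#10 requests the acronym is "Certificate Signing Request" (a Certificate Status Request is the TLS extension used for OCSP status), so the item should read "Certificate Signing Request (CSR) see [I-D.ietf-sidr-bgpsec-pki-profiles] concerning the PKCS#10 requests and PKCS#7 responses." Two smaller points in the same list: each label would read more clearly with a colon before its pointer ("Private keys: see ...", "Public key certificates: see ..."), and the first item refers to "Section 6 concerning PKCS#8 for operator-generated keys" while the table of contents lists Section 6 as "Installing Signed Keys" and Section 5.2 as "Operator-Generated Keys", so the intended target is worth confirming. The standard is also written "PKCS #10" in the preceding "Useful References" paragraph and "PKCS#10" here; one spelling should be used throughout.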
skipping to change at page 13, line 16 skipping to change at page 13, line 24
Randy Bush Randy Bush
IIJ / Dragon Research Labs IIJ / Dragon Research Labs
5147 Crystal Springs 5147 Crystal Springs
Bainbridge Island, Washington 98110 Bainbridge Island, Washington 98110
US US
Email: randy@psg.com Email: randy@psg.com
Sean Turner Sean Turner
IECA, Inc. sn3rd
3057 Nutley Street, Suite 106
Fairfax, Virginia 22031
US
Email: sean@sn3rd.com Email: sean@sn3rd.com
Keyur Patel Keyur Patel
Cisco Systems Cisco Systems
170 W. Tasman Drive 170 W. Tasman Drive
San Jose, CA 95134 San Jose, CA 95134
USA USA
Email: keyupate@cisco.com Email: keyupate@cisco.com
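Review bot: the affiliation change for Sean Turner is applied only in Authors' Addresses (IECA, Inc. and the Fairfax postal address replaced by "sn3rd"), while the first-page header in the new column still carries "IECA, Inc." on the "Expires:" line; the two should agree, so either the header needs the same update or the address block should keep IECA, Inc. Dropping the postal address is acceptable, but note that the other two authors still list full addresses.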
 End of changes. 6 change blocks. 
32 lines changed or deleted 39 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/