draft-ietf-sidrops-rp-04.txt   draft-ietf-sidrops-rp-05.txt 
SIDROPS D. Ma SIDROPS D. Ma
Internet-Draft ZDNS Internet-Draft ZDNS
Intended status: Informational S. Kent Intended status: Informational S. Kent
Expires: October 19, 2019 Independent Expires: October 19, 2019 Independent
April 17, 2019 April 17, 2019
Requirements for Resource Public Key Infrastructure (RPKI) Relying Requirements for Resource Public Key Infrastructure (RPKI) Relying
Parties Parties
draft-ietf-sidrops-rp-04 draft-ietf-sidrops-rp-05
Abstract Abstract
This document provides a single reference point for requirements for This document provides a single reference point for requirements for
Relying Party (RP) software for use in the Resource Public Key Relying Party (RP) software for use in the Resource Public Key
Infrastructure (RPKI) in the context of securing Internet routing. Infrastructure (RPKI) in the context of securing Internet routing.
It cites requirements that appear in several RPKI RFCs, making it It cites requirements that appear in several RPKI RFCs, making it
easier for implementers to become aware of these requirements that easier for implementers to become aware of these requirements that
are segmented with orthogonal functionalities. are segmented with orthogonal functionalities.
skipping to change at page 2, line 32 skipping to change at page 2, line 32
4. Processing RPKI Repository Signed Objects . . . . . . . . . . 6 4. Processing RPKI Repository Signed Objects . . . . . . . . . . 6
4.1. Basic Signed Object Syntax Checks . . . . . . . . . . . . 6 4.1. Basic Signed Object Syntax Checks . . . . . . . . . . . . 6
4.2. Syntax and Validation for Each Type of Signed Object . . 6 4.2. Syntax and Validation for Each Type of Signed Object . . 6
4.2.1. Manifest . . . . . . . . . . . . . . . . . . . . . . 6 4.2.1. Manifest . . . . . . . . . . . . . . . . . . . . . . 6
4.2.2. ROA . . . . . . . . . . . . . . . . . . . . . . . . . 7 4.2.2. ROA . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.2.3. Ghostbusters . . . . . . . . . . . . . . . . . . . . 7 4.2.3. Ghostbusters . . . . . . . . . . . . . . . . . . . . 7
4.2.4. Verifying BGPsec Router Certificate . . . . . . . . . 7 4.2.4. Verifying BGPsec Router Certificate . . . . . . . . . 7
4.3. How to Make Use of Manifest Data . . . . . . . . . . . . 7 4.3. How to Make Use of Manifest Data . . . . . . . . . . . . 7
4.4. What to Do with Ghostbusters Information . . . . . . . . 8 4.4. What to Do with Ghostbusters Information . . . . . . . . 8
5. Distributing Validated Cache . . . . . . . . . . . . . . . . 8 5. Distributing Validated Cache . . . . . . . . . . . . . . . . 8
6. Security Considerations . . . . . . . . . . . . . . . . . . . 8 6. Local Control . . . . . . . . . . . . . . . . . . . . . . . . 8
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 7. Security Considerations . . . . . . . . . . . . . . . . . . . 9
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9
9.1. Normative References . . . . . . . . . . . . . . . . . . 9 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
9.2. Informative References . . . . . . . . . . . . . . . . . 11 10.1. Normative References . . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 10.2. Informative References . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction 1. Introduction
The RPKI Relying Party (RP) software is used by network operators and The RPKI Relying Party (RP) software is used by network operators and
others to acquire and verify Internet Number Resource (INR) data others to acquire and verify Internet Number Resource (INR) data
stored in the RPKI repository system. RPKI data, when verified, stored in the RPKI repository system. RPKI data, when verified,
allow an RP to verify assertions about which Autonomous Systems allow an RP to verify assertions about which Autonomous Systems
(ASes) are authorized to originate routes for IP address prefixes. (ASes) are authorized to originate routes for IP address prefixes.
RPKI data also establishes binding between public keys and BGP RPKI data also establishes binding between public keys and BGP
routers, and indicates the AS numbers that each router is authorized routers, and indicates the AS numbers that each router is authorized
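Review bot: The -05 Table of Contents inserts "6. Local Control" and renumbers Security Considerations, IANA Considerations, Acknowledgements and References (6-9 become 7-10, 9.1/9.2 become 10.1/10.2), which matches the body headings later in the diff, but the Abstract and Introduction still describe the document purely as a collection of requirements cited from RPKI RFCs; since the new Section 6 describes an optional local-override capability ("ISPs may want ...", "its RP system can follow ...") rather than a requirement, consider adding one sentence to the Abstract or Introduction saying that the document also covers local control of RPKI data (SLURM), so the scope statement matches the new table of contents.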
skipping to change at page 8, line 40 skipping to change at page 8, line 40
On a periodic basis, BGP speakers within an AS request updated On a periodic basis, BGP speakers within an AS request updated
validated origin AS data and router/ASN data from the validated cache validated origin AS data and router/ASN data from the validated cache
of RPKI data. The RP may either transfer the validated data to the of RPKI data. The RP may either transfer the validated data to the
BGP speakers directly, or it may transfer the validated data to a BGP speakers directly, or it may transfer the validated data to a
cache server that is responsible for provisioning such data to BGP cache server that is responsible for provisioning such data to BGP
speakers. The specification of the protocol designed to deliver speakers. The specification of the protocol designed to deliver
validated cache data to a BGP Speaker is provided in [RFC6810] and validated cache data to a BGP Speaker is provided in [RFC6810] and
[RFC8210]. [RFC8210].
6. Security Considerations 6. Local Control
ISPs may want to establish a local view of exceptions to the RPKI
data in the form of local filters and additions. For instance, a
network operator might wish to make use of a local override
capability to protect routes from adverse actions [RFC8211] . The
mechanisms developed to provide this capability to network operators
are called "Simplified Local Internet Number Resource Management with
the RPKI (SLURM). If an ISP wants to implement SLURM, its RP system
can follow the instruction specified in [RFC8416] .
7. Security Considerations
The RP links the RPKI provisioning side and the routing system, The RP links the RPKI provisioning side and the routing system,
establishing the local view of global RPKI data to BGP speakers. The establishing the local view of global RPKI data to BGP speakers. The
security of the RP is critical to BGP messages exchanging. The RP security of the RP is critical to BGP messages exchanging. The RP
implementation is expected to offer cache backup management to implementation is expected to offer cache backup management to
facilitate recovery from outage state. The RP implementation also facilitate recovery from outage state. The RP implementation also
should support application of secure transport (e.g., IPsec should support application of secure transport (e.g., IPsec
[RFC4301]) that is able to protect validated cache delivery in a [RFC4301]) that is able to protect validated cache delivery in a
unsafe environment. unsafe environment.
7. IANA Considerations 8. IANA Considerations
This document has no actions for IANA. This document has no actions for IANA.
8. Acknowledgements 9. Acknowledgements
The authors thank David Mandelberg, Wei Wang, Tim Bruijnzeels, George The authors thank David Mandelberg, Wei Wang, Tim Bruijnzeels, George
Michaelson and Oleg Muravskiy for their review, feedback and Michaelson and Oleg Muravskiy for their review, feedback and
editorial assistance in preparing this document. editorial assistance in preparing this document.
9. References 10. References
9.1. Normative References 10.1. Normative References
[I-D.ietf-sidrops-https-tal] [I-D.ietf-sidrops-https-tal]
Huston, G., Weiler, S., Michaelson, G., Kent, S., and T. Huston, G., Weiler, S., Michaelson, G., Kent, S., and T.
Bruijnzeels, "Resource Public Key Infrastructure (RPKI) Bruijnzeels, "Resource Public Key Infrastructure (RPKI)
Trust Anchor Locator", draft-ietf-sidrops-https-tal-07 Trust Anchor Locator", draft-ietf-sidrops-https-tal-07
(work in progress), March 2019. (work in progress), March 2019.
[RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
Addresses and AS Identifiers", RFC 3779, Addresses and AS Identifiers", RFC 3779,
DOI 10.17487/RFC3779, June 2004, DOI 10.17487/RFC3779, June 2004,
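Review bot: The new Section 6 (Local Control) has an unclosed quotation mark: the text opens a quote before "Simplified Local Internet Number Resource Management with" and never closes it; suggest "Simplified Local Internet Number Resource Management with the RPKI" (SLURM). In the same paragraph, "can follow the instruction specified in [RFC8416]" should read "the instructions specified in [RFC8416]", and there is a stray space before the period after both "[RFC8211] ." and "[RFC8416] .". The section also switches between "ISPs"/"ISP" and "network operator" within three sentences, while the Introduction and Section 5 use "network operators" and "the RP"; one term throughout would be clearer. Finally, the section does not say at which point the local filters and additions take effect; a clause stating that the RP applies them to the validated cache before that cache is distributed to BGP speakers (Section 5) would tie the new section to the rest of the document.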
skipping to change at page 11, line 5 skipping to change at page 11, line 16
Infrastructure (RPKI) to Router Protocol, Version 1", Infrastructure (RPKI) to Router Protocol, Version 1",
RFC 8210, DOI 10.17487/RFC8210, September 2017, RFC 8210, DOI 10.17487/RFC8210, September 2017,
<https://www.rfc-editor.org/info/rfc8210>. <https://www.rfc-editor.org/info/rfc8210>.
[RFC8360] Huston, G., Michaelson, G., Martinez, C., Bruijnzeels, T., [RFC8360] Huston, G., Michaelson, G., Martinez, C., Bruijnzeels, T.,
Newton, A., and D. Shaw, "Resource Public Key Newton, A., and D. Shaw, "Resource Public Key
Infrastructure (RPKI) Validation Reconsidered", RFC 8360, Infrastructure (RPKI) Validation Reconsidered", RFC 8360,
DOI 10.17487/RFC8360, April 2018, DOI 10.17487/RFC8360, April 2018,
<https://www.rfc-editor.org/info/rfc8360>. <https://www.rfc-editor.org/info/rfc8360>.
9.2. Informative References 10.2. Informative References
[I-D.ietf-sidrops-bgpsec-rollover] [I-D.ietf-sidrops-bgpsec-rollover]
Weis, B., Gagliano, R., and K. Patel, "BGPsec Router Weis, B., Gagliano, R., and K. Patel, "BGPsec Router
Certificate Rollover", draft-ietf-sidrops-bgpsec- Certificate Rollover", draft-ietf-sidrops-bgpsec-
rollover-04 (work in progress), December 2017. rollover-04 (work in progress), December 2017.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,
December 2005, <https://www.rfc-editor.org/info/rfc4301>. December 2005, <https://www.rfc-editor.org/info/rfc4301>.
skipping to change at page 11, line 36 skipping to change at page 11, line 47
[RFC6916] Gagliano, R., Kent, S., and S. Turner, "Algorithm Agility [RFC6916] Gagliano, R., Kent, S., and S. Turner, "Algorithm Agility
Procedure for the Resource Public Key Infrastructure Procedure for the Resource Public Key Infrastructure
(RPKI)", BCP 182, RFC 6916, DOI 10.17487/RFC6916, April (RPKI)", BCP 182, RFC 6916, DOI 10.17487/RFC6916, April
2013, <https://www.rfc-editor.org/info/rfc6916>. 2013, <https://www.rfc-editor.org/info/rfc6916>.
[RFC8182] Bruijnzeels, T., Muravskiy, O., Weber, B., and R. Austein, [RFC8182] Bruijnzeels, T., Muravskiy, O., Weber, B., and R. Austein,
"The RPKI Repository Delta Protocol (RRDP)", RFC 8182, "The RPKI Repository Delta Protocol (RRDP)", RFC 8182,
DOI 10.17487/RFC8182, July 2017, DOI 10.17487/RFC8182, July 2017,
<https://www.rfc-editor.org/info/rfc8182>. <https://www.rfc-editor.org/info/rfc8182>.
[RFC8211] Kent, S. and D. Ma, "Adverse Actions by a Certification
Authority (CA) or Repository Manager in the Resource
Public Key Infrastructure (RPKI)", RFC 8211,
DOI 10.17487/RFC8211, September 2017,
<https://www.rfc-editor.org/info/rfc8211>.
[RFC8416] Ma, D., Mandelberg, D., and T. Bruijnzeels, "Simplified
Local Internet Number Resource Management with the RPKI
(SLURM)", RFC 8416, DOI 10.17487/RFC8416, August 2018,
<https://www.rfc-editor.org/info/rfc8416>.
[rsync] "rsync web page", <http://rsync.samba.org/>. [rsync] "rsync web page", <http://rsync.samba.org/>.
Authors' Addresses Authors' Addresses
Di Ma Di Ma
ZDNS ZDNS
4 South 4th St. Zhongguancun 4 South 4th St. Zhongguancun
Haidian, Beijing 100190 Haidian, Beijing 100190
China China
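Review bot: The two new entries [RFC8211] and [RFC8416] are added under 10.2 Informative References, yet Section 6 directs an RP that implements SLURM to follow the instructions specified in [RFC8416]; if SLURM support is intended as something an RP implementation must conform to, [RFC8416] belongs under 10.1 Normative References alongside [RFC8210], which Section 5 cites in the same way for cache delivery. [RFC8211] is cited only as motivation for local override and is correctly informative. Both new entries are in the document's existing reference format and in the right alphabetical position before [rsync], and the updated "skipping to change" page/line offsets in the right column are consistent with the added lines.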
 End of changes. 9 change blocks. 
14 lines changed or deleted 37 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/