draft-ietf-sidrops-rp-05.txt   draft-ietf-sidrops-rp-06.txt 
SIDROPS D. Ma SIDROPS D. Ma
Internet-Draft ZDNS Internet-Draft ZDNS
Intended status: Informational S. Kent Intended status: Informational S. Kent
Expires: October 19, 2019 Independent Expires: April 9, 2020 Independent
April 17, 2019 October 7, 2019
Requirements for Resource Public Key Infrastructure (RPKI) Relying Requirements for Resource Public Key Infrastructure (RPKI) Relying
Parties Parties
draft-ietf-sidrops-rp-05 draft-ietf-sidrops-rp-06
Abstract Abstract
This document provides a single reference point for requirements for This document provides a single reference point for requirements for
Relying Party (RP) software for use in the Resource Public Key Relying Party (RP) software for use in the Resource Public Key
Infrastructure (RPKI) in the context of securing Internet routing. Infrastructure (RPKI) in the context of securing Internet routing.
It cites requirements that appear in several RPKI RFCs, making it It cites requirements that appear in several RPKI RFCs, making it
easier for implementers to become aware of these requirements that easier for implementers to become aware of these requirements that
are segmented with orthogonal functionalities. are segmented with orthogonal functionalities.
skipping to change at page 1, line 37 skipping to change at page 1, line 37
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 19, 2019. This Internet-Draft will expire on April 9, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 22 skipping to change at page 3, line 22
RFC 6486 (Manifests) RFC 6486 (Manifests)
RFC 6487 (Certificate and CRL profile) RFC 6487 (Certificate and CRL profile)
RFC 6488 (RPKI Signed Objects) RFC 6488 (RPKI Signed Objects)
RFC 6489 (Key Rollover) RFC 6489 (Key Rollover)
RFC 6810 (RPKI to Router Protocol) RFC 6810 (RPKI to Router Protocol)
RFC 6916 (Algorithm Agility) RFC 6916 (Algorithm Agility)
RFC 7935 (Algorithms) RFC 7935 (Algorithms)
RFC 8209 (Router Certificates) RFC 8209 (Router Certificates)
RFC 8210 (RPKI to Router Protocol,Version 1) RFC 8210 (RPKI to Router Protocol,Version 1)
RFC 8360 (Certificate Validation Procedure) RFC 8360 (Certificate Validation Procedure)
I-D.ietf-sidrops-https-tal (Trust Anchor Locator) RFC 8630 (Trust Anchor Locator)
This makes it hard for an implementer to be confident that he/she has This makes it hard for an implementer to be confident that he/she has
addressed all of these generalized requirements. Besides, software addressed all of these generalized requirements. Besides, software
engineering calls for how to segment the RP system into components engineering calls for how to segment the RP system into components
with orthogonal functionalities, so that those components could be with orthogonal functionalities, so that those components could be
distributed across the operational timeline of the user. Taxonomy of distributed across the operational timeline of the user. Taxonomy of
generalized RP requirements is going to help have 'the role of the generalized RP requirements is going to help have 'the role of the
RP' well framed. RP' well framed.
To consolidate RP requirements in one document, with pointers to all To consolidate RP requirements in one document, with pointers to all
skipping to change at page 4, line 18 skipping to change at page 4, line 18
In the RPKI, each RP chooses its own set of trust anchors (TAs). In the RPKI, each RP chooses its own set of trust anchors (TAs).
Consistent with the extant INR allocation hierarchy, the IANA and/or Consistent with the extant INR allocation hierarchy, the IANA and/or
the five RIRs are obvious candidates to be default TAs for the RP. the five RIRs are obvious candidates to be default TAs for the RP.
An RP does not retrieve TAs directly. A set of Trust Anchor Locators An RP does not retrieve TAs directly. A set of Trust Anchor Locators
(TALs) is used by each RP to retrieve and verify the authenticity of (TALs) is used by each RP to retrieve and verify the authenticity of
each TA. each TA.
TAL acquisition and processing are specified in Section 3 of TAL acquisition and processing are specified in Section 3 of
[I-D.ietf-sidrops-https-tal]. [RFC8630].
2.2. Locating RPKI Objects Using Authority and Subject Information 2.2. Locating RPKI Objects Using Authority and Subject Information
Extensions Extensions
The RPKI repository system is a distributed one, consisting of The RPKI repository system is a distributed one, consisting of
multiple repository instances. Each repository instance contains one multiple repository instances. Each repository instance contains one
or more repository publication points. An RP discovers publication or more repository publication points. An RP discovers publication
points using the Subject Information Access (SIA) and the Authority points using the Subject Information Access (SIA) and the Authority
Information Access (AIA) extensions from (validated) certificates. Information Access (AIA) extensions from (validated) certificates.
skipping to change at page 4, line 40 skipping to change at page 4, line 40
by using the SIA and AIA extensions. Detailed specifications of SIA by using the SIA and AIA extensions. Detailed specifications of SIA
and AIA extensions in a resource certificate are described in and AIA extensions in a resource certificate are described in
Section 4 of [RFC6487]. Section 4 of [RFC6487].
2.3. Dealing with Key Rollover 2.3. Dealing with Key Rollover
An RP takes the key rollover period into account with regard to its An RP takes the key rollover period into account with regard to its
frequency of synchronization with RPKI repository system. frequency of synchronization with RPKI repository system.
RP requirements in dealing with key rollover are described in RP requirements in dealing with key rollover are described in
Section 3 of [RFC6489] and Section 3 of Section 3 of [RFC6489] and Section 3 of [RFC8634].
[I-D.ietf-sidrops-bgpsec-rollover].
2.4. Dealing with Algorithm Transition 2.4. Dealing with Algorithm Transition
The set of cryptographic algorithms used with the RPKI is expected to The set of cryptographic algorithms used with the RPKI is expected to
change over time. Each RP is expected to be aware of the milestones change over time. Each RP is expected to be aware of the milestones
established for the algorithm transition and what actions are established for the algorithm transition and what actions are
required at every juncture. required at every juncture.
RP requirements for dealing with algorithm transition are specified RP requirements for dealing with algorithm transition are specified
in Section 4 of [RFC6916]. in Section 4 of [RFC6916].
skipping to change at page 9, line 30 skipping to change at page 9, line 30
9. Acknowledgements 9. Acknowledgements
The authors thank David Mandelberg, Wei Wang, Tim Bruijnzeels, George The authors thank David Mandelberg, Wei Wang, Tim Bruijnzeels, George
Michaelson and Oleg Muravskiy for their review, feedback and Michaelson and Oleg Muravskiy for their review, feedback and
editorial assistance in preparing this document. editorial assistance in preparing this document.
10. References 10. References
10.1. Normative References 10.1. Normative References
[I-D.ietf-sidrops-https-tal]
Huston, G., Weiler, S., Michaelson, G., Kent, S., and T.
Bruijnzeels, "Resource Public Key Infrastructure (RPKI)
Trust Anchor Locator", draft-ietf-sidrops-https-tal-07
(work in progress), March 2019.
[RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
Addresses and AS Identifiers", RFC 3779, Addresses and AS Identifiers", RFC 3779,
DOI 10.17487/RFC3779, June 2004, DOI 10.17487/RFC3779, June 2004,
<https://www.rfc-editor.org/info/rfc3779>. <https://www.rfc-editor.org/info/rfc3779>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<https://www.rfc-editor.org/info/rfc5280>. <https://www.rfc-editor.org/info/rfc5280>.
skipping to change at page 11, line 16 skipping to change at page 11, line 11
Infrastructure (RPKI) to Router Protocol, Version 1", Infrastructure (RPKI) to Router Protocol, Version 1",
RFC 8210, DOI 10.17487/RFC8210, September 2017, RFC 8210, DOI 10.17487/RFC8210, September 2017,
<https://www.rfc-editor.org/info/rfc8210>. <https://www.rfc-editor.org/info/rfc8210>.
[RFC8360] Huston, G., Michaelson, G., Martinez, C., Bruijnzeels, T., [RFC8360] Huston, G., Michaelson, G., Martinez, C., Bruijnzeels, T.,
Newton, A., and D. Shaw, "Resource Public Key Newton, A., and D. Shaw, "Resource Public Key
Infrastructure (RPKI) Validation Reconsidered", RFC 8360, Infrastructure (RPKI) Validation Reconsidered", RFC 8360,
DOI 10.17487/RFC8360, April 2018, DOI 10.17487/RFC8360, April 2018,
<https://www.rfc-editor.org/info/rfc8360>. <https://www.rfc-editor.org/info/rfc8360>.
10.2. Informative References [RFC8630] Huston, G., Weiler, S., Michaelson, G., Kent, S., and T.
Bruijnzeels, "Resource Public Key Infrastructure (RPKI)
Trust Anchor Locator", RFC 8630, DOI 10.17487/RFC8630,
August 2019, <https://www.rfc-editor.org/info/rfc8630>.
[I-D.ietf-sidrops-bgpsec-rollover] 10.2. Informative References
Weis, B., Gagliano, R., and K. Patel, "BGPsec Router
Certificate Rollover", draft-ietf-sidrops-bgpsec-
rollover-04 (work in progress), December 2017.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,
December 2005, <https://www.rfc-editor.org/info/rfc4301>. December 2005, <https://www.rfc-editor.org/info/rfc4301>.
[RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support [RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support
Secure Internet Routing", RFC 6480, DOI 10.17487/RFC6480, Secure Internet Routing", RFC 6480, DOI 10.17487/RFC6480,
February 2012, <https://www.rfc-editor.org/info/rfc6480>. February 2012, <https://www.rfc-editor.org/info/rfc6480>.
[RFC6489] Huston, G., Michaelson, G., and S. Kent, "Certification [RFC6489] Huston, G., Michaelson, G., and S. Kent, "Certification
skipping to change at page 12, line 10 skipping to change at page 12, line 5
Authority (CA) or Repository Manager in the Resource Authority (CA) or Repository Manager in the Resource
Public Key Infrastructure (RPKI)", RFC 8211, Public Key Infrastructure (RPKI)", RFC 8211,
DOI 10.17487/RFC8211, September 2017, DOI 10.17487/RFC8211, September 2017,
<https://www.rfc-editor.org/info/rfc8211>. <https://www.rfc-editor.org/info/rfc8211>.
[RFC8416] Ma, D., Mandelberg, D., and T. Bruijnzeels, "Simplified [RFC8416] Ma, D., Mandelberg, D., and T. Bruijnzeels, "Simplified
Local Internet Number Resource Management with the RPKI Local Internet Number Resource Management with the RPKI
(SLURM)", RFC 8416, DOI 10.17487/RFC8416, August 2018, (SLURM)", RFC 8416, DOI 10.17487/RFC8416, August 2018,
<https://www.rfc-editor.org/info/rfc8416>. <https://www.rfc-editor.org/info/rfc8416>.
[RFC8634] Weis, B., Gagliano, R., and K. Patel, "BGPsec Router
Certificate Rollover", BCP 224, RFC 8634,
DOI 10.17487/RFC8634, August 2019,
<https://www.rfc-editor.org/info/rfc8634>.
[rsync] "rsync web page", <http://rsync.samba.org/>. [rsync] "rsync web page", <http://rsync.samba.org/>.
Authors' Addresses Authors' Addresses
Di Ma Di Ma
ZDNS ZDNS
4 South 4th St. Zhongguancun 4 South 4th St. Zhongguancun
Haidian, Beijing 100190 Haidian, Beijing 100190
China China
 End of changes. 10 change blocks. 
19 lines changed or deleted 17 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/