| draft-ietf-sidr-rpki-oob-setup-01.txt | draft-ietf-sidr-rpki-oob-setup-02.txt | |||
|---|---|---|---|---|
| Network Working Group R. Austein | Network Working Group R. Austein | |||
| Internet-Draft Dragon Research Labs | Internet-Draft Dragon Research Labs | |||
| Intended status: Standards Track July 2, 2014 | Intended status: Standards Track October 16, 2015 | |||
| Expires: January 3, 2015 | Expires: April 18, 2016 | |||
| An Out-Of-Band Setup Protocol For RPKI Production Services | An Out-Of-Band Setup Protocol For RPKI Production Services | |||
| draft-ietf-sidr-rpki-oob-setup-01 | draft-ietf-sidr-rpki-oob-setup-02 | |||
| Abstract | Abstract | |||
| This note describes a simple out-of-band protocol to ease setup of | This note describes a simple out-of-band protocol to ease setup of | |||
| the RPKI provisioning and publication protocols between two parties. | the RPKI provisioning and publication protocols between two parties. | |||
| The protocol is encoded in a small number of XML messages, which can | The protocol is encoded in a small number of XML messages, which can | |||
| be passed back and forth by any mutually agreeable secure means. | be passed back and forth by any mutually agreeable secure means. | |||
| This setup protocol is not part of the provisioning or publication | This setup protocol is not part of the provisioning or publication | |||
| protocol, rather, it is intended to simplify configuration of these | protocol, rather, it is intended to simplify configuration of these | |||
| skipping to change at page 1, line 38 | skipping to change at page 1, line 38 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 3, 2015. | This Internet-Draft will expire on April 18, 2016. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 2, line 28 | skipping to change at page 2, line 28 | |||
| 3.3.2. <parent_response/> . . . . . . . . . . . . . . . . . 6 | 3.3.2. <parent_response/> . . . . . . . . . . . . . . . . . 6 | |||
| 3.3.3. <publisher_request/> . . . . . . . . . . . . . . . . 8 | 3.3.3. <publisher_request/> . . . . . . . . . . . . . . . . 8 | |||
| 3.3.4. <repository_response/> . . . . . . . . . . . . . . . 9 | 3.3.4. <repository_response/> . . . . . . . . . . . . . . . 9 | |||
| 3.4. <authorization/> . . . . . . . . . . . . . . . . . . . . 10 | 3.4. <authorization/> . . . . . . . . . . . . . . . . . . . . 10 | |||
| 3.5. <error/> . . . . . . . . . . . . . . . . . . . . . . . . 11 | 3.5. <error/> . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 4. Protocol Walk-Through . . . . . . . . . . . . . . . . . . . . 12 | 4. Protocol Walk-Through . . . . . . . . . . . . . . . . . . . . 12 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 17 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 17 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 17 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 17 | |||
| 8. Normative References . . . . . . . . . . . . . . . . . . . . 17 | 8. Normative References . . . . . . . . . . . . . . . . . . . . 17 | |||
| Appendix A. RelaxNG Schema . . . . . . . . . . . . . . . . . . . 17 | Appendix A. RelaxNG Schema . . . . . . . . . . . . . . . . . . . 18 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 19 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 1. Introduction | 1. Introduction | |||
| This note describes a small XML-based out-of-band protocol used to | This note describes a small XML-based out-of-band protocol used to | |||
| set up relationships between parents and children in the RPKI | set up relationships between parents and children in the RPKI | |||
| provisioning protocol ([RFC6492]) and between publishers and | provisioning protocol ([RFC6492]) and between publishers and | |||
| repositories in the RPKI publication protocol | repositories in the RPKI publication protocol | |||
| ([I-D.ietf-sidr-publication]). | ([I-D.ietf-sidr-publication]). | |||
| skipping to change at page 4, line 37 | skipping to change at page 4, line 37 | |||
| Issuer: CN = Alice CA | Issuer: CN = Alice CA | |||
| Subject: CN = Alice EE | Subject: CN = Alice EE | |||
| Public Key: [Alice EE Public Key] | Public Key: [Alice EE Public Key] | |||
| [[Need some text detailing required and allowed values in the | [[Need some text detailing required and allowed values in the | |||
| certificates: 2048-bit RSA, what extensions, .... But once we go | certificates: 2048-bit RSA, what extensions, .... But once we go | |||
| there we also have to provide a path for algorithm agility.]] | there we also have to provide a path for algorithm agility.]] | |||
| 3. Protocol Elements | 3. Protocol Elements | |||
| Each message in the protocol is a distinct XML element in the "http:/ | Each message in the protocol is a distinct XML element in the | |||
| /www.hactrn.net/uris/rpki/rpki-setup/" XML namespace. | "http://www.hactrn.net/uris/rpki/rpki-setup/" XML namespace. | |||
| 3.1. Nomenclature | 3.1. Nomenclature | |||
| All of the protocols configured by this setup protocol have their own | All of the protocols configured by this setup protocol have their own | |||
| terminology for their actors, but in the context of this protocol | terminology for their actors, but in the context of this protocol | |||
| that terminology becomes somewhat confusing. All of the players in | that terminology becomes somewhat confusing. All of the players in | |||
| this setup protocol issue certificates, are the subjects of other | this setup protocol issue certificates, are the subjects of other | |||
| certificates, operate servers, and, in most cases, act as clients for | certificates, operate servers, and, in most cases, act as clients for | |||
| one protocol or another. Therefore, this note uses its own terms for | one protocol or another. Therefore, this note uses its own terms for | |||
| the actors in this protocol. | the actors in this protocol. | |||
| skipping to change at page 9, line 47 | skipping to change at page 9, line 47 | |||
| ([I-D.ietf-sidr-publication]). | ([I-D.ietf-sidr-publication]). | |||
| publisher_handle: The publisher_handle attribute is the repository's | publisher_handle: The publisher_handle attribute is the repository's | |||
| name for the publisher. This may or may not match the | name for the publisher. This may or may not match the | |||
| publisher_handle attribute in the publisher's <publisher_request/> | publisher_handle attribute in the publisher's <publisher_request/> | |||
| message. | message. | |||
| sia_base: The sia_base attribute is the rsync:// URI for the base of | sia_base: The sia_base attribute is the rsync:// URI for the base of | |||
| the publication space allocated to the publisher. | the publication space allocated to the publisher. | |||
| rrdp_notification_uri: The optional rrdp_notification_uri attribute | ||||
| is the URI for the RRDP notification file covering the publication | ||||
| space allocated to the publisher | ||||
| ([I-D.tbruijnzeels-sidr-delta-protocol]). | ||||
| repository_bpki_ta: The <repository_bpki_ta/> element is the | repository_bpki_ta: The <repository_bpki_ta/> element is the | |||
| repository's BPKI identity, a self-signed X.509 BPKI certificate. | repository's BPKI identity, a self-signed X.509 BPKI certificate. | |||
| --------------------------------------------------------------------- | --------------------------------------------------------------------- | |||
| <repository_response | <repository_response | |||
| publisher_handle="Alice/Bob-42" | publisher_handle="Alice/Bob-42" | |||
| rrdp_notification_uri="https://rpki.example/rrdp/notify.xml" | ||||
| service_uri="http://a.example/publication/Alice/Bob-42" | service_uri="http://a.example/publication/Alice/Bob-42" | |||
| sia_base="rsync://a.example/rpki/Alice/Bob-42/" | sia_base="rsync://a.example/rpki/Alice/Bob-42/" | |||
| version="1" | version="1" | |||
| xmlns="http://www.hactrn.net/uris/rpki/rpki-setup/"> | xmlns="http://www.hactrn.net/uris/rpki/rpki-setup/"> | |||
| <repository_bpki_ta> | <repository_bpki_ta> | |||
| WW91IGNhbiBoYWNrIGFueXRoaW5nIHlvdSB3YW50IHdpdGggVEVDTyBhbmQgRERU | WW91IGNhbiBoYWNrIGFueXRoaW5nIHlvdSB3YW50IHdpdGggVEVDTyBhbmQgRERU | |||
| </repository_bpki_ta> | </repository_bpki_ta> | |||
| </repository_response> | </repository_response> | |||
| --------------------------------------------------------------------- | --------------------------------------------------------------------- | |||
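Review bot: the description of the new optional rrdp_notification_uri attribute says what the URI covers but not which scheme is expected, whereas the neighbouring sia_base description explicitly names "the rsync:// URI"; the example uses https://, so state the expected scheme in the attribute's description the same way. Since this adds a second repository-supplied URI that the publisher will configure from the <repository_response/> message, also check that Section 6 (Security Considerations), which shows no change in this diff, covers it alongside service_uri and sia_base.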
| skipping to change at page 14, line 10 | skipping to change at page 14, line 10 | |||
| <repository_response/> message in response. Alice recognizes Bob as | <repository_response/> message in response. Alice recognizes Bob as | |||
| one of her own children, because she's already seen Bob's self-signed | one of her own children, because she's already seen Bob's self-signed | |||
| BPKI certificate, so she allocates publication space to Bob under her | BPKI certificate, so she allocates publication space to Bob under her | |||
| own publication space, so that relying parties who rsync her products | own publication space, so that relying parties who rsync her products | |||
| will pick up Bob's products automatically without needing an | will pick up Bob's products automatically without needing an | |||
| additional fetch operation. | additional fetch operation. | |||
| --------------------------------------------------------------------- | --------------------------------------------------------------------- | |||
| <repository_response | <repository_response | |||
| publisher_handle="Alice/Bob-42" | publisher_handle="Alice/Bob-42" | |||
| rrdp_notification_uri="https://rpki.example/rrdp/notify.xml" | ||||
| service_uri="http://a.example/publication/Alice/Bob-42" | service_uri="http://a.example/publication/Alice/Bob-42" | |||
| sia_base="rsync://a.example/rpki/Alice/Bob-42/" | sia_base="rsync://a.example/rpki/Alice/Bob-42/" | |||
| version="1" | version="1" | |||
| xmlns="http://www.hactrn.net/uris/rpki/rpki-setup/"> | xmlns="http://www.hactrn.net/uris/rpki/rpki-setup/"> | |||
| <repository_bpki_ta> | <repository_bpki_ta> | |||
| WW91IGNhbiBoYWNrIGFueXRoaW5nIHlvdSB3YW50IHdpdGggVEVDTyBhbmQgRERU | WW91IGNhbiBoYWNrIGFueXRoaW5nIHlvdSB3YW50IHdpdGggVEVDTyBhbmQgRERU | |||
| </repository_bpki_ta> | </repository_bpki_ta> | |||
| </repository_response> | </repository_response> | |||
| --------------------------------------------------------------------- | --------------------------------------------------------------------- | |||
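Review bot: the walkthrough paragraph above this example ("Alice recognizes Bob as one of her own children ...") is unchanged, yet the example message gained rrdp_notification_uri="https://rpki.example/rrdp/notify.xml"; add a sentence to the walkthrough saying that Alice also returns the RRDP notification URI covering Bob's publication space, otherwise the attribute appears in the example without explanation. The example's RRDP host (rpki.example) also differs from the host used for service_uri and sia_base (a.example); if that is intentional, say so, since a reader may read it as a typo.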
| skipping to change at page 17, line 28 | skipping to change at page 17, line 28 | |||
| The author would like to thank: Byron Ellacott, George Michaelson, | The author would like to thank: Byron Ellacott, George Michaelson, | |||
| Leif Johansson, Matsuzaki Yoshinobu, Michael Elkins, Randy Bush, | Leif Johansson, Matsuzaki Yoshinobu, Michael Elkins, Randy Bush, | |||
| Seiichi Kawamura, Tim Bruijnzeels, and anybody else who helped along | Seiichi Kawamura, Tim Bruijnzeels, and anybody else who helped along | |||
| the way whose name the author has temporarily forgotten. | the way whose name the author has temporarily forgotten. | |||
| 8. Normative References | 8. Normative References | |||
| [I-D.ietf-sidr-publication] | [I-D.ietf-sidr-publication] | |||
| Weiler, S., Sonalker, A., and R. Austein, "A Publication | Weiler, S., Sonalker, A., and R. Austein, "A Publication | |||
| Protocol for the Resource Public Key Infrastructure | Protocol for the Resource Public Key Infrastructure | |||
| (RPKI)", draft-ietf-sidr-publication-05 (work in | (RPKI)", draft-ietf-sidr-publication-07 (work in | |||
| progress), February 2014. | progress), September 2015. | |||
| [I-D.tbruijnzeels-sidr-delta-protocol] | ||||
| Bruijnzeels, T., Muravskiy, O., Weber, B., Austein, R., | ||||
| and D. Mandelberg, "RPKI Repository Delta Protocol", | ||||
| draft-tbruijnzeels-sidr-delta-protocol-03 (work in | ||||
| progress), December 2014. | ||||
| [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 5280, May 2008. | (CRL) Profile", RFC 5280, May 2008. | |||
| [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", RFC | [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", RFC | |||
| 5652, STD 70, September 2009. | 5652, STD 70, September 2009. | |||
| [RFC6492] Huston, G., Loomans, R., Ellacott, B., and R. Austein, "A | [RFC6492] Huston, G., Loomans, R., Ellacott, B., and R. Austein, "A | |||
| Protocol for Provisioning Resource Certificates", RFC | Protocol for Provisioning Resource Certificates", RFC | |||
| 6492, February 2012. | 6492, February 2012. | |||
| Appendix A. RelaxNG Schema | Appendix A. RelaxNG Schema | |||
| Here is a RelaxNG schema describing the protocol elements. | Here is a RelaxNG schema describing the protocol elements. | |||
| # $Id: rpki-setup.rnc 2408 2013-05-24 13:16:55Z sra $ | # $Id: rpki-setup.rnc 3429 2015-10-14 23:46:50Z sra $ | |||
| default namespace = "http://www.hactrn.net/uris/rpki/rpki-setup/" | default namespace = "http://www.hactrn.net/uris/rpki/rpki-setup/" | |||
| version = "1" | version = "1" | |||
| base64 = xsd:base64Binary { maxLength="512000" } | base64 = xsd:base64Binary { maxLength="512000" } | |||
| handle = xsd:string { maxLength="255" pattern="[\-_A-Za-z0-9/]*" } | handle = xsd:string { maxLength="255" pattern="[\-_A-Za-z0-9/]*" } | |||
| uri = xsd:anyURI { maxLength="4096" } | uri = xsd:anyURI { maxLength="4096" } | |||
| any = element * { attribute * { text }*, ( any | text )* } | any = element * { attribute * { text }*, ( any | text )* } | |||
| authorization_token = base64 | authorization_token = base64 | |||
| bpki_ta = base64 | bpki_ta = base64 | |||
| start |= child_request | start |= element child_request { | |||
| start |= parent_response | ||||
| start |= publisher_request | ||||
| start |= repository_response | ||||
| start |= authorization | ||||
| start |= error | ||||
| child_request = | ||||
| element child_request { | ||||
| attribute version { version }, | attribute version { version }, | |||
| attribute child_handle { handle }, | attribute child_handle { handle }, | |||
| element child_bpki_ta { bpki_ta } | element child_bpki_ta { bpki_ta } | |||
| } | } | |||
| parent_response = | start |= element parent_response { | |||
| element parent_response { | ||||
| attribute version { version }, | attribute version { version }, | |||
| attribute service_uri { uri }, | attribute service_uri { uri }, | |||
| attribute child_handle { handle }, | attribute child_handle { handle }, | |||
| attribute parent_handle { handle }, | attribute parent_handle { handle }, | |||
| element parent_bpki_ta { bpki_ta }, | element parent_bpki_ta { bpki_ta }, | |||
| element offer { empty }?, | element offer { empty }?, | |||
| element referral { | element referral { | |||
| attribute referrer { handle }, | attribute referrer { handle }, | |||
| attribute contact_uri { uri }?, | attribute contact_uri { uri }?, | |||
| authorization_token | authorization_token | |||
| }* | }* | |||
| } | } | |||
| publisher_request = | start |= element publisher_request { | |||
| element publisher_request { | ||||
| attribute version { version }, | attribute version { version }, | |||
| attribute publisher_handle { handle }, | attribute publisher_handle { handle }, | |||
| element publisher_bpki_ta { bpki_ta }, | element publisher_bpki_ta { bpki_ta }, | |||
| element referral { | element referral { | |||
| attribute referrer { handle }, | attribute referrer { handle }, | |||
| authorization_token | authorization_token | |||
| }* | }* | |||
| } | } | |||
| repository_response = | start |= element repository_response { | |||
| element repository_response { | ||||
| attribute version { version }, | attribute version { version }, | |||
| attribute service_uri { uri }, | attribute service_uri { uri }, | |||
| attribute publisher_handle { handle }, | attribute publisher_handle { handle }, | |||
| attribute sia_base { uri }, | attribute sia_base { uri }, | |||
| attribute rrdp_notification_uri { uri }?, | ||||
| element repository_bpki_ta { bpki_ta } | element repository_bpki_ta { bpki_ta } | |||
| } | } | |||
| authorization = | start |= element authorization { | |||
| element authorization { | ||||
| attribute version { version }, | attribute version { version }, | |||
| attribute authorized_sia_base { uri }, | attribute authorized_sia_base { uri }, | |||
| bpki_ta | bpki_ta | |||
| } | } | |||
| error = | start |= element error { | |||
| element error { | ||||
| attribute version { version }, | attribute version { version }, | |||
| attribute reason { | attribute reason { | |||
| "syntax-error" | | "syntax-error" | | |||
| "authentication-failure" | | "authentication-failure" | | |||
| "refused" | "refused" | |||
| }, | }, | |||
| any? | any? | |||
| } | } | |||
| Author's Address | Author's Address | |||
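Review bot: the new normative reference [I-D.tbruijnzeels-sidr-delta-protocol] cites draft-tbruijnzeels-sidr-delta-protocol-03 dated December 2014; by the six-month validity stated in this document's own boilerplate, that revision had expired before this October 2015 revision, so refresh the citation to the current revision, as was done for [I-D.ietf-sidr-publication] (bumped to -07 in the same change). In the schema, folding the named patterns (child_request, parent_response, publisher_request, repository_response, authorization, error) into `start |= element ... { ... }` validates the same documents as before, but the names are no longer available for other schemas or tools to reference; note that in the change description. The new `attribute rrdp_notification_uri { uri }?` is correctly optional, matching the prose, and shares the unconstrained `uri` type with sia_base, so any scheme requirement the prose adds cannot be enforced by the schema and must be checked by the receiver.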
| End of changes. 19 change blocks. | ||||
| 30 lines changed or deleted | 32 lines changed or added | |||
This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||