| draft-ietf-sidr-rpki-oob-setup-06.txt | draft-ietf-sidr-rpki-oob-setup-07.txt | |||
|---|---|---|---|---|
| Network Working Group R. Austein | Network Working Group R. Austein | |||
| Internet-Draft Dragon Research Labs | Internet-Draft Dragon Research Labs | |||
| Intended status: Standards Track January 10, 2017 | Intended status: Standards Track February 17, 2017 | |||
| Expires: July 14, 2017 | Expires: August 21, 2017 | |||
| An Out-Of-Band Setup Protocol For RPKI Production Services | An Out-Of-Band Setup Protocol For RPKI Production Services | |||
| draft-ietf-sidr-rpki-oob-setup-06 | draft-ietf-sidr-rpki-oob-setup-07 | |||
| Abstract | Abstract | |||
| This note describes a simple out-of-band protocol to ease setup of | This note describes a simple out-of-band protocol to ease setup of | |||
| the RPKI provisioning and publication protocols between two parties. | the RPKI provisioning and publication protocols between two parties. | |||
| The protocol is encoded in a small number of XML messages, which can | The protocol is encoded in a small number of XML messages, which can | |||
| be passed back and forth by any mutually agreeable secure means. | be passed back and forth by any mutually agreeable means which | |||
| provides acceptable data integrity and authentication. | ||||
| This setup protocol is not part of the provisioning or publication | This setup protocol is not part of the provisioning or publication | |||
| protocol, rather, it is intended to simplify configuration of these | protocol, rather, it is intended to simplify configuration of these | |||
| protocols by setting up relationships and exchanging keying material | protocols by setting up relationships and exchanging keying material | |||
| used to authenticate those relationships. | used to authenticate those relationships. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
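Review bot: The Abstract is non-normative, so the new wording "any mutually agreeable means which provides acceptable data integrity and authentication" should be mirrored wherever the body describes how the XML messages are transported; otherwise the only statement of what the out-of-band channel must guarantee lives in the Abstract. The change itself is an improvement over "secure means": the messages carry self-signed BPKI trust anchors and signed authorization tokens, so integrity and authentication of the channel are the properties that actually matter, and naming them tells an implementer what to check when choosing a transport.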
| skipping to change at page 1, line 38 | skipping to change at page 1, line 39 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on July 14, 2017. | This Internet-Draft will expire on August 21, 2017. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2017 IETF Trust and the persons identified as the | Copyright (c) 2017 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 8, line 26 | skipping to change at page 8, line 26 | |||
| identity, a self-signed X.509 BPKI certificate. | identity, a self-signed X.509 BPKI certificate. | |||
| This certificate is the issuer of the BPKI EE certificates | This certificate is the issuer of the BPKI EE certificates | |||
| corresponding to private keys that the parent will use to sign | corresponding to private keys that the parent will use to sign | |||
| provisioning protocol messages to the child. | provisioning protocol messages to the child. | |||
| offer: If an <offer/> element is present, the parent is offering | offer: If an <offer/> element is present, the parent is offering | |||
| publication service to the child. The <offer/> element, if | publication service to the child. The <offer/> element, if | |||
| present, is empty. | present, is empty. | |||
| referral: If <referral/> elements are present, they suggests third- | referral: If <referral/> elements are present, they suggest third- | |||
| party publication services which the child might use, and contain: | party publication services which the child might use, and contain: | |||
| referrer: A referrer attribute, containing the handle by which | referrer: A referrer attribute, containing the handle by which | |||
| the publication repository knows the parent, | the publication repository knows the parent, | |||
| contact_uri: An optional contact_uri attribute that the child may | contact_uri: An optional contact_uri attribute that the child may | |||
| be able to follow for more information, and | be able to follow for more information, and | |||
| Authorization token: The text of the <referral/> element is the | Authorization token: The text of the <referral/> element is the | |||
| Base64 encoding of a signed authorization token granting the | Base64 encoding of a signed authorization token granting the | |||
| skipping to change at page 9, line 39 | skipping to change at page 9, line 39 | |||
| <referral | <referral | |||
| referrer="Alice/Bob-42"> | referrer="Alice/Bob-42"> | |||
| R28sIGxlbW1pbmdzLCBnbyE= | R28sIGxlbW1pbmdzLCBnbyE= | |||
| </referral> | </referral> | |||
| </parent_response> | </parent_response> | |||
| --------------------------------------------------------------------- | --------------------------------------------------------------------- | |||
| 5.2.3. <publisher_request/> | 5.2.3. <publisher_request/> | |||
| The <publisher_request/> message is a setup request from a publisher | The <publisher_request/> message is a setup request from a publisher | |||
| to a repository. | to a repository. Generally this will not take place until after the | |||
| publisher has set up the provisioning protocol via a <child_request/> | ||||
| / <parent_response/> exchange: in particular, the <referral> sub- | ||||
| element here requires an <authorization/> token provided by the | ||||
| provisioning protocol exchange. | ||||
| Fields in the <publisher_request/> message: | Fields in the <publisher_request/> message: | |||
| version: The version attribute specifies the protocol version. This | version: The version attribute specifies the protocol version. This | |||
| note describes protocol version 1. | note describes protocol version 1. | |||
| tag: The publisher MAY include a "tag" attribute in the request | tag: The publisher MAY include a "tag" attribute in the request | |||
| message. | message. | |||
| publisher_handle: The publisher_handle attribute is the publisher's | publisher_handle: The publisher_handle attribute is the publisher's | |||
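Review bot: The new paragraph in 5.2.3 writes the element as "<referral>" while the rest of the document (including the referral: field description in the preceding hunk) consistently uses the "<referral/>" form; use the same spelling here. The sentence "the <referral> sub-element here requires an <authorization/> token provided by the provisioning protocol exchange" would also be clearer if it tied the token to where it comes from in this document's own terms, i.e. the Base64-encoded signed authorization token carried as the text of the parent's <referral/> element in <parent_response/>, so a reader does not have to guess whether "<authorization/> token" names a separate element. Finally, the line break inside "<child_request/> / <parent_response/> exchange" makes the slash read as a stray character; "a <child_request/> and <parent_response/> exchange" avoids that.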
| skipping to change at page 13, line 44 | skipping to change at page 13, line 44 | |||
| 6. Protocol Walk-Through | 6. Protocol Walk-Through | |||
| This section walks through a few simple examples of the protocol in | This section walks through a few simple examples of the protocol in | |||
| use, and stars our old friends, Alice, Bob, and Carol. In this | use, and stars our old friends, Alice, Bob, and Carol. In this | |||
| example, Alice is the root of a RPKI tree, Bob wants to get address | example, Alice is the root of a RPKI tree, Bob wants to get address | |||
| and ASN resources from Alice, and Carol wants to get some of those | and ASN resources from Alice, and Carol wants to get some of those | |||
| resources in turn from Bob. Alice offers publication service, which | resources in turn from Bob. Alice offers publication service, which | |||
| is used by all three. | is used by all three. | |||
| Alice, Bob, and Carol each generates his or her own self-signed BPKI | Alice, Bob, and Carol each generate his or her own self-signed BPKI | |||
| certificate. | certificate. | |||
| Bob constructs a <child_request/> message and sends it to Alice: | Bob constructs a <child_request/> message and sends it to Alice: | |||
| --------------------------------------------------------------------- | --------------------------------------------------------------------- | |||
| <child_request | <child_request | |||
| xmlns="http://www.hactrn.net/uris/rpki/rpki-setup/" | xmlns="http://www.hactrn.net/uris/rpki/rpki-setup/" | |||
| version="1" | version="1" | |||
| child_handle="Bob"> | child_handle="Bob"> | |||
| <child_bpki_ta> | <child_bpki_ta> | |||
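Review bot: The agreement fix in "Alice, Bob, and Carol each generate his or her own self-signed BPKI certificate" is only half done: with the plural verb "generate" the pronoun should be "their own", or keep the singular throughout ("each generates his or her own"). Either is fine; the mixed form is not.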
| skipping to change at page 19, line 19 | skipping to change at page 19, line 19 | |||
| Seiichi Kawamura, Tim Bruijnzeels, and anybody else who helped along | Seiichi Kawamura, Tim Bruijnzeels, and anybody else who helped along | |||
| the way but whose name the author has temporarily forgotten. | the way but whose name the author has temporarily forgotten. | |||
| 10. References | 10. References | |||
| 10.1. Normative References | 10.1. Normative References | |||
| [I-D.ietf-sidr-delta-protocol] | [I-D.ietf-sidr-delta-protocol] | |||
| Bruijnzeels, T., Muravskiy, O., Weber, B., and R. Austein, | Bruijnzeels, T., Muravskiy, O., Weber, B., and R. Austein, | |||
| "RPKI Repository Delta Protocol", draft-ietf-sidr-delta- | "RPKI Repository Delta Protocol", draft-ietf-sidr-delta- | |||
| protocol-04 (work in progress), September 2016. | protocol-07 (work in progress), February 2017. | |||
| [I-D.ietf-sidr-publication] | [I-D.ietf-sidr-publication] | |||
| Weiler, S., Sonalker, A., and R. Austein, "A Publication | Weiler, S., Sonalker, A., and R. Austein, "A Publication | |||
| Protocol for the Resource Public Key Infrastructure | Protocol for the Resource Public Key Infrastructure | |||
| (RPKI)", draft-ietf-sidr-publication-09 (work in | (RPKI)", draft-ietf-sidr-publication-10 (work in | |||
| progress), September 2016. | progress), January 2017. | |||
| [RelaxNG] Clark, J., "RELAX NG Compact Syntax", OASIS , November | [RelaxNG] Clark, J., "RELAX NG Compact Syntax", OASIS , November | |||
| 2002, <https://www.oasis-open.org/committees/relax-ng/ | 2002, <https://www.oasis-open.org/committees/relax-ng/ | |||
| compact-20021121.html>. | compact-20021121.html>. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", RFC 2119, BCP 14, March 1997. | Requirement Levels", RFC 2119, BCP 14, March 1997. | |||
| [RFC6492] Huston, G., Loomans, R., Ellacott, B., and R. Austein, "A | [RFC6492] Huston, G., Loomans, R., Ellacott, B., and R. Austein, "A | |||
| Protocol for Provisioning Resource Certificates", | Protocol for Provisioning Resource Certificates", | |||
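Review bot: Bumping [I-D.ietf-sidr-delta-protocol] from -04 to -07 and [I-D.ietf-sidr-publication] from -09 to -10 is routine, but since both are normative references, confirm that any section numbers, element names or behaviours this document cites from them are unchanged in the newer revisions before this revision is published.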
| End of changes. 9 change blocks. | ||||
| 11 lines changed or deleted | 16 lines changed or added | |||