draft-ietf-sidr-rpki-rtr-rfc6810-bis-03.txt | draft-ietf-sidr-rpki-rtr-rfc6810-bis-04.txt | |||
---|---|---|---|---|
Network Working Group R. Bush | Network Working Group R. Bush | |||
Internet-Draft Internet Initiative Japan | Internet-Draft Internet Initiative Japan | |||
Intended status: Standards Track R. Austein | Updates: 6810 (if approved) R. Austein | |||
Expires: September 6, 2015 Dragon Research Labs | Intended status: Standards Track Dragon Research Labs | |||
March 5, 2015 | Expires: December 17, 2015 June 15, 2015 | |||
The Resource Public Key Infrastructure (RPKI) to Router Protocol | The Resource Public Key Infrastructure (RPKI) to Router Protocol | |||
draft-ietf-sidr-rpki-rtr-rfc6810-bis-03 | draft-ietf-sidr-rpki-rtr-rfc6810-bis-04 | |||
Abstract | Abstract | |||
In order to verifiably validate the origin Autonomous Systems and | In order to verifiably validate the origin Autonomous Systems and | |||
Autonomous System Paths of BGP announcements, routers need a simple | Autonomous System Paths of BGP announcements, routers need a simple | |||
but reliable mechanism to receive Resource Public Key Infrastructure | but reliable mechanism to receive Resource Public Key Infrastructure | |||
(RFC 6480) prefix origin data and router keys from a trusted cache. | (RFC 6480) prefix origin data and router keys from a trusted cache. | |||
This document describes a protocol to deliver validated prefix origin | This document describes a protocol to deliver validated prefix origin | |||
data and router keys to routers. | data and router keys to routers. | |||
skipping to change at page 1, line 36 | skipping to change at page 1, line 36 | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on September 6, 2015. | This Internet-Draft will expire on December 17, 2015. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 2, line 13 | skipping to change at page 2, line 13 | |||
include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
described in the Simplified BSD License. | described in the Simplified BSD License. | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | |||
2. Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
3. Deployment Structure . . . . . . . . . . . . . . . . . . . . 4 | 3. Deployment Structure . . . . . . . . . . . . . . . . . . . . 4 | |||
4. Operational Overview . . . . . . . . . . . . . . . . . . . . 4 | 4. Operational Overview . . . . . . . . . . . . . . . . . . . . 5 | |||
5. Protocol Data Units (PDUs) . . . . . . . . . . . . . . . . . 5 | 5. Protocol Data Units (PDUs) . . . . . . . . . . . . . . . . . 6 | |||
5.1. Fields of a PDU . . . . . . . . . . . . . . . . . . . . . 6 | 5.1. Fields of a PDU . . . . . . . . . . . . . . . . . . . . . 6 | |||
5.2. Serial Notify . . . . . . . . . . . . . . . . . . . . . . 8 | 5.2. Serial Notify . . . . . . . . . . . . . . . . . . . . . . 8 | |||
5.3. Serial Query . . . . . . . . . . . . . . . . . . . . . . 8 | 5.3. Serial Query . . . . . . . . . . . . . . . . . . . . . . 9 | |||
5.4. Reset Query . . . . . . . . . . . . . . . . . . . . . . . 9 | 5.4. Reset Query . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
5.5. Cache Response . . . . . . . . . . . . . . . . . . . . . 9 | 5.5. Cache Response . . . . . . . . . . . . . . . . . . . . . 10 | |||
5.6. IPv4 Prefix . . . . . . . . . . . . . . . . . . . . . . . 10 | 5.6. IPv4 Prefix . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
5.7. IPv6 Prefix . . . . . . . . . . . . . . . . . . . . . . . 11 | 5.7. IPv6 Prefix . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
5.8. End of Data . . . . . . . . . . . . . . . . . . . . . . . 12 | 5.8. End of Data . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
5.9. Cache Reset . . . . . . . . . . . . . . . . . . . . . . . 12 | 5.9. Cache Reset . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
5.10. Router Key . . . . . . . . . . . . . . . . . . . . . . . 13 | 5.10. Router Key . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
5.11. Error Report . . . . . . . . . . . . . . . . . . . . . . 14 | 5.11. Error Report . . . . . . . . . . . . . . . . . . . . . . 15 | |||
6. Protocol Timing Parameters . . . . . . . . . . . . . . . . . 15 | 6. Protocol Timing Parameters . . . . . . . . . . . . . . . . . 16 | |||
7. Protocol Version Negotiation . . . . . . . . . . . . . . . . 16 | 7. Protocol Version Negotiation . . . . . . . . . . . . . . . . 17 | |||
8. Protocol Sequences . . . . . . . . . . . . . . . . . . . . . 17 | 8. Protocol Sequences . . . . . . . . . . . . . . . . . . . . . 19 | |||
8.1. Start or Restart . . . . . . . . . . . . . . . . . . . . 17 | 8.1. Start or Restart . . . . . . . . . . . . . . . . . . . . 19 | |||
8.2. Typical Exchange . . . . . . . . . . . . . . . . . . . . 18 | 8.2. Typical Exchange . . . . . . . . . . . . . . . . . . . . 20 | |||
8.3. No Incremental Update Available . . . . . . . . . . . . . 18 | 8.3. No Incremental Update Available . . . . . . . . . . . . . 20 | |||
8.4. Cache Has No Data Available . . . . . . . . . . . . . . . 19 | 8.4. Cache Has No Data Available . . . . . . . . . . . . . . . 21 | |||
9. Transport . . . . . . . . . . . . . . . . . . . . . . . . . . 20 | 9. Transport . . . . . . . . . . . . . . . . . . . . . . . . . . 21 | |||
9.1. SSH Transport . . . . . . . . . . . . . . . . . . . . . . 21 | 9.1. SSH Transport . . . . . . . . . . . . . . . . . . . . . . 23 | |||
9.2. TLS Transport . . . . . . . . . . . . . . . . . . . . . . 22 | 9.2. TLS Transport . . . . . . . . . . . . . . . . . . . . . . 23 | |||
9.3. TCP MD5 Transport . . . . . . . . . . . . . . . . . . . . 22 | 9.3. TCP MD5 Transport . . . . . . . . . . . . . . . . . . . . 24 | |||
9.4. TCP-AO Transport . . . . . . . . . . . . . . . . . . . . 23 | 9.4. TCP-AO Transport . . . . . . . . . . . . . . . . . . . . 24 | |||
10. Router-Cache Setup . . . . . . . . . . . . . . . . . . . . . 23 | 10. Router-Cache Setup . . . . . . . . . . . . . . . . . . . . . 25 | |||
11. Deployment Scenarios . . . . . . . . . . . . . . . . . . . . 24 | 11. Deployment Scenarios . . . . . . . . . . . . . . . . . . . . 26 | |||
12. Error Codes . . . . . . . . . . . . . . . . . . . . . . . . . 25 | 12. Error Codes . . . . . . . . . . . . . . . . . . . . . . . . . 27 | |||
13. Security Considerations . . . . . . . . . . . . . . . . . . . 26 | 13. Security Considerations . . . . . . . . . . . . . . . . . . . 28 | |||
14. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27 | 14. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29 | |||
15. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 28 | 15. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 30 | |||
16. References . . . . . . . . . . . . . . . . . . . . . . . . . 28 | 16. References . . . . . . . . . . . . . . . . . . . . . . . . . 30 | |||
16.1. Normative References . . . . . . . . . . . . . . . . . . 28 | 16.1. Normative References . . . . . . . . . . . . . . . . . . 30 | |||
16.2. Informative References . . . . . . . . . . . . . . . . . 30 | 16.2. Informative References . . . . . . . . . . . . . . . . . 31 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 30 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 32 | |||
1. Introduction | 1. Introduction | |||
In order to verifiably validate the origin Autonomous Systems (ASes) | In order to verifiably validate the origin Autonomous Systems (ASes) | |||
and AS paths of BGP announcements, routers need a simple but reliable | and AS paths of BGP announcements, routers need a simple but reliable | |||
mechanism to receive cryptographically validated Resource Public Key | mechanism to receive cryptographically validated Resource Public Key | |||
Infrastructure (RPKI) [RFC6480] prefix origin data and router keys | Infrastructure (RPKI) [RFC6480] prefix origin data and router keys | |||
from a trusted cache. This document describes a protocol to deliver | from a trusted cache. This document describes a protocol to deliver | |||
validated prefix origin data and router keys to routers. The design | validated prefix origin data and router keys to routers. The design | |||
is intentionally constrained to be usable on much of the current | is intentionally constrained to be usable on much of the current | |||
skipping to change at page 3, line 29 | skipping to change at page 3, line 29 | |||
sequences are described in Section 8. The transport protocol options | sequences are described in Section 8. The transport protocol options | |||
are described in Section 9. Section 10 details how routers and | are described in Section 9. Section 10 details how routers and | |||
caches are configured to connect and authenticate. Section 11 | caches are configured to connect and authenticate. Section 11 | |||
describes likely deployment scenarios. The traditional security and | describes likely deployment scenarios. The traditional security and | |||
IANA considerations end the document. | IANA considerations end the document. | |||
The protocol is extensible in order to support new PDUs with new | The protocol is extensible in order to support new PDUs with new | |||
semantics, if deployment experience indicates they are needed. PDUs | semantics, if deployment experience indicates they are needed. PDUs | |||
are versioned should deployment experience call for change. | are versioned should deployment experience call for change. | |||
For an implementation (not interoperability) report on use of this | For an implementation (not interoperability) report on the use of | |||
protocol with prefix origin data, see [RFC7128]. | this protocol with prefix origin data, see [RFC7128]. | |||
1.1. Requirements Language | 1.1. Requirements Language | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
document are to be interpreted as described in RFC 2119 [RFC2119] | document are to be interpreted as described in RFC 2119 [RFC2119] | |||
only when they appear in all upper case. They may also appear in | only when they appear in all upper case. They may also appear in | |||
lower or mixed case as English words, without special meaning. | lower or mixed case as English words, without special meaning. | |||
2. Glossary | 2. Glossary | |||
The following terms are used with special meaning. | The following terms are used with special meaning. | |||
Global RPKI: The authoritative data of the RPKI are published in a | Global RPKI: The authoritative data of the RPKI are published in a | |||
distributed set of servers at the IANA, Regional Internet | distributed set of servers at the IANA, Regional Internet | |||
Registries (RIRs), National Internet Registries (NIRs), and ISPs; | Registries (RIRs), National Internet Registries (NIRs), and ISPs; | |||
see [RFC6481]. | see [RFC6481]. | |||
Cache: A coalesced copy of the RPKI, which is periodically fetched/ | Cache: A coalesced copy of the published Global RPKI data, | |||
refreshed directly or indirectly from the Global RPKI using the | periodically fetched or refreshed, directly or indirectly, using | |||
[RFC5781] protocol/tools. Relying party software is used to | the [RFC5781] protocol or some successor protocol. Relying party | |||
gather and validate the distributed data of the RPKI into a cache. | software is used to gather and validate the distributed data of | |||
the RPKI into a cache. Trusting this cache further is a matter | ||||
Trusting this cache further is a matter between the provider of | between the provider of the cache and a relying party. | |||
the cache and a relying party. | ||||
Serial Number: A 32-bit strictly increasing unsigned integer which | Serial Number: A 32-bit strictly increasing unsigned integer which | |||
wraps from 2^32-1 to 0. It denotes the logical version of a | wraps from 2^32-1 to 0. It denotes the logical version of a | |||
cache. A cache increments the value when it successfully updates | cache. A cache increments the value when it successfully updates | |||
its data from a parent cache or from primary RPKI data. As a | its data from a parent cache or from primary RPKI data. While a | |||
cache is receiving, new incoming data and implicit deletes are | cache is receiving updates, new incoming data and implicit deletes | |||
associated with the new serial but MUST NOT be sent until the | are associated with the new serial but MUST NOT be sent until the | |||
fetch is complete. A Serial Number is not commensurate between | fetch is complete. A Serial Number is not commensurate between | |||
caches, nor need it be maintained across resets of the cache | different caches or different protocol versions, nor need it be | |||
server. See [RFC1982] on DNS Serial Number Arithmetic for too | maintained across resets of the cache server. See [RFC1982] on | |||
much detail on the topic. | DNS Serial Number Arithmetic for too much detail on the topic. | |||
Session ID: When a cache server is started, it generates a session | Session ID: When a cache server is started, it generates a session | |||
identifier to uniquely identify the instance of the cache and to | identifier to uniquely identify the instance of the cache and to | |||
bind it to the sequence of Serial Numbers that cache instance will | bind it to the sequence of Serial Numbers that cache instance will | |||
generate. This allows the router to restart a failed session | generate. This allows the router to restart a failed session | |||
knowing that the Serial Number it is using is commensurate with | knowing that the Serial Number it is using is commensurate with | |||
that of the cache. | that of the cache. | |||
Payload PDU: A protocol message which contains data for use by the | ||||
router, as opposed to a PDU which just conveys the semantics of | ||||
this protocol. Prefixes and Router Keys are examples of payload | ||||
PDUs. | ||||
3. Deployment Structure | 3. Deployment Structure | |||
Deployment of the RPKI to reach routers has a three-level structure | Deployment of the RPKI to reach routers has a three-level structure | |||
as follows: | as follows: | |||
Global RPKI: The authoritative data of the RPKI are published in a | Global RPKI: The authoritative data of the RPKI are published in a | |||
distributed set of servers, RPKI publication repositories, e.g., | distributed set of servers, RPKI publication repositories, e.g., | |||
the IANA, RIRs, NIRs, and ISPs, see [RFC6481]. | by the IANA, RIRs, NIRs, and ISPs (see [RFC6481]). | |||
Local Caches: A local set of one or more collected and verified | Local Caches: A local set of one or more collected and verified | |||
caches. A relying party, e.g., router or other client, MUST have | caches. A relying party, e.g., router or other client, MUST have | |||
a trust relationship with, and a trusted transport channel to, any | a trust relationship with, and a trusted transport channel to, any | |||
authoritative cache(s) it uses. | cache(s) it uses. | |||
Routers: A router fetches data from a local cache using the protocol | Routers: A router fetches data from a local cache using the protocol | |||
described in this document. It is said to be a client of the | described in this document. It is said to be a client of the | |||
cache. There MAY be mechanisms for the router to assure itself of | cache. There MAY be mechanisms for the router to assure itself of | |||
the authenticity of the cache and to authenticate itself to the | the authenticity of the cache and to authenticate itself to the | |||
cache. | cache. | |||
4. Operational Overview | 4. Operational Overview | |||
A router establishes and keeps open a connection to one or more | A router establishes and keeps open a connection to one or more | |||
skipping to change at page 5, line 11 | skipping to change at page 5, line 19 | |||
configured with a semi-ordered list of caches, and establishes a | configured with a semi-ordered list of caches, and establishes a | |||
connection to the most preferred cache, or set of caches, which | connection to the most preferred cache, or set of caches, which | |||
accept the connections. | accept the connections. | |||
The router MUST choose the most preferred, by configuration, cache or | The router MUST choose the most preferred, by configuration, cache or | |||
set of caches so that the operator may control load on their caches | set of caches so that the operator may control load on their caches | |||
and the Global RPKI. | and the Global RPKI. | |||
Periodically, the router sends to the cache the Serial Number of the | Periodically, the router sends to the cache the Serial Number of the | |||
highest numbered data it has received from that cache, i.e., the | highest numbered data it has received from that cache, i.e., the | |||
router's current Serial Number. When a router establishes a new | router's current Serial Number, in the form of a Serial Query. When | |||
connection to a cache, or wishes to reset a current relationship, it | a router establishes a new connection to a cache, or wishes to reset | |||
sends a Reset Query. | a current relationship, it sends a Reset Query. | |||
The Cache responds with all data records which have Serial Numbers | The cache responds to the Serial Query with all data records which | |||
greater than that in the router's query. This may be the null set, | have Serial Numbers greater than that in the router's query. This | |||
in which case the End of Data PDU is still sent. Note that 'greater' | may be the null set, in which case the End of Data PDU is still sent. | |||
must take wrap-around into account, see [RFC1982]. | Note that "greater" MUST take wrap-around into account, see | |||
[RFC1982]. | ||||
When the router has received all data records from the cache, it sets | When the router has received all data records from the cache, it sets | |||
its current Serial Number to that of the Serial Number in the End of | its current Serial Number to that of the Serial Number in the End of | |||
Data PDU. | Data PDU. | |||
When the cache updates its database, it sends a Notify message to | When the cache updates its database, it sends a Notify message to | |||
every currently connected router. This is a hint that now would be a | every currently connected router. This is a hint that now would be a | |||
good time for the router to poll for an update, but is only a hint. | good time for the router to poll for an update, but is only a hint. | |||
The protocol requires the router to poll for updates periodically in | The protocol requires the router to poll for updates periodically in | |||
any case. | any case. | |||
skipping to change at page 6, line 5 | skipping to change at page 6, line 15 | |||
As a cache server must evaluate certificates and ROAs (Route Origin | As a cache server must evaluate certificates and ROAs (Route Origin | |||
Attestations; see [RFC6480]), which are time dependent, servers' | Attestations; see [RFC6480]), which are time dependent, servers' | |||
clocks MUST be correct to a tolerance of approximately an hour. | clocks MUST be correct to a tolerance of approximately an hour. | |||
5. Protocol Data Units (PDUs) | 5. Protocol Data Units (PDUs) | |||
The exchanges between the cache and the router are sequences of | The exchanges between the cache and the router are sequences of | |||
exchanges of the following PDUs according to the rules described in | exchanges of the following PDUs according to the rules described in | |||
Section 8. | Section 8. | |||
Fields with unspecified content MUST be zero on transmission and MAY | Reserved fields (marked "zero" in PDU diagrams) MUST be zero on | |||
be ignored on receipt. | transmission, and SHOULD be ignored on receipt. | |||
5.1. Fields of a PDU | 5.1. Fields of a PDU | |||
PDUs contain the following data elements: | PDUs contain the following data elements: | |||
Protocol Version: An eight-bit unsigned integer, currently 1, | Protocol Version: An eight-bit unsigned integer, currently 1, | |||
denoting the version of this protocol. | denoting the version of this protocol. | |||
PDU Type: An eight-bit unsigned integer, denoting the type of the | PDU Type: An eight-bit unsigned integer, denoting the type of the | |||
PDU, e.g., IPv4 Prefix, etc. | PDU, e.g., IPv4 Prefix, etc. | |||
Serial Number: The Serial Number of the RPKI Cache when this set of | Serial Number: The Serial Number of the RPKI Cache when this set of | |||
PDUs was received from an upstream cache server or gathered from | PDUs was received from an upstream cache server or gathered from | |||
the Global RPKI. A cache increments its Serial Number when | the Global RPKI. A cache increments its Serial Number when | |||
completing a rigorously validated update from a parent cache or | completing a rigorously validated update from a parent cache or | |||
the Global RPKI. | the Global RPKI. | |||
Session ID: When a cache server is started, it generates a Session | Session ID: A 16-bit unsigned integer. When a cache server is | |||
ID to identify the instance of the cache and to bind it to the | started, it generates a Session ID to identify the instance of the | |||
sequence of Serial Numbers that cache instance will generate. | cache and to bind it to the sequence of Serial Numbers that cache | |||
This allows the router to restart a failed session knowing that | instance will generate. This allows the router to restart a | |||
the Serial Number it is using is commensurate with that of the | failed session knowing that the Serial Number it is using is | |||
cache. If, at any time, either the router or the cache finds the | commensurate with that of the cache. If, at any time, either the | |||
value of the session identifier is not the same as the other's, | router or the cache finds the value of the session identifier is | |||
they MUST completely drop the session and the router MUST flush | not the same as the other's, they MUST completely drop the session | |||
all data learned from that cache. | and the router MUST flush all data learned from that cache. | |||
Note that sessions are specific to a particular protocol version. | ||||
That is: if a cache server supports multiple versions of this | ||||
protocol, happens to use the same Session ID value for multiple | ||||
protocol versions, and further happens to use the same Serial | ||||
Number values for two or more sessions using the same Session ID | ||||
but different Protocol Version values, the serial numbers are not | ||||
commensurate. The full test for whether serial numbers are | ||||
commensurate requires comparing Protocol Version, Session ID, and | ||||
Serial Number. To reduce the risk of confusion, cache servers | ||||
SHOULD NOT use the same Session ID across multiple protocol | ||||
versions, but even if they do, routers MUST treat sessions with | ||||
different Protocol Version fields as separate sessions even if | ||||
they do happen to have the same Session ID. | ||||
Should a cache erroneously reuse a Session ID so that a router | Should a cache erroneously reuse a Session ID so that a router | |||
does not realize that the session has changed (old session ID and | does not realize that the session has changed (old Session ID and | |||
new session ID have same numeric value), the router may become | new Session ID have same numeric value), the router may become | |||
confused as to the content of the cache. The time it takes the | confused as to the content of the cache. The time it takes the | |||
router to discover it is confused will depend on whether the | router to discover it is confused will depend on whether the | |||
Serial Numbers are also reused. If the Serial Numbers in the old | Serial Numbers are also reused. If the Serial Numbers in the old | |||
and new sessions are different enough, the cache will respond to | and new sessions are different enough, the cache will respond to | |||
the router's Serial Query with a Cache Reset, which will solve the | the router's Serial Query with a Cache Reset, which will solve the | |||
problem. If, however, the Serial Numbers are close, the cache may | problem. If, however, the Serial Numbers are close, the cache may | |||
respond with a Cache Response, which may not be enough to bring | respond with a Cache Response, which may not be enough to bring | |||
the router into sync. In such cases, it's likely but not certain | the router into sync. In such cases, it's likely but not certain | |||
that the router will detect some discrepancy between the state | that the router will detect some discrepancy between the state | |||
that the cache expects and its own state. For example, the Cache | that the cache expects and its own state. For example, the Cache | |||
skipping to change at page 7, line 27 | skipping to change at page 8, line 5 | |||
announcement and 0 for a withdrawal. For a Prefix PDU (IPv4 or | announcement and 0 for a withdrawal. For a Prefix PDU (IPv4 or | |||
IPv6), the flag indicates whether this PDU announces a new right | IPv6), the flag indicates whether this PDU announces a new right | |||
to announce the prefix or withdraws a previously announced right; | to announce the prefix or withdraws a previously announced right; | |||
a withdraw effectively deletes one previously announced Prefix PDU | a withdraw effectively deletes one previously announced Prefix PDU | |||
with the exact same Prefix, Length, Max-Len, and Autonomous System | with the exact same Prefix, Length, Max-Len, and Autonomous System | |||
Number (ASN). Similarly, for a Router Key PDU, the flag indicates | Number (ASN). Similarly, for a Router Key PDU, the flag indicates | |||
whether this PDU announces a new Router Key or deletes one | whether this PDU announces a new Router Key or deletes one | |||
previously announced Router Key PDU with the exact same AS Number, | previously announced Router Key PDU with the exact same AS Number, | |||
subjectKeyIdentifier, and subjectPublicKeyInfo. | subjectKeyIdentifier, and subjectPublicKeyInfo. | |||
The remaining bits in the flags field are reserved for future use. | ||||
In protocol version 1, they MUST be 0 on transmission and SHOULD | ||||
be ignored on receipt. | ||||
Prefix Length: An 8-bit unsigned integer denoting the shortest | Prefix Length: An 8-bit unsigned integer denoting the shortest | |||
prefix allowed for the prefix. | prefix allowed for the prefix. | |||
Max Length: An 8-bit unsigned integer denoting the longest prefix | Max Length: An 8-bit unsigned integer denoting the longest prefix | |||
allowed by the prefix. This MUST NOT be less than the Prefix | allowed by the prefix. This MUST NOT be less than the Prefix | |||
Length element. | Length element. | |||
Prefix: The IPv4 or IPv6 prefix of the ROA. | Prefix: The IPv4 or IPv6 prefix of the ROA. | |||
Autonomous System Number: A 32-bit unsigned integer representing an | Autonomous System Number: A 32-bit unsigned integer representing an | |||
ASN allowed to announce a prefix or associated with a router key. | ASN allowed to announce a prefix or associated with a router key. | |||
Subject Key Identifier: 20-octet Subject Key Identifier (SKI) value | Subject Key Identifier: 20-octet Subject Key Identifier (SKI) value | |||
of a router key, as described in [RFC6487]. | of a router key, as described in [RFC6487]. | |||
Subject Public Key Info: a router key's subjectPublicKeyInfo value, | Subject Public Key Info: a router key's subjectPublicKeyInfo value, | |||
as described in [I-D.ietf-sidr-bgpsec-algs]. This is the full | as described in [I-D.ietf-sidr-bgpsec-algs]. This is the full | |||
ASN.1 DER encoding of the subjectPublicKeyInfo, including the | ASN.1 DER encoding of the subjectPublicKeyInfo, including the | |||
ASN.1 tag and length values of the subjectPublicKeyInfo SEQUENCE. | ASN.1 tag and length values of the subjectPublicKeyInfo SEQUENCE. | |||
Zero: Fields shown as zero or reserved MUST be zero. The value of | Zero: Fields shown as zero MUST be zero on transmission. The value | |||
such a field MUST be ignored on receipt. | of such a field SHOULD be ignored on receipt. | |||
5.2. Serial Notify | 5.2. Serial Notify | |||
The cache notifies the router that the cache has new data. | The cache notifies the router that the cache has new data. | |||
The Session ID reassures the router that the Serial Numbers are | The Session ID reassures the router that the Serial Numbers are | |||
commensurate, i.e., the cache session has not been changed. | commensurate, i.e., the cache session has not been changed. | |||
Upon receipt of a Serial Notify PDU, the router MAY issue an | Upon receipt of a Serial Notify PDU, the router MAY issue an | |||
immediate Serial Query or Reset Query without waiting for the Refresh | immediate Serial Query or Reset Query without waiting for the Refresh | |||
Interval timer to expire. | Interval timer (see Section 6) to expire. | |||
Serial Notify is the only message that the cache can send that is not | Serial Notify is the only message that the cache can send that is not | |||
in response to a message from the router. | in response to a message from the router. | |||
If the router receives a Serial Notify PDU during the initial start- | ||||
up period where the router and cache are still negotiating to agree | ||||
on a protocol version, the router SHOULD simply ignore the Serial | ||||
Notify PDU, even if the Serial Notify PDU is for an unexpected | ||||
protocol version. See Section 7 for details. | ||||
0 8 16 24 31 | 0 8 16 24 31 | |||
.-------------------------------------------. | .-------------------------------------------. | |||
| Protocol | PDU | | | | Protocol | PDU | | | |||
| Version | Type | Session ID | | | Version | Type | Session ID | | |||
| 1 | 0 | | | | 1 | 0 | | | |||
+-------------------------------------------+ | +-------------------------------------------+ | |||
| | | | | | |||
| Length=12 | | | Length=12 | | |||
| | | | | | |||
+-------------------------------------------+ | +-------------------------------------------+ | |||
| | | | | | |||
| Serial Number | | | Serial Number | | |||
| | | | | | |||
`-------------------------------------------' | `-------------------------------------------' | |||
5.3. Serial Query | 5.3. Serial Query | |||
Serial Query: The router sends Serial Query to ask the cache for all | Serial Query: The router sends Serial Query to ask the cache for all | |||
payload PDUs which have Serial Numbers higher than the Serial Number | all announcements and withdrawals which have occurred since the | |||
in the Serial Query. | Serial Number specified in the Serial Query. | |||
The cache replies to this query with a Cache Response PDU | The cache replies to this query with a Cache Response PDU | |||
(Section 5.5) if the cache has a, possibly null, record of the | (Section 5.5) if the cache has a, possibly null, record of the | |||
changes since the Serial Number specified by the router. If there | changes since the Serial Number specified by the router, followed by | |||
have been no changes since the router last queried, the cache sends | zero or more payload PDUs and an End Of Data PDU. | |||
an End Of Data PDU. | ||||
If the cache does not have the data needed to update the router, | If the cache does not have the data needed to update the router, | |||
perhaps because its records do not go back to the Serial Number in | perhaps because its records do not go back to the Serial Number in | |||
the Serial Query, then it responds with a Cache Reset PDU | the Serial Query, then it responds with a Cache Reset PDU | |||
(Section 5.9). | (Section 5.9). | |||
The Session ID tells the cache what instance the router expects to | The Session ID tells the cache what instance the router expects to | |||
ensure that the Serial Numbers are commensurate, i.e., the cache | ensure that the Serial Numbers are commensurate, i.e., the cache | |||
session has not been changed. | session has not been changed. | |||
skipping to change at page 9, line 33 | skipping to change at page 10, line 29 | |||
5.4. Reset Query | 5.4. Reset Query | |||
Reset Query: The router tells the cache that it wants to receive the | Reset Query: The router tells the cache that it wants to receive the | |||
total active, current, non-withdrawn database. The cache responds | total active, current, non-withdrawn database. The cache responds | |||
with a Cache Response PDU (Section 5.5). | with a Cache Response PDU (Section 5.5). | |||
0 8 16 24 31 | 0 8 16 24 31 | |||
.-------------------------------------------. | .-------------------------------------------. | |||
| Protocol | PDU | | | | Protocol | PDU | | | |||
| Version | Type | reserved = zero | | | Version | Type | zero | | |||
| 1 | 2 | | | | 1 | 2 | | | |||
+-------------------------------------------+ | +-------------------------------------------+ | |||
| | | | | | |||
| Length=8 | | | Length=8 | | |||
| | | | | | |||
`-------------------------------------------' | `-------------------------------------------' | |||
5.5. Cache Response | 5.5. Cache Response | |||
Cache Response: The cache responds with zero or more payload PDUs. | The cache responds with zero or more payload PDUs. When replying to | |||
When replying to a Serial Query request (Section 5.3), the cache | a Serial Query request (Section 5.3), the cache sends the set of | |||
sends the set of all data records it has with Serial Numbers greater | announcements and withdrawals that have occurred since the Serial | |||
than that sent by the client router. When replying to a Reset Query, | Number sent by the client router. When replying to a Reset Query, | |||
the cache sends the set of all data records it has; in this case, the | the cache sends the set of all data records it has; in this case, the | |||
withdraw/announce field in the payload PDUs MUST have the value 1 | withdraw/announce field in the payload PDUs MUST have the value 1 | |||
(announce). | (announce). | |||
In response to a Reset Query, the new value of the Session ID tells | In response to a Reset Query, the new value of the Session ID tells | |||
the router the instance of the cache session for future confirmation. | the router the instance of the cache session for future confirmation. | |||
In response to a Serial Query, the Session ID being the same | In response to a Serial Query, the Session ID being the same | |||
reassures the router that the Serial Numbers are commensurate, i.e., | reassures the router that the Serial Numbers are commensurate, i.e., | |||
the cache session has not changed. | the cache session has not changed. | |||
0 8 16 24 31 | 0 8 16 24 31 | |||
.-------------------------------------------. | .-------------------------------------------. | |||
| Protocol | PDU | | | | Protocol | PDU | | | |||
| Version | Type | Session ID | | | Version | Type | Session ID | | |||
| 1 | 3 | | | | 1 | 3 | | | |||
+-------------------------------------------+ | +-------------------------------------------+ | |||
skipping to change at page 10, line 25 | skipping to change at page 11, line 21 | |||
| | | | | | |||
| Length=8 | | | Length=8 | | |||
| | | | | | |||
`-------------------------------------------' | `-------------------------------------------' | |||
5.6. IPv4 Prefix | 5.6. IPv4 Prefix | |||
0 8 16 24 31 | 0 8 16 24 31 | |||
.-------------------------------------------. | .-------------------------------------------. | |||
| Protocol | PDU | | | | Protocol | PDU | | | |||
| Version | Type | reserved = zero | | | Version | Type | zero | | |||
| 1 | 4 | | | | 1 | 4 | | | |||
+-------------------------------------------+ | +-------------------------------------------+ | |||
| | | | | | |||
| Length=20 | | | Length=20 | | |||
| | | | | | |||
+-------------------------------------------+ | +-------------------------------------------+ | |||
| | Prefix | Max | | | | | Prefix | Max | | | |||
| Flags | Length | Length | zero | | | Flags | Length | Length | zero | | |||
| | 0..32 | 0..32 | | | | | 0..32 | 0..32 | | | |||
+-------------------------------------------+ | +-------------------------------------------+ | |||
skipping to change at page 11, line 25 | skipping to change at page 12, line 19 | |||
ASN} at any one point in time. Should the router client receive an | ASN} at any one point in time. Should the router client receive an | |||
IPvX PDU with a {Prefix, Len, Max-Len, ASN} identical to one it | IPvX PDU with a {Prefix, Len, Max-Len, ASN} identical to one it | |||
already has active, it SHOULD raise a Duplicate Announcement Received | already has active, it SHOULD raise a Duplicate Announcement Received | |||
error. | error. | |||
5.7. IPv6 Prefix | 5.7. IPv6 Prefix | |||
0 8 16 24 31 | 0 8 16 24 31 | |||
.-------------------------------------------. | .-------------------------------------------. | |||
| Protocol | PDU | | | | Protocol | PDU | | | |||
| Version | Type | reserved = zero | | | Version | Type | zero | | |||
| 1 | 6 | | | | 1 | 6 | | | |||
+-------------------------------------------+ | +-------------------------------------------+ | |||
| | | | | | |||
| Length=32 | | | Length=32 | | |||
| | | | | | |||
+-------------------------------------------+ | +-------------------------------------------+ | |||
| | Prefix | Max | | | | | Prefix | Max | | | |||
| Flags | Length | Length | zero | | | Flags | Length | Length | zero | | |||
| | 0..128 | 0..128 | | | | | 0..128 | 0..128 | | | |||
+-------------------------------------------+ | +-------------------------------------------+ | |||
skipping to change at page 12, line 10 | skipping to change at page 13, line 5 | |||
| | | | | | |||
`-------------------------------------------' | `-------------------------------------------' | |||
Analogous to the IPv4 Prefix PDU, it has 96 more bits and no magic. | Analogous to the IPv4 Prefix PDU, it has 96 more bits and no magic. | |||
5.8. End of Data | 5.8. End of Data | |||
End of Data: The cache tells the router it has no more data for the | End of Data: The cache tells the router it has no more data for the | |||
request. | request. | |||
The Session ID MUST be the same as that of the corresponding Cache | The Session ID and Protocol Version MUST be the same as that of the | |||
Response which began the, possibly null, sequence of data PDUs. | corresponding Cache Response which began the, possibly null, sequence | |||
of data PDUs. | ||||
0 8 16 24 31 | 0 8 16 24 31 | |||
.-------------------------------------------. | .-------------------------------------------. | |||
| Protocol | PDU | | | | Protocol | PDU | | | |||
| Version | Type | Session ID | | | Version | Type | Session ID | | |||
| 1 | 7 | | | | 1 | 7 | | | |||
+-------------------------------------------+ | +-------------------------------------------+ | |||
| | | | | | |||
| Length=24 | | | Length=24 | | |||
| | | | | | |||
skipping to change at page 13, line 8 | skipping to change at page 14, line 8 | |||
5.9. Cache Reset | 5.9. Cache Reset | |||
The cache may respond to a Serial Query informing the router that the | The cache may respond to a Serial Query informing the router that the | |||
cache cannot provide an incremental update starting from the Serial | cache cannot provide an incremental update starting from the Serial | |||
Number specified by the router. The router must decide whether to | Number specified by the router. The router must decide whether to | |||
issue a Reset Query or switch to a different cache. | issue a Reset Query or switch to a different cache. | |||
0 8 16 24 31 | 0 8 16 24 31 | |||
.-------------------------------------------. | .-------------------------------------------. | |||
| Protocol | PDU | | | | Protocol | PDU | | | |||
| Version | Type | reserved = zero | | | Version | Type | zero | | |||
| 1 | 8 | | | | 1 | 8 | | | |||
+-------------------------------------------+ | +-------------------------------------------+ | |||
| | | | | | |||
| Length=8 | | | Length=8 | | |||
| | | | | | |||
`-------------------------------------------' | `-------------------------------------------' | |||
5.10. Router Key | 5.10. Router Key | |||
0 8 16 24 31 | 0 8 16 24 31 | |||
.-------------------------------------------. | .-------------------------------------------. | |||
| Protocol | PDU | | | | | Protocol | PDU | | | | |||
| Version | Type | Flags | zero | | | Version | Type | Flags | zero | | |||
| 1 | 9 | | | | | 1 | 9 | | | | |||
+-------------------------------------------+ | +-------------------------------------------+ | |||
| | | | | | |||
| Length | | | Length | | |||
| | | | | | |||
+-------------------------------------------+ | +-------------------------------------------+ | |||
| | | | | | |||
+--- ---+ | ||||
| Subject Key Identifier | | | Subject Key Identifier | | |||
| 20 octets | | +--- ---+ | |||
| | | ||||
+--- ---+ | ||||
| (20 octets) | | ||||
+--- ---+ | ||||
| | | | | | |||
+-------------------------------------------+ | +-------------------------------------------+ | |||
| | | | | | |||
| AS Number | | | AS Number | | |||
| | | | | | |||
+-------------------------------------------+ | +-------------------------------------------+ | |||
| | | | | | |||
| Subject Public Key Info | | | Subject Public Key Info | | |||
| | | | | | |||
`-------------------------------------------' | `-------------------------------------------' | |||
The lowest order bit of the Flags field is 1 for an announcement and | ||||
0 for a withdrawal. | ||||
The cache server MUST ensure that it has told the router client to | The cache server MUST ensure that it has told the router client to | |||
have one and only one Router Key PDU for a unique {SKI, ASN, Subject | have one and only one Router Key PDU for a unique {SKI, ASN, Subject | |||
Public Key} at any one point in time. Should the router client | Public Key} at any one point in time. Should the router client | |||
receive a Router Key PDU with a {SKI, ASN, Subject Public Key} | receive a Router Key PDU with a {SKI, ASN, Subject Public Key} | |||
identical to one it already has active, it SHOULD raise a Duplicate | identical to one it already has active, it SHOULD raise a Duplicate | |||
Announcement Received error. | Announcement Received error. | |||
Note that a particular ASN may appear in multiple Router Key PDUs | Note that a particular ASN may appear in multiple Router Key PDUs | |||
with different Subject Public Key values, while a particular Subject | with different Subject Public Key values, while a particular Subject | |||
Public Key value may appear in multiple Router Key PDUs with | Public Key value may appear in multiple Router Key PDUs with | |||
skipping to change at page 16, line 15 | skipping to change at page 17, line 15 | |||
containing End Of Data PDU. | containing End Of Data PDU. | |||
Minimum allowed value: 1 second. | Minimum allowed value: 1 second. | |||
Maximum allowed value: 86400 seconds (one day). | Maximum allowed value: 86400 seconds (one day). | |||
Recommended default: 3600 seconds (one hour). | Recommended default: 3600 seconds (one hour). | |||
Retry Interval: This parameter tells the router how long to wait | Retry Interval: This parameter tells the router how long to wait | |||
before retrying a failed Serial Query or Reset Query. The router | before retrying a failed Serial Query or Reset Query. The router | |||
SHOULD NOT retry sooner than indicated by this parameter. | SHOULD NOT retry sooner than indicated by this parameter. Note | |||
that a protocol version mismatch overrides this interval: if the | ||||
router needs to downgrade to a lower protocol version number, it | ||||
MAY send the first Serial Query or Reset Query immediately. | ||||
Countdown for this timer starts upon failure of the query, and | Countdown for this timer starts upon failure of the query, and | |||
restarts after each subsequent failure until a query succeeds. | restarts after each subsequent failure until a query succeeds. | |||
Minimum allowed value: 1 second. | Minimum allowed value: 1 second. | |||
Maximum allowed value: 7200 seconds (two hours). | Maximum allowed value: 7200 seconds (two hours). | |||
Recommended default: 600 seconds (ten minutes). | Recommended default: 600 seconds (ten minutes). | |||
Expire Interval: This parameter tells the router how long it can | Expire Interval: This parameter tells the router how long it can | |||
skipping to change at page 17, line 19 | skipping to change at page 18, line 23 | |||
Error Report PDU. In this case the router MAY retry the | Error Report PDU. In this case the router MAY retry the | |||
connection using protocol version 0. | connection using protocol version 0. | |||
2. The cache may reply with a version 0 response. In this case the | 2. The cache may reply with a version 0 response. In this case the | |||
router MUST either downgrade to version 0 or terminate the | router MUST either downgrade to version 0 or terminate the | |||
connection. | connection. | |||
In any of the downgraded combinations above, the new features of | In any of the downgraded combinations above, the new features of | |||
version 1 will not be available. | version 1 will not be available. | |||
If either party receives a PDU containing an unrecognized Protocol | ||||
Version (neither 0 nor 1) during this negotiation, it MUST either | ||||
downgrade to a known version or terminate the connection, with an | ||||
Error Report PDU unless the received PDU is itself an Error Report | ||||
PDU. | ||||
The router MUST ignore any Serial Notify PDUs it might receive from | ||||
the cache during this initial start-up period, regardless of the | ||||
Protocol Version field in the Serial Notify PDU. Since Session ID | ||||
and Serial Number values are specific to a particular protocol | ||||
version, the values in the notification are not useful to the router. | ||||
Even if these values were meaningful, the only effect that processing | ||||
the notification would have would be to trigger exactly the same | ||||
Reset Query or Serial Query that the router has already sent as part | ||||
of the not-yet-complete version negotiation process, so there is | ||||
nothing to be gained by processing notifications until version | ||||
negotiation completes. | ||||
Caches SHOULD NOT send Serial Notify PDUs before version negotiation | ||||
completes. Note, however, that routers must handle such | ||||
notifications (by ignoring them) for backwards compatibility with | ||||
caches serving protocol version 0. | ||||
Once the cache and router have agreed upon a Protocol Version via the | ||||
negotiation process above, that version is stable for the life of the | ||||
session. See Section 5.1 for a discussion of the interaction between | ||||
Protocol Version and Session ID. | ||||
If either party receives a PDU for a different Protocol Version once | ||||
the above negotiation completes, that party MUST drop the session; | ||||
unless the PDU containing the unexpected Protocol Version was itself | ||||
an Error Report PDU, the party dropping the session SHOULD send an | ||||
Error Report with an error code of 8 ("Unexpected Protocol Version"). | ||||
8. Protocol Sequences | 8. Protocol Sequences | |||
The sequences of PDU transmissions fall into three conversations as | The sequences of PDU transmissions fall into three conversations as | |||
follows: | follows: | |||
8.1. Start or Restart | 8.1. Start or Restart | |||
Cache Router | Cache Router | |||
~ ~ | ~ ~ | |||
| <----- Reset Query -------- | R requests data (or Serial Query) | | <----- Reset Query -------- | R requests data (or Serial Query) | |||
skipping to change at page 21, line 5 | skipping to change at page 22, line 39 | |||
If unprotected TCP is the transport, the cache and routers MUST be on | If unprotected TCP is the transport, the cache and routers MUST be on | |||
the same trusted and controlled network. | the same trusted and controlled network. | |||
If available to the operator, caches and routers MUST use one of the | If available to the operator, caches and routers MUST use one of the | |||
following more protected protocols. | following more protected protocols. | |||
Caches and routers SHOULD use TCP-AO transport [RFC5925] over the | Caches and routers SHOULD use TCP-AO transport [RFC5925] over the | |||
rpki-rtr port. | rpki-rtr port. | |||
Caches and routers MAY use SSHv2 transport [RFC4252] using a the | Caches and routers MAY use SSHv2 transport [RFC4252] using the normal | |||
normal SSH port. For an example, see Section 9.1. | SSH port. For an example, see Section 9.1. | |||
Caches and routers MAY use TCP MD5 transport [RFC2385] using the | Caches and routers MAY use TCP MD5 transport [RFC2385] using the | |||
rpki-rtr port. Note that TCP MD5 has been obsoleted by TCP-AO | rpki-rtr port. Note that TCP MD5 has been obsoleted by TCP-AO | |||
[RFC5925]. | [RFC5925]. | |||
Caches and routers MAY use IPsec transport [RFC4301] using the rpki- | Caches and routers MAY use TCP over IPsec transport [RFC4301] using | |||
rtr port. | the rpki-rtr port. | |||
Caches and routers MAY use TLS transport [RFC5246] using a port, | Caches and routers MAY use TLS transport [RFC5246] using a port, | |||
rpki-rtr-tls (324); see Section 14. | rpki-rtr-tls (324); see Section 14. | |||
9.1. SSH Transport | 9.1. SSH Transport | |||
To run over SSH, the client router first establishes an SSH transport | To run over SSH, the client router first establishes an SSH transport | |||
connection using the SSHv2 transport protocol, and the client and | connection using the SSHv2 transport protocol, and the client and | |||
server exchange keys for message integrity and encryption. The | server exchange keys for message integrity and encryption. The | |||
client then invokes the "ssh-userauth" service to authenticate the | client then invokes the "ssh-userauth" service to authenticate the | |||
skipping to change at page 24, line 18 | skipping to change at page 26, line 5 | |||
When a more preferred cache becomes available, if resources allow, it | When a more preferred cache becomes available, if resources allow, it | |||
would be prudent for the client to start fetching from that cache. | would be prudent for the client to start fetching from that cache. | |||
The client SHOULD attempt to maintain at least one set of data, | The client SHOULD attempt to maintain at least one set of data, | |||
regardless of whether it has chosen a different cache or established | regardless of whether it has chosen a different cache or established | |||
a new connection to the previous cache. | a new connection to the previous cache. | |||
A client MAY drop the data from a particular cache when it is fully | A client MAY drop the data from a particular cache when it is fully | |||
in sync with one or more other caches. | in sync with one or more other caches. | |||
A client SHOULD delete the data from a cache when it has been unable | See Section 6 for details on what to do when the client is not able | |||
to refresh from that cache for a configurable timer value. The | to refresh from a particular cache. | |||
default for that value is twice the polling period for that cache. | ||||
If a client loses connectivity to a cache it is using, or otherwise | If a client loses connectivity to a cache it is using, or otherwise | |||
decides to switch to a new cache, it SHOULD retain the data from the | decides to switch to a new cache, it SHOULD retain the data from the | |||
previous cache until it has a full set of data from one or more other | previous cache until it has a full set of data from one or more other | |||
caches. Note that this may already be true at the point of | caches. Note that this may already be true at the point of | |||
connection loss if the client has connections to more than one cache. | connection loss if the client has connections to more than one cache. | |||
11. Deployment Scenarios | 11. Deployment Scenarios | |||
For illustration, we present three likely deployment scenarios. | For illustration, we present three likely deployment scenarios. | |||
skipping to change at page 25, line 24 | skipping to change at page 27, line 14 | |||
12. Error Codes | 12. Error Codes | |||
This section contains a preliminary list of error codes. The authors | This section contains a preliminary list of error codes. The authors | |||
expect additions to the list during development of the initial | expect additions to the list during development of the initial | |||
implementations. There is an IANA registry where valid error codes | implementations. There is an IANA registry where valid error codes | |||
are listed; see Section 14. Errors which are considered fatal SHOULD | are listed; see Section 14. Errors which are considered fatal SHOULD | |||
cause the session to be dropped. | cause the session to be dropped. | |||
0: Corrupt Data (fatal): The receiver believes the received PDU to | 0: Corrupt Data (fatal): The receiver believes the received PDU to | |||
be corrupt in a manner not specified by other error codes. | be corrupt in a manner not specified by another error code. | |||
1: Internal Error (fatal): The party reporting the error experienced | 1: Internal Error (fatal): The party reporting the error experienced | |||
some kind of internal error unrelated to protocol operation (ran | some kind of internal error unrelated to protocol operation (ran | |||
out of memory, a coding assertion failed, et cetera). | out of memory, a coding assertion failed, et cetera). | |||
2: No Data Available: The cache believes itself to be in good | 2: No Data Available: The cache believes itself to be in good | |||
working order, but is unable to answer either a Serial Query or a | working order, but is unable to answer either a Serial Query or a | |||
Reset Query because it has no useful data available at this time. | Reset Query because it has no useful data available at this time. | |||
This is likely to be a temporary error, and most likely indicates | This is likely to be a temporary error, and most likely indicates | |||
that the cache has not yet completed pulling down an initial | that the cache has not yet completed pulling down an initial | |||
skipping to change at page 26, line 10 | skipping to change at page 27, line 48 | |||
6: Withdrawal of Unknown Record (fatal): The received PDU has Flag=0 | 6: Withdrawal of Unknown Record (fatal): The received PDU has Flag=0 | |||
but a matching record ({Prefix, Len, Max-Len, ASN} tuple for an | but a matching record ({Prefix, Len, Max-Len, ASN} tuple for an | |||
IPvX PDU, {SKI, ASN, Subject Public Key} tuple for a Router Key | IPvX PDU, {SKI, ASN, Subject Public Key} tuple for a Router Key | |||
PDU) does not exist in the receiver's database. | PDU) does not exist in the receiver's database. | |||
7: Duplicate Announcement Received (fatal): The received PDU has | 7: Duplicate Announcement Received (fatal): The received PDU has | |||
Flag=1 but a matching record ({Prefix, Len, Max-Len, ASN} tuple | Flag=1 but a matching record ({Prefix, Len, Max-Len, ASN} tuple | |||
for an IPvX PDU, {SKI, ASN, Subject Public Key} tuple for a Router | for an IPvX PDU, {SKI, ASN, Subject Public Key} tuple for a Router | |||
Key PDU) is already active in the router. | Key PDU) is already active in the router. | |||
8: Unexpected Protocol Version (fatal): The received PDU has a | ||||
Protocol Version field that differs from the protocol version | ||||
negotiated in Section 7. | ||||
13. Security Considerations | 13. Security Considerations | |||
As this document describes a security protocol, many aspects of | As this document describes a security protocol, many aspects of | |||
security interest are described in the relevant sections. This | security interest are described in the relevant sections. This | |||
section points out issues which may not be obvious in other sections. | section points out issues which may not be obvious in other sections. | |||
Cache Validation: In order for a collection of caches as described | Cache Validation: In order for a collection of caches as described | |||
in Section 11 to guarantee a consistent view, they need to be | in Section 11 to guarantee a consistent view, they need to be | |||
given consistent trust anchors to use in their internal validation | given consistent trust anchors to use in their internal validation | |||
process. Distribution of a consistent trust anchor is assumed to | process. Distribution of a consistent trust anchor is assumed to | |||
skipping to change at page 26, line 36 | skipping to change at page 28, line 31 | |||
be established, as the authorization keys would not match. | be established, as the authorization keys would not match. | |||
Transport Security: The RPKI relies on object, not server or | Transport Security: The RPKI relies on object, not server or | |||
transport, trust. That is, the IANA root trust anchor is | transport, trust. That is, the IANA root trust anchor is | |||
distributed to all caches through some out-of-band means, and can | distributed to all caches through some out-of-band means, and can | |||
then be used by each cache to validate certificates and ROAs all | then be used by each cache to validate certificates and ROAs all | |||
the way down the tree. The inter-cache relationships are based on | the way down the tree. The inter-cache relationships are based on | |||
this object security model; hence, the inter-cache transport can | this object security model; hence, the inter-cache transport can | |||
be lightly protected. | be lightly protected. | |||
But, this protocol document assumes that the routers cannot do the | However, this protocol document assumes that the routers cannot do | |||
validation cryptography. Hence, the last link, from cache to | the validation cryptography. Hence, the last link, from cache to | |||
router, is secured by server authentication and transport-level | router, is secured by server authentication and transport-level | |||
security. This is dangerous, as server authentication and | security. This is dangerous, as server authentication and | |||
transport have very different threat models than object security. | transport have very different threat models than object security. | |||
So, the strength of the trust relationship and the transport | So the strength of the trust relationship and the transport | |||
between the router(s) and the cache(s) are critical. You're | between the router(s) and the cache(s) are critical. You're | |||
betting your routing on this. | betting your routing on this. | |||
While we cannot say the cache must be on the same LAN, if only due | While we cannot say the cache must be on the same LAN, if only due | |||
to the issue of an enterprise wanting to off-load the cache task | to the issue of an enterprise wanting to off-load the cache task | |||
to their upstream ISP(s), locality, trust, and control are very | to their upstream ISP(s), locality, trust, and control are very | |||
critical issues here. The cache(s) really SHOULD be as close, in | critical issues here. The cache(s) really SHOULD be as close, in | |||
the sense of controlled and protected (against DDoS, MITM) | the sense of controlled and protected (against DDoS, MITM) | |||
transport, to the router(s) as possible. It also SHOULD be | transport, to the router(s) as possible. It also SHOULD be | |||
topologically close so that a minimum of validated routing data | topologically close so that a minimum of validated routing data | |||
skipping to change at page 27, line 22 | skipping to change at page 29, line 16 | |||
integrity (see Section 9) must rely on network design and | integrity (see Section 9) must rely on network design and | |||
operational controls to provide protection against spoofing/ | operational controls to provide protection against spoofing/ | |||
corruption attacks. As pointed out in Section 9, TCP-AO is the | corruption attacks. As pointed out in Section 9, TCP-AO is the | |||
long-term plan. Protocols which provide integrity and | long-term plan. Protocols which provide integrity and | |||
authenticity SHOULD be used, and if they cannot, i.e., TCP is used | authenticity SHOULD be used, and if they cannot, i.e., TCP is used | |||
as the transport, the router and cache MUST be on the same | as the transport, the router and cache MUST be on the same | |||
trusted, controlled network. | trusted, controlled network. | |||
14. IANA Considerations | 14. IANA Considerations | |||
IANA has assigned "well-known" TCP Port Numbers to the RPKI-Router | This section only discusses updates required in the existing IANA | |||
Protocol for the following, see Section 9: | protocol registries to accommodate version 1 of this protocol. See | |||
[RFC6810] for IANA Considerations from the original (version 0) | ||||
protocol. | ||||
rpki-rtr | All existing entries in the IANA "rpki-rtr-pdu" registry remain valid | |||
rpki-rtr-tls | for protocol version 0. All of the PDU types allowed in protocol | |||
version 0 are also allowed in protocol version 1, with the addition | ||||
of the new Router Key PDU. To reduce the likelihood of confusion, | ||||
the PDU number used by the Router Key PDU in protocol version 1 is | ||||
hereby registered as reserved (and unused) in protocol version 0. | ||||
IANA has created a registry for tuples of Protocol Version / PDU | The policy for adding to the registry is RFC Required per [RFC5226], | |||
Type, each of which may range from 0 to 255. The name of the | either Standards Track or Experimental. | |||
registry is "rpki-rtr-pdu". The policy for adding to the registry is | ||||
RFC Required per [RFC5226], either Standards Track or Experimental. | Assuming that the registry allows range notation in the Protocol | |||
The initial entries are as follows: | Version field, the updated "rpki-rtr-pdu" registry will be: | |||
Protocol PDU | Protocol PDU | |||
Version Type Description | Version Type Description | |||
-------- ---- --------------- | -------- ---- --------------- | |||
0 0 Serial Notify | 0-1 0 Serial Notify | |||
0 1 Serial Query | 0-1 1 Serial Query | |||
0 2 Reset Query | 0-1 2 Reset Query | |||
0 3 Cache Response | 0-1 3 Cache Response | |||
0 4 IPv4 Prefix | 0-1 4 IPv4 Prefix | |||
0 6 IPv6 Prefix | 0-1 6 IPv6 Prefix | |||
0 7 End of Data | 0-1 7 End of Data | |||
0 8 Cache Reset | 0-1 8 Cache Reset | |||
0 10 Error Report | 0 9 Reserved | |||
0 255 Reserved | 1 9 Router Key | |||
0-1 10 Error Report | ||||
0-1 255 Reserved | ||||
IANA has created a registry for Error Codes 0 to 255. The name of | All exiting entries in the IANA "rpki-rtr-error" registry remain | |||
the registry is "rpki-rtr-error". The policy for adding to the | valid for all protocol versions. Protocol version 1 adds one new | |||
registry is Expert Review per [RFC5226], where the responsible IESG | error code: | |||
Area Director should appoint the Expert Reviewer. The initial | ||||
entries are as follows: | ||||
Error | Error | |||
Code Description | Code Description | |||
----- ---------------- | ----- ---------------- | |||
0 Corrupt Data | 8 Unexpected Protocol Version | |||
1 Internal Error | ||||
2 No Data Available | ||||
3 Invalid Request | ||||
4 Unsupported Protocol Version | ||||
5 Unsupported PDU Type | ||||
6 Withdrawal of Unknown Record | ||||
7 Duplicate Announcement Received | ||||
255 Reserved | ||||
IANA has added an SSH Connection Protocol Subsystem Name, as defined | ||||
in [RFC4250], of "rpki-rtr". | ||||
15. Acknowledgments | 15. Acknowledgments | |||
The authors wish to thank Nils Bars, Steve Bellovin, Tim Bruijnzeels, | The authors wish to thank Nils Bars, Steve Bellovin, Tim Bruijnzeels, | |||
Rex Fernando, Paul Hoffman, Fabian Holler, Russ Housley, Pradosh | Rex Fernando, Richard Hansen, Paul Hoffman, Fabian Holler, Russ | |||
Mohapatra, Keyur Patel, David Mandelberg, Sandy Murphy, Robert | Housley, Pradosh Mohapatra, Keyur Patel, David Mandelberg, Sandy | |||
Raszuk, Andreas Reuter, Thomas C. Schmidt, John Scudder, Ruediger | Murphy, Robert Raszuk, Andreas Reuter, Thomas C. Schmidt, John | |||
Volk, Matthias Waehlisch, and David Ward. Particular thanks go to | Scudder, Ruediger Volk, Matthias Waehlisch, and David Ward. | |||
Hannes Gredler for showing us the dangers of unnecessary fields. | Particular thanks go to Hannes Gredler for showing us the dangers of | |||
unnecessary fields. | ||||
No doubt this list is incomplete. We apologize to any contributor | ||||
whose name we missed. | ||||
16. References | 16. References | |||
16.1. Normative References | 16.1. Normative References | |||
[I-D.ietf-sidr-bgpsec-algs] | [I-D.ietf-sidr-bgpsec-algs] | |||
Turner, S., "BGP Algorithms, Key Formats, & Signature | Turner, S., "BGP Algorithms, Key Formats, & Signature | |||
Formats", draft-ietf-sidr-bgpsec-algs-09 (work in | Formats", draft-ietf-sidr-bgpsec-algs-09 (work in | |||
progress), January 2015. | progress), January 2015. | |||
skipping to change at page 29, line 9 | skipping to change at page 30, line 45 | |||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", RFC 2119, BCP 14, March 1997. | Requirement Levels", RFC 2119, BCP 14, March 1997. | |||
[RFC2385] Heffernan, A., "Protection of BGP Sessions via the TCP MD5 | [RFC2385] Heffernan, A., "Protection of BGP Sessions via the TCP MD5 | |||
Signature Option", RFC 2385, August 1998. | Signature Option", RFC 2385, August 1998. | |||
[RFC3269] Kermode, R. and L. Vicisano, "Author Guidelines for | [RFC3269] Kermode, R. and L. Vicisano, "Author Guidelines for | |||
Reliable Multicast Transport (RMT) Building Blocks and | Reliable Multicast Transport (RMT) Building Blocks and | |||
Protocol Instantiation documents", RFC 3269, April 2002. | Protocol Instantiation documents", RFC 3269, April 2002. | |||
[RFC4250] Lehtinen, S. and C. Lonvick, "The Secure Shell (SSH) | ||||
Protocol Assigned Numbers", RFC 4250, January 2006. | ||||
[RFC4252] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) | [RFC4252] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) | |||
Authentication Protocol", RFC 4252, January 2006. | Authentication Protocol", RFC 4252, January 2006. | |||
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the | [RFC4301] Kent, S. and K. Seo, "Security Architecture for the | |||
Internet Protocol", RFC 4301, December 2005. | Internet Protocol", RFC 4301, December 2005. | |||
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | |||
IANA Considerations Section in RFCs", RFC 5226, BCP 26, | IANA Considerations Section in RFCs", RFC 5226, BCP 26, | |||
May 2008. | May 2008. | |||
skipping to change at page 30, line 35 | skipping to change at page 32, line 21 | |||
Router Implementation Report", RFC 7128, February 2014. | Router Implementation Report", RFC 7128, February 2014. | |||
Authors' Addresses | Authors' Addresses | |||
Randy Bush | Randy Bush | |||
Internet Initiative Japan | Internet Initiative Japan | |||
5147 Crystal Springs | 5147 Crystal Springs | |||
Bainbridge Island, Washington 98110 | Bainbridge Island, Washington 98110 | |||
US | US | |||
Phone: +1 206 780 0431 x1 | ||||
Email: randy@psg.com | Email: randy@psg.com | |||
Rob Austein | Rob Austein | |||
Dragon Research Labs | Dragon Research Labs | |||
Email: sra@hactrn.net | Email: sra@hactrn.net | |||
End of changes. 52 change blocks. | ||||
151 lines changed or deleted | 222 lines changed or added | |||
This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |