| draft-ietf-sidr-rpki-rtr-rfc6810-bis-05.txt | draft-ietf-sidr-rpki-rtr-rfc6810-bis-06.txt | |||
|---|---|---|---|---|
| Network Working Group R. Bush | Network Working Group R. Bush | |||
| Internet-Draft Internet Initiative Japan | Internet-Draft Internet Initiative Japan | |||
| Updates: 6810 (if approved) R. Austein | Obsoletes: 6810 (if approved) R. Austein | |||
| Intended status: Standards Track Dragon Research Labs | Intended status: Standards Track Dragon Research Labs | |||
| Expires: February 1, 2016 July 31, 2015 | Expires: April 8, 2016 October 6, 2015 | |||
| The Resource Public Key Infrastructure (RPKI) to Router Protocol | The Resource Public Key Infrastructure (RPKI) to Router Protocol | |||
| draft-ietf-sidr-rpki-rtr-rfc6810-bis-05 | draft-ietf-sidr-rpki-rtr-rfc6810-bis-06 | |||
| Abstract | Abstract | |||
| In order to verifiably validate the origin Autonomous Systems and | In order to verifiably validate the origin Autonomous Systems and | |||
| Autonomous System Paths of BGP announcements, routers need a simple | Autonomous System Paths of BGP announcements, routers need a simple | |||
| but reliable mechanism to receive Resource Public Key Infrastructure | but reliable mechanism to receive Resource Public Key Infrastructure | |||
| (RFC 6480) prefix origin data and router keys from a trusted cache. | (RFC 6480) prefix origin data and router keys from a trusted cache. | |||
| This document describes a protocol to deliver validated prefix origin | This document describes a protocol to deliver validated prefix origin | |||
| data and router keys to routers. | data and router keys to routers. | |||
| skipping to change at page 1, line 38 | skipping to change at page 1, line 38 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on February 1, 2016. | This Internet-Draft will expire on April 8, 2016. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.2. Changes from RFC 6810 . . . . . . . . . . . . . . . . . . 3 | |||
| | 2. Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. Deployment Structure . . . . . . . . . . . . . . . . . . . . 4 | 3. Deployment Structure . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. Operational Overview . . . . . . . . . . . . . . . . . . . . 5 | 4. Operational Overview . . . . . . . . . . . . . . . . . . . . 5 | |||
| 5. Protocol Data Units (PDUs) . . . . . . . . . . . . . . . . . 6 | 5. Protocol Data Units (PDUs) . . . . . . . . . . . . . . . . . 6 | |||
| 5.1. Fields of a PDU . . . . . . . . . . . . . . . . . . . . . 6 | 5.1. Fields of a PDU . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 5.2. Serial Notify . . . . . . . . . . . . . . . . . . . . . . 8 | 5.2. Serial Notify . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 5.3. Serial Query . . . . . . . . . . . . . . . . . . . . . . 9 | 5.3. Serial Query . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 5.4. Reset Query . . . . . . . . . . . . . . . . . . . . . . . 10 | 5.4. Reset Query . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 5.5. Cache Response . . . . . . . . . . . . . . . . . . . . . 10 | 5.5. Cache Response . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 5.6. IPv4 Prefix . . . . . . . . . . . . . . . . . . . . . . . 11 | 5.6. IPv4 Prefix . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 5.7. IPv6 Prefix . . . . . . . . . . . . . . . . . . . . . . . 12 | 5.7. IPv6 Prefix . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 5.8. End of Data . . . . . . . . . . . . . . . . . . . . . . . 13 | 5.8. End of Data . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 5.9. Cache Reset . . . . . . . . . . . . . . . . . . . . . . . 14 | 5.9. Cache Reset . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 5.10. Router Key . . . . . . . . . . . . . . . . . . . . . . . 14 | 5.10. Router Key . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 5.11. Error Report . . . . . . . . . . . . . . . . . . . . . . 15 | 5.11. Error Report . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 6. Protocol Timing Parameters . . . . . . . . . . . . . . . . . 16 | 6. Protocol Timing Parameters . . . . . . . . . . . . . . . . . 17 | |||
| 7. Protocol Version Negotiation . . . . . . . . . . . . . . . . 17 | 7. Protocol Version Negotiation . . . . . . . . . . . . . . . . 18 | |||
| 8. Protocol Sequences . . . . . . . . . . . . . . . . . . . . . 19 | 8. Protocol Sequences . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 8.1. Start or Restart . . . . . . . . . . . . . . . . . . . . 19 | 8.1. Start or Restart . . . . . . . . . . . . . . . . . . . . 20 | |||
| 8.2. Typical Exchange . . . . . . . . . . . . . . . . . . . . 20 | 8.2. Typical Exchange . . . . . . . . . . . . . . . . . . . . 21 | |||
| 8.3. No Incremental Update Available . . . . . . . . . . . . . 20 | 8.3. No Incremental Update Available . . . . . . . . . . . . . 21 | |||
| 8.4. Cache Has No Data Available . . . . . . . . . . . . . . . 21 | 8.4. Cache Has No Data Available . . . . . . . . . . . . . . . 22 | |||
| 9. Transport . . . . . . . . . . . . . . . . . . . . . . . . . . 21 | 9. Transport . . . . . . . . . . . . . . . . . . . . . . . . . . 22 | |||
| 9.1. SSH Transport . . . . . . . . . . . . . . . . . . . . . . 23 | 9.1. SSH Transport . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 9.2. TLS Transport . . . . . . . . . . . . . . . . . . . . . . 23 | 9.2. TLS Transport . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 9.3. TCP MD5 Transport . . . . . . . . . . . . . . . . . . . . 24 | 9.3. TCP MD5 Transport . . . . . . . . . . . . . . . . . . . . 25 | |||
| 9.4. TCP-AO Transport . . . . . . . . . . . . . . . . . . . . 24 | 9.4. TCP-AO Transport . . . . . . . . . . . . . . . . . . . . 25 | |||
| 10. Router-Cache Setup . . . . . . . . . . . . . . . . . . . . . 25 | 10. Router-Cache Setup . . . . . . . . . . . . . . . . . . . . . 26 | |||
| 11. Deployment Scenarios . . . . . . . . . . . . . . . . . . . . 26 | 11. Deployment Scenarios . . . . . . . . . . . . . . . . . . . . 27 | |||
| 12. Error Codes . . . . . . . . . . . . . . . . . . . . . . . . . 27 | 12. Error Codes . . . . . . . . . . . . . . . . . . . . . . . . . 28 | |||
| 13. Security Considerations . . . . . . . . . . . . . . . . . . . 28 | 13. Security Considerations . . . . . . . . . . . . . . . . . . . 29 | |||
| 14. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29 | 14. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 30 | |||
| 15. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 30 | 15. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 31 | |||
| 16. References . . . . . . . . . . . . . . . . . . . . . . . . . 30 | 16. References . . . . . . . . . . . . . . . . . . . . . . . . . 31 | |||
| 16.1. Normative References . . . . . . . . . . . . . . . . . . 30 | 16.1. Normative References . . . . . . . . . . . . . . . . . . 31 | |||
| 16.2. Informative References . . . . . . . . . . . . . . . . . 31 | 16.2. Informative References . . . . . . . . . . . . . . . . . 32 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 32 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 33 | |||
| 1. Introduction | 1. Introduction | |||
| In order to verifiably validate the origin Autonomous Systems (ASes) | In order to verifiably validate the origin Autonomous Systems (ASes) | |||
| and AS paths of BGP announcements, routers need a simple but reliable | and AS paths of BGP announcements, routers need a simple but reliable | |||
| mechanism to receive cryptographically validated Resource Public Key | mechanism to receive cryptographically validated Resource Public Key | |||
| Infrastructure (RPKI) [RFC6480] prefix origin data and router keys | Infrastructure (RPKI) [RFC6480] prefix origin data and router keys | |||
| from a trusted cache. This document describes a protocol to deliver | from a trusted cache. This document describes a protocol to deliver | |||
| validated prefix origin data and router keys to routers. The design | validated prefix origin data and router keys to routers. The design | |||
| is intentionally constrained to be usable on much of the current | is intentionally constrained to be usable on much of the current | |||
| skipping to change at page 3, line 40 | skipping to change at page 3, line 40 | |||
| this protocol with prefix origin data, see [RFC7128]. | this protocol with prefix origin data, see [RFC7128]. | |||
| 1.1. Requirements Language | 1.1. Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [RFC2119] | document are to be interpreted as described in RFC 2119 [RFC2119] | |||
| only when they appear in all upper case. They may also appear in | only when they appear in all upper case. They may also appear in | |||
| lower or mixed case as English words, without special meaning. | lower or mixed case as English words, without special meaning. | |||
| | 1.2. Changes from RFC 6810 | |||
| | The protocol described in this document is largely compatible with | |||
| | [RFC6810]. This section summarizes the significant changes. | |||
| | o New Router Key PDU type (Section 5.10) added. | |||
| | o Explicit timing parameters (Section 5.8, Section 6) added. | |||
| | o Protocol version number incremented from zero to one. | |||
| | o Protocol version number negotiation (Section 7) added. | |||
| 2. Glossary | 2. Glossary | |||
| The following terms are used with special meaning. | The following terms are used with special meaning. | |||
| Global RPKI: The authoritative data of the RPKI are published in a | Global RPKI: The authoritative data of the RPKI are published in a | |||
| distributed set of servers at the IANA, Regional Internet | distributed set of servers at the IANA, Regional Internet | |||
| Registries (RIRs), National Internet Registries (NIRs), and ISPs; | Registries (RIRs), National Internet Registries (NIRs), and ISPs; | |||
| see [RFC6481]. | see [RFC6481]. | |||
| Cache: A coalesced copy of the published Global RPKI data, | Cache: A coalesced copy of the published Global RPKI data, | |||
| skipping to change at page 30, line 19 | skipping to change at page 31, line 19 | |||
| Error | Error | |||
| Code Description | Code Description | |||
| ----- ---------------- | ----- ---------------- | |||
| 8 Unexpected Protocol Version | 8 Unexpected Protocol Version | |||
| 15. Acknowledgments | 15. Acknowledgments | |||
| The authors wish to thank Nils Bars, Steve Bellovin, Tim Bruijnzeels, | The authors wish to thank Nils Bars, Steve Bellovin, Tim Bruijnzeels, | |||
| Rex Fernando, Richard Hansen, Paul Hoffman, Fabian Holler, Russ | Rex Fernando, Richard Hansen, Paul Hoffman, Fabian Holler, Russ | |||
| Housley, Pradosh Mohapatra, Keyur Patel, David Mandelberg, Sandy | Housley, Pradosh Mohapatra, Keyur Patel, David Mandelberg, Sandy | |||
| Murphy, Robert Raszuk, Andreas Reuter, Thomas C. Schmidt, John | Murphy, Robert Raszuk, Andreas Reuter, Thomas C. Schmidt, John | |||
| Scudder, Ruediger Volk, Matthias Waehlisch, and David Ward. | Scudder, Ruediger Volk, Matthias Waehlisch, and David Ward. | |||
| Particular thanks go to Hannes Gredler for showing us the dangers of | Particular thanks go to Hannes Gredler for showing us the dangers of | |||
| unnecessary fields. | unnecessary fields. | |||
| No doubt this list is incomplete. We apologize to any contributor | No doubt this list is incomplete. We apologize to any contributor | |||
| whose name we missed. | whose name we missed. | |||
| 16. References | 16. References | |||
| 16.1. Normative References | 16.1. Normative References | |||
| [I-D.ietf-sidr-bgpsec-algs] | [I-D.ietf-sidr-bgpsec-algs] | |||
| Turner, S., "BGPsec Algorithms, Key Formats, & Signature | Turner, S., "BGPsec Algorithms, Key Formats, & Signature | |||
| Formats", draft-ietf-sidr-bgpsec-algs-10 (work in | Formats", draft-ietf-sidr-bgpsec-algs-11 (work in | |||
| progress), July 2015. | progress), August 2015. | |||
| [RFC1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982, | [RFC1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982, | |||
| August 1996. | August 1996. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", RFC 2119, BCP 14, March 1997. | Requirement Levels", RFC 2119, BCP 14, March 1997. | |||
| [RFC2385] Heffernan, A., "Protection of BGP Sessions via the TCP MD5 | [RFC2385] Heffernan, A., "Protection of BGP Sessions via the TCP MD5 | |||
| Signature Option", RFC 2385, August 1998. | Signature Option", RFC 2385, August 1998. | |||
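
The two version-related items in the new Section 1.2 (version number incremented from zero to one, version negotiation added) and error code 8 "Unexpected Protocol Version" from the Error Codes table can be shown end to end. The following Python is an added example, not code from the draft or from any RTR implementation. It assumes the 8-byte PDU header (version, PDU type, 16-bit session id / zero / error code, 32-bit length) and the Reset Query, Cache Response and Error Report layouts of RFC 6810 Sections 5.1 to 5.10, which this excerpt does not reproduce; the router's step-down-by-one retry policy and the choice that the cache's Error Report carries the highest version the cache supports are assumptions made for the example. The cache handler performs only the version check and returns a bare Cache Response so the sample runs offline; the session id is constructed.

```python
"""Added example: RTR PDU header parsing, the cache-side protocol version check,
and the router-side negotiation driven by Error Report 8. Wire layouts follow
RFC 6810 (assumed here, not shown on this page); policies are assumptions."""
import struct

# version(8) | PDU type(8) | session id / zero / error code(16) | total length(32)
HEADER = struct.Struct("!BBHI")
PDU_RESET_QUERY = 2
PDU_CACHE_RESPONSE = 3
PDU_ERROR_REPORT = 10
ERR_UNEXPECTED_PROTOCOL_VERSION = 8   # error code from the table in this excerpt
CONSTRUCTED_SESSION_ID = 0x1234        # constructed sample value


def parse_header(data):
    """Return (version, pdu_type, field, length); reject short or inconsistent PDUs."""
    if len(data) < HEADER.size:
        raise ValueError("truncated PDU header")
    version, pdu_type, field, length = HEADER.unpack_from(data)
    if length < HEADER.size or length > len(data):
        raise ValueError("length field %d inconsistent with %d bytes" % (length, len(data)))
    return version, pdu_type, field, length


def build_reset_query(version):
    """Reset Query is header-only: zero in the 16-bit field, length 8."""
    return HEADER.pack(version, PDU_RESET_QUERY, 0, HEADER.size)


def build_error_report(version, code, erroneous_pdu=b"", text=""):
    """Error Report: error code in the header's 16-bit field, then a length-prefixed
    copy of the offending PDU and a length-prefixed diagnostic text."""
    text_bytes = text.encode("utf-8")
    body = (struct.pack("!I", len(erroneous_pdu)) + erroneous_pdu +
            struct.pack("!I", len(text_bytes)) + text_bytes)
    return HEADER.pack(version, PDU_ERROR_REPORT, code, HEADER.size + len(body)) + body


def parse_error_report(pdu):
    """Decode an Error Report into its code, encapsulated PDU and text."""
    version, pdu_type, code, _ = parse_header(pdu)
    if pdu_type != PDU_ERROR_REPORT:
        raise ValueError("not an Error Report PDU")
    off = HEADER.size
    (enc_len,) = struct.unpack_from("!I", pdu, off)
    off += 4
    encapsulated = pdu[off:off + enc_len]
    off += enc_len
    (txt_len,) = struct.unpack_from("!I", pdu, off)
    off += 4
    text = pdu[off:off + txt_len].decode("utf-8", "replace")
    return {"version": version, "code": code, "pdu": encapsulated, "text": text}


def make_cache(supported_versions):
    """Minimal cache handler doing only the version check (assumed policy:
    the Error Report is sent in the highest version the cache supports)."""
    best = max(supported_versions)

    def handle(pdu):
        version, _, _, length = parse_header(pdu)
        if version not in supported_versions:
            return build_error_report(best, ERR_UNEXPECTED_PROTOCOL_VERSION,
                                      pdu[:length], "unexpected protocol version")
        # Any supported version: answer with a header-only Cache Response.
        return HEADER.pack(version, PDU_CACHE_RESPONSE, CONSTRUCTED_SESSION_ID, HEADER.size)

    return handle


def router_negotiate(cache, start_version=1, lowest=0):
    """Router side: offer the newest version first; on Error Report 8 step down
    one version and retry (assumed policy). Returns the version the cache accepted."""
    version = start_version
    while version >= lowest:
        reply = cache(build_reset_query(version))
        reply_version, pdu_type, _, _ = parse_header(reply)
        if pdu_type == PDU_ERROR_REPORT:
            report = parse_error_report(reply)
            if report["code"] != ERR_UNEXPECTED_PROTOCOL_VERSION:
                raise RuntimeError("cache returned error code %d" % report["code"])
            version -= 1
            continue
        return reply_version
    raise RuntimeError("no protocol version in common with the cache")


if __name__ == "__main__":
    print("new cache accepts version", router_negotiate(make_cache({0, 1})))
    print("old cache forces version", router_negotiate(make_cache({0})))
```

Against a cache that only speaks version 0, the router's version 1 Reset Query comes back wrapped inside a version 0 Error Report with code 8, and the router retries at version 0; against a cache that supports both, the first query succeeds at version 1. The length sanity check in `parse_header` is the part worth keeping in any real implementation, since the Error Report carries a copy of the offending PDU and a mis-sized length field would otherwise let one malformed PDU corrupt the parse of everything after it.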