draft-ietf-sidr-rpki-rtr-rfc6810-bis-08.txt | draft-ietf-sidr-rpki-rtr-rfc6810-bis-09.txt | |||
---|---|---|---|---|
Network Working Group R. Bush | Network Working Group R. Bush | |||
Internet-Draft Internet Initiative Japan | Internet-Draft Internet Initiative Japan | |||
Intended status: Standards Track R. Austein | Updates: 6810 (if approved) R. Austein | |||
Expires: July 11, 2017 Dragon Research Labs | Intended status: Standards Track Dragon Research Labs | |||
January 7, 2017 | Expires: August 21, 2017 February 17, 2017 | |||
The Resource Public Key Infrastructure (RPKI) to Router Protocol | The Resource Public Key Infrastructure (RPKI) to Router Protocol, | |||
draft-ietf-sidr-rpki-rtr-rfc6810-bis-08 | Version 1 | |||
draft-ietf-sidr-rpki-rtr-rfc6810-bis-09 | ||||
Abstract | Abstract | |||
In order to verifiably validate the origin Autonomous Systems and | In order to verifiably validate the origin Autonomous Systems and | |||
Autonomous System Paths of BGP announcements, routers need a simple | Autonomous System Paths of BGP announcements, routers need a simple | |||
but reliable mechanism to receive Resource Public Key Infrastructure | but reliable mechanism to receive Resource Public Key Infrastructure | |||
(RFC 6480) prefix origin data and router keys from a trusted cache. | (RFC 6480) prefix origin data and router keys from a trusted cache. | |||
This document describes a protocol to deliver them. | This document describes a protocol to deliver them. | |||
This document describes version 1 of the rpki-rtr protocol. RFC 6810 | This document describes version 1 of the rpki-rtr protocol. RFC 6810 | |||
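Review bot: the new "Updates: 6810 (if approved)" header line needs to be checked for consistency with the abstract and with Section 7. The abstract's last visible sentence ("This document describes version 1 of the rpki-rtr protocol. RFC 6810 ...") is cut off in this diff, and Section 7 still requires a version 1 cache that receives a version 0 query to either downgrade to RFC 6810 behaviour or answer with Error Code 4 and close the connection; that is update semantics (version 0 remains a valid peer behaviour), so make sure the abstract says the document updates rather than obsoletes RFC 6810.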
skipping to change at page 1, line 38 | skipping to change at page 1, line 39 | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on July 11, 2017. | This Internet-Draft will expire on August 21, 2017. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2017 IETF Trust and the persons identified as the | Copyright (c) 2017 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 5, line 29 | skipping to change at page 5, line 29 | |||
caches with which it has client/server relationships. It is | caches with which it has client/server relationships. It is | |||
configured with a semi-ordered list of caches, and establishes a | configured with a semi-ordered list of caches, and establishes a | |||
connection to the most preferred cache, or set of caches, which | connection to the most preferred cache, or set of caches, which | |||
accept the connections. | accept the connections. | |||
The router MUST choose the most preferred, by configuration, cache or | The router MUST choose the most preferred, by configuration, cache or | |||
set of caches so that the operator may control load on their caches | set of caches so that the operator may control load on their caches | |||
and the Global RPKI. | and the Global RPKI. | |||
Periodically, the router sends to the cache the most recent Serial | Periodically, the router sends to the cache the most recent Serial | |||
Number for which it has has received data from that cache, i.e., the | Number for which it has received data from that cache, i.e., the | |||
router's current Serial Number, in the form of a Serial Query. When | router's current Serial Number, in the form of a Serial Query. When | |||
a router establishes a new session with a cache, or wishes to reset a | a router establishes a new session with a cache, or wishes to reset a | |||
current relationship, it sends a Reset Query. | current relationship, it sends a Reset Query. | |||
The cache responds to the Serial Query with all data changes which | The cache responds to the Serial Query with all data changes which | |||
took place since the given Serial Number. This may be the null set, | took place since the given Serial Number. This may be the null set, | |||
in which case the End of Data PDU is still sent. Note that the | in which case the End of Data PDU is still sent. Note that the | |||
Serial Number comparison used to determine "since the given Serial | Serial Number comparison used to determine "since the given Serial | |||
Number" MUST take wrap-around into account, see [RFC1982]. | Number" MUST take wrap-around into account, see [RFC1982]. | |||
skipping to change at page 6, line 26 | skipping to change at page 6, line 26 | |||
Attestations; see [RFC6480]), which are time dependent, servers' | Attestations; see [RFC6480]), which are time dependent, servers' | |||
clocks MUST be correct to a tolerance of approximately an hour. | clocks MUST be correct to a tolerance of approximately an hour. | |||
5. Protocol Data Units (PDUs) | 5. Protocol Data Units (PDUs) | |||
The exchanges between the cache and the router are sequences of | The exchanges between the cache and the router are sequences of | |||
exchanges of the following PDUs according to the rules described in | exchanges of the following PDUs according to the rules described in | |||
Section 8. | Section 8. | |||
Reserved fields (marked "zero" in PDU diagrams) MUST be zero on | Reserved fields (marked "zero" in PDU diagrams) MUST be zero on | |||
transmission, and SHOULD be ignored on receipt. | transmission, and MUST be ignored on receipt. | |||
5.1. Fields of a PDU | 5.1. Fields of a PDU | |||
PDUs contain the following data elements: | PDUs contain the following data elements: | |||
Protocol Version: An eight-bit unsigned integer, currently 1, | Protocol Version: An eight-bit unsigned integer, currently 1, | |||
denoting the version of this protocol. | denoting the version of this protocol. | |||
PDU Type: An eight-bit unsigned integer, denoting the type of the | PDU Type: An eight-bit unsigned integer, denoting the type of the | |||
PDU, e.g., IPv4 Prefix, etc. | PDU, e.g., IPv4 Prefix, etc. | |||
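Review bot: changing the reserved-field rule from "SHOULD be ignored on receipt" to "MUST be ignored on receipt" removes any latitude for a receiver to reject a PDU whose reserved fields are non-zero. That is the right choice for forward compatibility (a later version can assign those bits without breaking version 1 peers), but it also means "MUST be zero on transmission" is no longer enforceable at the receiver. Say explicitly that a non-zero reserved field is not grounds for an Error Report PDU or for dropping the session, and confirm that the per-PDU flags text at page 8 uses the same MUST so the two rules cannot drift apart.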
skipping to change at page 8, line 21 | skipping to change at page 8, line 21 | |||
IPv6), the flag indicates whether this PDU announces a new right | IPv6), the flag indicates whether this PDU announces a new right | |||
to announce the prefix or withdraws a previously announced right; | to announce the prefix or withdraws a previously announced right; | |||
a withdraw effectively deletes one previously announced Prefix PDU | a withdraw effectively deletes one previously announced Prefix PDU | |||
with the exact same Prefix, Length, Max-Len, and Autonomous System | with the exact same Prefix, Length, Max-Len, and Autonomous System | |||
Number (ASN). Similarly, for a Router Key PDU, the flag indicates | Number (ASN). Similarly, for a Router Key PDU, the flag indicates | |||
whether this PDU announces a new Router Key or deletes one | whether this PDU announces a new Router Key or deletes one | |||
previously announced Router Key PDU with the exact same AS Number, | previously announced Router Key PDU with the exact same AS Number, | |||
subjectKeyIdentifier, and subjectPublicKeyInfo. | subjectKeyIdentifier, and subjectPublicKeyInfo. | |||
The remaining bits in the flags field are reserved for future use. | The remaining bits in the flags field are reserved for future use. | |||
In protocol version 1, they MUST be 0 on transmission and SHOULD | In protocol version 1, they MUST be 0 on transmission and MUST be | |||
be ignored on receipt. | ignored on receipt. | |||
Prefix Length: An 8-bit unsigned integer denoting the shortest | Prefix Length: An 8-bit unsigned integer denoting the shortest | |||
prefix allowed for the Prefix element. | prefix allowed by the Prefix element. | |||
Max Length: An 8-bit unsigned integer denoting the longest prefix | Max Length: An 8-bit unsigned integer denoting the longest prefix | |||
allowed by the Prefix element. This MUST NOT be less than the | allowed by the Prefix element. This MUST NOT be less than the | |||
Prefix Length element. | Prefix Length element. | |||
Prefix: The IPv4 or IPv6 prefix of the ROA. | Prefix: The IPv4 or IPv6 prefix of the ROA. | |||
Autonomous System Number: A 32-bit unsigned integer representing an | Autonomous System Number: A 32-bit unsigned integer representing an | |||
ASN allowed to announce a prefix or associated with a router key. | ASN allowed to announce a prefix or associated with a router key. | |||
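Review bot: the flags-field change ("MUST be ignored") matches the Section 5 reserved-field rule, good. Two points on the rest of this hunk. First, after the "allowed for" to "allowed by" edit the Prefix Length and Max Length definitions read almost identically, which obscures that Prefix Length is the length of the Prefix field itself rather than a second bound; "the length of the Prefix element" would be clearer. Second, "Max Length ... MUST NOT be less than the Prefix Length element" constrains only the sender. State what a receiver does with a PDU that violates it (ignore the PDU, or send an Error Report and drop the session): a route covered by the Prefix necessarily has a length of at least Prefix Length, so an entry with Max Length shorter than Prefix Length can never match anything and silently accepting it only hides a broken or misbehaving cache.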
skipping to change at page 16, line 25 | skipping to change at page 16, line 25 | |||
Also note that it is possible, albeit very unlikely, for multiple | Also note that it is possible, albeit very unlikely, for multiple | |||
distinct Subject Public Key values to hash to the same SKI. For this | distinct Subject Public Key values to hash to the same SKI. For this | |||
reason, implementations MUST compare Subject Public Key values as | reason, implementations MUST compare Subject Public Key values as | |||
well as SKIs when detecting duplicate PDUs. | well as SKIs when detecting duplicate PDUs. | |||
5.11. Error Report | 5.11. Error Report | |||
This PDU is used by either party to report an error to the other. | This PDU is used by either party to report an error to the other. | |||
Error reports are only sent as responses to other PDUs, not to report | Error reports are only sent as responses to other PDUs, not to report | |||
errors in Error Report PDUS. | errors in Error Report PDUs. | |||
The Error Code is described in Section 12. | The Error Code is described in Section 12. | |||
If the error is generic (e.g., "Internal Error") and not associated | If the error is generic (e.g., "Internal Error") and not associated | |||
with the PDU to which it is responding, the Erroneous PDU field MUST | with the PDU to which it is responding, the Erroneous PDU field MUST | |||
be empty and the Length of Encapsulated PDU field MUST be zero. | be empty and the Length of Encapsulated PDU field MUST be zero. | |||
An Error Report PDU MUST NOT be sent for an Error Report PDU. If an | An Error Report PDU MUST NOT be sent for an Error Report PDU. If an | |||
erroneous Error Report PDU is received, the session SHOULD be | erroneous Error Report PDU is received, the session SHOULD be | |||
dropped. | dropped. | |||
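Review bot: "PDUS" to "PDUs" is correct. While this paragraph is open: "Error reports are only sent as responses to other PDUs, not to report errors in Error Report PDUs" and the later "An Error Report PDU MUST NOT be sent for an Error Report PDU" state the same rule twice; keep the normative MUST NOT sentence and fold the first into it. Also, "the session SHOULD be dropped" on receipt of an erroneous Error Report is noticeably weaker than the surrounding MUSTs; if there is a case in which a router should keep the session open after a malformed Error Report, say what it is, otherwise make it a MUST.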
skipping to change at page 18, line 44 | skipping to change at page 18, line 44 | |||
Minimum allowed value: 600 seconds (ten minutes). | Minimum allowed value: 600 seconds (ten minutes). | |||
Maximum allowed value: 172800 seconds (two days). | Maximum allowed value: 172800 seconds (two days). | |||
Recommended default: 7200 seconds (two hours). | Recommended default: 7200 seconds (two hours). | |||
If the router has never issued a successful query against a | If the router has never issued a successful query against a | |||
particular cache, it SHOULD retry periodically using the default | particular cache, it SHOULD retry periodically using the default | |||
Retry Interval, above. | Retry Interval, above. | |||
Caches MUST set Expire Interval to a value larger than either Refresh | ||||
Interval or Retry Interval. | ||||
7. Protocol Version Negotiation | 7. Protocol Version Negotiation | |||
A router MUST start each transport connection by issuing either a | A router MUST start each transport connection by issuing either a | |||
Reset Query or a Serial Query. This query will tell the cache which | Reset Query or a Serial Query. This query will tell the cache which | |||
version of this protocol the router implements. | version of this protocol the router implements. | |||
If a cache which supports version 1 receives a query from a router | If a cache which supports version 1 receives a query from a router | |||
which specifies version 0, the cache MUST downgrade to protocol | which specifies version 0, the cache MUST downgrade to protocol | |||
version 0 [RFC6810] or send a version 1 Error Report PDU with Error | version 0 [RFC6810] or send a version 1 Error Report PDU with Error | |||
Code 4 ("Unsupported Protocol Version") and terminate the connection. | Code 4 ("Unsupported Protocol Version") and terminate the connection. | |||
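Review bot: the added "Caches MUST set Expire Interval to a value larger than either Refresh Interval or Retry Interval" is ambiguous: "larger than either" can be read as larger than at least one of the two. The intent is presumably larger than both (otherwise a router's data can expire before it is even due to refresh or retry), so write "larger than both the Refresh Interval and the Retry Interval". The rule is also stated only for the cache; add what a router does when the intervals it receives from a cache violate it (reject them with an Error Report and drop the session, or fall back to the defaults), since a misconfigured or hostile cache could otherwise hand out an Expire Interval that makes routers discard validated data between refreshes. Check too that the minimum and maximum listed at the top of this hunk remain reachable under the new constraint.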
End of changes. 9 change blocks. 12 lines changed or deleted, 16 lines changed or added.
This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/