Validation of Route Origination Using the Resource Certificate Public Key Infrastructure (PKI) and Route Origin Authorizations (ROAs)
RFC 6483
Document type: RFC - Informational (February 2012; No errata)
Last updated: 2015-10-14
Replaces: draft-huston-sidr-roa-validation
Stream: IETF
Formats: plain text, pdf, html, bibtex
WG state: WG Document
Document shepherd: No shepherd assigned
IESG state: RFC 6483 (Informational)
Consensus Boilerplate: Unknown
Responsible AD: Adrian Farrel
IESG note: Sandra Murphy (sandra.murphy@sparta.com) is the document shepherd.
Send notices to: (None)
Internet Engineering Task Force (IETF)                         G. Huston
Request for Comments: 6483                                 G. Michaelson
Category: Informational                                            APNIC
ISSN: 2070-1721                                            February 2012
Validation of Route Origination Using
the Resource Certificate Public Key Infrastructure (PKI) and
Route Origin Authorizations (ROAs)
Abstract
This document defines the semantics of a Route Origin Authorization
(ROA) in the context of applying the Resource Public Key
Infrastructure to validate the origination of routes advertised in
the Border Gateway Protocol.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6483.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Huston & Michaelson Informational [Page 1]
RFC 6483 Route Validation February 2012
Table of Contents
1. Introduction ....................................................2
2. ROA Validation Outcomes for a Route .............................3
3. Applying Validation Outcomes to Route Selection .................5
4. Disavowal of Routing Origination ................................6
5. Route Validation Lifetime .......................................6
6. Security Considerations .........................................7
7. Acknowledgements ................................................7
8. References ......................................................8
8.1. Normative References .......................................8
8.2. Informative References .....................................8
1. Introduction
This document defines the semantics of a Route Origin Authorization
(ROA) in the context of applying the Resource Public Key
Infrastructure (RPKI) [RFC6480] to validate the origination of routes
advertised in the Border Gateway Protocol (BGP) [RFC4271].
The RPKI is based on a hierarchy of resource certificates that are
aligned to the Internet Number Resource allocation structure.
Resource certificates are X.509 certificates that conform to the PKIX
profile [RFC5280], and to the extensions for IP addresses and AS
identifiers [RFC3779]. A resource certificate describes an action by
an issuer that binds a list of IP address blocks and Autonomous
System (AS) numbers to the subject of a certificate, identified by
the unique association of the subject's private key with the public
key contained in the resource certificate. The RPKI is structured
such that each current resource certificate matches a current
resource allocation or assignment. This is further described in
[RFC6480].
ROAs are digitally signed objects that bind an IP address block to an
AS number, and are signed by the holder of that address block. A ROA
provides a means of verifying that an IP address block holder has
authorized a particular AS to originate routes in the inter-domain
routing environment for that address block. ROAs are described in
[RFC6482]. ROAs are intended to fit within the requirements for
adding security to inter-domain routing.
This document describes the semantic interpretation of a ROA, with
particular reference to application in inter-domain routing relating
to the origination of routes, and the intended scope of the authority
that is conveyed in the ROA.
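The following is an added example, not text or code from RFC 6483: it applies the origin-validation outcome rules that Section 2 goes on to define (and the AS 0 disavowal of Section 4) to a route checked against a set of validated ROAs. It assumes the ROA maxLength field defined in RFC 6482 and the outcome names "valid", "invalid" and "unknown"; the ROA records and routes are constructed sample data using documentation prefixes and private-use AS numbers.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class ROA:
    """One validated ROA: an address block, the longest prefix length it
    authorizes (maxLength, RFC 6482) and the AS allowed to originate it."""
    prefix: str
    max_length: int
    asn: int  # AS 0 means "no AS may originate this block" (disavowal)

def roa_covers(roa: ROA, prefix: str) -> bool:
    """A ROA covers a route when the route prefix is the ROA prefix or a
    more specific of it, in the same address family."""
    rp, pp = ip_network(roa.prefix), ip_network(prefix)
    return rp.version == pp.version and pp.subnet_of(rp)

def roa_matches(roa: ROA, prefix: str, origin_as: int) -> bool:
    """A covering ROA matches the route when the origin AS equals the ROA's
    AS and the route prefix length does not exceed maxLength. AS 0 never
    matches, so an AS 0 ROA can only make covered routes invalid."""
    return (roa_covers(roa, prefix)
            and roa.asn != 0
            and roa.asn == origin_as
            and ip_network(prefix).prefixlen <= roa.max_length)

def validate_origin(roas, prefix: str, origin_as: int) -> str:
    """Outcome for one route (prefix, origin AS) against the validated ROAs:
    'unknown' if no ROA covers the prefix, 'valid' if at least one covering
    ROA matches, otherwise 'invalid'."""
    covering = [r for r in roas if roa_covers(r, prefix)]
    if not covering:
        return "unknown"
    if any(roa_matches(r, prefix, origin_as) for r in covering):
        return "valid"
    return "invalid"

# Constructed sample ROAs (documentation prefixes and private-use ASNs).
SAMPLE_ROAS = (
    ROA("192.0.2.0/24", 24, 64496),     # exact /24 only
    ROA("198.51.100.0/22", 24, 64497),  # /22 and more specifics down to /24
    ROA("203.0.113.0/24", 24, 0),       # disavowal: nobody may originate it
)

if __name__ == "__main__":
    for route in (("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                  ("198.51.100.0/24", 64497), ("203.0.113.0/24", 64499),
                  ("10.0.0.0/8", 64496)):
        print(route, validate_origin(SAMPLE_ROAS, *route))
```

Note that a route more specific than maxLength is "invalid" even when the origin AS is the authorized one, which is the case operators most often trip over when they deaggregate a covered block.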
2. ROA Validation Outcomes for a Route
A "route" is a unit of information that associates a set of