A Profile for BGPsec Router Certificates, Certificate Revocation Lists, and Certification Requests
RFC 8209
| | Field | Value |
|---|---|---|
| Document | Type | RFC - Proposed Standard (September 2017; No errata); Updates RFC 6487 |
| | Authors | Mark Reynolds, Sean Turner, Stephen Kent |
| | Last updated | 2017-09-27 |
| | Replaces | draft-turner-sidr-bgpsec-pki-profiles |
| | Stream | IETF |
| Stream | WG state | Submitted to IESG for Publication |
| | Document shepherd | Chris Morrow |
| | Shepherd write-up | last changed 2016-06-24 |
| IESG | IESG state | RFC 8209 (Proposed Standard) |
| | Action Holders | (None) |
| | Consensus Boilerplate | Yes |
| | Responsible AD | Alvaro Retana |
| | Send notices to | "Chris Morrow" <morrowc@ops-netman.net>, aretana@cisco.com |
| IANA | IANA review state | Version Changed - Review Needed |
| | IANA action state | RFC-Ed-Ack |
Internet Engineering Task Force (IETF)
Request for Comments: 8209
Updates: 6487
Category: Standards Track
ISSN: 2070-1721

M. Reynolds, IPSw
S. Turner, sn3rd
S. Kent, BBN
September 2017

A Profile for BGPsec Router Certificates, Certificate Revocation Lists, and Certification Requests

Abstract

This document defines a standard profile for X.509 certificates used to enable validation of Autonomous System (AS) paths in the Border Gateway Protocol (BGP), as part of an extension to that protocol known as BGPsec. BGP is the standard for inter-domain routing in the Internet; it is the "glue" that holds the Internet together. BGPsec is being developed as one component of a solution that addresses the requirement to provide security for BGP. The goal of BGPsec is to provide full AS path validation based on the use of strong cryptographic primitives.

The end entity (EE) certificates specified by this profile are issued to routers within an AS. Each of these certificates is issued under a Resource Public Key Infrastructure (RPKI) Certification Authority (CA) certificate. These CA certificates and EE certificates both contain the AS Resource extension. An EE certificate of this type asserts that the router or routers holding the corresponding private key are authorized to emit secure route advertisements on behalf of the AS(es) specified in the certificate.

This document also profiles the format of certification requests and specifies Relying Party (RP) certificate path validation procedures for these EE certificates. This document extends the RPKI; therefore, this document updates the RPKI Resource Certificates Profile (RFC 6487).

Reynolds, et al. Standards Track [Page 1]
RFC 8209 BGPsec Router PKI Profile September 2017

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8209.

Copyright Notice

Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction
   1.1. Terminology
2. Describing Resources in Certificates
3. Updates to RFC 6487
   3.1. BGPsec Router Certificate Fields
      3.1.1. Subject
      3.1.2. Subject Public Key Info
      3.1.3. BGPsec Router Certificate Version 3 Extension Fields
         3.1.3.1. Basic Constraints
         3.1.3.2. Extended Key Usage
         3.1.3.3. Subject Information Access
         3.1.3.4. IP Resources
         3.1.3.5. AS Resources
   3.2. BGPsec Router Certificate Request Profile
   3.3. BGPsec Router Certificate Validation
   3.4. Router Certificates and Signing Functions in the RPKI
4. Design Notes