BGPsec Router Certificate Rollover
RFC 8634

Document Type RFC - Best Current Practice (August 2019; No errata)
Also known as BCP 224
Last updated 2019-08-07
Replaces draft-ietf-sidr-bgpsec-rollover
Stream IETF
Formats plain text pdf htmlized bibtex
Reviews
Stream WG state Submitted to IESG for Publication
Document shepherd Chris Morrow
Shepherd write-up Show (last changed 2017-10-03)
IESG IESG state RFC 8634 (Best Current Practice)
Consensus Boilerplate Yes
Telechat date
Responsible AD Warren Kumari
Send notices to Chris Morrow <morrowc@ops-netman.net>
IANA IANA review state Version Changed - Review Needed
IANA action state No IANA Actions
Internet Engineering Task Force (IETF)                           B. Weis
Request for Comments: 8634                                   Independent
BCP: 224                                                     R. Gagliano
Category: Best Current Practice                            Cisco Systems
ISSN: 2070-1721                                                 K. Patel
                                                            Arrcus, Inc.
                                                             August 2019

                   BGPsec Router Certificate Rollover

Abstract

   Certification Authorities (CAs) within the Resource Public Key
   Infrastructure (RPKI) manage BGPsec router certificates as well as
   RPKI certificates.  The rollover of BGPsec router certificates must
   be carefully performed in order to synchronize the distribution of
   router public keys with BGPsec UPDATE messages verified with those
   router public keys.  This document describes a safe rollover process,
   and it discusses when and why the rollover of BGPsec router
   certificates is necessary.  When this rollover process is followed,
   the rollover will be performed without routing information being
   lost.

Status of This Memo

   This memo documents an Internet Best Current Practice.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   BCPs is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8634.

Weis, et al.              Best Current Practice                 [Page 1]
RFC 8634               BGPsec Certificate Rollover           August 2019

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Notation . . . . . . . . . . . . . . . . . . . .   4
   3.  Key Rollover in BGPsec  . . . . . . . . . . . . . . . . . . .   4
     3.1.  Rollover Process  . . . . . . . . . . . . . . . . . . . .   5
   4.  BGPsec Router Key Rollover as a Measure against Replay
       Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . .   7
     4.1.  BGP UPDATE Window of Exposure Requirement . . . . . . . .   7
     4.2.  BGPsec Key Rollover as a Mechanism to Protect against
           Replay Attacks  . . . . . . . . . . . . . . . . . . . . .   7
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   9
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   9
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  10
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .  10
     7.2.  Informative References  . . . . . . . . . . . . . . . . .  10
   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .  11
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  11

1.  Introduction

   In BGPsec, a key rollover (or re-key) is the process of changing a
   router's BGPsec key pair (or key pairs), issuing the corresponding
   new BGPsec router certificate, and (if the old certificate is still
   valid) revoking the old certificate.  This process will need to
   happen at regular intervals, normally due to policies of the local
   network.  This document describes a safe rollover process that
   results in a BGPsec receiver always having the needed verification
   keys.  Certification Practice Statement (CPS) documents may reference
   this memo.  This memo only addresses changing of a router's BGPsec
   key pair within the RPKI.  Refer to [RFC6489] for a procedure to roll
   over RPKI Certification Authority key pairs.

Weis, et al.              Best Current Practice                 [Page 2]
RFC 8634               BGPsec Certificate Rollover           August 2019

   When a router receives or creates a new key pair (using a key
   provisioning mechanism), this key pair will be used to sign new
   BGPsec UPDATE messages [RFC8205] that are originated at or that
   transit through the BGP speaker.  Additionally, the BGP speaker will
Show full document text