[Docs] [txt|pdf] [Tracker] [Email] [Nits]

Versions: 00 01 02 03

Network Working Group                                        S. Krishnan
Internet-Draft                                                  Ericsson
Intended status: Standards Track                       November 02, 2007
Expires: May 5, 2008


           Authorization Certificates for Routers and Proxies
                 draft-krishnan-cgaext-send-cert-eku-00

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on May 5, 2008.

Copyright Notice

   Copyright (C) The IETF Trust (2007).














Krishnan                   Expires May 5, 2008                  [Page 1]


Internet-Draft        Router and Proxy Certificates        November 2007


Abstract

   Secure Neighbor Discovery (SEND) Utilizes X.509v3 certificates for
   performing router authorization.  The certificates that are currently
   recommended can be used for any purpose.  This document specifies the
   extended key usage values for such certificates which explicitly
   states the purpose for which these certificates are used.


Table of Contents

   1.  Requirements notation  . . . . . . . . . . . . . . . . . . . .  3
   2.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
   3.  Extended Key Usage Values  . . . . . . . . . . . . . . . . . .  5
   4.  Security Considerations  . . . . . . . . . . . . . . . . . . .  7
   5.  Normative References . . . . . . . . . . . . . . . . . . . . .  8
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . .  9
   Intellectual Property and Copyright Statements . . . . . . . . . . 10

































Krishnan                   Expires May 5, 2008                  [Page 2]


Internet-Draft        Router and Proxy Certificates        November 2007


1.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].














































Krishnan                   Expires May 5, 2008                  [Page 3]


Internet-Draft        Router and Proxy Certificates        November 2007


2.  Introduction

   Secure Neighbor Discovery [RFC3971] Utilizes X.509v3 certificates for
   performing router authorization.  It uses the X.509 extension for IP
   addresses to verify whether the router is authorized to advertise the
   mentioned IP addresses.  Since the IP addresses extension does not
   mention what functions the node can perform for the IP addresses it
   becomes impossible to know the reason for which the certificate was
   issued.  In order to facilitate issuance of certificates for specific
   functions, we need to utilize the ExtKeyUsageSyntax field of the
   X.509 certificate to mention the purpose for which the certificate
   was issued.  This document specifies two extended key usage values,
   one for routers and one for proxies, for use with SEND.






































Krishnan                   Expires May 5, 2008                  [Page 4]


Internet-Draft        Router and Proxy Certificates        November 2007


3.  Extended Key Usage Values

   The Internet PKI document [RFC3280] specifies the extended key usage
   X.509 certificate extension.  The extension indicates one or more
   purposes for which the certified public key may be used.  The
   extended key usage extension can be used in conjunction with key
   usage extension, which indicates the intended purpose of the
   certified public key.

   The extended key usage extension syntax is repeated here for
   convenience:

     ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId

     KeyPurposeId ::= OBJECT IDENTIFIER

   This specification defines two KeyPurposeId values: one for
   authorizing routers, and one for authorizing proxies.

   The inclusion of the router authorization value indicates that the
   certificate has been issued for allowing the router to advertise
   prefix(es) that are mentioned using the X.509 extensions for IP
   addresses and AS identifiers [RFC3779]

   The inclusion of the proxy authorization value indicates that the
   certificate has been issued for allowing the proxy to perform
   proxying of neighbor discovery messages for the prefix(es) that are
   mentioned using the X.509 extensions for IP addresses and AS
   identifiers [RFC3779]

   Inclusion of both values indicates that the certified public key is
   appropriate for use by a node performing either proxying or
   advertising of prefixes.

     send-kp OBJECT IDENTIFIER ::=
       { iso(1) identified-organization(3) dod(6) internet(1)
         security(5) mechanisms(5) TBA1 }

     id-kp-sendRouter OBJECT IDENTIFIER ::= { send-kp 1 }

     id-kp-sendProxy OBJECT IDENTIFIER ::= { send-kp 2 }

   The extended key usage extension MAY, at the option of the
   certificate issuer, be either critical or non-critical.

   Certificate-using applications MAY require the extended key usage
   extension to be present in a certificate, and they MAY require a
   particular KeyPurposeId value to be present (such as id-kp-sendRouter



Krishnan                   Expires May 5, 2008                  [Page 5]


Internet-Draft        Router and Proxy Certificates        November 2007


   or id-kp-sendProxy) within the extended key usage extension.  If
   multiple KeyPurposeId values are included, the certificate-using
   application need not recognize all of them, as long as the required
   KeyPurposeId value is present.















































Krishnan                   Expires May 5, 2008                  [Page 6]


Internet-Draft        Router and Proxy Certificates        November 2007


4.  Security Considerations

   The certification authority needs to ensure that the correct values
   for the extended key usage are inserted in each certificate that is
   issued.  Relying parties may accept or reject a particular
   certificate for an intended use based on the information provided in
   these extensions.  Incorrect representation of the information in the
   extended key usage field can cause the relying party to reject an
   otherwise appropriate certificate or accept a certificate that ought
   to be rejected.









































Krishnan                   Expires May 5, 2008                  [Page 7]


Internet-Draft        Router and Proxy Certificates        November 2007


5.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3280]  Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
              X.509 Public Key Infrastructure Certificate and
              Certificate Revocation List (CRL) Profile", RFC 3280,
              April 2002.

   [RFC3779]  Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
              Addresses and AS Identifiers", RFC 3779, June 2004.

   [RFC3971]  Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure
              Neighbor Discovery (SEND)", RFC 3971, March 2005.




































Krishnan                   Expires May 5, 2008                  [Page 8]


Internet-Draft        Router and Proxy Certificates        November 2007


Author's Address

   Suresh Krishnan
   Ericsson
   8400 Decarie Blvd.
   Town of Mount Royal, QC
   Canada

   Phone: +1 514 345 7900 x42871
   Email: suresh.krishnan@ericsson.com









































Krishnan                   Expires May 5, 2008                  [Page 9]


Internet-Draft        Router and Proxy Certificates        November 2007


Full Copyright Statement

   Copyright (C) The IETF Trust (2007).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).





Krishnan                   Expires May 5, 2008                 [Page 10]


Html markup produced by rfcmarkup 1.129b, available from https://tools.ietf.org/tools/rfcmarkup/