draft-ietf-sidr-bgpsec-ops-06.txt vs. draft-ietf-sidr-bgpsec-ops-07.txt

Network Working Group                                            R. Bush
Internet-Draft                                  Internet Initiative Japan
Intended status: Best Current Practice   -06: July 3, 2015 / -07: December 15, 2015
Expires:                                 -06: January 4, 2016 / -07: June 17, 2016

                      BGPsec Operational Considerations
          draft-ietf-sidr-bgpsec-ops-06 / draft-ietf-sidr-bgpsec-ops-07
Abstract

   Deployment of the BGPsec architecture and protocols has many
   operational considerations.  This document attempts to collect and
   present the most critical and universal.  It is expected to evolve as
   BGPsec is formalized and initially deployed.

Requirements Language
skipping to change at page 1, line 41

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on -06: January 4, 2016 / -07: June 17, 2016.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

skipping to change at page 2, line 22
Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Suggested Reading . . . . . . . . . . . . . . . . . . . . . .   3
   3.  RPKI Distribution and Maintenance . . . . . . . . . . . . . .   3
   4.  AS/Router Certificates  . . . . . . . . . . . . . . . . . . .   3
   5.  Within a Network  . . . . . . . . . . . . . . . . . . . . . .   3
   6.  Considerations for Edge Sites . . . . . . . . . . . . . . . .   4
   7.  Routing Policy  . . . . . . . . . . . . . . . . . . . . . . .   4
   8.  Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . .   6

   -06:
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   11. References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     11.1.  Normative References . . . . . . . . . . . . . . . . . .   7
     11.2.  Informative References . . . . . . . . . . . . . . . . .   7
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   8

   -07:
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
   11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .   7
   12. References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     12.1.  Normative References . . . . . . . . . . . . . . . . . .   7
     12.2.  Informative References . . . . . . . . . . . . . . . . .   8
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   8
1.  Introduction

   BGPsec, [I-D.ietf-sidr-bgpsec-overview], is a new protocol with many
   operational considerations.  It is expected to be deployed
   incrementally over a number of years.  As core BGPsec-capable routers
   may require large memory and/or modern CPUs, it is thought that
   origin validation based on the RPKI, [RFC6811], will occur over the
   next two to three years and that BGPsec will start to deploy well

skipping to change at page 5, line 47
   otherwise, a signed path learned via iBGP MAY be Invalid.  If needed,
   the validation state should be signaled by normal local policy
   mechanisms such as communities or metrics.

   On the other hand, local policy on the eBGP edge might preclude iBGP
   or eBGP announcement of signed AS Paths which are Invalid.

   A BGPsec speaker receiving a path SHOULD perform origin validation
   per [RFC6811] and [RFC7115].
   -07 adds:

   A route server is usually 'transparent', most importantly not
   inserting its own AS into the AS_Path, to not lengthen the AS hop
   count and thereby reduce the likelihood of best path selection.  See
   2.2.2 of [I-D.ietf-idr-ix-bgp-route-server].  A BGPsec-aware route
   server needs to validate the incoming BGPSEC_Path, and to forward
   updates which can be validated by clients which know the route
   server's AS.  The route server uses pCount of zero to not increase
   the effective AS hop count.
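Review bot: the new route server paragraph says the route server "uses pCount of zero", but the paragraph that follows has routers default to disallowing a received pCount of 0. The interaction should be stated explicitly in the new text: a route server client must configure that knob to allow pCount 0 for its route server peer, or it will drop every update the route server forwards; as written, a reader could follow both paragraphs and end up with a route server whose updates no client accepts.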
   If it is known that a BGPsec neighbor is not a transparent route
   server, and the router provides a knob to disallow a received pCount
   (prepend count, zero for transparent route servers) of zero, that
   knob SHOULD be applied.  Routers should default to this knob
   disallowing pCount 0.

   To prevent exposure of the internals of BGP Confederations [RFC5065],
   a BGPsec speaker which is a Member-AS of a Confederation MUST NOT
   sign updates sent to another Member-AS of the same Confederation.
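As an added example that is not part of the draft, the following Python models the rules above as a policy engine might implement them: the receive-side knob that rejects pCount 0 from any peer not configured as a transparent route server (the default), the effective AS hop count that a route server's pCount-0 segment leaves unchanged, and the confederation rule against signing to another Member-AS. Segment, Speaker and the AS numbers are constructed stand-ins, not the protocol's own structures.

```python
# Added example, not text from the draft: a small policy model of the
# receive-side pCount rule and the confederation signing rule above.
# Segment/Speaker are simplified stand-ins for the real BGPsec structures.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Segment:
    asn: int
    pcount: int  # prepend count; zero only for transparent route servers


@dataclass
class Speaker:
    asn: int
    transparent_route_server: bool = False  # knob default: disallow pCount 0
    confederation: Optional[int] = None     # confederation id, if a Member-AS


def effective_hop_count(path: List[Segment]) -> int:
    """AS hop count as best-path selection sees it: the sum of pCounts,
    so a route server segment with pCount 0 adds no hop."""
    return sum(seg.pcount for seg in path)


def accept_update(path: List[Segment], peer: Speaker) -> Tuple[bool, str]:
    """Receive-side check of the segment the peer just added (index 0):
    pCount 0 is accepted only from a peer configured as a route server."""
    if not path:
        return False, "empty Secure_Path"
    newest = path[0]
    if newest.pcount == 0 and not peer.transparent_route_server:
        return False, f"pCount 0 from AS {newest.asn}: not a configured route server"
    return True, "ok"


def should_sign(local: Speaker, neighbor: Speaker) -> bool:
    """Send-side rule: a Member-AS MUST NOT sign updates sent to another
    Member-AS of the same confederation."""
    same_confed = (local.confederation is not None
                   and local.confederation == neighbor.confederation)
    return not same_confed


# Constructed scenario: prefix originated by AS 64500, once learned directly
# and once through a transparent route server in AS 64496 (pCount 0).
DIRECT = [Segment(64500, 1)]
VIA_RS = [Segment(64496, 0), Segment(64500, 1)]

if __name__ == "__main__":
    print(effective_hop_count(DIRECT), effective_hop_count(VIA_RS))  # 1 1
    print(accept_update(VIA_RS, Speaker(64496)))  # rejected by the default knob
    print(accept_update(VIA_RS, Speaker(64496, transparent_route_server=True)))
```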
skipping to change at page 7, line 5 (-06) / page 7, line 14 (-07)

9.  Security Considerations

   The major security considerations for the BGPsec protocol are
   described in [I-D.ietf-sidr-bgpsec-protocol].

10.  IANA Considerations

   This document has no IANA Considerations.

   -06:

11.  References

11.1.  Normative References

   -07:

11.  Acknowledgments

   The author wishes to thank the BGPsec design group, Thomas King, and
   Arnold Nipper.

12.  References

12.1.  Normative References
   [I-D.ietf-sidr-bgpsec-overview]
              Lepinski, M. and S. Turner, "An Overview of BGPSEC",
              draft-ietf-sidr-bgpsec-overview-02 (work in progress), May
              2012.

   [I-D.ietf-sidr-bgpsec-protocol]
              Lepinski, M., "BGPSEC Protocol Specification", draft-ietf-
              sidr-bgpsec-protocol-07 (work in progress), February 2013.

skipping to change at page 7, line 35 (-06) / page 7, line 49 (-07)

              Resource Certificate Repository Structure", RFC 6481,
              February 2012.

   [RFC6482]  Lepinski, M., Kent, S., and D. Kong, "A Profile for Route
              Origin Authorizations (ROAs)", RFC 6482, February 2012.

   [RFC6493]  Bush, R., "The Resource Public Key Infrastructure (RPKI)
              Ghostbusters Record", RFC 6493, February 2012.

   [RFC7115]  Bush, R., "Origin Validation Operation Based on the
              Resource Public Key Infrastructure (RPKI)", BCP 185,
              RFC 7115, January 2014 (-07 adds: DOI 10.17487/RFC7115,
              <http://www.rfc-editor.org/info/rfc7115>).
11.2. (-06) / 12.2. (-07)  Informative References

   -07 adds:

   [I-D.ietf-idr-ix-bgp-route-server]
              Jasinska, E., Hilliard, N., Raszuk, R., and N. Bakker,
              "Internet Exchange Route Server", draft-ietf-idr-ix-bgp-
              route-server-02 (work in progress), February 2013.

   [I-D.ietf-sidr-bgpsec-rollover]
              Gagliano, R., Patel, K., and B. Weis, "BGPSEC router key
              rollover as an alternative to beaconing", draft-ietf-sidr-
              bgpsec-rollover-01 (work in progress), October 2012.

   [I-D.ietf-sidr-rtr-keying]
              Turner, S., Patel, K., and R. Bush, "Router Keying for
              BGPsec", draft-ietf-sidr-rtr-keying-01 (work in progress),
              February 2013.
skipping to change at page 8, line 18 (-06) / page 8, line 38 (-07)

   [RFC5905]  Mills, D., Martin, J., Burbank, J., and W. Kasch, "Network
              Time Protocol Version 4: Protocol and Algorithms
              Specification", RFC 5905, June 2010.

   [RFC6811]  Mohapatra, P., Scudder, J., Ward, D., Bush, R., and R.
              Austein, "BGP Prefix Origin Validation", RFC 6811, January
              2013.

   [RFC6916]  Gagliano, R., Kent, S., and S. Turner, "Algorithm Agility
              Procedure for the Resource Public Key Infrastructure
              (RPKI)", BCP 182, RFC 6916, April 2013 (-07 adds: DOI
              10.17487/RFC6916, <http://www.rfc-editor.org/info/rfc6916>).

Author's Address

   Randy Bush
   Internet Initiative Japan
   5147 Crystal Springs
   Bainbridge Island, Washington  98110
   US

   Email: randy@psg.com

End of changes.  10 change blocks.
15 lines changed or deleted, 37 lines changed or added.

This html diff was produced by rfcdiff 1.42.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/