draft-ietf-sidr-iana-objects-02.txt   draft-ietf-sidr-iana-objects-03.txt 
Network Working Group T. Manderson Network Working Group T. Manderson
Internet-Draft L. Vegoda Internet-Draft L. Vegoda
Intended status: Standards Track ICANN Intended status: Standards Track ICANN
Expires: October 10, 2011 S. Kent Expires: November 12, 2011 S. Kent
BBN BBN
April 8, 2011 May 11, 2011
RPKI Objects issued by IANA RPKI Objects issued by IANA
draft-ietf-sidr-iana-objects-02.txt draft-ietf-sidr-iana-objects-03.txt
Abstract Abstract
This document provides specific direction to IANA as to the Resource This document provides specific direction to IANA as to the Resource
Public Key Infrastructure (RPKI) objects it should issue. Public Key Infrastructure (RPKI) objects it should issue.
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
skipping to change at page 1, line 33 skipping to change at page 1, line 33
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 10, 2011. This Internet-Draft will expire on November 12, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Requirements Notation . . . . . . . . . . . . . . . . . . . . 3 1. Requirements Notation . . . . . . . . . . . . . . . . . . . . 3
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Suggested Reading . . . . . . . . . . . . . . . . . . . . . . 5 3. Required Reading . . . . . . . . . . . . . . . . . . . . . . . 5
4. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 6 4. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 6
5. Reserved Resources . . . . . . . . . . . . . . . . . . . . . . 7 5. Reserved Resources . . . . . . . . . . . . . . . . . . . . . . 7
6. Unallocated Resources . . . . . . . . . . . . . . . . . . . . 8 6. Unallocated Resources . . . . . . . . . . . . . . . . . . . . 8
7. Special Purpose Registry Resources . . . . . . . . . . . . . . 9 7. Special Purpose Registry Resources . . . . . . . . . . . . . . 9
8. Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . 10 8. Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . 10
9. Informational Objects . . . . . . . . . . . . . . . . . . . . 11 9. Informational Objects . . . . . . . . . . . . . . . . . . . . 11
10. Certificates and CRLs . . . . . . . . . . . . . . . . . . . . 12 10. Certificates and CRLs . . . . . . . . . . . . . . . . . . . . 12
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
12. Security Considerations . . . . . . . . . . . . . . . . . . . 14 12. Security Considerations . . . . . . . . . . . . . . . . . . . 14
13. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 15 13. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 15
skipping to change at page 4, line 10 skipping to change at page 4, line 10
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. Introduction 2. Introduction
An Infrastructure to Support Secure Internet Routing An Infrastructure to Support Secure Internet Routing
[I-D.ietf-sidr-arch] directs IANA [RFC2860] to issue Resource Public [I-D.ietf-sidr-arch] directs IANA [RFC2860] to issue Resource Public
Key Infrastructure (RPKI) objects for which it is authoritative. Key Infrastructure (RPKI) objects for which it is authoritative.
This document describes the objects IANA will issue. This document describes the objects IANA will issue. If IANA is
directed to issue additional RPKI objects in future, this document
will be revised and a new version issued.
The signed objects described here that IANA will issue are the The signed objects described here that IANA will issue are the
unallocated, reserved, special use IPv4 and IPv6 address blocks, and unallocated, reserved, special use IPv4 and IPv6 address blocks, and
reserved Autonomous System numbers. These number resources are the unallocated and reserved Autonomous System numbers. These number
managed by IANA for the IETF, and thus IANA bears the responsibility resources are managed by IANA for the IETF, and thus IANA bears the
of issuing the corresponding RPKI objects. The reader is encouraged responsibility of issuing the corresponding RPKI objects. The reader
to consider the technical effects on the public routing system of the is encouraged to consider the technical effects on the public routing
signed object issuance proposed for IANA in this document. system of the signed object issuance proposed for IANA in this
document.
This document does not deal with localized BGP [RFC4271] routing This document does not deal with BGP [RFC4271] routing systems as
systems as those are under the policy controls of the organizations those are under the policy controls of the organizations that operate
that operate them. Readers are directed to Local Trust Anchor them. Readers are directed to Local Trust Anchor Management for the
Management for the Resource Public Key Infrastructure Resource Public Key Infrastructure [I-D.ietf-sidr-ltamgmt] for a
[I-D.ietf-sidr-ltamgmt] for a description of how to locally override description of how to locally override IANA issued objects, e.g. to
IANA issued objects, e.g. to enable use of unallocated, reserved, and enable use of unallocated, reserved, and special use IPv4 and IPv6
special use IPv4 and IPv6 address blocks in a local context. address blocks in a local context.
The direction to IANA contained herein follows the ideal that it The direction to IANA contained herein follows the ideal that it
should represent the perfect technical behavior in registry, and should represent the ideal technical behavior for registry, and
related registry, actions. related registry, actions.
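Review bot: the rewritten second paragraph of Section 2 now lists "the unallocated and reserved Autonomous System numbers" among the signed objects IANA will issue, but nothing later in the draft says which object carries that assertion. Sections 5 through 8 direct AS0 ROAs only for IPv4 and IPv6 prefixes, and a ROA (Section 4) authorizes an origin AS for a prefix, so it cannot cover an AS number. Either name the object (for example, that unallocated and reserved ASNs appear only in the RFC 3779 extensions of the CA certificate described in Section 10, with no ROA) or remove ASNs from this sentence. Separately, "the ideal technical behavior for registry, and related registry, actions" still reads awkwardly; "the ideal technical behavior for registry and related registry actions" says the same thing.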
3. Suggested Reading 3. Required Reading
Readers should be familiar with the RPKI, the RPKI Repository Readers should be familiar with the RPKI, the RPKI Repository
Structure, and the various RPKI objects, uses and interpretations Structure, and the various RPKI objects, uses and interpretations
described in the following: [I-D.ietf-sidr-arch], described in the following: [I-D.ietf-sidr-arch],
[I-D.ietf-sidr-res-certs], [I-D.ietf-sidr-roa-format], [I-D.ietf-sidr-res-certs], [I-D.ietf-sidr-roa-format],
[I-D.ietf-sidr-ghostbusters], [I-D.ietf-sidr-ltamgmt], [I-D.ietf-sidr-ghostbusters], [I-D.ietf-sidr-ltamgmt],
[I-D.ietf-sidr-roa-validation], [I-D.ietf-sidr-usecases], [I-D.ietf-sidr-roa-validation], [I-D.ietf-sidr-usecases],
[I-D.ietf-sidr-cp], and [I-D.ietf-sidr-rpki-manifests]. [I-D.ietf-sidr-cp], and [I-D.ietf-sidr-rpki-manifests].
NOTE: The addresses used in this document are not example addresses NOTE: The addresses used in this document are not example addresses
therefore they are not compliant with [RFC3849], [RFC5735], and therefore they are not compliant with [RFC3849], [RFC5735], and
[RFC5771]. This is intentional as the practices described in this [RFC5771]. This is intentional as the practices described in this
document affect real world addresses. document are directed to specific instances of real world addresses.
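Review bot: the heading changes from "Suggested Reading" to "Required Reading", but the body under it still says "Readers should be familiar with", and two of the listed documents, [I-D.ietf-sidr-ltamgmt] and [I-D.ietf-sidr-usecases], appear under Informative References in Section 14.2. If the reading is required, make the body match the heading and check that everything listed is a Normative Reference; otherwise keep "Suggested".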
4. Definitions 4. Definitions
Internet Number Resources (INR): The number identifiers for IPv4 Internet Number Resources (INR): The number identifiers for IPv4
[RFC0791] and IPv6 [RFC2460] addresses, and for Autonomous Systems. [RFC0791] and IPv6 [RFC2460] addresses, and for Autonomous Systems.
IANA: Internet Assigned Numbers Authority (a traditional name, used IANA: Internet Assigned Numbers Authority (a traditional name, used
here to refer to the technical team making and publishing the here to refer to the technical team making and publishing the
assignments of Internet protocol technical parameters). The assignments of Internet protocol technical parameters). The
technical team of IANA is currently a part of ICANN [RFC2860]. technical team of IANA is currently a part of ICANN [RFC2860].
RPKI: Resource Public Key Infrastructure. A Public Key RPKI: Resource Public Key Infrastructure. A Public Key
Infrastructure designed to provide a secure basis for assertions Infrastructure designed to provide a secure basis for assertions
about holdings of Internet numeric resources. Certificates issued about holdings of Internet numeric resources. Certificates issued
under the RPKI contain additional attributes that identify IPv4, under the RPKI contain additional attributes that identify IPv4,
IPv6, and Autonomous System Number (ASN) resources. IPv6, and Autonomous System Number (ASN) resources
[I-D.ietf-sidr-arch].
ROA: Route Origination Authorization. A ROA is an RPKI object that ROA: Route Origination Authorization. A ROA is an RPKI object that
enables the holder of the address prefix to specify an AS that is enables the holder of the address prefix to specify an AS that is
permitted to originate (in BGP) routes for that prefix. permitted to originate (in BGP) routes for that prefix
[I-D.ietf-sidr-roa-format].
AS0 ROA: Validation of Route Origination using the Resource AS0 ROA: A ROA containing a value of 0 in the ASID field. Validation
Certificate PKI and ROAs [I-D.ietf-sidr-roa-validation] states "A ROA of Route Origination using the Resource Certificate PKI and ROAs
with a subject of AS0 (AS0-ROA) is an attestation by the holder of a [I-D.ietf-sidr-roa-validation] states "A ROA with a subject of AS0
prefix that the prefix described in the ROA, and any more specific (AS0-ROA) is an attestation by the holder of a prefix that the prefix
prefix, should not be used in a routing context." described in the ROA, and any more specific prefix, should not be
used in a routing context."
"Not intended to be (publicly) routed": This phrase refers to "Not intended to be (publicly) routed": This phrase refers to
prefixes that are not meant to be represented in the global Internet prefixes that are not meant to be represented in the global Internet
routing table (for example 192.168/16, [RFC1918]). routing table (for example 192.168/16, [RFC1918]).
5. Reserved Resources 5. Reserved Resources
Reserved IPv4 and IPv6 resources are held back for various reasons by Reserved IPv4 and IPv6 resources are held back for various reasons by
IETF action. Generally such resources are not intended to be IETF action. Generally such resources are not intended to be
globally routed. An example of such a reservation is 127.0.0.0/8 globally routed. An example of such a reservation is 127.0.0.0/8
[RFC5735]. See Appendix A (Appendix A) and B (Appendix B) for IANA [RFC5735]. See Appendix A (Appendix A) and B (Appendix B) for IANA
reserved resources. reserved resources.
IANA SHOULD issue an AS0 ROA for all reserved IPv4 and IPv6 resources IANA SHOULD issue an AS0 ROA for all reserved IPv4 and IPv6 resources
not intended to be routed. not intended to be routed. The selection of the [RFC2119]
terminology is intentional as there may be situations where the ASO
ROA is removed or not issued prior to an IANA registry action. It is
not appropriate to place IANA into a situation where, through normal
interal operations, its bahavior contradicts IETF standards.
There are a small number of reserved resources which are intended to There are a small number of reserved resources that are intended to
be routed, for example 192.88.99.0/24 [RFC3068]. See Appendix A be routed, for example 192.88.99.0/24 [RFC3068]. See Appendix A
(Appendix A) and B (Appendix B) for IANA reserved resources. (Appendix A) and B (Appendix B) for IANA reserved resources.
IANA MUST NOT issue any ROAs (AS0 or otherwise) for reserved IANA MUST NOT issue any ROAs (AS0 or otherwise) for reserved
resources that are expected to be globally routed. resources that are expected to be globally routed.
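Review bot: the rationale sentences added after "IANA SHOULD issue an AS0 ROA" contain a typo in an identifier: "ASO ROA" (letter O) should be "AS0 ROA" (digit zero), as defined in Section 4; the same sentence also has "interal" for "internal" and "bahavior" for "behavior". This paragraph is reused word for word in Section 6 with the same typos, so either fix both copies or state the rationale once here and have Section 6 refer back to it.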
6. Unallocated Resources 6. Unallocated Resources
Internet Number Resources that have not yet been allocated for Internet Number Resources that have not yet been allocated for
special purposes [RFC5736], to Regional Internet Registries (RIRs), special purposes [RFC5736], to Regional Internet Registries (RIRs),
or to others are considered as not intended to be globally routed. or to others are considered as not intended to be globally routed.
IANA MUST issue an AS0 ROA for all Unallocated Resources. IANA SHOULD issue an AS0 ROA for all Unallocated Resources. The
selection of the [RFC2119] terminology is intentional as there may be
situations where the ASO ROA is removed or not issued prior to an
IANA registry action. It is not appropriate to place IANA into a
situation where, through normal interal operations, its bahavior
contradicts IETF standards.
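Review bot: changing "IANA MUST issue an AS0 ROA for all Unallocated Resources" to "SHOULD" is a material weakening and deserves more than the duplicated Section 5 paragraph (which repeats the "ASO", "interal" and "bahavior" typos; cross-reference Section 5 instead of copying it). Say what a relying party may and may not conclude: with SHOULD, the absence of an AS0 ROA for a block no longer indicates that the block has been allocated, it may simply mean the ROA was withdrawn or never issued ahead of a registry action. Stating that here, and in Section 12, would close the gap the rationale opens.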
7. Special Purpose Registry Resources 7. Special Purpose Registry Resources
Special Registry Resources [RFC5736] fall into one of two categories Special Registry Resources [RFC5736] fall into one of two categories
in terms of routing. Either the resource is intended to be seen in in terms of routing. Either the resource is intended to be seen in
the global Internet routing table in some fashion, or it isn't. An the global Internet routing table in some fashion, or it isn't. An
example of a special purpose registry INR that is intended for global example of a special purpose registry INR that is intended for global
routing is 2001:0000::/32 [RFC4380]. An example of an INR not routing is 2001:0000::/32 [RFC4380]. An example of an INR not
intended to be seen would be 2001:002::/48 [RFC5180]. intended to be seen would be 2001:002::/48 [RFC5180].
IANA MUST NOT issue any ROAs (AS0 or otherwise) for Special Purpose IANA MUST NOT issue any ROAs (AS0 or otherwise) for Special Purpose
Registry Resources that are intended to be globally routed. Registry Resources that are intended to be globally routed.
IANA MUST issue an AS0 ROA for Special Purpose Registry Resources IANA SHOULD issue an AS0 ROA for Special Purpose Registry Resources
that are not intended to be globally routed. that are not intended to be globally routed.
8. Multicast 8. Multicast
Within the IPv4 Multicast [RFC5771] and IPv6 Multicast [RFC4291] Within the IPv4 Multicast [RFC5771] and IPv6 Multicast [RFC4291]
registries there are a number of Multicast registrations that are not registries there are a number of Multicast registrations that are not
intended to be globally routed. intended to be globally routed.
IANA MUST issue an AS0 ROA covering the following IPv4 and IPv6 IANA MUST issue an AS0 ROA covering the following IPv4 and IPv6
multicast INRs: multicast INRs:
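Review bot: Section 7 also moves from "MUST issue an AS0 ROA" to "SHOULD" for Special Purpose Registry Resources not intended to be globally routed, but unlike Sections 5 and 6 it gives no rationale; add the same cross-reference. Section 8, by contrast, keeps "IANA MUST issue an AS0 ROA" for the listed multicast INRs. If the reason for SHOULD is that an AS0 ROA may be removed or not issued before a registry action, that reason applies to multicast registrations too, so either relax Section 8 for consistency or explain why multicast is different.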
skipping to change at page 12, line 7 skipping to change at page 12, line 7
One informational object that can exist at a publication point of an One informational object that can exist at a publication point of an
RPKI repository is the Ghostbusters Record RPKI repository is the Ghostbusters Record
[I-D.ietf-sidr-ghostbusters]. [I-D.ietf-sidr-ghostbusters].
IANA MUST issue a ghostbusters object appropriate in content for the IANA MUST issue a ghostbusters object appropriate in content for the
resources IANA maintains. resources IANA maintains.
10. Certificates and CRLs 10. Certificates and CRLs
Before IANA can issue a ROA it MUST first establish a RPKI Before IANA can issue a ROA it MUST first establish an RPKI
Certificate Authority (CA) that covers unallocated, reserved, and Certification Authority (CA) that covers unallocated, reserved, and
special use INRs by containing RFC 3379 extensions [RFC3779] for special use INRs. A CA that covers these INRs MUST contain contain
those corresponding number resources in the CA Certificate. This CA RFC 3379 extensions [RFC3779] for those corresponding number
MUST issue single use End Entity (EE) certificates for each ROA. The resources in its Certificate. This CA MUST issue single-use End
EE certificate will conform to the Resource Certificate Profile Entity (EE) certificates for each ROA that it generates. The EE
certificate will conform to the Resource Certificate Profile
[I-D.ietf-sidr-res-certs] and the additional constraints specified in [I-D.ietf-sidr-res-certs] and the additional constraints specified in
[I-D.ietf-sidr-roa-format]. IANA MUST maintain a publication point [I-D.ietf-sidr-roa-format]. IANA MUST maintain a publication point
for this CA's use and publish manifests for this CA's use and MIUST publish manifests
[I-D.ietf-sidr-rpki-manifests] (with its corresponding EE [I-D.ietf-sidr-rpki-manifests] (with its corresponding EE
certificate). A Certificate Revocation List (CRL) will be issued certificate) for this publication point. IANA MUST issue a
under this CA certificate. All objects issued by this CA will Certificate Revocation List (CRL) under this CA certificate for the
conform to a published Certificate Policy [I-D.ietf-sidr-cp]. EE certificates noted above. All objects issued by this CA will
conform to the RPKI Certificate Policy [I-D.ietf-sidr-cp].
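Review bot: "RFC 3379 extensions [RFC3779]" does not match its own citation; the IP address and AS identifier certificate extensions are RFC 3779, so the number in the prose is a typo carried over from -02 and should read "RFC 3779 extensions [RFC3779]". The new sentence also has "MUST contain contain", and the manifest sentence has "MIUST". Since each EE certificate is single-use and bound to one ROA, it would also help to say explicitly that a ROA is withdrawn by revoking its EE certificate on this CRL (and dropping it from the manifest); that is the mechanism the "removed or not issued prior to an IANA registry action" wording in Sections 5 and 6 relies on, and the reader currently has to infer it.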
11. IANA Considerations 11. IANA Considerations
This document directs IANA to issue, or refrain from issuing, the This document directs IANA to issue, or refrain from issuing, the
specific objects described here for the current set of reserved, specific RPKI objects described here for the current set of reserved,
unallocated, and special registry Internet Number Resources. Further unallocated, and special registry Internet Number Resources. Further
it MUST notify all other INR registries that RPKI objects have been IANA MUST notify all other INR registries that RPKI objects have been
issued for specific Internet Number Resources to avoid duplicates issued for the Internet Number Resources described in this document
being issued thus reducing the burden on any relying party. to avoid the potential for issuance of duplicate objects that might
confuse relying parties.
12. Security Considerations 12. Security Considerations
This document does not alter the security profile of the RPKI from This document does not alter the security profile of the RPKI from
that already discussed in SIDR-WG documents. that already discussed in SIDR-WG documents.
13. Acknowledgements 13. Acknowledgements
The authors acknowledge Dave Meyer for helpful direction with regard The authors acknowledge Dave Meyer for helpful direction with regard
to multicast assignments. to multicast assignments.
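Review bot: Section 12 still states that this document "does not alter the security profile of the RPKI", yet this revision relaxes MUST to SHOULD in Sections 6 and 7 and keeps SHOULD in Section 5. The practical effect for relying parties, that unallocated, reserved and special-purpose space may legitimately appear with no AS0 ROA, is a property of the objects IANA publishes and belongs in this section, even if only as one sentence noting that absence of an AS0 ROA carries no meaning about allocation status.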
skipping to change at page 16, line 17 skipping to change at page 16, line 17
14.1. Normative References 14.1. Normative References
[I-D.ietf-sidr-arch] [I-D.ietf-sidr-arch]
Lepinski, M. and S. Kent, "An Infrastructure to Support Lepinski, M. and S. Kent, "An Infrastructure to Support
Secure Internet Routing", draft-ietf-sidr-arch-12 (work in Secure Internet Routing", draft-ietf-sidr-arch-12 (work in
progress), February 2011. progress), February 2011.
[I-D.ietf-sidr-cp] [I-D.ietf-sidr-cp]
Kent, S., Kong, D., Seo, K., and R. Watro, "Certificate Kent, S., Kong, D., Seo, K., and R. Watro, "Certificate
Policy (CP) for the Resource PKI (RPKI", Policy (CP) for the Resource PKI (RPKI",
draft-ietf-sidr-cp-16 (work in progress), December 2010. draft-ietf-sidr-cp-17 (work in progress), April 2011.
[I-D.ietf-sidr-ghostbusters] [I-D.ietf-sidr-ghostbusters]
Bush, R., "The RPKI Ghostbusters Record", Bush, R., "The RPKI Ghostbusters Record",
draft-ietf-sidr-ghostbusters-03 (work in progress), draft-ietf-sidr-ghostbusters-03 (work in progress),
March 2011. March 2011.
[I-D.ietf-sidr-res-certs] [I-D.ietf-sidr-res-certs]
Huston, G., Michaelson, G., and R. Loomans, "A Profile for Huston, G., Michaelson, G., and R. Loomans, "A Profile for
X.509 PKIX Resource Certificates", X.509 PKIX Resource Certificates",
draft-ietf-sidr-res-certs-21 (work in progress), draft-ietf-sidr-res-certs-22 (work in progress), May 2011.
December 2010.
[I-D.ietf-sidr-roa-format] [I-D.ietf-sidr-roa-format]
Lepinski, M., Kent, S., and D. Kong, "A Profile for Route Lepinski, M., Kent, S., and D. Kong, "A Profile for Route
Origin Authorizations (ROAs)", Origin Authorizations (ROAs)",
draft-ietf-sidr-roa-format-10 (work in progress), draft-ietf-sidr-roa-format-12 (work in progress),
February 2011. May 2011.
[I-D.ietf-sidr-roa-validation] [I-D.ietf-sidr-roa-validation]
Huston, G. and G. Michaelson, "Validation of Route Huston, G. and G. Michaelson, "Validation of Route
Origination using the Resource Certificate PKI and ROAs", Origination using the Resource Certificate PKI and ROAs",
draft-ietf-sidr-roa-validation-10 (work in progress), draft-ietf-sidr-roa-validation-10 (work in progress),
November 2010. November 2010.
[I-D.ietf-sidr-rpki-manifests] [I-D.ietf-sidr-rpki-manifests]
Austein, R., Huston, G., Kent, S., and M. Lepinski, Austein, R., Huston, G., Kent, S., and M. Lepinski,
"Manifests for the Resource Public Key Infrastructure", "Manifests for the Resource Public Key Infrastructure",
draft-ietf-sidr-rpki-manifests-09 (work in progress), draft-ietf-sidr-rpki-manifests-11 (work in progress),
November 2010. May 2011.
14.2. Informative References 14.2. Informative References
[I-D.ietf-sidr-ltamgmt] [I-D.ietf-sidr-ltamgmt]
Kent, S. and M. Reynolds, "Local Trust Anchor Management Kent, S. and M. Reynolds, "Local Trust Anchor Management
for the Resource Public Key Infrastructure", for the Resource Public Key Infrastructure",
draft-ietf-sidr-ltamgmt-00 (work in progress), draft-ietf-sidr-ltamgmt-00 (work in progress),
November 2010. November 2010.
[I-D.ietf-sidr-usecases] [I-D.ietf-sidr-usecases]
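Review bot: the [I-D.ietf-sidr-cp] entry in Section 14.1 is missing its closing parenthesis in both columns ("Certificate Policy (CP) for the Resource PKI (RPKI",); it should read "(RPKI)". Since the entry's version and date are being bumped in this revision anyway, fix the title at the same time.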
 End of changes. 27 change blocks. 
53 lines changed or deleted 70 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/