rfcdiff: draft-ietf-sidrops-bgpsec-algs-rfc8208-bis-01.txt vs. draft-ietf-sidrops-bgpsec-algs-rfc8208-bis-02.txt
(where the two drafts differ, both readings are given, marked "-01:" and "-02:")

Internet Engineering Task Force (IETF)                         S. Turner
Internet-Draft                                                     sn3rd
Updates: 8208 (if approved)                                  O. Borchert
Intended status: Standards Track                                    NIST
Expires: -01: September 6, 2018 / -02: March 9, 2019
                            Dated: -01: March 5, 2018 / -02: September 5, 2018

         BGPsec Algorithms, Key Formats, and Signature Formats
              -01: draft-ietf-sidrops-bgpsec-algs-rfc8208-bis-01
              -02: draft-ietf-sidrops-bgpsec-algs-rfc8208-bis-02

Abstract

   This document specifies the algorithms, algorithm parameters,
   asymmetric key formats, asymmetric key sizes, and signature formats
   used in BGPsec (Border Gateway Protocol Security).  This document
   updates RFC 8208 ("BGPsec Algorithms, Key Formats, and Signature
   Formats") by adding Special-Use Algorithm IDs and correcting the
   range of unassigned algorithms IDs to fill the complete range.

   [skipping to change at page 2, line 30]
Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   3
     1.2.  Changes from RFC 8208 . . . . . . . . . . . . . . . . . .   4
   2.  Algorithms  . . . . . . . . . . . . . . . . . . . . . . . . .   4
     2.1.  Algorithm ID Types  . . . . . . . . . . . . . . . . . . .   4
     2.2.  Signature Algorithms  . . . . . . . . . . . . . . . . . .   5
       2.2.1.  Algorithm ID 0x01 - (ECDSA-P256)  . . . . . . . . . .   5
   3.  Asymmetric Key Pair Formats . . . . . . . . . . . . . . . . .   6
     3.1.  Asymmetric Key Pair for Algorithm ID 0x01 - (ECDSA-P256)    6
           (-01 read "ECDSA-p256")
       3.1.1.  Public Key Format . . . . . . . . . . . . . . . . . .   6
       3.1.2.  Private Key Format  . . . . . . . . . . . . . . . . .   6
   4.  Signature Formats . . . . . . . . . . . . . . . . . . . . . .   6
   5.  Additional Requirements . . . . . . . . . . . . . . . . . . .   6
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   9
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   9
     8.2.  Informative References  . . . . . . . . . . . . . . . . .  11
   Appendix A.  Examples . . . . . . . . . . . . . . . . . . . . . .  12
   [skipping to change at page 4, line 10]

   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.
1.2.  Changes from RFC 8208

   This section describes the significant changes between [RFC8208] and
   this document.

   o  -01: Adding section 2.1 of algorithm ID types and what to do when
           these IDs are observed.
      -02: Added Section 2.1 of algorithm ID types.  Also, the
           interpretation of these IDs is described.

   o  Restructured Sections 2 and 3 to align with the corresponding
      algorithm suite identifier value.

   o  Correction of range for unassigned algorithm suite identifier
      values.

   o  Adding of Special-Use algorithm suite identifier values.
2.  Algorithms

   [skipping to change at page 5, line 26]
   Special-Use algorithm IDs span from 0xFA (250) to 0xFE (254).  To
   allow documentation and experimentation to accurately describe
   deployment examples, the use of publicly assigned algorithm IDs is
   inappropriate, and a reserved block of Special-Use algorithm IDs
   is required.  This ensures that documentation and experimentation
   does not clash with assigned algorithm IDs in deployed networks,
   and mitigates the risks to operational integrity of the network
   through inappropriate use of documentation to perform literal
   configuration of routing elements on production systems.  A router
   that encounters an algorithm ID of this type outside of an
   experimental network, SHOULD treat it the same as
   "unsupported algorithm" as specified in Section 5.2 of [RFC8205].
   (-01 read: "SHOULD treat these type same as"; -02: "SHOULD treat it
   the same as".)
2.2.  Signature Algorithms

2.2.1.  Algorithm ID 0x01 - (ECDSA-P256)

   o  The signature algorithm used MUST be the Elliptic Curve Digital
      Signature Algorithm (ECDSA) with curve P-256 [RFC6090] [DSS].

   o  The hash algorithm used MUST be SHA-256 [SHS].
   [skipping to change at page 6, line 12]

   identifier value 0x01 (see Section 7) is included in the
   Signature_Block List's Algorithm Suite Identifier field.
3.  Asymmetric Key Pair Formats

   The key formats used to compute signatures on CA certificates, BGPsec
   Router Certificates, and CRLs are as specified in Section 3 of
   [RFC7935].  This section addresses key formats found in the BGPsec
   Router Certificate requests and in BGPsec Router Certificates.
3.1.  Asymmetric Key Pair for Algorithm ID 0x01 - (ECDSA-P256)
      (-01 read "ECDSA-p256")

   The ECDSA private keys used to compute signatures for certificate
   requests and BGPsec UPDATE messages MUST be associated with the P-256
   curve domain parameters [RFC5480].  The public key pair MUST use the
   uncompressed form.

3.1.1.  Public Key Format

   The Subject's public key is included in subjectPublicKeyInfo
   [RFC5280].  It has two sub-fields: algorithm and subjectPublicKey.
   [skipping to change at page 7, line 41]

   IANA is asked to modify the previously registered "Unassigned"
   address space.

   +------------+---------------+--------------+-----------------------+
   | Algorithm  | Digest        | Signature    | Specification         |
   | Suite      | Algorithm     | Algorithm    | Pointer               |
   | Identifier |               |              |                       |
   +------------+---------------+--------------+-----------------------+
   | 0x2-0xEF   | Unassigned    | Unassigned   |                       |
   +------------+---------------+--------------+-----------------------+

   To be modified to:  (-01 read: "To be modified into:")

   +------------+---------------+--------------+-----------------------+
   | Algorithm  | Digest        | Signature    | Specification         |
   | Suite      | Algorithm     | Algorithm    | Pointer               |
   | Identifier |               |              |                       |
   +------------+---------------+--------------+-----------------------+
   | 0x2-0xFA   | Unassigned    | Unassigned   |                       |
   +------------+---------------+--------------+-----------------------+

   In addition IANA is asked to register the following address space for
   "Special-Use":
   End of changes.  7 change blocks.  8 lines changed or deleted, 8 lines changed or added.

   This html diff was produced by rfcdiff 1.47.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/