draft-ietf-sidrops-bgpsec-rollover-02.txt   draft-ietf-sidrops-bgpsec-rollover-03.txt 
Network Working Group B. Weis Network Working Group B. Weis
Internet-Draft R. Gagliano Internet-Draft R. Gagliano
Intended status: Standards Track Cisco Systems Intended status: Standards Track Cisco Systems
Expires: April 6, 2018 K. Patel Expires: April 30, 2018 K. Patel
Arrcus, Inc. Arrcus, Inc.
October 3, 2017 October 27, 2017
BGPsec Router Certificate Rollover BGPsec Router Certificate Rollover
draft-ietf-sidrops-bgpsec-rollover-02 draft-ietf-sidrops-bgpsec-rollover-03
Abstract Abstract
Certificate Authorities (CAs) managing CA certificates and End-Entity Certification Authorities (CAs) within the Resource Public Key
(EE) certificates within the Resource Public Key Infrastructure Infrastructure (RPKI) manage BGPsec router certificates as well as
(RPKI) will also manage BGPsec router certificates. But the rollover RPKI certificates. The rollover of BGPsec router certificates must
of CA and EE certificates BGPsec router certificates have additional be carefully performed in order to synchronize the distribution of
considerations for Normal and emergency rollover processes. The router public keys with BGPsec Update messages verified with those
rollover must be carefully managed in order to synchronize router public keys. This document describes a safe rollover process,
distribution of router public keys and BGPsec routers creating BGPsec as well as discussing when and why the rollover of BGPsec router
Update messages verified with those router public keys. This certificates are necessary. When this rollover process is followed
document provides general recommendations for the rollover process, the rollover will be performed without routing information being
as well as describing reasons why the rollover of BGPsec router lost.
certificates might be necessary. When this rollover process is
followed the rollover should be accomplished without routing
information being lost.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 6, 2018. This Internet-Draft will expire on April 30, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Requirements notation . . . . . . . . . . . . . . . . . . . . 2 1. Requirements notation . . . . . . . . . . . . . . . . . . . . 2
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Key rollover in BGPsec . . . . . . . . . . . . . . . . . . . 4 3. Key rollover in BGPsec . . . . . . . . . . . . . . . . . . . 3
3.1. A proposed process for BGPsec router key rollover . . . . 4 3.1. Rollover Process . . . . . . . . . . . . . . . . . . . . 4
4. BGPsec router key rollover as a measure against replay 4. BGPsec router key rollover as a measure against replay
attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
4.1. BGP UPDATE window of exposure requirement . . . . . . . . 6 4.1. BGP UPDATE window of exposure requirement . . . . . . . . 6
4.2. BGPsec key rollover as a mechanism to protect against 4.2. BGPsec key rollover as a mechanism to protect against
replay attacks . . . . . . . . . . . . . . . . . . . . . 7 replay attacks . . . . . . . . . . . . . . . . . . . . . 7
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
6. Security Considerations . . . . . . . . . . . . . . . . . . . 8 6. Security Considerations . . . . . . . . . . . . . . . . . . . 8
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 9
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
8.1. Normative References . . . . . . . . . . . . . . . . . . 9 8.1. Normative References . . . . . . . . . . . . . . . . . . 9
8.2. Informative References . . . . . . . . . . . . . . . . . 9 8.2. Informative References . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
1. Requirements notation 1. Requirements notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
[RFC2119]. [RFC2119].
2. Introduction 2. Introduction
In BGPsec, a key rollover (or re-key) is the process of changing a In BGPsec, a key rollover (or re-key) is the process of changing a
router's key pair (or key pairs), issuing the corresponding new router's BGPsec key pair (or key pairs), issuing the corresponding
BGPsec router certificate and (if the old certificate is still valid) new BGPsec router certificate and (if the old certificate is still
revoking the old certificate. This process will need to happen at valid) revoking the old certificate. This process will need to
regular intervals, normally due to the local policies of a network. happen at regular intervals, normally due to policies of the local
network. This document describes a safe rollover process that
This document provides general recommendations for that process. results in a BGPsec receiver always having the needed verification
Certificate Practice Statements (CPS) documents may reference these keys. Certificate Practice Statements (CPS) documents may reference
recommendations. This memo only addresses changing of a router's key this memo. This memo only addresses changing of a router's BGPsec
pair within the RPKI. Refer to [RFC6489] for a procedure to rollover key pair within the RPKI. Refer to [RFC6489] for a procedure to
RPKI Certificate Authority key pairs. rollover RPKI Certification Authority key pairs.
When a router receives or creates a new key pair (using a key When a router receives or creates a new key pair (using a key
provisioning mechanism), this key pair will be used to sign new provisioning mechanism), this key pair will be used to sign new
BGPsec updates [RFC8205] that are originated or that transit through BGPsec updates [RFC8205] that are originated or that transit through
the BGP speaker. Additionally, the BGP speaker MUST refresh its the BGP speaker. Additionally, the BGP speaker will refresh its
outbound BGPsec Update messages to include a signature using the new outbound BGPsec Update messages to include a signature using the new
key (replacing the old key). When the rollover process finishes, the key (replacing the old key). When the rollover process finishes, the
old BGPsec router certificate (and its key) will no longer be valid, old BGPsec router certificate (and its key) will no longer be valid,
and thus any BGPsec Update that includes signature performed by the and thus any BGPsec Update that includes a signature performed by the
old key will be invalid. Consequently, if the router does not old key will be invalid. Consequently, if the router does not
refresh its outbound BGPsec Update messages, previously sent routing refresh its outbound BGPsec Update messages, previously sent routing
information may be treated as unauthenticated after the rollover information may be treated as unauthenticated after the rollover
process is finished. It is therefore extremely important that new process is finished. It is therefore extremely important that new
BGPsec router certificates have been distributed throughout the RPKI BGPsec router certificates have been distributed throughout the RPKI
before the router begin signing BGPsec updates with a new private before the router begin signing BGPsec updates with a new private
key. key.
It is also important for an AS to minimize the BGPsec router key It is also important for an AS to minimize the BGPsec router key
rollover interval (i.e., in between the time an AS distributes a rollover interval (i.e., in between the time an AS distributes a
BGPsec router certificate with a new public key and the time a BGPsec BGPsec router certificate with a new public key and the time a BGPsec
router begins to use its new private key). This can be due to a need router begins to use its new private key). This can be due to a need
for a BGPsec router to distribute BGPsec updates signed with a new for a BGPsec router to distribute BGPsec updates signed with a new
private key in order to invalidate BGPsec updates signed with the old private key in order to invalidate BGPsec updates signed with the old
private key. In particular, if the AS suspects that a stale BGPsec private key. In particular, if the AS suspects that a stale BGPsec
updates is being distributed instead of the most recently signed updates is being distributed instead of the most recently signed
attribute it can cause the stale BGPsec updates to be invalidated by attribute it can cause the stale BGPsec updates to be invalidated by
completing a key rollover procedure. The BGPsec router rollover completing a key rollover procedure. The BGPsec router rollover
interval can be minimized when an automated certificate provisioning interval can be minimized when an automated certificate provisioning
process such as Enrollment over Secure Transport (EST) [RFC7030]) is process such as Enrollment over Secure Transport (EST) [RFC7030] is
used. used.
The Security Requirements for BGP Path Validation [RFC7353] also The Security Requirements for BGP Path Validation [RFC7353] also
describes the need for protecting against suppression of BGP WITHDRAW describes the need for protecting against suppression of BGP WITHDRAW
messages or replay of BGP UPDATE messages, such as controlling messages or replay of BGP UPDATE messages, such as controlling
BGPsec's window of exposure to such attacks. The BGPsec router BGPsec's window of exposure to such attacks. The BGPsec router
certificate rollover method in this document can be used to achieve certificate rollover method in this document can be used to achieve
this goal. this goal.
In [I-D.ietf-sidr-rtr-keying], the "operator-driven" method is In [I-D.ietf-sidr-rtr-keying], the "operator-driven" method is
introduced, in which a key pair can be shared among multiple BGP introduced, in which a key pair can be shared among multiple BGP
speakers. In this scenario, the roll-over of the correspondent speakers. In this scenario, the rollover of the correspondent BGPsec
BGPsec router certificate will impact all the BGP speakers sharing router certificate will impact all the BGP speakers sharing the same
the same private key. private key.
3. Key rollover in BGPsec 3. Key rollover in BGPsec
A BGPsec router certificate SHOULD be replaced when the following A BGPsec router certificate SHOULD be replaced when the following
events occur, and can be replaced for any other reason at the events occur, and can be replaced for any other reason at the
discretion of the AS responsible for the BGPsec router certificate. discretion of the AS responsible for the BGPsec router certificate.
Scheduled rollover: BGPsec router certificates have an expiration Scheduled rollover: BGPsec router certificates have an expiration
date (NotValidAfter) that requires a frequent rollover process date (NotValidAfter) that requires a frequent rollover process
to refresh certificates or issue new certificates. The to refresh certificates or issue new certificates. The
validity period for these certificates is typically expressed validity period for these certificates is typically expressed
in the CA's CPS document. in the CA's CPS document.
Router certificate field changes: Information contained in a BGPsec Router certificate field changes: Information contained in a BGPsec
router certificate (such as the ASN or the Subject) may need to router certificate (such as the ASN or the Subject) may need to
be changed. be changed.
Emergency router key rollover Some special circumstances (such as a Emergency router key rollover: Some special circumstances (such as a
compromised key) may require the replacement of a BGPsec router compromised key) may require the replacement of a BGPsec router
certificate. certificate.
Protection against withdrawal suppression and replay attacks: An AS Protection against withdrawal suppression and replay attacks: An AS
may determine withdrawn BGPsec updates are being propagated may determine withdrawn BGPsec updates are being propagated
instead of the most recently propagated BGPsec updates. instead of the most recently propagated BGPsec updates.
Changing the BGPsec router signing key, distributing a new Changing the BGPsec router signing key, distributing a new
BGPsec router certificate, and revoking the old BGPsec router BGPsec router certificate, and revoking the old BGPsec router
certificate will invalidate the replayed BGPsec updates. certificate will invalidate the replayed BGPsec updates.
In some of these cases it is possible to generate a new certificate In some of these cases it is possible to generate a new certificate
without changing the key pair. This practice simplifies the rollover without changing the key pair. This practice simplifies the rollover
process as the BGP speakers receiving BGPsec Updates do not even need process as the BGP speakers receiving BGPsec Updates do not even need
to be aware of the change of certificate. However, not replacing the to be aware of the change of certificate. However, not replacing the
certificate key for a long period of time increases the risk that a certificate key for a long period of time increases the risk that a
compromised router private key may be used by an attacker to deliver compromised router private key may be used by an attacker to deliver
unauthorized or false BGPsec Updates. Distributing the OLD public unauthorized or false BGPsec Updates. Distributing the old public
key in a new certificate is NOT RECOMMENDED when the rollover event key in a new certificate is NOT RECOMMENDED when the rollover event
is due to a compromised key, or when it is suspected that withdrawn is due to a compromised key, or when it is suspected that withdrawn
BGPsec updates are being distributed. BGPsec updates are being distributed.
3.1. A proposed process for BGPsec router key rollover 3.1. Rollover Process
The key rollover process will be dependent on the key provisioning The key rollover process is dependent on the key provisioning
mechanisms adopted by an AS [I-D.ietf-sidr-rtr-keying]. An automatic mechanisms adopted by an AS [I-D.ietf-sidr-rtr-keying]. An automatic
provisioning mechanism such as EST will allow router key management provisioning mechanism such as EST will allow router key management
procedures to include automatic re-keying methods with minimum procedures to include automatic re-keying methods with minimum
development cost. development cost.
If we work under the assumption that an automatic mechanism will A safe BGPsec router key rollover process is as follows.
exist to rollover a BGPsec router certificate, a RECOMMENDED process
is as follows.
1. New Certificate Publication: The first step in the rollover 1. New Certificate Publication: The first step in the rollover
mechanism is to publish the new public key in a new certificate. mechanism is to publish the new certificate. If required, a new
In order to accomplish this goal, the new key pair and key pair will be generated for the BGPsec router. A new
certificate will need to be generated and the certificate certificate will be generated and the certificate published at
published at the appropriate RPKI repository publication point. the appropriate RPKI repository publication point. The details
The details of this process will vary as they depend on whether of this process will vary as they depend on whether the keys are
the keys are assigned per-BGPsec speaker or shared among multiple assigned per-BGPsec speaker or shared among multiple BGPsec
BGPsec speakers, whether the keys are generated on each BGPsec speakers, whether the keys are generated on each BGPsec speaker
speaker or in a central location, and whether the RPKI repository or in a central location, and whether the RPKI repository is
is locally or externally hosted. locally or externally hosted.
2. Staging Period: A staging period will be required from the time a 2. Staging Period: A staging period will be required from the time a
new certificate is published in the RPKI global repository until new certificate is published in the RPKI global repository until
the time it is fetched by RPKI caches around the globe. The the time it is fetched by RPKI caches around the globe. The
exact minimum staging time will be dictated by the conventional exact minimum staging time will be dictated by the conventional
interval chosen between repository fetches. If rollovers will be interval chosen between repository fetches. If rollovers will be
done more frequently, an administrator can provision two done more frequently, an administrator can provision two
certificates for every router concurrently with different valid certificates for every router concurrently with different valid
start times. In this case when the rollover operation is needed, start times. In this case when the rollover operation is needed,
the relying parties around the globe would already have the new the relying parties around the globe would already have the new
router public keys. However, if an administrator has not router public keys. However, if an administrator has not
previously provisioned the next certificate then a staging period previously provisioned the next certificate then a staging period
may not be possible to implement during emergency key rollover. may not be possible to implement during emergency key rollover.
If there is no staging period, routing may be disrupted due to If there is no staging period, routing may be disrupted due to
the inability of a BGPsec router to validate BGPsec updates the inability of a BGPsec router to validate BGPsec updates
signed with a new private key. signed with a new private key.
3. Twilight: At this moment, the BGPsec speaker holding the rolled- 3. Twilight: At this moment, the BGPsec speaker holding the rolled-
over private key will stop using the OLD key for signing and over private key will stop using the old key for signing and
start using the NEW key. Also, the router will generate start using the new key. Also, the router will generate
appropriate refreshed BGPsec updates just as in the typical appropriate refreshed BGPsec updates just as in the typical
operation of refreshing out-bound BGP polices. This operation operation of refreshing out-bound BGP polices. This operation
may generate a great number of BGPsec updates. A BGPsec speaker may generate a great number of BGPsec updates. A BGPsec speaker
may vary the Twilight moment for every peer in order to may vary the Twilight moment for every peer in order to
distribute the system load (e.g., skewing the rollover for distribute the system load (e.g., skewing the rollover for
different peers by a few minutes each would be sufficient and different peers by a few minutes each would be sufficient and
effective). effective).
4. Certificate Revocation: This is an optional step, but SHOULD be 4. Certificate Revocation: This is an optional step, but SHOULD be
taken when the goal is to invalidate updates signed with the OLD taken when the goal is to invalidate BGPsec updates signed with
key. Reasons to invalidate OLD updates include: (a) the AS has the old key. Reasons to invalidate old BGPsec updates include:
reason to believe that the router signing key has been (a) the AS has reason to believe that the router signing key has
compromised, and (b) the AS needs to invalidate already been compromised, and (b) the AS needs to invalidate already
propagated BGPsec updates signed with the OLD key. As part of propagated BGPsec updates signed with the old key. As part of
the rollover process, a CA MAY decide to revoke the OLD the rollover process, a CA MAY decide to revoke the old
certificate by publishing its serial number on the CA's CRL. certificate by publishing its serial number on the CA's CRL.
Alternatively, the CA will just let the OLD certificate expire Alternatively, the CA will just let the old certificate expire
and not revoke it. This choice will depend on the reasons that and not revoke it. This choice will depend on the reasons that
motivated the rollover process. motivated the rollover process.
5. RPKI-Router Protocol Withdrawals: At the expiration of the OLD 5. RPKI-Router Protocol Withdrawals: At the expiration of the old
certificate's validation, the RPKI relying parties around the certificate's validation, the RPKI relying parties around the
globe will need to communicate to their router peers that the OLD globe will need to communicate to their router peers that the old
certificate's public key is no longer valid (e.g., using the certificate's public key is no longer valid (e.g., using the
RPKI-Router Protocol described in [RFC8210]). A router's RPKI-Router Protocol described in [RFC8210]). A router's
reaction to a message indicating withdrawal of a router key in reaction to a message indicating withdrawal of a router key in
the RPKI-Router Protocol SHOULD include the removal of any RIB the RPKI-Router Protocol SHOULD include the removal of any RIB
entries (i.e., BGPsec updates) signed with that key and the entries (i.e., BGPsec updates) signed with that key and the
generation of the corresponding BGP WITHDRAWALs (either implicit generation of the corresponding BGP WITHDRAWALs (either implicit
or explicit). or explicit).
The proposed rollover mechanism will depend on the existence of an This rollover mechanism depends on the existence of an automatic
automatic provisioning process for BGPsec router certificates. It provisioning process for BGPsec router certificates. It requires a
will require a staging mechanism based on the RPKI propagation time staging mechanism based on the RPKI propagation time (typically a 24
(typically a 24 hour period at the time this document was published), hour period at the time this document was published), and an AS is
and it will require re-signing all originated and transited BGPsec REQUIRED to re-sign all originated and transited BGPsec updates that
updates that were previously signed with the OLD key. were previously signed with the old key.
The first two steps (New Certificate Publication and Staging Period) The first two steps (New Certificate Publication and Staging Period)
may happen in advance of the rest of the process. This will allow a may happen in advance of the rest of the process. This will allow a
network operator to perform its subsequent key roll-over in an network operator to perform its subsequent key rollover in an
efficient and timely manner. efficient and timely manner.
When a new BGPsec router certificate is generated without changing When a new BGPsec router certificate is generated without changing
its key, steps 3 (Twilight) and 5 (RPKI-Router Protocol Withdrawals) its key, steps 3 (Twilight) and 5 (RPKI-Router Protocol Withdrawals)
SHOULD NOT be executed. SHOULD NOT be executed.
4. BGPsec router key rollover as a measure against replay attacks 4. BGPsec router key rollover as a measure against replay attacks
There are two typical generic measures to mitigate replay attacks in There are two typical generic measures to mitigate replay attacks in
any protocol: the addition of a timestamp or the addition of a serial any protocol: the addition of a timestamp or the addition of a serial
number. However, neither BGP nor BGPsec provide either measure. The number. However, neither BGP nor BGPsec provide either measure. The
timestamp approach was originally proposed for BGPsec timestamp approach was originally proposed for BGPsec
[I-D.sriram-replay-protection-design-discussion] but later dropped in [I-D.sriram-replay-protection-design-discussion] but later dropped in
favor of the key rollover approach. This section discusses the use favor of the key rollover approach. This section discusses the use
of using a key roll-over as a measure to mitigate replay attacks. of using a key rollover as a measure to mitigate replay attacks.
4.1. BGP UPDATE window of exposure requirement 4.1. BGP UPDATE window of exposure requirement
The need to limit the vulnerability to replay attacks is described in The need to limit the vulnerability to replay attacks is described in
[RFC7353] Section 4.3. One important comment is that during a window [RFC7353] Section 4.3. One important comment is that during a window
of exposure, a replay attack is effective only in very specific of exposure, a replay attack is effective only in very specific
circumstances: there is a downstream topology change that makes the circumstances: there is a downstream topology change that makes the
signed AS path no longer current, and the topology change makes the signed AS path no longer current, and the topology change makes the
replayed route preferable to the route associated with the new replayed route preferable to the route associated with the new
update. In particular, if there is no topology change at all, then update. In particular, if there is no topology change at all, then
skipping to change at page 7, line 23 skipping to change at page 7, line 14
attacks. It states that the requirement will be in the order of a attacks. It states that the requirement will be in the order of a
day or longer. day or longer.
4.2. BGPsec key rollover as a mechanism to protect against replay 4.2. BGPsec key rollover as a mechanism to protect against replay
attacks attacks
Since the window requirement is on the order of a day (as documented Since the window requirement is on the order of a day (as documented
in [RFC8207]) and the BGP speaker performing re-keying is the edge in [RFC8207]) and the BGP speaker performing re-keying is the edge
router of the origin AS, it is feasible to use key rollover to router of the origin AS, it is feasible to use key rollover to
mitigate replays. In this case it is important to complete the full mitigate replays. In this case it is important to complete the full
process (i.e. the OLD and NEW certificates do not share the same process (i.e., the old and new certificates do not share the same
key). By re-keying, an AS is letting the BGPsec router certificate key). By re-keying, an AS is letting the BGPsec router certificate
validation time be a type of "timestamp" to mitigate replay attacks. validation time be a type of "timestamp" to mitigate replay attacks.
However, the use of frequent key rollovers comes with an additional However, the use of frequent key rollovers comes with an additional
administrative cost and risks if the process fails. As documented administrative cost and risks if the process fails. As documented
before, re-keying should be supported by automatic tools, and for the before, re-keying should be supported by automatic tools, and for the
great majority of the Internet it will be done with good lead time to great majority of the Internet it will be done with good lead time to
ensure that the public key corresponding to the NEW router ensure that the public key corresponding to the new router
certificate will be available to validate the corresponding BGPsec certificate will be available to validate the corresponding BGPsec
updates when received. updates when received.
For a transit AS that also originates BGPsec updates for its own For a transit AS that also originates BGPsec updates for its own
prefixes, the key rollover process may generate a large number of prefixes, the key rollover process may generate a large number of
UPDATE messages (even the complete Default Free Zone or DFZ). For UPDATE messages (even the complete Default Free Zone or DFZ). For
this reason, it is recommended that routers in a transit AS that also this reason, it is RECOMMENDED that routers in a transit AS that also
originate BGPsec updates be provisioned with two certificates: one to originate BGPsec updates be provisioned with two certificates: one to
sign BGPsec updates in transit and a second one to sign BGPsec sign BGPsec updates in transit and a second one to sign BGPsec
updates for prefixes originated from its AS. Only the second updates for prefixes originated from its AS. Only the second
certificate (for originating prefixes) should be rolled-over certificate (for originating prefixes) should be rolled-over
frequently as a means of limiting replay attack windows. The router frequently as a means of limiting replay attack windows. The router
certificate used for signing updates in transit is expected to live certificate used for signing updates in transit is expected to live
longer than the one used for signing origination updates. longer than the one used for signing origination updates.
Advantages to re-keying as replay attack protection mechanism are as Advantages to re-keying as replay attack protection mechanism are as
follows: follows:
skipping to change at page 8, line 26 skipping to change at page 8, line 18
Disadvantages to Re-keying as replay attack protection mechanism are Disadvantages to Re-keying as replay attack protection mechanism are
as follows: as follows:
1. Frequent rollovers add administrative and BGP processing loads, 1. Frequent rollovers add administrative and BGP processing loads,
although the required frequency is not clear. Some initial ideas although the required frequency is not clear. Some initial ideas
are found in [RFC8207]. are found in [RFC8207].
2. The minimum replay vulnerability is bounded by the propagation 2. The minimum replay vulnerability is bounded by the propagation
time for RPKI caches to obtain the new certificate and CRL (2x time for RPKI caches to obtain the new certificate and CRL (2x
propagation time because first the NEW certificate and then the propagation time because first the new certificate and then the
CRL need to propagate through the RPKI system). If provisioning CRL need to propagate through the RPKI system). If provisioning
is done ahead of time, the minimum replay vulnerability window is done ahead of time, the minimum replay vulnerability window
size is reduced to 1x propagation time (i.e., propagation of the size is reduced to 1x propagation time (i.e., propagation of the
CRL). However, these bounds will be better understood when RPKI CRL). However, these bounds will be better understood when RPKI
and RPs are well deployed, as well as the propagation time for and RPs are well deployed, as well as the propagation time for
objects in the RPKI is better understood. objects in the RPKI is better understood.
3. Re-keying increases the dynamics and size of the RPKI repository. 3. Re-keying increases the dynamics and size of the RPKI repository.
5. IANA Considerations 5. IANA Considerations
skipping to change at page 9, line 22 skipping to change at page 9, line 13
and replaying withdrawn updates. When the key used to sign the and replaying withdrawn updates. When the key used to sign the
withdrawn updates has been rolled over, the withdrawn updates will be withdrawn updates has been rolled over, the withdrawn updates will be
considered invalid. When certificates containing a new public key considered invalid. When certificates containing a new public key
are provisioned ahead of time, the minimum replay vulnerability are provisioned ahead of time, the minimum replay vulnerability
window size is reduced to the propagation time of a CRL invalidating window size is reduced to the propagation time of a CRL invalidating
the certificate containing an old public key. For a discussion of the certificate containing an old public key. For a discussion of
the difficulties deploying a more effectual replay protection the difficulties deploying a more effectual replay protection
mechanism for BGPSEC, see mechanism for BGPSEC, see
[I-D.sriram-replay-protection-design-discussion]. [I-D.sriram-replay-protection-design-discussion].
7. Acknowledgements 7. Acknowledgments
Randy Bush, Kotikalapudi Sriram, Stephen Kent and Sandy Murphy each Randy Bush, Kotikalapudi Sriram, Stephen Kent and Sandy Murphy each
provided valuable suggestions resulting in an improved document. provided valuable suggestions resulting in an improved document.
8. References 8. References
8.1. Normative References 8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, <https://www.rfc- DOI 10.17487/RFC2119, March 1997, <https://www.rfc-
editor.org/info/rfc2119>. editor.org/info/rfc2119>.
8.2. Informative References 8.2. Informative References
[I-D.ietf-sidr-rtr-keying] [I-D.ietf-sidr-rtr-keying]
Bush, R., Turner, S., and K. Patel, "Router Keying for Bush, R., Turner, S., and K. Patel, "Router Keying for
BGPsec", draft-ietf-sidr-rtr-keying-13 (work in progress), BGPsec", draft-ietf-sidr-rtr-keying-14 (work in progress),
April 2017. October 2017.
[I-D.sriram-replay-protection-design-discussion] [I-D.sriram-replay-protection-design-discussion]
Sriram, K. and D. Montgomery, "Design Discussion and Sriram, K. and D. Montgomery, "Design Discussion and
Comparison of Protection Mechanisms for Replay Attack and Comparison of Protection Mechanisms for Replay Attack and
Withdrawal Suppression in BGPsec", draft-sriram-replay- Withdrawal Suppression in BGPsec", draft-sriram-replay-
protection-design-discussion-08 (work in progress), April protection-design-discussion-09 (work in progress),
2017. October 2017.
[RFC6489] Huston, G., Michaelson, G., and S. Kent, "Certification [RFC6489] Huston, G., Michaelson, G., and S. Kent, "Certification
Authority (CA) Key Rollover in the Resource Public Key Authority (CA) Key Rollover in the Resource Public Key
Infrastructure (RPKI)", BCP 174, RFC 6489, Infrastructure (RPKI)", BCP 174, RFC 6489,
DOI 10.17487/RFC6489, February 2012, <https://www.rfc- DOI 10.17487/RFC6489, February 2012, <https://www.rfc-
editor.org/info/rfc6489>. editor.org/info/rfc6489>.
[RFC7030] Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed., [RFC7030] Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed.,
"Enrollment over Secure Transport", RFC 7030, "Enrollment over Secure Transport", RFC 7030,
DOI 10.17487/RFC7030, October 2013, <https://www.rfc- DOI 10.17487/RFC7030, October 2013, <https://www.rfc-
 End of changes. 33 change blocks. 
80 lines changed or deleted 75 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/