draft-ietf-sidrops-bgpsec-rollover-04.txt   rfc8634.txt 
Network Working Group B. Weis Internet Engineering Task Force (IETF) B. Weis
Internet-Draft R. Gagliano Request for Comments: 8634 Independent
Intended status: Best Current Practice Cisco Systems BCP: 224 R. Gagliano
Expires: June 14, 2018 K. Patel Category: Best Current Practice Cisco Systems
ISSN: 2070-1721 K. Patel
Arrcus, Inc. Arrcus, Inc.
December 11, 2017 August 2019
BGPsec Router Certificate Rollover BGPsec Router Certificate Rollover
draft-ietf-sidrops-bgpsec-rollover-04
Abstract Abstract
Certification Authorities (CAs) within the Resource Public Key Certification Authorities (CAs) within the Resource Public Key
Infrastructure (RPKI) manage BGPsec router certificates as well as Infrastructure (RPKI) manage BGPsec router certificates as well as
RPKI certificates. The rollover of BGPsec router certificates must RPKI certificates. The rollover of BGPsec router certificates must
be carefully performed in order to synchronize the distribution of be carefully performed in order to synchronize the distribution of
router public keys with BGPsec Update messages verified with those router public keys with BGPsec UPDATE messages verified with those
router public keys. This document describes a safe rollover process, router public keys. This document describes a safe rollover process,
as well as discussing when and why the rollover of BGPsec router and it discusses when and why the rollover of BGPsec router
certificates are necessary. When this rollover process is followed certificates is necessary. When this rollover process is followed,
the rollover will be performed without routing information being the rollover will be performed without routing information being
lost. lost.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This memo documents an Internet Best Current Practice.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
BCPs is available in Section 2 of RFC 7841.
This Internet-Draft will expire on June 14, 2018. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8634.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Requirements notation . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Requirements Notation . . . . . . . . . . . . . . . . . . . . 4
3. Key rollover in BGPsec . . . . . . . . . . . . . . . . . . . 3 3. Key Rollover in BGPsec . . . . . . . . . . . . . . . . . . . 4
3.1. Rollover Process . . . . . . . . . . . . . . . . . . . . 4 3.1. Rollover Process . . . . . . . . . . . . . . . . . . . . 5
4. BGPsec router key rollover as a measure against replay 4. BGPsec Router Key Rollover as a Measure against Replay
attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.1. BGP UPDATE window of exposure requirement . . . . . . . . 6 4.1. BGP UPDATE Window of Exposure Requirement . . . . . . . . 7
4.2. BGPsec key rollover as a mechanism to protect against 4.2. BGPsec Key Rollover as a Mechanism to Protect against
replay attacks . . . . . . . . . . . . . . . . . . . . . 7 Replay Attacks . . . . . . . . . . . . . . . . . . . . . 7
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
6. Security Considerations . . . . . . . . . . . . . . . . . . . 8 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9
7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 9 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 7.1. Normative References . . . . . . . . . . . . . . . . . . 10
8.1. Normative References . . . . . . . . . . . . . . . . . . 9 7.2. Informative References . . . . . . . . . . . . . . . . . 10
8.2. Informative References . . . . . . . . . . . . . . . . . 9 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
1. Requirements notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
2. Introduction 1. Introduction
In BGPsec, a key rollover (or re-key) is the process of changing a In BGPsec, a key rollover (or re-key) is the process of changing a
router's BGPsec key pair (or key pairs), issuing the corresponding router's BGPsec key pair (or key pairs), issuing the corresponding
new BGPsec router certificate and (if the old certificate is still new BGPsec router certificate, and (if the old certificate is still
valid) revoking the old certificate. This process will need to valid) revoking the old certificate. This process will need to
happen at regular intervals, normally due to policies of the local happen at regular intervals, normally due to policies of the local
network. This document describes a safe rollover process that network. This document describes a safe rollover process that
results in a BGPsec receiver always having the needed verification results in a BGPsec receiver always having the needed verification
keys. Certificate Practice Statements (CPS) documents may reference keys. Certification Practice Statement (CPS) documents may reference
this memo. This memo only addresses changing of a router's BGPsec this memo. This memo only addresses changing of a router's BGPsec
key pair within the RPKI. Refer to [RFC6489] for a procedure to key pair within the RPKI. Refer to [RFC6489] for a procedure to roll
rollover RPKI Certification Authority key pairs. over RPKI Certification Authority key pairs.
When a router receives or creates a new key pair (using a key When a router receives or creates a new key pair (using a key
provisioning mechanism), this key pair will be used to sign new provisioning mechanism), this key pair will be used to sign new
BGPsec updates [RFC8205] that are originated or that transit through BGPsec UPDATE messages [RFC8205] that are originated at or that
the BGP speaker. Additionally, the BGP speaker will refresh its transit through the BGP speaker. Additionally, the BGP speaker will
outbound BGPsec Update messages to include a signature using the new refresh its outbound BGPsec UPDATE messages to include a signature
key (replacing the old key). When the rollover process finishes, the using the new key (replacing the old key). When the rollover process
old BGPsec router certificate (and its key) will no longer be valid, finishes, the old BGPsec router certificate (and its key) will no
and thus any BGPsec Update that includes a signature performed by the longer be valid; thus, any BGPsec UPDATE message that includes a
old key will be invalid. Consequently, if the router does not signature performed by the old key will be invalid. Consequently, if
refresh its outbound BGPsec Update messages, previously sent routing the router does not refresh its outbound BGPsec UPDATE messages,
information may be treated as unauthenticated after the rollover previously sent routing information may be treated as unauthenticated
process is finished. It is therefore extremely important that new after the rollover process is finished. Therefore, it is extremely
BGPsec router certificates have been distributed throughout the RPKI important that new BGPsec router certificates have been distributed
before the router begin signing BGPsec updates with a new private throughout the RPKI before the router begins signing BGPsec UPDATE
key. messages with a new private key.
It is also important for an AS to minimize the BGPsec router key It is also important for an AS to minimize the BGPsec router key-
rollover interval (i.e., the period between the time when an AS rollover interval (i.e., the period between the time when an AS
distributes a BGPsec router certificate with a new public key and the distributes a BGPsec router certificate with a new public key and the
time a BGPsec router begins to use its new private key). This can be time a BGPsec router begins to use its new private key). This can be
due to a need for a BGPsec router to distribute BGPsec updates signed due to a need for a BGPsec router to distribute BGPsec UPDATE
with a new private key in order to invalidate BGPsec updates signed messages signed with a new private key in order to invalidate BGPsec
with the old private key. In particular, if the AS suspects that a UPDATE messages signed with the old private key. In particular, if
stale BGPsec update is being distributed instead of the most recently the AS suspects that a stale BGPsec UPDATE message is being
signed attribute it can cause the stale BGPsec updates to be distributed instead of the most recently signed attribute, it can
invalidated by completing a key rollover procedure. The BGPsec cause the stale BGPsec UPDATE messages to be invalidated by
router rollover interval can be minimized when an automated completing a key-rollover procedure. The BGPsec router rollover
certificate provisioning process such as Enrollment over Secure interval can be minimized when an automated certificate provisioning
Transport (EST) [RFC7030] is used. process such as Enrollment over Secure Transport (EST) [RFC7030] is
used.
The Security Requirements for BGP Path Validation [RFC7353] also "Security Requirements for BGP Path Validation" [RFC7353] also
describes the need for protecting against suppression of BGP WITHDRAW describes the need for protecting against suppression of BGP UPDATE
messages or replay of BGP UPDATE messages, such as controlling messages with Withdrawn Routes or replay of BGP UPDATE messages, such
BGPsec's window of exposure to such attacks. The BGPsec router as controlling BGPsec's window of exposure to such attacks. The
certificate rollover method in this document can be used to achieve BGPsec router certificate rollover method in this document can be
this goal. used to achieve this goal.
In [I-D.ietf-sidr-rtr-keying], the "operator-driven" method is In [RFC8635], the "operator-driven" method is introduced, in which a
introduced, in which a key pair can be shared among multiple BGP key pair can be shared among multiple BGP speakers. In this
speakers. In this scenario, the rollover of the correspondent BGPsec scenario, the rollover of the corresponding BGPsec router certificate
router certificate will impact all the BGP speakers sharing the same will impact all the BGP speakers sharing the same private key.
private key.
3. Key rollover in BGPsec 2. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. Key Rollover in BGPsec
A BGPsec router certificate SHOULD be replaced when the following A BGPsec router certificate SHOULD be replaced when the following
events occur, and can be replaced for any other reason at the events occur, and it can be replaced for any other reason at the
discretion of the AS responsible for the BGPsec router certificate. discretion of the AS responsible for the BGPsec router certificate.
Scheduled rollover: BGPsec router certificates have an expiration Scheduled rollover: BGPsec router certificates have an expiration
date (NotValidAfter) that requires a frequent rollover process date (NotValidAfter) that requires a frequent rollover process
to refresh certificates or issue new certificates. The to refresh certificates or issue new certificates. The
validity period for these certificates is typically expressed validity period for these certificates is typically expressed
in the CA's CPS document. in the CA's CPS document.
Router certificate field changes: Information contained in a BGPsec Router certificate field changes: Information contained in a BGPsec
router certificate (such as the ASN or the Subject) may need to router certificate (such as the Autonomous System Number (ASN)
be changed. or the Subject) may need to be changed.
Emergency router key rollover: Some special circumstances (such as a Emergency router key rollover: Some special circumstances (such as a
compromised key) may require the replacement of a BGPsec router compromised key) may require the replacement of a BGPsec router
certificate. certificate.
Protection against withdrawal suppression and replay attacks: An AS Protection against withdrawal suppression and replay attacks: An AS
may determine that withdrawn BGPsec updates are being may determine that withdrawn BGPsec UPDATE messages are being
propagated instead of the most recently propagated BGPsec propagated instead of the most recently propagated BGPsec
updates. Changing the BGPsec router signing key, distributing UPDATE messages. Changing the BGPsec router signing key,
a new BGPsec router certificate, and revoking the old BGPsec distributing a new BGPsec router certificate, and revoking the
router certificate will invalidate the replayed BGPsec updates. old BGPsec router certificate will invalidate the replayed
BGPsec UPDATE messages.
In some of these cases it is possible to generate a new certificate In some of these cases, it is possible to generate a new certificate
without changing the key pair. This practice simplifies the rollover without changing the key pair. This practice simplifies the rollover
process as the BGP speakers receiving BGPsec Updates do not even need process as the BGP speakers receiving BGPsec UPDATE messages do not
to be aware of the change of certificate. However, not replacing the even need to be aware of the change of certificate. However, not
certificate key for a long period of time increases the risk that a replacing the certificate key for a long period of time increases the
compromised router private key may be used by an attacker to deliver risk that a compromised router private key may be used by an attacker
unauthorized or false BGPsec Updates. Distributing the old public to deliver unauthorized or false BGPsec UPDATE messages.
key in a new certificate is NOT RECOMMENDED when the rollover event Distributing the old public key in a new certificate is NOT
is due to a compromised key, or when it is suspected that withdrawn RECOMMENDED when the rollover event is due to a compromised key or
BGPsec updates are being distributed. when it is suspected that withdrawn BGPsec UPDATE messages are being
distributed.
3.1. Rollover Process 3.1. Rollover Process
The key rollover process is dependent on the key provisioning The key-rollover process is dependent on the key provisioning
mechanisms adopted by an AS [I-D.ietf-sidr-rtr-keying]. An automatic mechanisms adopted by an AS [RFC8635]. An automatic provisioning
provisioning mechanism such as EST will allow router key management mechanism such as EST will allow procedures for router key management
procedures to include automatic re-keying methods with minimum to include automatic re-keying methods with minimum development cost.
development cost.
A safe BGPsec router key rollover process is as follows. A safe BGPsec router key-rollover process is as follows.
1. New Certificate Publication: The first step in the rollover 1. New Certificate Publication: The first step in the rollover
mechanism is to publish the new certificate. If required, a new mechanism is to publish the new certificate. If required, a new
key pair will be generated for the BGPsec router. A new key pair will be generated for the BGPsec router. A new
certificate will be generated and the certificate published at certificate will be generated and the certificate will be
the appropriate RPKI repository publication point. The details published at the appropriate RPKI repository publication point.
of this process will vary as they depend on whether the keys are
assigned per-BGPsec speaker or shared among multiple BGPsec The details of this process will vary as they depend on 1)
speakers, whether the keys are generated on each BGPsec speaker whether the keys are assigned per-BGPsec speaker or shared among
or in a central location, and whether the RPKI repository is multiple BGPsec speakers, 2) whether the keys are generated on
locally or externally hosted. each BGPsec speaker or in a central location, and 3) whether the
RPKI repository is locally or externally hosted.
2. Staging Period: A staging period will be required from the time a 2. Staging Period: A staging period will be required from the time a
new certificate is published in the RPKI global repository until new certificate is published in the global RPKI repository until
the time it is fetched by RPKI caches around the globe. The the time it is fetched by RPKI caches around the globe. The
exact minimum staging time will be dictated by the conventional exact minimum staging time will be dictated by the conventional
interval chosen between repository fetches. If rollovers will be interval chosen between repository fetches. If rollovers will be
done more frequently, an administrator can provision two done more frequently, an administrator can provision two
certificates for every router concurrently with different valid certificates for every router concurrently with different valid
start times. In this case when the rollover operation is needed, start times. In this case, when the rollover operation is
the relying parties around the globe would already have the new needed, the relying parties around the globe would already have
router public keys. However, if an administrator has not the new router public keys. However, if an administrator has not
previously provisioned the next certificate then a staging period previously provisioned the next certificate, implementing a
may not be possible to implement during emergency key rollover. staging period may not be possible during emergency key rollover.
If there is no staging period, routing may be disrupted due to If there is no staging period, routing may be disrupted due to
the inability of a BGPsec router to validate BGPsec updates the inability of a BGPsec router to validate BGPsec UPDATE
signed with a new private key. messages signed with a new private key.
3. Twilight: At this moment, the BGPsec speaker holding the rolled- 3. Twilight: In this step, the BGPsec speaker holding the rolled-
over private key will stop using the old key for signing and over private key will stop using the old key for signing and will
start using the new key. Also, the router will generate start using the new key. Also, the router will generate
appropriate refreshed BGPsec updates just as in the typical appropriate refreshed BGPsec UPDATE messages, just as in the
operation of refreshing out-bound BGP polices. This operation typical operation of refreshing outbound BGP polices. This
may generate a great number of BGPsec updates. A BGPsec speaker operation may generate a great number of BGPsec UPDATE messages.
may vary the Twilight moment for every peer in order to A BGPsec speaker may vary the distribution of BGPsec UPDATE
distribute the system load (e.g., skewing the rollover for messages in this step for every peer in order to distribute the
different peers by a few minutes each would be sufficient and system load (e.g., skewing the rollover for different peers by a
effective). few minutes each would be sufficient and effective).
4. Certificate Revocation: This is an optional step, but SHOULD be 4. Certificate Revocation: This is an optional step, but it SHOULD
taken when the goal is to invalidate BGPsec updates signed with be taken when the goal is to invalidate BGPsec UPDATE messages
the old key. Reasons to invalidate old BGPsec updates include: signed with the old key. Reasons to invalidate old BGPsec UPDATE
(a) the AS has reason to believe that the router signing key has messages include (a) the AS has reason to believe that the router
been compromised, and (b) the AS needs to invalidate already signing key has been compromised, and (b) the AS needs to
propagated BGPsec updates signed with the old key. As part of invalidate already-propagated BGPsec UPDATE messages signed with
the rollover process, a CA MAY decide to revoke the old the old key. As part of the rollover process, a CA MAY decide to
certificate by publishing its serial number on the CA's CRL. revoke the old certificate by publishing its serial number on the
Alternatively, the CA will just let the old certificate expire CA's Certificate Revocation List (CRL). Alternatively, the CA
and not revoke it. This choice will depend on the reasons that will just let the old certificate expire and not revoke it. This
motivated the rollover process. choice will depend on the reasons that motivated the rollover
process.
5. RPKI-Router Protocol Withdrawals: At the expiration of the old 5. RPKI-Router Protocol Withdrawals: At the expiration of the old
certificate's validation, the RPKI relying parties around the certificate's validation, the RPKI relying parties around the
globe will need to communicate to their router peers that the old globe will need to communicate to their router peers that the old
certificate's public key is no longer valid (e.g., using the certificate's public key is no longer valid (e.g., using the
RPKI-Router Protocol described in [RFC8210]). A router's RPKI-Router Protocol described in [RFC8210]). A router's
reaction to a message indicating withdrawal of a router key in reaction to a message indicating withdrawal of a router key in
the RPKI-Router Protocol SHOULD include the removal of any RIB the RPKI-Router Protocol SHOULD include the removal of any RIB
entries (i.e., BGPsec updates) signed with that key and the entries (i.e., BGPsec updates) signed with that key and the
generation of the corresponding BGP WITHDRAWALs (either implicit generation of the corresponding BGP UPDATE message with Withdrawn
or explicit). Routes (either implicit or explicit).
This rollover mechanism depends on the existence of an automatic This rollover mechanism depends on the existence of an automatic
provisioning process for BGPsec router certificates. It requires a provisioning process for BGPsec router certificates. It requires a
staging mechanism based on the RPKI propagation time (typically a 24 staging mechanism based on the RPKI propagation time (at the time of
hour period at the time this document was published), and an AS is writing, this is typically a 24-hour period), and an AS is REQUIRED
REQUIRED to re-sign all originated and transited BGPsec updates that to re-sign all originated and transited BGPsec UPDATE messages that
were previously signed with the old key. were previously signed with the old key.
The first two steps (New Certificate Publication and Staging Period) The first two steps (New Certificate Publication and Staging Period)
may happen in advance of the rest of the process. This will allow a may happen in advance of the rest of the process. This will allow a
network operator to perform its subsequent key rollover in an network operator to perform its subsequent key rollover in an
efficient and timely manner. efficient and timely manner.
When a new BGPsec router certificate is generated without changing When a new BGPsec router certificate is generated without changing
its key, steps 3 (Twilight) and 5 (RPKI-Router Protocol Withdrawals) its key, steps 3 (Twilight) and 5 (RPKI-Router Protocol Withdrawals)
SHOULD NOT be executed. SHOULD NOT be executed.
4. BGPsec router key rollover as a measure against replay attacks 4. BGPsec Router Key Rollover as a Measure against Replay Attacks
There are two typical generic measures to mitigate replay attacks in There are two typical generic measures to mitigate replay attacks in
any protocol: the addition of a timestamp or the addition of a serial any protocol: the addition of a timestamp or the addition of a serial
number. However, neither BGP nor BGPsec provide either measure. The number. However, neither BGP nor BGPsec provides these measures.
timestamp approach was originally proposed for BGPsec The timestamp approach was originally proposed for BGPsec
[I-D.sriram-replay-protection-design-discussion] but later dropped in [PROTECTION-DESIGN-DISCUSSION] but was later dropped in favor of the
favor of the key rollover approach. This section discusses the use key-rollover approach. This section discusses the use of key
of using a key rollover as a measure to mitigate replay attacks. rollover as a measure to mitigate replay attacks.
4.1. BGP UPDATE window of exposure requirement 4.1. BGP UPDATE Window of Exposure Requirement
The need to limit the vulnerability to replay attacks is described in The need to limit the vulnerability to replay attacks is described in
[RFC7353] Section 4.3. One important comment is that during a window Section 4.3 of [RFC7353]. One important comment is that during a
of exposure, a replay attack is effective only in very specific window of exposure, a replay attack is effective only in very
circumstances: there is a downstream topology change that makes the specific circumstances: there is a downstream topology change that
signed AS path no longer current, and the topology change makes the makes the signed AS path no longer current, and the topology change
replayed route preferable to the route associated with the new makes the replayed route preferable to the route associated with the
update. In particular, if there is no topology change at all, then new update. In particular, if there is no topology change at all,
no security threat comes from a replay of a BGPsec update because the then no security threat comes from a replay of a BGPsec UPDATE
signed information is still valid. message because the signed information is still valid.
The BGPsec Operational Considerations document [RFC8207] gives some "BGPsec Operational Considerations" [RFC8207] gives some idea of
idea of requirements for the size of the window of exposure to replay requirements for the size of the window of exposure to replay
attacks. It states that the requirement will be in the order of a attacks. It states that the requirement will be in the order of a
day or longer. day or longer.
4.2. BGPsec key rollover as a mechanism to protect against replay 4.2. BGPsec Key Rollover as a Mechanism to Protect against Replay
attacks Attacks
Since the window requirement is on the order of a day (as documented Since the window requirement is on the order of a day (as documented
in [RFC8207]) and the BGP speaker performing re-keying is the edge in [RFC8207]) and the BGP speaker performing re-keying is the edge
router of the origin AS, it is feasible to use key rollover to router of the origin AS, it is feasible to use key rollover to
mitigate replays. In this case it is important to complete the full mitigate replays. In this case, it is important to complete the full
process (i.e., the old and new certificates do not share the same process (i.e., the old and new certificates do not share the same
key). By re-keying, an AS is letting the BGPsec router certificate key). By re-keying, an AS is letting the BGPsec router certificate
validation time be a type of "timestamp" to mitigate replay attacks. validation time be a type of "timestamp" to mitigate replay attacks.
However, the use of frequent key rollovers comes with an additional However, the use of frequent key rollovers comes with an additional
administrative cost and risks if the process fails. As documented administrative cost and risks if the process fails. As documented in
before, re-keying should be supported by automatic tools, and for the [RFC8207], re-keying should be supported by automatic tools, and for
great majority of the Internet it will be done with good lead time to the great majority of the Internet, it will be done with good lead
ensure that the public key corresponding to the new router time to ensure that the public key corresponding to the new router
certificate will be available to validate the corresponding BGPsec certificate will be available to validate the corresponding BGPsec
updates when received. UPDATE messages when received.
If a transit AS also originates BGPsec updates for its own prefixes If a transit AS also originates BGPsec UPDATE messages for its own
and it wishes to mitigate replay attacks on those prefixes, then the prefixes and it wishes to mitigate replay attacks on those prefixes,
transit AS SHOULD be provisioned with two unique key pairs and then the transit AS SHOULD be provisioned with two unique key pairs
certificates. One of the key pairs is used to sign BGPsec updates and certificates. One of the key pairs is used to sign BGPsec UPDATE
for prefixes originated from the transit AS, and can have a replay messages for prefixes originated from the transit AS, and it can have
protection policy applied to it. The other key pair is used to sign a replay protection policy applied to it. The other key pair is used
BGPsec updates in transit and SHOULD NOT have replay protection to sign BGPsec UPDATE messages in transit and SHOULD NOT have a
policy applied to it. Because the transit AS is not likely to know replay protection policy applied to it. Because the transit AS is
or care what is the policy of origin ASes elsewhere, there is no not likely to know or care about the policy of origin ASes elsewhere,
value for the transit AS to perform key rollovers to mitigate replay there is no value gained by the transit AS performing key rollovers
attacks against prefixes originated elsewhere. If the transit AS to mitigate replay attacks against prefixes originated elsewhere. If
were instead to perform replay protection for all updates that it the transit AS were instead to perform replay protection for all
signs, its key rollover process would generate a large number of updates that it signs, its process for key rollovers would generate a
BGPsec UPDATE messages, even in the complete Default Free Zone (DFZ). large number of BGPsec UPDATE messages, even in the complete Default-
Therefore, it is best to let each AS independently manage the replay Free Zone (DFZ). Therefore, it is best to let each AS independently
attack vulnerability window for the prefixes it originates. manage the replay attack vulnerability window for the prefixes it
originates.
Advantages to re-keying as replay attack protection mechanism are as Advantages to re-keying as a replay attack protection mechanism are
follows: as follows:
1. All expiration policies are maintained in the RPKI. 1. All expiration policies are maintained in the RPKI.
2. Much of the additional administrative cost is paid by the 2. Much of the additional administrative cost is paid by the
provider that wants to protect its infrastructure, as it bears provider that wants to protect its infrastructure, as it bears
the cost of creating and initiating distribution of new router the cost of creating and initiating distribution of new router
key pairs and BGPsec router certificates. (It is true that the key pairs and BGPsec router certificates. (It is true that the
cost of relying parties will be affected by the new objects, but cost of relying parties will be affected by the new objects, but
their responses should be completely automated or otherwise their responses should be completely automated or otherwise
routine.) routine.)
3. The re-keying can be implemented in coordination with planned 3. The re-keying can be implemented in coordination with planned
topology changes by either origin ASes or transit ASes (e.g., if topology changes by either origin ASes or transit ASes (e.g., if
an AS changes providers, it completes a key rollover). an AS changes providers, it completes a key rollover).
Disadvantages to Re-keying as replay attack protection mechanism are Disadvantages to re-keying as replay attack protection mechanism are
as follows: as follows:
1. Frequent rollovers add administrative and BGP processing loads, 1. Frequent rollovers add administrative and BGP processing loads,
although the required frequency is not clear. Some initial ideas although the required frequency is not clear. Some initial ideas
are found in [RFC8207]. are found in [RFC8207].
2. The minimum replay vulnerability is bounded by the propagation 2. The minimum replay vulnerability is bounded by the propagation
time for RPKI caches to obtain the new certificate and CRL (2x time for RPKI caches to obtain the new certificate and CRL (2x
propagation time because first the new certificate and then the propagation time because first the new certificate and then the
CRL need to propagate through the RPKI system). If provisioning CRL need to propagate through the RPKI system). If provisioning
is done ahead of time, the minimum replay vulnerability window is done ahead of time, the minimum replay vulnerability window
size is reduced to 1x propagation time (i.e., propagation of the size is reduced to 1x propagation time (i.e., propagation of the
CRL). However, these bounds will be better understood when RPKI CRL). However, these bounds will be better understood when the
and RPs are well deployed, as well as the propagation time for RPKI and RPKI relying party software are well deployed; this will
objects in the RPKI is better understood. also contribute to the propagation time for objects in the RPKI
being better understood.
3. Re-keying increases the dynamics and size of the RPKI repository. 3. Re-keying increases the dynamics and size of the RPKI repository.
5. IANA Considerations 5. IANA Considerations
There are no IANA considerations. This section may be removed upon This document has no IANA actions.
publication.
6. Security Considerations 6. Security Considerations
This document does not contain a protocol update to either the RPKI This document does not contain a protocol update to either the RPKI
or BGPsec. It describes a process for managing BGPsec router or BGPsec. It describes a process for managing BGPsec router
certificates within the RPKI. certificates within the RPKI.
Routers participating in BGPsec will need to rollover their signing Routers participating in BGPsec will need to roll over their signing
keys as part of conventional certificate management processes. keys as part of conventional processing of certificate management.
However, because rolling over signing keys will also have an effect However, because rolling over signing keys will also have the effect
of invalidating BGPsec updates signatures, the rollover process must of invalidating BGPsec UPDATE message signatures, the rollover
be carefully orchestrated to ensure that valid BGPsec updates are not process must be carefully orchestrated to ensure that valid BGPsec
treated as invalid. This situation could affect Internet routing. UPDATE messages are not treated as invalid. This situation could
This document describes a safe method for rolling over BGPsec router affect Internet routing. This document describes a safe method for
certificates. It takes into account both normal and emergency key rolling over BGPsec router certificates. It takes into account both
rollover requirements. normal and emergency key-rollover requirements.
Additionally, the key rollover method described in this document can
be used as a measure to mitigate BGP update replay attacks, in which
an entity in the routing system is suppressing current BGPsec updates
and replaying withdrawn updates. When the key used to sign the
withdrawn updates has been rolled over, the withdrawn updates will be
considered invalid. When certificates containing a new public key
are provisioned ahead of time, the minimum replay vulnerability
window size is reduced to the propagation time of a CRL invalidating
the certificate containing an old public key. For a discussion of
the difficulties deploying a more effectual replay protection
mechanism for BGPSEC, see
[I-D.sriram-replay-protection-design-discussion].
7. Acknowledgments
Randy Bush, Kotikalapudi Sriram, Stephen Kent and Sandy Murphy each
provided valuable suggestions resulting in an improved document.
Kotikalapudi Sriram contributed valuable guidance regarding the use
of key rollovers to mitigate BGP update replay attacks.
8. References Additionally, the key-rollover method described in this document can
be used as a measure to mitigate BGP UPDATE replay attacks, in which
an entity in the routing system is suppressing current BGPsec UPDATE
messages and replaying withdrawn updates. When the key used to sign
the withdrawn updates has been rolled over, the withdrawn updates
will be considered invalid. When certificates containing a new
public key are provisioned ahead of time, the minimum replay
vulnerability window size is reduced to the propagation time of a CRL
invalidating the certificate containing an old public key. For a
discussion of the difficulties deploying a more effectual replay
protection mechanism for BGPSEC, see [PROTECTION-DESIGN-DISCUSSION].
8.1. Normative References 7. References
[I-D.ietf-sidr-rtr-keying] 7.1. Normative References
Bush, R., Turner, S., and K. Patel, "Router Keying for
BGPsec", draft-ietf-sidr-rtr-keying-14 (work in progress),
October 2017.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, <https://www.rfc- DOI 10.17487/RFC2119, March 1997,
editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
8.2. Informative References [RFC8635] Bush, R., Turner, S., and K. Patel, "Router Keying for
BGPsec", RFC 8635, DOI 10.17487/RFC8635, August 2019,
<https://www.rfc-editor.org/info/rfc8635>.
[I-D.sriram-replay-protection-design-discussion] 7.2. Informative References
[PROTECTION-DESIGN-DISCUSSION]
Sriram, K. and D. Montgomery, "Design Discussion and Sriram, K. and D. Montgomery, "Design Discussion and
Comparison of Protection Mechanisms for Replay Attack and Comparison of Protection Mechanisms for Replay Attack and
Withdrawal Suppression in BGPsec", draft-sriram-replay- Withdrawal Suppression in BGPsec", Work in Progress,
protection-design-discussion-09 (work in progress), draft-sriram-replay-protection-design-discussion-12, April
October 2017. 2019.
[RFC6489] Huston, G., Michaelson, G., and S. Kent, "Certification [RFC6489] Huston, G., Michaelson, G., and S. Kent, "Certification
Authority (CA) Key Rollover in the Resource Public Key Authority (CA) Key Rollover in the Resource Public Key
Infrastructure (RPKI)", BCP 174, RFC 6489, Infrastructure (RPKI)", BCP 174, RFC 6489,
DOI 10.17487/RFC6489, February 2012, <https://www.rfc- DOI 10.17487/RFC6489, February 2012,
editor.org/info/rfc6489>. <https://www.rfc-editor.org/info/rfc6489>.
[RFC7030] Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed., [RFC7030] Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed.,
"Enrollment over Secure Transport", RFC 7030, "Enrollment over Secure Transport", RFC 7030,
DOI 10.17487/RFC7030, October 2013, <https://www.rfc- DOI 10.17487/RFC7030, October 2013,
editor.org/info/rfc7030>. <https://www.rfc-editor.org/info/rfc7030>.
[RFC7353] Bellovin, S., Bush, R., and D. Ward, "Security [RFC7353] Bellovin, S., Bush, R., and D. Ward, "Security
Requirements for BGP Path Validation", RFC 7353, Requirements for BGP Path Validation", RFC 7353,
DOI 10.17487/RFC7353, August 2014, <https://www.rfc- DOI 10.17487/RFC7353, August 2014,
editor.org/info/rfc7353>. <https://www.rfc-editor.org/info/rfc7353>.
[RFC8205] Lepinski, M., Ed. and K. Sriram, Ed., "BGPsec Protocol [RFC8205] Lepinski, M., Ed. and K. Sriram, Ed., "BGPsec Protocol
Specification", RFC 8205, DOI 10.17487/RFC8205, September Specification", RFC 8205, DOI 10.17487/RFC8205, September
2017, <https://www.rfc-editor.org/info/rfc8205>. 2017, <https://www.rfc-editor.org/info/rfc8205>.
[RFC8207] Bush, R., "BGPsec Operational Considerations", BCP 211, [RFC8207] Bush, R., "BGPsec Operational Considerations", BCP 211,
RFC 8207, DOI 10.17487/RFC8207, September 2017, RFC 8207, DOI 10.17487/RFC8207, September 2017,
<https://www.rfc-editor.org/info/rfc8207>. <https://www.rfc-editor.org/info/rfc8207>.
[RFC8210] Bush, R. and R. Austein, "The Resource Public Key [RFC8210] Bush, R. and R. Austein, "The Resource Public Key
Infrastructure (RPKI) to Router Protocol, Version 1", Infrastructure (RPKI) to Router Protocol, Version 1",
RFC 8210, DOI 10.17487/RFC8210, September 2017, RFC 8210, DOI 10.17487/RFC8210, September 2017,
<https://www.rfc-editor.org/info/rfc8210>. <https://www.rfc-editor.org/info/rfc8210>.
Acknowledgments
Randy Bush, Kotikalapudi Sriram, Stephen Kent, and Sandy Murphy each
provided valuable suggestions resulting in an improved document.
Kotikalapudi Sriram contributed valuable guidance regarding the use
of key rollovers to mitigate BGP UPDATE replay attacks.
Authors' Addresses Authors' Addresses
Brian Weis Brian Weis
Cisco Systems Independent
170 W. Tasman Drive
San Jose, CA 95134
US
Email: bew@cisco.com Email: bew.stds@gmail.com
Roque Gagliano Roque Gagliano
Cisco Systems Cisco Systems
Avenue des Uttins 5 Avenue des Uttins 5
Rolle, VD 1180 Rolle, VD 1180
Switzerland Switzerland
Email: rogaglia@cisco.com Email: rogaglia@cisco.com
Keyur Patel Keyur Patel
Arrcus, Inc. Arrcus, Inc.
Email: keyur@arrcus.com Email: keyur@arrcus.com
 End of changes. 67 change blocks. 
251 lines changed or deleted 248 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/