| draft-ietf-sidrops-aspa-profile-00.txt | draft-ietf-sidrops-aspa-profile-01.txt | |||
|---|---|---|---|---|
| Network Working Group A. Azimov | Network Working Group A. Azimov | |||
| Internet-Draft Yandex | Internet-Draft Yandex | |||
| Intended status: Standards Track E. Uskov | Intended status: Standards Track E. Uskov | |||
| Expires: November 18, 2019 Qrator Labs | Expires: May 7, 2020 Qrator Labs | |||
| R. Bush | R. Bush | |||
| Internet Initiative Japan | Internet Initiative Japan | |||
| K. Patel | K. Patel | |||
| Arrcus | Arrcus | |||
| J. Snijders | J. Snijders | |||
| NTT | NTT | |||
| R. Housley | R. Housley | |||
| Vigil Security | Vigil Security | |||
| May 17, 2019 | November 4, 2019 | |||
| A Profile for Autonomous System Provider Authorization | A Profile for Autonomous System Provider Authorization | |||
| draft-ietf-sidrops-aspa-profile-00 | draft-ietf-sidrops-aspa-profile-01 | |||
| Abstract | Abstract | |||
| This document defines a standard profile for Autonomous System | This document defines a standard profile for Autonomous System | |||
| Provider Authorization in the Resource Public Key Infrastructure. An | Provider Authorization in the Resource Public Key Infrastructure. An | |||
| Autonomous System Provider Authorization is a digitally signed object | Autonomous System Provider Authorization is a digitally signed object | |||
| that provides a means of verifying that a Customer Autonomous System | that provides a means of verifying that a Customer Autonomous System | |||
| holder has authorized a Provider Autonomous System to be its upstream | holder has authorized members of Provider set to be its upstream | |||
| provider and for the Provider to send prefixes received from the | providers and for the Providers to send prefixes received from the | |||
| Customer Autonomous System in all directions including providers and | Customer Autonomous System in all directions including providers and | |||
| peers. | peers. | |||
| Requirements Language | Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| skipping to change at page 2, line 10 ¶ | skipping to change at page 2, line 10 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on November 18, 2019. | This Internet-Draft will expire on May 7, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 35 ¶ | skipping to change at page 2, line 35 ¶ | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. The ASPA Content Type . . . . . . . . . . . . . . . . . . . . 3 | 2. The ASPA Content Type . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. The ASPA eContent . . . . . . . . . . . . . . . . . . . . . . 3 | 3. The ASPA eContent . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3.1. version . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 3.1. version . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.2. AFI . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 3.2. AFI . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.3. customerASID . . . . . . . . . . . . . . . . . . . . . . 4 | 3.3. customerASID . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.4. providerASID . . . . . . . . . . . . . . . . . . . . . . 4 | 3.4. providerASSET . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. ASPA Validation . . . . . . . . . . . . . . . . . . . . . . . 5 | 4. ASPA Validation . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 5. ASN.1 Module for the ASPA Content Type . . . . . . . . . . . 5 | 5. ASN.1 Module for the ASPA Content Type . . . . . . . . . . . 5 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | |||
| 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 7 | 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 7 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 7 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 8 | 9.2. Informative References . . . . . . . . . . . . . . . . . 8 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 1. Introduction | 1. Introduction | |||
| The primary purpose of the Resource Public Key Infrastructure (RPKI) | The primary purpose of the Resource Public Key Infrastructure (RPKI) | |||
| is to improve routing security. (See [RFC6480] for more | is to improve routing security. (See [RFC6480] for more | |||
| information.) As part of this infrastructure, a mechanism is needed | information.) As part of this infrastructure, a mechanism is needed | |||
| to verify that a Provider AS (PAS) has permission from a Customer AS | to verify that a AS has permission from a Customer AS (CAS) holder to | |||
| (CAS) holder to send routes in all directions. The digitally signed | send routes in all directions. The digitally signed Autonomous | |||
| Autonomous System Provider Authorization (ASPA) object provides this | System Provider Authorization (ASPA) object provides this | |||
| verification mechanism. | verification mechanism. | |||
| The ASPA uses the template for RPKI digitally signed objects | The ASPA uses the template for RPKI digitally signed objects | |||
| [RFC6488], which defines a Cryptographic Message Syntax (CMS) | [RFC6488], which defines a Cryptographic Message Syntax (CMS) | |||
| [RFC5652] wrapper for the ASPA content as well as a generic | [RFC5652] wrapper for the ASPA content as well as a generic | |||
| validation procedure for RPKI signed objects. As ASPAs need to be | validation procedure for RPKI signed objects. As ASPAs need to be | |||
| validated with RPKI certificates issued by the current | validated with RPKI certificates issued by the current | |||
| infrastructure, we assume the mandatory-to-implement algorithms in | infrastructure, we assume the mandatory-to-implement algorithms in | |||
| [RFC6485], or its successor. | [RFC6485], or its successor. | |||
| skipping to change at page 3, line 41 ¶ | skipping to change at page 3, line 41 ¶ | |||
| The content-type for an ASPA is defined as id-cct-ASPA, which has the | The content-type for an ASPA is defined as id-cct-ASPA, which has the | |||
| numerical value of 1.2.840.113549.1.9.16.1.TBD. This OID MUST appear | numerical value of 1.2.840.113549.1.9.16.1.TBD. This OID MUST appear | |||
| both within the eContentType in the encapContentInfo structure as | both within the eContentType in the encapContentInfo structure as | |||
| well as the content-type signed attribute within the signerInfo | well as the content-type signed attribute within the signerInfo | |||
| structure (see [RFC6488]). | structure (see [RFC6488]). | |||
| 3. The ASPA eContent | 3. The ASPA eContent | |||
| The content of an ASPA identifies the Customer AS (CAS) as well as | The content of an ASPA identifies the Customer AS (CAS) as well as | |||
| the Provider AS (PAS) that is authorized to further propagate | the Set of Provider ASes (SPAS) that are authorized to further | |||
| announcements received from the customer. If customer has multiple | propagate announcements received from the customer. If customer has | |||
| providers, it issues multiple ASPAs, one for each provider AS. An | multiple providers they SHOULD be registered in a single ASPA object. | |||
| ASPA is formally defined as: | An ASPA is formally defined as: | |||
| ct-ASPA CONTENT-TYPE ::= | ct-ASPA CONTENT-TYPE ::= | |||
| { ASProviderAttestation IDENTIFIED BY id-ct-ASPA } | { ASProviderAttestation IDENTIFIED BY id-ct-ASPA } | |||
| id-ct-ASPA OBJECT IDENTIFIER ::= { id-ct TBD } | id-ct-ASPA OBJECT IDENTIFIER ::= { id-ct TBD } | |||
| ASProviderAttestation ::= SEQUENCE { | ASProviderAttestation ::= SEQUENCE { | |||
| version [0] ASPAVersion DEFAULT v0, | version [0] ASPAVersion DEFAULT v0, | |||
| AFI AddressFamilyIdentifier, | AFI AddressFamilyIdentifier, | |||
| customerASID ASID, | customerASID ASID, | |||
| providerASID ASID } | providerASSET SEQUENCE (SIZE(1..MAX)) OF ASID } | |||
| ASPAVersion ::= INTEGER { v0(0) } | ASPAVersion ::= INTEGER { v0(0) } | |||
| AddressFamilyIdentifier ::= INTEGER | AddressFamilyIdentifier ::= INTEGER | |||
| ASID ::= INTEGER | ASID ::= INTEGER | |||
| Note that this content appears as the eContent within the | Note that this content appears as the eContent within the | |||
| encapContentInfo as specified in [RFC6488]. | encapContentInfo as specified in [RFC6488]. | |||
| skipping to change at page 4, line 39 ¶ | skipping to change at page 4, line 39 ¶ | |||
| 3.2. AFI | 3.2. AFI | |||
| The AFI field contains Address Family Identifier for which the | The AFI field contains Address Family Identifier for which the | |||
| relation between customer and provider ASes is authorized. Presently | relation between customer and provider ASes is authorized. Presently | |||
| defined values for the Address Family Identifier field are specified | defined values for the Address Family Identifier field are specified | |||
| in the IANA's Address Family Numbers registry [IANA-AF]. | in the IANA's Address Family Numbers registry [IANA-AF]. | |||
| 3.3. customerASID | 3.3. customerASID | |||
| The customerASID field contains the AS number of the Autonomous | The customerASID field contains the AS number of the Autonomous | |||
| System that authorizes an upstream provider (listed in the | System that authorizes an upstream providers (listed in the | |||
| providerASId) to propagate prefixes in the specified address family | providerASSET) to propagate prefixes in the specified address family | |||
| other ASes. | other ASes. | |||
| 3.4. providerASID | 3.4. providerASSET | |||
| The providerASID contains the AS number that is authorized to further | The providerASSET contains the sequence (set) of AS numbers that are | |||
| propagate announcements in the specified address family received from | authorized to further propagate announcements in the specified | |||
| the customer. | address family received from the customer. | |||
| 4. ASPA Validation | 4. ASPA Validation | |||
| Before a relying party can use an ASPA to validate a routing | Before a relying party can use an ASPA to validate a routing | |||
| announcement, the relying party MUST first validate the ASPA object | announcement, the relying party MUST first validate the ASPA object | |||
| itself. To validate an ASPA, the relying party MUST perform all the | itself. To validate an ASPA, the relying party MUST perform all the | |||
| validation checks specified in [RFC6488] as well as the following | validation checks specified in [RFC6488] as well as the following | |||
| additional ASPA-specific validation step. | additional ASPA-specific validation step. | |||
| o The autonomous system identifier delegation extension [RFC3779] is | o The autonomous system identifier delegation extension [RFC3779] is | |||
| skipping to change at page 6, line 36 ¶ | skipping to change at page 6, line 36 ¶ | |||
| id-ct-ASPA OBJECT IDENTIFIER ::= { id-ct TBD } | id-ct-ASPA OBJECT IDENTIFIER ::= { id-ct TBD } | |||
| ct-ASPA CONTENT-TYPE ::= | ct-ASPA CONTENT-TYPE ::= | |||
| { TYPE ASProviderAttestation IDENTIFIED BY id-ct-ASPA } | { TYPE ASProviderAttestation IDENTIFIED BY id-ct-ASPA } | |||
| ASProviderAttestation ::= SEQUENCE { | ASProviderAttestation ::= SEQUENCE { | |||
| version [0] ASPAVersion DEFAULT v0, | version [0] ASPAVersion DEFAULT v0, | |||
| AFI AddressFamilyIdentifier, | AFI AddressFamilyIdentifier, | |||
| customerASID ASID, | customerASID ASID, | |||
| providerASID ASID } | providerASSET SEQUENCE (SIZE(1..MAX)) OF ASID } | |||
| ASPAVersion ::= INTEGER { v0(0) } | ASPAVersion ::= INTEGER { v0(0) } | |||
| AddressFamilyIdentifier ::= INTEGER | AddressFamilyIdentifier ::= INTEGER | |||
| ASID ::= INTEGER | ASID ::= INTEGER | |||
| END | END | |||
| 6. IANA Considerations | 6. IANA Considerations | |||
| End of changes. 13 change blocks. | ||||
| 22 lines changed or deleted | 22 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||