draft-ietf-sidrops-bgpsec-rollover-00.txt   draft-ietf-sidrops-bgpsec-rollover-01.txt 
Network Working Group B. Weis Network Working Group B. Weis
Internet-Draft R. Gagliano Internet-Draft R. Gagliano
Intended status: Standards Track Cisco Systems Intended status: Standards Track Cisco Systems
Expires: September 9, 2017 K. Patel Expires: February 15, 2018 K. Patel
Arrcus, Inc. Arrcus, Inc.
March 8, 2017 August 14, 2017
BGPsec Router Certificate Rollover BGPsec Router Certificate Rollover
draft-ietf-sidrops-bgpsec-rollover-00 draft-ietf-sidrops-bgpsec-rollover-01
Abstract Abstract
BGPsec will need to address the impact from regular and emergency Certificate Authorities (CAs) managing CA certificates and End-Entity
rollover processes for the BGPsec end-entity (EE) certificates that (EE) certificates within the Resource Public Key Infrastructure
will be performed by Certificate Authorities (CAs) participating at (RPKI) will also manage BGPsec router certificates. But the rollover
the Resource Public Key Infrastructure (RPKI). Rollovers of BGPsec of CA and EE certificates BGPsec router certificates have additional
EE certificates must be carefully managed in order to synchronize considerations for Normal and emergency rollover processes. The
distribution of router public keys and the usage of those public keys rollover must be carefully managed in order to synchronize
by BGPsec routers. This memo provides general recommendations for distribution of router public keys and BGPsec routers creating BGPsec
that process, as well as describing reasons why the rollover of Update messages verified with those router public keys. This
BGPsec EE certificates might be necessary. document provides general recommendations for the rollover process,
as well as describing reasons why the rollover of BGPsec router
certificates might be necessary. When this rollover process is
followed the rollover should be accomplished without routing
information being lost.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 9, 2017. This Internet-Draft will expire on February 15, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Requirements notation . . . . . . . . . . . . . . . . . . . . 2 1. Requirements notation . . . . . . . . . . . . . . . . . . . . 2
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Key rollover in BGPsec . . . . . . . . . . . . . . . . . . . 3 3. Key rollover in BGPsec . . . . . . . . . . . . . . . . . . . 4
3.1. A proposed process for BGPsec key rollover . . . . . . . 4 3.1. A proposed process for BGPsec router key rollover . . . . 4
4. BGPsec key rollover as a measure against replays attacks in 4. BGPsec router key rollover as a measure against replay
BGPsec . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
4.1. BGPsec Replay attack window requirement . . . . . . . . . 6 4.1. BGP UPDATE window of exposure requirement . . . . . . . . 6
4.2. BGPsec key rollover as a mechanism to protect against 4.2. BGPsec key rollover as a mechanism to protect against
replay attacks . . . . . . . . . . . . . . . . . . . . . 7 replay attacks . . . . . . . . . . . . . . . . . . . . . 7
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
6. Security Considerations . . . . . . . . . . . . . . . . . . . 8 6. Security Considerations . . . . . . . . . . . . . . . . . . . 8
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
8.1. Normative References . . . . . . . . . . . . . . . . . . 8 8.1. Normative References . . . . . . . . . . . . . . . . . . 9
8.2. Informative References . . . . . . . . . . . . . . . . . 9 8.2. Informative References . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
1. Requirements notation 1. Requirements notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
[RFC2119]. [RFC2119].
2. Introduction 2. Introduction
In BGPsec, a key rollover (or re-key) is the process of changing a In BGPsec, a key rollover (or re-key) is the process of changing a
router's key pair (or key pairs), issuing the corresponding new end- router's key pair (or key pairs), issuing the corresponding new
entity (EE) certificate and (if the old certificate is still valid) BGPsec router certificate and (if the old certificate is still valid)
revoking the old certificate. This process will need to happen at revoking the old certificate. This process will need to happen at
regular intervals, normally due to the local policies of a network. regular intervals, normally due to the local policies of a network.
This document provides general recommendations for that process. This document provides general recommendations for that process.
Certificate Practice Statements (CPS) documents MAY reference these Certificate Practice Statements (CPS) documents MAY reference these
recommendations. This memo only addresses changing of a router's key recommendations. This memo only addresses changing of a router's key
pair within the RPKI. Refer to [RFC6489] for a procedure to rollover pair within the RPKI. Refer to [RFC6489] for a procedure to rollover
RPKI Certificate Authority key pairs. RPKI Certificate Authority key pairs.
When a router receives or creates a new key pair (using a key When a router receives or creates a new key pair (using a key
provisioning mechanism), this key pair will be used to sign new provisioning mechanism), this key pair will be used to sign new
BGPsec_Path attributes [I-D.ietf-sidr-bgpsec-protocol] that are BGPsec updates [I-D.ietf-sidr-bgpsec-protocol] that are originated or
originated or that transit through the BGP speaker. Additionally, that transit through the BGP speaker. Additionally, the BGP speaker
the BGP speaker MUST refresh its outbound BGPsec Update messages to MUST refresh its outbound BGPsec Update messages to include a
include a signature using the new key (replacing the replaced key). signature using the new key (replacing the old key). When the
When the rollover process finishes, the old BGPsec certificate (and rollover process finishes, the old BGPsec router certificate (and its
its key) will not longer be valid, and thus any BGPsec Update that key) will no longer be valid, and thus any BGPsec Update that
includes a BGPsec_Path attribute with a signature performed by the includes signature performed by the old key will be invalid.
old key will be invalid. Consequently, if the router does not Consequently, if the router does not refresh its outbound BGPsec
refresh its outbound BGPsec Update messages, routing information may Update messages, previously sent routing information may be treated
be treated as unauthenticated after the rollover process is finished. as unauthenticated after the rollover process is finished. It is
It is therefore extremely important that the BGPsec router key therefore extremely important that new BGPsec router certificates
rollover be performed in such a way that the probability of new have been distributed throughout the RPKI before the router begin
router EE certificates have been distributed throughout the RPKI signing BGPsec updates with a new private key.
before the router begin signing BGPsec_Path attributes with a new
private key.
It is also important for an AS to minimize the BGPsec router key It is also important for an AS to minimize the BGPsec router key
rollover interval (i.e., in between the time an AS distributes an EE rollover interval (i.e., in between the time an AS distributes a
certificate with a new public key and the time a BGPsec router begins BGPsec router certificate with a new public key and the time a BGPsec
to use its new private key). This can be due to a need for a BGPsec router begins to use its new private key). This can be due to a need
router to distribute BGPsec_Path attributes signed with a new private for a BGPsec router to distribute BGPsec updates signed with a new
key in order to invalidate BGPsec_Path attributes signed with the old private key in order to invalidate BGPsec updates signed with the old
private key. In particular, if the AS suspects that a stale private key. In particular, if the AS suspects that a stale BGPsec
BGPsec_Path attribute is being distributed instead of the most updates is being distributed instead of the most recently signed
recently signed attribute it can cause the stale BGPsec_Path attribute it can cause the stale BGPsec updates to be invalidated by
attribute to be invalidated by completing a key rollover procedure. completing a key rollover procedure. The BGPsec router rollover
The BGPsec rollover interval can be minimized when an automated interval can be minimized when an automated certificate provisioning
certificate provisioning process such as Enrollment over Secure process such as Enrollment over Secure Transport (EST) [RFC7030]) is
Transport (EST) [RFC7030]) is used. used.
The Security Requirements for BGP Path Validation [RFC7353] also The Security Requirements for BGP Path Validation [RFC7353] also
describes the need for protecting against the replay of BGP UPDATE describes the need for protecting against suppression of BGP WITHDRAW
messages, such as controlling BGPsec's window of exposure to replay messages or replay of BGP UPDATE messages, such as controlling
attacks. The BGPsec rollover method in this document can be used to BGPsec's window of exposure to such attacks. The BGPsec router
achieve this goal. certificate rollover method in this document can be used to achieve
this goal.
In [I-D.ietf-sidr-rtr-keying], the "operator-driven" method is In [I-D.ietf-sidr-rtr-keying], the "operator-driven" method is
introduced, in which a key pair can be shared among different BGP introduced, in which a key pair can be shared among multiple BGP
Speakers. In this scenario, the roll-over of the correspondent speakers. In this scenario, the roll-over of the correspondent
BGPsec certificate will impact all the BGP Speakers sharing the same BGPsec router certificate will impact all the BGP speakers sharing
private key. the same private key.
3. Key rollover in BGPsec 3. Key rollover in BGPsec
An BGPsec EE certificate SHOULD be replaced when the following events An BGPsec router certificate SHOULD be replaced when the following
occur, and can be replaced for any other reason at the discretion of events occur, and can be replaced for any other reason at the
the AS responsible for the EE certificate. discretion of the AS responsible for the BGPsec router certificate.
BGPsec scheduled rollover: BGPsec certificates have an expiration Scheduled rollover: BGPsec router certificates have an expiration
date (NotValidAfter) that requires a frequent rollover process. date (NotValidAfter) that requires a frequent rollover process
The validity period for these certificates is typically to refresh certificates or issue new certificates. The
expressed at the CA's CPS document. validity period for these certificates is typically expressed
in the CA's CPS document.
BGPsec certificate fields changes: Information contained in a BGPsec Router certificate field changes: Information contained in a BGPsec
certificate (such as the ASN or the Subject) may need to be router certificate (such as the ASN or the Subject) may need to
changed. be changed.
BGPsec emergency rollover Some special circumstances (such as a Emergency router key rollover Some special circumstances (such as a
compromised key) may require the replacement of a BGPsec compromised key) may require the replacement of a BGPsec router
certificate. certificate.
BGPsec signature anti-replay protection An AS may determine stale Protection against withdrawel supporession and replay attacks: An AS
BGPsec_Path attributes signed by the AS are being propagated may determine withdrawn BGPsec updates are being propagated
instead of the most recently signed BGPsec_Path attributes. instead of the most recently propagated BGPsec updates.
Changing the BGPsec router signing key, distributing a new Changing the BGPsec router signing key, distributing a new
BGPsec EE certificate for the router, and revoking the old BGPsec router certificate, and revoking the old BGPsec router
BGPsec EE certificate will invalidate the replayed BGPsec_Path certificate will invalidate the replayed BGPsec updates.
attributes.
In some of these cases it is possible to generate a new certificate In some of these cases it is possible to generate a new certificate
without changing the key pair. This practice simplifies the rollover without changing the key pair. This practice simplifies the rollover
process as the corresponding BGP speakers do not even need to be process as the BGP speakers receiving BGPsec Updates do not even need
aware of the changes to its correspondent certificate. However, not to be aware of the change of certificate. However, not replacing the
replacing the certificate key for a long period of time increases the certificate key for a long period of time increases the risk that a
risk that a compromised router private key may be used by an attacker compromised router private key may be used by an attacker to deliver
to deliver unauthorized BGPsec Updates. Distributing the OLD public unauthorized or false BGPsec Updates. Distributing the OLD public
key in a new certificate is NOT RECOMMENDED when the rollover event key in a new certificate is NOT RECOMMENDED when the rollover event
is due to the key being compromised, or when stale BGPsec_Path is due to a compromised key, or when it is suspected that withdrawn
attribute signatures are being distributed. BGPsec updates are being distributed.
3.1. A proposed process for BGPsec key rollover 3.1. A proposed process for BGPsec router key rollover
The BGPsec key rollover process will be dependent on the key The key rollover process will be dependent on the key provisioning
provisioning mechanisms that are adopted by an AS. The key mechanisms adopted by an AS [I-D.ietf-sidr-rtr-keying]. An automatic
provisioning mechanisms for BGPsec are not yet fully documented (see provisioning mechanism such as EST will allow router key management
[I-D.ietf-sidr-rtr-keying] as a work in progress document). An procedures to include automatic re-keying methods with minimum
automatic provisioning mechanism such as EST will allow BGPsec code development cost.
to include automatic re-keying scripts with minimum development cost.
If we work under the assumption that an automatic mechanism will If we work under the assumption that an automatic mechanism will
exist to rollover a BGPsec certificate, a RECOMMENDED process is as exist to rollover a BGPsec router certificate, a RECOMMENDED process
follows. is as follows.
1. New Certificate Publication: The first step in the rollover 1. New Certificate Publication: The first step in the rollover
mechanism is to publish the new public key in a new certificate. mechanism is to publish the new public key in a new certificate.
In order to accomplish this goal, the new key pair and In order to accomplish this goal, the new key pair and
certificate will need to be generated and the certificate certificate will need to be generated and the certificate
published at the appropriate RPKI repository publication point. published at the appropriate RPKI repository publication point.
The details of this process will vary as they depend on whether The details of this process will vary as they depend on whether
the keys are assigned per-BGP speaker or shared, whether the keys the keys are assigned per-BGPsec speaker or shared among multiple
are generated on each BGP speaker or in a central location, and BGPsec speakers, whether the keys are generated on each BGPsec
whether the RPKI repository is locally or externally hosted. speaker or in a central location, and whether the RPKI repository
is locally or externally hosted.
2. Staging Period: A staging period will be required from the time a 2. Staging Period: A staging period will be required from the time a
new certificate is published in the RPKI global repository until new certificate is published in the RPKI global repository until
the time it is fetched by RPKI caches around the globe. The the time it is fetched by RPKI caches around the globe. The
exact minimum staging time will be dictated by the conventional exact minimum staging time will be dictated by the conventional
interval chosen between repository fetches. If rollovers will be interval chosen between repository fetches. If rollovers will be
done more frequently, an administrator can provision two done more frequently, an administrator can provision two
certificates for every router concurrently with different valid certificates for every router concurrently with different valid
start times. In this case when the rollover operation is needed, start times. In this case when the rollover operation is needed,
the relying parties around the globe would already have the new the relying parties around the globe would already have the new
router public keys. A staging period may not be possible to router public keys. However, If an administrator has not
implement during emergency key rollover, in which case routing previously provisioned the next certificate then a staging period
information may be lost. may not be possible to implement during emergency key rollover.
If there is no staging period, routing information may be lost.
3. Twilight: At this moment, the BGP speaker that holds the private 3. Twilight: At this moment, the BGPsec speaker holding the rolled-
key that has been rolled-over will stop using the OLD key for over private key will stop using the OLD key for signing and
signing and start using the NEW key. Also, the router will start using the NEW key. Also, the router will generate
generate appropriate BGPsec_Path attributes just as in the appropriate refreshed BGPsec updates just as in the typical
typical operation of refreshing out-bound BGP polices. This operation of refreshing out-bound BGP polices. This operation
operation may generate a great number of BGPsec_Path attributes may generate a great number of BGPsec updates. A BGPsec speaker
(due to the need to refresh BGP outbound policies). In any given may vary the Twilight moment for every peer in order to
BGP SPEAKER, the Twilight moment may be different for every peer distribute the system load (e.g., skewing the rollover for
in order to distribute the system load (probably in the order of different peers by a few minutes each would be sufficient and
minutes to avoid reaching any expiration time). effective).
4. Certificate Revocation: This is an optional step, but SHOULD be 4. Certificate Revocation: This is an optional step, but SHOULD be
taken when the goal is to invalidate signatures used with the OLD taken when the goal is to invalidate updates signed with the OLD
key. Reasons to invalidate OLD signatures include: when the AS key. Reasons to invalidate OLD updates include: (a) the AS has
has reason to believe that the router signing key has been reason to believe that the router signing key has been
compromised, and when the AS needs to invalidate BGPsec_Path compromised, and (b) the AS needs to invalidate already
attribute signatures used with this key. As part of the rollover propagated BGPsec updates signed with the OLD key. As part of
process, a CA MAY decide to revoke the OLD certificate by the rollover process, a CA MAY decide to revoke the OLD
publishing its serial number on the CA's CRL. Alternatively, the certificate by publishing its serial number on the CA's CRL.
CA will just let the OLD certificate to expire and not revoke it.
This choice will depend on the reasons that motivated the Alternatively, the CA will just let the OLD certificate expire
rollover process. and not revoke it. This choice will depend on the reasons that
motivated the rollover process.
5. RPKI-Router Protocol Withdrawals: At the expiration of the OLD 5. RPKI-Router Protocol Withdrawals: At the expiration of the OLD
certificate's validation, the RPKI relying parties around the certificate's validation, the RPKI relying parties around the
globe will need to communicate to their router peers that the OLD globe will need to communicate to their router peers that the OLD
certificate's public key is not longer valid (e.g., using the certificate's public key is no longer valid (e.g., using the
RPKI-Router Protocol described in [RFC6810]). A router's RPKI-Router Protocol described in
reaction to a message indicating withdrawal of a prefix in the [I-D.ietf-sidr-rpki-rtr-rfc6810-bis]). A router's reaction to a
RPKI-Router Protocol SHOULD include the removal of any RIB entry message indicating withdrawal of a router key in the RPKI-Router
that includes a BGPsec attribute signed with that key and the Protocol SHOULD include the removal of any RIB entries (i.e.,
generation of the correspondent BGP WITHDRAWALs (either implicit BGPsec updates) signed with that key and the generation of the
or explicit). corresponding BGP WITHDRAWALs (either implicit or explicit).
The proposed rollover mechanism will depend on the existence of an The proposed rollover mechanism will depend on the existence of an
automatic provisioning process for BGPsec certificates. It will automatic provisioning process for BGPsec router certificates. It
require a staging mechanism based on the RPKI propagation time of will require a staging mechanism based on the RPKI propagation time
around 24 hours, and it will generate BGPsec_Path attributes for all (typically a 24 hour period at the time this document was published),
prefixes in the router been re-keyed. and it will require re-signing all originated and transited BGPsec
updates that were previously signed with the OLD key.
The first two steps (New Certificate Publication and Staging Period) The first two steps (New Certificate Publication and Staging Period)
may happen in advance of the rest of the process. This will allow a may happen in advance of the rest of the process. This will allow a
network operator to accelerate its subsequent key roll-over. network operator to perform its subsequent key roll-over in an
efficient and timely manner.
When a new BGPsec certificate is generated without changing its key, When a new BGPsec router certificate is generated without changing
steps 3 (Twilight) and 5 (RPKI-Router Protocol Withdrawals) SHOULD its key, steps 3 (Twilight) and 5 (RPKI-Router Protocol Withdrawals)
NOT be executed. SHOULD NOT be executed.
4. BGPsec key rollover as a measure against replays attacks in BGPsec 4. BGPsec router key rollover as a measure against replay attacks
There are two typical generic measures to mitigate replay attacks in There are two typical generic measures to mitigate replay attacks in
any protocol: the addition of a timestamp or the addition of a serial any protocol: the addition of a timestamp or the addition of a serial
number. However neither BGP nor BGPsec provide either measure. This number. However, neither BGP nor BGPsec provide either measure. The
section discusses the use of BGPsec Rollover as a measure to mitigate timestamp approach was originally proposed for BGPsec
replay attacks. [I-D.sriram-replay-protection-design-discussion] but later dropped in
favor of the key rollover approach. This section discusses the use
of using a key roll-over as a measure to mitigate replay attacks.
4.1. BGPsec Replay attack window requirement 4.1. BGP UPDATE window of exposure requirement
In [RFC7353] Section 4.3, the need to limit the vulnerability to The need to limit the vulnerability to replay attacks is described in
replay attacks is described. One important comment is that during a [RFC7353] Section 4.3. One important comment is that during a window
window of exposure, a replay attack is effective only in very of exposure, a replay attack is effective only in very specific
specific circumstances: there is a downstream topology change that circumstances: there is a downstream topology change that makes the
makes the signed AS path no longer current, and the topology change signed AS path no longer current, and the topology change makes the
makes the replayed route preferable to the route associated with the replayed route preferable to the route associated with the new
new update. In particular, if there have been no topology change at update. In particular, if there is no topology change at all, then
all, then no security threat comes from a replay of a BGPsec_Path no security threat comes from a replay of a BGPsec update because the
attribute because the signed information is still valid. signed information is still valid.
The BGPsec Ops document [I-D.ietf-sidr-bgpsec-ops] gives some idea of The BGPsec Operational Considerations document
requirements for the size of the BGPsec windows of exposure to replay [I-D.ietf-sidr-bgpsec-ops] gives some idea of requirements for the
attacks. It states that the requirement will be in the order of a size of the window of exposure to replay attacks. It states that the
day or longer. requirement will be in the order of a day or longer.
4.2. BGPsec key rollover as a mechanism to protect against replay 4.2. BGPsec key rollover as a mechanism to protect against replay
attacks attacks
Since the window requirement is in the order of a day (as documented Since the window requirement is on the order of a day (as documented
in [I-D.ietf-sidr-bgpsec-ops]) and the BGP speaker re-keying is the in [I-D.ietf-sidr-bgpsec-ops]) and the BGP speaker performing re-
edge router of the origin AS, it is feasible for a BGPsec Rollover to keying is the edge router of the origin AS, it is feasible to use key
mitigate replays. In this case it is important to complete the full rollover to mitigate replays. In this case it is important to
process (i.e. the OLD and NEW certificate do not share the same key). complete the full process (i.e. the OLD and NEW certificates do not
By re-keying an AS is letting the BGPsec certificate validation time share the same key). By re-keying, an AS is letting the BGPsec
be a type of "timestamp" against replay attacks. However, the use of router certificate validation time be a type of "timestamp" to
frequent key rollovers comes with an additional administrative cost mitigate replay attacks. However, the use of frequent key rollovers
and risks if the process fails. As documented before, re-keying comes with an additional administrative cost and risks if the process
should be supported by automatic tools and for the great majority of fails. As documented before, re-keying should be supported by
the Internet it will be done with good lead time to correct any risk. automatic tools, and for the great majority of the Internet it will
be done with good lead time to ensure that the public key
corresponding to the NEW router certificate will be available to
validate the corresponding BGPsec updates when received.
For a transit AS that also originates BGPsec_Path attributes for its For a transit AS that also originates BGPsec updates for its own
own prefixes, the key rollover process may generate a large number of prefixes, the key rollover process may generate a large number of
UPDATE messages (even the complete Default Free Zone or DFZ). For UPDATE messages (even the complete Default Free Zone or DFZ). For
this reason, it is recommended that routers in a transit AS that also this reason, it is recommended that routers in a transit AS that also
originate BGPsec_Path attributes be provisioned with two originate BGPsec updates be provisioned with two certificates: one to
certificates: one to sign BGPsec_Path attributes in transit and a sign BGPsec updates in transit and a second one to sign BGPsec
second one to sign an BGPsec_Path attribute for prefixes originated updates for prefixes originated from its AS. Only the second
in its AS. Only the second certificate (for prefixes originated in certificate (for originating prefixes) should be rolled-over
its AS) should be rolled-over frequently as a means of limiting frequently as a means of limiting replay attack windows. The router
replay attack windows. The transit BGPsec certificate is expected to certificate used for signing updates in transit is expected to live
live longer than the origin BGPsec certificate. longer than the one used for signing origination updates.
Advantage of Re-keying as replay attack protection mechanism: Advantages to re-keying as replay attack protection mechanism are as
follows:
1. All expiration policies are maintained in the RPKI 1. All expiration policies are maintained in the RPKI.
2. Much of the additional administrative cost is paid by the 2. Much of the additional administrative cost is paid by the
provider that wants to protect its infrastructure, as it bears provider that wants to protect its infrastructure, as it bears
the human cost of creating and initiating distribution of new the cost of creating and initiating distribution of new router
router key pairs and router EE certificates. (It is true that key pairs and BGPsec router certificates. (It is true that the
the cost of relying parties will be affected by the new objects, cost of relying parties will be affected by the new objects, but
but their responses should be completely automated or otherwise their responses should be completely automated or otherwise
routine.) routine.)
3. The re-keying can be implemented in coordination with planned 3. The re-keying can be implemented in coordination with planned
topology changes by either origin ASes or transit ASes (e.g., if topology changes by either origin ASes or transit ASes (e.g., if
an AS changes providers, it completes a BGP Rollover) an AS changes providers, it completes a key rollover).
Disadvantage of Re-keying as replay attack protection mechanism: Disadvantages to Re-keying as replay attack protection mechanism are
as follows:
1. There is more administrative load due to frequent rollover, 1. Frequent rollovers add administrative and BGP processing loads,
although how frequent is still not clear. Some initial ideas are although the required frequency is not clear. Some initial ideas
found in [I-D.ietf-sidr-bgpsec-ops] are found in [I-D.ietf-sidr-bgpsec-ops].
2. The minimum window size is bounded by the propagation time for 2. The minimum replay vulnerability is bounded by the propagation
RPKI caches to obtain the new certificate and CRL (2x propagation time for RPKI caches to obtain the new certificate and CRL (2x
time). If provisioning is done ahead of time, the minimum window propagation time because first the NEW certificate and then the
size is reduced to 1x propagation time for the CRL. However, CRL need to propagate through the RPKI system). If provisioning
these bounds will be better understood when RPKI and RPs are well is done ahead of time, the minimum replay vulnerability window
deployed. size is reduced to 1x propagation time (i.e., propagation of the
CRL). However, these bounds will be better understood when RPKI
and RPs are well deployed, as well as the propagation time for
objects in the RPKI is better understood.
3. Re-keying increases the dynamics and size of RPKI repository. 3. Re-keying increases the dynamics and size of the RPKI repository.
5. IANA Considerations 5. IANA Considerations
There are no IANA considerations. This section may be removed upon There are no IANA considerations. This section may be removed upon
publication. publication.
6. Security Considerations 6. Security Considerations
Several possible reasons can cause routers participating in BGPsec to This document does not contain a protocol update to either the RPKI
rollover their signing keys, which also has the effect of or BGPsec. It describes a process for managing BGPsec router
invalidating BGPsec_Path attributes signatures using the current certificates within the RPKI.
signature verification key. Conventional key management operations
my dicate a re-key (e.g.,key exposure, change of certificate
attributes, rollover policy). BGPsec routers also may need to change
their signing keys and associated certificate as an anti-replay
protection.
The BGPsec Rollover method allows for an expedient rollover process Routers participating in BGPsec will need to rollover their signing
when router certificates are distributed through the RPKI, but keys as part of conventional certificate management processes.
without causing routing failures due to a receiving router not being However, because rolling over signing keys will also have an effect
able to validate a BGPsec_Path attribute created by a router that is of invalidating BGPsec updates signatures, the rollover process must
the subject of the rollover. be carefully orchestrated to ensure that valid BGPsec updates are not
treated as invalid. This situation could affect Internet routing.
This document describes a safe method for rolling over BGPsec router
certificates. It takes into account both normal and emergency key
rollover requirements.
Additionally, the key rollover method described in this document can
be used as a measure to mitigate BGP update replay attacks, in which
an entity in the routing system is suppressing current BGPsec updates
and replaying withdrawn updates. When the key used to sign the
withdrawn updates has been rolled over, the withdrawn updates will be
considered invalid. When certificates containing a new public key
are provisioning ahead of time, the minimum replay vulnerability
window size is reduced to the propagation time of a CRL invalidating
the certificate containing an old public key. For a discussion of
the difficulties deploying a more effectual replay protection
mechanism for BGPSEC, see
[I-D.sriram-replay-protection-design-discussion].
7. Acknowledgements 7. Acknowledgements
We would like to acknowledge Randy Bush, Sriram Kotikalapudi, Stephen Randy Bush, Kotikalapudi Sriram, Stephen Kent and Sandy Murphy each
Kent and Sandy Murphy. provided valuable suggestions resulting in an improved document.
8. References 8. References
8.1. Normative References 8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
8.2. Informative References 8.2. Informative References
[I-D.ietf-sidr-bgpsec-ops] [I-D.ietf-sidr-bgpsec-ops]
Bush, R., "BGPsec Operational Considerations", draft-ietf- Bush, R., "BGPsec Operational Considerations", draft-ietf-
sidr-bgpsec-ops-16 (work in progress), January 2017. sidr-bgpsec-ops-16 (work in progress), January 2017.
[I-D.ietf-sidr-bgpsec-protocol] [I-D.ietf-sidr-bgpsec-protocol]
Lepinski, M. and K. Sriram, "BGPsec Protocol Lepinski, M. and K. Sriram, "BGPsec Protocol
Specification", draft-ietf-sidr-bgpsec-protocol-22 (work Specification", draft-ietf-sidr-bgpsec-protocol-23 (work
in progress), January 2017. in progress), April 2017.
[I-D.ietf-sidr-rpki-rtr-rfc6810-bis]
Bush, R. and R. Austein, "The Resource Public Key
Infrastructure (RPKI) to Router Protocol, Version 1",
draft-ietf-sidr-rpki-rtr-rfc6810-bis-09 (work in
progress), February 2017.
[I-D.ietf-sidr-rtr-keying] [I-D.ietf-sidr-rtr-keying]
Bush, R., Turner, S., and K. Patel, "Router Keying for Bush, R., Turner, S., and K. Patel, "Router Keying for
BGPsec", draft-ietf-sidr-rtr-keying-12 (work in progress), BGPsec", draft-ietf-sidr-rtr-keying-13 (work in progress),
June 2016. April 2017.
[I-D.sriram-replay-protection-design-discussion]
Sriram, K. and D. Montgomery, "Design Discussion and
Comparison of Protection Mechanisms for Replay Attack and
Withdrawal Suppression in BGPsec", draft-sriram-replay-
protection-design-discussion-08 (work in progress), April
2017.
[RFC6489] Huston, G., Michaelson, G., and S. Kent, "Certification [RFC6489] Huston, G., Michaelson, G., and S. Kent, "Certification
Authority (CA) Key Rollover in the Resource Public Key Authority (CA) Key Rollover in the Resource Public Key
Infrastructure (RPKI)", BCP 174, RFC 6489, Infrastructure (RPKI)", BCP 174, RFC 6489,
DOI 10.17487/RFC6489, February 2012, DOI 10.17487/RFC6489, February 2012,
<http://www.rfc-editor.org/info/rfc6489>. <http://www.rfc-editor.org/info/rfc6489>.
[RFC6810] Bush, R. and R. Austein, "The Resource Public Key
Infrastructure (RPKI) to Router Protocol", RFC 6810,
DOI 10.17487/RFC6810, January 2013,
<http://www.rfc-editor.org/info/rfc6810>.
[RFC7030] Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed., [RFC7030] Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed.,
"Enrollment over Secure Transport", RFC 7030, "Enrollment over Secure Transport", RFC 7030,
DOI 10.17487/RFC7030, October 2013, DOI 10.17487/RFC7030, October 2013,
<http://www.rfc-editor.org/info/rfc7030>. <http://www.rfc-editor.org/info/rfc7030>.
[RFC7353] Bellovin, S., Bush, R., and D. Ward, "Security [RFC7353] Bellovin, S., Bush, R., and D. Ward, "Security
Requirements for BGP Path Validation", RFC 7353, Requirements for BGP Path Validation", RFC 7353,
DOI 10.17487/RFC7353, August 2014, DOI 10.17487/RFC7353, August 2014,
<http://www.rfc-editor.org/info/rfc7353>. <http://www.rfc-editor.org/info/rfc7353>.
Authors' Addresses Authors' Addresses
Brian Weis Brian Weis
Cisco Systems Cisco Systems
170 W. Tasman Drive 170 W. Tasman Drive
San Jose, CA 95134 San Jose, CA 95134
CA US
Email: bew@cisco.com Email: bew@cisco.com
Roque Gagliano Roque Gagliano
Cisco Systems Cisco Systems
Avenue des Uttins 5 Avenue des Uttins 5
Rolle, VD 1180 Rolle, VD 1180
Switzerland Switzerland
Email: rogaglia@cisco.com Email: rogaglia@cisco.com
Keyur Patel Keyur Patel
Arrcus, Inc. Arrcus, Inc.
 End of changes. 57 change blocks. 
215 lines changed or deleted 254 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/