Network Working Group                                            B. Weis
Internet-Draft                                               R. Gagliano
Intended status: Standards Track                           Cisco Systems
Expires: September 9, 2017 February 15, 2018                                      K. Patel
                                                            Arrcus, Inc.
                                                           March 8,
                                                         August 14, 2017

                   BGPsec Router Certificate Rollover
                 draft-ietf-sidrops-bgpsec-rollover-00
                 draft-ietf-sidrops-bgpsec-rollover-01

Abstract

   BGPsec will need to address the impact from regular and emergency
   rollover processes for the BGPsec end-entity (EE) certificates that
   will be performed by

   Certificate Authorities (CAs) participating at managing CA certificates and End-Entity
   (EE) certificates within the Resource Public Key Infrastructure (RPKI).  Rollovers of
   (RPKI) will also manage BGPsec router certificates.  But the rollover
   of CA and EE certificates BGPsec router certificates have additional
   considerations for Normal and emergency rollover processes.  The
   rollover must be carefully managed in order to synchronize
   distribution of router public keys and the usage of BGPsec routers creating BGPsec
   Update messages verified with those router public keys
   by BGPsec routers. keys.  This memo
   document provides general recommendations for
   that the rollover process,
   as well as describing reasons why the rollover of BGPsec EE router
   certificates might be necessary.  When this rollover process is
   followed the rollover should be accomplished without routing
   information being lost.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 9, 2017. February 15, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Requirements notation . . . . . . . . . . . . . . . . . . . .   2
   2.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   3.  Key rollover in BGPsec  . . . . . . . . . . . . . . . . . . .   3   4
     3.1.  A proposed process for BGPsec router key rollover . . . . . . .   4
   4.  BGPsec router key rollover as a measure against replays replay
       attacks in
       BGPsec . . . . . . . . . . . . . . . . . . . . . . . . . . .   6
     4.1.  BGPsec Replay attack  BGP UPDATE window of exposure requirement . . . . . . . . .   6
     4.2.  BGPsec key rollover as a mechanism to protect against
           replay attacks  . . . . . . . . . . . . . . . . . . . . .   7
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   8
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   8   9
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   8   9
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   8   9
     8.2.  Informative References  . . . . . . . . . . . . . . . . .   9
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   9  10

1.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   [RFC2119].

2.  Introduction

   In BGPsec, a key rollover (or re-key) is the process of changing a
   router's key pair (or key pairs), issuing the corresponding new end-
   entity (EE)
   BGPsec router certificate and (if the old certificate is still valid)
   revoking the old certificate.  This process will need to happen at
   regular intervals, normally due to the local policies of a network.

   This document provides general recommendations for that process.
   Certificate Practice Statements (CPS) documents MAY reference these
   recommendations.  This memo only addresses changing of a router's key
   pair within the RPKI.  Refer to [RFC6489] for a procedure to rollover
   RPKI Certificate Authority key pairs.

   When a router receives or creates a new key pair (using a key
   provisioning mechanism), this key pair will be used to sign new
   BGPsec_Path attributes
   BGPsec updates [I-D.ietf-sidr-bgpsec-protocol] that are originated or
   that transit through the BGP speaker.  Additionally, the BGP speaker
   MUST refresh its outbound BGPsec Update messages to include a
   signature using the new key (replacing the replaced old key).  When the
   rollover process finishes, the old BGPsec router certificate (and its
   key) will not no longer be valid, and thus any BGPsec Update that
   includes a BGPsec_Path attribute with a signature performed by the old key will be invalid.
   Consequently, if the router does not refresh its outbound BGPsec
   Update messages, previously sent routing information may be treated
   as unauthenticated after the rollover process is finished.  It is
   therefore extremely important that the BGPsec router key
   rollover be performed in such a way that the probability of new BGPsec router EE certificates
   have been distributed throughout the RPKI before the router begin
   signing BGPsec_Path attributes BGPsec updates with a new private key.

   It is also important for an AS to minimize the BGPsec router key
   rollover interval (i.e., in between the time an AS distributes an EE a
   BGPsec router certificate with a new public key and the time a BGPsec
   router begins to use its new private key).  This can be due to a need
   for a BGPsec router to distribute BGPsec_Path attributes BGPsec updates signed with a new
   private key in order to invalidate BGPsec_Path attributes BGPsec updates signed with the old
   private key.  In particular, if the AS suspects that a stale
   BGPsec_Path attribute BGPsec
   updates is being distributed instead of the most recently signed
   attribute it can cause the stale BGPsec_Path
   attribute BGPsec updates to be invalidated by
   completing a key rollover procedure.  The BGPsec router rollover
   interval can be minimized when an automated certificate provisioning
   process such as Enrollment over Secure Transport (EST) [RFC7030]) is
   used.

   The Security Requirements for BGP Path Validation [RFC7353] also
   describes the need for protecting against the suppression of BGP WITHDRAW
   messages or replay of BGP UPDATE messages, such as controlling
   BGPsec's window of exposure to replay such attacks.  The BGPsec router
   certificate rollover method in this document can be used to achieve
   this goal.

   In [I-D.ietf-sidr-rtr-keying], the "operator-driven" method is
   introduced, in which a key pair can be shared among different multiple BGP
   Speakers.
   speakers.  In this scenario, the roll-over of the correspondent
   BGPsec router certificate will impact all the BGP Speakers speakers sharing
   the same private key.

3.  Key rollover in BGPsec

   An BGPsec EE router certificate SHOULD be replaced when the following
   events occur, and can be replaced for any other reason at the
   discretion of the AS responsible for the EE certificate. BGPsec scheduled router certificate.

   Scheduled rollover:  BGPsec router certificates have an expiration
         date (NotValidAfter) that requires a frequent rollover process. process
         to refresh certificates or issue new certificates.  The
         validity period for these certificates is typically expressed at
         in the CA's CPS document.

   BGPsec

   Router certificate fields field changes:  Information contained in a BGPsec
         router certificate (such as the ASN or the Subject) may need to
         be changed.

   BGPsec emergency

   Emergency router key rollover  Some special circumstances (such as a
         compromised key) may require the replacement of a BGPsec router
         certificate.

   BGPsec signature anti-replay protection

   Protection against withdrawel supporession and replay attacks:  An AS
         may determine stale
         BGPsec_Path attributes signed by the AS withdrawn BGPsec updates are being propagated
         instead of the most recently signed BGPsec_Path attributes. propagated BGPsec updates.
         Changing the BGPsec router signing key, distributing a new
         BGPsec EE certificate for the router, router certificate, and revoking the old BGPsec EE router
         certificate will invalidate the replayed BGPsec_Path
         attributes. BGPsec updates.

   In some of these cases it is possible to generate a new certificate
   without changing the key pair.  This practice simplifies the rollover
   process as the corresponding BGP speakers receiving BGPsec Updates do not even need
   to be aware of the changes to its correspondent change of certificate.  However, not replacing the
   certificate key for a long period of time increases the risk that a
   compromised router private key may be used by an attacker to deliver
   unauthorized or false BGPsec Updates.  Distributing the OLD public
   key in a new certificate is NOT RECOMMENDED when the rollover event
   is due to the key being compromised, a compromised key, or when stale BGPsec_Path
   attribute signatures it is suspected that withdrawn
   BGPsec updates are being distributed.

3.1.  A proposed process for BGPsec router key rollover

   The BGPsec key rollover process will be dependent on the key provisioning
   mechanisms that are adopted by an AS.  The key
   provisioning mechanisms for BGPsec are not yet fully documented (see
   [I-D.ietf-sidr-rtr-keying] as a work in progress document).  An
   automatic AS [I-D.ietf-sidr-rtr-keying].  An automatic
   provisioning mechanism such as EST will allow BGPsec code router key management
   procedures to include automatic re-keying scripts methods with minimum
   development cost.

   If we work under the assumption that an automatic mechanism will
   exist to rollover a BGPsec router certificate, a RECOMMENDED process
   is as follows.

   1.  New Certificate Publication: The first step in the rollover
       mechanism is to publish the new public key in a new certificate.
       In order to accomplish this goal, the new key pair and
       certificate will need to be generated and the certificate
       published at the appropriate RPKI repository publication point.
       The details of this process will vary as they depend on whether
       the keys are assigned per-BGP per-BGPsec speaker or shared, shared among multiple
       BGPsec speakers, whether the keys are generated on each BGP BGPsec
       speaker or in a central location, and whether the RPKI repository
       is locally or externally hosted.

   2.  Staging Period: A staging period will be required from the time a
       new certificate is published in the RPKI global repository until
       the time it is fetched by RPKI caches around the globe.  The
       exact minimum staging time will be dictated by the conventional
       interval chosen between repository fetches.  If rollovers will be
       done more frequently, an administrator can provision two
       certificates for every router concurrently with different valid
       start times.  In this case when the rollover operation is needed,
       the relying parties around the globe would already have the new
       router public keys.  A  However, If an administrator has not
       previously provisioned the next certificate then a staging period
       may not be possible to implement during emergency key rollover, in which case rollover.
       If there is no staging period, routing information may be lost.

   3.  Twilight: At this moment, the BGP BGPsec speaker that holds holding the rolled-
       over private key that has been rolled-over will stop using the OLD key for signing and
       start using the NEW key.  Also, the router will generate
       appropriate BGPsec_Path attributes refreshed BGPsec updates just as in the typical
       operation of refreshing out-bound BGP polices.  This operation
       may generate a great number of BGPsec_Path attributes
       (due to the need to refresh BGP outbound policies).  In any given
       BGP SPEAKER, BGPsec updates.  A BGPsec speaker
       may vary the Twilight moment may be different for every peer in order to
       distribute the system load (probably in (e.g., skewing the order of rollover for
       different peers by a few minutes to avoid reaching any expiration time). each would be sufficient and
       effective).

   4.  Certificate Revocation: This is an optional step, but SHOULD be
       taken when the goal is to invalidate signatures used updates signed with the OLD
       key.  Reasons to invalidate OLD signatures updates include: when (a) the AS has
       reason to believe that the router signing key has been
       compromised, and when (b) the AS needs to invalidate BGPsec_Path
       attribute signatures used already
       propagated BGPsec updates signed with this the OLD key.  As part of
       the rollover process, a CA MAY decide to revoke the OLD
       certificate by publishing its serial number on the CA's CRL.

       Alternatively, the CA will just let the OLD certificate to expire
       and not revoke it.  This choice will depend on the reasons that
       motivated the rollover process.

   5.  RPKI-Router Protocol Withdrawals: At the expiration of the OLD
       certificate's validation, the RPKI relying parties around the
       globe will need to communicate to their router peers that the OLD
       certificate's public key is not no longer valid (e.g., using the
       RPKI-Router Protocol described in [RFC6810]).
       [I-D.ietf-sidr-rpki-rtr-rfc6810-bis]).  A router's reaction to a
       message indicating withdrawal of a prefix router key in the RPKI-Router
       Protocol SHOULD include the removal of any RIB entry
       that includes a entries (i.e.,
       BGPsec attribute updates) signed with that key and the generation of the correspondent
       corresponding BGP WITHDRAWALs (either implicit or explicit).

   The proposed rollover mechanism will depend on the existence of an
   automatic provisioning process for BGPsec router certificates.  It
   will require a staging mechanism based on the RPKI propagation time of
   around
   (typically a 24 hours, hour period at the time this document was published),
   and it will generate BGPsec_Path attributes for require re-signing all
   prefixes in originated and transited BGPsec
   updates that were previously signed with the router been re-keyed. OLD key.

   The first two steps (New Certificate Publication and Staging Period)
   may happen in advance of the rest of the process.  This will allow a
   network operator to accelerate perform its subsequent key roll-over. roll-over in an
   efficient and timely manner.

   When a new BGPsec router certificate is generated without changing
   its key, steps 3 (Twilight) and 5 (RPKI-Router Protocol Withdrawals)
   SHOULD NOT be executed.

4.  BGPsec router key rollover as a measure against replays replay attacks in BGPsec

   There are two typical generic measures to mitigate replay attacks in
   any protocol: the addition of a timestamp or the addition of a serial
   number.  However  However, neither BGP nor BGPsec provide either measure.  The
   timestamp approach was originally proposed for BGPsec
   [I-D.sriram-replay-protection-design-discussion] but later dropped in
   favor of the key rollover approach.  This section discusses the use
   of BGPsec Rollover using a key roll-over as a measure to mitigate replay attacks.

4.1.  BGPsec Replay attack  BGP UPDATE window of exposure requirement

   In [RFC7353] Section 4.3, the

   The need to limit the vulnerability to replay attacks is described. described in
   [RFC7353] Section 4.3.  One important comment is that during a window
   of exposure, a replay attack is effective only in very specific
   circumstances: there is a downstream topology change that makes the
   signed AS path no longer current, and the topology change makes the
   replayed route preferable to the route associated with the new
   update.  In particular, if there have been is no topology change at all, then
   no security threat comes from a replay of a BGPsec_Path
   attribute BGPsec update because the
   signed information is still valid.

   The BGPsec Ops Operational Considerations document
   [I-D.ietf-sidr-bgpsec-ops] gives some idea of requirements for the
   size of the BGPsec windows window of exposure to replay attacks.  It states that the
   requirement will be in the order of a day or longer.

4.2.  BGPsec key rollover as a mechanism to protect against replay
      attacks

   Since the window requirement is in on the order of a day (as documented
   in [I-D.ietf-sidr-bgpsec-ops]) and the BGP speaker re-keying performing re-
   keying is the edge router of the origin AS, it is feasible for a BGPsec Rollover to use key
   rollover to mitigate replays.  In this case it is important to
   complete the full process (i.e. the OLD and NEW certificate certificates do not
   share the same key).  By re-keying re-keying, an AS is letting the BGPsec
   router certificate validation time be a type of "timestamp" against to
   mitigate replay attacks.  However, the use of frequent key rollovers
   comes with an additional administrative cost and risks if the process
   fails.  As documented before, re-keying should be supported by
   automatic tools tools, and for the great majority of the Internet it will
   be done with good lead time to correct any risk. ensure that the public key
   corresponding to the NEW router certificate will be available to
   validate the corresponding BGPsec updates when received.

   For a transit AS that also originates BGPsec_Path attributes BGPsec updates for its own
   prefixes, the key rollover process may generate a large number of
   UPDATE messages (even the complete Default Free Zone or DFZ).  For
   this reason, it is recommended that routers in a transit AS that also
   originate BGPsec_Path attributes BGPsec updates be provisioned with two certificates: one to
   sign BGPsec_Path attributes BGPsec updates in transit and a second one to sign an BGPsec_Path attribute BGPsec
   updates for prefixes originated
   in from its AS.  Only the second
   certificate (for prefixes originated in
   its AS) originating prefixes) should be rolled-over
   frequently as a means of limiting replay attack windows.  The transit BGPsec router
   certificate used for signing updates in transit is expected to live
   longer than the origin BGPsec certificate.

   Advantage of Re-keying as replay attack protection mechanism: one used for signing origination updates.

   Advantages to re-keying as replay attack protection mechanism are as
   follows:

   1.  All expiration policies are maintained in the RPKI RPKI.

   2.  Much of the additional administrative cost is paid by the
       provider that wants to protect its infrastructure, as it bears
       the human cost of creating and initiating distribution of new router
       key pairs and BGPsec router EE certificates.  (It is true that the
       cost of relying parties will be affected by the new objects, but
       their responses should be completely automated or otherwise
       routine.)

   3.  The re-keying can be implemented in coordination with planned
       topology changes by either origin ASes or transit ASes (e.g., if
       an AS changes providers, it completes a BGP Rollover)

   Disadvantage of key rollover).

   Disadvantages to Re-keying as replay attack protection mechanism: mechanism are
   as follows:

   1.  There is more  Frequent rollovers add administrative load due to frequent rollover, and BGP processing loads,
       although how frequent the required frequency is still not clear.  Some initial ideas
       are found in [I-D.ietf-sidr-bgpsec-ops] [I-D.ietf-sidr-bgpsec-ops].

   2.  The minimum window size replay vulnerability is bounded by the propagation
       time for RPKI caches to obtain the new certificate and CRL (2x
       propagation
       time). time because first the NEW certificate and then the
       CRL need to propagate through the RPKI system).  If provisioning
       is done ahead of time, the minimum replay vulnerability window
       size is reduced to 1x propagation time for (i.e., propagation of the CRL.
       CRL).  However, these bounds will be better understood when RPKI
       and RPs are well
       deployed. deployed, as well as the propagation time for
       objects in the RPKI is better understood.

   3.  Re-keying increases the dynamics and size of the RPKI repository.

5.  IANA Considerations

   There are no IANA considerations.  This section may be removed upon
   publication.

6.  Security Considerations

   Several possible reasons can cause routers

   This document does not contain a protocol update to either the RPKI
   or BGPsec.  It describes a process for managing BGPsec router
   certificates within the RPKI.

   Routers participating in BGPsec will need to rollover their signing keys, which
   keys as part of conventional certificate management processes.
   However, because rolling over signing keys will also has the have an effect
   of invalidating BGPsec_Path attributes signatures using BGPsec updates signatures, the current
   signature verification key.  Conventional key management operations
   my dicate a re-key (e.g.,key exposure, change of certificate
   attributes, rollover policy).  BGPsec routers also may need process must
   be carefully orchestrated to change
   their signing keys and associated certificate as an anti-replay
   protection.

   The ensure that valid BGPsec Rollover updates are not
   treated as invalid.  This situation could affect Internet routing.
   This document describes a safe method allows for an expedient rollover process
   when rolling over BGPsec router certificates are distributed through
   certificates.  It takes into account both normal and emergency key
   rollover requirements.

   Additionally, the key rollover method described in this document can
   be used as a measure to mitigate BGP update replay attacks, in which
   an entity in the RPKI, but
   without causing routing failures due system is suppressing current BGPsec updates
   and replaying withdrawn updates.  When the key used to sign the
   withdrawn updates has been rolled over, the withdrawn updates will be
   considered invalid.  When certificates containing a receiving router not being
   able new public key
   are provisioning ahead of time, the minimum replay vulnerability
   window size is reduced to validate a BGPsec_Path attribute created by the propagation time of a router that is CRL invalidating
   the subject certificate containing an old public key.  For a discussion of
   the rollover. difficulties deploying a more effectual replay protection
   mechanism for BGPSEC, see
   [I-D.sriram-replay-protection-design-discussion].

7.  Acknowledgements

   We would like to acknowledge

   Randy Bush, Sriram Kotikalapudi, Kotikalapudi Sriram, Stephen Kent and Sandy Murphy. Murphy each
   provided valuable suggestions resulting in an improved document.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

8.2.  Informative References

   [I-D.ietf-sidr-bgpsec-ops]
              Bush, R., "BGPsec Operational Considerations", draft-ietf-
              sidr-bgpsec-ops-16 (work in progress), January 2017.

   [I-D.ietf-sidr-bgpsec-protocol]
              Lepinski, M. and K. Sriram, "BGPsec Protocol
              Specification", draft-ietf-sidr-bgpsec-protocol-22 draft-ietf-sidr-bgpsec-protocol-23 (work
              in progress), January April 2017.

   [I-D.ietf-sidr-rpki-rtr-rfc6810-bis]
              Bush, R. and R. Austein, "The Resource Public Key
              Infrastructure (RPKI) to Router Protocol, Version 1",
              draft-ietf-sidr-rpki-rtr-rfc6810-bis-09 (work in
              progress), February 2017.

   [I-D.ietf-sidr-rtr-keying]
              Bush, R., Turner, S., and K. Patel, "Router Keying for
              BGPsec", draft-ietf-sidr-rtr-keying-12 draft-ietf-sidr-rtr-keying-13 (work in progress),
              April 2017.

   [I-D.sriram-replay-protection-design-discussion]
              Sriram, K. and D. Montgomery, "Design Discussion and
              Comparison of Protection Mechanisms for Replay Attack and
              Withdrawal Suppression in BGPsec", draft-sriram-replay-
              protection-design-discussion-08 (work in progress),
              June 2016. April
              2017.

   [RFC6489]  Huston, G., Michaelson, G., and S. Kent, "Certification
              Authority (CA) Key Rollover in the Resource Public Key
              Infrastructure (RPKI)", BCP 174, RFC 6489,
              DOI 10.17487/RFC6489, February 2012,
              <http://www.rfc-editor.org/info/rfc6489>.

   [RFC6810]  Bush, R. and R. Austein, "The Resource Public Key
              Infrastructure (RPKI) to Router Protocol", RFC 6810,
              DOI 10.17487/RFC6810, January 2013,
              <http://www.rfc-editor.org/info/rfc6810>.

   [RFC7030]  Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed.,
              "Enrollment over Secure Transport", RFC 7030,
              DOI 10.17487/RFC7030, October 2013,
              <http://www.rfc-editor.org/info/rfc7030>.

   [RFC7353]  Bellovin, S., Bush, R., and D. Ward, "Security
              Requirements for BGP Path Validation", RFC 7353,
              DOI 10.17487/RFC7353, August 2014,
              <http://www.rfc-editor.org/info/rfc7353>.

Authors' Addresses

   Brian Weis
   Cisco Systems
   170 W. Tasman Drive
   San Jose, CA  95134
   CA
   US

   Email: bew@cisco.com

   Roque Gagliano
   Cisco Systems
   Avenue des Uttins 5
   Rolle, VD  1180
   Switzerland

   Email: rogaglia@cisco.com

   Keyur Patel
   Arrcus, Inc.

   Email: keyur@arrcus.com