draft-ietf-sidrops-rtr-keying-03.txt   draft-ietf-sidrops-rtr-keying-04.txt 
Network Working Group R. Bush Network Working Group R. Bush
Internet-Draft IIJ Lab / Dragon Research Lab Internet-Draft IIJ Lab / Dragon Research Lab
Intended status: Best Current Practice S. Turner Intended status: Best Current Practice S. Turner
Expires: July 20, 2019 sn3rd Expires: August 31, 2019 sn3rd
K. Patel K. Patel
Arrcus, Inc. Arrcus, Inc.
January 16, 2019 February 27, 2019
Router Keying for BGPsec Router Keying for BGPsec
draft-ietf-sidrops-rtr-keying-03 draft-ietf-sidrops-rtr-keying-04
Abstract Abstract
BGPsec-speaking routers are provisioned with private keys in order to BGPsec-speaking routers are provisioned with private keys in order to
sign BGPsec announcements. The corresponding public keys are sign BGPsec announcements. The corresponding public keys are
published in the global Resource Public Key Infrastructure, enabling published in the global Resource Public Key Infrastructure, enabling
verification of BGPsec messages. This document describes two methods verification of BGPsec messages. This document describes two methods
of generating the public-private key-pairs: router-driven and of generating the public-private key-pairs: router-driven and
operator-driven. operator-driven.
skipping to change at page 2, line 23 skipping to change at page 2, line 23
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Management / Router Communication . . . . . . . . . . . . . . 3 2. Management / Router Communication . . . . . . . . . . . . . . 4
3. Exchange Certificates . . . . . . . . . . . . . . . . . . . . 4 3. Exchange Certificates . . . . . . . . . . . . . . . . . . . . 4
4. Set-Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 4. Set-Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
5. Generate PKCS#10 . . . . . . . . . . . . . . . . . . . . . . . 4 5. Generate PKCS#10 . . . . . . . . . . . . . . . . . . . . . . . 5
5.1. Router-Generated Keys . . . . . . . . . . . . . . . . . . 5 5.1. Router-Generated Keys . . . . . . . . . . . . . . . . . . 5
5.2. Operator-Generated Keys . . . . . . . . . . . . . . . . . 5 5.2. Operator-Generated Keys . . . . . . . . . . . . . . . . . 6
5.2.1. Using PKCS#8 to Transfer Private Key . . . . . . . . . 5 5.2.1. Using PKCS#8 to Transfer Private Key . . . . . . . . . 6
6. Send PKCS#10 and Receive PKCS#7 . . . . . . . . . . . . . . . 6 6. Send PKCS#10 and Receive PKCS#7 . . . . . . . . . . . . . . . 7
7. Install Certificate . . . . . . . . . . . . . . . . . . . . . 6 7. Install Certificate . . . . . . . . . . . . . . . . . . . . . 7
8. Advanced Deployment Scenarios . . . . . . . . . . . . . . . . 7 8. Advanced Deployment Scenarios . . . . . . . . . . . . . . . . 8
9. Key Management . . . . . . . . . . . . . . . . . . . . . . . . 8 9. Key Management . . . . . . . . . . . . . . . . . . . . . . . . 9
9.1. Key Validity . . . . . . . . . . . . . . . . . . . . . . . 8 9.1. Key Validity . . . . . . . . . . . . . . . . . . . . . . . 9
9.2. Key Roll-Over . . . . . . . . . . . . . . . . . . . . . . 9 9.2. Key Roll-Over . . . . . . . . . . . . . . . . . . . . . . 10
9.3. Key Revocation . . . . . . . . . . . . . . . . . . . . . . 9 9.3. Key Revocation . . . . . . . . . . . . . . . . . . . . . . 10
9.4. Router Replacement . . . . . . . . . . . . . . . . . . . . 10 9.4. Router Replacement . . . . . . . . . . . . . . . . . . . . 11
10. Security Considerations . . . . . . . . . . . . . . . . . . . 10 10. Security Considerations . . . . . . . . . . . . . . . . . . . 11
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
12.1. Normative References . . . . . . . . . . . . . . . . . . 12 12.1. Normative References . . . . . . . . . . . . . . . . . . 13
12.1. Informative References . . . . . . . . . . . . . . . . . 13 12.1. Informative References . . . . . . . . . . . . . . . . . 14
Appendix A. Management/Router Channel Security . . . . . . . . . 14 Appendix A. Management/Router Channel Security . . . . . . . . . 15
Appendix B. The n00b Guide to BGPsec Key Management . . . . . . . 15 Appendix B. The n00b Guide to BGPsec Key Management . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 18 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 19
1. Introduction 1. Introduction
BGPsec-speaking routers are provisioned with private keys, which BGPsec-speaking routers are provisioned with private keys, which
allow them to digitally sign BGPsec announcements. To verify the allow them to digitally sign BGPsec announcements. To verify the
signature, the public key, in the form of a certificate [RFC8209], is signature, the public key, in the form of a certificate [RFC8209], is
published in the Resource Public Key Infrastructure (RPKI). This published in the Resource Public Key Infrastructure (RPKI). This
document describes provisioning of BGPsec-speaking routers with the document describes provisioning of BGPsec-speaking routers with the
appropriate public-private key-pairs. There are two methods, router- appropriate public-private key-pairs. There are two methods, router-
driven and operator-driven. driven and operator-driven.
These two methods differ in where the keys are generated: on the These two methods differ in where the keys are generated: on the
router in the router-driven method, and elsewhere in the router in the router-driven method, and elsewhere in the
operator-driven method. Routers are required to support at least one operator-driven method. Routers are required to support at least one
of the methods in order to work in various deployment environments. of the methods in order to work in various deployment environments.
Some routers may not allow the private key to be off-loaded while Some routers may not allow the private key to be exported while
others may. While off-loading private keys would ease swapping of others may. While exporting private keys would ease swapping of
routing engines, exposure of private keys is a well known security routing engines, exposure of private keys is a well known security
risk. risk.
In the operator-driven method, the operator generates the In the operator-driven method, the operator generates the
private/public key-pair and sends it to the router. private/public key-pair and sends it to the router.
In the router-driven method, the router generates its own In the router-driven method, the router generates its own
public/private key-pair. public/private key-pair.
The router-driven method mirrors the model used by traditional PKI The router-driven method mirrors the model used by traditional PKI
subscribers; the private key never leaves trusted storage (e.g., subscribers; the private key never leaves trusted storage (e.g.,
Hardware Security Module). This is by design and supports classic Hardware Security Module). This is by design and supports classic
PKI Certification Policies for (often human) subscribers which PKI Certification Policies for (often human) subscribers which
require the private key only ever be controlled by the subscriber to require the private key only ever be controlled by the subscriber to
ensure that no one can impersonate the subscriber. For non-humans, ensure that no one can impersonate the subscriber. For non-humans,
this method does not always work. For example, when an operator this method does not always work. The operator-driven model is
wants to support hot-swappable routers, the same private key needs to motivated by the extreme importance placed on ensuring the continued
be installed in the soon-to-be online router that was used by the the operation of the network. In some deployments, the same private key
soon-to-be offline router. This motivated the operator-driven needs to be installed in the soon-to-be online router that was used
method. by the soon-to-be offline router, since this "hot-swapping" behavior
can result in minimal downtime, especially compared with the normal
RPKI procedures to propagate a new key, which can take a day or
longer to converge.
For example, when an operator wants to support hot-swappable routers,
the same private key needs to be installed in the soon-to-be online
router that was used by the soon-to-be offline router. This
motivated the operator-driven method.
Sections 2 through 7 describe the various steps involved for an Sections 2 through 7 describe the various steps involved for an
operator to use the two methods to provision new and existing operator to use the two methods to provision new and existing
routers. The methods described involve the operator configuring the routers. The methods described involve the operator configuring the
two end points (i.e., the management station and the router) and two end points (i.e., the management station and the router) and
acting as the intermediary. Section 8 describes another method that acting as the intermediary. Section 8 describes another method that
requires more capable routers. requires more capable routers.
Useful References: [RFC8205] describes gritty details, [RFC8209] Useful References: [RFC8205] describes details of BGPsec, [RFC8209]
specifies the format for the PKCS#10 certification request, and specifies the format for the PKCS#10 certification request, and
[RFC8208] specifies the algorithms used to generate the PKCS#10's [RFC8208] specifies the algorithms used to generate the PKCS#10
signature. signature.
2. Management / Router Communication 2. Management / Router Communication
Operators are free to use either the router-driven or operator-driven Operators are free to use either the router-driven or operator-driven
method as supported by the platform. Regardless of the method method as supported by the platform. Prudent security practice
chosen, operators first establish a protected channel between the recommends router-generated keying, if the delay in replacing a
management system and the router. How this protected channel is router (or router engine) is acceptable to the operator. Regardless
of the method chosen, operators first establish a protected channel
between the management system and the router; this protected channel
prevents eavesdropping, tampering, and message forgery as well as
provides mutual authentication. How this protected channel is
established is router-specific and is beyond scope of this document. established is router-specific and is beyond scope of this document.
Though other configuration mechanisms might be used, e.g. NetConf Though other configuration mechanisms might be used, e.g. NETCONF
(see [RFC6470]), the protected the protected channel between the (see [RFC6470]), the protected channel used between the management
management platform and the router is assumed to be an SSH-protected platform and the router is assumed to be an SSH-protected CLI. See
CLI. See Appendix A for security considerations for this protected Appendix A for security considerations for this protected channel.
channel.
The previous paragraph assumes the management system-to-router
communications are over a network. When the management system has a
direct physical connection to the router, e.g., via the craft port,
there is no assumption that there is a protected channel between the
two.
3. Exchange Certificates 3. Exchange Certificates
A number of options exist for the operator management station to A number of options exist for the operator management station to
exchange PKI-related information with routers and with the RPKI exchange PKI-related information with routers and with the RPKI
including: including:
- Using application/pkcs10 media type [RFC5967] to extract - Using application/pkcs10 media type [RFC5967] to extract
certificate requests and application/pkcs7-mime [I-D.lamps-rfc5751- certificate requests and application/pkcs7-mime [I-D.lamps-rfc5751-
bis] to return the issued certificate, bis] to return the issued certificate,
- Using FTP or HTTP per [RFC2585], and - Using FTP or HTTP per [RFC2585], and
- Using Enrollment over Secure Transport (EST) protocol per - Using Enrollment over Secure Transport (EST) protocol per
[RFC7030]. [RFC7030].
Despite the fact that Certificates are integrity-protected and do not
necessarily need additional protection, transports that also provide
integrity protection are RECOMMENDED.
4. Set-Up 4. Set-Up
To start, the operator uses the protected channel to install the To start, the operator uses the protected channel to install the
appropriate RPKI Trust Anchor's Certificate (TA Cert) in the router. appropriate RPKI Trust Anchor's Certificate (TA Cert) in the router.
This will later enable the router to validate the router certificate This will later enable the router to validate the router certificate
returned in the PKCS#7 certs-only message [I-D.lamps-rfc5751-bis]. returned in the PKCS#7 certs-only message [I-D.lamps-rfc5751-bis].
The operator also configures the Autonomous System (AS) number to be The operator configures the Autonomous System (AS) number to be used
used in the generated router certificate. This may be the sole AS in the generated router certificate. This may be the sole AS
configured on the router, or an operator choice if the router is configured on the router, or an operator choice if the router is
configured with multiple ASs. A router with multiple ASs can be configured with multiple ASs. A router with multiple ASs can be
configured with multiple router certificates by following the process configured with multiple router certificates by following the process
of this document for each desired certificate. of this document for each desired certificate. This configured AS
number is also used during verification of keys, if generated by the
operator (see Section 5.2), as well as during certificate
verification steps (see Sections 6, 7, and 8).
The operator configures or extracts from the router the BGP The operator configures or extracts from the router the BGP
Identifier [RFC4271] to be used in the generated router certificate. Identifier [RFC6286] to be used in the generated router certificate.
In the case where the operator has chosen not to use unique In the case where the operator has chosen not to use unique
per-router certificates, a BGP Identifier of 0 MAY be used. per-router certificates, a BGP Identifier of 0 MAY be used.
The operator configures the router's access control mechanism to
ensure that only authorized users are able to later access the
router's configuration.
5. Generate PKCS#10 5. Generate PKCS#10
The private key, and hence the PKCS#10 certification request, which The private key, and hence the PKCS#10 certification request, which
is sometimes referred to as a Certificate Signing Request (CSR), may is sometimes referred to as a Certificate Signing Request (CSR), may
be generated by the router or by the operator. be generated by the router or by the operator.
The PKCS#10 request SHOULD be saved to enable verifying that the Retaining the CSR allows for verifying that the returned public key
returned public key in the certificate corresponds to the private in the certificate corresponds to the private key used to generate
used to generate the signature on the CSR. the signature on the CSR.
NOTE: The PKCS#10 certification request does not include the AS NOTE: The PKCS#10 certification request does not include the AS
number or the BGP Identifier for the router certificate. Therefore, number or the BGP Identifier for the router certificate. Therefore,
the operator transmits the AS it has chosen on the router and the BGP the operator transmits the AS it has chosen on the router and the BGP
Identifier as well when it sends the CSR to the CA. Identifier as well when it sends the CSR to the CA.
5.1. Router-Generated Keys 5.1. Router-Generated Keys
In the router-generated method, once the protected channel is In the router-generated method, once the protected channel is
established and the initial Set-Up (Section 4) performed, the established and the initial Set-Up (Section 4) performed, the
operator issues a command or commands for the router to generate the operator issues a command or commands for the router to generate the
public/private key pair, to generate the PKCS#10 certification public/private key pair, to generate the PKCS#10 certification
request, and to sign the PKCS#10 certification request with the request, and to sign the PKCS#10 certification request with the
private key. Once the router has generated the PKCS#10 certification private key. Once the router has generated the PKCS#10 certification
request, it returns it to the operator over the protected channel. request, it returns it to the operator over the protected channel.
The operator includes the chosen AS number and the BGP Identifier The operator includes the chosen AS number and the BGP Identifier
when it sends the CSR to the CA. when it sends the CSR to the CA.
NOTE: If a router were to communicate directly with a CA to have the Even if the operator cannot extract the private key from the router,
CA certify the PKCS#10 certification request, there would be no way this signature still provides a linkage between a private key and a
for the CA to authenticate the router. As the operator knows the router. That is, the operator can verify the proof of possession
(POP), as required by [RFC6484].
NOTE: The CA needs to know that the router-generated CSR is
authorized. The easiest way to accomplish this for the operator to
mediate the communication with the CA. Other workflows are possible,
e.g., where the router sends the CSR to the CA but the operator logs
in to the CA independently and is presented with a list of pending
requests to approve. See Section 8 for an additional workflow.
If a router were to communicate directly with a CA to have the CA
certify the PKCS#10 certification request, there would be no way for
the CA to authenticate the router. As the operator knows the
authenticity of the router, the operator mediates the communication authenticity of the router, the operator mediates the communication
with the CA. with the CA.
5.2. Operator-Generated Keys 5.2. Operator-Generated Keys
In the operator-generated method, the operator generates the In the operator-generated method, the operator generates the
public/private key pair on a management station and installs the public/private key pair on a management station and installs the
private key into the router over the protected channel. Beware that private key into the router over the protected channel. Beware that
experience has shown that copy-and-paste from a management station to experience has shown that copy-and-paste from a management station to
a router can be unreliable for long texts. a router can be unreliable for long texts.
The operator then creates and signs the PKCS#10 certification request The operator then creates and signs the PKCS#10 certification request
with the private key; the operator includes the chosen AS number and with the private key; the operator includes the chosen AS number and
the BGP Identifier when it sends the CSR to the CA. the BGP Identifier when it sends the CSR to the CA.
Even if the operator cannot extract the private key from the router,
this signature still provides a linkage between a private key and a
router. That is, the operator can verify the proof of possession
(POP), as required by [RFC6484].
5.2.1. Using PKCS#8 to Transfer Private Key 5.2.1. Using PKCS#8 to Transfer Private Key
A private key can be encapsulated in a PKCS#8 Asymmetric Key Package A private key can be encapsulated in a PKCS#8 Asymmetric Key Package
[RFC5958] and SHOULD be further encapsulated in Cryptographic Message
[RFC5958] and should be further encapsulated in Cryptographic Message
Syntax (CMS) SignedData [RFC5652] and signed with the operators's End Syntax (CMS) SignedData [RFC5652] and signed with the operators's End
Entity (EE) private key. Entity (EE) private key.
The router SHOULD verify the signature of the encapsulated PKCS#8 to The router SHOULD verify the signature of the encapsulated PKCS#8 to
ensure the returned private key did in fact come from the operator, ensure the returned private key did in fact come from the operator,
but this requires that the operator also provision via the CLI or but this requires that the operator also provision via the CLI or
include in the SignedData the RPKI CA certificate and relevant include in the SignedData the RPKI CA certificate and relevant
operator's EE certificate(s). The router should inform the operator operator's EE certificate(s). The router SHOULD inform the operator
whether or not the signature validates to a trust anchor; this whether or not the signature validates to a trust anchor; this
notification mechanism is out of scope. notification mechanism is out of scope.
6. Send PKCS#10 and Receive PKCS#7 6. Send PKCS#10 and Receive PKCS#7
The operator uses RPKI management tools to communicate with the The operator uses RPKI management tools to communicate with the
global RPKI system to have the appropriate CA validate the PKCS#10 global RPKI system to have the appropriate CA validate the PKCS#10
certification request, sign the key in the PKCS#10 (i.e., certify it) certification request, sign the key in the PKCS#10 (i.e., certify it)
and generate a PKCS#7 certs-only message, as well as publishing the and generate a PKCS#7 certs-only message, as well as publishing the
certificate in the Global RPKI. External network connectivity may be certificate in the Global RPKI. External network connectivity may be
skipping to change at page 6, line 41 skipping to change at page 7, line 29
Global RPKI. Global RPKI.
2. Returns the certificate to the operator's management station, 2. Returns the certificate to the operator's management station,
packaged in a PKCS#7 certs-only message, using the corresponding packaged in a PKCS#7 certs-only message, using the corresponding
method by which it received the certificate request. It SHOULD method by which it received the certificate request. It SHOULD
include the certificate chain below the TA Certificate so that include the certificate chain below the TA Certificate so that
the router can validate the router certificate. the router can validate the router certificate.
In the operator-generated method, the operator SHOULD extract the In the operator-generated method, the operator SHOULD extract the
certificate from the PKCS#7 certs-only message, and verify that the certificate from the PKCS#7 certs-only message, and verify that the
private key it holds corresponds to the returned public key. If the public key the operator holds corresponds to the returned public key
operator saved the PKCS#10 it can check this correspondence by in the PKCS#7 certs-only message. If the operator saved the PKCS#10
comparing the public key in the CSR to the public key in the returned it can check this correspondence by comparing the public key in the
certificate. If the operator has not saved the PKCS#10, it can check CSR to the public key in the returned certificate. If the operator
this correspondence by generating a signature on any data and then has not saved the PKCS#10, it can check this correspondence by
verifying the signature using the returned certificate. regenerating the public key from the private key and then verifying
that the regenerated public key matches the public key returned in
the certificate.
In the operator-generated method, the operator has already installed In the operator-generated method, the operator has already installed
the private key in the router (see Section 5.2). the private key in the router (see Section 5.2).
7. Install Certificate 7. Install Certificate
The operator provisions the PKCS#7 certs-only message into the router The operator provisions the PKCS#7 certs-only message into the router
over the protected channel. over the protected channel.
The router SHOULD extract the certificate from the PKCS#7 certs-only The router SHOULD extract the certificate from the PKCS#7 certs-only
message and verify that the public key corresponds to the stored message and verify that the public key corresponds to the stored
private key. If the router stored the PKCS#10, it can check this private key. If the router stored the PKCS#10, it can check this
correspondence by comparing the public key in the CSR to the public correspondence by comparing the public key in the CSR to the public
key in the returned certificate. If the router did not store the key in the returned certificate. If the router did not store the
PKCS#10, it can check this correspondence by generating a signature PKCS#10, it can check this correspondence by generating a signature
on any data and then verifying the signature using the returned on any data and then verifying the signature using the returned
skipping to change at page 7, line 34 skipping to change at page 8, line 24
inform the operator whether or not the signature validates to a trust inform the operator whether or not the signature validates to a trust
anchor; this notification mechanism is out of scope. anchor; this notification mechanism is out of scope.
NOTE: The signature on the PKCS#8 and Certificate need not be made by NOTE: The signature on the PKCS#8 and Certificate need not be made by
the same entity. Signing the PKCS#8 permits more advanced the same entity. Signing the PKCS#8 permits more advanced
configurations where the entity that generates the keys is not the configurations where the entity that generates the keys is not the
direct CA. direct CA.
8. Advanced Deployment Scenarios 8. Advanced Deployment Scenarios
More PKI-capable routers can take advantage of this increased More PKI-capable routers can take advantage of increased
functionality and lighten the operator's burden. Typically, these functionality and lighten the operator's burden. Typically, these
routers include either pre-installed manufacturer-generated routers include either pre-installed manufacturer-generated
certificates (e.g., IEEE 802.1 AR [802.1AR]) or pre-installed certificates (e.g., IEEE 802.1 AR [802.1AR]) or pre-installed
manufacturer-generated Pre-Shared Keys (PSK) as well as manufacturer-generated Pre-Shared Keys (PSK) as well as
PKI-enrollment functionality and transport protocol, e.g., CMC's PKI-enrollment functionality and transport protocol, e.g., CMC's
"Secure Transport" [RFC7030] or the original CMC transport protocol's "Secure Transport" [RFC7030] or the original CMC transport protocol's
[RFC5273]. When the operator first establishes a protected channel [RFC5273]. When the operator first establishes a protected channel
between the management system and the router, this pre-installed key between the management system and the router, this pre-installed key
material is used to authenticate the router. material is used to authenticate the router.
skipping to change at page 8, line 15 skipping to change at page 9, line 5
additional information. Authentication material can be additional information. Authentication material can be
communicated to the CA (i.e., CSRs signed by this key material communicated to the CA (i.e., CSRs signed by this key material
are issued certificates with this AS and BGP Identifier) or to are issued certificates with this AS and BGP Identifier) or to
the router (i.e., the operator uses the vendor-supplied the router (i.e., the operator uses the vendor-supplied
management interface to include the AS number and BGP Identifier management interface to include the AS number and BGP Identifier
in the router-generated CSR). in the router-generated CSR).
2. Enabling the router to communicate with the CA. While the 2. Enabling the router to communicate with the CA. While the
router-to-CA communications are operator-initiated, the router-to-CA communications are operator-initiated, the
operator's management interface need not be involved in the operator's management interface need not be involved in the
communications path. Enabling the router-to-CA connectivity MAY communications path. Enabling the router-to-CA connectivity
require connections to external networks (i.e., through requires connections to external networks (i.e., through
firewalls, NATs, etc.). firewalls, NATs, etc.).
3. Ensuring the cryptographic chain of custody from the
manufacturer. For the pre-installed key material, the operator
needs guarantees that either no one has accessed the private key
or an authenticated log of those who have accessed it has been
provided to the operator.
Once configured, the operator can begin the process of enrolling the Once configured, the operator can begin the process of enrolling the
router. Because the router is communicating directly with the CA, router. Because the router is communicating directly with the CA,
there is no need for the operator to retrieve the PKCS#10 there is no need for the operator to retrieve the PKCS#10
certification request from the router as in Section 5 or return the certification request from the router as in Section 5 or return the
PKCS#7 certs-only message to the router as in Section 6. Note that PKCS#7 certs-only message to the router as in Section 6. Note that
the checks performed by the router in Section 7, namely extracting the checks performed by the router in Section 7, namely extracting
the certificate from the PKCS#7 certs-only message, verifying the the certificate from the PKCS#7 certs-only message, verifying the
public key corresponds to the private key, and that the returned public key corresponds to the private key, and that the returned
certificate validated back to an installed trust anchor, SHOULD be certificate validated back to an installed trust anchor, SHOULD be
performed. Likewise, the router SHOULD notify the operator if any of performed. Likewise, the router SHOULD notify the operator if any of
these fail, but this notification mechanism is out of scope. these fail, but this notification mechanism is out of scope.
When a router is so configured, the communication with the CA SHOULD When a router is so configured, the communication with the CA SHOULD
be automatically re-established by the router at future times to be automatically re-established by the router at future times to
renew or rekey the certificate automatically when necessary (See renew the certificate automatically when necessary (See Section 9).
Section 9). This further reduces the tasks required of the operator. This further reduces the tasks required of the operator.
9. Key Management 9. Key Management
Key management does not only include key generation, key Key management does not only include key generation, key
provisioning, certificate issuance, and certificate distribution. It provisioning, certificate issuance, and certificate distribution. It
also includes assurance of key validity, key roll-over, and key also includes assurance of key validity, key roll-over, and key
preservation during router replacement. All of these preservation during router replacement. All of these
responsibilities persist for as long as the operator wishes to responsibilities persist for as long as the operator wishes to
operate the BGPsec-speaking router. operate the BGPsec-speaking router.
skipping to change at page 10, line 32 skipping to change at page 11, line 29
the compromised key, and then make a next generation the compromised key, and then make a next generation
soon-to-be-operational key. Hopefully, all this can be done without soon-to-be-operational key. Hopefully, all this can be done without
needing to take offline or reboot the router. For routers which needing to take offline or reboot the router. For routers which
support only one operational key, the operators should create or support only one operational key, the operators should create or
install the new private key, and then request revocation of the install the new private key, and then request revocation of the
certificate corresponding to the compromised private key. certificate corresponding to the compromised private key.
9.4. Router Replacement 9.4. Router Replacement
Currently routers often generate private keys for uses such as SSH, Currently routers often generate private keys for uses such as SSH,
and the private keys may not be seen or off-loaded from the router. and the private keys may not be seen or exported from the router.
While this is good security, it creates difficulties when a routing While this is good security, it creates difficulties when a routing
engine or whole router must be replaced in the field and all software engine or whole router must be replaced in the field and all software
which accesses the router must be updated with the new keys. Also, which accesses the router must be updated with the new keys. Also,
any network based initial contact with a new routing engine requires any network based initial contact with a new routing engine requires
trust in the public key presented on first contact. trust in the public key presented on first contact.
To allow operators to quickly replace routers without requiring To allow operators to quickly replace routers without requiring
update and distribution of the corresponding public keys in the RPKI, update and distribution of the corresponding public keys in the RPKI,
routers SHOULD allow the private BGPsec key to be inserted via a routers SHOULD allow the private BGPsec key to be inserted via a
protected channel, e.g., SSH, NetConf (see [RFC6470]), SNMP. This protected channel, e.g., SSH, NetConf (see [RFC6470]), SNMP. This
lets the operator escrow the old private key via the mechanism used lets the operator escrow the old private key via the mechanism used
for operator-generated keys, see Section 5.2, such that it can be re- for operator-generated keys, see Section 5.2, such that it can be re-
inserted into a replacement router. The router MAY allow the private inserted into a replacement router. The router MAY allow the private
key to be to be off-loaded via the protected channel, but this SHOULD key to be to be exported via the protected channel after key
be paired with functionality that sets the key into a permanent non- generation, but this SHOULD be paired with functionality that sets
exportable state to ensure that it is not off-loaded at a future time the newly generated key into a permanent non-exportable state to
by unauthorized operations. ensure that it is not exported at a future time by unauthorized
operations.
10. Security Considerations 10. Security Considerations
The router's manual will describe whether the router supports one, The router's manual will describe whether the router supports one,
the other, or both of the key generation options discussed in the the other, or both of the key generation options discussed in the
earlier sections of this draft as well as other important security- earlier sections of this draft as well as other important security-
related information (e.g., how to SSH to the router). After related information (e.g., how to SSH to the router). After
familiarizing one's self with the capabilities of the router, an familiarizing one's self with the capabilities of the router, an
operator is encouraged to ensure that the router is patched with the operator is encouraged to ensure that the router is patched with the
latest software updates available from the manufacturer. latest software updates available from the manufacturer.
This document defines no protocols. So, in some sense, it introduces This document defines no protocols. So, in some sense, it introduces
no new security considerations. However, it relies on many others no new security considerations. However, it relies on many others
skipping to change at page 11, line 41 skipping to change at page 12, line 40
all private keys MUST be protected when at rest in a secure all private keys MUST be protected when at rest in a secure
fashion. Obviously, how each router protects private keys is fashion. Obviously, how each router protects private keys is
implementation specific. Likewise, the local storage format for implementation specific. Likewise, the local storage format for
the private key is just that, a local matter. the private key is just that, a local matter.
Private key protection in transit: Mistakes here are, for all, Private key protection in transit: Mistakes here are, for all,
practical purposes catastrophic because disclosure of the private practical purposes catastrophic because disclosure of the private
key allows another entity to masquerade as (i.e., impersonate) the key allows another entity to masquerade as (i.e., impersonate) the
signer; transport security is therefore strongly RECOMMENDED. The signer; transport security is therefore strongly RECOMMENDED. The
level of security provided by the transport layer's security level of security provided by the transport layer's security
mechanism SHOULD be commensurate with the strength of the BGPsec mechanism SHOULD be at least as good as the strength of the BGPsec
key; there's no point in spending time and energy to generate an key; there's no point in spending time and energy to generate an
excellent public-private key pair and then transmit the private excellent public-private key pair and then transmit the private
key in the clear or with a known-to-be-broken algorithm, as it key in the clear or with a known-to-be-broken algorithm, as it
just undermines trust that the private key has been kept private. just undermines trust that the private key has been kept private.
Additionally, operators SHOULD ensure the transport security Additionally, operators SHOULD ensure the transport security
mechanism is up to date, in order to addresses all known mechanism is up to date, in order to addresses all known
implementation bugs. implementation bugs.
Though the CA's certificate is installed on the router and used to Though the CA's certificate is installed on the router and used to
verify that the returned certificate is in fact signed by the CA, the verify that the returned certificate is in fact signed by the CA, the
skipping to change at page 12, line 41 skipping to change at page 13, line 40
[RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker,
"Randomness Requirements for Security", BCP 106, RFC 4086, "Randomness Requirements for Security", BCP 106, RFC 4086,
DOI 10.17487/RFC4086, June 2005, <https://www.rfc- DOI 10.17487/RFC4086, June 2005, <https://www.rfc-
editor.org/info/rfc4086>. editor.org/info/rfc4086>.
[RFC4253] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) [RFC4253] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253, Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253,
January 2006, <https://www.rfc-editor.org/info/rfc4253>. January 2006, <https://www.rfc-editor.org/info/rfc4253>.
[RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
Border Gateway Protocol 4 (BGP-4)", RFC 4271, DOI
10.17487/RFC4271, January 2006, <https://www.rfc-
editor.org/info/rfc4271>.
[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
RFC 5652, DOI 10.17487/RFC5652, September 2009, RFC 5652, DOI 10.17487/RFC5652, September 2009,
<https://www.rfc-editor.org/info/rfc5652>. <https://www.rfc-editor.org/info/rfc5652>.
[RFC5958] Turner, S., "Asymmetric Key Packages", RFC 5958, DOI [RFC5958] Turner, S., "Asymmetric Key Packages", RFC 5958, DOI
10.17487/RFC5958, August 2010, <https://www.rfc- 10.17487/RFC5958, August 2010, <https://www.rfc-
editor.org/info/rfc5958>. editor.org/info/rfc5958>.
[RFC6286] Chen, E. and J. Yuan, "Autonomous-System-Wide Unique BGP
Identifier for BGP-4", RFC 6286, DOI 10.17487/RFC6286,
June 2011, <https://www.rfc-editor.org/info/rfc6286>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in
RFC 2119 Key Words", BCP 14, RFC 8174, DOI RFC 2119 Key Words", BCP 14, RFC 8174, DOI
10.17487/RFC8174, May 2017, <https://www.rfc- 10.17487/RFC8174, May 2017, <https://www.rfc-
editor.org/info/rfc8174>. editor.org/info/rfc8174>.
[RFC8208] Turner, S. and O. Borchert, "BGPsec Algorithms, Key [RFC8208] Turner, S. and O. Borchert, "BGPsec Algorithms, Key
Formats, and Signature Formats", RFC 8208, DOI Formats, and Signature Formats", RFC 8208, DOI
10.17487/RFC8208, September 2017, <https://www.rfc- 10.17487/RFC8208, September 2017, <https://www.rfc-
editor.org/info/rfc8208>. editor.org/info/rfc8208>.
skipping to change at page 15, line 4 skipping to change at page 15, line 49
Specification", RFC 8205, DOI 10.17487/RFC8205, September Specification", RFC 8205, DOI 10.17487/RFC8205, September
2017, <https://www.rfc-editor.org/info/rfc8205>. 2017, <https://www.rfc-editor.org/info/rfc8205>.
[SP800-57] National Institute of Standards and Technology (NIST), [SP800-57] National Institute of Standards and Technology (NIST),
Special Publication 800-57: Recommendation for Key Special Publication 800-57: Recommendation for Key
Management - Part 1 (Revised), March 2007. Management - Part 1 (Revised), March 2007.
Appendix A. Management/Router Channel Security Appendix A. Management/Router Channel Security
Encryption, integrity, authentication, and key exchange algorithms Encryption, integrity, authentication, and key exchange algorithms
used by the protected channel SHOULD be of equal or greater strength used by the protected channel should be of equal or greater strength
than the BGPsec keys they protect, which for the algorithm specified than the BGPsec keys they protect, which for the algorithm specified
in [RFC8208] is 128-bit; see [RFC5480] and by reference [SP800-57] in [RFC8208] is 128-bit; see [RFC5480] and by reference [SP800-57]
for information about this strength claim as well as [RFC3766] for for information about this strength claim as well as [RFC3766] for
"how to determine the length of an asymmetric key as a function of a "how to determine the length of an asymmetric key as a function of a
symmetric key strength requirement." In other words, for the symmetric key strength requirement." In other words, for the
encryption algorithm, do not use export grade crypto (40-56 bits of encryption algorithm, do not use export grade crypto (40-56 bits of
security), do not use Triple DES (112 bits of security). Suggested security), do not use Triple DES (112 bits of security). Suggested
minimum algorithms would be AES-128: aes128-cbc [RFC4253] and minimum algorithms would be AES-128: aes128-cbc [RFC4253] and
AEAD_AES_128_GCM [RFC5647] for encryption, hmac-sha2-256 [RFC6668] or AEAD_AES_128_GCM [RFC5647] for encryption, hmac-sha2-256 [RFC6668] or
AESAD_AES_128_GCM [RFC5647] for integrity, ecdsa-sha2-nistp256 AESAD_AES_128_GCM [RFC5647] for integrity, ecdsa-sha2-nistp256
skipping to change at page 15, line 30 skipping to change at page 16, line 28
certificates used for BGPsec. The certificates used with SSH should certificates used for BGPsec. The certificates used with SSH should
also enable a level of security commensurate with BGPsec keys; also enable a level of security commensurate with BGPsec keys;
x509v3-ecdsa-sha2-nistp256 [RFC6187] could be used for x509v3-ecdsa-sha2-nistp256 [RFC6187] could be used for
authentication. authentication.
The protected channel must provide confidentiality, authentication, The protected channel must provide confidentiality, authentication,
and integrity and replay protection. and integrity and replay protection.
Appendix B. The n00b Guide to BGPsec Key Management Appendix B. The n00b Guide to BGPsec Key Management
This appendix is informative. It attempts to explain all of the PKI This appendix is informative. It attempts to explain some of the PKI
technobabble in plainer language. lingo in plainer language.
BGPsec speakers send signed BGPsec updates that are verified by other BGPsec speakers send signed BGPsec updates that are verified by other
BGPsec speakers. In PKI parlance, the senders are referred to as BGPsec speakers. In PKI parlance, the senders are referred to as
signers and the receivers are referred to as relying parties. The signers and the receivers are referred to as relying parties. The
signers with which we are concerned here are routers signing BGPsec signers with which we are concerned here are routers signing BGPsec
updates. Signers use private keys to sign and relying parties use updates. Signers use private keys to sign and relying parties use
the corresponding public keys, in the form of X.509 public key the corresponding public keys, in the form of X.509 public key
certificates, to verify signatures. The third party involved is the certificates, to verify signatures. The third party involved is the
entity that issues the X.509 public key certificate, the entity that issues the X.509 public key certificate, the
Certification Authority (CA). Key management is all about making Certification Authority (CA). Key management is all about making
skipping to change at page 16, line 27 skipping to change at page 17, line 25
If you are generating keys on the router (router-driven), then you If you are generating keys on the router (router-driven), then you
will need to access the router. Again, how you access the router is will need to access the router. Again, how you access the router is
router-specific, but generally the DIY approach uses the CLI and router-specific, but generally the DIY approach uses the CLI and
accessing the router either directly via the router's craft port or accessing the router either directly via the router's craft port or
over the network on an administrative interface. If accessing the over the network on an administrative interface. If accessing the
router over the network be sure to do it securely (i.e., use SSHv2). router over the network be sure to do it securely (i.e., use SSHv2).
Once logged into the router, issue a command or a series of commands Once logged into the router, issue a command or a series of commands
that will generate the key pair for the algorithms referenced in the that will generate the key pair for the algorithms referenced in the
main body of this document; consult your router's documentation for main body of this document; consult your router's documentation for
the specific commands. The key generation process will yield the specific commands. The key generation process will yield one or
multiple files: the private key and the public key; the file format more files the private key and the public key; the file format varies
varies depending on the arcane command you issued, but generally the depending on the arcane command you issued, but generally the files
files are DER or PEM-encoded. are DER or PEM-encoded.
The second step is to generate the certification request, which is The second step is to generate the certification request, which is
often referred to as a certificate signing request (CSR) or PKCS#10 often referred to as a certificate signing request (CSR) or PKCS#10
certification request, and to send it to the CA to be signed. To certification request, and to send it to the CA to be signed. To
generate the CSR, you issue some more arcane commands while logged generate the CSR, you issue some more arcane commands while logged
into the router; using the private key just generated to sign the into the router; using the private key just generated to sign the
certification request with the algorithms referenced in the main body certification request with the algorithms referenced in the main body
of this document; the CSR is signed to prove to the CA that the of this document; the CSR is signed to prove to the CA that the
router has possession of the private key (i.e., the signature is the router has possession of the private key (i.e., the signature is the
proof-of-possession). The output of the command is the CSR file; the proof-of-possession). The output of the command is the CSR file; the
skipping to change at page 17, line 11 skipping to change at page 18, line 10
CSR to the CA, is beyond the scope of this document. While you are CSR to the CA, is beyond the scope of this document. While you are
still connected to the router, install the Trust Anchor (TA) for the still connected to the router, install the Trust Anchor (TA) for the
root of the PKI. At this point, you no longer need access to the root of the PKI. At this point, you no longer need access to the
router for BGPsec-related initiation purposes. router for BGPsec-related initiation purposes.
The fourth step is for the CA to issue the certificate based on the The fourth step is for the CA to issue the certificate based on the
CSR you sent; the certificate will include the subject name, serial CSR you sent; the certificate will include the subject name, serial
number, public key, and other fields as well as being signed by the number, public key, and other fields as well as being signed by the
CA. After the CA issues the certificate, the CA returns the CA. After the CA issues the certificate, the CA returns the
certificate, and posts the certificate to the RPKI repository. Check certificate, and posts the certificate to the RPKI repository. Check
that the certificate corresponds to the private key by verifying the that the certificate corresponds to the pubic key contained in the
signature on the CSR sent to the CA; this is just a check to make certificate by verifying the signature on the CSR sent to the CA;
sure that the CA issued a certificate that includes a public key that this is just a check to make sure that the CA issued a certificate
is the pair of the private key (i.e., the math will work when that includes a public key that is the pair of the private key (i.e.,
verifying a signature generated by the private with the returned the math will work when verifying a signature generated by the
certificate). private with the returned certificate).
If generating the keys off-router (operator-driven), then the same If generating the keys off-router (operator-driven), then the same
steps are used as the on-router key generation, (possibly with the steps are used as the on-router key generation, (possibly with the
same arcane commands as those used in the on-router approach), but no same arcane commands as those used in the on-router approach), but no
access to the router is needed the first three steps are done on an access to the router is needed the first three steps are done on an
administrative workstation: o Step 1: Generate key pair; o Step 2: administrative workstation: o Step 1: Generate key pair; o Step 2:
Create CSR and sign CSR with private key, and; o Step 3: Send CSR Create CSR and sign CSR with private key, and; o Step 3: Send CSR
file with the subject name and serial number to CA. file with the subject name and serial number to CA.
After the CA has returned the certificate and you have checked the After the CA has returned the certificate and you have checked the
 End of changes. 38 change blocks. 
94 lines changed or deleted 138 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/