INTERNET-DRAFT                                               R. Housley
Internet Engineering Task Force (IETF)                   Vigil Security
Intended Status: Standards Track                                T. Polk
Expires: 4 June 2014                                    4 December 2013

          Database of Long-Lived Symmetric Cryptographic Keys

Abstract
This document specifies the information contained in a conceptual
database of long-lived cryptographic keys used by many different
routing protocols for message security. The database is designed to
support both manual and automated key management. In addition to
describing the schema for the database, this document describes the
operations that can be performed on the database as well as the
requirements for the routing protocols that wish to use the database.
In many typical scenarios, the protocols do not directly use the
long-lived key, but rather a key derivation function is used to
derive a short-lived key from a long-lived key.
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
The list of Internet-Draft Shadow Directories can be accessed at
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
1.  Introduction

This document specifies the information that needs to be included in
a database of long-lived cryptographic keys in order to key the
cryptographic authentication of routing protocols. This conceptual
database is designed to separate protocol-specific aspects from both
manual and automated key management. The intent is to allow many
different implementation approaches to the specified cryptographic
key database, while simplifying specification and heterogeneous
deployments. This conceptual database avoids the need to build
knowledge of any security protocol into key management protocols. It
minimizes protocol-specific knowledge in operational/management
interfaces, but it constrains where that knowledge can appear.
Textual conventions are provided for the representation of keys and
other identifiers. These conventions should be used when presenting
keys and identifiers to operational/management interfaces or reading
keys/identifiers from these interfaces. This satisfies the
operational requirement that all implementations represent the keys
and key identifiers in the same way so that cross-vendor
configuration instructions can be provided.
Routing protocols can employ the services of more generic security
protocols such as TCP-AO [RFC5925]. Implementations of routing
protocols may need to supply keys to databases specific to these
security protocols as the associated entries in this document's
conceptual database are manipulated.
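The textual convention for keys described above and the derivation of short-lived keys from a long-lived database entry, as an added example that is not part of this draft or of any implementation it describes. Written in Python; the entry fields, the rule that keys are read and presented as hexadecimal strings, the half-open send/accept lifetimes and the HMAC-based KDF are assumptions chosen for illustration, not the draft's schema or the KDF specified by any particular protocol. The sample entries, peer addresses and timestamps are constructed.

```python
# Added illustration, not part of the draft: a toy model of the conceptual
# key database.  Field names, the hex textual convention and the HMAC-based
# KDF below are assumptions chosen for the example, not the draft's schema.
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_key(text: str) -> bytes:
    """Read a key from an operational interface as an even-length hex string."""
    s = text.strip()
    if s[:2].lower() == "0x":
        s = s[2:]
    if not s or len(s) % 2 or not set(s) <= HEX_DIGITS:
        raise ValueError("key must be a non-empty even-length hexadecimal string")
    return bytes.fromhex(s)


def format_key(key: bytes) -> str:
    """Present a key to an operational interface in the same convention."""
    return key.hex()


def at(iso: str) -> datetime:
    """Constructed timestamps for the sample entries, interpreted as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class KeyEntry:
    local_key_name: str   # identifier carried in protocol messages
    peer: str             # peer (or peer group) this entry applies to
    protocol: str         # routing or security protocol that uses the key
    alg_id: str           # MAC algorithm the key is used with
    key_hex: str          # long-lived key, stored in the hex convention
    send_start: datetime  # lifetimes are half-open intervals [start, end)
    send_end: datetime
    accept_start: datetime
    accept_end: datetime


class KeyDatabase:
    def __init__(self, entries):
        self.entries = list(entries)

    def send_key(self, protocol: str, peer: str, now: datetime) -> KeyEntry:
        """Entry to use when generating a MAC now; exactly one must match."""
        matches = [e for e in self.entries
                   if e.protocol == protocol and e.peer == peer
                   and e.send_start <= now < e.send_end]
        if len(matches) != 1:
            raise LookupError(f"expected one send key, found {len(matches)}")
        return matches[0]

    def accept_key(self, protocol: str, peer: str, key_name: str, now: datetime):
        """Entry for a received message naming key_name, if still acceptable."""
        for e in self.entries:
            if (e.protocol == protocol and e.peer == peer
                    and e.local_key_name == key_name
                    and e.accept_start <= now < e.accept_end):
                return e
        return None


def derive_short_lived_key(entry: KeyEntry, context: bytes, length: int = 32) -> bytes:
    """Short-lived key = HMAC-SHA-256(long-lived key, counter || context), truncated.

    Generic illustration only; each protocol defines its own KDF and context
    (TCP-AO, for instance, binds the derived key to the connection's socket
    pair and initial sequence numbers).
    """
    long_lived = parse_key(entry.key_hex)
    out, counter = b"", 1
    while len(out) < length:
        out += hmac.new(long_lived, bytes([counter]) + context, hashlib.sha256).digest()
        counter += 1
    return out[:length]


# Constructed sample database: key2 replaces key1 on 2013-12-10.  Send
# lifetimes do not overlap; accept lifetimes overlap by a day on each side,
# so messages a slower peer still authenticates with key1 are accepted
# during the rollover but rejected once its accept lifetime ends.
SAMPLE_DB = KeyDatabase([
    KeyEntry("key1", "10.0.0.2", "OSPFv2", "HMAC-SHA-256",
             "0a1b2c3d4e5f60718293a4b5c6d7e8f9",
             at("2013-12-01T00:00"), at("2013-12-10T00:00"),
             at("2013-12-01T00:00"), at("2013-12-11T00:00")),
    KeyEntry("key2", "10.0.0.2", "OSPFv2", "HMAC-SHA-256",
             "ffeeddccbbaa99887766554433221100",
             at("2013-12-10T00:00"), at("2013-12-20T00:00"),
             at("2013-12-09T00:00"), at("2013-12-21T00:00")),
])

if __name__ == "__main__":
    now = at("2013-12-10T12:00")
    e = SAMPLE_DB.send_key("OSPFv2", "10.0.0.2", now)
    print("send with", e.local_key_name, "derived",
          format_key(derive_short_lived_key(e, b"OSPFv2|10.0.0.1|10.0.0.2")))
    print("key1 still accepted:",
          SAMPLE_DB.accept_key("OSPFv2", "10.0.0.2", "key1", now) is not None)
```

The send lookup deliberately fails when zero or more than one entry is eligible, because a sender must pick a single key and an overlap in send lifetimes is a configuration error; the accept lookup, by contrast, is keyed on the identifier the peer put in the message, which is what lets two keys coexist during rollover. Only the long-lived key ever touches the database; protocol code gets the derived short-lived key and its context.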
In many instances, the long-lived keys are not used directly in
security protocols, but rather a key derivation function is used to
derive short-lived keys from the long-lived key in the database. In