Internet Engineering Task Force (IETF)                         G. Huston
Request for Comments: 6483                                 G. Michaelson
Category: Informational                                            APNIC
ISSN: 2070-1721                                            February 2012

                 Validation of Route Origination Using
      the Resource Certificate Public Key Infrastructure (PKI) and
                   Route Origin Authorizations (ROAs)

Abstract

   This document defines the semantics of a Route Origin Authorization
   (ROA) in the context of applying the Resource Public Key
   Infrastructure to validate the origination of routes advertised in
   the Border Gateway Protocol.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc6483.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Huston & Michaelson           Informational                     [Page 1]
RFC 6483                    Route Validation               February 2012

Table of Contents

   1. Introduction ....................................................2
   2. ROA Validation Outcomes for a Route .............................3
   3. Applying Validation Outcomes to Route Selection .................5
   4. Disavowal of Routing Origination ................................6
   5. Route Validation Lifetime .......................................6
   6. Security Considerations .........................................7
   7. Acknowledgements ................................................7
   8. References ......................................................8
      8.1. Normative References .......................................8
      8.2. Informative References .....................................8

1.  Introduction

   This document defines the semantics of a Route Origin Authorization
   (ROA) in the context of applying the Resource Public Key
   Infrastructure (RPKI) [RFC6480] to validate the origination of routes
   advertised in the Border Gateway Protocol (BGP) [RFC4271].

   The RPKI is based on a hierarchy of resource certificates that are
   aligned to the Internet Number Resource allocation structure.
   Resource certificates are X.509 certificates that conform to the PKIX
   profile [RFC5280], and to the extensions for IP addresses and AS
   identifiers [RFC3779].  A resource certificate describes an action by
   an issuer that binds a list of IP address blocks and Autonomous
   System (AS) numbers to the subject of a certificate, identified by
   the unique association of the subject's private key with the public
   key contained in the resource certificate.  The RPKI is structured
   such that each current resource certificate matches a current
   resource allocation or assignment.  This is further described in
   [RFC6480].

   ROAs are digitally signed objects that bind an address to an AS
   number, and are signed by the address holder.  A ROA provides a means
   of verifying that an IP address block holder has authorized a
   particular AS to originate routes in the inter-domain routing
   environment for that address block.  ROAs are described in [RFC6482].
   ROAs are intended to fit within the requirements for adding security
   to inter-domain routing.

   This document describes the semantic interpretation of a ROA, with
   particular reference to application in inter-domain routing relating
   to the origination of routes, and the intended scope of the authority
   that is conveyed in the ROA.
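   As an added illustration (not code from RFC 6483 or from any RPKI
   implementation), the following applies the origin-validation check the
   introduction describes to a set of constructed ROAs. Each ROA carries the
   prefix, maxLength and AS number of the RFC 6482 ROA format, and the three
   outcome labels (valid, invalid, unknown) are those that Section 2 of this
   RFC defines; the helper names and the sample prefixes are assumptions.

```python
# Added example, not part of RFC 6483: route origin validation of a BGP
# announcement (prefix, origin AS) against a set of ROAs.
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Iterable


@dataclass(frozen=True)
class ROA:
    """The content of one ROA (RFC 6482): prefix, maxLength, origin AS."""
    prefix: str      # address block held by the signer, e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length the AS may originate within it
    asn: int         # AS the address holder authorizes (AS 0 authorizes none)


def _covers(roa: ROA, route: str) -> bool:
    """True if the ROA prefix contains the route prefix (same address family)."""
    rp = ip_network(roa.prefix, strict=False)
    rt = ip_network(route, strict=False)
    return rp.version == rt.version and rt.subnet_of(rp)


def validate_origin(route: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """Return 'valid', 'invalid' or 'unknown' for a (prefix, origin AS) pair.

    unknown: no ROA covers the route prefix, so the RPKI says nothing.
    valid:   at least one covering ROA names this origin AS and the route's
             prefix length does not exceed that ROA's maxLength.
    invalid: ROAs cover the prefix but none authorizes this origin/length
             (this is also the result for a prefix covered only by an AS 0 ROA).
    """
    rt = ip_network(route, strict=False)
    covering = [r for r in roas if _covers(r, route)]
    if not covering:
        return "unknown"
    if any(r.asn == origin_as and rt.prefixlen <= r.max_length for r in covering):
        return "valid"
    return "invalid"


# Constructed sample ROAs using documentation prefixes and private-use ASNs.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
    ROA("198.51.100.0/24", 24, 0),  # disavowal: nobody may originate this block
]

if __name__ == "__main__":
    for route, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                       ("2001:db8:1::/48", 64496), ("198.51.100.0/24", 64496)]:
        print(route, asn, validate_origin(route, asn, SAMPLE_ROAS))
```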
