RPKI Validation Reconsidered
draft-ietf-sidr-rpki-validation-reconsidered-08

Document Type Active Internet-Draft (sidr WG)
Last updated 2017-08-15 (latest revision 2017-06-26)
Replaces draft-huston-rpki-validation
Stream IETF
Intended RFC status Proposed Standard
Formats plain text xml pdf html bibtex
Reviews TSVART will not review this version
Stream WG state Submitted to IESG for Publication
Document shepherd Chris Morrow
Shepherd write-up Show (last changed 2016-10-26)
IESG IESG state Waiting for Writeup
Consensus Boilerplate Yes
Telechat date On agenda of 2017-08-31 IESG telechat
Responsible AD Alvaro Retana
Send notices to "Chris Morrow" <morrowc@ops-netman.net>, aretana@cisco.com
IANA IANA review state IANA - Not OK
IANA action state None
Network Working Group                                          G. Huston
Internet-Draft                                             G. Michaelson
Intended status: Standards Track                                   APNIC
Expires: December 27, 2017                                   C. Martinez
                                                                  LACNIC
                                                          T. Bruijnzeels
                                                                RIPE NCC
                                                               A. Newton
                                                                    ARIN
                                                                 D. Shaw
                                                                 AFRINIC
                                                           June 25, 2017

                      RPKI Validation Reconsidered
            draft-ietf-sidr-rpki-validation-reconsidered-08

Abstract

   This document specifies an alternative to the certificate validation
   procedure specified in RFC 6487 that reduces aspects of operational
   fragility in the management of certificates in the RPKI, while
   retaining essential security features.

   The use of this updated procedure is signalled by form of a set of
   alternative Object Identifiers (OIDs) indicating that the alternative
   version of RFC 3779 X.509 Extensions for IP Addresses and AS
   Identifiers, and certificate policy for the Resource Public Key
   Infrastructure (RFC 6484) defined in this document should be used.

   Furthermore this document provides an alternative to ROA (RFC 6482),
   and BGPSec Router Certificate (BGPSec PKI Profiles - publication
   requested) validation.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

Huston, et al.          Expires December 27, 2017               [Page 1]
Internet-Draft               RPKI Validation                   June 2017

   This Internet-Draft will expire on December 27, 2017.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Requirements notation . . . . . . . . . . . . . . . . . . . .   3
   2.  Certificate Validation in the RPKI  . . . . . . . . . . . . .   3
   3.  Operational Considerations  . . . . . . . . . . . . . . . . .   4
   4.  An Amended RPKI Certification Validation Process  . . . . . .   5
     4.1.  Verified Resource Sets  . . . . . . . . . . . . . . . . .   5
     4.2.  Differences with existing standards . . . . . . . . . . .   5
       4.2.1.  Certificate Policy (CP) for use with validation
               reconsidered in the Resource PKI (RPKI) . . . . . . .   5
       4.2.2.  An alternative to RFC3779 X.509 Extensions for IP
               Addresses and AS Identifiers  . . . . . . . . . . . .   6
       4.2.3.  Addendum to RFC6268 . . . . . . . . . . . . . . . . .  11
       4.2.4.  An alternative to RFC6487 Profile for X.509 PKIX
               Resource Certificates . . . . . . . . . . . . . . . .  13
       4.2.5.  An alternative ROA validation RFC6482 . . . . . . . .  16
       4.2.6.  An alternative to BGPSec Router Certificate
               Validation  . . . . . . . . . . . . . . . . . . . . .  17
     4.3.  An example  . . . . . . . . . . . . . . . . . . . . . . .  17
   5.  Deployment Considerations . . . . . . . . . . . . . . . . . .  19
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  19
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  19
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  20
Show full document text