Skip to main content

Resource Public Key Infrastructure (RPKI) object profile for Discard Origin Authorizations (DOA)
draft-spaghetti-sidrops-rpki-doa-00

Document Type Active Internet-Draft (individual)
Authors Job Snijders , Mikael Abrahamsson , Ben Maddison
Last updated 2022-03-07
Stream (None)
Intended RFC status (None)
Formats
Additional resources GitHub Repository
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date (None)
Responsible AD (None)
Send notices to (None)
draft-spaghetti-sidrops-rpki-doa-00
Network Working Group                                        J. Snijders
Internet-Draft                                                    Fastly
Intended status: Standards Track                          M. Abrahamsson
Expires: 8 September 2022                                            NTT
                                                             B. Maddison
                                                              Workonline
                                                            7 March 2022

  Resource Public Key Infrastructure (RPKI) object profile for Discard
                      Origin Authorizations (DOA)
                  draft-spaghetti-sidrops-rpki-doa-00

Abstract

   This document defines a Cryptographic Message Syntax (CMS) profile
   for Discard Origin Authorizations (DOAs), for use with the Resource
   Public Key Infrastructure (RPKI).  A DOA is a digitally signed object
   that provides a means of verifying that an IP address block holder
   has authorized an Autonomous System (AS) to originate routes to one
   or more prefixes within the address block tagged with a specific set
   of Border Gateway Protocol (BGP) Communities, to signal a request to
   discard IP traffic destined towards the tagged IP prefix.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 8 September 2022.

Snijders, et al.        Expires 8 September 2022                [Page 1]
Internet-Draft                  RPKI DOA                      March 2022

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  DOA EncapsulatedContentInfo . . . . . . . . . . . . . . . . .   3
     2.1.  ASN.1 Module  . . . . . . . . . . . . . . . . . . . . . .   3
     2.2.  The DOA eContentType  . . . . . . . . . . . . . . . . . .   5
     2.3.  The DOA eContent  . . . . . . . . . . . . . . . . . . . .   5
       2.3.1.  version . . . . . . . . . . . . . . . . . . . . . . .   5
       2.3.2.  ipAddrBlocks  . . . . . . . . . . . . . . . . . . . .   5
       2.3.3.  originAsID  . . . . . . . . . . . . . . . . . . . . .   5
       2.3.4.  peerAsIDs . . . . . . . . . . . . . . . . . . . . . .   6
       2.3.5.  communities . . . . . . . . . . . . . . . . . . . . .   6
   3.  DOA Validation  . . . . . . . . . . . . . . . . . . . . . . .   6
   4.  RPKI-RTR protocol extensions  . . . . . . . . . . . . . . . .   6
   5.  BGP Route Matching  . . . . . . . . . . . . . . . . . . . . .   6
   6.  Route Origin Validation Co-Existance  . . . . . . . . . . . .   7
   7.  Exporting RTBH Routes . . . . . . . . . . . . . . . . . . . .   8
   8.  Operational Considerations  . . . . . . . . . . . . . . . . .   8
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .   8
   10. Implementation status . . . . . . . . . . . . . . . . . . . .   8
   11. IANA Considerations . . . . . . . . . . . . . . . . . . . . .   9
     11.1.  SMI Security for S/MIME CMS Module Identifier
            (1.2.840.113549.1.9.16.0)  . . . . . . . . . . . . . . .   9
     11.2.  SMI Security for S/MIME CMS Content Type
            (1.2.840.113549.1.9.16.1)  . . . . . . . . . . . . . . .   9
     11.3.  RPKI Signed Objects registry . . . . . . . . . . . . . .   9
     11.4.  RPKI Repository Name Schemes registry  . . . . . . . . .  10
     11.5.  Media Types registry . . . . . . . . . . . . . . . . . .  10
   12. References  . . . . . . . . . . . . . . . . . . . . . . . . .  10
     12.1.  Normative References . . . . . . . . . . . . . . . . . .  11
     12.2.  Informative References . . . . . . . . . . . . . . . . .  11
   Appendix A.  Acknowledgements . . . . . . . . . . . . . . . . . .  12
   Appendix B.  Document Changelog . . . . . . . . . . . . . . . . .  12
     B.1.  Individual Submission Phase . . . . . . . . . . . . . . .  12

Snijders, et al.        Expires 8 September 2022                [Page 2]
Internet-Draft                  RPKI DOA                      March 2022

   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  12

1.  Introduction

   Internet operators commonly provide a means for adjacent networks to
   advertise routes in BGP with the intention that traffic matching such
   a route be discarded, rather than being forwarded towards the
   advertising network.  This is referred to as Remotely Triggered
   Blackholing (RTBH), and is typically acheived through the use of a
   BGP Community [RFC1997].  [RFC7999] defines a "well known" community
   value for this purpose.  The route used to signal an RTBH request is
   referred to as an RTBH route.

   Inter-AS RTBH signalling, however, is in tension with the deployment
   of Route Origin Validation (ROV) based on the Resource Public Key
   Infrastructure (RPKI) [RFC6811].  Because a blackhole route is likely
   to have a prefix length greater than permitted in any covering ROA,
   an operator wishing to deploy routing policy to discard BGP paths
   with an ROV status of "Invalid", and simultaneously maintain a
   blackhole signalling service must choose either:

   1.  to exempt blackhole routes from processing based on ROV status,
       thus foregoing the benefit of ROV altogether; or

   2.  to insist that users of the blackhole signalling service create
       ROAs with a sufficiently large "maxLength" values to accomodate
       blackhole routes.

   This document defines a Cryptographic Message Syntax (CMS) [RFC5652]
   profile for Discard Origin Authorizations (DOAs), for use with the
   Resource Public Key Infrastructure (RPKI) [RFC6480], along with
   associated processing rules.

   DOAs can be used to validate whether incoming BGP route announcements
   carrying specific BGP Communities are meant to signify a request to
   discard IP traffic towards the IP destination carried in the BGP
   route.  This enhances the concepts of [RFC3882] and [RFC7999], and
   can co-exist with deployed ROV policy.

2.  DOA EncapsulatedContentInfo

   DOA follows the Signed Object Template for the RPKI [RFC6488].

2.1.  ASN.1 Module

   The following ASN.1 module specifies the encapContentInfo component
   for DOA objects:

Snijders, et al.        Expires 8 September 2022                [Page 3]
Internet-Draft                  RPKI DOA                      March 2022

   RpkiDiscardOriginAuthorization-2021
    { iso(1) member-body(2) us(840) rsadsi(113549)
      pkcs(1) pkcs9(9) smime(16) mod(0) TBD }

   DEFINITIONS EXPLICIT TAGS ::=
   BEGIN

   IMPORTS
    CONTENT-TYPE
    FROM CryptographicMessageSyntax-2010 -- in [RFC6268]
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
        pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) }

    IPAddressOrRange, IPAddressRange, IPAddress, ASId
    FROM IPAddrAndASCertExtn -- in [RFC3779]
      { iso(1) identified-organization(3) dod(6) internet(1)
        security(5) mechanisms(5) pkix(7) mod(0)
        id-mod-ip-addr-and-as-ident(30) } ;

   ct-discardOriginAuthorization CONTENT-TYPE ::=
      { TYPE DiscardOriginAuthorization IDENTIFIED BY
        id-ct-discardOriginAuthorization }

   id-ct-discardOriginAuthorization OBJECT IDENTIFIER ::=
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
        pkcs-9(9) id-smime(16) id-ct(1) TBD }

   DiscardOriginAuthorization ::= SEQUENCE {
      version             [0] INTEGER DEFAULT 0,
      ipAddrBlocks        IPListRange,
      originAsID          ASId,
      peerAsIDs           [1] SEQUENCE SIZE(1..MAX) OF ASId OPTIONAL,
      communities         [2] SEQUENCE SIZE(1..MAX) OF Community
   }

   IPListRange ::= SEQUENCE (SIZE(1..MAX)) OF IPAddressFamilyRange

   IPAddressFamilyRange ::= SEQUENCE {
      addressFamily        OCTET STRING (SIZE(2..3)),
      addressOrRange       IPAddressOrRange,
      prefixLengthRange    PrefixLengthRange OPTIONAL -- if omitted, assume hostroutes
   }

   PrefixLengthRange ::= SEQUENCE {
      minLength            INTEGER,
      maxLength            INTEGER
   }

Snijders, et al.        Expires 8 September 2022                [Page 4]
Internet-Draft                  RPKI DOA                      March 2022

   Community ::= CHOICE {
      bgpCommunity        [0] OCTET STRING (SIZE(4)),
      bgpLargeCommunity   [1] OCTET STRING (SIZE(12))
   }

   END

2.2.  The DOA eContentType

   The eContentType for a DOA is defined as id-ct-
   discardOriginAuthorization as specified in Section 2.1.

   This OID MUST appear both within the eContentType in the
   encapContentInfo object as well as the ContentType signed attribute
   in the signerInfo object (see [RFC6488]).

2.3.  The DOA eContent

   The content of a DOA is formally defined as
   DiscardOriginAuthorization as specified in Section 2.1

2.3.1.  version

   The version number of the DiscardOriginAuthorization MUST be 0.

2.3.2.  ipAddrBlocks

   The IP address prefixes for which the announcement of RTBH routes is
   authorized.  The IP address resources contained here are the
   resources used to mark the authorization, and MUST match the set of
   resources listed by the EE certificate carried in the CMS
   certificates field.  See [RFC6482] Section 3.3 for a similar, but not
   entirely similar appraoch.  A notable difference is the absense of
   MaxLength, and instead a PrefixLengthRange is used.  If no
   PrefixLengthRange is present, only the "host route" prefix length
   (i.e. 32 for IPv4 and 128 for IPv6) is authorized.

2.3.3.  originAsID

   The asID field contains the AS number that is authorized to originate
   RTBH routes for the given IP address prefixes.  The asID does not
   have to be contained by the resources listed on the EE certificate.

Snijders, et al.        Expires 8 September 2022                [Page 5]
Internet-Draft                  RPKI DOA                      March 2022

2.3.4.  peerAsIDs

   The peerAsIDs field contains zero or more AS numbers that are
   authorized to propagate routes intended to signal an RTBH request for
   the given IP address prefixes.  The peerAsIDs do not have to be
   contained by the resources listed on the EE certificate.  Network
   operators MUST only accept the RTBH request if it was received from
   any listed peerAsIDs.  The peerAsIDs field allows DOAs to be used to
   validate RTBH routes with one AS hop between originator and
   receipient.

2.3.5.  communities

   The communities field contains the Classic BGP communities or Large
   BGP Communities which are to be the 'trigger' to start RTBH.  TBD:
   are communities 'and' or 'or'?

3.  DOA Validation

   To validate a DOA the relying party MUST perform all the validation
   checks specified in [RFC6488] as well as the following additional
   DOA-specific validation step:

   *  The IP delegation extension [RFC3779] MUST be present in the end-
      entity certificate (contained in the DOA), and every IP address
      prefix present in the ipAddrBlocks component of the DOA eContent
      is contained within the set of IP addresses specified in the EE
      certificate's IP address delegation extension.

4.  RPKI-RTR protocol extensions

   TODO: Seperate document?

5.  BGP Route Matching

   TODO: Seperate document?

   A BGP speaker MAY assign to each path it receives from its peers one
   of 3 RTBH request validation states:

   *  Matched: a validated DOA object was found covering the prefix of
      the received path, and matching the contraints of the DOA;

   *  Unmatched: a validated DOA object was found covering the prefix of
      the received path, but the constraints of the DOA were not
      matched; or

Snijders, et al.        Expires 8 September 2022                [Page 6]
Internet-Draft                  RPKI DOA                      March 2022

   *  NotFound: a validated DOA object covering the prefix of the
      receieved path was not found.

   Where "covering" is used as in its definition in Section 2 [RFC6811].

   In order for a BGP path to be considered to have matched the
   constraints of a DOA object, the following conditions MUST be met:

   *  The route originated from the ASN listed in the ASId.

   *  The route was received from a PeerAS which is either the ASId or
      listed in the peerAsIDs field.

   *  The route's prefix length matches the listed permissible prefix
      lengths.

   *  The route is tagged with (TODO: one or more of?) the designated
      BGP community.

6.  Route Origin Validation Co-Existance

   It is important to observe that ROAs and DOAs can and will be issued
   for the same covered address space, and that the resulting ROV
   validation state MUST be entirely independent of the resulting DOA
   validation state.

   In particular it is expected that legitimate RTBH routes will
   commonly receive a DOA validation state of 'Matched' whilst also
   receiving a ROV validation state of 'Invalid' due to the (likely)
   longer prefix-length of an RTBH route.

   For this reason, it is recommended that operators construct policy so
   as to act on the DOA validation early in the routing policy
   application process, such that routes that are 'Matched' may be
   installed as RTBH routes, and routes that are 'Unmatched' or
   'NotFound' can "fall-through" to be processed as "normal" routes,
   including the possible application of policy based on their ROV
   validation state.

   Critically, in order that operators are able to construct policy
   according to their needs conforming implementations MUST NOT take any
   policy action on a route based on either its DOA or ROV validation
   state by default.  See also [RFC8481].

Snijders, et al.        Expires 8 September 2022                [Page 7]
Internet-Draft                  RPKI DOA                      March 2022

7.  Exporting RTBH Routes

   The guidance of Section 3.2 [RFC7999] that, in general, RTBH routes
   SHOULD NOT be propagated beyond the receiving AS continues to apply
   to RTBH routes validated in terms of the above mechanisms.

   The exception to this guidance is that an operator MAY propagate a
   received RTBH route to neighboring ASes if its own AS number appears
   in the peerAsIDs field of the matched DOA, since this indicates a
   desire by the issuer that neighbors of the local AS honour the route
   as a legitimate RTBH signal.

   To facilitate the construction of routing policies by operators that
   implemented this behaviour, conforming BGP speaker implementations
   SHOULD provide a means of distinguishing between 'Matched' routes for
   which the local AS appears in the peerAsIDs of the matched DOA from
   those for which it does not.

8.  Operational Considerations

   TODO

9.  Security Considerations

   TODO

10.  Implementation status

   This section is to be removed before publishing as an RFC.

   This section records the status of known implementations of the
   protocol defined by this specification at the time of posting of this
   Internet-Draft, and is based on a proposal described in RFC 7942.
   The description of implementations in this section is intended to
   assist the IETF in its decision processes in progressing drafts to
   RFCs.  Please note that the listing of any individual implementation
   here does not imply endorsement by the IETF.  Furthermore, no effort
   has been spent to verify the information presented here that was
   supplied by IETF contributors.  This is not intended as, and must not
   be construed to be, a catalog of available implementations or their
   features.  Readers are advised to note that other implementations may
   exist.

Snijders, et al.        Expires 8 September 2022                [Page 8]
Internet-Draft                  RPKI DOA                      March 2022

   According to RFC 7942, "this will allow reviewers and working groups
   to assign due consideration to documents that have the benefit of
   running code, which may serve as evidence of valuable experimentation
   and feedback that have made the implemented protocols more mature.
   It is up to the individual working groups to use this information as
   they see fit".

   *  A signer implementation [rpkimancer-doa] written in Python has
      been developed by Ben Maddison.

11.  IANA Considerations

11.1.  SMI Security for S/MIME CMS Module Identifier
       (1.2.840.113549.1.9.16.0)

   The IANA is requested to register the following entry for this
   document in the "SMI Security for S/MIME CMS Module Identifier
   (1.2.840.113549.1.9.16.0)" registry:

   Decimal   Description                      References
   -----------------------------------------------------------------------------
   [TBD]     id-mod-rpkiDOA                   [draft-spaghetti-sidrops-rpki-doa]

   Upon publication of this document, IANA is requested to reference the
   RFC publication instead of this draft.

11.2.  SMI Security for S/MIME CMS Content Type
       (1.2.840.113549.1.9.16.1)

   The IANA is requested to register the following entry for this
   document in the "SMI Security for S/MIME CMS Content Type
   (1.2.840.113549.1.9.16.1)" registry:

   Decimal   Description                      References
   -----------------------------------------------------------------------------
   [TBD]     id-ct-discardOriginAuthorization   [draft-spaghetti-sidrops-rpki-doa]

   Upon publication of this document, IANA is requested to reference the
   RFC publication instead of this draft.

11.3.  RPKI Signed Objects registry

   The IANA is requested to register the OID for the RPKI Discard Origin
   Authorization in the "RPKI Signed Objects" registry ([RFC6488]) as
   follows:

Snijders, et al.        Expires 8 September 2022                [Page 9]
Internet-Draft                  RPKI DOA                      March 2022

      Name          OID                          Reference
      ----------------------------------------------------
      DOA           1.2.840.113549.1.9.16.1.TBD  [RFC-TBD]

11.4.  RPKI Repository Name Schemes registry

   The IANA is requested to register the RPKI Discard Origin
   Authorization file extension in the "RPKI Repository Name Schemes"
   registry ([RFC6481]) as follows:

      Filename Extension  RPKI Object                  Reference
      ----------------------------------------------------------
      .doa                Discard Origin Authorization   [RFC-TBD]

11.5.  Media Types registry

   The IANA is requested to register the media type application/rpki-doa
   in the "Media Types" registry ([RFC6838]) as follows:

   Type name: application
   Subtype name: rpki-doa
   Required parameters: None
   Optional parameters: None
   Encoding considerations: binary
   Security considerations: Carries an RPKI Discard Origin Authorization
                            [RFC-TBD].
   Interoperability considerations: None
   Published specification: This document.
   Applications that use this media type: RPKI operators.
   Additional information:
     Content: This media type is a signed object, as defined
              in [RFC6488], which contains a payload of a set of matching
              criteria as defined above in [RFC-TBD].
     Magic number(s): None
     File extension(s): .doa
     Macintosh file type code(s):
   Person & email address to contact for further information:
     Job Snijders <job@fastly.com>
   Intended usage: COMMON
   Restrictions on usage: None
   Author: Job Snijders <job@fastly.com>
   Change controller: Job Snijders <job@fastly.com>

12.  References

Snijders, et al.        Expires 8 September 2022               [Page 10]
Internet-Draft                  RPKI DOA                      March 2022

12.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3779]  Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
              Addresses and AS Identifiers", RFC 3779,
              DOI 10.17487/RFC3779, June 2004,
              <https://www.rfc-editor.org/info/rfc3779>.

   [RFC3882]  Turk, D., "Configuring BGP to Block Denial-of-Service
              Attacks", RFC 3882, DOI 10.17487/RFC3882, September 2004,
              <https://www.rfc-editor.org/info/rfc3882>.

   [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
              RFC 5652, DOI 10.17487/RFC5652, September 2009,
              <https://www.rfc-editor.org/info/rfc5652>.

   [RFC6481]  Huston, G., Loomans, R., and G. Michaelson, "A Profile for
              Resource Certificate Repository Structure", RFC 6481,
              DOI 10.17487/RFC6481, February 2012,
              <https://www.rfc-editor.org/info/rfc6481>.

   [RFC6488]  Lepinski, M., Chi, A., and S. Kent, "Signed Object
              Template for the Resource Public Key Infrastructure
              (RPKI)", RFC 6488, DOI 10.17487/RFC6488, February 2012,
              <https://www.rfc-editor.org/info/rfc6488>.

   [RFC6838]  Freed, N., Klensin, J., and T. Hansen, "Media Type
              Specifications and Registration Procedures", BCP 13,
              RFC 6838, DOI 10.17487/RFC6838, January 2013,
              <https://www.rfc-editor.org/info/rfc6838>.

   [RFC7999]  King, T., Dietzel, C., Snijders, J., Doering, G., and G.
              Hankins, "BLACKHOLE Community", RFC 7999,
              DOI 10.17487/RFC7999, October 2016,
              <https://www.rfc-editor.org/info/rfc7999>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

12.2.  Informative References

Snijders, et al.        Expires 8 September 2022               [Page 11]
Internet-Draft                  RPKI DOA                      March 2022

   [RFC1997]  Chandra, R., Traina, P., and T. Li, "BGP Communities
              Attribute", RFC 1997, DOI 10.17487/RFC1997, August 1996,
              <https://www.rfc-editor.org/info/rfc1997>.

   [RFC6480]  Lepinski, M. and S. Kent, "An Infrastructure to Support
              Secure Internet Routing", RFC 6480, DOI 10.17487/RFC6480,
              February 2012, <https://www.rfc-editor.org/info/rfc6480>.

   [RFC6482]  Lepinski, M., Kent, S., and D. Kong, "A Profile for Route
              Origin Authorizations (ROAs)", RFC 6482,
              DOI 10.17487/RFC6482, February 2012,
              <https://www.rfc-editor.org/info/rfc6482>.

   [RFC6811]  Mohapatra, P., Scudder, J., Ward, D., Bush, R., and R.
              Austein, "BGP Prefix Origin Validation", RFC 6811,
              DOI 10.17487/RFC6811, January 2013,
              <https://www.rfc-editor.org/info/rfc6811>.

   [RFC8481]  Bush, R., "Clarifications to BGP Origin Validation Based
              on Resource Public Key Infrastructure (RPKI)", RFC 8481,
              DOI 10.17487/RFC8481, September 2018,
              <https://www.rfc-editor.org/info/rfc8481>.

   [rpkimancer-doa]
              Maddison, B., "rpkimancer-doa", June 2021,
              <https://pypi.org/project/rpkimancer-doa/>.

Appendix A.  Acknowledgements

   TODO

Appendix B.  Document Changelog

   This section is to be removed before publishing as an RFC.

B.1.  Individual Submission Phase

Authors' Addresses

   Job Snijders
   Fastly
   Amsterdam
   Netherlands
   Email: job@fastly.com

Snijders, et al.        Expires 8 September 2022               [Page 12]
Internet-Draft                  RPKI DOA                      March 2022

   Mikael Abrahamsson
   NTT Ltd.
   Stockholm
   Sweden
   Email: mikael@swm.pp.se

   Ben Maddison
   Workonline Communications
   Cape Town
   South Africa
   Email: benm@workonline.africa

Snijders, et al.        Expires 8 September 2022               [Page 13]