Path validation with RPKI

Document Type Active Internet-Draft (individual)
Last updated 2019-06-20
SIDR Operations                                           I. van Beijnum
Updates: RFC 3779, RFC 8210 (if                            June 20, 2019
Intended status: Experimental
Expires: December 22, 2019

                       Path validation with RPKI


   This memo adds the capability to validate the full BGP AS path to the
   RPKI mechanism.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 22, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Van Beijnum             Expires December 22, 2019               [Page 1]
Internet-Draft          Path validation with RPKI              June 2019

1.  Introduction

   With RPKI, it's possible for BGP routers to validate the origin AS
   found in the BGP AS path attribute for a given IP prefix.  However,
   RPKI can't validate the rest of the AS path, allowing for route leaks
   types 1 - 4 as described in RFC 7908 [RFC7908].

   This specification extends RPKI to allow for validating the full BGP
   AS path, based on the observation that each AS in a valid AS path has
   either a trust relation with the origin AS or has a trust relation
   with the local AS (the AS performing validation).  I.e., each
   intermediary AS provides transit service to either the origin AS or
   the local AS.

   An extension to RFC 3779 [RFC3779] allows for binding a list of
   allowed transit ASes to a set of IP addresses.  Operators of RPKI
   [RFC6480] relying party software add to this their list of locally
   allowed transit ASes through manual configuration.  An update to the
   RPKI-router protocol [RFC8210] lets relying party software propagate
   the thus created list of allowed ASes for the prefix(es) in question
   so BGP routers can validate the corresponding AS paths.
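   The validation rule described above, as an added worked example in
   Python (this is not code from the draft or from any RPKI relying-party
   or router implementation).  It assumes a per-prefix record carrying
   the origin ASes from id-pe-autonomousSysIds plus an allowed-transit
   set standing in for the draft's id-pe-autonomousSysIdsPath (whose
   encoding the draft has not yet specified), merges that set with the
   locally configured transit ASes, and then requires every intermediary
   AS in the path to appear in the merged set.  The names PrefixRecord,
   covering_records, validate_path and all AS numbers, prefixes and
   path samples are constructed for the example; treating a prepended
   origin AS as an allowed intermediary is also an assumption of this
   example, not a statement of the draft.

```python
from dataclasses import dataclass
from ipaddress import ip_network

VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"


@dataclass(frozen=True)
class PrefixRecord:
    """One validated RPKI record as a router would receive it (assumed shape).

    origin_asns  - origin ASes bound to the prefix (RFC 3779 id-pe-autonomousSysIds)
    transit_asns - transit ASes bound to the prefix (the draft's
                   id-pe-autonomousSysIdsPath; field layout is an assumption)
    """
    prefix: str
    max_length: int
    origin_asns: frozenset
    transit_asns: frozenset


def covering_records(records, prefix):
    """Return the records whose prefix covers the announced prefix.

    Max-length is deliberately not checked here: a covered prefix that is
    too long must later be classed invalid, not not-found.
    """
    net = ip_network(prefix)
    out = []
    for rec in records:
        rec_net = ip_network(rec.prefix)
        if rec_net.version == net.version and net.subnet_of(rec_net):
            out.append(rec)
    return out


def validate_path(records, local_transit_asns, prefix, as_path):
    """Validate origin and full AS path for one announcement.

    as_path is the BGP AS_PATH as seen by the local AS: first element is
    the neighbour, last element is the origin.  Returns (status, reason).
    """
    if not as_path:
        return INVALID, "empty AS path"
    net = ip_network(prefix)
    origin = as_path[-1]
    intermediaries = as_path[:-1]

    covering = covering_records(records, prefix)
    if not covering:
        return NOT_FOUND, "no RPKI record covers the prefix"

    origin_ok = False
    last_offenders = []
    for rec in covering:
        # Origin validation in the style of RFC 6811: prefix length within
        # max-length and origin AS authorised.
        if net.prefixlen > rec.max_length or origin not in rec.origin_asns:
            continue
        origin_ok = True
        # Each intermediary must transit for the origin (set from the
        # record) or for the local AS (locally configured set).  The origin
        # itself is allowed so that AS-path prepending does not fail.
        allowed = rec.transit_asns | frozenset(local_transit_asns) | {origin}
        last_offenders = sorted({a for a in intermediaries if a not in allowed})
        if not last_offenders:
            return VALID, f"origin and transit ASes accepted by record {rec.prefix}"

    if not origin_ok:
        return INVALID, f"origin AS{origin} not authorised for {prefix}"
    return INVALID, f"unauthorised transit AS(es): {last_offenders}"


# Constructed sample data: documentation prefixes and documentation ASNs.
RPKI_RECORDS = [
    PrefixRecord("192.0.2.0/24", 24, frozenset({64496}), frozenset({64500, 64501})),
    PrefixRecord("2001:db8::/32", 48, frozenset({64497}), frozenset({64502})),
]
LOCAL_TRANSIT = {64510}   # constructed: our own upstream, configured by hand


def run_samples():
    """Validate a handful of constructed announcements; returns name -> status."""
    cases = {
        "clean":      ("192.0.2.0/24",      [64510, 64500, 64496]),
        "leak":       ("192.0.2.0/24",      [64510, 64505, 64496]),  # 64505 transits for nobody we trust
        "bad_origin": ("192.0.2.0/24",      [64510, 64500, 64498]),
        "prepend":    ("192.0.2.0/24",      [64510, 64501, 64496, 64496]),
        "unknown":    ("198.51.100.0/24",   [64510, 64500, 64496]),
        "v6":         ("2001:db8:1::/48",   [64510, 64502, 64497]),
        "v6_toolong": ("2001:db8:1:2::/64", [64510, 64502, 64497]),
    }
    return {name: validate_path(RPKI_RECORDS, LOCAL_TRANSIT, pfx, path)[0]
            for name, (pfx, path) in cases.items()}


if __name__ == "__main__":
    for name, status in run_samples().items():
        print(f"{name:11s} {status}")
```

   The "leak" case is the point of the draft: origin validation alone
   accepts it, because the origin is authorised, while the path check
   rejects it since AS 64505 is in neither the prefix's transit set nor
   the local one.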

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Changes to the ROA certificate format

   RFC 3779 [RFC3779] specifies an extension to X.509 certificates that
   contains a set of AS numbers: id-pe-autonomousSysIds.  This is the
   set of valid origin ASes for a given set of IP addresses.

   This memo adds another extension to X.509 certificates with the name
   id-pe-autonomousSysIdsPath.  id-pe-autonomousSysIdsPath is identical
   in syntax to the existing id-pe-autonomousSysIds, allowing for code

   An explicit specification of the id-pe-autonomousSysIdsPath extension
   will be added to a later version of this document.

3.  Changes to the RPKI-router protocol

   This memo updates the RPKI-router protocol [RFC8210] by adding
   version 2 of the RPKI-router protocol.  Version 2 is a superset of
   version 1; all implementations that support version 2 MUST also
   support version 1.  Version negotiation is performed as specified in
   RFC 8210 [RFC8210], with the addition that version 2 may now be
   advertised and used if advertised by both sides.

   Version 2 extends the IPv4 Prefix PDU and IPv6 Prefix PDU.  All
   version 1 PDUs (including the IPv4 and IPv6 Prefix PDUs) may also be
   used without changes by version 2, and are transmitted with version
   number 1.

   The format of the version 2 IPv4 Prefix PDU is as follows:

      0          8          16         24        31