Internet Engineering Task Force (IETF)                       O. Borchert
Internet-Draft                                             D. Montgomery
Updates: 8205 (if approved)                                     USA NIST
Intended status: Standards Track
Expires: July 19, 2021                                  January 15, 2021

                   BGPsec Validation State Unverified
           draft-borchert-sidrops-bgpsec-state-unverified-04

Abstract

   If operators decide to delay BGPsec path validation, none of the
   available states properly represents this decision. This document
   introduces "Unverified" as a well-defined validation state that
   allows non-evaluated BGPsec routes to be properly identified as not
   verified.

Status of This Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html


Borchert & Montgomery    Expires July 19, 2021                  [Page 1]


Internet Draft     BGPsec Validation State Unverified   January 15, 2021


Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
   2.  Suggested Reading
   3.  Initializing BGPsec route
     3.1.  Changes to RFC 8205
   3.  Usage Considerations
   4.  Security Considerations
   5.  IANA Considerations
   6.  References
     6.1.  Normative References
     6.2.  Informative References
   Acknowledgements
   Authors' Addresses


1.  Introduction

   BGPsec path validation [RFC8205] provides well-defined validation
   states. There are, however, instances in which BGPsec routes are not
   validated immediately upon receipt. This could be due to a
   configuration in which the operator chose to perform "Lazy
   Evaluation", or due to a router configuration that enables the
   operator to delay route validation during unexpectedly high loads
   such as DDoS attacks or others. In these cases, the absence of a
   well-defined initialization state requires the use of a validation
   state that is otherwise well-defined, which "waters down" the
   meaning of that state.

   Hence, this document updates RFC 8205 by adding the proposed
   validation state "Unverified".

1.1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  Suggested Reading

   It is assumed that the reader understands BGP [RFC4271] and the
   BGPsec Protocol Specification [RFC8205].

3.  Initializing BGPsec route

   This document introduces the validation state "Unverified" to be used
   for BGPsec routes that are not evaluated otherwise.

   To allow proper initialization the following state is introduced:

   o  Unverified: Specifies the state of a BGPsec route where no
      evaluation has been performed.


3.1. Changes to RFC 8205

   The BGPsec protocol specification [RFC8205] suffers from the
   limitation described above. [Section 5.1] of RFC 8205 specifies two
   states for BGPsec path validation:

      The validation procedure results in one of two states:
         'Valid' and 'Not Valid'.

   Also, [Section 5.1] makes it clear that:

      BGPsec validation need only be performed at the eBGP edge.

   This document updates RFC 8205 as follows:

   BGPsec routes MUST be initialized using the BGPsec validation state
   "Unverified" until proper evaluation of the BGPsec route has been
   performed.


3.  Usage Considerations

   The validation state "Unverified" makes it possible to distinguish
   between evaluated and non-evaluated BGPsec routes. This allows the
   operator to create policies that treat such routes differently from
   routes labeled with either validation state "Valid" or "Not Valid".
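
   The following sketch is an added example, not part of this draft or
   of any BGPsec implementation. It models the initialization rule of
   Section 3.1 together with the policy use described above: a route
   whose validation is deferred stays "Unverified" and is ranked
   separately from "Valid" and "Not Valid" routes. The Rib class, the
   verify callback (a stand-in for RFC 8205 path validation), and the
   LOCAL_PREF values are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional

class State(Enum):
    UNVERIFIED = "Unverified"  # initial state: no evaluation performed yet
    VALID = "Valid"            # RFC 8205, Section 5.1
    NOT_VALID = "Not Valid"    # RFC 8205, Section 5.1

@dataclass
class Route:
    prefix: str
    peer: str
    state: State = State.UNVERIFIED  # never defaults to Valid or Not Valid

# Assumed local policy (not from the draft): LOCAL_PREF per state, None = reject.
POLICY = {State.VALID: 200, State.UNVERIFIED: 100, State.NOT_VALID: None}

@dataclass
class Rib:
    verify: Callable[[Route], bool]  # stand-in for BGPsec path validation
    routes: List[Route] = field(default_factory=list)

    def receive(self, prefix: str, peer: str, defer: bool = False) -> None:
        route = Route(prefix, peer)
        self.routes.append(route)
        if not defer:  # normal operation: validate on receipt
            self.evaluate(route)

    def evaluate(self, route: Route) -> None:
        route.state = State.VALID if self.verify(route) else State.NOT_VALID

    def drain(self) -> int:  # lazy evaluation of routes still Unverified
        pending = [r for r in self.routes if r.state is State.UNVERIFIED]
        for route in pending:
            self.evaluate(route)
        return len(pending)

    def best(self, prefix: str) -> Optional[Route]:
        usable = [r for r in self.routes
                  if r.prefix == prefix and POLICY[r.state] is not None]
        return max(usable, key=lambda r: POLICY[r.state], default=None)

def demo() -> list:
    # Constructed sample: the stand-in validator accepts only peer AS64500.
    rib = Rib(verify=lambda r: r.peer == "AS64500")
    rib.receive("192.0.2.0/24", "AS64500", defer=True)  # held while under load
    rib.receive("192.0.2.0/24", "AS64501")              # evaluated: Not Valid
    before = rib.best("192.0.2.0/24").state
    return [before, rib.drain(), rib.best("192.0.2.0/24").state]
```

   demo() returns the state of the selected route before the deferred
   evaluation, the number of routes that were pending, and the state of
   the selected route afterwards.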

4.  Security Considerations

   This document introduces no new security concerns beyond what is
   described in [RFC8205].

5.  IANA Considerations

   This document has no IANA actions.


6.  References

6.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in
              RFC 2119 Key Words", BCP 14, RFC 8174,
              DOI 10.17487/RFC8174, May 2017,
              <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8205]  Lepinski, M., Ed., and K. Sriram, Ed., "BGPsec Protocol
              Specification", RFC 8205, DOI 10.17487/RFC8205, September
              2017, <https://www.rfc-editor.org/info/rfc8205>.


6.2.  Informative References

   [RFC4271]  Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
              Border Gateway Protocol 4 (BGP-4)", RFC 4271,
              DOI 10.17487/RFC4271, January 2006,
              <https://www.rfc-editor.org/info/rfc4271>.


Acknowledgements

   The authors would like to acknowledge the valuable review and
   suggestions from K. Sriram on this document.


Authors' Addresses

   Oliver Borchert
   National Institute of Standards and Technology (NIST)
   100 Bureau Drive
   Gaithersburg, MD  20899
   United States of America

   Email: oliver.borchert@nist.gov



   Doug Montgomery
   National Institute of Standards and Technology (NIST)
   100 Bureau Drive
   Gaithersburg, MD  20899
   United States of America

   Email: dougm@nist.gov