Network Working Group G. Huston
Internet-Draft G. Michaelson
Intended status: Informational APNIC
Expires: December 9, 2016 C. Martinez
LACNIC
T. Bruijnzeels
RIPE NCC
A. Newton
ARIN
A. Aina
AFRINIC
June 7, 2016
RPKI Validation Reconsidered
draft-ietf-sidr-rpki-validation-reconsidered-04
Abstract
This document proposes an update to the certificate validation
procedure specified in RFC 6487 that reduces aspects of operational
fragility in the management of certificates in the RPKI, while
retaining essential security features.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 9, 2016.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
Huston, et al. Expires December 9, 2016 [Page 1]
Internet-Draft RPKI Validation June 2016
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Certificate Validation in the RPKI . . . . . . . . . . . . . 2
3. Operational Considerations . . . . . . . . . . . . . . . . . 3
4. An Amended RPKI Certification Validation Process . . . . . . 4
4.1. Verified Resource Set . . . . . . . . . . . . . . . . . . 4
4.2. Changes to existing standards . . . . . . . . . . . . . . 5
4.2.1. Resource Certificate Path Validation . . . . . . . . 5
4.2.2. ROA Validation . . . . . . . . . . . . . . . . . . . 6
4.2.3. BGPsec Router Certificate Validation . . . . . . . . 6
4.3. An example . . . . . . . . . . . . . . . . . . . . . . . 7
5. Security Considerations . . . . . . . . . . . . . . . . . . . 9
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
8.1. Normative References . . . . . . . . . . . . . . . . . . 9
8.2. Informative References . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction
This document proposes an update to the certificate validation
procedure specified in [RFC6487] that reduces aspects of operational
fragility in the management of certificates in the RPKI, while
retaining essential security features.
2. Certificate Validation in the RPKI
As currently defined in section 7.2 of [RFC6487], validation of PKIX
certificates that conform to the RPKI profile relies on the use of a
path validation process where each certificate in the validation path
is required to meet the certificate validation criteria.
These criteria require in particular that the resources on each
certificate in the validation path are "encompassed" by the resources
on the issuing certificate. The first certificate in the path is
required to be a trust anchor, and its resources are considered valid
by definition.
Huston, et al. Expires December 9, 2016 [Page 2]
Internet-Draft RPKI Validation June 2016
For example, in the following sequence:
Certificate 1 (trust anchor):
Issuer TA,
Subject TA,
Resources 192.0.2.0/24, 198.51.100.0/24,
2001:db8::/32, AS64496-AS64500
Certificate 2:
Issuer TA,
Subject CA1,
Resources 192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32
Certificate 3:
Issuer CA1,
Subject CA2,
Resources 192.0.2.0/24, 2001:db8::/32
ROA 1:
Embedded Certificate 4 (EE certificate):
Issuer CA2,
Subject R1,
Resources 192.0.2.0/24
Prefix 192.0.2.0/24, Max Length 24, ASN 64496
All certificates in this scenario are considered valid in that the
resources on each certificate are encompassed by the issuing
certificate. ROA1 is valid because the specified prefix is
encompassed by the embedded EE certificate, as required by [RFC6482].
3. Operational Considerations
The allocations recorded in the RPKI change as a result of resource
transfers and some types of operational errors. For example, the CAs
involved in transfer might choose to modify CA certificates in an
order that causes some of these certificates to "over-claim"
temporarily. It may also happen that a child CA does not voluntarily
request a shrunk resource certificate when resources are being
transferred or reclaimed by the parent. Furthermore some types of
operational errors that may occur during management of RPKI databases
also may create CA certificates that, temporarily, no longer
encompass all of the resources in subordinate certificates.
Consider the following sequence:
Huston, et al. Expires December 9, 2016 [Page 3]
Internet-Draft RPKI Validation June 2016
Certificate 1 (trust anchor):
Issuer TA,
Subject TA,
Resources 192.0.2.0/24, 198.51.100.0/24,
2001:db8::/32, AS64496-AS64500
Certificate 2:
Issuer TA,
Subject CA1,
Resources 192.0.2.0/24, 2001:db8::/32
Certificate 3 (invalid):
Issuer CA1,
Subject CA2,
Resources 192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32
ROA 1 (invalid):
Embedded Certificate 4 (EE certificate):
Issuer CA2,
Subject R1,
Resources 192.0.2.0/24
Prefix 192.0.2.0/24, Max Length 24, ASN 64496
Here Certificate 2 from the previous example was re-issued by TA to
CA1 and the prefix 198.51.100.0/24 was removed. However, CA1 failed
to re-issue a new Certificate 3 to CA2. As a result Certificate 3 is
now over-claiming and considered invalid, and by recursion the
embedded Certificate 4 used for ROA1 is also invalid. And ROA1 is
invalid because the specified prefix is no longer encompassed by a
valid embedded EE certificate, as required by [RFC6482]
However, it should be noted that ROA1 does not make use of any of the
address resources that were removed from CA1's certificate, and thus
it would be desirable if ROA1 could still be viewed as valid.
Technically CA1 could re-issue a Certificate 3 to CA2 without
198.51.100.0/24, and then ROA1 would be considered valid according to
[RFC6482]. But as long as CA1 does not take this action, ROA1
remains invalid. It would be preferable if ROA1 could be considered
valid.
4. An Amended RPKI Certification Validation Process
4.1. Verified Resource Set
The problem described above can be considered as a low probability
problem today. However the potential impact on routing security
would be high if an overclaim occurred near the apex of the RPKI
Huston, et al. Expires December 9, 2016 [Page 4]
Internet-Draft RPKI Validation June 2016
hierarchy and would invalidate the entirety of the sub-tree located
below this point.
The changes proposed here to the validation procedure in [RFC6487] do
not change the probability of this problem, but limit the impact to
just the overclaimed resources. This approach is intended to avoid
causing CA certificates to be treated as completely invalid as a
result of overclaims. However, these changes are designed to not
degrade the security offered by the RPKI. Specifically, no ROAs or
router certificates will be treated as valid if they contain only
resources that are not encompassed by all superior certificates along
a path to a trust anchor.
The way this is achieved conceptually is by maintaining a set of
verified resources for each certificate that is separate from the set
of resources found in the [RFC3779] resource extension on a
certificate.
4.2. Changes to existing standards
4.2.1. Resource Certificate Path Validation
Step 6 of the Resource Certification Path Validation defined in
section 7.2 of [RFC6487] currently has the following on the
validation of resources contained in the [RFC3779] resource extension
of certificates:
o The resource extension data is "encompassed" by the resource
extension data contained in a valid certificate where this issuer
is the subject (the previous certificate in the context of the
ordered sequence defined by the certification path).
The following is an amended specification to be used in place of this
text.
o The Relying Party MUST keep a Verified Resource Set for the
certificate independent of the RFC3779 extension itself, that is
built up using the following approach:
* If the certificate under test is chosen as a Trust Anchor, then
the Verified Resource Set of this certificate is equal to the
RFC3779 resource extensions.
* If the certificate under test not chosen as a Trust Anchor, the
Verified Resource Set is found by comparing this certificate to
its parent certificate (the previous certificate in the context
of the ordered sequence defined by the certification path) in
the following way:
Huston, et al. Expires December 9, 2016 [Page 5]
Internet-Draft RPKI Validation June 2016
+ For any of the resource extensions that use the "inherit"
element as described in sections 2.2.3.5 and 3.2.3.3 of RFC
3779, the corresponding resources of this type should be
taken from the parent certificate.
+ For resource extensions that do no use the "inherit"
element, the intersection of the resources on this
certificate and the Verified Resource Set of the parent
certificate MUST be used. If any resources on this
certificate are not encompassed by the Verified Resource Set
of the parent certificate, a warning SHOULD be issued to
help operators rectify this situation.
+ If the Verified Resource Set obtained this way is empty for
all resource classes (IPv4, IPv6 and AS), then the
certificate MUST be considered invalid.
4.2.2. ROA Validation
Section 4 of [RFC6482] currently has the following text on the
validation of resources on a ROA:
o The IP address delegation extension [RFC3779] is present in the
end-entity (EE) certificate (contained within the ROA), and each
IP address prefix(es) in the ROA is contained within the set of IP
addresses specified by the EE certificate's IP address delegation
extension.
The following is an amended specification to be used in place of this
text.
o The Verified Resource Set of the end-entity (EE) certificate
(contained within the ROA), contains each IP address prefix(es) in
the ROA.
4.2.3. BGPsec Router Certificate Validation
BGPsec Router Certificate Validation is defined in section 3.3 of
[I-D.ietf-sidr-bgpsec-pki-profiles]. Path validation defined section
7 of [RFC6487] is used as the first step in validation, and a number
of additional constraints are applied.
We propose that the text of the following two additions:
o BGPsec Router Certificates MUST NOT include the IP Resource
extension.
Huston, et al. Expires December 9, 2016 [Page 6]
Internet-Draft RPKI Validation June 2016
o BGPsec Router Certificates MUST include the AS Resource Identifier
Delegation extension.
Is updated to the following:
o The Validated Resource Set of BGPsec Router Certificates MUST NOT
include IP Resources.
o BGPsec Router Certificates MUST include the AS Resource Identifier
Delegation extension and all AS resources included on this MUST be
encompassed by the Validated Resource Set of the BGPsec Router
Certificates.
4.3. An example
Consider the following example under the amended approach:
Certificate 1 (trust anchor):
Issuer TA,
Subject TA,
Resources 192.0.2.0/24, 198.51.100.0/24,
2001:db8::/32, AS64496-AS64500
Verified Resource Set: 192.0.2.0/24, 198.51.100.0/24,
2001:db8::/32, AS64496-AS64500
Warnings: none
Certificate 2:
Issuer TA,
Subject CA1,
Resources 192.0.2.0/24, 2001:db8::/32, AS64496
Verified Resource Set: 192.0.2.0/24,
2001:db8::/32, AS64496
Warnings: none
Certificate 3:
Issuer CA1,
Subject CA2,
Resources 192.0.2.0/24, 198.51.100.0/24, AS64496
Verified Resource Set: 192.0.2.0/24, AS64496
Warnings: overclaim for 198.51.100.0/24
ROA 1 (valid):
Embedded Certificate 4 (EE certificate):
Issuer CA2,
Subject R1,
Huston, et al. Expires December 9, 2016 [Page 7]
Internet-Draft RPKI Validation June 2016
Resources 192.0.2.0/24
Verified resources: 192.0.2.0/24
Warnings: none
Prefix 192.0.2.0/24, Max Length 24, ASN 64496
ROA1 is considered valid because the prefix matches the Verified
Resource Set on the embedded EE certificate, as required by
RFC 6482.
ROA 2 (invalid):
Embedded Certificate 5 (EE certificate):
Issuer CA2,
Subject R2,
Resources 198.51.100.0/24
Verified resources: none
Warnings: overclaim for 198.51.100.0/24
Prefix 198.51.100.0/24, Max Length 24, ASN 64496
ROA2 is considered invalid because the prefix does not match the
Verified Resource Set on the embedded EE certificate. The amended
approach therefore cannot lead to ROAs showing up as valid for
resources that are not verified on the full path from the Trust
Anchor down to the ROA.
BGPSec Certificate 1 (valid):
Issuer CA2
Subject ROUTER-64496
Resources AS64496
Verified resources: AS64496
Warnings: none
BGPSec Certificate 2 (invalid):
Issuer CA2
Subject ALL-ROUTERS
Resources AS64496-AS64497
Verified resources: AS64496
Warnings: overclaim for AS64497
BGPSec Certificate 2 is considered invalid because not ALL
resources are part of the Verified Resource Set of this
certificate. This problem can be mitigated by issuing separate
certificates for each AS number.
Huston, et al. Expires December 9, 2016 [Page 8]
Internet-Draft RPKI Validation June 2016
5. Security Considerations
As far as the authors can see there are no real new problems
introduced by this approach.
6. IANA Considerations
No updates to the registries are suggested by this document.
7. Acknowledgements
TBA.
8. References
8.1. Normative References
[I-D.ietf-sidr-bgpsec-pki-profiles]
Reynolds, M. and S. Kent, "A Profile for BGPsec Router
Certificates, Certificate Revocation Lists, and
Certification Requests", draft-ietf-sidr-bgpsec-pki-
profiles-17 (work in progress), June 2016.
[RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
Addresses and AS Identifiers", RFC 3779,
DOI 10.17487/RFC3779, June 2004,
<http://www.rfc-editor.org/info/rfc3779>.
[RFC6482] Lepinski, M., Kent, S., and D. Kong, "A Profile for Route
Origin Authorizations (ROAs)", RFC 6482,
DOI 10.17487/RFC6482, February 2012,
<http://www.rfc-editor.org/info/rfc6482>.
[RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for
X.509 PKIX Resource Certificates", RFC 6487,
DOI 10.17487/RFC6487, February 2012,
<http://www.rfc-editor.org/info/rfc6487>.
8.2. Informative References
[RFC3849] Huston, G., Lord, A., and P. Smith, "IPv6 Address Prefix
Reserved for Documentation", RFC 3849,
DOI 10.17487/RFC3849, July 2004,
<http://www.rfc-editor.org/info/rfc3849>.
[RFC5398] Huston, G., "Autonomous System (AS) Number Reservation for
Documentation Use", RFC 5398, DOI 10.17487/RFC5398,
December 2008, <http://www.rfc-editor.org/info/rfc5398>.
Huston, et al. Expires December 9, 2016 [Page 9]
Internet-Draft RPKI Validation June 2016
[RFC5737] Arkko, J., Cotton, M., and L. Vegoda, "IPv4 Address Blocks
Reserved for Documentation", RFC 5737,
DOI 10.17487/RFC5737, January 2010,
<http://www.rfc-editor.org/info/rfc5737>.
Authors' Addresses
Geoff Huston
Asia Pacific Network Information Centre
6 Cordelia St
South Brisbane, QLD 4101
Australia
Phone: +61 7 3858 3100
Email: gih@apnic.net
George Michaelson
Asia Pacific Network Information Centre
6 Cordelia St
South Brisbane, QLD 4101
Australia
Phone: +61 7 3858 3100
Email: ggm@apnic.net
Carlos M. Martinez
Latin American and Caribbean IP Address Regional Registry
Rambla Mexico 6125
Montevideo 11400
Uruguay
Phone: +598 2604 2222
Email: carlos@lacnic.net
Tim Bruijnzeels
RIPE Network Coordination Centre
Singel 258
Amsterdam 1016 AB
The Netherlands
Email: tim@ripe.net
Huston, et al. Expires December 9, 2016 [Page 10]
Internet-Draft RPKI Validation June 2016
Andrew Lee Newton
American Registry for Internet Numbers
3635 Concorde Parkway
Chantilly, VA 20151
USA
Email: andy@arin.net
Alain Aina
African Network Information Centre (AFRINIC)
11th Floor, Raffles Tower
Cybercity, Ebene
Mauritius
Phone: +230 403 51 00
Email: aalain@afrinic.net
Huston, et al. Expires December 9, 2016 [Page 11]