BGPsec Operational Considerations
RFC 8207
| Document | Type |
RFC - Best Current Practice
(September 2017; No errata)
Also known as BCP 211
|
|
|---|---|---|---|
| Last updated | 2017-09-27 | ||
| Replaces | draft-ymbk-bgpsec-ops | ||
| Stream | IETF | ||
| Formats | plain text pdf html bibtex | ||
| Reviews | GENART will not review this version | ||
| Stream | WG state | Submitted to IESG for Publication | |
| Document shepherd | Chris Morrow | ||
| Shepherd write-up | Show (last changed 2016-11-13) | ||
| IESG | IESG state | RFC 8207 (Best Current Practice) | |
| Consensus Boilerplate | Yes | ||
| Telechat date | |||
| Responsible AD | Alvaro Retana | ||
| Send notices to | "Chris Morrow" <morrowc@ops-netman.net>, aretana@cisco.com | ||
| IANA | IANA review state | Version Changed - Review Needed | |
| IANA action state | No IANA Actions | ||
Internet Engineering Task Force (IETF) R. Bush
Request for Comments: 8207 Internet Initiative Japan
BCP: 211 September 2017
Category: Best Current Practice
ISSN: 2070-1721
BGPsec Operational Considerations
Abstract
Deployment of the BGPsec architecture and protocols has many
operational considerations. This document attempts to collect and
present the most critical and universal. Operational practices are
expected to evolve as BGPsec is formalized and initially deployed.
Status of This Memo
This memo documents an Internet Best Current Practice.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
BCPs is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc8207.
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Bush Best Current Practice [Page 1]
RFC 8207 BGPsec Operational Considerations September 2017
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. Suggested Reading . . . . . . . . . . . . . . . . . . . . . . 3
3. RPKI Distribution and Maintenance . . . . . . . . . . . . . . 3
4. AS/Router Certificates . . . . . . . . . . . . . . . . . . . 3
5. Within a Network . . . . . . . . . . . . . . . . . . . . . . 4
6. Considerations for Edge Sites . . . . . . . . . . . . . . . . 4
7. Routing Policy . . . . . . . . . . . . . . . . . . . . . . . 5
8. Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
9. Security Considerations . . . . . . . . . . . . . . . . . . . 7
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
11.1. Normative References . . . . . . . . . . . . . . . . . . 8
11.2. Informative References . . . . . . . . . . . . . . . . . 8
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 10
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction
Origin validation based on the Resource Public Key Infrastructure
(RPKI) [RFC6811] is in its early phases. As BGPsec [RFC8205] may
require larger memory and/or more modern CPUs, it expected to be
deployed incrementally over a longer time span. BGPsec is a new
protocol with many operational considerations that this document
attempts to describe. As with most operational practices, they will
likely change over time.
BGPsec relies on widespread propagation of the RPKI [RFC6480]. How
the RPKI is distributed and maintained globally and within an
operator's infrastructure may be different for BGPsec than for origin
validation.
BGPsec needs to be spoken only by an Autonomous System's (AS's)
eBGP-speaking border routers. It is designed so that it can be used
to protect announcements that are originated by resource-constrained
edge routers. This has special operational considerations, see
Section 6.
Different prefixes may have different timing and replay protection
considerations.
Bush Best Current Practice [Page 2]
RFC 8207 BGPsec Operational Considerations September 2017
1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
2. Suggested Reading
It is assumed that the reader understands BGP [RFC4271], BGPsec
[RFC8205], the RPKI [RFC6480], the RPKI Repository Structure
[RFC6481], and Route Origin Authorizations (ROAs) [RFC6482].
Show full document text