BGPsec Operational Considerations
RFC 8207
Document | Type |
RFC - Best Current Practice
(September 2017; No errata)
Also known as BCP 211
|
|
---|---|---|---|
Author | Randy Bush | ||
Last updated | 2017-09-27 | ||
Replaces | draft-ymbk-bgpsec-ops | ||
Stream | IETF | ||
Formats | plain text html pdf htmlized bibtex | ||
Reviews | |||
Stream | WG state | Submitted to IESG for Publication | |
Document shepherd | Chris Morrow | ||
Shepherd write-up | Show (last changed 2016-11-13) | ||
IESG | IESG state | RFC 8207 (Best Current Practice) | |
Consensus Boilerplate | Yes | ||
Telechat date | |||
Responsible AD | Alvaro Retana | ||
Send notices to | "Chris Morrow" <morrowc@ops-netman.net>, aretana@cisco.com | ||
IANA | IANA review state | Version Changed - Review Needed | |
IANA action state | No IANA Actions |
Internet Engineering Task Force (IETF) R. Bush Request for Comments: 8207 Internet Initiative Japan BCP: 211 September 2017 Category: Best Current Practice ISSN: 2070-1721 BGPsec Operational Considerations Abstract Deployment of the BGPsec architecture and protocols has many operational considerations. This document attempts to collect and present the most critical and universal. Operational practices are expected to evolve as BGPsec is formalized and initially deployed. Status of This Memo This memo documents an Internet Best Current Practice. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on BCPs is available in Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc8207. Copyright Notice Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Bush Best Current Practice [Page 1] RFC 8207 BGPsec Operational Considerations September 2017 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 2. Suggested Reading . . . . . . . . . . . . . . . . . . . . . . 3 3. RPKI Distribution and Maintenance . . . . . . . . . . . . . . 3 4. AS/Router Certificates . . . . . . . . . . . . . . . . . . . 3 5. Within a Network . . . . . . . . . . . . . . . . . . . . . . 4 6. Considerations for Edge Sites . . . . . . . . . . . . . . . . 4 7. Routing Policy . . . . . . . . . . . . . . . . . . . . . . . 5 8. Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 9. Security Considerations . . . . . . . . . . . . . . . . . . . 7 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 11.1. Normative References . . . . . . . . . . . . . . . . . . 8 11.2. Informative References . . . . . . . . . . . . . . . . . 8 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 10 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 10 1. Introduction Origin validation based on the Resource Public Key Infrastructure (RPKI) [RFC6811] is in its early phases. As BGPsec [RFC8205] may require larger memory and/or more modern CPUs, it expected to be deployed incrementally over a longer time span. BGPsec is a new protocol with many operational considerations that this document attempts to describe. As with most operational practices, they will likely change over time. BGPsec relies on widespread propagation of the RPKI [RFC6480]. How the RPKI is distributed and maintained globally and within an operator's infrastructure may be different for BGPsec than for origin validation. BGPsec needs to be spoken only by an Autonomous System's (AS's) eBGP-speaking border routers. It is designed so that it can be used to protect announcements that are originated by resource-constrained edge routers. This has special operational considerations, see Section 6. Different prefixes may have different timing and replay protection considerations. Bush Best Current Practice [Page 2] RFC 8207 BGPsec Operational Considerations September 2017 1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 2. Suggested Reading It is assumed that the reader understands BGP [RFC4271], BGPsec [RFC8205], the RPKI [RFC6480], the RPKI Repository Structure [RFC6481], and Route Origin Authorizations (ROAs) [RFC6482].Show full document text