A Profile for BGPsec Router Certificates, Certificate Revocation Lists, and Certification Requests
RFC 8209

Document Type: RFC - Proposed Standard (September 2017; No errata)
Updates: RFC 6487
Last updated: 2017-09-27
Replaces: draft-turner-sidr-bgpsec-pki-profiles
Stream: IETF
Reviews: GENART will not review this version
WG state: Submitted to IESG for Publication
Document shepherd: Chris Morrow
Shepherd write-up: last changed 2016-06-24
IESG state: RFC 8209 (Proposed Standard)
Consensus Boilerplate: Yes
Responsible AD: Alvaro Retana
Send notices to: "Chris Morrow" <morrowc@ops-netman.net>, aretana@cisco.com
IANA review state: Version Changed - Review Needed
IANA action state: RFC-Ed-Ack

Internet Engineering Task Force (IETF)                       M. Reynolds
Request for Comments: 8209                                          IPSw
Updates: 6487                                                  S. Turner
Category: Standards Track                                          sn3rd
ISSN: 2070-1721                                                  S. Kent
                                                                     BBN
                                                          September 2017

               A Profile for BGPsec Router Certificates,
        Certificate Revocation Lists, and Certification Requests

Abstract

   This document defines a standard profile for X.509 certificates used
   to enable validation of Autonomous System (AS) paths in the Border
   Gateway Protocol (BGP), as part of an extension to that protocol
   known as BGPsec.  BGP is the standard for inter-domain routing in the
   Internet; it is the "glue" that holds the Internet together.  BGPsec
   is being developed as one component of a solution that addresses the
   requirement to provide security for BGP.  The goal of BGPsec is to
   provide full AS path validation based on the use of strong
   cryptographic primitives.  The end entity (EE) certificates specified
   by this profile are issued to routers within an AS.  Each of these
   certificates is issued under a Resource Public Key Infrastructure
   (RPKI) Certification Authority (CA) certificate.  These CA
   certificates and EE certificates both contain the AS Resource
   extension.  An EE certificate of this type asserts that the router or
   routers holding the corresponding private key are authorized to emit
   secure route advertisements on behalf of the AS(es) specified in the
   certificate.  This document also profiles the format of certification
   requests and specifies Relying Party (RP) certificate path validation
   procedures for these EE certificates.  This document extends the
   RPKI; therefore, this document updates the RPKI Resource Certificates
   Profile (RFC 6487).

Reynolds, et al.             Standards Track                    [Page 1]
RFC 8209                BGPsec Router PKI Profile         September 2017

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8209.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.


Table of Contents

   1. Introduction ....................................................3
      1.1. Terminology ................................................4
   2. Describing Resources in Certificates ............................4
   3. Updates to RFC 6487 .............................................6
      3.1. BGPsec Router Certificate Fields ...........................6
           3.1.1. Subject .............................................6
           3.1.2. Subject Public Key Info .............................6
           3.1.3. BGPsec Router Certificate Version 3
                  Extension Fields ....................................6
                  3.1.3.1. Basic Constraints ..........................6
                  3.1.3.2. Extended Key Usage .........................6
                  3.1.3.3. Subject Information Access .................7
                  3.1.3.4. IP Resources ...............................7
                  3.1.3.5. AS Resources ...............................7
      3.2. BGPsec Router Certificate Request Profile ..................7
      3.3. BGPsec Router Certificate Validation .......................8