BGPsec Router Certificate Rollover
RFC 8634
Document | Type |
RFC - Best Current Practice
(August 2019; No errata)
Also known as BCP 224
|
|
---|---|---|---|
Authors | Brian Weis , Roque Gagliano , Keyur Patel | ||
Last updated | 2019-08-07 | ||
Replaces | draft-ietf-sidr-bgpsec-rollover | ||
Stream | IETF | ||
Formats | plain text html pdf htmlized bibtex | ||
Reviews | |||
Stream | WG state | Submitted to IESG for Publication | |
Document shepherd | Chris Morrow | ||
Shepherd write-up | Show (last changed 2017-10-03) | ||
IESG | IESG state | RFC 8634 (Best Current Practice) | |
Consensus Boilerplate | Yes | ||
Telechat date | |||
Responsible AD | Warren Kumari | ||
Send notices to | Chris Morrow <morrowc@ops-netman.net> | ||
IANA | IANA review state | Version Changed - Review Needed | |
IANA action state | No IANA Actions |
Internet Engineering Task Force (IETF) B. Weis Request for Comments: 8634 Independent BCP: 224 R. Gagliano Category: Best Current Practice Cisco Systems ISSN: 2070-1721 K. Patel Arrcus, Inc. August 2019 BGPsec Router Certificate Rollover Abstract Certification Authorities (CAs) within the Resource Public Key Infrastructure (RPKI) manage BGPsec router certificates as well as RPKI certificates. The rollover of BGPsec router certificates must be carefully performed in order to synchronize the distribution of router public keys with BGPsec UPDATE messages verified with those router public keys. This document describes a safe rollover process, and it discusses when and why the rollover of BGPsec router certificates is necessary. When this rollover process is followed, the rollover will be performed without routing information being lost. Status of This Memo This memo documents an Internet Best Current Practice. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on BCPs is available in Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8634. Weis, et al. Best Current Practice [Page 1] RFC 8634 BGPsec Certificate Rollover August 2019 Copyright Notice Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Requirements Notation . . . . . . . . . . . . . . . . . . . . 4 3. Key Rollover in BGPsec . . . . . . . . . . . . . . . . . . . 4 3.1. Rollover Process . . . . . . . . . . . . . . . . . . . . 5 4. BGPsec Router Key Rollover as a Measure against Replay Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 4.1. BGP UPDATE Window of Exposure Requirement . . . . . . . . 7 4.2. BGPsec Key Rollover as a Mechanism to Protect against Replay Attacks . . . . . . . . . . . . . . . . . . . . . 7 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 7.1. Normative References . . . . . . . . . . . . . . . . . . 10 7.2. Informative References . . . . . . . . . . . . . . . . . 10 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 1. Introduction In BGPsec, a key rollover (or re-key) is the process of changing a router's BGPsec key pair (or key pairs), issuing the corresponding new BGPsec router certificate, and (if the old certificate is still valid) revoking the old certificate. This process will need to happen at regular intervals, normally due to policies of the local network. This document describes a safe rollover process that results in a BGPsec receiver always having the needed verification keys. Certification Practice Statement (CPS) documents may reference this memo. This memo only addresses changing of a router's BGPsec key pair within the RPKI. Refer to [RFC6489] for a procedure to roll over RPKI Certification Authority key pairs. Weis, et al. Best Current Practice [Page 2] RFC 8634 BGPsec Certificate Rollover August 2019 When a router receives or creates a new key pair (using a key provisioning mechanism), this key pair will be used to sign new BGPsec UPDATE messages [RFC8205] that are originated at or that transit through the BGP speaker. Additionally, the BGP speaker willShow full document text