BGPsec Router Certificate Rollover
RFC 8634
| Document | Type |
RFC - Best Current Practice
(August 2019; No errata)
Also known as BCP 224
|
|
|---|---|---|---|
| Authors | Brian Weis , Roque Gagliano , Keyur Patel | ||
| Last updated | 2019-08-07 | ||
| Replaces | draft-ietf-sidr-bgpsec-rollover | ||
| Stream | IETF | ||
| Formats | plain text html pdf htmlized bibtex | ||
| Reviews | |||
| Stream | WG state | Submitted to IESG for Publication | |
| Document shepherd | Chris Morrow | ||
| Shepherd write-up | Show (last changed 2017-10-03) | ||
| IESG | IESG state | RFC 8634 (Best Current Practice) | |
| Consensus Boilerplate | Yes | ||
| Telechat date | |||
| Responsible AD | Warren Kumari | ||
| Send notices to | Chris Morrow <morrowc@ops-netman.net> | ||
| IANA | IANA review state | Version Changed - Review Needed | |
| IANA action state | No IANA Actions | ||
Internet Engineering Task Force (IETF) B. Weis
Request for Comments: 8634 Independent
BCP: 224 R. Gagliano
Category: Best Current Practice Cisco Systems
ISSN: 2070-1721 K. Patel
Arrcus, Inc.
August 2019
BGPsec Router Certificate Rollover
Abstract
Certification Authorities (CAs) within the Resource Public Key
Infrastructure (RPKI) manage BGPsec router certificates as well as
RPKI certificates. The rollover of BGPsec router certificates must
be carefully performed in order to synchronize the distribution of
router public keys with BGPsec UPDATE messages verified with those
router public keys. This document describes a safe rollover process,
and it discusses when and why the rollover of BGPsec router
certificates is necessary. When this rollover process is followed,
the rollover will be performed without routing information being
lost.
Status of This Memo
This memo documents an Internet Best Current Practice.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
BCPs is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8634.
Weis, et al. Best Current Practice [Page 1]
RFC 8634 BGPsec Certificate Rollover August 2019
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements Notation . . . . . . . . . . . . . . . . . . . . 4
3. Key Rollover in BGPsec . . . . . . . . . . . . . . . . . . . 4
3.1. Rollover Process . . . . . . . . . . . . . . . . . . . . 5
4. BGPsec Router Key Rollover as a Measure against Replay
Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.1. BGP UPDATE Window of Exposure Requirement . . . . . . . . 7
4.2. BGPsec Key Rollover as a Mechanism to Protect against
Replay Attacks . . . . . . . . . . . . . . . . . . . . . 7
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
6. Security Considerations . . . . . . . . . . . . . . . . . . . 9
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
7.1. Normative References . . . . . . . . . . . . . . . . . . 10
7.2. Informative References . . . . . . . . . . . . . . . . . 10
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction
In BGPsec, a key rollover (or re-key) is the process of changing a
router's BGPsec key pair (or key pairs), issuing the corresponding
new BGPsec router certificate, and (if the old certificate is still
valid) revoking the old certificate. This process will need to
happen at regular intervals, normally due to policies of the local
network. This document describes a safe rollover process that
results in a BGPsec receiver always having the needed verification
keys. Certification Practice Statement (CPS) documents may reference
this memo. This memo only addresses changing of a router's BGPsec
key pair within the RPKI. Refer to [RFC6489] for a procedure to roll
over RPKI Certification Authority key pairs.
Weis, et al. Best Current Practice [Page 2]
RFC 8634 BGPsec Certificate Rollover August 2019
When a router receives or creates a new key pair (using a key
provisioning mechanism), this key pair will be used to sign new
BGPsec UPDATE messages [RFC8205] that are originated at or that
transit through the BGP speaker. Additionally, the BGP speaker will
Show full document text