From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc7115.txt | 619 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 619 insertions(+) create mode 100644 doc/rfc/rfc7115.txt (limited to 'doc/rfc/rfc7115.txt') diff --git a/doc/rfc/rfc7115.txt b/doc/rfc/rfc7115.txt new file mode 100644 index 0000000..b8148e0 --- /dev/null +++ b/doc/rfc/rfc7115.txt @@ -0,0 +1,619 @@ + + + + + + +Internet Engineering Task Force (IETF) R. Bush +Request for Comments: 7115 Internet Initiative Japan +BCP: 185 January 2014 +Category: Best Current Practice +ISSN: 2070-1721 + + + Origin Validation Operation + Based on the Resource Public Key Infrastructure (RPKI) + +Abstract + + Deployment of BGP origin validation that is based on the Resource + Public Key Infrastructure (RPKI) has many operational considerations. + This document attempts to collect and present those that are most + critical. It is expected to evolve as RPKI-based origin validation + continues to be deployed and the dynamics are better understood. + +Status of This Memo + + This memo documents an Internet Best Current Practice. + + This document is a product of the Internet Engineering Task Force + (IETF). It has been approved for publication by the Internet + Engineering Steering Group (IESG). Further information on BCPs is + available in Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc7115. + +Copyright Notice + + Copyright (c) 2014 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + + + + + + +Bush Best Current Practice [Page 1] + +RFC 7115 RPKI-Based Origin Validation Op January 2014 + + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 + 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 + 2. Suggested Reading . . . . . . . . . . . . . . . . . . . . . . 3 + 3. RPKI Distribution and Maintenance . . . . . . . . . . . . . . 3 + 4. Within a Network . . . . . . . . . . . . . . . . . . . . . . 6 + 5. Routing Policy . . . . . . . . . . . . . . . . . . . . . . . 6 + 6. Notes and Recommendations . . . . . . . . . . . . . . . . . . 8 + 7. Security Considerations . . . . . . . . . . . . . . . . . . . 9 + 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 10 + 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 + 9.1. Normative References . . . . . . . . . . . . . . . . . . 10 + 9.2. Informative References . . . . . . . . . . . . . . . . . 10 + +1. Introduction + + RPKI-based origin validation relies on widespread deployment of the + Resource Public Key Infrastructure (RPKI) [RFC6480]. How the RPKI is + distributed and maintained globally is a serious concern from many + aspects. + + While the global RPKI is in the early stages of deployment, there is + no single root trust anchor, initial testing is being done by the + Regional Internet Registries (RIRs), and there are technical + testbeds. It is thought that origin validation based on the RPKI + will continue to be deployed incrementally over the next few years. + It is assumed that eventually there must be a single root trust + anchor for the public address space, see [IAB]. + + Origin validation needs to be done only by an AS's border routers and + is designed so that it can be used to protect announcements that are + originated by any network participating in Internet BGP routing: + large providers, upstream and downstream routers, and by edge + networks (e.g., small stub or enterprise networks). + + Origin validation has been designed to be deployed on current routers + without significant hardware upgrades. It should be used in border + routers by operators from large backbones to small stub/enterprise/ + edge networks. + + RPKI-based origin validation has been designed so that, with prudent + local routing policies, there is little risk that what is seen as + today's normal Internet routing is threatened by imprudent deployment + of the global RPKI; see Section 5. + + + + + + +Bush Best Current Practice [Page 2] + +RFC 7115 RPKI-Based Origin Validation Op January 2014 + + +1.1. Requirements Language + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to + be interpreted as described in RFC 2119 [RFC2119] only when they + appear in all upper case. They may also appear in lower or mixed + case as English words, without normative meaning. + +2. Suggested Reading + + It is assumed that the reader understands BGP [RFC4271], the RPKI + [RFC6480], the RPKI Repository Structure [RFC6481], Route Origin + Authorizations (ROAs) [RFC6482], the RPKI to Router Protocol + [RFC6810], RPKI-based Prefix Validation [RFC6811], and Ghostbusters + Records [RFC6493]. + +3. RPKI Distribution and Maintenance + + The RPKI is a distributed database containing certificates, + Certificate Revocation Lists (CRLs), manifests, ROAs, and + Ghostbusters Records as described in [RFC6481]. Policies and + considerations for RPKI object generation and maintenance are + discussed elsewhere. + + The RPKI repository design [RFC6481] anticipated a hierarchic + organization of repositories, as this seriously improves the + performance of relying parties that gather data over a non-hierarchic + organization. Publishing parties MUST implement hierarchic directory + structures. + + A local relying party's valid cache containing all RPKI data may be + gathered from the global distributed database using the rsync + protocol [RFC5781] and a validation tool such as rcynic [rcynic]. + + A validated cache contains all RPKI objects that the RP has verified + to be valid according to the rules for validation RPKI certificates + and signed objects; see [RFC6487] and [RFC6488]. Entities that trust + the cache can use these RPKI objects without further validation. + + Validated caches may also be created and maintained from other + validated caches. Network operators SHOULD take maximum advantage of + this feature to minimize load on the global distributed RPKI + database. Of course, the recipient relying parties should + re-validate the data. + + As Trust Anchor Locators (TALs) [RFC6490] are critical to the RPKI + trust model, operators should be very careful in their initial + selection and vigilant in their maintenance. + + + +Bush Best Current Practice [Page 3] + +RFC 7115 RPKI-Based Origin Validation Op January 2014 + + + Timing of inter-cache synchronization, and synchronization between + caches and the global RPKI, is outside the scope of this document, + and depends on things such as how often routers feed from the caches, + how often the operator feels the global RPKI changes significantly, + etc. + + As inter-cache synchronization within an operator's network does not + impact global RPKI resources, an operator may choose to synchronize + quite frequently. + + To relieve routers of the load of performing certificate validation, + cryptographic operations, etc., the RPKI-Router protocol [RFC6810] + does not provide object-based security to the router. That is, the + router cannot validate the data cryptographically from a well-known + trust anchor. The router trusts the cache to provide correct data + and relies on transport-based security for the data received from the + cache. Therefore, the authenticity and integrity of the data from + the cache should be well protected; see Section 7 of [RFC6810]. + + As RPKI-based origin validation relies on the availability of RPKI + data, operators SHOULD locate RPKI caches close to routers that + require these data and services in order to minimize the impact of + likely failures in local routing, intermediate devices, long + circuits, etc. One should also consider trust boundaries, routing + bootstrap reachability, etc. + + For example, a router should bootstrap from a cache that is reachable + with minimal reliance on other infrastructure such as DNS or routing + protocols. If a router needs its BGP and/or IGP to converge for the + router to reach a cache, once a cache is reachable, the router will + then have to reevaluate prefixes already learned via BGP. Such + configurations should be avoided if reasonably possible. + + If insecure transports are used between an operator's cache and their + router(s), the Transport Security recommendations in [RFC6810] SHOULD + be followed. In particular, operators MUST NOT use insecure + transports between their routers and RPKI caches located in other + Autonomous Systems. + + For redundancy, a router should peer with more than one cache at the + same time. Peering with two or more, at least one local and others + remote, is recommended. + + If an operator trusts upstreams to carry their traffic, they may also + trust the RPKI data those upstreams cache and SHOULD peer with caches + made available to them by those upstreams. Note that this places an + + + + + +Bush Best Current Practice [Page 4] + +RFC 7115 RPKI-Based Origin Validation Op January 2014 + + + obligation on those upstreams to maintain fresh and reliable caches + and to make them available to their customers. And, as usual, the + recipient SHOULD re-validate the data. + + A transit provider or a network with peers SHOULD validate origins in + announcements made by upstreams, downstreams, and peers. They still + should trust the caches provided by their upstreams. + + Before issuing a ROA for a super-block, an operator MUST ensure that + all sub-allocations from that block that are announced by other ASes, + e.g., customers, have correct ROAs in the RPKI. Otherwise, issuing a + ROA for the super-block will cause the announcements of sub- + allocations with no ROAs to be viewed as Invalid; see [RFC6811]. + While waiting for all recipients of sub-allocations to register ROAs, + the owner of the super-block may use live BGP data to populate ROAs + as a proxy, and then safely issue a ROA for the super-block. + + Use of RPKI-based origin validation removes any need to inject more + specifics into BGP to protect against mis-origination of a less + specific prefix. Having a ROA for the covering prefix will protect + it. + + To aid translation of ROAs into efficient search algorithms in + routers, ROAs should be as precise as possible, i.e., match prefixes + as announced in BGP. For example, software and operators SHOULD + avoid use of excessive max length values in ROAs unless they are + operationally necessary. + + One advantage of minimal ROA length is that the forged origin attack + does not work for sub-prefixes that are not covered by overly long + max length. For example, if, instead of 10.0.0.0/16-24, one issues + 10.0.0.0/16 and 10.0.42.0/24, a forged origin attack cannot succeed + against 10.0.666.0/24. They must attack the whole /16, which is more + likely to be noticed because of its size. + + Therefore, ROA generation software MUST use the prefix length as the + max length if the user does not specify a max length. + + Operators should be conservative in use of max length in ROAs. For + example, if a prefix will have only a few sub-prefixes announced, + multiple ROAs for the specific announcements should be used as + opposed to one ROA with a long max length. + + Operators owning prefix P should issue ROAs for all ASes that may + announce P. If a prefix is legitimately announced by more than one + AS, ROAs for all of the ASes SHOULD be issued so that all are + considered Valid. + + + + +Bush Best Current Practice [Page 5] + +RFC 7115 RPKI-Based Origin Validation Op January 2014 + + + In an environment where private address space is announced in + External BGP (eBGP), the operator may have private RPKI objects that + cover these private spaces. This will require a trust anchor created + and owned by that environment; see [LTA-USE]. + + Operators issuing ROAs may have customers that announce their own + prefixes and ASes into global eBGP, but who do not wish to go though + the work to manage the relevant certificates and ROAs. Operators + SHOULD offer to provision the RPKI data for these customers just as + they provision many other things for them. + + An operator using RPKI data MAY choose any polling frequency they + wish for ensuring they have a fresh RPKI cache. However, if they use + RPKI data as an input to operational routing decisions, they SHOULD + ensure local caches inside their AS are synchronized with each other + at least every four to six hours. + + Operators should use tools that warn them of any impending ROA or + certificate expiry that could affect the validity of their own data. + Ghostbusters Records [RFC6493] can be used to facilitate contact with + upstream Certification Authorities (CAs) to effect repair. + +4. Within a Network + + Origin validation need only be done by edge routers in a network, + those which border other networks or ASes. + + A validating router will use the result of origin validation to + influence local policy within its network; see Section 5. In + deployment, this policy should fit into the AS's existing policy, + preferences, etc. This allows a network to incrementally deploy + validation-capable border routers. + + The operator should be aware that RPKI-based origin validation, as + any other policy change, can cause traffic shifts in their network. + And, as with normal policy shift practice, a prudent operator has + tools and methods to predict, measure, modify, etc. + +5. Routing Policy + + Origin validation based on the RPKI marks a received announcement as + having an origin that is Valid, NotFound, or Invalid; see [RFC6811]. + How this is used in routing should be specified by the operator's + local policy. + + Local policy using relative preference is suggested to manage the + uncertainty associated with a system in early deployment; local + policy can be applied to eliminate the threat of unreachability of + + + +Bush Best Current Practice [Page 6] + +RFC 7115 RPKI-Based Origin Validation Op January 2014 + + + prefixes due to ill-advised certification policies and/or incorrect + certification data. For example, until the community feels + comfortable relying on RPKI data, routing on Invalid origin validity, + though at a low preference, MAY occur. + + Operators should be aware that accepting Invalid announcements, no + matter how de-preferenced, will often be the equivalent of treating + them as fully Valid. Consider having a ROA for AS 42 for prefix + 10.0.0.0/16-24. A BGP announcement for 10.0.666.0/24 from AS 666 + would be Invalid. But if policy is not configured to discard it, + then longest-match forwarding will send packets toward AS 666, no + matter the value of local preference. + + As origin validation will be rolled out incrementally, coverage will + be incomplete for a long time. Therefore, routing on NotFound + validity state SHOULD be done for a long time. As the transition + moves forward, the number of BGP announcements with validation state + NotFound should decrease. Hence, an operator's policy should not be + overly strict and should prefer Valid announcements; it should attach + a lower preference to, but still use, NotFound announcements, and + drop or give a very low preference to Invalid announcements. Merely + de-preferencing Invalid announcements is ill-advised; see previous + paragraph. + + Some providers may choose to set Local-Preference based on the RPKI + validation result. Other providers may not want the RPKI validation + result to be more important than AS_PATH length -- these providers + would need to map the RPKI validation result to some BGP attribute + that is evaluated in BGP's path selection process after the AS_PATH + is evaluated. Routers implementing RPKI-based origin validation MUST + provide such options to operators. + + Local-Preference may be used to carry both the validity state of a + prefix along with its traffic engineering (TE) characteristic(s). It + is likely that an operator already using Local-Preference will have + to change policy so they can encode these two separate + characteristics in the same BGP attribute without negative impact or + opening privilege escalation attacks. For example, do not encode + validation state in higher bits than used for TE. + + When using a metric that is also influenced by other local policy, an + operator should be careful not to create privilege-upgrade + vulnerabilities. For example, if Local Pref is set depending on + validity state, peer community signaling SHOULD NOT upgrade an + Invalid announcement to Valid or better. + + Announcements with Valid origins should be preferred over those with + NotFound or Invalid origins, if Invalid origins are accepted at all. + + + +Bush Best Current Practice [Page 7] + +RFC 7115 RPKI-Based Origin Validation Op January 2014 + + + Announcements with NotFound origins should be preferred over those + with Invalid origins. + + Announcements with Invalid origins SHOULD NOT be used, but may be + used to meet special operational needs. In such circumstances, the + announcement should have a lower preference than that given to Valid + or NotFound. + + When first deploying origin validation, it may be prudent not to drop + announcements with Invalid origins until inspection of logs, SNMP, or + other data indicates that the correct result would be obtained. + + Validity state signaling SHOULD NOT be accepted from a neighbor AS. + The validity state of a received announcement has only local scope + due to issues such as scope of trust, RPKI synchrony, and management + of local trust anchors [LTA-USE]. + +6. Notes and Recommendations + + Like the DNS, the global RPKI presents only a loosely consistent + view, depending on timing, updating, fetching, etc. Thus, one cache + or router may have different data about a particular prefix than + another cache or router. There is no 'fix' for this, it is the + nature of distributed data with distributed caches. + + Operators should beware that RPKI caches are loosely synchronized, + even within a single AS. Thus, changes to the validity state of + prefixes could be different within an operator's network. In + addition, there is no guaranteed interval from when an RPKI cache is + updated to when that new information may be pushed or pulled into a + set of routers via this protocol. This may result in sudden shifts + of traffic in the operator's network, until all of the routers in the + AS have reached equilibrium with the validity state of prefixes + reflected in all of the RPKI caches. + + It is hoped that testing and deployment will produce advice on cache + loading and timing for relying parties. + + There is some uncertainty about the origin AS of aggregates and what, + if any, ROA can be used. The long-range solution to this is the + deprecation of AS_SETs; see [RFC6472]. + + As reliable access to the global RPKI and an operator's caches (and + possibly other hosts, e.g., DNS root servers) is important, an + operator should take advantage of relying-party tools that report + changes in BGP or RPKI data that would negatively affect validation + of such prefixes. + + + + +Bush Best Current Practice [Page 8] + +RFC 7115 RPKI-Based Origin Validation Op January 2014 + + + Operators should be aware that there is a trade-off in placement of + an RPKI repository in address space for which the repository's + content is authoritative. On one hand, an operator will wish to + maximize control over the repository. On the other hand, if there + are reachability problems to the address space, changes in the + repository to correct them may not be easily accessed by others. + + Operators who manage certificates should associate RPKI Ghostbusters + Records (see [RFC6493]) with each publication point they control. + These are publication points holding the CRL, ROAs, and other signed + objects issued by the operator, and made available to other ASes in + support of routing on the public Internet. + + Routers that perform RPKI-based origin validation must support Four- + octet AS Numbers (see [RFC6793]), as, among other things, it is not + reasonable to generate ROAs for AS 23456. + + Software that produces filter lists or other control forms for + routers where the target router does not support Four-octet AS + Numbers (see [RFC6793]) must be prepared to accept four-octet AS + Numbers and generate the appropriate two-octet output. + + As a router must evaluate certificates and ROAs that are time + dependent, routers' clocks MUST be correct to a tolerance of + approximately an hour. + + Servers should provide time service, such as NTPv4 [RFC5905], to + client routers. + +7. Security Considerations + + As the BGP origin AS of an update is not signed, origin validation is + open to malicious spoofing. Therefore, RPKI-based origin validation + is expected to deal only with inadvertent mis-advertisement. + + Origin validation does not address the problem of AS_PATH validation. + Therefore, paths are open to manipulation, either malicious or + accidental. + + As BGP does not ensure that traffic will flow via the paths it + advertises, the data plane may not follow the control plane. + + Be aware of the class of privilege escalation issues discussed in + Section 5 above. + + + + + + + +Bush Best Current Practice [Page 9] + +RFC 7115 RPKI-Based Origin Validation Op January 2014 + + +8. Acknowledgments + + The author wishes to thank Shane Amante, Rob Austein, Steve Bellovin, + Jay Borkenhagen, Wes George, Seiichi Kawamura, Steve Kent, Pradosh + Mohapatra, Chris Morrow, Sandy Murphy, Eric Osterweil, Keyur Patel, + Heather and Jason Schiller, John Scudder, Kotikalapudi Sriram, + Maureen Stillman, and Dave Ward. + +9. References + +9.1. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC6481] Huston, G., Loomans, R., and G. Michaelson, "A Profile for + Resource Certificate Repository Structure", RFC 6481, + February 2012. + + [RFC6482] Lepinski, M., Kent, S., and D. Kong, "A Profile for Route + Origin Authorizations (ROAs)", RFC 6482, February 2012. + + [RFC6490] Huston, G., Weiler, S., Michaelson, G., and S. Kent, + "Resource Public Key Infrastructure (RPKI) Trust Anchor + Locator", RFC 6490, February 2012. + + [RFC6493] Bush, R., "The Resource Public Key Infrastructure (RPKI) + Ghostbusters Record", RFC 6493, February 2012. + + [RFC6793] Vohra, Q. and E. Chen, "BGP Support for Four-Octet + Autonomous System (AS) Number Space", RFC 6793, December + 2012. + + [RFC6810] Bush, R. and R. Austein, "The Resource Public Key + Infrastructure (RPKI) to Router Protocol", RFC 6810, + January 2013. + + [RFC6811] Mohapatra, P., Scudder, J., Ward, D., Bush, R., and R. + Austein, "BGP Prefix Origin Validation", RFC 6811, January + 2013. + +9.2. Informative References + + [LTA-USE] Bush, R., "RPKI Local Trust Anchor Use Cases", Work in + Progress, September 2013. + + [RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway + Protocol 4 (BGP-4)", RFC 4271, January 2006. + + + +Bush Best Current Practice [Page 10] + +RFC 7115 RPKI-Based Origin Validation Op January 2014 + + + [RFC5781] Weiler, S., Ward, D., and R. Housley, "The rsync URI + Scheme", RFC 5781, February 2010. + + [RFC5905] Mills, D., Martin, J., Burbank, J., and W. Kasch, "Network + Time Protocol Version 4: Protocol and Algorithms + Specification", RFC 5905, June 2010. + + [RFC6472] Kumari, W. and K. Sriram, "Recommendation for Not Using + AS_SET and AS_CONFED_SET in BGP", BCP 172, RFC 6472, + December 2011. + + [RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support + Secure Internet Routing", RFC 6480, February 2012. + + [RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for + X.509 PKIX Resource Certificates", RFC 6487, February + 2012. + + [RFC6488] Lepinski, M., Chi, A., and S. Kent, "Signed Object + Template for the Resource Public Key Infrastructure + (RPKI)", RFC 6488, February 2012. + + [IAB] IAB, "IAB statement on the RPKI", January 2010, + . + + [rcynic] "rcynic RPKI validator", November 2013, + . + +Author's Address + + Randy Bush + Internet Initiative Japan + 5147 Crystal Springs + Bainbridge Island, Washington 98110 + US + + EMail: randy@psg.com + + + + + + + + + + + + +Bush Best Current Practice [Page 11] + -- cgit v1.2.3