[sidr] I-D Action: draft-ietf-sidr-delta-protocol-02.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Secure Inter-Domain Routing of the IETF.

Title: RPKI Repository Delta Protocol
Authors: Tim Bruijnzeels, Oleg Muravskiy, Bryan Weber, Rob Austein, David Mandelberg
Filename: draft-ietf-sidr-delta-protocol-02.txt
Pages: 18
Date: 2016-03-21

Abstract:
In the Resource Public Key Infrastructure (RPKI), certificate authorities publish certificates, including end entity certificates, Certificate Revocation Lists (CRL), and RPKI signed objects to repositories. Relying Parties (RP) retrieve the published information from those repositories. This document specifies a delta protocol which provides relying parties with a mechanism to query a repository for incremental updates, thus enabling the RP to keep its state in sync with the repository.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-sidr-delta-protocol/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-sidr-delta-protocol-02

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-delta-protocol-02

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

___
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr
Re: [sidr] I-D Action: draft-ietf-sidr-delta-protocol-02.txt
Dear working group,

We updated this document following discussion at the last IETF and based on experience in implementation.

Changes:
= The "hash" attribute in the update notification file is back
= Publication Server is now allowed to aggregate changes from multiple CAs in a single delta (when implementing we found that we need to avoid having a huge number of deltas so the notification file can be small)
= Reworded text - hoping to make it more readable.

Let us know if it works for you.

Thanks
Tim

> On 21 Mar 2016, at 13:49, internet-dra...@ietf.org wrote:
[sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-03.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Secure Inter-Domain Routing of the IETF.

Title: RPKI Validation Reconsidered
Authors: Geoff Huston, George Michaelson, Carlos M. Martinez, Tim Bruijnzeels, Andrew Lee Newton, Alain Aina
Filename: draft-ietf-sidr-rpki-validation-reconsidered-03.txt
Pages: 9
Date: 2016-03-21

Abstract:
This document proposes an alternative to the certificate validation procedure specified in RFC6487 that reduces aspects of operational fragility in the management of certificates in the RPKI.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-validation-reconsidered/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-sidr-rpki-validation-reconsidered-03

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-rpki-validation-reconsidered-03

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
Re: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-03.txt
Dear working group,

The actual proposal did not change with this version. But following earlier discussion and confusion, this version has been re-worded to explain the proposal from a different angle. We hope this helps.

Comments welcome of course.

Kind regards,
Tim

> On 21 Mar 2016, at 14:16, internet-dra...@ietf.org wrote:
[sidr] I-D Action: draft-ietf-sidr-bgpsec-pki-profiles-16.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Secure Inter-Domain Routing of the IETF.

Title: A Profile for BGPsec Router Certificates, Certificate Revocation Lists, and Certification Requests
Authors: Mark Reynolds, Sean Turner, Stephen Kent
Filename: draft-ietf-sidr-bgpsec-pki-profiles-16.txt
Pages: 12
Date: 2016-03-21

Abstract:
This document defines a standard profile for X.509 certificates used to enable validation of Autonomous System (AS) paths in the Border Gateway Protocol (BGP), as part of an extension to that protocol known as BGPsec. BGP is the standard for inter-domain routing in the Internet; it is the "glue" that holds the Internet together. BGPsec is being developed as one component of a solution that addresses the requirement to provide security for BGP. The goal of BGPsec is to provide full AS path validation based on the use of strong cryptographic primitives. The end-entity (EE) certificates specified by this profile are issued (to routers within an Autonomous System). Each of these certificates is issued under a Resource Public Key Infrastructure (RPKI) Certification Authority (CA) certificate. These CA certificates and EE certificates both contain the AS Identifier Delegation extension. An EE certificate of this type asserts that the router(s) holding the corresponding private key are authorized to emit secure route advertisements on behalf of the AS(es) specified in the certificate. This document also profiles the format of certification requests, and specifies Relying Party (RP) certificate path validation procedures for these EE certificates. This document extends the RPKI; therefore, this document updates the RPKI Resource Certificates Profile (RFC 6487).

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-sidr-bgpsec-pki-profiles/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-sidr-bgpsec-pki-profiles-16

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-bgpsec-pki-profiles-16

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-pki-profiles-16.txt
This version includes changes to the BGPsec Router Certificate request section as well as the Design Notes section to address including the SIA/EKU extensions in requests. After looking at it, I also added something about Basic Constraints - CA's do the right thing and only issue EE certificates. I also noted an internal reference was wrong so I corrected it.

Comments welcome.

spt

> On Mar 21, 2016, at 14:00, internet-dra...@ietf.org wrote:
[sidr] I-D Action: draft-ietf-sidr-bgpsec-rollover-05.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Secure Inter-Domain Routing of the IETF.

Title: BGPsec Router Certificate Rollover
Authors: Roque Gagliano, Keyur Patel, Brian Weis
Filename: draft-ietf-sidr-bgpsec-rollover-05.txt
Pages: 10
Date: 2016-03-21

Abstract:
BGPsec will need to address the impact from regular and emergency rollover processes for the BGPsec End-Entity (EE) certificates that will be performed by Certificate Authorities (CAs) participating at the Resource Public Key Infrastructure (RPKI). Rollovers of BGPsec EE certificates must be carefully managed in order to synchronize distribution of router public keys and the usage of those public keys by BGPsec routers. This document provides general recommendations for that process, as well as describing reasons why the rollover of BGPsec EE certificates might be necessary.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-sidr-bgpsec-rollover/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-sidr-bgpsec-rollover-05

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-bgpsec-rollover-05

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-rollover-05.txt
This revision restores the document as a live draft. There are no substantive changes.

Brian

On Mar 21, 2016, at 12:21 PM, internet-dra...@ietf.org wrote:

--
Brian Weis
Security, CSG, Cisco Systems
Telephone: +1 408 526 4796
Email: b...@cisco.com
[sidr] I-D Action: draft-ietf-sidr-rpki-tree-validation-00.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Secure Inter-Domain Routing of the IETF.

Title: RPKI Certificate Tree Validation by a Relying Party Tool
Authors: Oleg Muravskiy, Tim Bruijnzeels
Filename: draft-ietf-sidr-rpki-tree-validation-00.txt
Pages: 11
Date: 2016-03-21

Abstract:
This document currently describes the approach to validate the content of the RPKI certificate tree, as used by the RIPE NCC RPKI Validator. This approach is independent of a particular object retrieval mechanism. This allows it to be used with repositories available over the rsync protocol, the RPKI Repository Delta Protocol, and repositories that use a mix of both.

This algorithm does not rely on content of repository directories, but uses the Authority Key Identifier (AKI) field of a manifest and a certificate revocation list (CRL) objects to discover manifest and CRL objects issued by a particular Certificate Authority (CA). It further uses the hashes of manifest entries to discover other objects issued by the CA.

If the working group finds that the algorithm outlined here is useful for other implementations, we may either update future revisions of this document to be less specific to the RIPE NCC RPKI Validator implementation, or we may use this document as a starting point of a generic validation document and keep this as a detailed description of the actual RIPE NCC RPKI Validator implementation.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-tree-validation/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-sidr-rpki-tree-validation-00

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
Re: [sidr] wglc for draft-ietf-sidr-rfc6485bis-05
A nagging reminder. There has been no comment, pro or con.

It's a short draft. Please do review and say whether you want the draft to progress or not.

If you want to see the differences in this latest version, one way is to look at the tools page for the draft:

draft page: https://tools.ietf.org/html/draft-ietf-sidr-rfc6485bis-05
side-by-side diff: https://tools.ietf.org/rfcdiff?url2=draft-ietf-sidr-rfc6485bis-05.txt

--Sandy, speaking as one of the wg co-chairs

On Mar 9, 2016, at 6:28 AM, Sandra Murphy wrote:

> As discussed in December, a new version for draft-ietf-sidr-rfc6485bis was required to deal with an IESG comment on the Security Considerations section.
>
> The authors have submitted a new version and ask for a working group last call.
>
> This starts the wglc which will end on 23 Mar 2016. Please review the draft for its readiness for publication and provide comments to the list.
>
> Positive support is needed in order to judge consensus for publication, so please do comment on the list.
>
> The draft is available at:
> https://tools.ietf.org/html/draft-ietf-sidr-rfc6485bis-05.
>
> --Sandy, speaking as one of the wg co-chairs
Re: [sidr] I-D Action: draft-ietf-sidr-rpki-tree-validation-00.txt
This is a WG-adopted version of the previous individual submission ID draft-tbruijnzeels-sidr-validation-local-cache-02. It includes feedback submitted so far, and some sections that were missing in the previous version.

Please read and comment!

Oleg

On 21 Mar 2016, at 21:29, internet-dra...@ietf.org wrote:

Cheers,
Oleg
[sidr] I-D Action: draft-ietf-sidr-publication-08.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Secure Inter-Domain Routing of the IETF.

Title: A Publication Protocol for the Resource Public Key Infrastructure (RPKI)
Authors: Samuel Weiler, Anuja Sonalker, Rob Austein
Filename: draft-ietf-sidr-publication-08.txt
Pages: 17
Date: 2016-03-21

Abstract:
This document defines a protocol for publishing Resource Public Key Infrastructure (RPKI) objects. Even though the RPKI will have many participants issuing certificates and creating other objects, it is operationally useful to consolidate the publication of those objects. This document provides the protocol for doing so.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-sidr-publication/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-sidr-publication-08

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-publication-08

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
Re: [sidr] I-D Action: draft-ietf-sidr-publication-08.txt
Protocol simplification (!) per discussion with Oleg.

My co-author Sam Weiler did the heavy lifting on this revision, I just came in at the last minute to whack RelaxNG and example XML. Thank Sam for the good bits, blame me for the mistakes :)
[sidr] New Version Notification for draft-ymbk-idr-bgp-open-policy-00.txt
A new version of I-D, draft-ymbk-idr-bgp-open-policy-00.txt has been successfully submitted by Randy Bush and posted to the IETF repository.

Name: draft-ymbk-idr-bgp-open-policy
Revision: 00
Title: Route Leak Detection and Filtering using Roles in Update and Open messages
Document date: 2016-03-21
Group: Individual Submission
Pages: 8
URL: https://www.ietf.org/internet-drafts/draft-ymbk-idr-bgp-open-policy-00.txt
Status: https://datatracker.ietf.org/doc/draft-ymbk-idr-bgp-open-policy/
Htmlized: https://tools.ietf.org/html/draft-ymbk-idr-bgp-open-policy-00

Abstract:
Route Leaks are propagation of BGP prefixes which violate assumptions of BGP topology relationships; e.g. passing a route learned from one peer to another peer or to a transit provider, passing a route learned from one transit provider to another transit provider or to a peer. Today, approaches to leak prevention rely on marking routes according to some configuration options without any check that the configuration corresponds to that of the BGP neighbor, or enforcement that the two BGP speakers agree on the relationship. This document enhances BGP Open to establish agreement of the (peer, customer, provider, internal) relationship of two BGP neighboring speakers to enforce appropriate configuration on both sides. Propagated routes are then marked with a flag according to the agreed relationship, allowing detection and mitigation of route leaks.
Re: [sidr] wglc for draft-ietf-sidr-rfc6485bis-05
Since RFC6916 was the algorithm agility procedures RFC we'd all been waiting for, it makes sense to now point to it directly from the 6485bis. It's an informative reference to RFC6919, but RFC6916 is a BCP so it's probably fine.

Let's progress this one.

spt

> On Mar 21, 2016, at 17:20, Sandra Murphy wrote: