Secure Inter-Domain Routing D. Mandelberg Internet-Draft BBN Technologies Intended status: Best Current Practice February 10, 2014 Expires: August 14, 2014 Simplified Local internet nUmber Resource Management with the RPKI draft-dseomn-sidr-slurm-00 Abstract The Resource Public Key Infrastructure (RPKI) is a global authorization infrastructure that allows the holder of Internet Number Resources (INRs) to make verifiable statements about those resources. Internet Service Providers (ISPs) can use the RPKI to validate BGP route origination assertions. Some ISPs locally use BGP with private address space or private AS numbers (see RFC6890). These local BGP routes cannot be verified by the global RPKI, and SHOULD be considered invalid based on the global RPKI (see RFC6491). The mechanisms described below provide ISPs with a way to make local assertions about private (reserved) INRs while using the RPKI's assertions about all other INRs. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on August 14, 2014. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of Mandelberg Expires August 14, 2014 [Page 1] Internet-Draft SLURM February 2014 publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 2. Validation Output Filtering . . . . . . . . . . . . . . . . . 3 3. Locally Adding Assertions . . . . . . . . . . . . . . . . . . 3 4. Configuring SLURM . . . . . . . . . . . . . . . . . . . . . . 4 5. Combining Mechanisms . . . . . . . . . . . . . . . . . . . . 4 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 7. Security Considerations . . . . . . . . . . . . . . . . . . . 5 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 9.1. Informative References . . . . . . . . . . . . . . . . . 5 9.2. Normative References . . . . . . . . . . . . . . . . . . 6 Appendix A. Example SLURM File . . . . . . . . . . . . . . . . . 6 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 7 1. Introduction The Resource Public Key Infrastructure (RPKI) is a global authorization infrastructure that allows the holder of Internet Number Resources (INRs) to make verifiable statements about those resources. For example, the holder of a block of IP(v4 or v6) addresses can issue a Route Origination Authorization (ROA) [RFC6482] to authorize an Autonomous System (AS) to originate routes for that block. Internet Service Providers (ISPs) can then use the RPKI to validate BGP routes. However, some ISPs locally use BGP with private address space ([RFC1918], [RFC4193], [RFC6598]) or private AS numbers ([RFC1930], [RFC6996]). These local BGP routes cannot be verified by the global RPKI, and SHOULD be considered invalid when using the RPKI. For example, [RFC6491] recommends the creation of ROAs that would invalidate routes for reserved and unallocated address space. This document specifies two new mechanisms to enable ISPs to make local assertions about private INRs while using the RPKI's assertions about all other INRs. Both mechanisms are specified in terms of abstract sets of assertions. For Origin Validation [RFC6483], an assertion is a tuple of {IP prefix, prefix length, maximum length, AS number} as used by rpki-rtr [RFC6810]. Output Filtering, described Mandelberg Expires August 14, 2014 [Page 2] Internet-Draft SLURM February 2014 in Section 2, filters out any assertions by the RPKI about locally reserved INRs. Locally Adding Assertions, described in Section 3, adds local assertions about locally reserved INRs. Note that both of these mechanisms can later be extended to cover any assertions made by the RPKI for use in BGPSEC [I-D.ietf-sidr-bgpsec-protocol]. In general, the primary output of an RPKI relying party is the data it sends to routers over the rpki-rtr protocol. The rpki-rtr protocol enables routers to query a relying party for all Origin Validation assertions it knows about (Reset Query) or for an update of only the changes in Origin Validation assertions (Serial Query). The mechanisms specified in this document are to be applied to the result set for a Reset Query, and to both the old and new sets that are compared for a Serial Query. Relying party software MAY modify other forms of output in comparable ways, but that is outside the scope of this document. This document is intended to supersede [I-D.ietf-sidr-ltamgmt] while focusing only on local management of private INRs. Another draft [I-D.kent-sidr-suspenders] focuses on the other aspects of local management. 1.1. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2. Validation Output Filtering To prevent the global RPKI from affecting routes with locally reserved INRs, a relying party is locally configured with a list of IP prefixes and/or AS numbers that are used locally, and taken from the reserved INR spaces. Any Origin Validation assertions where the IP prefix is equal to or subsumed by a locally reserved IP prefix, are removed from the relying party's output. Any Origin Validation assertions where the IP prefix contains a locally reserved IP prefix are removed and the relying party software SHOULD issue a warning. 3. Locally Adding Assertions Each relying party is locally configured with a (possibly empty) list of Origin Validation assertions. This list is added to the relying party's output. Mandelberg Expires August 14, 2014 [Page 3] Internet-Draft SLURM February 2014 4. Configuring SLURM Relying party software SHOULD support the following configuration format for Validation Output Filtering and Locally Adding Assertions. The format is defined using the Augmented Backus-Naur Form (ABNF) notation and core rules from [RFC5234] and the rules and from Appendix A of [RFC3986]. Each command specifies an INR to use for Validation Output Filtering. Each command specifies an assertion to use for Locally Adding Assertions. See Appendix A for an example SLURM file. SLURMFile = header *line header = %x53.4c.55.52.4d SP "1.0" CRLF ; "SLURM 1.0" line = *WSP [comment] CRLF / *WSP command [ 1*WSP [comment] ] CRLF comment = "#" *(VCHAR / WSP) command = add / del add = %x61.64.64 1*WSP IPprefixMaxLen 1*WSP ASnum del = %x64.65.6c 1*WSP inr inr = IPprefix / ASnum IPprefix = IPv4prefix / IPv6prefix IPprefixMaxLen = IPv4prefixMaxLen / IPv6prefixMaxLen IPv4prefix = IPv4address "/" 1*2DIGIT IPv6prefix = IPv6address "/" 1*3DIGIT ; In the following two rules, if the maximum length component is ; missing, it is treated as equal to the prefix length. IPv4prefixMaxLen = IPv4prefix ["-" 1*2DIGIT] IPv6prefixMaxLen = IPv6prefix ["-" 1*3DIGIT] ASnum = 1*DIGIT 5. Combining Mechanisms In the typical use case, a relying party uses both output filtering and locally added assertions. In this case, the resulting assertions MUST be the same as if output filtering were performed before locally Mandelberg Expires August 14, 2014 [Page 4] Internet-Draft SLURM February 2014 adding assertions. I.e., locally added assertions MUST NOT be removed by output filtering. If a relying party chooses to use both SLURM and Suspenders [I-D.kent-sidr-suspenders], the SLURM mechanisms MUST be performed on the output of Suspenders. 6. IANA Considerations TBD 7. Security Considerations The mechanisms described in this document provide an ISP additional control over its own network. Care should be taken in how that control is used. 8. Acknowledgements The author would like to thank Stephen Kent for his guidance and detailed reviews of this document. 9. References 9.1. Informative References [I-D.ietf-sidr-bgpsec-protocol] Lepinski, M., "BGPSEC Protocol Specification", draft-ietf- sidr-bgpsec-protocol-08 (work in progress), November 2013. [I-D.ietf-sidr-ltamgmt] Reynolds, M., Kent, S., and M. Lepinski, "Local Trust Anchor Management for the Resource Public Key Infrastructure", draft-ietf-sidr-ltamgmt-08 (work in progress), April 2013. [I-D.kent-sidr-suspenders] Kent, S. and D. Mandelberg, "Suspenders: A Fail-safe Mechanism for the RPKI", draft-kent-sidr-suspenders-00 (work in progress), September 2013. [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, February 1996. [RFC1930] Hawkinson, J. and T. Bates, "Guidelines for creation, selection, and registration of an Autonomous System (AS)", BCP 6, RFC 1930, March 1996. Mandelberg Expires August 14, 2014 [Page 5] Internet-Draft SLURM February 2014 [RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast Addresses", RFC 4193, October 2005. [RFC6482] Lepinski, M., Kent, S., and D. Kong, "A Profile for Route Origin Authorizations (ROAs)", RFC 6482, February 2012. [RFC6483] Huston, G. and G. Michaelson, "Validation of Route Origination Using the Resource Certificate Public Key Infrastructure (PKI) and Route Origin Authorizations (ROAs)", RFC 6483, February 2012. [RFC6491] Manderson, T., Vegoda, L., and S. Kent, "Resource Public Key Infrastructure (RPKI) Objects Issued by IANA", RFC 6491, February 2012. [RFC6598] Weil, J., Kuarsingh, V., Donley, C., Liljenstolpe, C., and M. Azinger, "IANA-Reserved IPv4 Prefix for Shared Address Space", BCP 153, RFC 6598, April 2012. [RFC6810] Bush, R. and R. Austein, "The Resource Public Key Infrastructure (RPKI) to Router Protocol", RFC 6810, January 2013. [RFC6890] Cotton, M., Vegoda, L., Bonica, R., and B. Haberman, "Special-Purpose IP Address Registries", BCP 153, RFC 6890, April 2013. [RFC6996] Mitchell, J., "Autonomous System (AS) Reservation for Private Use", BCP 6, RFC 6996, July 2013. 9.2. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, January 2005. [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, January 2008. Appendix A. Example SLURM File Mandelberg Expires August 14, 2014 [Page 6] Internet-Draft SLURM February 2014 SLURM 1.0 # Reserve 192.0.2.0/24 and 2001:DB8::/32 for local use. del 192.0.2.0/24 del 2001:DB8::/32 # Allow either 65536 or 65537 to originate routes to 192.0.2.0/24. add 192.0.2.0/24 65536 add 192.0.2.0/24 65537 add 2001:DB8::/48-52 65536 # 65536 originates 2001:DB8::/48 and # sub-prefixes down to length 52. add 2001:DB8:0:42::/64 65537 # However, 65537 originates # 2001:DB8:0:42::/64. add 2001:DB8:1::/48 65537 # 65537 also originates 2001:DB8:1::/48 Author's Address David Mandelberg BBN Technologies 10 Moulton St. Camridge, MA 02138 US Email: david@mandelberg.org Mandelberg Expires August 14, 2014 [Page 7]