Resource Public Key Infrastructure (RPKI) object profile for Discard Origin Authorizations (DOA)
Fastly
-
to exempt blackhole routes from processing based on ROV status, thus foregoing the benefit of ROV altogether; or
-
to insist that users of the blackhole signalling service create ROAs with a sufficiently large "maxLength" values to accomodate blackhole routes.
This document defines a Cryptographic Message Syntax (CMS) profile for Discard Origin Authorizations (DOAs), for use with the Resource Public Key Infrastructure (RPKI) , along with associated processing rules.
DOAs can be used to validate whether incoming BGP route announcements carrying specific BGP Communities are meant to signify a request to discard IP traffic towards the IP destination carried in the BGP route.
This enhances the concepts of and , and can co-exist with deployed ROV policy.
DOA EncapsulatedContentInfo
DOA follows the Signed Object Template for the RPKI .
ASN.1 Module
The following ASN.1 module specifies the encapContentInfo component for DOA objects:
RpkiDiscardOriginAuthorization-2021
{ iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs9(9) smime(16) mod(0) TBD }
DEFINITIONS EXPLICIT TAGS ::=
BEGIN
IMPORTS
CONTENT-TYPE
FROM CryptographicMessageSyntax-2010 -- in [RFC6268]
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) }
IPAddressOrRange, IPAddressRange, IPAddress, ASId
FROM IPAddrAndASCertExtn -- in [RFC3779]
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) mod(0)
id-mod-ip-addr-and-as-ident(30) } ;
ct-discardOriginAuthorization CONTENT-TYPE ::=
{ TYPE DiscardOriginAuthorization IDENTIFIED BY
id-ct-discardOriginAuthorization }
id-ct-discardOriginAuthorization OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) id-smime(16) id-ct(1) TBD }
DiscardOriginAuthorization ::= SEQUENCE {
version [0] INTEGER DEFAULT 0,
ipAddrBlocks IPListRange,
originAsID ASId,
peerAsIDs [1] SEQUENCE SIZE(1..MAX) OF ASId OPTIONAL,
communities [2] SEQUENCE SIZE(1..MAX) OF Community
}
IPListRange ::= SEQUENCE (SIZE(1..MAX)) OF IPAddressFamilyRange
IPAddressFamilyRange ::= SEQUENCE {
addressFamily OCTET STRING (SIZE(2..3)),
addressOrRange IPAddressOrRange,
prefixLengthRange PrefixLengthRange OPTIONAL -- if omitted, assume hostroutes
}
PrefixLengthRange ::= SEQUENCE {
minLength INTEGER,
maxLength INTEGER
}
Community ::= CHOICE {
bgpCommunity [0] OCTET STRING (SIZE(4)),
bgpLargeCommunity [1] OCTET STRING (SIZE(12))
}
END
The DOA eContentType
The eContentType for a DOA is defined as id-ct-discardOriginAuthorization as specified in .
This OID MUST appear both within the eContentType in the encapContentInfo object as well as the ContentType signed attribute in the signerInfo object (see ).
The DOA eContent
The content of a DOA is formally defined as DiscardOriginAuthorization as specified in
version
The version number of the DiscardOriginAuthorization MUST be 0.
ipAddrBlocks
The IP address prefixes for which the announcement of RTBH routes is authorized.
The IP address resources contained here are the resources used to mark the authorization, and MUST match the set of resources listed by the EE certificate carried in the CMS certificates field.
See Section 3.3 for a similar, but not entirely similar appraoch.
A notable difference is the absense of MaxLength, and instead a PrefixLengthRange is used.
If no PrefixLengthRange is present, only the "host route" prefix length (i.e. 32 for IPv4 and 128 for IPv6) is authorized.
originAsID
The asID field contains the AS number that is authorized to originate RTBH routes for the given IP address prefixes.
The asID does not have to be contained by the resources listed on the EE certificate.
peerAsIDs
The peerAsIDs field contains zero or more AS numbers that are authorized to propagate routes intended to signal an RTBH request for the given IP address prefixes.
The peerAsIDs do not have to be contained by the resources listed on the EE certificate.
Network operators MUST only accept the RTBH request if it was received from any listed peerAsIDs.
The peerAsIDs field allows DOAs to be used to validate RTBH routes with one AS hop between originator and receipient.
communities
The communities field contains the Classic BGP communities or Large BGP Communities which are to be the 'trigger' to start RTBH.
TBD: are communities 'and' or 'or'?
DOA Validation
To validate a DOA the relying party MUST perform all the validation checks specified in as well as the following additional DOA-specific validation step:
-
The IP delegation extension MUST be present in the end-entity certificate (contained in the DOA), and every IP address prefix present in the ipAddrBlocks component of the DOA eContent is contained within the set of IP addresses specified in the EE certificate's IP address delegation extension.
RPKI-RTR protocol extensions
TODO: Seperate document?
BGP Route Matching
TODO: Seperate document?
A BGP speaker MAY assign to each path it receives from its peers one of 3 RTBH request validation states:
-
Matched: a validated DOA object was found covering the prefix of the received path, and matching the contraints of the DOA;
-
Unmatched: a validated DOA object was found covering the prefix of the received path, but the constraints of the DOA were not matched; or
-
NotFound: a validated DOA object covering the prefix of the receieved path was not found.
Where "covering" is used as in its definition in Section 2.
In order for a BGP path to be considered to have matched the constraints of a DOA object, the following conditions MUST be met:
- The route originated from the ASN listed in the ASId.
- The route was received from a PeerAS which is either the ASId or listed in the peerAsIDs field.
- The route's prefix length matches the listed permissible prefix lengths.
- The route is tagged with (TODO: one or more of?) the designated BGP community.
Route Origin Validation Co-Existance
It is important to observe that ROAs and DOAs can and will be issued for the same covered address space, and that the resulting ROV validation state MUST be entirely independent of the resulting DOA validation state.
In particular it is expected that legitimate RTBH routes will commonly receive a DOA validation state of 'Matched' whilst also receiving a ROV validation state of 'Invalid' due to the (likely) longer prefix-length of an RTBH route.
For this reason, it is recommended that operators construct policy so as to act on the DOA validation early in the routing policy application process, such that routes that are 'Matched' may be installed as RTBH routes, and routes that are 'Unmatched' or 'NotFound' can "fall-through" to be processed as "normal" routes, including the possible application of policy based on their ROV validation state.
Critically, in order that operators are able to construct policy according to their needs conforming implementations MUST NOT take any policy action on a route based on either its DOA or ROV validation state by default.
See also .
Exporting RTBH Routes
The guidance of Section 3.2 that, in general, RTBH routes SHOULD NOT be propagated beyond the receiving AS continues to apply to RTBH routes validated in terms of the above mechanisms.
The exception to this guidance is that an operator MAY propagate a received RTBH route to neighboring ASes if its own AS number appears in the peerAsIDs field of the matched DOA, since this indicates a desire by the issuer that neighbors of the local AS honour the route as a legitimate RTBH signal.
To facilitate the construction of routing policies by operators that implemented this behaviour, conforming BGP speaker implementations SHOULD provide a means of distinguishing between 'Matched' routes for which the local AS appears in the peerAsIDs of the matched DOA from those for which it does not.
Operational Considerations
TODO
Security Considerations
TODO
Implementation status
This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in RFC 7942.
The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs.
Please note that the listing of any individual implementation here does not imply endorsement by the IETF.
Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors.
This is not intended as, and must not be construed to be, a catalog of available implementations or their features.
Readers are advised to note that other implementations may exist.
According to RFC 7942, "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature.
It is up to the individual working groups to use this information as they see fit".
-
A signer implementation written in Python has been developed by Ben Maddison.
IANA Considerations
SMI Security for S/MIME CMS Module Identifier (1.2.840.113549.1.9.16.0)
The IANA is requested to register the following entry for this document in the "SMI Security for S/MIME CMS Module Identifier (1.2.840.113549.1.9.16.0)" registry:
Upon publication of this document, IANA is requested to reference the RFC publication instead of this draft.
SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)
The IANA is requested to register the following entry for this document in the "SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)" registry:
Upon publication of this document, IANA is requested to reference the RFC publication instead of this draft.
RPKI Signed Objects registry
The IANA is requested to register the OID for the RPKI Discard Origin Authorization in the "RPKI Signed Objects" registry () as follows:
RPKI Repository Name Schemes registry
The IANA is requested to register the RPKI Discard Origin Authorization file extension in the "RPKI Repository Name Schemes" registry () as follows:
Media Types registry
The IANA is requested to register the media type application/rpki-doa in the "Media Types" registry () as follows:
Intended usage: COMMON
Restrictions on usage: None
Author: Job Snijders
Change controller: Job Snijders
]]>
References
Normative References
Key words for use in RFCs to Indicate Requirement Levels
In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.
X.509 Extensions for IP Addresses and AS Identifiers
This document defines two X.509 v3 certificate extensions. The first binds a list of IP address blocks, or prefixes, to the subject of a certificate. The second binds a list of autonomous system identifiers to the subject of a certificate. These extensions may be used to convey the authorization of the subject to use the IP addresses and autonomous system identifiers contained in the extensions. [STANDARDS-TRACK]
Configuring BGP to Block Denial-of-Service Attacks
This document describes an operational technique that uses BGP communities to remotely trigger black-holing of a particular destination network to block denial-of-service attacks. Black-holing can be applied on a selection of routers rather than all BGP-speaking routers in the network. The document also describes a sinkhole tunnel technique using BGP communities and tunnels to pull traffic into a sinkhole router for analysis. This memo provides information for the Internet community.
Cryptographic Message Syntax (CMS)
This document describes the Cryptographic Message Syntax (CMS). This syntax is used to digitally sign, digest, authenticate, or encrypt arbitrary message content. [STANDARDS-TRACK]
A Profile for Resource Certificate Repository Structure
This document defines a profile for the structure of the Resource Public Key Infrastructure (RPKI) distributed repository. Each individual repository publication point is a directory that contains files that correspond to X.509/PKIX Resource Certificates, Certificate Revocation Lists and signed objects. This profile defines the object (file) naming scheme, the contents of repository publication points (directories), and a suggested internal structure of a local repository cache that is intended to facilitate synchronization across a distributed collection of repository publication points and to facilitate certification path construction. [STANDARDS-TRACK]
Signed Object Template for the Resource Public Key Infrastructure (RPKI)
This document defines a generic profile for signed objects used in the Resource Public Key Infrastructure (RPKI). These RPKI signed objects make use of Cryptographic Message Syntax (CMS) as a standard encapsulation format. [STANDARDS-TRACK]
Media Type Specifications and Registration Procedures
This document defines procedures for the specification and registration of media types for use in HTTP, MIME, and other Internet protocols. This memo documents an Internet Best Current Practice.
BLACKHOLE Community
This document describes the use of a well-known Border Gateway Protocol (BGP) community for destination-based blackholing in IP networks. This well-known advisory transitive BGP community named "BLACKHOLE" allows an origin Autonomous System (AS) to specify that a neighboring network should discard any traffic destined towards the tagged IP prefix.
Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words
RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.
Informative References
BGP Communities Attribute
This document describes an extension to BGP which may be used to pass additional information to both neighboring and remote BGP peers. [STANDARDS-TRACK]
An Infrastructure to Support Secure Internet Routing
This document describes an architecture for an infrastructure to support improved security of Internet routing. The foundation of this architecture is a Resource Public Key Infrastructure (RPKI) that represents the allocation hierarchy of IP address space and Autonomous System (AS) numbers; and a distributed repository system for storing and disseminating the data objects that comprise the RPKI, as well as other signed objects necessary for improved routing security. As an initial application of this architecture, the document describes how a legitimate holder of IP address space can explicitly and verifiably authorize one or more ASes to originate routes to that address space. Such verifiable authorizations could be used, for example, to more securely construct BGP route filters. This document is not an Internet Standards Track specification; it is published for informational purposes.
A Profile for Route Origin Authorizations (ROAs)
This document defines a standard profile for Route Origin Authorizations (ROAs). A ROA is a digitally signed object that provides a means of verifying that an IP address block holder has authorized an Autonomous System (AS) to originate routes to one or more prefixes within the address block. [STANDARDS-TRACK]
BGP Prefix Origin Validation
To help reduce well-known threats against BGP including prefix mis- announcing and monkey-in-the-middle attacks, one of the security requirements is the ability to validate the origination Autonomous System (AS) of BGP routes. More specifically, one needs to validate that the AS number claiming to originate an address prefix (as derived from the AS_PATH attribute of the BGP route) is in fact authorized by the prefix holder to do so. This document describes a simple validation mechanism to partially satisfy this requirement. [STANDARDS-TRACK]
Clarifications to BGP Origin Validation Based on Resource Public Key Infrastructure (RPKI)
Deployment of BGP origin validation based on Resource Public Key Infrastructure (RPKI) is hampered by, among other things, vendor misimplementations in two critical areas: which routes are validated and whether policy is applied when not specified by configuration. This document is meant to clarify possible misunderstandings causing those misimplementations; it thus updates RFC 6811 by clarifying that all prefixes should have their validation state set and that policy must not be applied without operator configuration.
rpkimancer-doa
Workonline
Document Changelog
Individual Submission Phase