Internet Engineering Task Force (IETF) M. Reynolds
Request for Comments: 8209 IPSw
Updates: 6487 S. Turner
Category: Standards Track sn3rd
ISSN: 2070-1721 S. Kent
BBN
September 2017
Internet Engineering Task Force (IETF) M. Reynolds
Request for Comments: 8209 IPSw
Updates: 6487 S. Turner
Category: Standards Track sn3rd
ISSN: 2070-1721 S. Kent
BBN
September 2017
A Profile for BGPsec Router Certificates, Certificate Revocation Lists, and Certification Requests
BGPsec路由器证书、证书吊销列表和证书请求的配置文件
Abstract
摘要
This document defines a standard profile for X.509 certificates used to enable validation of Autonomous System (AS) paths in the Border Gateway Protocol (BGP), as part of an extension to that protocol known as BGPsec. BGP is the standard for inter-domain routing in the Internet; it is the "glue" that holds the Internet together. BGPsec is being developed as one component of a solution that addresses the requirement to provide security for BGP. The goal of BGPsec is to provide full AS path validation based on the use of strong cryptographic primitives. The end entity (EE) certificates specified by this profile are issued to routers within an AS. Each of these certificates is issued under a Resource Public Key Infrastructure (RPKI) Certification Authority (CA) certificate. These CA certificates and EE certificates both contain the AS Resource extension. An EE certificate of this type asserts that the router or routers holding the corresponding private key are authorized to emit secure route advertisements on behalf of the AS(es) specified in the certificate. This document also profiles the format of certification requests and specifies Relying Party (RP) certificate path validation procedures for these EE certificates. This document extends the RPKI; therefore, this document updates the RPKI Resource Certificates Profile (RFC 6487).
本文档定义了X.509证书的标准配置文件,用于验证边界网关协议(BGP)中的自治系统(AS)路径,作为该协议扩展(称为BGPsec)的一部分。BGP是Internet域间路由的标准;正是“胶水”将互联网连接在一起。BGPsec是作为解决方案的一个组成部分开发的,该解决方案满足了为BGP提供安全性的要求。BGPsec的目标是基于强密码原语的使用提供完整的AS路径验证。此配置文件指定的终端实体(EE)证书将颁发给AS中的路由器。每个证书都是在资源公钥基础设施(RPKI)证书颁发机构(CA)证书下颁发的。这些CA证书和EE证书都包含AS资源扩展。这种类型的EE证书声明持有相应私钥的路由器被授权代表证书中指定的AS发出安全路由播发。本文件还概述了认证请求的格式,并规定了这些EE证书的依赖方(RP)证书路径验证程序。本文件扩展了RPKI;因此,本文档更新了RPKI资源证书配置文件(RFC 6487)。
Status of This Memo
关于下段备忘
This is an Internet Standards Track document.
这是一份互联网标准跟踪文件。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 7841第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8209.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问https://www.rfc-editor.org/info/rfc8209.
Copyright Notice
版权公告
Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2017 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(https://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
Table of Contents
目录
1. Introduction ....................................................3
1.1. Terminology ................................................4
2. Describing Resources in Certificates ............................4
3. Updates to RFC 6487 .............................................6
3.1. BGPsec Router Certificate Fields ...........................6
3.1.1. Subject .............................................6
3.1.2. Subject Public Key Info .............................6
3.1.3. BGPsec Router Certificate Version 3
Extension Fields ....................................6
3.1.3.1. Basic Constraints ..........................6
3.1.3.2. Extended Key Usage .........................6
3.1.3.3. Subject Information Access .................7
3.1.3.4. IP Resources ...............................7
3.1.3.5. AS Resources ...............................7
3.2. BGPsec Router Certificate Request Profile ..................7
3.3. BGPsec Router Certificate Validation .......................8
3.4. Router Certificates and Signing Functions in the RPKI ......8
4. Design Notes ....................................................9
5. Implementation Considerations ...................................9
6. Security Considerations ........................................10
7. IANA Considerations ............................................10
8. References .....................................................11
8.1. Normative References ......................................11
8.2. Informative References ....................................12
Appendix A. ASN.1 Module ..........................................14
Acknowledgements ..................................................15
Authors' Addresses ................................................15
1. Introduction ....................................................3
1.1. Terminology ................................................4
2. Describing Resources in Certificates ............................4
3. Updates to RFC 6487 .............................................6
3.1. BGPsec Router Certificate Fields ...........................6
3.1.1. Subject .............................................6
3.1.2. Subject Public Key Info .............................6
3.1.3. BGPsec Router Certificate Version 3
Extension Fields ....................................6
3.1.3.1. Basic Constraints ..........................6
3.1.3.2. Extended Key Usage .........................6
3.1.3.3. Subject Information Access .................7
3.1.3.4. IP Resources ...............................7
3.1.3.5. AS Resources ...............................7
3.2. BGPsec Router Certificate Request Profile ..................7
3.3. BGPsec Router Certificate Validation .......................8
3.4. Router Certificates and Signing Functions in the RPKI ......8
4. Design Notes ....................................................9
5. Implementation Considerations ...................................9
6. Security Considerations ........................................10
7. IANA Considerations ............................................10
8. References .....................................................11
8.1. Normative References ......................................11
8.2. Informative References ....................................12
Appendix A. ASN.1 Module ..........................................14
Acknowledgements ..................................................15
Authors' Addresses ................................................15
This document defines a profile for X.509 end entity (EE) certificates [RFC5280] for use in the context of certification of Autonomous System (AS) paths in the BGPsec protocol. Such certificates are termed "BGPsec Router Certificates". The holder of the private key associated with a BGPsec Router Certificate is authorized to send secure route advertisements (BGPsec UPDATEs) on behalf of the AS(es) named in the certificate. A router holding the private key is authorized to send route advertisements (to its peers) identifying the router's AS number (ASN) as the source of the advertisements. A key property provided by BGPsec is that every AS along the AS path can verify that the other ASes along the path have authorized the advertisement of the given route (to the next AS along the AS path).
本文件定义了X.509终端实体(EE)证书[RFC5280]的配置文件,用于BGPsec协议中自治系统(AS)路径的认证。此类证书称为“BGPsec路由器证书”。与BGPsec路由器证书相关联的私钥持有人有权代表证书中指定的AS发送安全路由公告(BGPsec更新)。持有私钥的路由器被授权(向其对等方)发送路由通告,将路由器的AS号(ASN)标识为通告的来源。BGPsec提供的一个关键属性是,AS路径上的每个AS都可以验证路径上的其他AS是否已授权发布给定路由(到AS路径上的下一个AS)。
This document is a profile of [RFC6487], which is a profile of [RFC5280]; thus, this document updates [RFC6487]. It establishes requirements imposed on a Resource Certificate that is used as a BGPsec Router Certificate, i.e., it defines constraints for certificate fields and extensions for the certificate to be valid in this context. This document also profiles the certification requests used to acquire BGPsec Router Certificates. Finally, this document specifies the Relying Party (RP) certificate path validation procedures for these certificates.
本文件是[RFC6487]的概要文件,是[RFC5280]的概要文件;因此,本文件更新了[RFC6487]。它建立了对用作BGPsec路由器证书的资源证书的要求,也就是说,它定义了证书字段和扩展的约束,以使证书在此上下文中有效。本文档还概述了用于获取BGPsec路由器证书的认证请求。最后,本文档指定了这些证书的依赖方(RP)证书路径验证过程。
It is assumed that the reader is familiar with the terms and concepts described in "A Profile for X.509 PKIX Resource Certificates" [RFC6487], "BGPsec Protocol Specification" [RFC8205], "A Border Gateway Protocol 4 (BGP-4)" [RFC4271], "BGP Security Vulnerabilities Analysis" [RFC4272], "Considerations in Validating the Path in BGP" [RFC5123], and "Capabilities Advertisement with BGP-4" [RFC5492].
假设读者熟悉“X.509 PKIX资源证书配置文件”[RFC6487]、“BGPsec协议规范”[RFC8205]、“边界网关协议4(BGP-4)”[RFC4271]、“BGP安全漏洞分析”[RFC4272]、“验证BGP中路径的注意事项”[RFC5123]中描述的术语和概念,以及“BGP-4的功能广告”[RFC5492]。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“建议”、“不建议”、“可”和“可选”在所有大写字母出现时(如图所示)应按照BCP 14[RFC2119][RFC8174]所述进行解释。
Figure 1 depicts some of the entities in the Resource Public Key Infrastructure (RPKI) and some of the products generated by RPKI entities. IANA issues a Certification Authority (CA) certificate to each Regional Internet Registry (RIR). The RIR in turn issues a CA certificate to an Internet Service Provider (ISP). The ISP in turn issues EE certificates to itself to enable verification of signatures on RPKI signed objects. The CA also generates Certificate Revocation Lists (CRLs). These CA and EE certificates are referred to as "Resource Certificates" and are profiled in [RFC6487]. [RFC6480] envisioned using Resource Certificates to enable verification of manifests [RFC6486] and Route Origin Authorizations (ROAs) [RFC6482]. ROAs and manifests include the Resource Certificates used to verify them.
图1描述了资源公钥基础设施(RPKI)中的一些实体以及由RPKI实体生成的一些产品。IANA向每个区域互联网注册中心(RIR)颁发证书颁发机构(CA)证书。RIR向互联网服务提供商(ISP)颁发CA证书。ISP反过来向自己颁发EE证书,以验证RPKI签名对象上的签名。CA还生成证书吊销列表(CRL)。这些CA和EE证书称为“资源证书”,并在[RFC6487]中进行了分析。[RFC6480]设想使用资源证书来验证清单[RFC6486]和路由来源授权(ROA)[RFC6482]。ROA和清单包括用于验证它们的资源证书。
+---------+ +------+
| CA Cert |---| IANA |
+---------+ +------+
\
+---------+ +-----+
| CA Cert |---| RIR |
+---------+ +-----+
\
+---------+ +-----+
| CA Cert |---| ISP |
+---------+ +-----+
/ | | |
+-----+ / | | | +-----+
| CRL |--+ | | +---| ROA |
+-----+ | | +-----+
| | +----------+
+----+ | +---| Manifest |
+-| EE |---+ +----------+
| +----+
+-----+
+---------+ +------+
| CA Cert |---| IANA |
+---------+ +------+
\
+---------+ +-----+
| CA Cert |---| RIR |
+---------+ +-----+
\
+---------+ +-----+
| CA Cert |---| ISP |
+---------+ +-----+
/ | | |
+-----+ / | | | +-----+
| CRL |--+ | | +---| ROA |
+-----+ | | +-----+
| | +----------+
+----+ | +---| Manifest |
+-| EE |---+ +----------+
| +----+
+-----+
Figure 1
图1
This document defines another type of Resource Certificate, which is referred to as a "BGPsec Router Certificate". The purpose of this certificate is explained in Section 1 and falls within the scope of appropriate uses defined within [RFC6484]. The issuance of BGPsec Router Certificates has minimal impact on RPKI CAs because the RPKI CA certificate and CRL profile remain unchanged (i.e., they are as specified in [RFC6487]). Further, the algorithms used to generate RPKI CA certificates that issue the BGPsec Router Certificates and the CRLs necessary to check the validity of the BGPsec Router Certificates remain unchanged (i.e., they are as specified in [RFC7935]). The only impact is that RPKI CAs will need to be able to process a profiled certificate request (see Section 3.2) signed with algorithms found in [RFC8208]. BGPsec Router Certificates are used only to verify the signature on the BGPsec certificate request (only CAs process these) and the signature on a BGPsec UPDATE message [RFC8205] (only BGPsec routers process these); BGPsec Router Certificates are not used to process manifests and ROAs or verify signatures on Certificates or CRLs.
本文档定义了另一种类型的资源证书,称为“BGPsec路由器证书”。本证书的目的在第1节中有说明,属于[RFC6484]中定义的适当用途范围。BGPsec路由器证书的颁发对RPKI CA的影响最小,因为RPKI CA证书和CRL配置文件保持不变(即,它们如[RFC6487]中的规定)。此外,用于生成RPKI CA证书(颁发BGPsec路由器证书)的算法以及检查BGPsec路由器证书有效性所需的CRL保持不变(即,它们如[RFC7935]中所述)。唯一的影响是,RPKI CA需要能够处理使用[RFC8208]中的算法签名的配置文件证书请求(见第3.2节)。BGPsec路由器证书仅用于验证BGPsec证书请求上的签名(仅CA处理这些签名)和BGPsec更新消息[RFC8205]上的签名(仅BGPsec路由器处理这些签名);BGPsec路由器证书不用于处理清单和ROA或验证证书或CRL上的签名。
This document enumerates only the differences between this profile and the profile in [RFC6487]. Note that BGPsec Router Certificates are EE certificates, and as such there is no impact on the algorithm agility procedure described in [RFC6916].
本文档仅列举了此配置文件与[RFC6487]中配置文件之间的差异。请注意,BGPsec路由器证书是EE证书,因此不会影响[RFC6916]中描述的算法敏捷性过程。
A BGPsec Router Certificate is consistent with the profile in [RFC6487] as modified by the specifications in this section. As such, it is a valid X.509 public key certificate and consistent with the PKIX profile [RFC5280]. The differences between this profile and the profile in [RFC6487] are specified in this section.
BGPsec路由器证书与本节规范修改的[RFC6487]中的配置文件一致。因此,它是有效的X.509公钥证书,并且与PKIX配置文件[RFC5280]一致。本节规定了此配置文件与[RFC6487]中配置文件之间的差异。
Encoding options for the common name that are supported are printableString and UTF8String. For BGPsec Router Certificates, it is RECOMMENDED that the common name attribute contain the literal string "ROUTER-" followed by the 32-bit ASN [RFC3779] encoded as eight hexadecimal digits and that the serial number attribute contain the 32-bit BGP Identifier [RFC4271] (i.e., the router ID) encoded as eight hexadecimal digits. If there is more than one ASN, the choice of which to include in the common name is at the discretion of the Issuer. If the same certificate is issued to more than one router (and hence the private key is shared among these routers), the choice of the router ID used in this name is at the discretion of the Issuer.
支持的通用名称编码选项有printableString和UTF8String。对于BGPsec路由器证书,建议公共名称属性包含文字字符串“Router-”,后跟编码为八位十六进制数字的32位ASN[RFC3779],序列号属性包含编码为八位十六进制数字的32位BGP标识符[RFC4271](即路由器ID)。如果存在多个ASN,则发行人可自行决定在通用名称中包含哪一个ASN。如果同一证书颁发给多个路由器(因此私钥在这些路由器之间共享),则此名称中使用的路由器ID的选择由颁发者自行决定。
Refer to Section 3.1 of [RFC8208].
参考[RFC8208]第3.1节。
BGPsec speakers are EEs; therefore, the Basic Constraints extension must not be present, as per [RFC6487].
BGPsec发言人是EEs;因此,根据[RFC6487],基本约束扩展不得存在。
BGPsec Router Certificates MUST include the Extended Key Usage (EKU) extension. As specified in [RFC6487], this extension must not be marked critical. This document defines one EKU for BGPsec Router Certificates:
BGPsec路由器证书必须包括扩展密钥使用(EKU)扩展。按照[RFC6487]中的规定,此扩展不得标记为关键。本文件为BGPsec路由器证书定义了一个EKU:
id-kp OBJECT IDENTIFIER ::=
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) kp(3) }
id-kp OBJECT IDENTIFIER ::=
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) kp(3) }
id-kp-bgpsec-router OBJECT IDENTIFIER ::= { id-kp 30 }
id-kp-bgpsec-router OBJECT IDENTIFIER ::= { id-kp 30 }
A BGPsec router MUST require the EKU extension be present in a BGPsec Router Certificate it receives. If multiple KeyPurposeId values are included, the BGPsec routers need not recognize all of them, as long as the required KeyPurposeId value is present. BGPsec routers MUST reject certificates that do not contain the BGPsec Router EKU even if they include the anyExtendedKeyUsage OID defined in [RFC5280].
BGPsec路由器必须要求其收到的BGPsec路由器证书中存在EKU扩展。如果包含多个KeyPurposeId值,BGPsec路由器不需要识别所有这些值,只要存在所需的KeyPurposeId值。BGPsec路由器必须拒绝不包含BGPsec路由器EKU的证书,即使它们包含[RFC5280]中定义的anyExtendedKeyUsage OID。
This extension is not used in BGPsec Router Certificates. It MUST be omitted.
此扩展不用于BGPsec路由器证书。必须省略它。
This extension is not used in BGPsec Router Certificates. It MUST be omitted.
此扩展不用于BGPsec路由器证书。必须省略它。
Each BGPsec Router Certificate MUST include the AS Resources extension, as specified in Section 4.8.11 of [RFC6487]. The AS Resources extension MUST include one or more ASNs, and the "inherit" element MUST NOT be specified.
每个BGPsec路由器证书必须包括[RFC6487]第4.8.11节规定的AS资源扩展。AS资源扩展必须包括一个或多个ASN,并且不能指定“继承”元素。
Refer to Section 6 of [RFC6487]. The only differences between this profile and the profile in [RFC6487] are as follows:
参考[RFC6487]第6节。此配置文件与[RFC6487]中的配置文件之间的唯一区别如下:
o The Basic Constraints extension:
o 基本约束扩展:
If included, the CA MUST NOT honor the cA boolean if set to TRUE.
如果包含,则如果将CA布尔值设置为TRUE,则CA不得接受该值。
o The EKU extension:
o EKU扩展:
If included, id-kp-bgpsec-router MUST be present (see Section 3.1.3.2). If included, the CA MUST honor the request for id-kp-bgpsec-router.
如果包括,id kp bgpsec路由器必须存在(见第3.1.3.2节)。如果包括,CA必须满足id kp bgpsec路由器的请求。
o The Subject Information Access (SIA) extension:
o 主题信息访问(SIA)扩展:
If included, the CA MUST NOT honor the request to include the extension.
如果包含,CA不得接受包含扩展的请求。
o The SubjectPublicKeyInfo field is specified in [RFC8208].
o [RFC8208]中指定了SubjectPublicKeyInfo字段。
o The request is signed with the algorithms specified in [RFC8208].
o 使用[RFC8208]中指定的算法对请求进行签名。
The validation procedure used for BGPsec Router Certificates is identical to the validation procedure described in Section 7 of [RFC6487] (and any RFC that updates that procedure), as modified below. For example, in step 3 (of the criteria listed in Section 7.2 of [RFC6487]), "The certificate contains all fields that MUST be present" refers to the fields that are required by this specification.
用于BGPsec路由器证书的验证程序与[RFC6487]第7节(以及更新该程序的任何RFC)中描述的验证程序相同,修改如下。例如,在步骤3(属于[RFC6487]第7.2节列出的标准)中,“证书包含所有必须存在的字段”指的是本规范要求的字段。
The differences are as follows:
区别如下:
o BGPsec Router Certificates MUST include the BGPsec Router EKU defined in Section 3.1.3.2.
o BGPsec路由器证书必须包括第3.1.3.2节中定义的BGPsec路由器EKU。
o BGPsec Router Certificates MUST NOT include the SIA extension.
o BGPsec路由器证书不得包含SIA扩展。
o BGPsec Router Certificates MUST NOT include the IP Resources extension.
o BGPsec路由器证书不得包含IP资源扩展。
o BGPsec Router Certificates MUST include the AS Resources extension.
o BGPsec路由器证书必须包括AS资源扩展。
o BGPsec Router Certificates MUST include the subjectPublicKeyInfo field described in [RFC8208].
o BGPsec路由器证书必须包括[RFC8208]中描述的subjectPublicKeyInfo字段。
NOTE: BGPsec RPs will need to support the algorithms in [RFC8208], which are used to validate BGPsec signatures, as well as the algorithms in [RFC7935], which are needed to validate signatures on BGPsec certificates, RPKI CA certificates, and RPKI CRLs.
注:BGPsec RPs需要支持[RFC8208]中用于验证BGPsec签名的算法,以及[RFC7935]中用于验证BGPsec证书、RPKI CA证书和RPKI CRL上签名的算法。
As described in Section 1, the primary function of BGPsec Router Certificates in the RPKI is for use in the context of certification of AS paths in the BGPsec protocol.
如第1节所述,RPKI中BGPsec路由器证书的主要功能用于BGPsec协议中As路径的认证。
The private key associated with a router EE certificate may be used multiple times in generating signatures in multiple instances of the BGPsec_PATH attribute Signature Segments [RFC8205]. That is, the BGPsec Router Certificate is used to validate multiple signatures.
在BGPsec_路径属性签名段的多个实例中生成签名时,可以多次使用与路由器EE证书相关联的私钥[RFC8205]。也就是说,BGPsec路由器证书用于验证多个签名。
BGPsec Router Certificates are stored in the issuing CA's repository, where a repository following [RFC6481] MUST use a .cer filename extension for the certificate file.
BGPsec路由器证书存储在颁发CA的存储库中,其中[RFC6481]后面的存储库必须为证书文件使用.cer文件扩展名。
The BGPsec Router Certificate profile is based on the Resource Certificate profile as specified in [RFC6487]. As a result, many of the design choices herein are a reflection of the design choices that were taken in that prior work. The reader is referred to [RFC6484] for a fuller discussion of those choices.
BGPsec路由器证书配置文件基于[RFC6487]中指定的资源证书配置文件。因此,本文中的许多设计选择反映了先前工作中的设计选择。读者可参考[RFC6484]对这些选择进行更全面的讨论。
CAs are required by the Certificate Policy (CP) [RFC6484] to issue properly formed BGPsec Router Certificates regardless of what is present in the certificate request, so there is some flexibility permitted in the certificate requests:
证书策略(CP)[RFC6484]要求CA颁发格式正确的BGPsec路由器证书,而不管证书请求中存在什么,因此证书请求中允许一定的灵活性:
o BGPsec Router Certificates are always EE certificates; therefore, requests to issue a CA certificate result in EE certificates;
o BGPsec路由器证书始终是EE证书;因此,请求颁发CA证书会导致EE证书;
o BGPsec Router Certificates are always EE certificates; therefore, requests for Key Usage extension values keyCertSign and cRLSign result in certificates with neither of these values;
o BGPsec路由器证书始终是EE证书;因此,对密钥使用扩展值keyCertSign和cRLSign的请求会导致证书中没有这两个值;
o BGPsec Router Certificates always include the BGPsec Router EKU value; therefore, requests without the value result in certificates with the value; and,
o BGPsec路由器证书始终包含BGPsec路由器EKU值;因此,不带值的请求将生成带值的证书;和
o BGPsec Router Certificates never include the SIA extension; therefore, requests with this extension result in certificates without the extension.
o BGPsec路由器证书从不包括SIA扩展;因此,具有此扩展名的请求将生成没有扩展名的证书。
Note that this behavior is similar to the CA including the AS Resources extension in issued BGPsec Router Certificates, despite the fact that it is not present in the request.
请注意,此行为类似于CA,包括已颁发的BGPsec路由器证书中的AS资源扩展,尽管请求中不存在该扩展。
This document permits the operator to include a list of ASNs in a BGPsec Router Certificate. In that case, the router certificate would become invalid if any one of the ASNs is removed from any superior CA certificate along the path to a trust anchor. Operators could choose to avoid this possibility by issuing a separate BGPsec Router Certificate for each distinct ASN, so that the router certificates for ASNs that are retained in the superior CA certificate would remain valid.
本文件允许运营商在BGPsec路由器证书中包含ASN列表。在这种情况下,如果任何一个ASN沿着到信任锚点的路径从任何高级CA证书中删除,路由器证书将变得无效。运营商可以选择为每个不同的ASN颁发单独的BGPsec路由器证书来避免这种可能性,以便保留在高级CA证书中的ASN路由器证书保持有效。
The security considerations of [RFC6487] apply.
[RFC6487]的安全注意事项适用。
A BGPsec Router Certificate will fail RPKI validation as defined in [RFC6487] because the cryptographic algorithms used are different. Consequently, an RP needs to identify the EKU to determine the appropriate Validation constraint.
BGPsec路由器证书将无法通过[RFC6487]中定义的RPKI验证,因为使用的加密算法不同。因此,RP需要识别EKU以确定适当的验证约束。
A BGPsec Router Certificate is an extension of the RPKI [RFC6480] to encompass routers. It is a building block of BGPsec and is used to validate signatures on BGPsec Signature Segment origination of signed path segments [RFC8205]. Thus, its essential security function is the secure binding of one or more ASNs to a public key, consistent with the RPKI allocation/assignment hierarchy.
BGPsec路由器证书是RPKI[RFC6480]的扩展,以涵盖路由器。它是BGPsec的构建块,用于验证签名路径段的BGPsec签名段发起上的签名[RFC8205]。因此,其基本安全功能是将一个或多个ASN安全绑定到公钥,与RPKI分配/分配层次结构一致。
Hash functions [RFC8208] are used when generating the two key identifier extensions (i.e., Subject Key Identifier and Issuer Key Identifier) included in BGPsec certificates. However, as noted in [RFC6818], collision resistance is not a required property of one-way hash functions when used to generate key identifiers. Regardless, hash collisions are unlikely, but they are possible, and if detected an operator should be alerted. A Subject Key Identifier collision might cause the incorrect certificate to be selected from the cache, resulting in a failed signature validation.
哈希函数[RFC8208]用于生成BGPsec证书中包含的两个密钥标识符扩展(即,使用者密钥标识符和颁发者密钥标识符)。然而,如[RFC6818]中所述,当用于生成密钥标识符时,抗冲突性不是单向散列函数的必需属性。无论如何,哈希冲突不太可能发生,但它们是可能的,如果检测到,应该向操作员发出警报。主题密钥标识符冲突可能会导致从缓存中选择不正确的证书,从而导致签名验证失败。
This document makes use of two OIDs in the SMI registry for PKIX. One is for the ASN.1 module [X680] [X690] in Appendix A, and it comes from the "SMI Security for PKIX Module Identifier" IANA registry (id-mod-bgpsec-eku). The other is for the BGPsec Router EKU defined in Section 3.1.3.2 and Appendix A, and it comes from the "SMI Security for PKIX Extended Key Purpose" IANA registry (id-kp-bgpsec-router). These OIDs were assigned before management of the PKIX Arc was handed to IANA. The references in those registries have been updated to point to this document.
本文档使用了用于PKIX的SMI注册表中的两个OID。一个用于附录A中的ASN.1模块[X680][X690],它来自“PKIX模块标识符的SMI安全性”IANA注册表(id mod bgpsec eku)。另一个用于第3.1.3.2节和附录A中定义的BGPsec路由器EKU,它来自“用于PKIX扩展密钥目的的SMI安全”IANA注册表(id kp BGPsec路由器)。这些OID是在PKIX Arc的管理移交给IANA之前分配的。这些登记册中的参考资料已经更新,指向本文件。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,DOI 10.17487/RFC2119,1997年3月<https://www.rfc-editor.org/info/rfc2119>.
[RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP Addresses and AS Identifiers", RFC 3779, DOI 10.17487/RFC3779, June 2004, <https://www.rfc-editor.org/info/rfc3779>.
[RFC3779]Lynn,C.,Kent,S.,和K.Seo,“IP地址和AS标识符的X.509扩展”,RFC 3779,DOI 10.17487/RFC3779,2004年6月<https://www.rfc-editor.org/info/rfc3779>.
[RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A Border Gateway Protocol 4 (BGP-4)", RFC 4271, DOI 10.17487/RFC4271, January 2006, <https://www.rfc-editor.org/info/rfc4271>.
[RFC4271]Rekhter,Y.,Ed.,Li,T.,Ed.,和S.Hares,Ed.,“边境网关协议4(BGP-4)”,RFC 4271,DOI 10.17487/RFC4271,2006年1月<https://www.rfc-editor.org/info/rfc4271>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, <https://www.rfc-editor.org/info/rfc5280>.
[RFC5280]Cooper,D.,Santesson,S.,Farrell,S.,Boeyen,S.,Housley,R.,和W.Polk,“Internet X.509公钥基础设施证书和证书撤销列表(CRL)配置文件”,RFC 5280,DOI 10.17487/RFC5280,2008年5月<https://www.rfc-editor.org/info/rfc5280>.
[RFC6481] Huston, G., Loomans, R., and G. Michaelson, "A Profile for Resource Certificate Repository Structure", RFC 6481, DOI 10.17487/RFC6481, February 2012, <https://www.rfc-editor.org/info/rfc6481>.
[RFC6481]Huston,G.,Loomans,R.,和G.Michaelson,“资源证书存储库结构的配置文件”,RFC 6481,DOI 10.17487/RFC6481,2012年2月<https://www.rfc-editor.org/info/rfc6481>.
[RFC6486] Austein, R., Huston, G., Kent, S., and M. Lepinski, "Manifests for the Resource Public Key Infrastructure (RPKI)", RFC 6486, DOI 10.17487/RFC6486, February 2012, <https://www.rfc-editor.org/info/rfc6486>.
[RFC6486]Austein,R.,Huston,G.,Kent,S.,和M.Lepinski,“资源公钥基础设施(RPKI)清单”,RFC 6486,DOI 10.17487/RFC6486,2012年2月<https://www.rfc-editor.org/info/rfc6486>.
[RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for X.509 PKIX Resource Certificates", RFC 6487, DOI 10.17487/RFC6487, February 2012, <https://www.rfc-editor.org/info/rfc6487>.
[RFC6487]Huston,G.,Michaelson,G.,和R.Loomans,“X.509 PKIX资源证书的配置文件”,RFC 6487,DOI 10.17487/RFC6487,2012年2月<https://www.rfc-editor.org/info/rfc6487>.
[RFC7935] Huston, G. and G. Michaelson, Ed., "The Profile for Algorithms and Key Sizes for Use in the Resource Public Key Infrastructure", RFC 7935, DOI 10.17487/RFC7935, August 2016, <https://www.rfc-editor.org/info/rfc7935>.
[RFC7935]Huston,G.和G.Michaelson,编辑,“用于资源公钥基础设施的算法和密钥大小的配置文件”,RFC 7935,DOI 10.17487/RFC7935,2016年8月<https://www.rfc-editor.org/info/rfc7935>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8174]Leiba,B.,“RFC 2119关键词中大写与小写的歧义”,BCP 14,RFC 8174,DOI 10.17487/RFC8174,2017年5月<https://www.rfc-editor.org/info/rfc8174>.
[RFC8205] Lepinski, M., Ed., and K. Sriram, Ed., "BGPsec Protocol Specification", RFC 8205, DOI 10.17487/RFC8205, September 2017, <https://www.rfc-editor.org/info/rfc8205>.
[RFC8205]Lepinski,M.,Ed.,和K.Sriram,Ed.,“BGPsec协议规范”,RFC 8205,DOI 10.17487/RFC8205,2017年9月<https://www.rfc-editor.org/info/rfc8205>.
[RFC8208] Turner, S. and O. Borchert, "BGP Algorithms, Key Formats, and Signature Formats", RFC 8208, DOI 10.17487/RFC8208, September 2017, <https://www.rfc-editor.org/info/rfc8208>.
[RFC8208]Turner,S.和O.Borchert,“BGP算法、密钥格式和签名格式”,RFC 8208,DOI 10.17487/RFC8208,2017年9月<https://www.rfc-editor.org/info/rfc8208>.
[X680] ITU-T, "Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation", ITU-T Recommendation X.680, ISO/IEC 8824-1, August 2015, <https://www.itu.int/rec/T-REC-X.680/en>.
[X680]ITU-T,“信息技术-抽象语法符号1(ASN.1):基本符号规范”,ITU-T建议X.680,ISO/IEC 8824-12015年8月<https://www.itu.int/rec/T-REC-X.680/en>.
[X690] ITU-T, "Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)", ITU-T Recommendation X.690, ISO/IEC 8825-1, August 2015, <https://www.itu.int/rec/T-REC-X.690/en>.
[X690]ITU-T,“信息技术-ASN.1编码规则:基本编码规则(BER)、规范编码规则(CER)和区分编码规则(DER)规范”,ITU-T建议X.690,ISO/IEC 8825-12015年8月<https://www.itu.int/rec/T-REC-X.690/en>.
[RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis", RFC 4272, DOI 10.17487/RFC4272, January 2006, <https://www.rfc-editor.org/info/rfc4272>.
[RFC4272]Murphy,S.,“BGP安全漏洞分析”,RFC 4272,DOI 10.17487/RFC4272,2006年1月<https://www.rfc-editor.org/info/rfc4272>.
[RFC5123] White, R. and B. Akyol, "Considerations in Validating the Path in BGP", RFC 5123, DOI 10.17487/RFC5123, February 2008, <https://www.rfc-editor.org/info/rfc5123>.
[RFC5123]White,R.和B.Akyol,“验证BGP中路径的注意事项”,RFC 5123,DOI 10.17487/RFC5123,2008年2月<https://www.rfc-editor.org/info/rfc5123>.
[RFC5492] Scudder, J. and R. Chandra, "Capabilities Advertisement with BGP-4", RFC 5492, DOI 10.17487/RFC5492, February 2009, <https://www.rfc-editor.org/info/rfc5492>.
[RFC5492]Scudder,J.和R.Chandra,“BGP-4的能力广告”,RFC 5492,DOI 10.17487/RFC5492,2009年2月<https://www.rfc-editor.org/info/rfc5492>.
[RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support Secure Internet Routing", RFC 6480, DOI 10.17487/RFC6480, February 2012, <https://www.rfc-editor.org/info/rfc6480>.
[RFC6480]Lepinski,M.和S.Kent,“支持安全互联网路由的基础设施”,RFC 6480,DOI 10.17487/RFC6480,2012年2月<https://www.rfc-editor.org/info/rfc6480>.
[RFC6482] Lepinski, M., Kent, S., and D. Kong, "A Profile for Route Origin Authorizations (ROAs)", RFC 6482, DOI 10.17487/RFC6482, February 2012, <https://www.rfc-editor.org/info/rfc6482>.
[RFC6482]Lepinski,M.,Kent,S.,和D.Kong,“路线原产地授权(ROA)的概要”,RFC 6482,DOI 10.17487/RFC6482,2012年2月<https://www.rfc-editor.org/info/rfc6482>.
[RFC6484] Kent, S., Kong, D., Seo, K., and R. Watro, "Certificate Policy (CP) for the Resource Public Key Infrastructure (RPKI)", BCP 173, RFC 6484, DOI 10.17487/RFC6484, February 2012, <https://www.rfc-editor.org/info/rfc6484>.
[RFC6484]Kent,S.,Kong,D.,Seo,K.,和R.Watro,“资源公钥基础设施(RPKI)的证书政策(CP)”,BCP 173,RFC 6484,DOI 10.17487/RFC64842012年2月<https://www.rfc-editor.org/info/rfc6484>.
[RFC6818] Yee, P., "Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 6818, DOI 10.17487/RFC6818, January 2013, <https://www.rfc-editor.org/info/rfc6818>.
[RFC6818]Yee,P.,“互联网X.509公钥基础设施证书和证书撤销列表(CRL)配置文件的更新”,RFC 6818,DOI 10.17487/RFC6818,2013年1月<https://www.rfc-editor.org/info/rfc6818>.
[RFC6916] Gagliano, R., Kent, S., and S. Turner, "Algorithm Agility Procedure for the Resource Public Key Infrastructure (RPKI)", BCP 182, RFC 6916, DOI 10.17487/RFC6916, April 2013, <https://www.rfc-editor.org/info/rfc6916>.
[RFC6916]Gagliano,R.,Kent,S.和S.Turner,“资源公钥基础设施(RPKI)的算法敏捷程序”,BCP 182,RFC 6916,DOI 10.17487/RFC6916,2013年4月<https://www.rfc-editor.org/info/rfc6916>.
BGPSECEKU { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-bgpsec-eku(84) }
BGPSECEKU { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-bgpsec-eku(84) }
DEFINITIONS EXPLICIT TAGS ::=
DEFINITIONS EXPLICIT TAGS ::=
BEGIN
开始
-- EXPORTS ALL --
--全部出口--
-- IMPORTS NOTHING --
--什么也不进口--
-- OID Arc --
--弧线--
id-kp OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) kp(3) }
id-kp OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) kp(3) }
-- BGPsec Router Extended Key Usage --
--BGPsec路由器扩展密钥使用--
id-kp-bgpsec-router OBJECT IDENTIFIER ::= { id-kp 30 }
id-kp-bgpsec-router OBJECT IDENTIFIER ::= { id-kp 30 }
END
终止
Acknowledgements
致谢
We would like to thank Geoff Huston, George Michaelson, and Robert Loomans for their work on [RFC6487], which this work is based on. In addition, the efforts of Matt Lepinski were instrumental in preparing this work. Additionally, we'd like to thank Rob Austein, Roque Gagliano, Richard Hansen, Geoff Huston, David Mandelberg, Sandra Murphy, and Sam Weiler for their reviews and comments.
我们要感谢Geoff Huston、George Michaelson和Robert Loomans在[RFC6487]上所做的工作,这项工作就是基于他们的工作。此外,马特·莱宾斯基的努力有助于这项工作的准备。此外,我们还要感谢Rob Austein、Roque Gagliano、Richard Hansen、Geoff Huston、David Mandelberg、Sandra Murphy和Sam Weiler的评论和评论。
Authors' Addresses
作者地址
Mark Reynolds Island Peak Software 328 Virginia Road Concord, MA 01742 United States of America
美国马萨诸塞州康科德市弗吉尼亚路328号马克·雷诺兹岛山顶软件公司01742
Email: mcr@islandpeaksoftware.com
Email: mcr@islandpeaksoftware.com
Sean Turner sn3rd
肖恩·特纳
Email: sean@sn3rd.com
Email: sean@sn3rd.com
Stephen Kent Raytheon BBN Technologies 10 Moulton St. Cambridge, MA 02138 United States of America
Stephen Kent Raytheon BBN Technologies美国马萨诸塞州剑桥莫尔顿街10号,邮编02138
Email: kent@alum.mit.edu
Email: kent@alum.mit.edu