Internet Engineering Task Force (IETF) B. Weis
Request for Comments: 8634 Independent
BCP: 224 R. Gagliano
Category: Best Current Practice Cisco Systems
ISSN: 2070-1721 K. Patel
Arrcus, Inc.
August 2019
Internet Engineering Task Force (IETF) B. Weis
Request for Comments: 8634 Independent
BCP: 224 R. Gagliano
Category: Best Current Practice Cisco Systems
ISSN: 2070-1721 K. Patel
Arrcus, Inc.
August 2019
BGPsec Router Certificate Rollover
BGPsec路由器证书翻转
Abstract
摘要
Certification Authorities (CAs) within the Resource Public Key Infrastructure (RPKI) manage BGPsec router certificates as well as RPKI certificates. The rollover of BGPsec router certificates must be carefully performed in order to synchronize the distribution of router public keys with BGPsec UPDATE messages verified with those router public keys. This document describes a safe rollover process, and it discusses when and why the rollover of BGPsec router certificates is necessary. When this rollover process is followed, the rollover will be performed without routing information being lost.
资源公钥基础设施(RPKI)内的证书颁发机构(CA)管理BGPsec路由器证书以及RPKI证书。必须仔细执行BGPsec路由器证书的滚动,以便将路由器公钥的分发与使用这些路由器公钥验证的BGPsec更新消息同步。本文档描述了一个安全的翻转过程,并讨论了何时以及为什么需要翻转BGPsec路由器证书。遵循此翻转过程时,将在不丢失路由信息的情况下执行翻转。
Status of This Memo
关于下段备忘
This memo documents an Internet Best Current Practice.
本备忘录记录了互联网最佳实践。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on BCPs is available in Section 2 of RFC 7841.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关BCP的更多信息,请参见RFC 7841第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8634.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问https://www.rfc-editor.org/info/rfc8634.
Copyright Notice
版权公告
Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.
版权(c)2019 IETF信托基金和被确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(https://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements Notation . . . . . . . . . . . . . . . . . . . . 4
3. Key Rollover in BGPsec . . . . . . . . . . . . . . . . . . . 4
3.1. Rollover Process . . . . . . . . . . . . . . . . . . . . 5
4. BGPsec Router Key Rollover as a Measure against Replay
Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.1. BGP UPDATE Window of Exposure Requirement . . . . . . . . 7
4.2. BGPsec Key Rollover as a Mechanism to Protect against
Replay Attacks . . . . . . . . . . . . . . . . . . . . . 7
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
6. Security Considerations . . . . . . . . . . . . . . . . . . . 9
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
7.1. Normative References . . . . . . . . . . . . . . . . . . 10
7.2. Informative References . . . . . . . . . . . . . . . . . 10
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements Notation . . . . . . . . . . . . . . . . . . . . 4
3. Key Rollover in BGPsec . . . . . . . . . . . . . . . . . . . 4
3.1. Rollover Process . . . . . . . . . . . . . . . . . . . . 5
4. BGPsec Router Key Rollover as a Measure against Replay
Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.1. BGP UPDATE Window of Exposure Requirement . . . . . . . . 7
4.2. BGPsec Key Rollover as a Mechanism to Protect against
Replay Attacks . . . . . . . . . . . . . . . . . . . . . 7
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
6. Security Considerations . . . . . . . . . . . . . . . . . . . 9
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
7.1. Normative References . . . . . . . . . . . . . . . . . . 10
7.2. Informative References . . . . . . . . . . . . . . . . . 10
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
In BGPsec, a key rollover (or re-key) is the process of changing a router's BGPsec key pair (or key pairs), issuing the corresponding new BGPsec router certificate, and (if the old certificate is still valid) revoking the old certificate. This process will need to happen at regular intervals, normally due to policies of the local network. This document describes a safe rollover process that results in a BGPsec receiver always having the needed verification keys. Certification Practice Statement (CPS) documents may reference this memo. This memo only addresses changing of a router's BGPsec key pair within the RPKI. Refer to [RFC6489] for a procedure to roll over RPKI Certification Authority key pairs.
在BGPsec中,密钥翻转(或重新密钥)是指更改路由器的BGPsec密钥对(或密钥对),颁发相应的新BGPsec路由器证书,以及(如果旧证书仍然有效)撤销旧证书的过程。通常由于本地网络的策略,此过程需要定期进行。本文档描述了一种安全翻转过程,该过程可使BGPsec接收器始终具有所需的验证密钥。认证实践声明(CPS)文件可参考本备忘录。此备忘录仅解决RPKI内路由器BGPsec密钥对的更改。请参阅[RFC6489]以了解翻转RPKI证书颁发机构密钥对的过程。
When a router receives or creates a new key pair (using a key provisioning mechanism), this key pair will be used to sign new BGPsec UPDATE messages [RFC8205] that are originated at or that transit through the BGP speaker. Additionally, the BGP speaker will refresh its outbound BGPsec UPDATE messages to include a signature using the new key (replacing the old key). When the rollover process finishes, the old BGPsec router certificate (and its key) will no longer be valid; thus, any BGPsec UPDATE message that includes a signature performed by the old key will be invalid. Consequently, if the router does not refresh its outbound BGPsec UPDATE messages, previously sent routing information may be treated as unauthenticated after the rollover process is finished. Therefore, it is extremely important that new BGPsec router certificates have been distributed throughout the RPKI before the router begins signing BGPsec UPDATE messages with a new private key.
当路由器接收或创建新的密钥对(使用密钥供应机制)时,该密钥对将用于签署新的BGPsec更新消息[RFC8205],这些消息起源于BGP扬声器或通过BGP扬声器传输。此外,BGP扬声器将刷新出站BGPsec更新消息,以包含使用新密钥(替换旧密钥)的签名。滚动过程完成后,旧的BGPsec路由器证书(及其密钥)将不再有效;因此,任何包含由旧密钥执行的签名的BGPsec更新消息都将无效。因此,如果路由器不刷新其出站BGPsec更新消息,则在翻转过程完成后,先前发送的路由信息可能会被视为未经验证。因此,在路由器开始使用新私钥签署BGPsec更新消息之前,在RPKI中分发新的BGPsec路由器证书是非常重要的。
It is also important for an AS to minimize the BGPsec router key-rollover interval (i.e., the period between the time when an AS distributes a BGPsec router certificate with a new public key and the time a BGPsec router begins to use its new private key). This can be due to a need for a BGPsec router to distribute BGPsec UPDATE messages signed with a new private key in order to invalidate BGPsec UPDATE messages signed with the old private key. In particular, if the AS suspects that a stale BGPsec UPDATE message is being distributed instead of the most recently signed attribute, it can cause the stale BGPsec UPDATE messages to be invalidated by completing a key-rollover procedure. The BGPsec router rollover interval can be minimized when an automated certificate provisioning process such as Enrollment over Secure Transport (EST) [RFC7030] is used.
AS还必须最小化BGPsec路由器密钥翻转间隔(即AS分发具有新公钥的BGPsec路由器证书与BGPsec路由器开始使用其新私钥之间的时间段)。这可能是因为BGPsec路由器需要分发使用新私钥签名的BGPsec更新消息,以便使使用旧私钥签名的BGPsec更新消息无效。特别是,如果AS怀疑正在分发过时的BGPsec更新消息,而不是最近签名的属性,则可能会通过完成密钥翻转过程使过时的BGPsec更新消息无效。当使用自动证书设置过程(如通过安全传输注册(EST)[RFC7030]时,BGPsec路由器翻转间隔可以最小化。
"Security Requirements for BGP Path Validation" [RFC7353] also describes the need for protecting against suppression of BGP UPDATE messages with Withdrawn Routes or replay of BGP UPDATE messages, such as controlling BGPsec's window of exposure to such attacks. The BGPsec router certificate rollover method in this document can be used to achieve this goal.
“BGP路径验证的安全要求”[RFC7353]还描述了防止通过撤销路由或重播BGP更新消息抑制BGP更新消息的需要,例如控制BGPsec暴露于此类攻击的窗口。本文档中的BGPsec路由器证书翻转方法可用于实现此目标。
In [RFC8635], the "operator-driven" method is introduced, in which a key pair can be shared among multiple BGP speakers. In this scenario, the rollover of the corresponding BGPsec router certificate will impact all the BGP speakers sharing the same private key.
在[RFC8635]中,引入了“操作员驱动”方法,在该方法中,一个密钥对可以在多个BGP扬声器之间共享。在这种情况下,相应BGPsec路由器证书的滚动将影响共享相同私钥的所有BGP扬声器。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“建议”、“不建议”、“可”和“可选”在所有大写字母出现时(如图所示)应按照BCP 14[RFC2119][RFC8174]所述进行解释。
A BGPsec router certificate SHOULD be replaced when the following events occur, and it can be replaced for any other reason at the discretion of the AS responsible for the BGPsec router certificate.
当发生以下事件时,应更换BGPsec路由器证书,并可根据负责BGPsec路由器证书的AS的判断,出于任何其他原因更换该证书。
Scheduled rollover: BGPsec router certificates have an expiration date (NotValidAfter) that requires a frequent rollover process to refresh certificates or issue new certificates. The validity period for these certificates is typically expressed in the CA's CPS document.
计划滚动:BGPsec路由器证书有一个到期日期(NotValidAfter),需要频繁的滚动过程来刷新证书或颁发新证书。这些证书的有效期通常在CA的CPS文件中表示。
Router certificate field changes: Information contained in a BGPsec router certificate (such as the Autonomous System Number (ASN) or the Subject) may need to be changed.
路由器证书字段更改:可能需要更改BGPsec路由器证书中包含的信息(例如自治系统号(ASN)或主题)。
Emergency router key rollover: Some special circumstances (such as a compromised key) may require the replacement of a BGPsec router certificate.
紧急路由器密钥翻转:某些特殊情况(如密钥泄露)可能需要更换BGPsec路由器证书。
Protection against withdrawal suppression and replay attacks: An AS may determine that withdrawn BGPsec UPDATE messages are being propagated instead of the most recently propagated BGPsec UPDATE messages. Changing the BGPsec router signing key, distributing a new BGPsec router certificate, and revoking the old BGPsec router certificate will invalidate the replayed BGPsec UPDATE messages.
防止撤回抑制和重播攻击:AS可能会确定正在传播撤回的BGPsec更新消息,而不是最近传播的BGPsec更新消息。更改BGPsec路由器签名密钥、分发新的BGPsec路由器证书以及撤销旧的BGPsec路由器证书将使重播的BGPsec更新消息无效。
In some of these cases, it is possible to generate a new certificate without changing the key pair. This practice simplifies the rollover process as the BGP speakers receiving BGPsec UPDATE messages do not even need to be aware of the change of certificate. However, not replacing the certificate key for a long period of time increases the risk that a compromised router private key may be used by an attacker to deliver unauthorized or false BGPsec UPDATE messages. Distributing the old public key in a new certificate is NOT RECOMMENDED when the rollover event is due to a compromised key or when it is suspected that withdrawn BGPsec UPDATE messages are being distributed.
在某些情况下,可以在不更改密钥对的情况下生成新证书。由于接收BGPsec更新消息的BGP扬声器甚至不需要知道证书的更改,因此这种做法简化了滚动过程。但是,长时间不更换证书密钥会增加攻击者使用受损路由器私钥传递未经授权或虚假BGPsec更新消息的风险。如果翻滚事件是由于密钥泄露造成的,或者怀疑正在分发撤回的BGPsec更新消息,则不建议在新证书中分发旧公钥。
The key-rollover process is dependent on the key provisioning mechanisms adopted by an AS [RFC8635]. An automatic provisioning mechanism such as EST will allow procedures for router key management to include automatic re-keying methods with minimum development cost.
密钥翻转过程取决于AS采用的密钥供应机制[RFC8635]。EST等自动配置机制将允许路由器密钥管理程序包括自动密钥重设方法,且开发成本最低。
A safe BGPsec router key-rollover process is as follows.
安全的BGPsec路由器密钥翻转过程如下所示。
1. New Certificate Publication: The first step in the rollover mechanism is to publish the new certificate. If required, a new key pair will be generated for the BGPsec router. A new certificate will be generated and the certificate will be published at the appropriate RPKI repository publication point.
1. 新证书发布:滚动机制的第一步是发布新证书。如果需要,将为BGPsec路由器生成新的密钥对。将生成一个新证书,并在适当的RPKI存储库发布点发布该证书。
The details of this process will vary as they depend on 1) whether the keys are assigned per-BGPsec speaker or shared among multiple BGPsec speakers, 2) whether the keys are generated on each BGPsec speaker or in a central location, and 3) whether the RPKI repository is locally or externally hosted.
此过程的细节将有所不同,因为它们取决于1)密钥是分配给每个BGPsec扬声器还是在多个BGPsec扬声器之间共享,2)密钥是在每个BGPsec扬声器上生成还是在中心位置生成,以及3)RPKI存储库是本地托管还是外部托管。
2. Staging Period: A staging period will be required from the time a new certificate is published in the global RPKI repository until the time it is fetched by RPKI caches around the globe. The exact minimum staging time will be dictated by the conventional interval chosen between repository fetches. If rollovers will be done more frequently, an administrator can provision two certificates for every router concurrently with different valid start times. In this case, when the rollover operation is needed, the relying parties around the globe would already have the new router public keys. However, if an administrator has not previously provisioned the next certificate, implementing a staging period may not be possible during emergency key rollover. If there is no staging period, routing may be disrupted due to the inability of a BGPsec router to validate BGPsec UPDATE messages signed with a new private key.
2. 暂存期:从全局RPKI存储库中发布新证书到全球RPKI缓存获取证书,需要一个暂存期。确切的最短暂存时间将由存储库获取之间选择的常规间隔决定。如果要更频繁地进行滚动,管理员可以为每个路由器同时提供两个证书,并且具有不同的有效启动时间。在这种情况下,当需要滚动操作时,全球的依赖方将已经拥有新的路由器公钥。但是,如果管理员以前没有设置下一个证书,则在紧急密钥翻转期间可能无法实现过渡期。如果没有过渡期,由于BGPsec路由器无法验证使用新私钥签名的BGPsec更新消息,路由可能会中断。
3. Twilight: In this step, the BGPsec speaker holding the rolled-over private key will stop using the old key for signing and will start using the new key. Also, the router will generate appropriate refreshed BGPsec UPDATE messages, just as in the typical operation of refreshing outbound BGP polices. This operation may generate a great number of BGPsec UPDATE messages. A BGPsec speaker may vary the distribution of BGPsec UPDATE messages in this step for every peer in order to distribute the system load (e.g., skewing the rollover for different peers by a few minutes each would be sufficient and effective).
3. 黄昏:在这一步中,持有滚动私钥的BGPsec扬声器将停止使用旧密钥进行签名,并开始使用新密钥。此外,路由器将生成适当的刷新BGPsec更新消息,就像刷新出站BGP策略的典型操作一样。此操作可能会生成大量BGPsec更新消息。在此步骤中,BGPsec演讲者可能会改变BGPsec更新消息在每个对等方的分布,以分配系统负载(例如,将不同对等方的滚动时间倾斜几分钟,每个都足够且有效)。
4. Certificate Revocation: This is an optional step, but it SHOULD be taken when the goal is to invalidate BGPsec UPDATE messages signed with the old key. Reasons to invalidate old BGPsec UPDATE messages include (a) the AS has reason to believe that the router signing key has been compromised, and (b) the AS needs to invalidate already-propagated BGPsec UPDATE messages signed with the old key. As part of the rollover process, a CA MAY decide to revoke the old certificate by publishing its serial number on the CA's Certificate Revocation List (CRL). Alternatively, the CA will just let the old certificate expire and not revoke it. This choice will depend on the reasons that motivated the rollover process.
4. 证书吊销:这是一个可选步骤,但当目标是使使用旧密钥签名的BGPsec更新消息无效时,应采取此步骤。使旧BGPsec更新消息无效的原因包括(a)AS有理由相信路由器签名密钥已被泄露,以及(b)AS需要使已传播的使用旧密钥签名的BGPsec更新消息无效。作为滚动过程的一部分,CA可以通过在CA的证书撤销列表(CRL)上发布其序列号来决定撤销旧证书。或者,CA只让旧证书过期,而不撤销它。这一选择将取决于推动滚动过程的原因。
5. RPKI-Router Protocol Withdrawals: At the expiration of the old certificate's validation, the RPKI relying parties around the globe will need to communicate to their router peers that the old certificate's public key is no longer valid (e.g., using the RPKI-Router Protocol described in [RFC8210]). A router's reaction to a message indicating withdrawal of a router key in the RPKI-Router Protocol SHOULD include the removal of any RIB entries (i.e., BGPsec updates) signed with that key and the generation of the corresponding BGP UPDATE message with Withdrawn Routes (either implicit or explicit).
5. RPKI路由器协议撤销:在旧证书的验证到期时,全球各地的RPKI依赖方将需要向其路由器对等方传达旧证书的公钥不再有效(例如,使用[RFC8210]中描述的RPKI路由器协议)。路由器对RPKI路由器协议中指示撤回路由器密钥的消息的反应应包括删除使用该密钥签名的任何RIB条目(即BGPsec更新),并生成具有撤回路由(隐式或显式)的相应BGP更新消息。
This rollover mechanism depends on the existence of an automatic provisioning process for BGPsec router certificates. It requires a staging mechanism based on the RPKI propagation time (at the time of writing, this is typically a 24-hour period), and an AS is REQUIRED to re-sign all originated and transited BGPsec UPDATE messages that were previously signed with the old key.
这种滚动机制取决于BGPsec路由器证书的自动供应过程的存在。它需要一个基于RPKI传播时间的登台机制(在编写时,这通常是一个24小时的时间段),并且需要一个AS来重新签名以前使用旧密钥签名的所有原始和传输的BGPsec更新消息。
The first two steps (New Certificate Publication and Staging Period) may happen in advance of the rest of the process. This will allow a network operator to perform its subsequent key rollover in an efficient and timely manner.
前两个步骤(新证书发布和暂存期)可能在流程的其余部分之前发生。这将使网络运营商能够高效、及时地执行其随后的密钥翻转。
When a new BGPsec router certificate is generated without changing its key, steps 3 (Twilight) and 5 (RPKI-Router Protocol Withdrawals) SHOULD NOT be executed.
当生成新的BGPsec路由器证书而不更改其密钥时,不应执行步骤3(Twilight)和步骤5(RPKI路由器协议撤回)。
There are two typical generic measures to mitigate replay attacks in any protocol: the addition of a timestamp or the addition of a serial number. However, neither BGP nor BGPsec provides these measures. The timestamp approach was originally proposed for BGPsec [PROTECTION-DESIGN-DISCUSSION] but was later dropped in favor of the key-rollover approach. This section discusses the use of key rollover as a measure to mitigate replay attacks.
在任何协议中,有两种典型的通用措施来缓解重播攻击:添加时间戳或添加序列号。然而,BGP和BGPsec均未提供这些措施。时间戳方法最初是为BGPsec[PROTECTION-DESIGN-DISCUSSION]提出的,但后来被放弃,取而代之的是密钥翻转方法。本节讨论使用密钥翻转作为缓解重播攻击的措施。
The need to limit the vulnerability to replay attacks is described in Section 4.3 of [RFC7353]. One important comment is that during a window of exposure, a replay attack is effective only in very specific circumstances: there is a downstream topology change that makes the signed AS path no longer current, and the topology change makes the replayed route preferable to the route associated with the new update. In particular, if there is no topology change at all, then no security threat comes from a replay of a BGPsec UPDATE message because the signed information is still valid.
[RFC7353]第4.3节描述了限制重放攻击漏洞的必要性。一个重要的评论是,在曝光窗口期间,重播攻击仅在非常特定的情况下有效:下游拓扑更改使签名为路径不再是当前路径,并且拓扑更改使重播路由优于与新更新关联的路由。特别是,如果根本没有拓扑更改,那么BGPsec更新消息的重播不会带来安全威胁,因为签名信息仍然有效。
"BGPsec Operational Considerations" [RFC8207] gives some idea of requirements for the size of the window of exposure to replay attacks. It states that the requirement will be in the order of a day or longer.
“BGPsec操作注意事项”[RFC8207]给出了重放攻击暴露窗口大小的一些要求。它规定,该要求将在一天或更长的时间。
4.2. BGPsec Key Rollover as a Mechanism to Protect against Replay Attacks
4.2. BGPsec密钥翻转作为防止重放攻击的机制
Since the window requirement is on the order of a day (as documented in [RFC8207]) and the BGP speaker performing re-keying is the edge router of the origin AS, it is feasible to use key rollover to mitigate replays. In this case, it is important to complete the full process (i.e., the old and new certificates do not share the same key). By re-keying, an AS is letting the BGPsec router certificate validation time be a type of "timestamp" to mitigate replay attacks. However, the use of frequent key rollovers comes with an additional administrative cost and risks if the process fails. As documented in [RFC8207], re-keying should be supported by automatic tools, and for the great majority of the Internet, it will be done with good lead time to ensure that the public key corresponding to the new router certificate will be available to validate the corresponding BGPsec UPDATE messages when received.
由于窗口要求大约为一天(如[RFC8207]中所述),且执行重发键控的BGP扬声器是源as的边缘路由器,因此使用键翻转来缓解重播是可行的。在这种情况下,必须完成整个过程(即旧证书和新证书不共享同一密钥)。通过重新设置密钥,AS使BGPsec路由器证书验证时间成为一种“时间戳”,以减轻重播攻击。然而,如果过程失败,频繁使用密钥滚动将带来额外的管理成本和风险。如[RFC8207]中所述,应通过自动工具支持重新设置密钥,并且对于绝大多数互联网而言,重新设置密钥将以良好的提前期完成,以确保与新路由器证书相对应的公钥在收到时可用于验证相应的BGPsec更新消息。
If a transit AS also originates BGPsec UPDATE messages for its own prefixes and it wishes to mitigate replay attacks on those prefixes, then the transit AS SHOULD be provisioned with two unique key pairs
如果传输AS还为其自己的前缀生成BGPsec更新消息,并且希望减轻对这些前缀的重播攻击,则传输AS应配备两个唯一的密钥对
and certificates. One of the key pairs is used to sign BGPsec UPDATE messages for prefixes originated from the transit AS, and it can have a replay protection policy applied to it. The other key pair is used to sign BGPsec UPDATE messages in transit and SHOULD NOT have a replay protection policy applied to it. Because the transit AS is not likely to know or care about the policy of origin ASes elsewhere, there is no value gained by the transit AS performing key rollovers to mitigate replay attacks against prefixes originated elsewhere. If the transit AS were instead to perform replay protection for all updates that it signs, its process for key rollovers would generate a large number of BGPsec UPDATE messages, even in the complete Default-Free Zone (DFZ). Therefore, it is best to let each AS independently manage the replay attack vulnerability window for the prefixes it originates.
和证书。其中一个密钥对用于对源自传输AS的前缀的BGPsec更新消息进行签名,并且可以对其应用重播保护策略。另一个密钥对用于对传输中的BGPsec更新消息进行签名,不应对其应用重播保护策略。由于transit AS不太可能知道或关心其他地方的源代码策略,因此transit执行密钥翻转以减轻对源自其他地方的前缀的重播攻击没有任何价值。如果transit AS转而对其签署的所有更新执行重播保护,则其密钥翻转过程将生成大量BGPsec更新消息,即使在完全默认自由区(DFZ)中也是如此。因此,最好让每个AS独立管理其发起前缀的重播攻击漏洞窗口。
Advantages to re-keying as a replay attack protection mechanism are as follows:
重设密钥作为重播攻击保护机制的优点如下:
1. All expiration policies are maintained in the RPKI.
1. 所有过期策略都在RPKI中维护。
2. Much of the additional administrative cost is paid by the provider that wants to protect its infrastructure, as it bears the cost of creating and initiating distribution of new router key pairs and BGPsec router certificates. (It is true that the cost of relying parties will be affected by the new objects, but their responses should be completely automated or otherwise routine.)
2. 大部分额外的管理成本由希望保护其基础设施的提供商支付,因为它承担了创建和开始分发新的路由器密钥对和BGPsec路由器证书的成本。(确实,依赖方的成本将受到新对象的影响,但其响应应完全自动化或常规化。)
3. The re-keying can be implemented in coordination with planned topology changes by either origin ASes or transit ASes (e.g., if an AS changes providers, it completes a key rollover).
3. 可通过原始ASE或中转ASE(例如,如果AS更改了提供程序,则完成密钥翻转)与计划的拓扑更改协调执行密钥更新。
Disadvantages to re-keying as replay attack protection mechanism are as follows:
作为重放攻击保护机制,重新设置密钥的缺点如下:
1. Frequent rollovers add administrative and BGP processing loads, although the required frequency is not clear. Some initial ideas are found in [RFC8207].
1. 频繁的滚动增加了管理和BGP处理负载,尽管所需的频率尚不清楚。[RFC8207]中有一些初步想法。
2. The minimum replay vulnerability is bounded by the propagation time for RPKI caches to obtain the new certificate and CRL (2x propagation time because first the new certificate and then the CRL need to propagate through the RPKI system). If provisioning is done ahead of time, the minimum replay vulnerability window size is reduced to 1x propagation time (i.e., propagation of the CRL). However, these bounds will be better understood when the
2. 最小重播漏洞受RPKI缓存获取新证书和CRL的传播时间限制(传播时间为2倍,因为首先是新证书,然后是CRL需要通过RPKI系统传播)。如果提前完成配置,则最小重播漏洞窗口大小将减少到1x传播时间(即CRL的传播)。然而,当
RPKI and RPKI relying party software are well deployed; this will also contribute to the propagation time for objects in the RPKI being better understood.
RPKI和RPKI依赖方软件部署良好;这也有助于更好地理解RPKI中对象的传播时间。
3. Re-keying increases the dynamics and size of the RPKI repository.
3. 重新设置关键帧会增加RPKI存储库的动态性和大小。
This document has no IANA actions.
本文档没有IANA操作。
This document does not contain a protocol update to either the RPKI or BGPsec. It describes a process for managing BGPsec router certificates within the RPKI.
本文件不包含RPKI或BGPsec的协议更新。它描述了在RPKI中管理BGPsec路由器证书的过程。
Routers participating in BGPsec will need to roll over their signing keys as part of conventional processing of certificate management. However, because rolling over signing keys will also have the effect of invalidating BGPsec UPDATE message signatures, the rollover process must be carefully orchestrated to ensure that valid BGPsec UPDATE messages are not treated as invalid. This situation could affect Internet routing. This document describes a safe method for rolling over BGPsec router certificates. It takes into account both normal and emergency key-rollover requirements.
作为证书管理常规处理的一部分,参与BGPsec的路由器将需要滚动其签名密钥。但是,由于滚动签名密钥也会使BGPsec更新消息签名无效,因此必须仔细安排滚动过程,以确保有效的BGPsec更新消息不会被视为无效。这种情况可能会影响Internet路由。本文档描述了一种用于滚动BGPsec路由器证书的安全方法。它同时考虑了正常和紧急钥匙翻转要求。
Additionally, the key-rollover method described in this document can be used as a measure to mitigate BGP UPDATE replay attacks, in which an entity in the routing system is suppressing current BGPsec UPDATE messages and replaying withdrawn updates. When the key used to sign the withdrawn updates has been rolled over, the withdrawn updates will be considered invalid. When certificates containing a new public key are provisioned ahead of time, the minimum replay vulnerability window size is reduced to the propagation time of a CRL invalidating the certificate containing an old public key. For a discussion of the difficulties deploying a more effectual replay protection mechanism for BGPSEC, see [PROTECTION-DESIGN-DISCUSSION].
此外,本文档中描述的密钥翻转方法可作为缓解BGP更新重放攻击的措施,其中路由系统中的实体正在抑制当前BGPsec更新消息并重放撤回的更新。当用于签署撤回的更新的密钥被滚动时,撤回的更新将被视为无效。如果提前设置了包含新公钥的证书,则最小重播漏洞窗口大小将减小到CRL的传播时间,从而使包含旧公钥的证书无效。有关为BGPSEC部署更有效的重播保护机制的困难的讨论,请参阅[protection-DESIGN-discussion]。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,DOI 10.17487/RFC2119,1997年3月<https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8174]Leiba,B.,“RFC 2119关键词中大写与小写的歧义”,BCP 14,RFC 8174,DOI 10.17487/RFC8174,2017年5月<https://www.rfc-editor.org/info/rfc8174>.
[RFC8635] Bush, R., Turner, S., and K. Patel, "Router Keying for BGPsec", RFC 8635, DOI 10.17487/RFC8635, August 2019, <https://www.rfc-editor.org/info/rfc8635>.
[RFC8635]Bush,R.,Turner,S.,和K.Patel,“BGPsec的路由器键控”,RFC 8635,DOI 10.17487/RFC86352019年8月<https://www.rfc-editor.org/info/rfc8635>.
[PROTECTION-DESIGN-DISCUSSION] Sriram, K. and D. Montgomery, "Design Discussion and Comparison of Protection Mechanisms for Replay Attack and Withdrawal Suppression in BGPsec", Work in Progress, draft-sriram-replay-protection-design-discussion-12, April 2019.
[PROTECTION-DESIGN-DISCUSSION]Sriram,K.和D.Montgomery,“BGPsec中重放攻击和撤回抑制保护机制的设计讨论和比较”,正在进行的工作,草稿-Sriram-Replay-PROTECTION-DESIGN-DISCUSSION-12,2019年4月。
[RFC6489] Huston, G., Michaelson, G., and S. Kent, "Certification Authority (CA) Key Rollover in the Resource Public Key Infrastructure (RPKI)", BCP 174, RFC 6489, DOI 10.17487/RFC6489, February 2012, <https://www.rfc-editor.org/info/rfc6489>.
[RFC6489]Huston,G.,Michaelson,G.,和S.Kent,“资源公钥基础设施(RPKI)中的证书颁发机构(CA)密钥滚动”,BCP 174,RFC 6489,DOI 10.17487/RFC6489,2012年2月<https://www.rfc-editor.org/info/rfc6489>.
[RFC7030] Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed., "Enrollment over Secure Transport", RFC 7030, DOI 10.17487/RFC7030, October 2013, <https://www.rfc-editor.org/info/rfc7030>.
[RFC7030]Pritikin,M.,Ed.,Yee,P.,Ed.,和D.Harkins,Ed.,“安全传输的注册”,RFC 7030,DOI 10.17487/RFC7030,2013年10月<https://www.rfc-editor.org/info/rfc7030>.
[RFC7353] Bellovin, S., Bush, R., and D. Ward, "Security Requirements for BGP Path Validation", RFC 7353, DOI 10.17487/RFC7353, August 2014, <https://www.rfc-editor.org/info/rfc7353>.
[RFC7353]Bellovin,S.,Bush,R.,和D.Ward,“BGP路径验证的安全要求”,RFC 7353,DOI 10.17487/RFC7353,2014年8月<https://www.rfc-editor.org/info/rfc7353>.
[RFC8205] Lepinski, M., Ed. and K. Sriram, Ed., "BGPsec Protocol Specification", RFC 8205, DOI 10.17487/RFC8205, September 2017, <https://www.rfc-editor.org/info/rfc8205>.
[RFC8205]Lepinski,M.,Ed.和K.Sriram,Ed.,“BGPsec协议规范”,RFC 8205,DOI 10.17487/RFC8205,2017年9月<https://www.rfc-editor.org/info/rfc8205>.
[RFC8207] Bush, R., "BGPsec Operational Considerations", BCP 211, RFC 8207, DOI 10.17487/RFC8207, September 2017, <https://www.rfc-editor.org/info/rfc8207>.
[RFC8207]布什,R.,“BGPsec运营考虑”,BCP 211,RFC 8207,DOI 10.17487/RFC8207,2017年9月<https://www.rfc-editor.org/info/rfc8207>.
[RFC8210] Bush, R. and R. Austein, "The Resource Public Key Infrastructure (RPKI) to Router Protocol, Version 1", RFC 8210, DOI 10.17487/RFC8210, September 2017, <https://www.rfc-editor.org/info/rfc8210>.
[RFC8210]Bush,R.和R.Austein,“资源公钥基础设施(RPKI)到路由器协议,版本1”,RFC 8210,DOI 10.17487/RFC8210,2017年9月<https://www.rfc-editor.org/info/rfc8210>.
Acknowledgments
致谢
Randy Bush, Kotikalapudi Sriram, Stephen Kent, and Sandy Murphy each provided valuable suggestions resulting in an improved document. Kotikalapudi Sriram contributed valuable guidance regarding the use of key rollovers to mitigate BGP UPDATE replay attacks.
Randy Bush、Kotikalapudi Sriram、Stephen Kent和Sandy Murphy都提供了宝贵的建议,从而改进了文件。Kotikalapudi Sriram就使用密钥翻转来缓解BGP更新重播攻击提供了宝贵的指导。
Authors' Addresses
作者地址
Brian Weis Independent
布莱恩·韦恩是独立的
Email: bew.stds@gmail.com
Email: bew.stds@gmail.com
Roque Gagliano Cisco Systems Avenue des Uttins 5 Rolle, VD 1180 Switzerland
Roque Gagliano思科系统大道des Uttins 5号,瑞士罗勒市,邮编1180
Email: rogaglia@cisco.com
Email: rogaglia@cisco.com
Keyur Patel Arrcus, Inc.
凯乌尔·帕特尔·阿卡斯公司。
Email: keyur@arrcus.com
Email: keyur@arrcus.com