Internet Engineering Task Force (IETF) R. Bush
Request for Comments: 7128 Internet Initiative Japan
Category: Informational R. Austein
ISSN: 2070-1721 Dragon Research Labs
K. Patel
Cisco Systems
H. Gredler
Juniper Networks, Inc.
M. Waehlisch
FU Berlin
February 2014
Resource Public Key Infrastructure (RPKI) Router Implementation Report
资源公钥基础设施 (RPKI) 路由器实施报告
Abstract
摘要
This document is an implementation report for the Resource Public Key Infrastructure (RPKI) Router protocol as defined in RFC 6810. The authors did not verify the accuracy of the information provided by respondents. The respondents are experts with the implementations they reported on, and their responses are considered authoritative for the implementations for which their responses represent. The respondents were asked to only use the "YES" answer if the feature had at least been tested in the lab.
本文档是 RFC 6810 中定义的资源公钥基础设施 (RPKI) 路由器协议的实施报告。作者并未核实受访者所提供信息的准确性。受访者是他们所报告的实现方面的专家,他们的答复被认为对其所代表的实现具有权威性。受访者被要求至少在实验室测试过该功能后才使用 "是 "的答案。
Status of This Memo
本备忘录的地位
This document is not an Internet Standards Track specification; it is published for informational purposes.
本文件不是互联网标准跟踪规范,仅用于提供信息。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
本文件是互联网工程任务组 (IETF) 的成果。它代表了 IETF 社区的共识。它已接受公众审查,并经互联网工程指导小组 (IESG) 批准发布。并非所有经 IESG 批准的文件都能成为任何级别的互联网标准候选文件;请参见 RFC 5741 第 2 节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7128.
有关本文件的当前状态、任何勘误以及如何提供反馈的信息,请访问 http://www.rfc-editor.org/info/rfc7128。
Copyright Notice
版权声明
Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.
Copyright (c) 2014 IETF Trust 和文件作者。保留所有权利。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文档受 BCP 78 和本文档发布之日有效的 IETF 信托基金《与 IETF 文档有关的法律规定》 (http://trustee.ietf.org/license-info) 的约束。请仔细阅读这些文件,因为它们描述了您对本文档的权利和限制。从本文档中提取的代码组件必须包含信托法律条款第 4.e 节中所述的简化 BSD 许可文本,并且不提供简化 BSD 许可中所述的担保。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Implementation Forms . . . . . . . . . . . . . . . . . . . . 3
3. Protocol Data Units . . . . . . . . . . . . . . . . . . . . . 4
4. Protocol Sequence . . . . . . . . . . . . . . . . . . . . . . 6
5. Protocol Transport . . . . . . . . . . . . . . . . . . . . . 7
6. Error Codes . . . . . . . . . . . . . . . . . . . . . . . . . 7
7. Incremental Updates Support . . . . . . . . . . . . . . . . . 8
8. Session ID Support . . . . . . . . . . . . . . . . . . . . . 8
9. Incremental Session Startup Support . . . . . . . . . . . . . 8
10. Interoperable Implementations . . . . . . . . . . . . . . . . 9
10.1. Cisco Implementation . . . . . . . . . . . . . . . . . . 9
10.2. Juniper Implementation . . . . . . . . . . . . . . . . . 9
10.3. rpki.net Implementation . . . . . . . . . . . . . . . . 9
10.4. RIPE NCC Implementation . . . . . . . . . . . . . . . . 9
10.5. RTRlib Implementation . . . . . . . . . . . . . . . . . 9
10.6. BBN RPSTIR Implementation . . . . . . . . . . . . . . . 9
11. Security Considerations . . . . . . . . . . . . . . . . . . . 9
12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10
13. Normative References . . . . . . . . . . . . . . . . . . . . 10
In order to formally validate the origin Autonomous Systems (ASes) of BGP announcements, routers need a simple but reliable mechanism to receive Resource Public Key Infrastructure (RPKI) [RFC6810] prefix origin data from a trusted cache. The RPKI Router protocol defined in [RFC6810] provides a mechanism to deliver validated prefix origin data to routers.
为了正式验证 BGP 公告的起源自治系统 (ASes),路由器需要一种简单但可靠的机制,以便从可信缓存接收资源公钥基础设施 (RPKI) [RFC6810] 前缀起源数据。RPKI 路由器协议定义于 [RFC6810] 中,它提供了一种向路由器传送经过验证的前缀来源数据的机制。
This document provides an implementation report for the RPKI Router protocol as defined in RFC 6810 [RFC6810].
本文档提供了 RFC 6810 [RFC6810] 中定义的 RPKI 路由器协议的实施报告。
The authors did not verify the accuracy of the information provided by respondents or by any alternative means. The respondents are experts with the implementations they reported on, and their responses are considered authoritative for the implementations for which their responses represent. Respondents were asked to only use the "YES" answer if the feature had at least been tested in the lab.
作者没有核实受访者提供的信息的准确性,也没有通过任何其他方式进行核实。受访者是他们所报告的实施方案的专家,他们的回答被认为对其所代表的实施方案具有权威性。受访者被要求至少在实验室测试过该功能后才使用 "是"。
Contact and implementation information for person filling out this form:
填表人的联系方式和执行信息:
IOS Name: Keyur Patel Email: [email protected] Vendor: Cisco Systems, Inc. Release: IOS Protocol Role: Client
IOS Name:Keyur Patel Email: [email protected] Vendor:思科系统公司版本:IOSIOS 协议角色:客户端
XR Name: Forhad Ahmed Email:[email protected] Vendor: Cisco Systems, Inc. Release: IOS-XR Protocol Role: Client
XR 名称:Forhad Ahmed Email:[email protected] 供应商:思科系统公司版本:IOS-XRIOS-XR 协议角色:客户端
JUNOS Name: Hannes Gredler Email: [email protected] Vendor: Juniper Networks, Inc. Release: JUNOS Protocol Role: Client
JUNOS Name:Hannes Gredler 电子邮件:[email protected] 供应商:瞻博网络公司版本:JUNOSJUNOS 协议角色:客户端
rpki.net
Name: Rob Austein
Email: [email protected]
Vendor: rpki.net project
Release: <http://subvert-rpki.hactrn.net/trunk/>
Protocol Role: Client, Server
NCC
Name: Tim Bruijnzeels
Email: [email protected]
Vendor: RIPE NCC
Release: RIPE NCC validator-app 2.0.0 <https://github.com/RIPE-NCC
/rpki-validator>
Protocol Role: Server
RTRlib
Name: Fabian Holler, Matthias Waehlisch
Email: [email protected]
Vendor: HAW Hamburg, FU Berlin, RTRlib project
Release: RTRlib 0.2 <http://rpki.realmv6.org/>
Protocol Role: Client
BBN
Name: David Mandelberg, Andrew Chi
Email: [email protected]
Vendor: Raytheon/BBN Technologies
Release: RPSTIR 0.2 <http://sourceforge.net/projects/rpstir/>
Protocol Role: Server
Does the implementation support Protocol Data Units (PDUs) as described in Section 5 of [RFC6810]?
实施是否支持 [RFC6810] 第 5 节所述的协议数据单元 (PDU)?
P0: Serial Notify
P0:串行通知
P1: Serial Query
P1: 串行查询
P2: Reset Query
P2:重置查询
P3: Cache Response
P3:缓存响应
P4: IPv4 Prefix
P4: IPv4 前缀
P6: IPv6 Prefix
P6: IPv6 前缀
P7: End of Data P8: Cache Reset
P7:数据结束 P8:高速缓存复位
P10: Error Report
P10:错误报告
+---------+-----+-----+-------+--------+---------+-----+------+-----+
| | IOS | XR | JUNOS | rpki | rpki | NCC | RTR- | BBN |
| | | | | .net | .net | | lib | |
| | | | | clnt | srvr | | | |
+---------+-----+-----+-------+--------+---------+-----+------+-----+
| Rcv.P0 | YES | YES | YES | YES | --- | --- | YES | --- |
| Snd.P0 | --- | --- | --- | --- | YES | YES | --- | YES |
| Rcv.P1 | --- | --- | --- | --- | YES | YES | --- | YES |
| Snd.P1 | YES | YES | YES | YES | --- | --- | YES | --- |
| Rcv.P2 | --- | --- | --- | --- | YES | YES | --- | YES |
| Snd.P2 | YES | YES | YES | YES | --- | --- | YES | --- |
| Rcv.P3 | YES | YES | YES | YES | --- | --- | YES | --- |
| Snd.P3 | --- | --- | --- | --- | YES | YES | --- | YES |
| Rcv.P4 | YES | YES | YES | YES | --- | --- | YES | --- |
| Snd.P4 | --- | --- | --- | --- | YES | YES | --- | YES |
| Rcv.P6 | YES | YES | YES | YES | --- | --- | YES | --- |
| Snd.P6 | --- | --- | --- | --- | YES | YES | --- | YES |
| Rcv.P7 | YES | YES | YES | YES | --- | --- | YES | --- |
| Snd.P7 | --- | --- | --- | --- | YES | YES | --- | YES |
| Rcv.P8 | YES | YES | YES | YES | --- | --- | YES | --- |
| Snd.P8 | --- | --- | --- | --- | YES | YES | --- | YES |
| Rcv.P10 | YES | YES | NO~1 | YES | YES | YES | YES | YES |
| Snd.P10 | YES | NO | NO | YES | YES | YES | YES | YES |
+---------+-----+-----+-------+--------+---------+-----+------+-----+
Note 1: No, Error PDU gets silently ignored.
注 1:否,错误 PDU 会被静默忽略。
Does the RPKI Router protocol implementation follow the four protocol sequences as outlined in Section 6 of [RFC6810]?
RPKI 路由器协议实施是否遵循 [RFC6810] 第 6 节中概述的四个协议序列?
S1: Start or Restart
S1: 启动或重启
S2: Typical Exchange
S2:典型交流
S3: No Incremental Update Available
S3:无增量更新可用
S4: Cache Has No Data Available
S4:缓存中没有可用数据
+----+-----+-----+-------+--------+---------+------+--------+-------+
| | IOS | XR | JUNOS | rpki | rpki | NCC | RTRlib | BBN |
| | | | | .net | .net | | | |
| | | | | clnt | srvr | | | |
+----+-----+-----+-------+--------+---------+------+--------+-------+
| S1 | YES | YES | YES | YES | YES | YES | YES | YES |
| S2 | YES | YES | YES | YES | YES | NO~1 | YES | YES |
| S3 | YES | YES | YES | YES | YES | YES | YES | YES |
| S4 | YES | YES | YES | YES | YES | YES | YES | YES~2 |
+----+-----+-----+-------+--------+---------+------+--------+-------+
Note 1: Does not implement Serial Query, thus Incremental Update is never available, so responds to Serial Query with Cache Reset as described in Section 6.3 of [RFC6810]
注 1:不实现串行查询,因此增量更新永远不可用,所以响应串行查询时要进行 [RFC6810] 第 6.3 节所述的缓存重置。
Note 2: Sends Cache Reset in response to Serial Query when no data; sends Error Report PDU in response to Reset Query when no data.
注 2:无数据时,响应串行查询发送缓存重置;无数据时,响应重置查询发送错误报告 PDU。
Does the RPKI Router protocol implementation support the different protocol transport mechanisms outlined in Section 7 of [RFC6810]?
RPKI 路由器协议实施是否支持 [RFC6810] 第 7 节中概述的不同协议传输机制?
+---------+-----+-----+-------+-------+--------+-----+--------+-----+
| | IOS | XR | JUNOS | rpki | rpki | NCC | RTRlib | BBN |
| | | | | .net | .net | | | |
| | | | | clnt | srvr | | | |
+---------+-----+-----+-------+-------+--------+-----+--------+-----+
| SSH | NO | YES | NO | YES | YES | NO | YES | YES |
| TLS | NO | NO | NO | NO | NO | NO | NO | NO |
| TCP | YES | YES | YES | YES | YES | YES | YES | YES |
| TCP-MD5 | NO | NO | NO | NO | NO | NO | NO | NO |
| TCP-AO | NO | NO | NO | NO | NO | NO | NO | NO |
| IPsec | NO | NO | NO | NO | NO | NO | NO | NO |
+---------+-----+-----+-------+-------+--------+-----+--------+-----+
Does the RPKI Router protocol implementation support the different protocol error codes outlined in Section 10 of [RFC6810]?
RPKI 路由器协议实施是否支持 [RFC6810] 第 10 节中列出的不同协议错误代码?
+-------+-----+-----+-------+-------+--------+-------+--------+-----+
| | IOS | XR | JUNOS | rpki | rpki | NCC | RTRlib | BBN |
| | | | | .net | .net | | | |
| | | | | clnt | srvr | | | |
+-------+-----+-----+-------+-------+--------+-------+--------+-----+
| Rcv.0 | YES | YES | NO | YES | YES | YES | YES | YES |
| Snd.0 | YES | YES | NO | YES | YES | YES | YES | YES |
| Rcv.1 | YES | YES | NO | YES | YES | YES | YES | YES |
| Snd.1 | YES | YES | NO | YES | YES | YES | YES | YES |
| Rcv.2 | YES | YES | NO | YES | --- | --- | YES | --- |
| Snd.2 | --- | --- | --- | --- | YES | YES | --- | YES |
| Rcv.3 | YES | YES | NO | YES | --- | --- | YES | --- |
| Snd.3 | --- | --- | --- | --- | YES | YES | --- | YES |
| Rcv.4 | YES | YES | NO | YES | YES | YES | YES | YES |
| Snd.4 | YES | YES | NO | YES | YES | YES | YES | YES |
| Rcv.5 | YES | YES | NO | YES | YES | YES | YES | YES |
| Snd.5 | YES | YES | NO | YES | YES | YES | YES | YES |
| Rcv.6 | --- | --- | --- | --- | YES | YES~1 | --- | YES |
| Snd.6 | YES | YES | NO | NO | --- | --- | YES | --- |
| Rcv.7 | --- | --- | --- | --- | YES | YES~1 | --- | YES |
| Snd.7 | YES | YES | NO | NO | --- | --- | YES | --- |
+-------+-----+-----+-------+-------+--------+-------+--------+-----+
Note 1: YES, but... fatal, so connection is dropped, but cache does not conclude it's inconsistent.
注 1:是的,但是......致命的,所以连接被中断,但缓存没有得出不一致的结论。
Does the RPKI Router implementation support Incremental Updates as defined in Section 4 of [RFC6810]?
RPKI 路由器实施是否支持 [RFC6810] 第 4 节中定义的增量更新?
+-----+----+-------+-------------+-------------+-----+--------+-----+
| IOS | XR | JUNOS | rpki.net | rpki.net | NCC | RTRlib | BBN |
| | | | clnt | srvr | | | |
+-----+----+-------+-------------+-------------+-----+--------+-----+
| NO | NO | YES | YES | YES | NO | YES | YES |
+-----+----+-------+-------------+-------------+-----+--------+-----+
Session ID is used to indicate that the cache server may have restarted and that the incremental restart may not be possible.
会话 ID 用于指示缓存服务器可能已重新启动,增量重启可能无法进行。
Does the RPKI Router protocol implementation support the Session ID procedures outlined in Section 5.1 of [RFC6810]?
RPKI 路由器协议实施是否支持 [RFC6810] 第 5.1 节中概述的会话 ID 程序?
+-----+-----+-------+------------+------------+------+--------+-----+
| IOS | XR | JUNOS | rpki.net | rpki.net | NCC | RTRlib | BBN |
| | | | clnt | srvr | | | |
+-----+-----+-------+------------+------------+------+--------+-----+
| YES | YES | YES | YES | YES | NO~1 | YES | YES |
+-----+-----+-------+------------+------------+------+--------+-----+
Note 1: NO, using random, but will FIX
注 1:没有,使用随机,但会修复
Does the RPKI Router protocol implementation support Incremental session startups with Serial Number and Session ID as defined in Section 5.3 of [RFC6810]?
RPKI 路由器协议实施是否支持 [RFC6810] 第 5.3 节中定义的带有序列号和会话 ID 的递增会话启动?
+-----+-----+-------+------------+-------------+-----+--------+-----+
| IOS | XR | JUNOS | rpki.net | rpki.net | NCC | RTRlib | BBN |
| | | | clnt | srvr | | | |
+-----+-----+-------+------------+-------------+-----+--------+-----+
| YES | YES | YES | YES | YES | NO | YES | YES |
+-----+-----+-------+------------+-------------+-----+--------+-----+
List other implementations with which you have tested the interoperability of the RPKI Router implementation.
请列出您测试过的 RPKI 路由器互操作性的其他实现。
Cisco: The Cisco IOS and IOS-XR implementation should be interoperable with other vendor RPKI Router Protocol implementations. In particular, we have tested our interoperability with rpki.net's RPKI Router implementation.
思科思科 IOS 和 IOS-XR 实现应能与其他供应商的 RPKI 路由器协议实现互操作。特别是,我们已经测试了与 rpki.net 的 RPKI 路由器实现的互操作性。
Juniper: The Juniper Networks, Inc. JUNOS implementation should be interoperable with other vendor RPKI Router Protocol implementations. In particular, we have tested our interoperability with rpki.net's and NCC's RPKI Router Cache implementation.
瞻博网络瞻博网络(Juniper Networks, Inc.JUNOS 实现应能与其他供应商的 RPKI 路由器协议实现互操作。特别是,我们已经测试了与 rpki.net 和 NCC 的 RPKI 路由器缓存实现的互操作性。
rpki.net: The rpki.net implementation should operate with other rpki-rtr implementations. In particular, we have tested our rpki-rtr server's interoperability with Cisco IOS, Cisco IOS-XR, and Juniper.
rpki.net:rpki.net 实现应能与其他 rpkii-rtr 实现一起运行。特别是,我们已经测试了 rpkii-rtr 服务器与 Cisco IOS、Cisco IOS-XR 和 Juniper 的互操作性。
RIPE NCC: The RIPE NCC validator has been tested by us with other rpki-rtr implementations. In particular, we have tested with RTRlib and CISCO IOS. We received positive feedback from close contacts who tested our validator with JUNOS and Quagga.
RIPE NCC:RIPE NCC 验证器已通过我们与其他 rpkii-rtr 实现的测试。特别是,我们使用 RTRlib 和 CISCO IOS 进行了测试。我们收到了来自密切接触者的积极反馈,他们用 JUNOS 和 Quagga 测试了我们的验证器。
RTRlib: The RTRlib has been tested by us with other rpki-rtr implementations. In particular, we have tested with rtr-origin from rpki.net and RIPE NCC Validator.
RTRlib:我们已与其他 rpkii-rtr 实现对 RTRlib 进行了测试。特别是,我们使用 rpki.net 的 rtr-origin 和 RIPE NCC Validator 进行了测试。
BBN RPSTIR: We have not yet tested with any other implementations.
BBN RPSTIR: 我们尚未与任何其他实施方案进行测试。
No new security issues are introduced to the RPKI Router protocol defined in [RFC6810].
RPKI 路由器协议 [RFC6810] 中定义的 RPKI 路由器协议没有引入新的安全问题。
The authors would like to thank Andrew Chi, David Mandelberg, Fabian Holler, Forhad Ahmed, and Tim Bruijnzeels for their contributions to this document.
作者感谢 Andrew Chi、David Mandelberg、Fabian Holler、Forhad Ahmed 和 Tim Bruijnzeels 对本文档的贡献。
[RFC6810] Bush, R. and R. Austein, "The Resource Public Key Infrastructure (RPKI) to Router Protocol", RFC 6810, January 2013.
[RFC6810] Bush, R. and R. Austein, "The Resource Public Key Infrastructure (RPKI) to Router Protocol", RFC 6810, January 2013.
Authors' Addresses
作者地址
Randy Bush Internet Initiative Japan 5147 Crystal Springs Bainbridge Island, Washington 98110 US
Randy Bush Internet Initiative Japan 5147 Crystal Springs Bainbridge Island, Washington 98110 US
EMail: [email protected]
Rob Austein Dragon Research Labs
Rob Austein 龙研究实验室
EMail: [email protected]
Keyur Patel Cisco Systems 170 West Tasman Drive San Jose, California 95134 US
Keyur Patel 思科系统公司 加利福尼亚州圣何塞市西塔斯曼大道 170 号 95134 美国
EMail: [email protected]
Hannes Gredler Juniper Networks, Inc. 1194 N. Mathilda Ave. Sunnyvale, California 94089 US
Hannes Gredler 瞻博网络公司1194 N. Mathilda Ave.美国加利福尼亚州桑尼维尔市 94089
EMail: [email protected]
Matthias Waehlisch FU Berlin Takustr. 9 Berlin 14195 Germany
Matthias Waehlisch FU Berlin Takustr.9 Berlin 14195 Germany
EMail: [email protected] URI: http://www.inf.fu-berlin.de/~waehl