Internet Engineering Task Force (IETF) M. Reynolds
Request for Comments: 8209 IPSw
Updates: 6487 S. Turner
Category: Standards Track sn3rd
ISSN: 2070-1721 S. Kent
BBN
September 2017
A Profile for BGPsec Router Certificates, Certificate Revocation Lists, and Certification Requests
BGPsec 路由器证书、证书吊销列表和认证请求的简介
Abstract
摘要
This document defines a standard profile for X.509 certificates used to enable validation of Autonomous System (AS) paths in the Border Gateway Protocol (BGP), as part of an extension to that protocol known as BGPsec. BGP is the standard for inter-domain routing in the Internet; it is the "glue" that holds the Internet together. BGPsec is being developed as one component of a solution that addresses the requirement to provide security for BGP. The goal of BGPsec is to provide full AS path validation based on the use of strong cryptographic primitives. The end entity (EE) certificates specified by this profile are issued to routers within an AS. Each of these certificates is issued under a Resource Public Key Infrastructure (RPKI) Certification Authority (CA) certificate. These CA certificates and EE certificates both contain the AS Resource extension. An EE certificate of this type asserts that the router or routers holding the corresponding private key are authorized to emit secure route advertisements on behalf of the AS(es) specified in the certificate. This document also profiles the format of certification requests and specifies Relying Party (RP) certificate path validation procedures for these EE certificates. This document extends the RPKI; therefore, this document updates the RPKI Resource Certificates Profile (RFC 6487).
本文档定义了 X.509 证书的标准配置文件,用于验证边界网关协议(BGP)中的自治系统(AS)路径,作为该协议扩展(称为 BGPsec)的一部分。BGP 是互联网域间路由的标准,是互联网的 "粘合剂"。BGPsec 是为满足 BGP 安全性要求而开发的解决方案的一个组成部分。BGPsec 的目标是在使用强加密原语的基础上提供完整的 AS 路径验证。本配置文件规定的终端实体(EE)证书将发放给 AS 内的路由器。每个证书都是在资源公钥基础设施 (RPKI) 认证机构 (CA) 证书下签发的。这些 CA 证书和 EE 证书都包含 AS 资源扩展名。此类 EE 证书证明持有相应私钥的路由器或多个路由器已被授权代表证书中指定的 AS 发布安全路由广告。本文件还概括了认证请求的格式,并规定了这些 EE 证书的依赖方 (RP) 证书路径验证程序。本文件扩展了 RPKI;因此,本文件更新了 RPKI 资源证书简介(RFC 6487)。
Status of This Memo
本备忘录的地位
This is an Internet Standards Track document.
这是一份互联网标准跟踪文件。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.
本文件是互联网工程任务组 (IETF) 的成果。它代表了 IETF 社区的共识。它已接受公众审查,并经互联网工程指导小组 (IESG) 批准发布。有关互联网标准的更多信息,请参见 RFC 7841 第 2 节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8209.
有关本文件的当前状态、任何勘误以及如何提供反馈的信息,请访问 https://www.rfc-editor.org/info/rfc8209。
Copyright Notice
版权声明
Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有 (c) 2017 IETF 信托基金会和文件作者。保留所有权利。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文档受BCP 78以及本文档发布之日有效的IETF信托基金关于IETF文档的法律规定(https://trustee.ietf.org/license-info)的约束。 请仔细阅读这些文档,因为它们描述了您对本文档的权利和限制。 从本文档中提取的代码组件必须包含信托法律条款第 4.e 节中描述的简化 BSD 许可证文本,并且不提供简化 BSD 许可证中描述的担保。
Table of Contents
目录
1. Introduction ....................................................3
1.1. Terminology ................................................4
2. Describing Resources in Certificates ............................4
3. Updates to RFC 6487 .............................................6
3.1. BGPsec Router Certificate Fields ...........................6
3.1.1. Subject .............................................6
3.1.2. Subject Public Key Info .............................6
3.1.3. BGPsec Router Certificate Version 3
Extension Fields ....................................6
3.1.3.1. Basic Constraints ..........................6
3.1.3.2. Extended Key Usage .........................6
3.1.3.3. Subject Information Access .................7
3.1.3.4. IP Resources ...............................7
3.1.3.5. AS Resources ...............................7
3.2. BGPsec Router Certificate Request Profile ..................7
3.3. BGPsec Router Certificate Validation .......................8
3.4. Router Certificates and Signing Functions in the RPKI ......8
4. Design Notes ....................................................9
5. Implementation Considerations ...................................9
6. Security Considerations ........................................10
7. IANA Considerations ............................................10
8. References .....................................................11
8.1. Normative References ......................................11
8.2. Informative References ....................................12
Appendix A. ASN.1 Module ..........................................14
Acknowledgements ..................................................15
Authors' Addresses ................................................15
This document defines a profile for X.509 end entity (EE) certificates [RFC5280] for use in the context of certification of Autonomous System (AS) paths in the BGPsec protocol. Such certificates are termed "BGPsec Router Certificates". The holder of the private key associated with a BGPsec Router Certificate is authorized to send secure route advertisements (BGPsec UPDATEs) on behalf of the AS(es) named in the certificate. A router holding the private key is authorized to send route advertisements (to its peers) identifying the router's AS number (ASN) as the source of the advertisements. A key property provided by BGPsec is that every AS along the AS path can verify that the other ASes along the path have authorized the advertisement of the given route (to the next AS along the AS path).
本文档定义了用于 BGPsec 协议中自治系统 (AS) 路径认证的 X.509 终端实体 (EE) 证书 [RFC5280] 配置文件。此类证书称为 "BGPsec 路由器证书"。与 BGPsec 路由器证书相关的私钥持有者有权代表证书中指定的 AS 发送安全路由广告(BGPsec UPDATE)。持有私人密钥的路由器有权发送路由广告(至其对等方),并将路由器的 AS 编号 (ASN) 标识为广告来源。BGPsec 提供的一个关键特性是,AS 路径上的每个 AS 都可以验证路径上的其他 AS 是否已授权(向 AS 路径上的下一个 AS)发布给定路由广告。
This document is a profile of [RFC6487], which is a profile of [RFC5280]; thus, this document updates [RFC6487]. It establishes requirements imposed on a Resource Certificate that is used as a BGPsec Router Certificate, i.e., it defines constraints for certificate fields and extensions for the certificate to be valid in this context. This document also profiles the certification requests used to acquire BGPsec Router Certificates. Finally, this document specifies the Relying Party (RP) certificate path validation procedures for these certificates.
本文档是[RFC6487]的简介,而[RFC5280]是[RFC5280]的简介;因此,本文档更新了[RFC6487]。它规定了对用作 BGPsec 路由器证书的资源证书的要求,即定义了证书字段和扩展的约束条件,以使证书在此上下文中有效。本文件还介绍了用于获取 BGPsec 路由器证书的认证请求。最后,本文档规定了这些证书的依赖方 (RP) 证书路径验证程序。
It is assumed that the reader is familiar with the terms and concepts described in "A Profile for X.509 PKIX Resource Certificates" [RFC6487], "BGPsec Protocol Specification" [RFC8205], "A Border Gateway Protocol 4 (BGP-4)" [RFC4271], "BGP Security Vulnerabilities Analysis" [RFC4272], "Considerations in Validating the Path in BGP" [RFC5123], and "Capabilities Advertisement with BGP-4" [RFC5492].
假定读者熟悉 "X.509 PKIX 资源证书简介" [RFC6487]、"BGPsec 协议规范" [RFC8205]、"边界网关协议 4 (BGP-4)" [RFC4271] 中描述的术语和概念。[RFC4271]、"BGP 安全漏洞分析"[RFC4272]、"验证 BGP 路径时的注意事项"[RFC5123] 和 "BGP-4 的能力广告"[RFC5492]。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
本文档中的关键词 "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", 以及 "OPTIONAL" 应按照BCP 14 [RFC2119] [RFC8174]中描述的一样,当且仅当它们以全大写形式出现时进行解释。
Figure 1 depicts some of the entities in the Resource Public Key Infrastructure (RPKI) and some of the products generated by RPKI entities. IANA issues a Certification Authority (CA) certificate to each Regional Internet Registry (RIR). The RIR in turn issues a CA certificate to an Internet Service Provider (ISP). The ISP in turn issues EE certificates to itself to enable verification of signatures on RPKI signed objects. The CA also generates Certificate Revocation Lists (CRLs). These CA and EE certificates are referred to as "Resource Certificates" and are profiled in [RFC6487]. [RFC6480] envisioned using Resource Certificates to enable verification of manifests [RFC6486] and Route Origin Authorizations (ROAs) [RFC6482]. ROAs and manifests include the Resource Certificates used to verify them.
图 1 描述了资源公钥基础设施 (RPKI) 中的一些实体和 RPKI 实体生成的一些产品。IANA 向每个地区互联网注册机构 (RIR) 颁发证书颁发机构 (CA) 证书。区域互联网注册管理机构再向互联网服务提供商 (ISP) 颁发 CA 证书。ISP 再向自己颁发 EE 证书,以验证 RPKI 签名对象上的签名。CA 还会生成证书吊销列表 (CRL)。这些 CA 和 EE 证书被称为 "资源证书",并在 [RFC6487] 中作了说明。[RFC6480]设想使用资源证书来验证清单[RFC6486]和路由起源授权(ROA)[RFC6482]。ROA 和清单包括用于验证它们的资源证书。
+---------+ +------+
| CA Cert |---| IANA |
+---------+ +------+
\
+---------+ +-----+
| CA Cert |---| RIR |
+---------+ +-----+
\
+---------+ +-----+
| CA Cert |---| ISP |
+---------+ +-----+
/ | | |
+-----+ / | | | +-----+
| CRL |--+ | | +---| ROA |
+-----+ | | +-----+
| | +----------+
+----+ | +---| Manifest |
+-| EE |---+ +----------+
| +----+
+-----+
Figure 1
图 1
This document defines another type of Resource Certificate, which is referred to as a "BGPsec Router Certificate". The purpose of this certificate is explained in Section 1 and falls within the scope of appropriate uses defined within [RFC6484]. The issuance of BGPsec Router Certificates has minimal impact on RPKI CAs because the RPKI CA certificate and CRL profile remain unchanged (i.e., they are as specified in [RFC6487]). Further, the algorithms used to generate RPKI CA certificates that issue the BGPsec Router Certificates and the CRLs necessary to check the validity of the BGPsec Router Certificates remain unchanged (i.e., they are as specified in [RFC7935]). The only impact is that RPKI CAs will need to be able to process a profiled certificate request (see Section 3.2) signed with algorithms found in [RFC8208]. BGPsec Router Certificates are used only to verify the signature on the BGPsec certificate request (only CAs process these) and the signature on a BGPsec UPDATE message [RFC8205] (only BGPsec routers process these); BGPsec Router Certificates are not used to process manifests and ROAs or verify signatures on Certificates or CRLs.
本文档定义了另一种资源证书,称为 "BGPsec 路由器证书"。第 1 节解释了该证书的用途,它属于 [RFC6484] 中定义的适当使用范围。BGPsec 路由器证书的签发对 RPKI CA 的影响很小,因为 RPKI CA 证书和 CRL 配置文件保持不变(即与 [RFC6487] 中规定的一样)。此外,用于生成签发 BGPsec 路由证书的 RPKI CA 证书的算法和检查 BGPsec 路由证书有效性所需的 CRL 也保持不变(即 [RFC7935] 中的规定)。唯一的影响是,RPKI CA 需要能够处理用 [RFC8208] 中的算法签名的特征证书请求(见第 3.2 节)。BGPsec 路由器证书仅用于验证 BGPsec 证书请求上的签名(仅 CA 会处理这些签名)和 BGPsec UPDATE 消息 [RFC8205] 上的签名(仅 BGPsec 路由器会处理这些签名);BGPsec 路由器证书不用于处理清单和 ROA 或验证证书或 CRL 上的签名。
This document enumerates only the differences between this profile and the profile in [RFC6487]. Note that BGPsec Router Certificates are EE certificates, and as such there is no impact on the algorithm agility procedure described in [RFC6916].
本文件仅列举本规范与 [RFC6487] 中规范的不同之处。请注意,BGPsec 路由器证书是 EE 证书,因此对 [RFC6916] 中描述的算法敏捷性程序没有影响。
A BGPsec Router Certificate is consistent with the profile in [RFC6487] as modified by the specifications in this section. As such, it is a valid X.509 public key certificate and consistent with the PKIX profile [RFC5280]. The differences between this profile and the profile in [RFC6487] are specified in this section.
BGPsec 路由器证书与 [RFC6487] 中的配置文件一致,并根据本节中的规范进行了修改。因此,它是有效的 X.509 公钥证书,并符合 PKIX 配置文件 [RFC5280]。本节说明了本规范与 [RFC6487] 中规范的不同之处。
Encoding options for the common name that are supported are printableString and UTF8String. For BGPsec Router Certificates, it is RECOMMENDED that the common name attribute contain the literal string "ROUTER-" followed by the 32-bit ASN [RFC3779] encoded as eight hexadecimal digits and that the serial number attribute contain the 32-bit BGP Identifier [RFC4271] (i.e., the router ID) encoded as eight hexadecimal digits. If there is more than one ASN, the choice of which to include in the common name is at the discretion of the Issuer. If the same certificate is issued to more than one router (and hence the private key is shared among these routers), the choice of the router ID used in this name is at the discretion of the Issuer.
支持的通用名称编码选项有 printableString 和 UTF8String。对于 BGPsec 路由器证书,建议通用名称属性包含字面字符串 "ROUTER-",后面跟有编码为八位十六进制数字的 32 位 ASN [RFC3779],序列号属性包含编码为八位十六进制数字的 32 位 BGP 标识符 [RFC4271](即路由器 ID)。如果有一个以上的 ASN,则由签发者决定在通用名称中包含哪个。如果同一证书颁发给一个以上的路由器(因此这些路由器共享私钥),则由签发者自行决定名称中使用的路由器 ID。
Refer to Section 3.1 of [RFC8208].
请参阅 [RFC8208] 第 3.1 节。
BGPsec speakers are EEs; therefore, the Basic Constraints extension must not be present, as per [RFC6487].
BGPsec 发言者是 EE;因此,根据 [RFC6487],基本约束扩展必须不存在。
BGPsec Router Certificates MUST include the Extended Key Usage (EKU) extension. As specified in [RFC6487], this extension must not be marked critical. This document defines one EKU for BGPsec Router Certificates:
BGPsec 路由器证书必须包括扩展密钥使用(EKU)扩展。根据 [RFC6487] 的规定,该扩展不得标记为关键。本文档为 BGPsec 路由器证书定义了一个 EKU:
id-kp OBJECT IDENTIFIER ::=
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) kp(3) }
id-kp-bgpsec-router OBJECT IDENTIFIER ::= { id-kp 30 }
A BGPsec router MUST require the EKU extension be present in a BGPsec Router Certificate it receives. If multiple KeyPurposeId values are included, the BGPsec routers need not recognize all of them, as long as the required KeyPurposeId value is present. BGPsec routers MUST reject certificates that do not contain the BGPsec Router EKU even if they include the anyExtendedKeyUsage OID defined in [RFC5280].
BGPsec 路由器必须要求其收到的 BGPsec 路由器证书中包含 EKU 扩展。如果包含多个 KeyPurposeId 值,只要存在所需的 KeyPurposeId 值,BGPsec 路由器无需识别所有这些值。BGPsec 路由器必须拒绝不包含 BGPsec 路由器 EKU 的证书,即使这些证书包含 [RFC5280] 中定义的 anyExtendedKeyUsage OID。
This extension is not used in BGPsec Router Certificates. It MUST be omitted.
此扩展不用于 BGPsec 路由器证书。必须省略。
This extension is not used in BGPsec Router Certificates. It MUST be omitted.
此扩展不用于 BGPsec 路由器证书。必须省略。
Each BGPsec Router Certificate MUST include the AS Resources extension, as specified in Section 4.8.11 of [RFC6487]. The AS Resources extension MUST include one or more ASNs, and the "inherit" element MUST NOT be specified.
每个 BGPsec 路由器证书必须包括 AS 资源扩展,如 [RFC6487] 第 4.8.11 节所述。AS 资源扩展必须包括一个或多个 ASN,且不得指定 "继承 "元素。
Refer to Section 6 of [RFC6487]. The only differences between this profile and the profile in [RFC6487] are as follows:
请参阅 [RFC6487] 第 6 节。本配置文件与 [RFC6487] 中的配置文件的唯一区别如下:
o The Basic Constraints extension:
o 基本制约扩展:
If included, the CA MUST NOT honor the cA boolean if set to TRUE.
如果包含该布尔值,则 CA 设置为 TRUE 时不得执行 cA 布尔值。
o The EKU extension:
o 东欧大学分校:
If included, id-kp-bgpsec-router MUST be present (see Section 3.1.3.2). If included, the CA MUST honor the request for id-kp-bgpsec-router.
如果包含,则必须有 id-kp-bgpsec-router(见第 3.1.3.2 节)。如果包含,CA 必须接受 id-kp-bgpsec-router 请求。
o The Subject Information Access (SIA) extension:
o 主题信息访问 (SIA) 扩展:
If included, the CA MUST NOT honor the request to include the extension.
如果包含该扩展名,则 CA 不得接受包含该扩展名的请求。
o The SubjectPublicKeyInfo field is specified in [RFC8208].
o SubjectPublicKeyInfo 字段在 [RFC8208] 中指定。
o The request is signed with the algorithms specified in [RFC8208].
o 请求使用 [RFC8208] 中指定的算法签名。
The validation procedure used for BGPsec Router Certificates is identical to the validation procedure described in Section 7 of [RFC6487] (and any RFC that updates that procedure), as modified below. For example, in step 3 (of the criteria listed in Section 7.2 of [RFC6487]), "The certificate contains all fields that MUST be present" refers to the fields that are required by this specification.
BGPsec 路由器证书的验证程序与 [RFC6487] 第 7 节(以及更新该程序的任何 RFC)中描述的验证程序相同,但有如下修改。例如,在第 3 步([RFC6487] 第 7.2 节列出的标准)中,"证书包含所有必须存在的字段 "指的是本规范要求的字段。
The differences are as follows:
区别如下:
o BGPsec Router Certificates MUST include the BGPsec Router EKU defined in Section 3.1.3.2.
o BGPsec 路由器证书必须包括第 3.1.3.2 节中定义的 BGPsec 路由器 EKU。
o BGPsec Router Certificates MUST NOT include the SIA extension.
o BGPsec 路由器证书不得包含 SIA 扩展。
o BGPsec Router Certificates MUST NOT include the IP Resources extension.
o BGPsec 路由器证书不得包含 IP 资源扩展。
o BGPsec Router Certificates MUST include the AS Resources extension.
o BGPsec 路由器证书必须包括 AS 资源扩展。
o BGPsec Router Certificates MUST include the subjectPublicKeyInfo field described in [RFC8208].
o BGPsec 路由器证书必须包括 [RFC8208] 中描述的 subjectPublicKeyInfo 字段。
NOTE: BGPsec RPs will need to support the algorithms in [RFC8208], which are used to validate BGPsec signatures, as well as the algorithms in [RFC7935], which are needed to validate signatures on BGPsec certificates, RPKI CA certificates, and RPKI CRLs.
注意:BGPsec RP 需要支持 [RFC8208] 中用于验证 BGPsec 签名的算法,以及 [RFC7935] 中用于验证 BGPsec 证书、RPKI CA 证书和 RPKI CRL 上签名的算法。
As described in Section 1, the primary function of BGPsec Router Certificates in the RPKI is for use in the context of certification of AS paths in the BGPsec protocol.
如第 1 节所述,RPKI 中 BGPsec 路由器证书的主要功能是用于 BGPsec 协议中 AS 路径的认证。
The private key associated with a router EE certificate may be used multiple times in generating signatures in multiple instances of the BGPsec_PATH attribute Signature Segments [RFC8205]. That is, the BGPsec Router Certificate is used to validate multiple signatures.
与路由器 EE 证书关联的私钥可多次用于在 BGPsec_PATH 属性签名段 [RFC8205] 的多个实例中生成签名。也就是说,BGPsec 路由器证书可用于验证多个签名。
BGPsec Router Certificates are stored in the issuing CA's repository, where a repository following [RFC6481] MUST use a .cer filename extension for the certificate file.
BGPsec 路由器证书存储在签发 CA 的存储库中,遵循 [RFC6481] 的存储库必须为证书文件使用 .cer 文件扩展名。
The BGPsec Router Certificate profile is based on the Resource Certificate profile as specified in [RFC6487]. As a result, many of the design choices herein are a reflection of the design choices that were taken in that prior work. The reader is referred to [RFC6484] for a fuller discussion of those choices.
BGPsec 路由器证书配置文件基于 [RFC6487] 中指定的资源证书配置文件。因此,此处的许多设计选择反映了先前工作中的设计选择。读者可参阅 [RFC6484],了解有关这些选择的更全面讨论。
CAs are required by the Certificate Policy (CP) [RFC6484] to issue properly formed BGPsec Router Certificates regardless of what is present in the certificate request, so there is some flexibility permitted in the certificate requests:
证书策略 (CP) [RFC6484] 要求 CA 签发格式正确的 BGPsec 路由器证书,无论证书请求中包含什么内容,因此证书请求中允许有一定的灵活性:
o BGPsec Router Certificates are always EE certificates; therefore, requests to issue a CA certificate result in EE certificates;
o BGPsec 路由器证书始终是 EE 证书;因此,请求签发 CA 证书会产生 EE 证书;
o BGPsec Router Certificates are always EE certificates; therefore, requests for Key Usage extension values keyCertSign and cRLSign result in certificates with neither of these values;
o BGPsec 路由器证书始终是 EE 证书;因此,请求密钥使用扩展值 keyCertSign 和 cRLSign 时,生成的证书不会包含这两个值;
o BGPsec Router Certificates always include the BGPsec Router EKU value; therefore, requests without the value result in certificates with the value; and,
o BGPsec 路由器证书始终包含 BGPsec 路由器 EKU 值;因此,不包含该值的请求将产生包含该值的证书;以及、
o BGPsec Router Certificates never include the SIA extension; therefore, requests with this extension result in certificates without the extension.
o BGPsec 路由器证书从不包含 SIA 扩展名;因此,包含该扩展名的请求会产生不包含该扩展名的证书。
Note that this behavior is similar to the CA including the AS Resources extension in issued BGPsec Router Certificates, despite the fact that it is not present in the request.
请注意,这种行为类似于 CA 在签发的 BGPsec 路由器证书中包含 AS 资源扩展,尽管请求中并不存在该扩展。
This document permits the operator to include a list of ASNs in a BGPsec Router Certificate. In that case, the router certificate would become invalid if any one of the ASNs is removed from any superior CA certificate along the path to a trust anchor. Operators could choose to avoid this possibility by issuing a separate BGPsec Router Certificate for each distinct ASN, so that the router certificates for ASNs that are retained in the superior CA certificate would remain valid.
本文件允许操作员在 BGPsec 路由器证书中包含 ASN 列表。在这种情况下,如果在通往信任锚的路径上有任何一个 ASN 从任何上级 CA 证书中被删除,路由器证书就会失效。运营商可选择为每个不同的 ASN 签发单独的 BGPsec 路由器证书来避免这种可能性,这样上级 CA 证书中保留的 ASN 的路由器证书将继续有效。
The security considerations of [RFC6487] apply.
适用 [RFC6487] 中的安全考虑因素。
A BGPsec Router Certificate will fail RPKI validation as defined in [RFC6487] because the cryptographic algorithms used are different. Consequently, an RP needs to identify the EKU to determine the appropriate Validation constraint.
由于所使用的加密算法不同,BGPsec 路由器证书将无法通过 [RFC6487] 中定义的 RPKI 验证。因此,RP 需要识别 EKU 以确定适当的验证约束。
A BGPsec Router Certificate is an extension of the RPKI [RFC6480] to encompass routers. It is a building block of BGPsec and is used to validate signatures on BGPsec Signature Segment origination of signed path segments [RFC8205]. Thus, its essential security function is the secure binding of one or more ASNs to a public key, consistent with the RPKI allocation/assignment hierarchy.
BGPsec 路由器证书是 RPKI [RFC6480] 的扩展,将路由器包括在内。它是 BGPsec 的一个构件,用于验证已签名路径段的 BGPsec 签名段发端签名 [RFC8205]。因此,它的基本安全功能是将一个或多个 ASN 与公钥安全绑定,并与 RPKI 分配/指定层次结构保持一致。
Hash functions [RFC8208] are used when generating the two key identifier extensions (i.e., Subject Key Identifier and Issuer Key Identifier) included in BGPsec certificates. However, as noted in [RFC6818], collision resistance is not a required property of one-way hash functions when used to generate key identifiers. Regardless, hash collisions are unlikely, but they are possible, and if detected an operator should be alerted. A Subject Key Identifier collision might cause the incorrect certificate to be selected from the cache, resulting in a failed signature validation.
散列函数 [RFC8208] 用于生成 BGPsec 证书中的两个密钥标识符扩展(即主体密钥标识符和签发者密钥标识符)。但是,如 [RFC6818] 所述,单向散列函数用于生成密钥标识符时,抗碰撞性并不是必须的属性。无论如何,散列碰撞的可能性不大,但还是有可能发生,如果检测到,操作员应立即报警。主题密钥标识符碰撞可能会导致从缓存中选择不正确的证书,从而导致签名验证失败。
This document makes use of two OIDs in the SMI registry for PKIX. One is for the ASN.1 module [X680] [X690] in Appendix A, and it comes from the "SMI Security for PKIX Module Identifier" IANA registry (id-mod-bgpsec-eku). The other is for the BGPsec Router EKU defined in Section 3.1.3.2 and Appendix A, and it comes from the "SMI Security for PKIX Extended Key Purpose" IANA registry (id-kp-bgpsec-router). These OIDs were assigned before management of the PKIX Arc was handed to IANA. The references in those registries have been updated to point to this document.
本文档使用了 PKIX SMI 注册表中的两个 OID。一个是附录 A 中的 ASN.1 模块 [X680] [X690],它来自 "SMI Security for PKIX 模块标识符 "IANA 注册表 (id-mod-bgpsec-eku)。另一个是第 3.1.3.2 节和附录 A 中定义的 BGPsec 路由器 EKU,它来自 "SMI Security for PKIX 扩展密钥用途 "IANA 注册表(id-kp-bgpsec-router)。这些 OID 是在 PKIX Arc 的管理权移交给 IANA 之前分配的。这些注册表中的引用已更新为指向本文档。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.
[RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP Addresses and AS Identifiers", RFC 3779, DOI 10.17487/RFC3779, June 2004, <https://www.rfc-editor.org/info/rfc3779>.
[RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP Addresses and AS Identifiers", RFC 3779, DOI 10.17487/RFC3779, June 2004, <https://www.rfc-editor.org/info/rfc3779>.
[RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A Border Gateway Protocol 4 (BGP-4)", RFC 4271, DOI 10.17487/RFC4271, January 2006, <https://www.rfc-editor.org/info/rfc4271>.
[RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A Border Gateway Protocol 4 (BGP-4)", RFC 4271, DOI 10.17487/RFC4271, January 2006, <https://www.rfc-editor.org/info/rfc4271>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, <https://www.rfc-editor.org/info/rfc5280>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, <https://www.rfc-editor.org/info/rfc5280>.
[RFC6481] Huston, G., Loomans, R., and G. Michaelson, "A Profile for Resource Certificate Repository Structure", RFC 6481, DOI 10.17487/RFC6481, February 2012, <https://www.rfc-editor.org/info/rfc6481>.
[RFC6481] Huston, G., Loomans, R., and G. Michaelson, "A Profile for Resource Certificate Repository Structure", RFC 6481, DOI 10.17487/RFC6481, February 2012, <https://www.rfc-editor.org/info/rfc6481>。
[RFC6486] Austein, R., Huston, G., Kent, S., and M. Lepinski, "Manifests for the Resource Public Key Infrastructure (RPKI)", RFC 6486, DOI 10.17487/RFC6486, February 2012, <https://www.rfc-editor.org/info/rfc6486>.
[RFC6486] Austein, R., Huston, G., Kent, S., and M. Lepinski, "Manifests for the Resource Public Key Infrastructure (RPKI)", RFC 6486, DOI 10.17487/RFC6486, February 2012, <https://www.rfc-editor.org/info/rfc6486>。
[RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for X.509 PKIX Resource Certificates", RFC 6487, DOI 10.17487/RFC6487, February 2012, <https://www.rfc-editor.org/info/rfc6487>.
[RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for X.509 PKIX Resource Certificates", RFC 6487, DOI 10.17487/RFC6487, February 2012, <https://www.rfc-editor.org/info/rfc6487>。
[RFC7935] Huston, G. and G. Michaelson, Ed., "The Profile for Algorithms and Key Sizes for Use in the Resource Public Key Infrastructure", RFC 7935, DOI 10.17487/RFC7935, August 2016, <https://www.rfc-editor.org/info/rfc7935>.
[RFC7935] Huston, G. and G. Michaelson, Ed., "The Profile for Algorithms and Key Sizes for Use in the Resource Public Key Infrastructure", RFC 7935, DOI 10.17487/RFC7935, August 2016, <https://www.rfc-editor.org/info/rfc7935>。
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>。
[RFC8205] Lepinski, M., Ed., and K. Sriram, Ed., "BGPsec Protocol Specification", RFC 8205, DOI 10.17487/RFC8205, September 2017, <https://www.rfc-editor.org/info/rfc8205>.
[RFC8205] Lepinski, M., Ed., and K. Sriram, Ed., "BGPsec Protocol Specification", RFC 8205, DOI 10.17487/RFC8205, September 2017, <https://www.rfc-editor.org/info/rfc8205>。
[RFC8208] Turner, S. and O. Borchert, "BGP Algorithms, Key Formats, and Signature Formats", RFC 8208, DOI 10.17487/RFC8208, September 2017, <https://www.rfc-editor.org/info/rfc8208>.
[RFC8208] Turner, S. and O. Borchert, "BGP 算法、密钥格式和签名格式",RFC 8208, DOI 10.17487/RFC8208, September 2017, <https://www.rfc-editor.org/info/rfc8208>。
[X680] ITU-T, "Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation", ITU-T Recommendation X.680, ISO/IEC 8824-1, August 2015, <https://www.itu.int/rec/T-REC-X.680/en>.
[X680] ITU-T,"信息技术--抽象语法符号一(ASN.1):基本符号规范",ITU-T 建议 X.680,ISO/IEC 8824-1,2015 年 8 月,<https://www.itu.int/rec/T-REC-X.680/en>。
[X690] ITU-T, "Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)", ITU-T Recommendation X.690, ISO/IEC 8825-1, August 2015, <https://www.itu.int/rec/T-REC-X.690/en>.
[X690] ITU-T,"信息技术 - ASN.1 编码规则:基本编码规则(BER)、规范编码规则(CER)和区分编码规则(DER)的规范",ITU-T 建议 X.690,ISO/IEC 8825-1,2015 年 8 月,<https://www.itu.int/rec/T-REC-X.690/en>。
[RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis", RFC 4272, DOI 10.17487/RFC4272, January 2006, <https://www.rfc-editor.org/info/rfc4272>.
[RFC4272] Murphy, S., "BGP 安全漏洞分析",RFC 4272,DOI 10.17487/RFC4272,2006 年 1 月,<https://www.rfc-editor.org/info/rfc4272>。
[RFC5123] White, R. and B. Akyol, "Considerations in Validating the Path in BGP", RFC 5123, DOI 10.17487/RFC5123, February 2008, <https://www.rfc-editor.org/info/rfc5123>.
[RFC5123] White, R. and B. Akyol, "Considerations in Validating the Path in BGP", RFC 5123, DOI 10.17487/RFC5123, February 2008, <https://www.rfc-editor.org/info/rfc5123>.
[RFC5492] Scudder, J. and R. Chandra, "Capabilities Advertisement with BGP-4", RFC 5492, DOI 10.17487/RFC5492, February 2009, <https://www.rfc-editor.org/info/rfc5492>.
[RFC5492] Scudder, J. and R. Chandra, "Capabilities Advertisement with BGP-4", RFC 5492, DOI 10.17487/RFC5492, February 2009, <https://www.rfc-editor.org/info/rfc5492>。
[RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support Secure Internet Routing", RFC 6480, DOI 10.17487/RFC6480, February 2012, <https://www.rfc-editor.org/info/rfc6480>.
[RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support Secure Internet Routing", RFC 6480, DOI 10.17487/RFC6480, February 2012, <https://www.rfc-editor.org/info/rfc6480>。
[RFC6482] Lepinski, M., Kent, S., and D. Kong, "A Profile for Route Origin Authorizations (ROAs)", RFC 6482, DOI 10.17487/RFC6482, February 2012, <https://www.rfc-editor.org/info/rfc6482>.
[RFC6482] Lepinski, M., Kent, S., and D. Kong, "A Profile for Route Origin Authorizations (ROAs)", RFC 6482, DOI 10.17487/RFC6482, February 2012, <https://www.rfc-editor.org/info/rfc6482>。
[RFC6484] Kent, S., Kong, D., Seo, K., and R. Watro, "Certificate Policy (CP) for the Resource Public Key Infrastructure (RPKI)", BCP 173, RFC 6484, DOI 10.17487/RFC6484, February 2012, <https://www.rfc-editor.org/info/rfc6484>.
[RFC6484] Kent, S., Kong, D., Seo, K., and R. Watro, "Certificate Policy (CP) for the Resource Public Key Infrastructure (RPKI)", BCP 173, RFC 6484, DOI 10.17487/RFC6484, February 2012, <https://www.rfc-editor.org/info/rfc6484>。
[RFC6818] Yee, P., "Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 6818, DOI 10.17487/RFC6818, January 2013, <https://www.rfc-editor.org/info/rfc6818>.
[RFC6818] Yee, P., "Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 6818, DOI 10.17487/RFC6818, January 2013, <https://www.rfc-editor.org/info/rfc6818>.
[RFC6916] Gagliano, R., Kent, S., and S. Turner, "Algorithm Agility Procedure for the Resource Public Key Infrastructure (RPKI)", BCP 182, RFC 6916, DOI 10.17487/RFC6916, April 2013, <https://www.rfc-editor.org/info/rfc6916>.
[RFC6916] Gagliano, R., Kent, S., and S. Turner, "Algorithm Agility Procedure for the Resource Public Key Infrastructure (RPKI)", BCP 182, RFC 6916, DOI 10.17487/RFC6916, April 2013, <https://www.rfc-editor.org/info/rfc6916>。
BGPSECEKU { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-bgpsec-eku(84) }
DEFINITIONS EXPLICIT TAGS ::=
BEGIN
开始
-- EXPORTS ALL --
-- 全部出口
-- IMPORTS NOTHING --
-- 没有进口
-- OID Arc --
-- OID Arc --
id-kp OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) kp(3) }
-- BGPsec Router Extended Key Usage --
-- BGPsec 路由器扩展密钥的使用 --
id-kp-bgpsec-router OBJECT IDENTIFIER ::= { id-kp 30 }
END
结束
Acknowledgements
致谢
We would like to thank Geoff Huston, George Michaelson, and Robert Loomans for their work on [RFC6487], which this work is based on. In addition, the efforts of Matt Lepinski were instrumental in preparing this work. Additionally, we'd like to thank Rob Austein, Roque Gagliano, Richard Hansen, Geoff Huston, David Mandelberg, Sandra Murphy, and Sam Weiler for their reviews and comments.
我们要感谢 Geoff Huston、George Michaelson 和 Robert Loomans 在[RFC6487]方面所做的工作,这项工作正是基于[RFC6487]。此外,Matt Lepinski 的努力对本工作的准备起到了重要作用。此外,我们还要感谢 Rob Austein、Roque Gagliano、Richard Hansen、Geoff Huston、David Mandelberg、Sandra Murphy 和 Sam Weiler 的审阅和评论。
Authors' Addresses
作者地址
Mark Reynolds Island Peak Software 328 Virginia Road Concord, MA 01742 United States of America
Mark Reynolds Island Peak Software 328 Virginia Road Concord, MA 01742 美利坚合众国
Email: [email protected]
Sean Turner sn3rd
Sean Turner sn3rd
Email: [email protected]
Stephen Kent Raytheon BBN Technologies 10 Moulton St. Cambridge, MA 02138 United States of America
Stephen Kent Raytheon BBN Technologies 10 Moulton St.
Email: [email protected]