Network Working GroupInternet Engineering Task Force (IETF) R. BushInternet-DraftRequest for Comments: 8635 IIJ Lab/ Dragon Research Lab Intended status: Best Current Practice& Arrcus Category: Standards Track S. TurnerExpires: November 15, 2019ISSN: 2070-1721 sn3rd K. Patel Arrcus, Inc.May 14,August 2019 Router Keying for BGPsecdraft-ietf-sidrops-rtr-keying-06Abstract BGPsec-speaking routers are provisioned with private keys in order to sign BGPsec announcements. The corresponding public keys are published in theglobalGlobal Resource Public KeyInfrastructure,Infrastructure (RPKI), enabling verification of BGPsec messages. This document describes two methods of generating the public-privatekey-pairs:key pairs: router-driven and operator-driven.Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.Status of This Memo ThisInternet-Draftissubmitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documentsan Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF).Note that other groups may also distribute working documents as Internet-Drafts. The listIt represents the consensus ofcurrent Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents validthe IETF community. It has received public review and has been approved fora maximumpublication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. Information about the current status ofsix monthsthis document, any errata, and how to provide feedback on it may beupdated, replaced, or obsoleted by other documentsobtained atany time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on January 16, 2017.https://www.rfc-editor.org/info/rfc8635. Copyright Notice Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents(http://trustee.ietf.org/license-info)(https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . ..2 2.Management / Router CommunicationRequirements Language . . . . . . . . . . . . . . . . . . . . 3 3. Management/Router Communication . . . . . . . . . . . . . . . 3 4. Exchange Certificates . . . . . . . . . . . . . . . . . . . . 44. Set-Up5. Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55.6. Generate PKCS#10 . . . . . . . . . . . . . . . . . . . . . ..55.1. Router-Generated6.1. Router-Driven Keys . . . . . . . . . . . . . . . . . . . 55.2. Operator-Generated6.2. Operator-Driven Keys . . . . . . . . . . . . . . . . . . 65.2.1.6.2.1. Using PKCS#8 to Transfer PrivateKey .Keys . . . . . . . . 66.7. Send PKCS#10 and Receive PKCS#7 . . . . . . . . . . . . . . . 77.8. Install Certificate . . . . . . . . . . . . . . . . . . . . . 78.9. Advanced Deployment Scenarios . . . . . . . . . . . . . . . . 89.10. Key Management . . . . . . . . . . . . . . . . . . . . . . ..99.1.10.1. Key Validity . . . . . . . . . . . . . . . . . . . . . .. 9 9.2.10 10.2. KeyRoll-OverRollover . . . . . . . . . . . . . . . . . . . . . . 109.3.10.3. Key Revocation . . . . . . . . . . . . . . . . . . . . .. 10 9.4.11 10.4. Router Replacement . . . . . . . . . . . . . . . . . . ..1110.11. Security Considerations . . . . . . . . . . . . . . . . . . . 1211.12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 1312.13. References . . . . . . . . . . . . . . . . . . . . . . . . . 1312.1.13.1. Normative References . . . . . . . . . . . . . . . . . . 1312.1.13.2. Informative References . . . . . . . . . . . . . . . . . 14 Appendix A. Management/Router Channel Security . . . . . . . . .1617 Appendix B. An Introduction to BGPsec Key Management . . . . . .1618 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . .. 1921 1. Introduction BGPsec-speaking routers are provisioned with private keys, which allow them to digitally sign BGPsec announcements. To verify the signature, the public key, in the form of a certificate [RFC8209], is published in the Resource Public Key Infrastructure (RPKI). This document describes provisioning of BGPsec-speaking routers with the appropriate public-privatekey-pairs.key pairs. There are twomethods,methods: router- driven and operator-driven. These two methods differ in where the keys are generated: on the router in the router-driven method, and elsewhere in theoperator-drivenoperator- driven method. The two methods also differ in who generates the private/public key pair: the operator generates the pair and sends it to the router in the operator-driven method, and the router generates its own pair in therouter-driverouter-driven method. The router-driven method mirrors the model used by traditional PKI subscribers; the private key never leaves trusted storage (e.g., Hardware SecurityModule).Module (HSM)). This is by design and supports classic PKI Certification Policies for (often human) subscriberswhichthat require the private key only ever be controlled by the subscriber to ensure that no one can impersonate the subscriber. For non-humans, this method does not always work. The operator-drivenmodelmethod is motivated by the extreme importance placed on ensuring the continued operation of the network. In some deployments, the same private key needs to be installed in the soon-to-be online router that was used by the soon-to-be offline router, since this "hot-swapping" behavior can result in minimal downtime, especially compared with the normal RPKI procedures to propagate a new key, which can take a day or longer to converge. For example, when an operator wants to support hot-swappable routers, the same private key needs to be installed in the soon-to-be online router that was used by the soon-to-be offline router. This motivated the operator-driven method. Sections23 through78 describe the various steps involved for an operator to use the two methods to provision new and existing routers. The methods described involve the operator configuring the twoend pointsendpoints (i.e., the management station and the router) and acting as the intermediary. Section89 describes another method that requiresmore capablemore-capable routers. Useful References: [RFC8205] describes the details of BGPsec, [RFC8209] specifies the format for the PKCS#10 certification request, and [RFC8208] specifies the algorithms used to generate the PKCS#10 signature. 2.Management / RouterRequirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 3. Management/Router Communication Operators are free to use either the router-driven oroperator-driventhe operator- driven method as supported by the platform. Prudent security practice recommends router-generated keying, if the delay in replacing a router (or router engine) is acceptable to the operator. Regardless of the method chosen, operators first establish a protected channel between the management system and the router; this protected channel prevents eavesdropping, tampering, and messageforgery as well asforgery. It also provides mutual authentication. How this protected channel is established is router-specific and is beyond scope of this document. Though other configuration mechanisms might be used,e.g. NETCONFe.g., the Network Configuration Protocol (NETCONF) (see [RFC6470]), the protected channel used between the management platform and the router is assumed to be an SSH-protected CLI. See Appendix A for security considerations for this protected channel. The previous paragraph assumes themanagement system-to-routermanagement-system-to-router communications are over a network. When the management system has a direct physical connection to the router, e.g., via the craft port, there is no assumption that there is a protected channel between the two. To beclear:clear, for both of these methods, an initialleap-of-faithleap of faith is required because the router has no keying material that it can use to protect communications with anyone or anything. Because of this initial leap of faith, a direct physical connection is safer thanconnecting viaa network connection because there is less chance of amanmonkey in the middle. Once keying material is established on the router, the communications channel must prevent eavesdropping, tampering, and message forgery. This initialleap-of-faithleap of faith will no longer be required once routers are delivered to operators withoperator-trustedoperator- trusted keyingmaterial 3.material. 4. Exchange Certificates A number of options exist for theoperatoroperator's management station to exchange PKI-related information with routers and with the RPKI including:-o Using application/pkcs10 media type [RFC5967] to extract certificate requests and application/pkcs7-mime[I-D.lamps-rfc5751- bis][RFC8551] to return the issued certificate,-o Using FTP or HTTP per [RFC2585], and-o Using the Enrollment over Secure Transport (EST) protocol per [RFC7030]. Despite the fact thatCertificatescertificates are integrity-protected and do not necessarily need additional protection, transports that also provide integrity protection are RECOMMENDED.4. Set-Up5. Setup To start, the operator uses the protected channel to install the appropriate RPKI Trust Anchor's Certificate (TACert)Certificate) in the router. This will later enable the router to validate the router certificate returned in the PKCS#7 certs-only message[I-D.lamps-rfc5751-bis].[RFC8551]. The operator configures the Autonomous System (AS) number to be used in the generated router certificate. This may be the sole AS configured on therouter,router or an operator choice if the router is configured with multipleASs.ASes. A router with multipleASsASes canbe configured withgenerate multiple router certificates by following the processofdescribed in this document for each desired certificate. This configured AS number is also used during verification of keys, if generated by the operator (see Section5.2),6.2), as well as during certificate verification steps (see Sections6,7, 8, and8).9). The operator configures or extracts from the router the BGP Identifier [RFC6286] to be used in the generated router certificate. In the case where the operator has chosen not to use uniqueper-routerper- router certificates, a BGP Identifier of 0 MAY be used. The operator configures the router's access control mechanism to ensure that only authorized users are able to later access the router's configuration.5.6. Generate PKCS#10 The private key, and hence the PKCS#10 certification request, which is sometimes referred to as a Certificate Signing Request (CSR), may be generated by the router or by the operator. Retaining the CSR allows for verifying that the returned public key in the certificate corresponds to the private key used to generate the signature on the CSR. NOTE: The PKCS#10 certification request does not include the AS number or the BGP Identifier for the router certificate. Therefore, the operator transmits the AS it has chosen on the routerandas well as the BGP Identifieras wellwhen it sends the CSR to the CA.5.1. Router-Generated6.1. Router-Driven Keys In therouter-generatedrouter-driven method, once the protected channel is established and the initialSet-Upsetup (Section4)5) performed, the operator issues a command or commands for the router to generate thepublic/privatepublic- private key pair, to generate the PKCS#10 certification request, and to sign the PKCS#10 certification request with the private key. Once the router has generated the PKCS#10 certification request, it returns it to the operator over the protected channel. The operator includes the chosen AS number and the BGP Identifier when it sends the CSR to the CA. Even if the operator cannot extract the private key from the router, this signature still provides alinkagelink between a private key and a router. That is, the operator can verify the proof of possession (POP), as required by [RFC6484]. NOTE: The CA needs to know that therouter-generatedrouter-driven CSR is authorized. The easiest way to accomplish this is for the operator to mediate the communication with the CA. Other workflows are possible, e.g., where the router sends the CSR to the CA but the operator logs in to the CA independently and is presented with a list of pending requests to approve. See Section89 for an additional workflow. If a routerwerewas to communicate directly with a CA to have the CA certify the PKCS#10 certification request, there would be no way for the CA to authenticate the router. As the operator knows the authenticity of the router, the operator mediates the communication with the CA.5.2. Operator-Generated6.2. Operator-Driven Keys In theoperator-generatedoperator-driven method, the operator generates thepublic/privatepublic- private key pair on a management station and installs the private key into the router over the protected channel. Beware that experience has shown that copy-and-paste from a management station to a router can be unreliable for long texts. The operator then creates and signs the PKCS#10 certification request with the private key; the operator includes the chosen AS number and the BGP Identifier when it sends the CSR to the CA.5.2.1.6.2.1. Using PKCS#8 to Transfer PrivateKeyKeys A private key can be encapsulated in a PKCS#8 Asymmetric Key Package [RFC5958] and SHOULD be further encapsulated in Cryptographic Message Syntax (CMS) SignedData [RFC5652] and signed with theoperators'soperator's End Entity (EE) private key. The router SHOULD verify the signature of the encapsulated PKCS#8 to ensure the returned private key did in fact come from the operator, but this requires that the operator also provision via the CLI or include in the SignedData the RPKI CA certificate and relevant operators' EE certificate(s). The router SHOULD inform the operator whether or not the signature validates to a trust anchor; this notification mechanism is out of scope.6.7. Send PKCS#10 and Receive PKCS#7 The operator uses RPKI management tools to communicate with theglobalGlobal RPKI system to have the appropriate CA validate the PKCS#10 certification request, sign the key in the PKCS#10 (i.e., certifyit) andit), generate a PKCS#7 certs-only message,as well as publishingand publish the certificate in the Global RPKI. External network connectivity may be needed if the certificate is to be published in the Global RPKI. After the CA certifies the key, it does two things: 1. Publishes the certificate in the Global RPKI. The CA must have connectivity to the relevant publication point,whichwhich, inturnturn, must have external network connectivity as it is part of the Global RPKI. 2. Returns the certificate to the operator's management station, packaged in a PKCS#7 certs-only message, using the corresponding method by which it received the certificate request. It SHOULD include the certificate chain below the TA Certificate so that the router can validate the router certificate. In theoperator-generatedoperator-driven method, the operator SHOULD extract the certificate from the PKCS#7 certs-onlymessage,message and verify that the public key the operator holds corresponds to the returned public key in the PKCS#7 certs-only message. If the operator saved thePKCS#10PKCS#10, it can check this correspondence by comparing the public key in the CSR to the public key in the returned certificate. If the operator has not saved the PKCS#10, it can check this correspondence by regenerating the public key from the private key and then verifying that the regenerated public key matches the public key returned in the certificate. In theoperator-generatedoperator-driven method, the operator has already installed the private key in the router (see Section5.2). 7.6.2). 8. Install Certificate The operator provisions the PKCS#7 certs-only message into the router over the protected channel. The router SHOULD extract the certificate from the PKCS#7 certs-only message and verify that the public key corresponds to the stored private key. If the router stored the PKCS#10, it can check this correspondence by comparing the public key in the CSR to the public key in the returned certificate. If the router did not store the PKCS#10, it can check this correspondence by generating a signature on any data and then verifying the signature using the returned certificate. The router SHOULD inform the operator whether it successfully received the certificate and whether or not the keys correspond; the mechanism is out of scope. The router SHOULD also verify that the returned certificate validates back to the installed TA Certificate, i.e., the entire chain from the installed TA Certificate through subordinate CAs to the BGPsec certificate validate. To perform this verification, the CA certificate chain needs to be returned along with the router's certificate in the PKCS#7 certs-only message. The router SHOULD inform the operator whether or not the signature validates to a trust anchor; this notification mechanism is out of scope. NOTE: The signature on the PKCS#8 and Certificate need not be made by the same entity. Signing the PKCS#8 permitsmore advancedmore-advanced configurations where the entity that generates the keys is not the direct CA.8.9. Advanced Deployment Scenarios More PKI-capable routers can take advantage of increased functionality and lighten the operator's burden. Typically, these routers include eitherpre-installed manufacturer-generatedpreinstalled manufacturer-driven certificates (e.g., IEEE 802.1 AR[802.1AR])[IEEE802-1AR]) orpre-installed manufacturer-generatedpreinstalled manufacturer- driven Pre-Shared Keys(PSK)(PSKs) as well as PKI-enrollment functionality and transport protocol, e.g., CMC's "Secure Transport" [RFC7030] or the original CMC transportprotocol'sprotocols [RFC5273]. When the operator first establishes a protected channel between the management system and the router, thispre-installedpreinstalled key material is used to authenticate the router. The operator's burden shifts here to include: 1. Securely communicating the router's authentication material to the CA prior to the operator initiating the router's CSR. CAs use authentication material to determine whether the router is eligible to receive a certificate.Authentication material atAt aminimumminimum, authentication material includes the router's AS number and BGP Identifier as well as the router's key material, but it can also include additional information. Authentication material can be communicated to the CA (i.e., CSRs signed by this key material are issued certificates with this AS and BGP Identifier) or to the router (i.e., the operator uses the vendor-supplied management interface to include the AS number and BGP Identifier in therouter-generatedrouter-driven CSR). The CA stores this authentication material in an account entry for the router so that it can later be compared against the CSR prior to the CA issuing a certificate to the router. 2. Enabling the router to communicate with the CA. While the router-to-CA communications are operator-initiated, the operator's management interface need not be involved in the communications path. Enabling the router-to-CA connectivityrequiresmay require connections to external networks (i.e., through firewalls, NATs, etc.). 3. Ensuring the cryptographic chain of custody from the manufacturer. For thepre-installedpreinstalled key material, the operator needs guarantees that either no one has accessed the private key or an authenticated log of those who have accessed ithas beenMUST be provided to the operator. Once configured, the operator can begin the process of enrolling the router. Because the router is communicating directly with the CA, there is no need for the operator to retrieve the PKCS#10 certification request from the router as in Section56 or return the PKCS#7 certs-only message to the router as in Section6.7. Note that the checks performed by the router in Section7, namely8 (namely, extracting the certificate from the PKCS#7 certs-only message, verifying that the public key corresponds to the private key, and verifying that the returned certificate validated back to an installed trustanchor,anchor) SHOULD be performed. Likewise, the router SHOULD notify the operator if any of these fail, but this notification mechanism is out of scope. When a router is so configured, the communication with the CA SHOULD be automatically re-established by the router at future times to renew the certificate automatically when necessary(See(see Section9).10). This further reduces the tasks required of the operator.9.10. Key Management Key managementdoesnot onlyincludeincludes key generation, key provisioning, certificate issuance, and certificatedistribution. Itdistribution, it also includes assurance of key validity, keyroll-over,rollover, and key preservation during router replacement. All of these responsibilities persist for as long as the operator wishes to operate the BGPsec-speaking router.9.1.10.1. Key Validity It is critical that a BGPsec-speaking router is signing with a valid private key at all times. To this end, the operator needs to ensure the router always hasa non-expiredan unexpired certificate.I.e.That is, the key used to sign BGPsec announcements always has an associated certificate whose expiry time is after the current time. Ensuring this is not terribly difficult but requires that either: 1. The routerhavehas a mechanism to notify the operator that the certificate has an impending expiration, and/or 2. The operatornotenotes the expiry time of the certificate and uses a calendaring program to remind them of the expiry time, and/or 3. The RPKI CAwarnwarns the operator of pending expiration, and/or 4. The operatoruseuses some other kind of automated process to search for and track the expiry times of router certificates. It is advisable that expiration warnings happen well in advance of the actual expiry time. Regardless of the technique used to track router certificate expiry times,it is advisable to notifyadditional operators in the same organization should be notified as the expiry time approaches, thereby ensuring that the forgetfulness of one operator does not affect the entire organization. Depending on inter-operatorrelationship,relationships, it may be helpful to notify a peer operator that one or more of their certificates are about to expire.9.2.10.2. KeyRoll-OverRollover Routers that support multiple private keys also greatly increase the chance that routers can continuously speak BGPsec because the new private key and certificate can be obtained and distributed prior to expiration of the operational key. Obviously, the router needs to know when to start using the new key. Once the new key is being used, having thealready distributedalready-distributed certificate ensures continuous operation. More information on how to proceed with aKey Roll-Overkey rollover is described in[I-D.sidrops-bgpsec-rollover]. 9.3.[RFC8634]. 10.3. Key Revocation In certain circumstances, a router's BGPsec certificate may need to be revoked. When this occurs, the operator needs to use the RPKI CA system to revoke the certificate by placing the router's BGPsec certificate on the Certificate Revocation List (CRL) as well asre-keyingre- keying the router's certificate.WhenThe process of revoking an active router keyis to be revoked, the processconsists of requesting theCA to revoke,revocation from theprocess ofCA, the CA actually revoking the router's certificate,and thentheprocess ofre-keying/renewing of the router'scertificate, (possiblycertificate (possibly) distributing a new key and certificate to therouter),router, and distributing thestatus, takesstatus. During the timeduring whichthis process takes, the operator must decide how they wish to maintain continuity ofoperations, withoperation (with or without the compromised privatekey,key) or whether they wish to bring the router offline to address the compromise. Keeping the router operational and BGPsec-speaking is the ideal goal; but, if operational practices do not allow this, then reconfiguring the router to disable BGPsec is likely preferred to bringing the router offline. Routerswhichthat support more than one private key, where one is operational and other(s) are soon-to-be-operational, facilitate revocation events because the operator can configure the router to make a soon-to-be-operational key operational, request revocation of the compromised key, and then make a next generationsoon-to-be-operationalsoon-to-be- operational key. Hopefully, all this can be done without needing to take the router offline or rebootthe router.it. For routerswhichthat support only one operational key, the operators should create or install the new privatekey,key and then request revocation of the certificate corresponding to the compromised private key.9.4.10.4. Router ReplacementCurrentlyAt the time of writing, routers often generate private keys for uses such asSSH,Secure Shell (SSH), and the private keys may not be seen or exported from the router. While this is good security, it creates difficulties when a routing engine or whole router must be replaced in the field and all softwarewhichthat accesses the router must be updated with the new keys. Also, anynetwork basednetwork-based initial contact with a new routing engine requires trust in the public key presented on first contact. To allow operators to quickly replace routers without requiring update and distribution of the corresponding public keys in the RPKI, routers SHOULD allow the private BGPsec key to be inserted via a protected channel, e.g., SSH,NetConfNETCONF (see [RFC6470]), and SNMP. This lets the operator escrow the old private key via the mechanism used foroperator-generated keys, seeoperator-driven keys (see Section5.2,6.2), such that it can bere- insertedreinserted into a replacement router. The router MAY allow the private key to beto beexported via the protected channel after key generation, but this SHOULD be paired with functionality that sets the newly generated key into a permanent non-exportable state to ensure that it is not exported at a future time by unauthorized operations.10.11. Security Considerations The router's manual will describewhether the router supports one, the other, or bothwhich of thekey generationkey-generation options discussed in the earlier sections of thisdraft as well asdocument a router supports or if it supports both of them. The manual will also describe other importantsecurity- relatedsecurity-related information (e.g., how to SSH to the router). Afterfamiliarizing one's selfbecoming familiar with the capabilities of the router, an operator is encouraged to ensure that the router is patched with the latest software updates available from the manufacturer. This document defines no protocols. So, in some sense, it introduces no new security considerations. However, it relies on manyothersother protocols, and the security considerations in the referenced documents should be consulted; notably,those documentthe documents listed in Section 1 should be consulted first. PKI-relying protocols, of which BGPsec is one, have many issues to consider--- so many, in fact, entire books have been written to addressthem;them -- so listing allPKI-relatedPKI- related security considerations is neither useful nor helpful. Regardless, someboot- strapping-relatedbootstrapping-related issuesare listed herethat are worthrepeating: Public-Privaterepeating are listed here: o Public-private key pair generation: Mistakes here are, forall,all practicalpurposespurposes, catastrophic because PKIs rely on the pairing of adifficult to generatedifficult-to-generate public-private key pair with a signer; all key pairs MUST be generated from a good source of non- deterministic random input [RFC4086]. o Private key protection at rest: Mistakes here are, for all, practicalpurposespurposes, catastrophic because disclosure of the private key allows another entity to masquerade as (i.e., impersonate) the signer; all private keys MUST be protected when at rest in a secure fashion. Obviously, how each router protects private keys is implementation specific. Likewise, the local storage format for the private key is justthat,that: a local matter. o Private key protection in transit: Mistakes here are, forall,all practicalpurposespurposes, catastrophic because disclosure of the private key allows another entity to masquerade as (i.e., impersonate) the signer; therefore, transport security isthereforestrongly RECOMMENDED. The level of security provided by the transport layer's security mechanism SHOULD be at least as good as the strength of the BGPsec key; there's no point in spending time and energy to generate an excellent public-private key pair and then transmit the private key in the clear or with a known-to-be-broken algorithm, as it just undermines trust that the private key has been kept private. Additionally, operators SHOULD ensure the transport security mechanism is up to date, in order toaddressesaddress all known implementation bugs. Though the CA's certificate is installed on the router and used to verify that the returned certificate is in fact signed by the CA, the revocation status of the CA's certificate is rarely checked as the router may not have global connectivity or CRL-aware software. The operator MUST ensure that the installed CA certificate is valid.11.12. IANA Considerations This document has no IANAConsiderations. 12.actions. 13. References12.1.13.1. Normative References[I-D.sidrops-bgpsec-rollover] Weis, B, R. Gagliano,[IEEE802-1AR] IEEE, "IEEE Standard for Local andK. Patel, "BGPsec Router Certificate Rollover", draft-ietf-sidrops-bgpsec- rollover (work in progress), December 2017. [I-D.lamps-rfc5751-bis] Schaad, J., Ramsdell, B, S. Turner, "Secure/Multipurpose Internet Mail Extension (S/MIME) Version 4.0", draft-ietf-lamps-rfc5751- bis (work in progress), July 2018.Metropolitan Area Networks - Secure Device Identity", IEEE Std 802.1AR, <https://standards.ieee.org/standard/802_1AR-2018.html>. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997,<https://www.rfc- editor.org/info/rfc2119>.<https://www.rfc-editor.org/info/rfc2119>. [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, "Randomness Requirements for Security", BCP 106, RFC 4086, DOI 10.17487/RFC4086, June 2005,<https://www.rfc- editor.org/info/rfc4086>.<https://www.rfc-editor.org/info/rfc4086>. [RFC4253] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253, January 2006, <https://www.rfc-editor.org/info/rfc4253>. [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, RFC 5652, DOI 10.17487/RFC5652, September 2009, <https://www.rfc-editor.org/info/rfc5652>. [RFC5958] Turner, S., "Asymmetric Key Packages", RFC 5958, DOI 10.17487/RFC5958, August 2010,<https://www.rfc- editor.org/info/rfc5958>.<https://www.rfc-editor.org/info/rfc5958>. [RFC6286] Chen, E. and J. Yuan, "Autonomous-System-Wide Unique BGP Identifier for BGP-4", RFC 6286, DOI 10.17487/RFC6286, June 2011, <https://www.rfc-editor.org/info/rfc6286>. [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017,<https://www.rfc- editor.org/info/rfc8174>.<https://www.rfc-editor.org/info/rfc8174>. [RFC8208] Turner, S. and O. Borchert, "BGPsec Algorithms, Key Formats, and Signature Formats", RFC 8208, DOI 10.17487/RFC8208, September 2017,<https://www.rfc- editor.org/info/rfc8208>.<https://www.rfc-editor.org/info/rfc8208>. [RFC8209] Reynolds, M., Turner, S., and S. Kent, "A Profile for BGPsec Router Certificates, Certificate Revocation Lists, and Certification Requests", RFC 8209, DOI 10.17487/RFC8209, September 2017,<https://www.rfc- editor.org/info/rfc8209>. [802.1AR] IEEE SA-Standards Board, "IEEE Standard for Local<https://www.rfc-editor.org/info/rfc8209>. [RFC8551] Schaad, J., Ramsdell, B., andmetropolitan area networks - Secure Device Identity", December 2009, <http://standards.ieee.org/findstds/standard/802.1AR- 2009.html>. 12.1.S. Turner, "Secure/ Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification", RFC 8551, DOI 10.17487/RFC8551, April 2019, <https://www.rfc-editor.org/info/rfc8551>. [RFC8634] Weis, B., Gagliano, R., and K. Patel, "BGPsec Router Certificate Rollover", BCP 224, RFC 8634, DOI 10.17487/RFC8634, August 2019, <https://www.rfc-editor.org/info/rfc8634>. 13.2. Informative References [RFC2585] Housley, R. and P. Hoffman, "Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP", RFC 2585, DOI 10.17487/RFC2585, May 1999, <https://www.rfc-editor.org/info/rfc2585>. [RFC3766] Orman, H. and P. Hoffman, "Determining Strengths For Public Keys Used For Exchanging Symmetric Keys", BCP 86, RFC 3766, DOI 10.17487/RFC3766, April 2004, <https://www.rfc-editor.org/info/rfc3766>. [RFC5273] Schaad, J. and M. Myers, "Certificate Management over CMS (CMC): Transport Protocols", RFC 5273, DOI 10.17487/RFC5273, June 2008,<https://www.rfc- editor.org/info/rfc5273>.<https://www.rfc-editor.org/info/rfc5273>. [RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, "Elliptic Curve Cryptography Subject Public Key Information", RFC 5480, DOI 10.17487/RFC5480, March 2009, <https://www.rfc-editor.org/info/rfc5480>. [RFC5647] Igoe, K. and J. Solinas, "AES Galois Counter Mode for the Secure Shell Transport Layer Protocol", RFC 5647, DOI 10.17487/RFC5647, August 2009,<https://www.rfc- editor.org/info/rfc5647>.<https://www.rfc-editor.org/info/rfc5647>. [RFC5656] Stebila, D. and J. Green, "Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer", RFC 5656, DOI 10.17487/RFC5656, December 2009, <https://www.rfc-editor.org/info/rfc5656>. [RFC5967] Turner, S., "The application/pkcs10 Media Type", RFC 5967, DOI 10.17487/RFC5967, August 2010,<https://www.rfc- editor.org/info/rfc5967>.<https://www.rfc-editor.org/info/rfc5967>. [RFC6187] Igoe, K. and D. Stebila, "X.509v3 Certificates for Secure Shell Authentication", RFC 6187, DOI 10.17487/RFC6187, March 2011, <https://www.rfc-editor.org/info/rfc6187>. [RFC6470] Bierman, A., "Network Configuration Protocol (NETCONF) Base Notifications", RFC 6470, DOI 10.17487/RFC6470, February 2012, <https://www.rfc-editor.org/info/rfc6470>. [RFC6484] Kent, S., Kong, D., Seo, K., and R. Watro, "Certificate Policy (CP) for the Resource Public Key Infrastructure (RPKI)", BCP 173, RFC 6484, DOI 10.17487/RFC6484, February 2012, <https://www.rfc-editor.org/info/rfc6484>. [RFC6668] Bider, D. and M. Baushke, "SHA-2 Data Integrity Verification for the Secure Shell (SSH) Transport Layer Protocol", RFC 6668, DOI 10.17487/RFC6668, July 2012, <https://www.rfc-editor.org/info/rfc6668>. [RFC7030] Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed., "Enrollment over Secure Transport", RFC 7030, DOI 10.17487/RFC7030, October 2013,<https://www.rfc- editor.org/info/rfc7030>.<https://www.rfc-editor.org/info/rfc7030>. [RFC8205] Lepinski, M.,Ed.,Ed. and K. Sriram, Ed., "BGPsec Protocol Specification", RFC 8205, DOI 10.17487/RFC8205, September 2017, <https://www.rfc-editor.org/info/rfc8205>. [SP800-57] National Institute of Standards and Technology (NIST),Special Publication 800-57: Recommendation"Recommendation for Key Management - Part1 (Revised), March 2007.1: General", NIST Special Publication 800-57 Revision 4, DOI 10.6028/NIST.SP.800-57pt1r4, January 2016, <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/ NIST.SP.800-57pt1r4.pdf>. Appendix A. Management/Router Channel Security Encryption, integrity, authentication, andkey exchangekey-exchange algorithms used by the protected channel should be of equal or greater strength than the BGPsec keys they protect, which for the algorithm specified in [RFC8208] is128-bit;128 bits; see [RFC5480] andby reference[SP800-57] for information about this strength claim as well as [RFC3766] for "how to determine the length of an asymmetric key as a function of a symmetric key strengthrequirement."requirement". In other words, for the encryption algorithm, do not use export grade crypto (40-56 bits of security), and do not useTriple DESTriple-DES (112 bits of security). Suggested minimum algorithms would beAES-128:AES-128, specifically the following: o aes128-cbc [RFC4253] and AEAD_AES_128_GCM [RFC5647] for encryption, o hmac-sha2-256 [RFC6668] or AESAD_AES_128_GCM [RFC5647] for integrity, o ecdsa-sha2-nistp256 [RFC5656] for authentication, and o ecdh-sha2-nistp256 [RFC5656] for key exchange. Some routers support the use of public key certificates and SSH. The certificates used for the SSH session are different than the certificates used for BGPsec. The certificates used with SSH should also enable a level of security at least as good as the security offered byththe BGPsec keys; x509v3-ecdsa-sha2-nistp256 [RFC6187] could be used for authentication. The protected channel must provide confidentiality, authentication, and integrity and replay protection. Appendix B. An Introduction to BGPsec Key Management This appendix is informative. It attempts to explain some of the PKIlingo in plainer language.jargon. BGPsec speakers send signed BGPsec updates that are verified by other BGPsec speakers. In PKI parlance, the senders are referred to assigners"signers", and the receivers are referred to asrelying parties."relying parties". The signers with which we are concerned here are routers signing BGPsec updates. Signers use private keys tosignsign, and relying parties use the corresponding public keys, in the form of X.509 public key certificates, to verify signatures. The third party involved is the entity that issues the X.509 public key certificate, the Certification Authority (CA). Key management is all about making these key pairs and the certificates, as well as ensuring that the relying parties trust that the certified public keys in fact correspond to the signers' private keys. The specifics of key management greatly depend on the routers as well as management interfaces provided by the routers' vendor. Because of these differences, it is hard to write a definitive "howto,"to", but this guide is intended to arm operators with enough information to ask the right questions. The other aspect that makes this guide informative is that the steps for the do-it-yourself (DIY) approach involve arcane commands while the GUI-based vendor-assisted management console approach will likely hide all of those commands behind some button clicks. Regardless, the operator will end up with a BGPsec-enabled router. Initially, we focus on the DIY approach and then follow up with some information about the GUI-based approach. The first step in the DIY approach is to generate a privatekey; butkey. However, infactfact, what you do is create a keypair;pair: onepart, thepart (the privatekey,key) is kept veryprivateprivate, and the otherpart, thepart (the publickey,key) is given out to verify whatever is signed. The two methods for how to create the key pair are the subject of this document, but it boils down to either doing it on-router (router-driven) or off-router(operator- driven).(operator-driven). If you are generating keys on the router (router-driven), then you will need to access the router. Again, how you access the router is router-specific, but generally the DIY approachusesinvolves using the CLI and accessing the router either directly via the router's craft port or over the network on an administrative interface. If accessing the router over thenetworknetwork, be sure to do it securely (i.e., use SSHv2). Once logged into the router, issue a command or a series of commands that will generate the key pair for the algorithms referenced in the main body of this document; consult your router's documentation for the specific commands. Thekey generationkey-generation process will yield one or more files containing the private key and the public key; the file format varies dependingonon, among other things, the arcane commandyou issued, but generallythe operator issued; however, the files areDERgenerally DER- or PEM-encoded. The second step is to generate the certification request, which is often referred to as acertificate signing requestCertificate Signing Request (CSR) or PKCS#10 certification request, and to send it to the CA to be signed. To generate the CSR,you issuethe operator issues some more arcane commands while logged into the router; using the private key just generated to sign the certification request with the algorithms referenced in the main body of this document; the CSR is signed to prove to the CA that the router has possession of the private key (i.e., the signature is the proof-of-possession). The output of the command is the CSR file; the file format varies depending on the arcane command you issued, but generally the files areDERDER- or PEM-encoded. The third step is to retrieve the signed CSR from the router and send it to the CA. But before sending it, you need to also send the CA the subject name (i.e., "ROUTER-" followed by the AS number) and serial number (i.e., the 32-bit BGP Identifier) for the router. The CA needs this information to issue the certificate. How you get the CSR to theCA,CA is beyond the scope of this document. While you are still connected to the router, install theTrust Anchor (TA)trust anchor for the root of the PKI. At this point, you no longer need access to the router for BGPsec-related initiation purposes. The fourth step is for the CA to issue the certificate based on the CSR yousent; thesent. The certificate will include the subject name, serial number, public key, and otherfields as well as beingfields; it will also be signed by the CA. After the CA issues the certificate, the CA returns thecertificate,certificate and posts the certificate to the RPKI repository. Check that the certificate corresponds to the public key contained in the certificate by verifying the signature on the CSR sent to the CA; this is just a check to make sure that the CA issued a certificate that includes a public key that is the pair of the private key (i.e., the math will work when verifying a signature generated by the private key with the returned certificate). If generating the keys off-router (operator-driven), then the same steps are used asthewith on-router keygeneration,generation (possibly with the same arcane commands as those used in the on-routerapproach), butapproach). However, no access to the router isneededneeded, and the first three steps are done on an administrative workstation:oStep 1: Generate keypair; opair. Step 2: Create CSR and sign CSR with privatekey, and; okey. Step 3: Send CSR file with the subject name and serial number to CA. After the CA has returned the certificate and you have checked the certificate, you need to put the private key andTAtrust anchor in the router. Assuming the DIY approach, you will be using the CLI and accessing the router either directly via the router's craft port or over the network on an admin interface; if accessing the router over thenetworknetwork, make doubly sure it is done securely (i.e., use SSHv2) because the private key is being moved over the network. At this point, access to the router is no longer needed for BGPsec-related initiation purposes. NOTE: Regardless of the approach taken, the first three steps could trivially be collapsed by a vendor-provided script to yield the private key and the signed CSR. Given a GUI-based vendor-assisted management console,thenall of these steps will likely be hidden behind pointing and clicking the way through BGPsec-enabling the router. The scenarios described above require the operator to access each router, which does not scale well to large networks. An alternative would be to create an image, perform the necessary steps to get the private key and trust anchor on the image, and then install the image via a management protocol. One final word ofadvice;advice: certificates include a notAfter field that unsurprisingly indicates when relying parties should no longer trust the certificate. To avoid having routers with expiredcertificatescertificates, follow the recommendations in the Certification Policy (CP) [RFC6484] and make sure to renew the certificate at least one week prior to the notAfter date. Set a calendar reminder in order not to forget! Authors' Addresses Randy Bush IIJ/ Dragon Research Labs& Arrcus 5147 Crystal Springs Bainbridge Island, Washington 98110USUnited States of America Email: randy@psg.com Sean Turner sn3rd Email: sean@sn3rd.com Keyur Patel Arrcus, Inc. Email: keyur@arrcus.com