GENWiki

Premier IT Outsourcing and Support Services within the UK

User Tools

Site Tools


rfc:bcp:bcp224

Internet Engineering Task Force (IETF) B. Weis Request for Comments: 8634 Independent BCP: 224 R. Gagliano Category: Best Current Practice Cisco Systems ISSN: 2070-1721 K. Patel

                                                          Arrcus, Inc.
                                                           August 2019
                 BGPsec Router Certificate Rollover

Abstract

 Certification Authorities (CAs) within the Resource Public Key
 Infrastructure (RPKI) manage BGPsec router certificates as well as
 RPKI certificates.  The rollover of BGPsec router certificates must
 be carefully performed in order to synchronize the distribution of
 router public keys with BGPsec UPDATE messages verified with those
 router public keys.  This document describes a safe rollover process,
 and it discusses when and why the rollover of BGPsec router
 certificates is necessary.  When this rollover process is followed,
 the rollover will be performed without routing information being
 lost.

Status of This Memo

 This memo documents an Internet Best Current Practice.
 This document is a product of the Internet Engineering Task Force
 (IETF).  It represents the consensus of the IETF community.  It has
 received public review and has been approved for publication by the
 Internet Engineering Steering Group (IESG).  Further information on
 BCPs is available in Section 2 of RFC 7841.
 Information about the current status of this document, any errata,
 and how to provide feedback on it may be obtained at
 https://www.rfc-editor.org/info/rfc8634.

Weis, et al. Best Current Practice [Page 1] RFC 8634 BGPsec Certificate Rollover August 2019

Copyright Notice

 Copyright (c) 2019 IETF Trust and the persons identified as the
 document authors.  All rights reserved.
 This document is subject to BCP 78 and the IETF Trust's Legal
 Provisions Relating to IETF Documents
 (https://trustee.ietf.org/license-info) in effect on the date of
 publication of this document.  Please review these documents
 carefully, as they describe your rights and restrictions with respect
 to this document.  Code Components extracted from this document must
 include Simplified BSD License text as described in Section 4.e of
 the Trust Legal Provisions and are provided without warranty as
 described in the Simplified BSD License.

Table of Contents

 1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
 2.  Requirements Notation . . . . . . . . . . . . . . . . . . . .   4
 3.  Key Rollover in BGPsec  . . . . . . . . . . . . . . . . . . .   4
   3.1.  Rollover Process  . . . . . . . . . . . . . . . . . . . .   5
 4.  BGPsec Router Key Rollover as a Measure against Replay
     Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . .   7
   4.1.  BGP UPDATE Window of Exposure Requirement . . . . . . . .   7
   4.2.  BGPsec Key Rollover as a Mechanism to Protect against
         Replay Attacks  . . . . . . . . . . . . . . . . . . . . .   7
 5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   9
 6.  Security Considerations . . . . . . . . . . . . . . . . . . .   9
 7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  10
   7.1.  Normative References  . . . . . . . . . . . . . . . . . .  10
   7.2.  Informative References  . . . . . . . . . . . . . . . . .  10
 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .  11
 Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  11

1. Introduction

 In BGPsec, a key rollover (or re-key) is the process of changing a
 router's BGPsec key pair (or key pairs), issuing the corresponding
 new BGPsec router certificate, and (if the old certificate is still
 valid) revoking the old certificate.  This process will need to
 happen at regular intervals, normally due to policies of the local
 network.  This document describes a safe rollover process that
 results in a BGPsec receiver always having the needed verification
 keys.  Certification Practice Statement (CPS) documents may reference
 this memo.  This memo only addresses changing of a router's BGPsec
 key pair within the RPKI.  Refer to [RFC6489] for a procedure to roll
 over RPKI Certification Authority key pairs.

Weis, et al. Best Current Practice [Page 2] RFC 8634 BGPsec Certificate Rollover August 2019

 When a router receives or creates a new key pair (using a key
 provisioning mechanism), this key pair will be used to sign new
 BGPsec UPDATE messages [RFC8205] that are originated at or that
 transit through the BGP speaker.  Additionally, the BGP speaker will
 refresh its outbound BGPsec UPDATE messages to include a signature
 using the new key (replacing the old key).  When the rollover process
 finishes, the old BGPsec router certificate (and its key) will no
 longer be valid; thus, any BGPsec UPDATE message that includes a
 signature performed by the old key will be invalid.  Consequently, if
 the router does not refresh its outbound BGPsec UPDATE messages,
 previously sent routing information may be treated as unauthenticated
 after the rollover process is finished.  Therefore, it is extremely
 important that new BGPsec router certificates have been distributed
 throughout the RPKI before the router begins signing BGPsec UPDATE
 messages with a new private key.
 It is also important for an AS to minimize the BGPsec router key-
 rollover interval (i.e., the period between the time when an AS
 distributes a BGPsec router certificate with a new public key and the
 time a BGPsec router begins to use its new private key).  This can be
 due to a need for a BGPsec router to distribute BGPsec UPDATE
 messages signed with a new private key in order to invalidate BGPsec
 UPDATE messages signed with the old private key.  In particular, if
 the AS suspects that a stale BGPsec UPDATE message is being
 distributed instead of the most recently signed attribute, it can
 cause the stale BGPsec UPDATE messages to be invalidated by
 completing a key-rollover procedure.  The BGPsec router rollover
 interval can be minimized when an automated certificate provisioning
 process such as Enrollment over Secure Transport (EST) [RFC7030] is
 used.
 "Security Requirements for BGP Path Validation" [RFC7353] also
 describes the need for protecting against suppression of BGP UPDATE
 messages with Withdrawn Routes or replay of BGP UPDATE messages, such
 as controlling BGPsec's window of exposure to such attacks.  The
 BGPsec router certificate rollover method in this document can be
 used to achieve this goal.
 In [RFC8635], the "operator-driven" method is introduced, in which a
 key pair can be shared among multiple BGP speakers.  In this
 scenario, the rollover of the corresponding BGPsec router certificate
 will impact all the BGP speakers sharing the same private key.

Weis, et al. Best Current Practice [Page 3] RFC 8634 BGPsec Certificate Rollover August 2019

2. Requirements Notation

 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
 "OPTIONAL" in this document are to be interpreted as described in
 BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
 capitals, as shown here.

3. Key Rollover in BGPsec

 A BGPsec router certificate SHOULD be replaced when the following
 events occur, and it can be replaced for any other reason at the
 discretion of the AS responsible for the BGPsec router certificate.
 Scheduled rollover:  BGPsec router certificates have an expiration
       date (NotValidAfter) that requires a frequent rollover process
       to refresh certificates or issue new certificates.  The
       validity period for these certificates is typically expressed
       in the CA's CPS document.
 Router certificate field changes:  Information contained in a BGPsec
       router certificate (such as the Autonomous System Number (ASN)
       or the Subject) may need to be changed.
 Emergency router key rollover:  Some special circumstances (such as a
       compromised key) may require the replacement of a BGPsec router
       certificate.
 Protection against withdrawal suppression and replay attacks:  An AS
       may determine that withdrawn BGPsec UPDATE messages are being
       propagated instead of the most recently propagated BGPsec
       UPDATE messages.  Changing the BGPsec router signing key,
       distributing a new BGPsec router certificate, and revoking the
       old BGPsec router certificate will invalidate the replayed
       BGPsec UPDATE messages.
 In some of these cases, it is possible to generate a new certificate
 without changing the key pair.  This practice simplifies the rollover
 process as the BGP speakers receiving BGPsec UPDATE messages do not
 even need to be aware of the change of certificate.  However, not
 replacing the certificate key for a long period of time increases the
 risk that a compromised router private key may be used by an attacker
 to deliver unauthorized or false BGPsec UPDATE messages.
 Distributing the old public key in a new certificate is NOT
 RECOMMENDED when the rollover event is due to a compromised key or
 when it is suspected that withdrawn BGPsec UPDATE messages are being
 distributed.

Weis, et al. Best Current Practice [Page 4] RFC 8634 BGPsec Certificate Rollover August 2019

3.1. Rollover Process

 The key-rollover process is dependent on the key provisioning
 mechanisms adopted by an AS [RFC8635].  An automatic provisioning
 mechanism such as EST will allow procedures for router key management
 to include automatic re-keying methods with minimum development cost.
 A safe BGPsec router key-rollover process is as follows.
 1.  New Certificate Publication: The first step in the rollover
     mechanism is to publish the new certificate.  If required, a new
     key pair will be generated for the BGPsec router.  A new
     certificate will be generated and the certificate will be
     published at the appropriate RPKI repository publication point.
     The details of this process will vary as they depend on 1)
     whether the keys are assigned per-BGPsec speaker or shared among
     multiple BGPsec speakers, 2) whether the keys are generated on
     each BGPsec speaker or in a central location, and 3) whether the
     RPKI repository is locally or externally hosted.
 2.  Staging Period: A staging period will be required from the time a
     new certificate is published in the global RPKI repository until
     the time it is fetched by RPKI caches around the globe.  The
     exact minimum staging time will be dictated by the conventional
     interval chosen between repository fetches.  If rollovers will be
     done more frequently, an administrator can provision two
     certificates for every router concurrently with different valid
     start times.  In this case, when the rollover operation is
     needed, the relying parties around the globe would already have
     the new router public keys.  However, if an administrator has not
     previously provisioned the next certificate, implementing a
     staging period may not be possible during emergency key rollover.
     If there is no staging period, routing may be disrupted due to
     the inability of a BGPsec router to validate BGPsec UPDATE
     messages signed with a new private key.
 3.  Twilight: In this step, the BGPsec speaker holding the rolled-
     over private key will stop using the old key for signing and will
     start using the new key.  Also, the router will generate
     appropriate refreshed BGPsec UPDATE messages, just as in the
     typical operation of refreshing outbound BGP polices.  This
     operation may generate a great number of BGPsec UPDATE messages.
     A BGPsec speaker may vary the distribution of BGPsec UPDATE
     messages in this step for every peer in order to distribute the
     system load (e.g., skewing the rollover for different peers by a
     few minutes each would be sufficient and effective).

Weis, et al. Best Current Practice [Page 5] RFC 8634 BGPsec Certificate Rollover August 2019

 4.  Certificate Revocation: This is an optional step, but it SHOULD
     be taken when the goal is to invalidate BGPsec UPDATE messages
     signed with the old key.  Reasons to invalidate old BGPsec UPDATE
     messages include (a) the AS has reason to believe that the router
     signing key has been compromised, and (b) the AS needs to
     invalidate already-propagated BGPsec UPDATE messages signed with
     the old key.  As part of the rollover process, a CA MAY decide to
     revoke the old certificate by publishing its serial number on the
     CA's Certificate Revocation List (CRL).  Alternatively, the CA
     will just let the old certificate expire and not revoke it.  This
     choice will depend on the reasons that motivated the rollover
     process.
 5.  RPKI-Router Protocol Withdrawals: At the expiration of the old
     certificate's validation, the RPKI relying parties around the
     globe will need to communicate to their router peers that the old
     certificate's public key is no longer valid (e.g., using the
     RPKI-Router Protocol described in [RFC8210]).  A router's
     reaction to a message indicating withdrawal of a router key in
     the RPKI-Router Protocol SHOULD include the removal of any RIB
     entries (i.e., BGPsec updates) signed with that key and the
     generation of the corresponding BGP UPDATE message with Withdrawn
     Routes (either implicit or explicit).
 This rollover mechanism depends on the existence of an automatic
 provisioning process for BGPsec router certificates.  It requires a
 staging mechanism based on the RPKI propagation time (at the time of
 writing, this is typically a 24-hour period), and an AS is REQUIRED
 to re-sign all originated and transited BGPsec UPDATE messages that
 were previously signed with the old key.
 The first two steps (New Certificate Publication and Staging Period)
 may happen in advance of the rest of the process.  This will allow a
 network operator to perform its subsequent key rollover in an
 efficient and timely manner.
 When a new BGPsec router certificate is generated without changing
 its key, steps 3 (Twilight) and 5 (RPKI-Router Protocol Withdrawals)
 SHOULD NOT be executed.

Weis, et al. Best Current Practice [Page 6] RFC 8634 BGPsec Certificate Rollover August 2019

4. BGPsec Router Key Rollover as a Measure against Replay Attacks

 There are two typical generic measures to mitigate replay attacks in
 any protocol: the addition of a timestamp or the addition of a serial
 number.  However, neither BGP nor BGPsec provides these measures.
 The timestamp approach was originally proposed for BGPsec
 [PROTECTION-DESIGN-DISCUSSION] but was later dropped in favor of the
 key-rollover approach.  This section discusses the use of key
 rollover as a measure to mitigate replay attacks.

4.1. BGP UPDATE Window of Exposure Requirement

 The need to limit the vulnerability to replay attacks is described in
 Section 4.3 of [RFC7353].  One important comment is that during a
 window of exposure, a replay attack is effective only in very
 specific circumstances: there is a downstream topology change that
 makes the signed AS path no longer current, and the topology change
 makes the replayed route preferable to the route associated with the
 new update.  In particular, if there is no topology change at all,
 then no security threat comes from a replay of a BGPsec UPDATE
 message because the signed information is still valid.
 "BGPsec Operational Considerations" [RFC8207] gives some idea of
 requirements for the size of the window of exposure to replay
 attacks.  It states that the requirement will be in the order of a
 day or longer.

4.2. BGPsec Key Rollover as a Mechanism to Protect against Replay

    Attacks
 Since the window requirement is on the order of a day (as documented
 in [RFC8207]) and the BGP speaker performing re-keying is the edge
 router of the origin AS, it is feasible to use key rollover to
 mitigate replays.  In this case, it is important to complete the full
 process (i.e., the old and new certificates do not share the same
 key).  By re-keying, an AS is letting the BGPsec router certificate
 validation time be a type of "timestamp" to mitigate replay attacks.
 However, the use of frequent key rollovers comes with an additional
 administrative cost and risks if the process fails.  As documented in
 [RFC8207], re-keying should be supported by automatic tools, and for
 the great majority of the Internet, it will be done with good lead
 time to ensure that the public key corresponding to the new router
 certificate will be available to validate the corresponding BGPsec
 UPDATE messages when received.
 If a transit AS also originates BGPsec UPDATE messages for its own
 prefixes and it wishes to mitigate replay attacks on those prefixes,
 then the transit AS SHOULD be provisioned with two unique key pairs

Weis, et al. Best Current Practice [Page 7] RFC 8634 BGPsec Certificate Rollover August 2019

 and certificates.  One of the key pairs is used to sign BGPsec UPDATE
 messages for prefixes originated from the transit AS, and it can have
 a replay protection policy applied to it.  The other key pair is used
 to sign BGPsec UPDATE messages in transit and SHOULD NOT have a
 replay protection policy applied to it.  Because the transit AS is
 not likely to know or care about the policy of origin ASes elsewhere,
 there is no value gained by the transit AS performing key rollovers
 to mitigate replay attacks against prefixes originated elsewhere.  If
 the transit AS were instead to perform replay protection for all
 updates that it signs, its process for key rollovers would generate a
 large number of BGPsec UPDATE messages, even in the complete Default-
 Free Zone (DFZ).  Therefore, it is best to let each AS independently
 manage the replay attack vulnerability window for the prefixes it
 originates.
 Advantages to re-keying as a replay attack protection mechanism are
 as follows:
 1.  All expiration policies are maintained in the RPKI.
 2.  Much of the additional administrative cost is paid by the
     provider that wants to protect its infrastructure, as it bears
     the cost of creating and initiating distribution of new router
     key pairs and BGPsec router certificates.  (It is true that the
     cost of relying parties will be affected by the new objects, but
     their responses should be completely automated or otherwise
     routine.)
 3.  The re-keying can be implemented in coordination with planned
     topology changes by either origin ASes or transit ASes (e.g., if
     an AS changes providers, it completes a key rollover).
 Disadvantages to re-keying as replay attack protection mechanism are
 as follows:
 1.  Frequent rollovers add administrative and BGP processing loads,
     although the required frequency is not clear.  Some initial ideas
     are found in [RFC8207].
 2.  The minimum replay vulnerability is bounded by the propagation
     time for RPKI caches to obtain the new certificate and CRL (2x
     propagation time because first the new certificate and then the
     CRL need to propagate through the RPKI system).  If provisioning
     is done ahead of time, the minimum replay vulnerability window
     size is reduced to 1x propagation time (i.e., propagation of the
     CRL).  However, these bounds will be better understood when the

Weis, et al. Best Current Practice [Page 8] RFC 8634 BGPsec Certificate Rollover August 2019

     RPKI and RPKI relying party software are well deployed; this will
     also contribute to the propagation time for objects in the RPKI
     being better understood.
 3.  Re-keying increases the dynamics and size of the RPKI repository.

5. IANA Considerations

 This document has no IANA actions.

6. Security Considerations

 This document does not contain a protocol update to either the RPKI
 or BGPsec.  It describes a process for managing BGPsec router
 certificates within the RPKI.
 Routers participating in BGPsec will need to roll over their signing
 keys as part of conventional processing of certificate management.
 However, because rolling over signing keys will also have the effect
 of invalidating BGPsec UPDATE message signatures, the rollover
 process must be carefully orchestrated to ensure that valid BGPsec
 UPDATE messages are not treated as invalid.  This situation could
 affect Internet routing.  This document describes a safe method for
 rolling over BGPsec router certificates.  It takes into account both
 normal and emergency key-rollover requirements.
 Additionally, the key-rollover method described in this document can
 be used as a measure to mitigate BGP UPDATE replay attacks, in which
 an entity in the routing system is suppressing current BGPsec UPDATE
 messages and replaying withdrawn updates.  When the key used to sign
 the withdrawn updates has been rolled over, the withdrawn updates
 will be considered invalid.  When certificates containing a new
 public key are provisioned ahead of time, the minimum replay
 vulnerability window size is reduced to the propagation time of a CRL
 invalidating the certificate containing an old public key.  For a
 discussion of the difficulties deploying a more effectual replay
 protection mechanism for BGPSEC, see [PROTECTION-DESIGN-DISCUSSION].

Weis, et al. Best Current Practice [Page 9] RFC 8634 BGPsec Certificate Rollover August 2019

7. References

7.1. Normative References

 [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
            Requirement Levels", BCP 14, RFC 2119,
            DOI 10.17487/RFC2119, March 1997,
            <https://www.rfc-editor.org/info/rfc2119>.
 [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
            2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
            May 2017, <https://www.rfc-editor.org/info/rfc8174>.
 [RFC8635]  Bush, R., Turner, S., and K. Patel, "Router Keying for
            BGPsec", RFC 8635, DOI 10.17487/RFC8635, August 2019,
            <https://www.rfc-editor.org/info/rfc8635>.

7.2. Informative References

 [PROTECTION-DESIGN-DISCUSSION]
            Sriram, K. and D. Montgomery, "Design Discussion and
            Comparison of Protection Mechanisms for Replay Attack and
            Withdrawal Suppression in BGPsec", Work in Progress,
            draft-sriram-replay-protection-design-discussion-12, April
            2019.
 [RFC6489]  Huston, G., Michaelson, G., and S. Kent, "Certification
            Authority (CA) Key Rollover in the Resource Public Key
            Infrastructure (RPKI)", BCP 174, RFC 6489,
            DOI 10.17487/RFC6489, February 2012,
            <https://www.rfc-editor.org/info/rfc6489>.
 [RFC7030]  Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed.,
            "Enrollment over Secure Transport", RFC 7030,
            DOI 10.17487/RFC7030, October 2013,
            <https://www.rfc-editor.org/info/rfc7030>.
 [RFC7353]  Bellovin, S., Bush, R., and D. Ward, "Security
            Requirements for BGP Path Validation", RFC 7353,
            DOI 10.17487/RFC7353, August 2014,
            <https://www.rfc-editor.org/info/rfc7353>.
 [RFC8205]  Lepinski, M., Ed. and K. Sriram, Ed., "BGPsec Protocol
            Specification", RFC 8205, DOI 10.17487/RFC8205, September
            2017, <https://www.rfc-editor.org/info/rfc8205>.

Weis, et al. Best Current Practice [Page 10] RFC 8634 BGPsec Certificate Rollover August 2019

 [RFC8207]  Bush, R., "BGPsec Operational Considerations", BCP 211,
            RFC 8207, DOI 10.17487/RFC8207, September 2017,
            <https://www.rfc-editor.org/info/rfc8207>.
 [RFC8210]  Bush, R. and R. Austein, "The Resource Public Key
            Infrastructure (RPKI) to Router Protocol, Version 1",
            RFC 8210, DOI 10.17487/RFC8210, September 2017,
            <https://www.rfc-editor.org/info/rfc8210>.

Acknowledgments

 Randy Bush, Kotikalapudi Sriram, Stephen Kent, and Sandy Murphy each
 provided valuable suggestions resulting in an improved document.
 Kotikalapudi Sriram contributed valuable guidance regarding the use
 of key rollovers to mitigate BGP UPDATE replay attacks.

Authors' Addresses

 Brian Weis
 Independent
 Email: bew.stds@gmail.com
 Roque Gagliano
 Cisco Systems
 Avenue des Uttins 5
 Rolle, VD  1180
 Switzerland
 Email: rogaglia@cisco.com
 Keyur Patel
 Arrcus, Inc.
 Email: keyur@arrcus.com

Weis, et al. Best Current Practice [Page 11]

/data/webs/external/dokuwiki/data/pages/rfc/bcp/bcp224.txt · Last modified: 2019/08/07 22:16 by 127.0.0.1

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki