Network Working Group | R.G.M. Gagliano |
Internet-Draft | K.P. Patel |
Intended status: Standards Track | B.W. Weis |
Expires: August 31, 2012 | Cisco Systems |
March 2012 |
BGPSEC router key roll-over as an alternative to beaconing
draft-rogaglia-sidr-bgpsec-rollover-00
The current BGPSEC draft documents do not specifies a key roll-over process for routers. This document describes a possible key roll-over process and explores its impact to mitigate replay attacks and eliminate the need for beaconing in BGPSEC.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 31, 2012.
Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
In BGPSEC, a key roll-over (or re-keying) is the process of changing the router's key pair, issuing the correspondent new End-Entity certificates and revoke the old one. This process will need to happen at regular intervals normally due to local policies at each network.
During a roll-over process, a router needs to generate BGP UPDATE messages in order to signal the new key to be used to its neighbors. So, intuitively, a frequent key roll-over process has similar effects as the beaconing process proposed by the BGPSEC base documents to protect a BGPSEC attribute against a re-play attack. However, there are a number of operational details to be considered if the expire time field in the BGPSEC attribute is removed.
This document details a possible key roll-over process in BGPSEC and explores the operational environment where key roll-overs could be used as a protection against a re-play attach against BGPSEC
The key roll-over process in BGPSEC has not been well defined yet. However, this will be a mandatory process due to some of the following causes:
It should be clear at this point that a key roll-over process is required for BGPSEC. The next section describes how this process may be implemented.
The BGPSEC key roll-over process should be very tighten to the key provisioning mechanisms that would be in place. The key provisioning mechanisms for BGPSEC are not yet documented. We will assume that such an automatic provisioning mechanism will be in place (a possible provisioning mechanism when the private key lives only inside the BGP speaker is the Enrollment over Secure Transport (EST). This protocol will allow BGPSEC code to include automatic re-keying scripts with minimum development cost.
When the same private key is shared by different routers, a mechanism to distribute the private key will need to be implemented. A possible solution may include the transmission of the private key over a secure channel. The PKIX WG has started work on this sense by adopting [I-D.ietf-pkix-cmc-serverkeygeneration]
If we work under the assumption that an automatic mechanism will exist to rollover a BGPSEC certificate, a possible process could be:
To conclude this section, we can say that the proposed rollover mechanism will depend on the existence of an automatic provisioning process for BGPSEC certificates, that it will required a staging mechanism given by RPKI propagation time of around 24hours and that it will generate BGP UPDATES for all prefixes in the router been re-keying.
There are two typical measures to mitigate replay attacks: addition of a timestamp or addition of a serial number. Currently BGPSEC offers a timestamp (expiration time) as a protection against re-play attacks of BGPSEC messages. The process requires all BGP Speakers that originate a BGP UPDATE to beaconing the message before its expiration time. This requirement changes a long standing BGP operation practice and the community have been searching for alternatives.
To be completed
The BGPSEC Ops document give some ideas of requirements for the re-play attack in BGPSEC. For the vast majority of the prefixes, the requirement will be in the order of days or weeks. For a very small fraction, but critical, of the prefixes, the requirement may be in the order of hours.
The question we would like to ask is: can key rollover provide us a similar protection against re-play attacks without the need for beaconing?
The answer is that YES when the window requirement is in the order of days and the router re-keying is the edge router of the origin AS. By using re-keying, you are letting the BGPSEC certificate validation time as your timestamp against replay attacks. However, the use of frequent key rollovers comes with an additional administrative cost and risks if the process fails. As documented before, re-keying should be supported by automatic tools and for the great majority of the Internet it will be done with good lead time to correct any inconvenient in the process.
For a transit AS that also originates its BGP UPDATES for its own prefixes, the key rollover process may generate a large number of UPDATE messages (even the complete DFZ). For this reason, it is recommended that routers in this scenario been provisioned with two certificates: one to sign BGP UPDATES in transit and a second one to sign BGP UPDATE for prefixes originated in its AS. Only the second certificate should be frequently rolled-over.
Advantage of Re-keying as re-play attack protection mechanism:
Disadvantage of Re-keying as re-play attack protection mechanism:
No IANA considerations
No security considerations.
None yet
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. |
[RFC4271] | Rekhter, Y., Li, T. and S. Hares, "A Border Gateway Protocol 4 (BGP-4)", RFC 4271, January 2006. |
[RFC5101] | Claise, B., "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information", RFC 5101, January 2008. |
[RFC5102] | Quittek, J., Bryant, S., Claise, B., Aitken, P. and J. Meyer, "Information Model for IP Flow Information Export", RFC 5102, January 2008. |
[RFC5226] | Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008. |
[I-D.ietf-pkix-cmc-serverkeygeneration] | Schaad, J, Timmel, P and S Turner, "CMC Extensions: Server Key Generation", Internet-Draft draft-ietf-pkix-cmc-serverkeygeneration-00, January 2012. |
[I-D.ietf-sidr-origin-validation-signaling] | Mohapatra, P, Patel, K, Scudder, J, Ward, D and R Bush, "BGP Prefix Origin Validation State Extended Community", Internet-Draft draft-ietf-sidr-origin-validation-signaling-00, November 2010. |
[I-D.ietf-sidr-pfx-validate] | Mohapatra, P, Scudder, J, Ward, D, Bush, R and R Austein, "BGP Prefix Origin Validation", Internet-Draft draft-ietf-sidr-pfx-validate-01, February 2011. |