Internet DRAFT - draft-borchert-sidrops-rpki-state-unverified
draft-borchert-sidrops-rpki-state-unverified
Internet Engineering Task Force (IETF) O. Borchert
Internet-Draft D. Montgomery
Updates: 6811, 8097 (if approved) USA NIST
Intended status: Standards Track
Expires: July 19, 2021 January 15, 2021
RPKI Route Origin Validation State Unverified
draft-borchert-sidrops-rpki-state-unverified-04
Abstract
In case operators decide not to evaluate BGP route prefixes according
to RPKI route origin validation (ROV), none of the available states
as specified in RFC 6811 do properly represent this decision. This
document introduces "Unverified" as well-defined validation state
which allows to properly identify route prefixes as not evaluated
according to RPKI route origin validation.
Status of This Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
Borchert & Montgomery Expires July 19, 2021 [Page 1]
�
Internet Draft RPKI ROV Validation State Unverified January 15, 2021
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Suggested Reading . . . . . . . . . . . . . . . . . . . . . . 3
3. Initializing route prefixes . . . . . . . . . . . . . . . . . 3
3.1. Update to RFC 6811 . . . . . . . . . . . . . . . . . . . . 4
3.2. Update to RFC 8097 . . . . . . . . . . . . . . . . . . . . 4
3. Usage Considerations . . . . . . . . . . . . . . . . . . . . . 5
4. Security Considerations . . . . . . . . . . . . . . . . . . . 5
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6
6.1. Normative References . . . . . . . . . . . . . . . . . . . 6
8.2. Informative References . . . . . . . . . . . . . . . . . . 6
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7
Borchert & Montgomery Expires July 19, 2021 [Page 2]
�
Internet Draft RPKI ROV Validation State Unverified January 15, 2021
1. Introduction
Prefix origin validation provides well-defined validation states.
Though, there are instances in which no evaluation of a route prefix
is performed, not through RPKI route origin validation [RFC6811],
signaling via the extended community string as specified in
[RFC8097], or operator configuration. In these circumstances RFC 6811
specifies the implementation SHOULD initialize the validation state
of such route to "NotFound". Here, the absence of a well-defined
validation state for a route prefix not evaluated, requires the usage
of a state otherwise reserved as outcome of the evaluation of such.
This "waters" down the meaning of the used state. The specification
of a proper validation state that allows identifying non-evaluated
routes, becomes of essence once an operator decides to write policies
on the validation state "NotFound". A route prefix labeled "NotFound"
cannot be considered same as an unverified route prefix.
Hence, this document updates RFC 6811 and RFC 8097 by adding the
proposed validation state "Unverified".
1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
2. Suggested Reading
It is assumed that the reader understands BGP [RFC4271], the RPKI
[RFC6480], Route Origin Authorizations (ROAs) [RFC6482], RPKI-based
Prefix Validation [RFC6811], BGP Prefix Origin Validation State
Extended Community [RFC8097], Clarifications to BGP Origin Validation
Based on Resource Public Key Infrastructure (RPKI) [RFC8481]
3. Initializing route prefixes
This document introduces the validation state "Unverified" to be used
for route prefixes that are not evaluated through either operator
configuration, RPKI route origin validation, or other means such as
receiving a signaled validation state via the extended community
string. To allow proper initialization the following state is
introduced:
o Unverified: Specifies the state of a route prefix on which no
evaluation has been performed.
Borchert & Montgomery Expires July 19, 2021 [Page 3]
�
Internet Draft RPKI ROV Validation State Unverified January 15, 2021
3.1. Update to RFC 6811
RFC 6811 specifies that:
If validation is not performed on a Route, the implementation
SHOULD initialize the validation state of such a route to
"NotFound".
This document specifies that:
If no evaluation of a route prefix is performed in any form, the
implementation MUST initialize the validation state of such a route
to "Unverified".
This removes the necessity to initialize the route with any of the
states "Valid", "Invalid", or "NotFound" and therefore does not
"water-down" the meaning of such.
3.2. Update to RFC 8097
As specified in RFC 8097:
If the router is configured to support the extensions defined in
this document" - (RFC 8097) - ", it SHOULD attach the origin
validation state extended community to BGP UPDATE messages sent to
IBGP peers by mapping the computed validation state in the last
octet of the extended community.
The missing part here is what to do with route prefixes not evaluated
and no validation state was assigned. At this point the only solution
is to omit the extended community for such routes. If the usage of
the extended community would have been negotiated during the BGP OPEN
MESSAGE the receiver would be able to determine that the sender did
not evaluate the route in any form. But this is not the case, so a
receiver does not know if the sender is RPKI capable and chose not to
attach the origin validation state to the BGP UPDATE or the route did
not have any validation state assigned.
Hence, this document specifies for all routes that are labeled as
"Unverified" to attach the "unverified" state extended community to
BGP UPDATE messages send to IBGP peers by mapping the computed
validation state in the last octet of the extended community.
Borchert & Montgomery Expires July 19, 2021 [Page 4]
�
Internet Draft RPKI ROV Validation State Unverified January 15, 2021
AS specified in the table below, this document adds the value
"unverified = 3" to the list of acceptable values.
The value on the protocol
+-------+------------------------------+
| Value | Meaning |
+-------+------------------------------+
| 0 | Lookup result = "valid" |
| 1 | Lookup result = "not found" |
| 2 | Lookup result = "invalid" |
| 3 | Lookup result = "unverified" |
+-------+------------------------------+
3. Usage Considerations
The well-defined validation state "Unverified" allows to distinguish
between evaluated routes and non-evaluated routes. This allows the
operator to create policies to treat such route prefixes different
from route prefixes labeled with one of the validation states
"Valid", "NotFound", or "Invalid".
4. Security Considerations
This document introduces no new security concerns beyond what is
described in [RFC6811] and [RFC8097]
5. IANA Considerations
This document has no IANA actions.
Borchert & Montgomery Expires July 19, 2021 [Page 5]
�
Internet Draft RPKI ROV Validation State Unverified January 15, 2021
6. References
6.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI
10.17487/RFC2119, March 1997, <https://www.rfc-
editor.org/info/rfc2119>.
[RFC6811] Mohapatra, P., Scudder, J., Ward, D., Bush, R., and R.
Austein, "BGP Prefix Origin Validation", RFC 6811, DOI
10.17487/RFC6811, January 2013, <https://www.rfc-
editor.org/info/rfc6811>.
[RFC8097] Mohapatra, P., Patel, K., Scudder, J., Ward, D., and R.
Bush, "BGP Prefix Origin Validation State Extended
Community", RFC 8097, DOI 10.17487/RFC8097, March 2017,
<https://www.rfc-editor.org/info/rfc8097>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in
RFC 2119 Key Words", BCP 14, RFC 8174, DOI
10.17487/RFC8174, May 2017, <https://www.rfc-
editor.org/info/rfc8174>.
8.2. Informative References
[RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
Border Gateway Protocol 4 (BGP-4)", RFC 4271, DOI
10.17487/RFC4271, January 2006, <https://www.rfc-
editor.org/info/rfc4271>.
[RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support
Secure Internet Routing", RFC 6480, DOI 10.17487/RFC6480,
February 2012, <https://www.rfc-editor.org/info/rfc6480>.
[RFC6482] Lepinski, M., Kent, S., and D. Kong, "A Profile for Route
Origin Authorizations (ROAs)", RFC 6482, DOI
10.17487/RFC6482, February 2012, <https://www.rfc-
editor.org/info/rfc6482>.
[RFC8481] Bush, R., "Clarifications to BGP Origin Validation Based
on Resource Public Key Infrastructure (RPKI)", RFC 8481,
DOI 10.17487/RFC8481, September 2018, <https://www.rfc-
editor.org/info/rfc8481>.
Borchert & Montgomery Expires July 19, 2021 [Page 6]
�
Internet Draft RPKI ROV Validation State Unverified January 15, 2021
Acknowledgements
The authors would like to acknowledge the valuable review and
suggestions from K. Sriram on this document.
Authors' Addresses
Oliver Borchert
National Institute of Standards and Technology (NIST)
100 Bureau Drive
Gaithersburg, MD 20899
United States of America
Email: oliver.borchert@nist.gov
Doug Montgomery
National Institute of Standards and Technology (NIST)
100 Bureau Drive
Gaithersburg, MD 20899
United States of America
Email: dougm@nist.gov
Borchert & Montgomery Expires July 19, 2021 [Page 7]
