]> China Telecom

Beijing China fuy44@chinatelecom.cn

Huawei

Beijing China gengnan@huawei.com

ops sidrops Internet-Draft Simplified Local Internet Number Resource Management with the RPKI (SLURM) helps operators create a local view of the global RPKI by generating sets of filters and assertions. This document proposes to filter out RPKI data by type based on enhanced SLURM filters. Only the RPKI data types that the network or routers are interested in will appear in the Relying Party's output.

Introduction Relying Party (RP) collects signed RPKI objects from global RPKI publication points. The RPKI data passing RP's validation will appear in RP's output. Then, the RPKI-to-Router (RTR) protocol will synchronize the validated RPKI data from RP to routers. Currently, four types of RPKI data including IPv4 Prefix, IPv6 Prefix, Router Key, and ASPA are supported in the RTR protocol. However, in some cases, routers may be interested in a part of RPKI data types, instead of all. In such cases, synchronizing all types of data to routers is unreasonable. Furthermore, there may be more types of RPKI data in the RPKI repositories and RPs in the future. Ignoring the router's requirements and directly synchronizing all types of data to the router may induce unnecessary and non-negligible transmission and storage overheads. The followings are example types, and some of them may be possibly supported in the RPKI system in the future:

• Secured Routing Policy Specification Language (RPSL)
• Signed Prefix Lists
• Autonomous Systems Cones
• Mapping Origin Authorizations (MOAs)
• Signed SAVNET-Peering Information (SiSPI)
• Path validation with RPKI
• Signed Groupings of Autonomous System Numbers

SLURM provides a simple way to enable an RP to establish a local and customized view of the RPKI (, ). It defines Validation Output Filters to filter out specific RPKI data items and Locally Added Assertions to add RPKI data items. Although SLURM supports filtering out all IPv4 or IPv6 prefixes through the all-zero address prefixes, it does not support filtering out all RPKI data of other specified types. This document proposes enhanced SLURM filters which can filter out RPKI data by type. With enhanced SLURM filters, operators can efficiently select which type of RPKI data need to be synchronized to routers. The proposed method requires some modifications on the SLURM-related process of RP software. Upgrades of the RTR protocol implementations and router software implementations are not involved.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Use Case One of use cases is IPv6-only network. Suppose a IPv6-only network wants to enable ROV on BGP border routers. The routers are only interested in IPv6-related BGP validation because the routers can only receive IPv6 routes from neighbor ASes. Therefore, IPv4 Prefix data, Router Key data, and any other data except IPv6 prefix data are not useful for the network. An example of IPv6-only network is New China Education and Research Network (named Future Internet Technology Infrastructure, FITI). |BGP router| |BGP router| |------> | +----------+ +----------+ | | IPv6-only | +------------------------------------+ ]]> As described in Section , there may be more types of RPKI data in the RPKI repositories and RPs. Thus, there will be more use cases where a network does not need all types of RPKI data in the future.

Enhanced SLURM Filters This section proposes two optional designs.

Design 1: Define a "matchAll" member in filters A SLURM file consists of a single JSON object which has the same structure as , except that the "slurmVersion" member MUST be set to 3 (TBD). A new member called "matchAll" is defined for the ROA Prefix filters, BGPsec filters, ASPA filters, and possibly new types of filters defined in the future. The value of the "matchAll" member MUST be "true". To filter out a specific type of RPKI data, the RP can configure exactly one filter of the specific type which includes the "matchAll" member. If a filter includes the "matchAll" member, it may only optionally contain the "comment" member and SHOULD NOT include any other members besides "comment". When a filter containing the "matchAll" member exists, no other filters of the same type should exist—regardless of whether those other filters contain the "matchAll" member or not. Example 1：Filter out all the VRPs with IPv4 and IPv6 Prefixes If one want to filter either IPv4 or IPv6 prefixes, just reuse the existing SLURM mechanism, that is, filtering by using all-zero address prefixes. Example 1.1：Filter out all the VRPs with IPv4 Prefixes Example 1.2：Filter out all the VRPs with IPv6 Prefixes Example 2：Filter out all the Router Keys

Design 2: RPKI Data Type Filters A SLURM file consists of a single JSON object containing the following members:

• A "slurmVersion" member that MUST be set to 3 (TBD), encoded as a number
• A "validationOutputFilters" member whose value is an object. The object MUST contain exactly four members:
  • A "prefixFilters" member, see Section 3.3.1 of
  • A "bgpsecFilters" member, see section 3.3.2 of
  • A "aspaFilters" member, see Section 3.1 of
  • A "typeFilters" member
• A "locallyAddedAssertions" member whose value is an object. The object MUST contain exactly three members:
  • A "prefixAssertions" member, see Section 3.4.1
  • A "bgpsecAssertions" member, see Section 3.4.2
  • A "aspaAssertions" member, see Section 3.2

The following JSON structure with JSON members represents a SLURM file that has no filters or assertions:

RPKI Data Type Filters There are currently four types of RPKI data. More types may be defined in the future.

• IPv4 Prefix
• IPv6 Prefix
• Router Key
• ASPA

The RP can configure zero or at most four RPKI Data Type Filters ("Type Filter" for short). Each Type Filter contains a single 'rpkiDataType' and optionally a single 'comment'.

• The 'rpkiDataType' member MUST be one of the values, i.e., "IPv4 Prefix", "IPv6 Prefix", "Router Key", and "ASPA".
• It is RECOMMENDED that an explanatory comment is included with each Type Filter so that it can be shown to users of the RP software.

Any RPKI data item that matches any configured Type Filter MUST be removed from the RP's output. A RPKI data item is considered to match with a Type Filter if the following condition applies: The item is considered to match if the RPKI data type of the item is equal to the "rpkiDataType" value of Type Filter. The following example JSON structure represents a "typeFilter" member with one object as described above: In the example, all the Router Keys will be filtered out by SLURM.

IANA Considerations This document has no IANA actions.

Security Considerations The security considerations in Section 6 of are also applied to this document.

Acknowledgements Much thanks for the valuable comments or feedback from Job Snijders, Jeff Haas, Ying Wang, and Randy Bush.

References Normative References The Resource Public Key Infrastructure (RPKI) is a global authorization infrastructure that allows the holder of Internet Number Resources (INRs) to make verifiable statements about those resources. Network operators, e.g., Internet Service Providers (ISPs), can use the RPKI to validate BGP route origin assertions. ISPs can also use the RPKI to validate the path of a BGP route. However, ISPs may want to establish a local view of exceptions to the RPKI data in the form of local filters and additions. The mechanisms described in this document provide a simple way to enable INR holders to establish a local, customized view of the RPKI, overriding global RPKI repository data as needed. JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format. It was derived from the ECMAScript Programming Language Standard. JSON defines a small set of formatting rules for the portable representation of structured data. This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance. In order to verifiably validate the origin Autonomous Systems of BGP announcements, routers need a simple but reliable mechanism to receive Resource Public Key Infrastructure (RFC 6480) prefix origin data from a trusted cache. This document describes a protocol to deliver validated prefix origin data to routers. [STANDARDS-TRACK] In order to verifiably validate the origin Autonomous Systems and Autonomous System Paths of BGP announcements, routers need a simple but reliable mechanism to receive Resource Public Key Infrastructure (RFC 6480) prefix origin data and router keys from a trusted cache. This document describes a protocol to deliver them. This document describes version 1 of the RPKI-Router protocol. RFC 6810 describes version 0. This document updates RFC 6810. Arrcus, DRL, & IIJ Research Dragon Research Labs Asia Pacific Network Information Centre In order to validate the origin Autonomous Systems (ASes) and Autonomous System relationships behind BGP announcements, routers need a simple but reliable mechanism to receive Resource Public Key Infrastructure (RFC6480) prefix origin data, Router Keys, and ASPA data from a trusted cache. This document describes a protocol to deliver them. This document describes version 2 of the RPKI-Router protocol. [RFC6810] describes version 0, and [RFC8210] describes version 1. This document is compatible with both. Port 179 Ltd ISPs may want to establish a local view of exceptions to the Resource Public Key Infrastructure (RPKI) data in the form of local filters or additional attestations. This document defines an addendum to RFC 8416 by specifying a format for local filters and local assertions for Autonomous System Provider Authorizations (ASPA) for use with the RPKI. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References This document describes a method that allows parties to electronically sign Routing Policy Specification Language objects and validate such electronic signatures. This allows relying parties to detect accidental or malicious modifications of such objects. It also allows parties who run Internet Routing Registries or similar databases, but do not yet have authentication (based on Routing Policy System Security) of the maintainers of certain objects, to verify that the additions or modifications of such database objects are done by the legitimate holder(s) of the Internet resources mentioned in those objects. This document updates RFCs 2622 and 4012 to add the signature attribute to supported RPSL objects. BGPexpert.com This memo adds the capability to validate the full BGP AS path to the RPKI mechanism. NTT Ltd. Independent Juniper Networks This document describes a way to define groups of Autonomous System numbers in RPKI [RFC6480]. We call them AS-Cones. AS-Cones provide a mechanism to be used by operators for filtering BGP-4 [RFC4271] announcements. Fastly Amazon Web Services This document defines a Cryptographic Message Syntax (CMS) protected content type for use with the Resource Public Key Infrastructure (RPKI) to carry a general-purpose listing of Autonomous System Numbers (ASNs) and/or pointers to other groupings of ASNs, called an ASGroup. Additionally, the document specifies a mechanism for ASN holders to opt-out of being listed in a given ASGroup. The objective is to offer a RPKI-based successor to plain-text RFC 2622 'as-set' class objects. When validated, an ASGroup confirms that the respective ASN holder produced the ASGroup object. BSD Software Development APNIC This document defines a "Signed Prefix List", a Cryptographic Message Syntax (CMS) protected content type for use with the Resource Public Key Infrastructure (RPKI) to carry the complete list of prefixes which an Autonomous System (the subject AS) may originate to all or any of its routing peers. The validation of a Signed Prefix List confirms that the holder of the subject AS produced the object, and that this list is a current, accurate and complete description of address prefixes that may be announced into the routing system originated by the subject AS. China Telecom China Telecom CERNET Center/Tsinghua University APNIC ZDNS This document proposes a new approach by leveraging Resource Public Key Infrastructure (RPKI) architecture to verify the authenticity of the mapping origin of an IPv4 address block. MOA is a newly defined cryptographically signed object that provides a means for the address holder can authorize an IPv6 mapping prefix to originate mapping for one or more IPv4 prefixes. When receiving the MOA objects from the relying parties, PE devices can verify and discard invalid address mapping announcements from unauthorized IPv6 mapping prefixes to prevent IPv4 prefix hijacking. Zhongguancun Laboratory Zhongguancun Laboratory Tsinghua University Zhongguancun Laboratory This document defines a "Signed SAVNET-Peering Information" (SiSPI) object, a Cryptographic Message Syntax (CMS) protected content type included in the Resource Public Key Infrastructure (RPKI). A SiSPI object is a digitally signed object which carries the list of Autonomous Systems (ASes) deploying inter-domain SAVNET. When validated, the eContent of a SiSPI object confirms that the holder of the listed ASN produces the object and the AS has deployed inter- domain SAV and is ready to establish neighbor relationship for preventing source address spoofing.