]> Tiebreaking Resource Public Key Infrastructure (RPKI) Trust Anchors BSD Software Development
Amsterdam The Netherlands job@bsd.nl https://www.bsd.nl
OpenBSD
CH tb@openbsd.org
RIPE NCC
Amsterdam Netherlands tdekock@ripe.net
Operations and Management Area (OPS) SIDROPS RPKI Routing Security BGP X.509 A Trust Anchor (TA) in the RPKI is represented by a self-signed X.509 Certification Authority (CA) certificate. Over time, Relying Parties (RP) may have acquired multiple different issuances of valid TA certificates from the same TA operator. This document proposes a tiebreaking scheme to be used by RPs to select one TA certificate for certification path validation. This document updates RFC 8630.
Introduction In the Resource Public Key Infrastructure (RPKI) hierarchical structure, a Trust Anchor (TA) is an authority for which trust is assumed and not derived. TA operators periodically reissue TA certificates to update the validity period (), the Subject Information Access (SIA) extension (, Certificate Policies extension (), and the Internet Number Resources (INR) (). Relying Parties periodically fetch TA certificates from online locations and verify that the key of the self-signed certificate matches the key embedded in its associated Trust Anchor Locator (TAL) . This transfer may happen via an unauthenticated channel, and the certificate is verified by checking that it is signed by the public key in the TAL. After retrieving a TA certificate Relying Parties have a choice between using a previously retrieved locally cached copy of the TA certificate and the newly-retrieved instance of the TA certificate, provided that both certificates are valid. Periodic reissuance of TA certificates is a way of ensuring that the RPKI remains healthy at its root by avoiding ossification and retaining agility, consequently RPs re-fetch the certificates to adopt changes in the TA's INR and SIA extensions. In the past, some TA certificates were issued with unreasonably long validity periods, in some cases up to a century. Since TA certificates are the root, and thus have no Certificate Revocation List () covering their own scope, TA operators cannot revoke previously issued TA certificates. This means that an on-path adversary or caching network element could present Relying Parties with an older instance of the TA certificate than the TA operator intends Relying Parties to use. This document specifies a tiebreaking scheme for Relying Parties, preferring (1) the 'more recently' issued TA certificate, (2) the TA certificate with the shortest validity period among certificates with equal notBefore, and (3) the 'most recently fetched' instance of the TA certificate among certificates with equal notBefore and equal notAfter. This establishes a preorder over TA certificates issued by the same TA, permitting the issuance of a certificate that is preferred over any previous certificate.
Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.
Related Work It is assumed that the reader is familiar with the terms and concepts described in "" and "" .
Updates to RFC 8630 This section updates .
  • In Section , this paragraph is replaced as follows. OLD
    1. Retrieve the object referenced by (one of) the TA URI(s) contained in the TAL.
    2. Confirm that the retrieved object is a current, self-signed RPKI CA certificate that conforms to the profile as specified in .
    3. Confirm that the public key in the TAL matches the public key in the retrieved object.
    4. Perform other checks, as deemed appropriate (locally), to ensure that the RP is willing to accept the entity publishing this self-signed CA certificate to be a TA. These tests apply to the validity of attestations made in the context of the RPKI relating to all resources described in the INR extension(s) of this certificate.
    NEW
    1. Retrieve the object referenced by (one of) the TA URI(s) contained in the TAL. If this step fails, use the locally cached copy of the TA referenced by the TAL previously retrieved.
    2. Confirm that the retrieved object is a current, validly self-signed RPKI CA certificate that conforms to the profile as specified in . If this step fails, use the locally cached copy of the retrieved TA.
    3. Confirm that the public key in the TAL matches the public key in the retrieved object. If this step fails, use the locally cached copy of the retrieved TA.
    4. Check whether the retrieved object has a more recent notBefore than the locally cached copy of the retrieved TA. If the notBefore of the retrieved object is less recent, use the locally cached copy of the retrieved TA.
    5. If the notBefore dates are equal, check whether the retrieved object has a shorter validity period than the locally cached copy of the retrieved TA. If the validity period of the retrieved object is longer, use the locally cached copy of the retrieved TA.
    6. If the validity period is equal, and the newly-retrieved certificate differs from the cached copy, use the newly-retrieved certificate. In the unlikely event that this step is reached, it seems most likely that TA operators intend for RPs to use the certificate that is currently published.
Security Considerations When Relying Parties inadvertently use a different instance of the TA certificate than that which the TA operator intended for RPs to use, the certification path validation process will yield an unexpected outcome. Some examples of unexpected outcomes are validation failures, or replay attacks. Standardization of a tiebreaking scheme helps both RP and TA operators arrive at deterministic outcomes. The proposed tiebreaking scheme prevents RPs from accepting a previous certificate presented by an on-path adversary in the presence of other TA certificate material.
IANA Considerations This document has no IANA actions.
References Normative References Informative References rpki-client 9.1 rpki-prover
Implementation status This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in . The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist. According to , "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit".
  • OpenBSD
  • Mikhail Puzanov's
Acknowledgements The authors wish to thank , , and .