diff --git a/draft-ietf-sidrops-8210bis.xml b/draft-ietf-sidrops-8210bis.xml index 84f739e..e3d3718 100644 --- a/draft-ietf-sidrops-8210bis.xml +++ b/draft-ietf-sidrops-8210bis.xml @@ -10,7 +10,7 @@ - + @@ -54,7 +54,7 @@ This document describes version 2 of the RPKI-Router protocol. RFC 6810 describes version 0, and RFC 8210 describes version 1. - This document updates and replaces RFC 8210. + This document is compatible with both. @@ -65,17 +65,24 @@
In order to verifiably validate the origin Autonomous Systems - (ASs) and AS paths of BGP announcements, routers need a - simple but reliable mechanism to receive cryptographically - validated Resource Public Key Infrastructure (RPKI) - prefix origin data and router keys - from a trusted cache. This document describes a protocol to - deliver them. The design is intentionally constrained to be - usable on much of the current generation of ISP router - platforms. + (ASes) and AS paths of BGP announcements, routers need a simple + but reliable mechanism to receive cryptographically validated + Resource Public Key Infrastructure (RPKI) prefix origin data and router keys from a + trusted cache. This document describes a protocol to deliver + them. The design is intentionally constrained to be usable on + much of the current generation of ISP router platforms. - This document updates . + + This specification documents version 2 of the RPKI-RTR protocol. + Earlier versions are documented in and + . Though this version is, of course, + preferred, the earlier versions are expected to continue to be + productively deployed indefinitely, and + details how to downgrade from this version to earlier versions + as needed in order to interoperate. + describes the deployment structure, and @@ -122,13 +129,14 @@ A small has been added to handle - two ROA (Route Origination Authorization) PDU race - conditions, Break Before Make and Shorter Prefix First. + two possible ROA (Route Origination Authorization) PDU + race conditions, Break Before Make and Shorter Prefix + First. The protocol version number incremented from 1 (one) to 2 - (two) and has been - updated accordingly. + (two) and has been updated + accordingly. @@ -236,12 +244,12 @@ on their caches and the Global RPKI. - Periodically, the router sends to the cache the most recent - Serial Number for which it has received data from that - cache, i.e., the router's current Serial Number, in the form of a - Serial Query. When a router establishes a new session with a - cache or wishes to reset a current relationship, it sends a - Reset Query. + Periodically, the router sends a Serial Query to the cache the + most recent Serial Number for which it has received data from + that cache, i.e., the router's current Serial Number, in the + form of a Serial Query. When a router establishes a new session + with a cache or wishes to reset a current relationship, it sends + a Reset Query. The cache responds to the Serial Query with all data changes @@ -293,7 +301,7 @@ Should a transport connection be lost for unknown reasons, the router SHOULD try to reestablish one; being careful to not abuse - the cache with twoo many failed requests. + the cache with two many failed requests.
@@ -321,7 +329,7 @@ e.g., IPv4 Prefix. - A 32-bit unsigned integer serializing the RPKI cache epoc + A 32-bit unsigned integer serializing the RPKI cache epoch when this set of PDUs was received from an upstream cache server or gathered from the Global RPKI. A cache increments its Serial Number when completing a validated @@ -438,7 +446,7 @@ announce a prefix or associated with a router key. - The 20-bit Subject Key Identifier (SKI) value of a router + The 20-octet Subject Key Identifier (SKI) value of a router key, as described in . @@ -474,7 +482,7 @@ The 32-bit AS number of the Autonomous System that authorizes the upstream providers listed in the Provider Autonomous System list to propagate prefixes of the - specified address family other ASes. + specified address family to other ASes. The set of 32-bit AS numbers authorized to propagate @@ -686,7 +694,7 @@ - This PDU carries an Vidated ROA + This PDU carries an Validated ROA Payload (VRP) for an IPv4 ROA. @@ -751,7 +759,7 @@ - This PDU carries an Vidated ROA + This PDU carries an Validated ROA Payload (VRP) for an IPv6 ROA. @@ -945,9 +953,10 @@ MAY be truncated. - The Arbitrary Bytes field is optional; if not present, the - Length of Arbitrary Bytes field MUST be zero. If Arbitrary - Bytes are present, they are, as named, arbitrary values. + The Arbitrary Text field is optional; if not present, the + Length of Arbitrary text field MUST be zero. If Arbitrary + Text is present, it MUST be a string in UTF-8 encoding (see + ) in the Queen's English.
@@ -970,13 +979,13 @@ | | +-------------------------------------------+ | | -| Length of Arbitrary Bytes | +| Length of Arbitrary Text | | | +-------------------------------------------+ | | -| Arbitrary Bytes | -| of | -~ Error Diagnostic ~ +| Arbitrary Text | +~ of ~ +| Error Diagnostic Message | | | `-------------------------------------------' @@ -1015,20 +1024,17 @@ The ASPA PDU supports . An ASPA PDU - represents one single customer AS and its provider ASs for a + represents one single customer AS and its provider ASes for a particular Address Family. Receipt of an ASPA PDU announcement (announce/withdraw flag == 1) when the router already has an ASPA PDU with the same Customer Autonomous System Number and the same Address Family (see AFI Flags - field), replaces the previous one. This is to avoid a race - condition when a BGP announcement is received between a - withdrawn ASPA PDU and a newly announced ASPA PDU. Therefore, - the cache MUST deliver the complete data of an ASPA record in - a single ASPA PDU. + field), replaces the previous one. The cache MUST deliver the + complete data of an ASPA record in a single ASPA PDU. - The router should see at most one ASPA for a given AFI from a + The router MUST see at most one ASPA for a given AFI from a cache for a particular Customer Autonomous System Number active at any time. As a number of conditions in the global RPKI may present multiple valid ASPA RPKI records for a single @@ -1057,18 +1063,9 @@ - The AFI Flags field is defined as follows: + The AFI Flags field is defined in . -
- - Bit Bit Name - ---- ------------------- - 0 AFI (IPv4 == 0, IPv6 == 1) - 1-7 Reserved, MUST be zero - -
- The Provider AS Count is the number of 32-bit Provider Autonomous System Numbers in the PDU. @@ -1076,10 +1073,10 @@ The Customer Autonomous System Number is the 32-bit Autonomous - System Number of the customer which authenticated the PDU. - For a given AFI, there MUST be one and only one ASPA for a - Customer Autonomous System Number active in the router at any - time. + System Number of the customer which authenticated the ASPA + RPKI data. For a given AFI, there MUST be one and only one + ASPA for a Customer Autonomous System Number active in the + router at any time. @@ -1171,18 +1168,16 @@ the highest version of this protocol the router implements. - If a cache which supports version N receives a query from a - router which specifies its highest supported version Q < N, - the cache MUST downgrade to protocol version Q or or send a version - 2 Error Report PDU with Error Code 4 ("Unsupported Protocol - Version") and terminate the connection; in which case the - Arbitrary Bytes field of the Error Report PDU MUST be a list of - one octet binary integers indicating the version numbers the - cache supports. The router MUST choose the highest mutally - supported version. If there are none, the router MUST abort the - session, sending a version 2 Error Report PDU with Error Code 4 - ("Unsupported Protocol Version"). + If a cache which supports version N receives a Reset Query with + Version Q < N, the cache MUST downgrade to protocol version Q + or . If the + router's Reset Request was Q > N, the cache MUST send a + version 2 Error Report PDU with Error Code 4 ("Unsupported + Protocol Version"), and the router MUST send another Reset Query + with a lower Version Q. Yjis MAY repeat. If the router + requests Q == 0 and it still fails, then the router MUST abort + the session, sending a version 2 Error Report PDU with Error + Code 4 ("Unsupported Protocol Version"). If a router which supports version N sends a query to a cache @@ -1204,7 +1199,7 @@ In any of the downgraded combinations above, the new features of - the higher version will not be available, and all PDUs will have + the higher version will not be available, and all PDUs MUST have the negotiated lower version number in their version fields. @@ -1277,16 +1272,16 @@ Cache Router When a transport connection is first established, the router MUST send either a Reset Query or a Serial Query. A Serial - Query would be appropriate if the router has significant - unexpired data from a broken session with the same cache and - remembers the Session ID of that session, in which case a - Serial Query containing the Session ID from the previous - session will allow the router to bring itself up to date - while ensuring that the Serial Numbers are commensurate and - that the router and cache are speaking compatible versions - of the protocol. In all other cases, the router lacks the - necessary data for fast resynchronization and therefore - MUST fall back to a Reset Query. + Query would be appropriate if the router has unexpired data + from a broken session with the same cache and remembers the + Session ID of that session, in which case a Serial Query + containing the Session ID from the previous session will allow + the router to bring itself up to date while ensuring that the + Serial Numbers are commensurate and that the router and cache + are speaking compatible versions of the protocol. In all + other cases, the router lacks the necessary data for fast + resynchronization and therefore MUST fall back to a Reset + Query. The Reset Query sequence is also used when the router @@ -1588,8 +1583,9 @@ Cache Router . - The client router MUST set its "reference identifier" to - the DNS name of the rpki-rtr cache. + The client router MUST set its "reference identifier" (see + Section 6.2 of ) to the DNS name + of the rpki-rtr cache. @@ -1636,7 +1632,7 @@ Cache Router and a cache may be configured to support a selection of routers. Each must have the name of, and authentication data for, each peer. In addition, in a router, this list has a non-unique - preference value for each server. This preference is intended + preference value for each cache. This preference is intended to be based on proximity, a la RTT, not trust, preferred belief, et cetera. The client router attempts to establish a session with each potential serving cache in preference order and then @@ -1902,7 +1898,7 @@ Cache Router to a cache. - Reliable transport protocols (i.e. not raw TCP) will + Authenticating transport protocols (i.e. not raw TCP) will authenticate the identity of the cache server to the router client, and vice versa, before any data are exchanged. @@ -1959,6 +1955,24 @@ Cache Router 0-2 255 Reserved
+ + + This document requests the IANA to create a registry for ASPA + AFI Flags 0 to 7. The name of the registry should be + rpki-rtr-afi. The policy for adding to the registry is Expert + Review per , where the responsible IESG + area director should appoint the Expert Reviewer. The initial + entries should be as follows: +
+ + Bit Bit Name + ---- ------------------- + 0 AFI (IPv4 == 0, IPv6 == 1) + 1-7 Reserved, MUST be zero + +
+ + @@ -1982,6 +1996,7 @@ Cache Router +