idnits 2.17.00 (12 Aug 2021) /tmp/idnits7847/draft-ietf-sidr-iana-objects-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------
     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------
     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------
  == There are 2 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed.
  == There are 4 instances of lines with multicast IPv4 addresses in the document. If these are generic example addresses, they should be changed to use the 233.252.0.x range defined in RFC 5771
  == There are 1 instance of lines with non-RFC3849-compliant IPv6 addresses in the document. If these are example addresses, they should be changed.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------
  == The copyright year in the IETF Trust and authors Copyright Line does not match the current year
  -- The document date (February 8, 2011) is 4119 days in the past. Is this intentional?

  Checking references for intended status: Best Current Practice
  ----------------------------------------------------------------------------
     (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs)
  == Outdated reference: draft-ietf-sidr-arch has been published as RFC 6480
  ** Downref: Normative reference to an Informational draft: draft-ietf-sidr-arch (ref. 'I-D.ietf-sidr-arch')
  == Outdated reference: draft-ietf-sidr-cp has been published as RFC 6484
  == Outdated reference: draft-ietf-sidr-ghostbusters has been published as RFC 6493
  == Outdated reference: A later version (-08) exists of draft-ietf-sidr-ltamgmt-00
  == Outdated reference: draft-ietf-sidr-res-certs has been published as RFC 6487
  == Outdated reference: draft-ietf-sidr-roa-format has been published as RFC 6482
  == Outdated reference: draft-ietf-sidr-roa-validation has been published as RFC 6483
  ** Downref: Normative reference to an Informational draft: draft-ietf-sidr-roa-validation (ref. 'I-D.ietf-sidr-roa-validation')
  == Outdated reference: draft-ietf-sidr-rpki-manifests has been published as RFC 6486
  == Outdated reference: draft-ietf-sidr-usecases has been published as RFC 6907
  ** Downref: Normative reference to an Informational draft: draft-ietf-sidr-usecases (ref. 'I-D.ietf-sidr-usecases')
  ** Downref: Normative reference to an Informational RFC: RFC 2860
  ** Obsolete normative reference: RFC 3068 (Obsoleted by RFC 7526)
  ** Downref: Normative reference to an Informational RFC: RFC 5180
  ** Obsolete normative reference: RFC 5735 (Obsoleted by RFC 6890)
  ** Obsolete normative reference: RFC 5736 (Obsoleted by RFC 6890)

  Summary: 8 errors (**), 0 flaws (~~), 13 warnings (==), 1 comment (--).

  Run idnits with the --verbose option for more detailed information about the items above.
--------------------------------------------------------------------------------

Network Working Group                                        T. Manderson
Internet-Draft                                                  L. Vegoda
Intended status: BCP                                                ICANN
Expires: August 12, 2011                                          S. Kent
                                                                      BBN
                                                         February 8, 2011

                      RPKI Objects issued by IANA
                   draft-ietf-sidr-iana-objects-00.txt

Abstract

   This document provides specific direction to IANA as to the RPKI
   objects it should issue.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 12, 2011.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Requirements Notation
   2.  Introduction
   3.  Suggested Reading
   4.  Definitions
   5.  Reserved Resources
   6.  Unallocated Resources
   7.  Special Purpose Registry Resources
   8.  Multicast
   9.  Informational Objects
   10. Certificates and CRLs
   11. IANA Considerations
   12. Security Considerations
   13. Acknowledgements
   14. Normative References
   Authors' Addresses

1.  Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Introduction

   An Infrastructure to Support Secure Internet Routing
   [I-D.ietf-sidr-arch] directs IANA [RFC2860] to issue RPKI objects for
   which it is authoritative. This document describes the objects IANA
   will issue.

   The signed objects described here that IANA will issue cover the
   unallocated, reserved, and special use IPv4 and IPv6 address blocks,
   and the reserved Autonomous System numbers. These number resources
   are managed by IANA for the IETF, and thus IANA bears the
   responsibility of issuing the corresponding RPKI objects. The reader
   is encouraged to consider the technical effects on the public routing
   system of the signed object issuance proposed for IANA in this
   document.

   This document does not deal with localized BGP [RFC4271] routing
   systems, as those are under the policy controls of the organizations
   that operate them. Readers are directed to Local Trust Anchor
   Management for the Resource Public Key Infrastructure
   [I-D.ietf-sidr-ltamgmt] for a description of how to locally override
   IANA-issued objects, e.g. to enable use of unallocated, reserved, and
   special use IPv4 and IPv6 address blocks in a local context.

   The direction to IANA contained herein follows the ideal that it
   should represent the perfect technical behavior in registry, and
   related registry, actions.

3.  Suggested Reading

   Readers should be familiar with the RPKI, the RPKI Repository
   Structure, and the various RPKI objects, uses and interpretations
   described in the following: [I-D.ietf-sidr-arch],
   [I-D.ietf-sidr-res-certs], [I-D.ietf-sidr-roa-format],
   [I-D.ietf-sidr-ghostbusters], [I-D.ietf-sidr-ltamgmt],
   [I-D.ietf-sidr-roa-validation], [I-D.ietf-sidr-usecases],
   [I-D.ietf-sidr-cp], [I-D.ietf-sidr-rpki-manifests].

4.  Definitions

   Internet Number Resources (INR): The number identifiers for IPv4 and
   IPv6 addresses, and for Autonomous Systems.

   IANA: Internet Assigned Numbers Authority (a traditional name, used
   here to refer to the technical team making and publishing the
   assignments of Internet protocol technical parameters). The
   technical team of IANA is currently a part of ICANN [RFC2860].

   RPKI: Resource Public Key Infrastructure. A Public Key
   Infrastructure designed to provide a secure basis for assertions
   about holdings of Internet numeric resources. Certificates issued
   under the RPKI contain additional attributes that identify IPv4,
   IPv6, and Autonomous System Number (ASN) resources.

   ROA: Route Origination Authorization. A ROA is an RPKI object that
   enables the holder of an address prefix to specify an AS that is
   permitted to originate (in BGP) routes for that prefix.

   AS0 ROA: Validation of Route Origination using the Resource
   Certificate PKI and ROAs [I-D.ietf-sidr-roa-validation] states "A ROA
   with a subject of AS0 (AS0-ROA) is an attestation by the holder of a
   prefix that the prefix described in the ROA, and any more specific
   prefix, should not be used in a routing context."

   "Not intended to be (publicly) routed": This phrase refers to
   prefixes that are not meant to be represented in the global Internet
   routing table (for example 192.168/16, [RFC1918]).

5.  Reserved Resources

   Reserved IPv4 and IPv6 resources are held back for various reasons by
   IETF action. Generally such resources are not intended to be
   globally routed. An example of such a reservation is 127.0.0.0/8
   [RFC5735].

   IANA should issue an AS0 ROA for all reserved IPv4 and IPv6 resources
   not intended to be routed.

   There are a small number of reserved resources which are intended to
   be routed, for example 192.88.99.0/24 [RFC3068].

   IANA MUST refrain from issuing any ROAs (AS0 or otherwise) for
   reserved resources that are expected to be globally routed.

6.  Unallocated Resources

   Internet Number Resources that have not yet been allocated for
   special purposes [RFC5736], to Regional Internet Registries (RIRs),
   or to others are considered as not intended to be globally routed.

   IANA MUST issue an AS0 ROA for all Unallocated Resources.

7.  Special Purpose Registry Resources

   Special Registry Resources [RFC5736] fall into one of two categories
   in terms of routing. Either the resource is intended to be seen in
   the global Internet routing table in some fashion, or it isn't. An
   example of a special purpose registry INR that is intended for global
   routing is 2001:0000::/32 [RFC4380]. An example of an INR not
   intended to be seen would be 2001:002::/48 [RFC5180].

   IANA MUST refrain from issuing any ROAs (AS0 or otherwise) for
   Special Purpose Registry Resources that are intended to be globally
   routed.

   IANA MUST issue an AS0 ROA for Special Purpose Registry Resources
   that are not intended to be globally routed.

8.  Multicast

   Within the IPv4 Multicast [RFC5771] and IPv6 Multicast [RFC4291]
   registries there are a number of Multicast registrations that are not
   intended to be globally routed.
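   Sections 5 through 7, together with the multicast blocks enumerated
   below in this section, reduce each registry entry to a single
   decision: IANA issues an AS0 ROA, or it refrains from issuing any
   ROA. The following Python is an added example for this document; it
   is not part of the draft and is not IANA's own tooling. It encodes
   that decision for a registry entry described by its prefix, its
   category and the registry's statement of whether the block is meant
   to be globally routed, and it emits the AS0 ROA content as a plain
   dictionary whose field names (asID, ipAddrBlocks, maxLength) are
   borrowed from the ROA profile [I-D.ietf-sidr-roa-format]. Two
   points are this example's own assumptions: the IPv6 test reads the
   4-bit scope field of the RFC 4291 multicast address format and
   treats scope 1 (interface-local, formerly node-local) and scope 2
   (link-local) as the two scopes this section names, and the
   "unallocated" sample prefix is a constructed placeholder rather than
   a registry entry.

```python
"""Decision logic for the ROA issuance rules of Sections 5-8 (added example)."""
from dataclasses import dataclass
from enum import Enum
from ipaddress import (IPv4Address, IPv4Network, IPv6Network,
                       ip_network, summarize_address_range)
from typing import Optional, Union

Network = Union[IPv4Network, IPv6Network]


class Category(Enum):
    RESERVED = "reserved"          # Section 5
    UNALLOCATED = "unallocated"    # Section 6
    SPECIAL_PURPOSE = "special"    # Section 7
    MULTICAST = "multicast"        # Section 8


@dataclass(frozen=True)
class RegistryEntry:
    prefix: Network
    category: Category
    # Meaningful for RESERVED and SPECIAL_PURPOSE only: does the registry
    # say this block is meant to appear in the global routing table?
    globally_routed: bool = False


# IPv4 multicast blocks that Section 8 directs IANA to cover with an AS0 ROA.
AS0_MULTICAST_V4 = (
    [IPv4Network("224.0.0.0/24")]      # Local Network Control Block
    + [IPv4Network("224.1.0.0/16")]    # IANA reserved portion of RESERVED
    + list(summarize_address_range(IPv4Address("224.5.0.0"),      # RESERVED
                                   IPv4Address("224.251.255.255")))
    + list(summarize_address_range(IPv4Address("225.0.0.0"),      # 7 /8s
                                   IPv4Address("231.255.255.255")))
)


def ipv6_multicast_scope(net: Network) -> Optional[int]:
    """Scope nibble of an IPv6 multicast prefix (RFC 4291: ff | flags | scope),
    or None when the prefix is not multicast or too short to fix the scope.
    Assumption of this example: scope 1 = interface/node-local, 2 = link-local."""
    if not isinstance(net, IPv6Network) or not net.is_multicast or net.prefixlen < 16:
        return None
    return net.network_address.packed[1] & 0x0F


def multicast_gets_as0(net: Network) -> bool:
    """True when the multicast prefix falls inside the blocks Section 8 lists."""
    if isinstance(net, IPv4Network):
        return any(net.subnet_of(block) for block in AS0_MULTICAST_V4)
    return ipv6_multicast_scope(net) in (1, 2)


def iana_action(entry: RegistryEntry) -> str:
    """'AS0_ROA' if IANA issues an AS0 ROA for the entry, 'NO_ROA' if it refrains."""
    cat = entry.category
    if cat is Category.UNALLOCATED:                       # Section 6: unconditional
        return "AS0_ROA"
    if cat in (Category.RESERVED, Category.SPECIAL_PURPOSE):  # Sections 5 and 7
        return "NO_ROA" if entry.globally_routed else "AS0_ROA"
    if cat is Category.MULTICAST:                         # Section 8
        return "AS0_ROA" if multicast_gets_as0(entry.prefix) else "NO_ROA"
    raise ValueError(f"unknown category {cat}")


def as0_roa(entry: RegistryEntry) -> Optional[dict]:
    """AS0 ROA content for the entry, or None when no ROA is to be issued."""
    if iana_action(entry) != "AS0_ROA":
        return None
    return {"asID": 0,
            "ipAddrBlocks": [{"addressFamily": entry.prefix.version,
                              "address": str(entry.prefix),
                              "maxLength": entry.prefix.prefixlen}]}


# Constructed sample entries, built from the examples the draft itself cites.
SAMPLE = [
    RegistryEntry(ip_network("127.0.0.0/8"), Category.RESERVED),            # RFC 5735
    RegistryEntry(ip_network("192.88.99.0/24"), Category.RESERVED, True),   # RFC 3068, routed
    RegistryEntry(ip_network("4000::/3"), Category.UNALLOCATED),            # placeholder only
    RegistryEntry(ip_network("2001::/32"), Category.SPECIAL_PURPOSE, True), # RFC 4380, routed
    RegistryEntry(ip_network("2001:2::/48"), Category.SPECIAL_PURPOSE),     # RFC 5180
    RegistryEntry(ip_network("224.0.0.0/24"), Category.MULTICAST),          # Local Network Control
    RegistryEntry(ip_network("233.252.0.0/24"), Category.MULTICAST),        # not in the list
    RegistryEntry(ip_network("ff02::/16"), Category.MULTICAST),             # link-local scope
    RegistryEntry(ip_network("ff0e::/16"), Category.MULTICAST),             # global scope
]

if __name__ == "__main__":
    for e in SAMPLE:
        print(f"{str(e.prefix):18} {e.category.value:12} -> {iana_action(e)}")
```

   Running the block prints one decision per sample entry; the two
   "routed" entries and the two multicast prefixes outside the listed
   blocks come back as NO_ROA, everything else as AS0_ROA. A relying
   party that wants to reproduce IANA's expected output against the
   live registries only needs to replace SAMPLE with the registry rows.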
   IANA MUST issue an AS0 ROA covering the following IPv4 and IPv6
   multicast INRs:

   IPv4:
      - Local Network Control Block
        224.0.0.0 - 224.0.0.255 (224.0.0/24)
      - IANA Reserved portions of RESERVED
        224.1.0.0 - 224.1.255.255 (224.1/16)
      - RESERVED
        224.5.0.0 - 224.251.255.255 (251 /16s)
        225.0.0.0 - 231.255.255.255 (7 /8s)

   IPv6:
      - Node-Local Scope Multicast Addresses
      - Link-Local Scope Multicast Addresses

   IANA MUST refrain from issuing any ROAs (AS0 or otherwise) for any
   other multicast addresses unless directed.

9.  Informational Objects

   One informational object that can exist at a publication point of an
   RPKI repository is the Ghostbusters Record
   [I-D.ietf-sidr-ghostbusters].

   IANA MUST issue a Ghostbusters object appropriate in content for the
   resources IANA maintains.

10.  Certificates and CRLs

   Before IANA can issue a ROA it MUST first establish an RPKI
   Certificate Authority (CA) that covers unallocated, reserved, and
   special use INRs by containing RFC 3779 extensions [RFC3779] for
   those corresponding number resources in the CA Certificate. This CA
   MUST issue single-use End Entity (EE) certificates for each ROA. The
   EE certificate will conform to the Resource Certificate Profile
   [I-D.ietf-sidr-res-certs] and the additional constraints specified in
   [I-D.ietf-sidr-roa-format]. IANA MUST maintain a publication point
   for this CA's use and publish manifests
   [I-D.ietf-sidr-rpki-manifests] (each with its corresponding EE
   certificate). A Certificate Revocation List (CRL) will be issued
   under this CA certificate. All objects issued by this CA will
   conform to a published Certificate Policy [I-D.ietf-sidr-cp].

11.  IANA Considerations

   This document directs IANA to issue, or refrain from issuing, the
   specific objects described here for the current set of reserved,
   unallocated, and special registry Internet Number Resources.
   Further, it MUST notify all other INR registries that RPKI objects
   have been issued for specific Internet Number Resources, to avoid
   duplicates being issued and thus reduce the burden on any relying
   party.

12.  Security Considerations

   This document does not alter the security profile of the RPKI from
   that already discussed in SIDR-WG documents.

13.  Acknowledgements

   The authors acknowledge Dave Meyer for helpful direction with regard
   to multicast assignments.

14.  Normative References

   [I-D.ietf-sidr-arch]
              Lepinski, M. and S. Kent, "An Infrastructure to Support
              Secure Internet Routing", draft-ietf-sidr-arch-11 (work in
              progress), September 2010.

   [I-D.ietf-sidr-cp]
              Kent, S., Kong, D., Seo, K., and R. Watro, "Certificate
              Policy (CP) for the Resource PKI (RPKI)",
              draft-ietf-sidr-cp-16 (work in progress), December 2010.

   [I-D.ietf-sidr-ghostbusters]
              Bush, R., "The RPKI Ghostbusters Record",
              draft-ietf-sidr-ghostbusters-00 (work in progress),
              December 2010.

   [I-D.ietf-sidr-ltamgmt]
              Kent, S. and M. Reynolds, "Local Trust Anchor Management
              for the Resource Public Key Infrastructure",
              draft-ietf-sidr-ltamgmt-00 (work in progress),
              November 2010.

   [I-D.ietf-sidr-res-certs]
              Huston, G., Michaelson, G., and R. Loomans, "A Profile for
              X.509 PKIX Resource Certificates",
              draft-ietf-sidr-res-certs-21 (work in progress),
              December 2010.

   [I-D.ietf-sidr-roa-format]
              Lepinski, M., Kent, S., and D. Kong, "A Profile for Route
              Origin Authorizations (ROAs)",
              draft-ietf-sidr-roa-format-09 (work in progress),
              November 2010.

   [I-D.ietf-sidr-roa-validation]
              Huston, G. and G. Michaelson, "Validation of Route
              Origination using the Resource Certificate PKI and ROAs",
              draft-ietf-sidr-roa-validation-10 (work in progress),
              November 2010.

   [I-D.ietf-sidr-rpki-manifests]
              Austein, R., Huston, G., Kent, S., and M. Lepinski,
              "Manifests for the Resource Public Key Infrastructure",
              draft-ietf-sidr-rpki-manifests-09 (work in progress),
              November 2010.

   [I-D.ietf-sidr-usecases]
              Manderson, T., Sriram, K., and R. White, "Use Cases and
              interpretation of RPKI objects for issuers and relying
              parties", draft-ietf-sidr-usecases-01 (work in progress),
              December 2010.

   [RFC1918]  Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and
              E. Lear, "Address Allocation for Private Internets",
              BCP 5, RFC 1918, February 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2860]  Carpenter, B., Baker, F., and M. Roberts, "Memorandum of
              Understanding Concerning the Technical Work of the
              Internet Assigned Numbers Authority", RFC 2860, June 2000.

   [RFC3068]  Huitema, C., "An Anycast Prefix for 6to4 Relay Routers",
              RFC 3068, June 2001.

   [RFC3779]  Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
              Addresses and AS Identifiers", RFC 3779, June 2004.

   [RFC4271]  Rekhter, Y., Li, T., and S. Hares, "A Border Gateway
              Protocol 4 (BGP-4)", RFC 4271, January 2006.

   [RFC4291]  Hinden, R. and S. Deering, "IP Version 6 Addressing
              Architecture", RFC 4291, February 2006.

   [RFC4380]  Huitema, C., "Teredo: Tunneling IPv6 over UDP through
              Network Address Translations (NATs)", RFC 4380,
              February 2006.

   [RFC5180]  Popoviciu, C., Hamza, A., Van de Velde, G., and D.
              Dugatkin, "IPv6 Benchmarking Methodology for Network
              Interconnect Devices", RFC 5180, May 2008.

   [RFC5735]  Cotton, M. and L. Vegoda, "Special Use IPv4 Addresses",
              BCP 153, RFC 5735, January 2010.

   [RFC5736]  Huston, G., Cotton, M., and L. Vegoda, "IANA IPv4 Special
              Purpose Address Registry", RFC 5736, January 2010.

   [RFC5771]  Cotton, M., Vegoda, L., and D. Meyer, "IANA Guidelines for
              IPv4 Multicast Address Assignments", BCP 51, RFC 5771,
              March 2010.

Authors' Addresses

   Terry Manderson
   ICANN

   Email: terry.manderson@icann.org

   Leo Vegoda
   ICANN

   Email: leo.vegoda@icann.org

   Steve Kent
   BBN

   Email: kent@bbn.com