idnits 2.17.00 (12 Aug 2021) /tmp/idnits62430/draft-ietf-sidr-rpsl-sig-10.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). (Using the creation date from RFC2622, updated by this document, for RFC5378 checks: 1998-11-19) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (March 10, 2016) is 2263 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '6' on line 498 Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 SIDR R. Kisteleki 3 Internet-Draft RIPE NCC 4 Updates: 2622, 4012 (if approved) B. Haberman 5 Intended status: Standards Track JHU APL 6 Expires: September 11, 2016 March 10, 2016 8 Securing RPSL Objects with RPKI Signatures 9 draft-ietf-sidr-rpsl-sig-10.txt 11 Abstract 13 This document describes a method to allow parties to electronically 14 sign Routing Policy Specification Language objects and validate such 15 electronic signatures. This allows relying parties to detect 16 accidental or malicious modifications on such objects. It also 17 allows parties who run Internet Routing Registries or similar 18 databases, but do not yet have Routing Policy System Security-based 19 authentication of the maintainers of certain objects, to verify that 20 the additions or modifications of such database objects are done by 21 the legitimate holder(s) of the Internet resources mentioned in those 22 objects. This document updates RFC 2622 and RFC 4012 to add the 23 signature attribute to supported RPSL objects. 25 Status of This Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at http://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on September 11, 2016. 42 Copyright Notice 44 Copyright (c) 2016 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (http://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with respect 52 to this document. Code Components extracted from this document must 53 include Simplified BSD License text as described in Section 4.e of 54 the Trust Legal Provisions and are provided without warranty as 55 described in the Simplified BSD License. 57 Table of Contents 59 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 60 2. Signature Syntax and Semantics . . . . . . . . . . . . . . . 3 61 2.1. General Attributes, Meta Information . . . . . . . . . . 3 62 2.2. Signed Attributes . . . . . . . . . . . . . . . . . . . . 5 63 2.3. Storage of the Signature Data . . . . . . . . . . . . . . 5 64 2.4. Number Resource Coverage . . . . . . . . . . . . . . . . 5 65 2.5. Validity Time of the Signature . . . . . . . . . . . . . 6 66 3. Signature Creation and Validation Steps . . . . . . . . . . . 6 67 3.1. Canonicalization . . . . . . . . . . . . . . . . . . . . 6 68 3.2. Signature Creation . . . . . . . . . . . . . . . . . . . 8 69 3.3. Signature Validation . . . . . . . . . . . . . . . . . . 9 70 4. Signed Object Types, Set of Signed Attributes . . . . . . . . 10 71 5. Keys and Certificates used for Signature and Verification . . 12 72 6. Security Considerations . . . . . . . . . . . . . . . . . . . 12 73 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 74 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13 75 9. Normative References . . . . . . . . . . . . . . . . . . . . 13 76 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 78 1. Introduction 80 Objects stored in resource databases, like the RIPE DB, are generally 81 protected by an authentication mechanism: anyone creating or 82 modifying an object in the database has to have proper authorization 83 to do so, and therefore has to go through an authentication procedure 84 (provide a password, certificate, e-mail signature, etc.) However, 85 for objects transferred between resource databases, the 86 authentication is not guaranteed. This means when downloading a 87 Routing Policy Specification Language (RPSL) object stored in this 88 database, one can reasonably safely claim that the object is 89 authentic, but for an imported object one cannot. Also, once such an 90 object is downloaded from the database, it becomes a simple (but 91 still structured) text file with no integrity protection. More 92 importantly, the authentication and integrity guarantees associated 93 with these objects do not always ensure that the entity that 94 generated them is authorized to make the assertions implied by the 95 data contained in the objects. 97 A potential use for resource certificates [RFC6487] is to use them to 98 secure such (both imported and downloaded) database objects, by 99 applying a digital signature over the object contents. A maintainer 100 of such signed database objects MUST possess a relevant resource 101 certificate, which shows him/her as the legitimate holder of an 102 Internet number resource. This mechanism allows the users of such 103 database objects to verify that the contents are in fact produced by 104 the legitimate holder(s) of the Internet resources mentioned in those 105 objects. It also allows the signatures to cover whole RPSL objects, 106 or just selected attributes of them. In other words, a digital 107 signature created using the private key associated with a resource 108 certificate can offer object security in addition to the channel 109 security already present in most of such databases. Object security 110 in turn allows such objects to be hosted in different databases and 111 still be independently verifiable. 113 The capitalized key words "MUST", "MUST NOT", "REQUIRED", "SHALL", 114 "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and 115 "OPTIONAL" in this document are to be interpreted as described in 116 [RFC2119]. 118 2. Signature Syntax and Semantics 120 When signing an RPSL object [RFC2622][RFC4012], the input for the 121 signature process is transformed into a sequence of strings of 122 (ASCII) data. The approach is similar to the one used in DKIM 123 (Domain Key Identified Mail) [RFC6376]. In the case of RPSL, the 124 object-to-be-signed closely resembles an SMTP header, so it seems 125 reasonable to adapt DKIM's relevant features. 127 2.1. General Attributes, Meta Information 129 The digital signature associated with an RPSL object is itself a new 130 attribute named "signature". It consists of mandatory and optional 131 fields. These fields are structured in a sequence of name and value 132 pairs, separated by a semicolon ";" and a white space. Collectively 133 these fields make up the value for the new "signature" attribute. 134 The "name" part of such a component is always a single ASCII 135 character that serves as an identifier; the value is an ASCII string 136 the contents of which depend on the field type. Mandatory fields 137 must appear exactly once, whereas optional fields MUST appear at most 138 once. 140 Mandatory fields of the "signature" attribute: 142 o Version of the signature (field "v"). This field MUST be set to 143 "rpkiv1". The signature format described in this document applies 144 when the version field is set to "rpkiv1". All the rest of the 145 signature attributes are defined by the value of version field. 147 o Reference to the certificate corresponding to the private key used 148 to sign this object (field "c"). The value of this field MUST be 149 a URL of type "rsync" or "http(s)" that points to a specific 150 resource certificate in an RPKI repository [RFC6481]. Any non 151 URL-safe characters (including semicolon ";" and plus "+") must be 152 URL encoded. 154 o Signature method (field "m"): what hash and signature algorithms 155 were used to create the signature. The allowed algorithms which 156 can be used for the signature are specified in Section 5 of RFC 157 4055 [RFC4055]. More specifically, this version of RPSL 158 signatures supports the following hash algorithms: 160 * sha224WithRSAEncryption 162 * sha256WithRSAEncryption 164 * sha384WithRSAEncryption 166 * sha512WithRSAEncryption 168 The algorithms are referenced witin the signature attribute by the 169 ASCII names of the algorithms. 171 o Time of signing (field "t"). The format of the value of this 172 field MUST be in the Internet Date/Time format [RFC3339]. All 173 times MUST be converted to Universal Coordinated Time (UTC) 175 o The signed attributes (field "a"). This is a list of attribute 176 names, separated by an ASCII "+" character (if more than one 177 attribute is enumerated). The list must include any attribute at 178 most once. 180 o The signature itself (field "b"). This MUST be the last field in 181 the list. The signature is the output of the signature algorithm 182 using the appropriate private key and the calculated hash value of 183 the object as inputs. The value of this field is the digital 184 signature in base64 encoding [RFC4648]. 186 Optional fields of the "signature" attribute: 188 o Signature expiration time (field "x"). The format of the value of 189 this field MUST be in the Internet Date/Time format [RFC3339]. 190 All times MUST be represented in UTC. 192 2.2. Signed Attributes 194 One can look at an RPSL object as an (ordered) set of attributes, 195 each having a "key: value" syntax. Understanding this structure can 196 help in developing more flexible methods for applying digital 197 signatures. 199 Some of these attributes are automatically added by the database, 200 some are database-dependent, yet others do not carry operationally 201 important information. This specification allows the maintainer of 202 such an object to decide which attributes are important (signed) and 203 which are not (not signed), from among all the attributes of the 204 object; in other words, we define a way of including important 205 attributes while excluding irrelevant ones. Allowing the maintainer 206 of an object to select the attributes that are covered by the digital 207 signature achieves the goals established in Section 1. 209 The type of the object determines the minimum set of attributes that 210 MUST be signed. The signer MAY choose to sign additional attributes, 211 in order to provide integrity protection for those attributes too. 213 When verifying the signature of an object, the verifier has to check 214 whether the signature itself is valid, and whether all the specified 215 attributes are referenced in the signature. If not, the verifier 216 MUST reject the signature and threat the object as a regular, non- 217 signed RPSL object. 219 2.3. Storage of the Signature Data 221 The result of applying the signature mechanism once is exactly one 222 new attribute for the object. As an illustration, the structure of a 223 signed RPSL object is as follows: 225 attribute1: value1 226 attribute2: value2 227 attribute3: value3 228 ... 229 signature: v=rpkiv1; c=rsync://.....; m=sha256WithRSAEncryption; 230 t=2014-12-31T23:59:60Z; 231 a=attribute1+attribute2+attribute3+...; 232 b= 234 2.4. Number Resource Coverage 236 Even if the signature(s) over the object are valid according to the 237 signature validation rules, they may not be relevant to the object; 238 they also need to cover the relevant Internet number resources 239 mentioned in the object. 241 Therefore the Internet number resources present in [RFC3779] 242 extensions of the certificate referred to in the "c" field of the 243 signature MUST cover the resources in the primary key of the object 244 (e.g., value of the "aut-num:" attribute of an aut-num object, value 245 of the "inetnum:" attribute of an inetnum object, values of "route:" 246 and "origin:" attributes of a route object, etc.). 248 2.5. Validity Time of the Signature 250 The validity time interval of a signature is the intersection of the 251 validity time of the certificate used to verify the signature, the 252 "not before" time specified by the "t" field of the signature, and 253 the optional "not after" time specified by the "x" field of the 254 signature. 256 When checking multiple signatures, these checks are applied to each 257 signature, individually. 259 3. Signature Creation and Validation Steps 261 3.1. Canonicalization 263 The notion of canonicalization is essential to digital signature 264 generation and validation whenever data representations may change 265 between a signer and one or more signature verifiers. 266 Canonicalization defines how one transforms a representation of data 267 into a series of bits for signature generation and verification. The 268 task of canonicalization is to make irrelevant differences in 269 representations of the same object, which would otherwise cause 270 signature verification to fail. Examples of this could be: 272 o data transformations applied by the databases that host these 273 objects (such as notational changes for IPv4/IPv6 prefixes, 274 automatic addition/modification of "changed" attributes, etc.) 276 o the difference of line terminators across different systems. 278 This means that the destination database might change parts of the 279 submitted data after it was signed, which would cause signature 280 verification to fail. This document specifies strict 281 canonicalization rules to overcome this problem. 283 The following steps MUST be applied in order to achieve canonicalized 284 representation of an object, before the actual signature 285 (verification) process can begin: 287 1. Comments (anything beginning with a "#") MUST be omitted. 289 2. Any trailing white space MUST be omitted. 291 3. A multi-line attribute MUST be converted into its single-line 292 equivalent. This is accomplished by: 294 * Converting all line endings to a single blank space. 296 * Concatenating all lines into a single line. 298 * Replacing the trailing blank space with a single new line 299 ("\n"). 301 4. Numerical fields MUST be converted to canonical representations. 302 These include: 304 * Date and time fields MUST be converted to UTC and MUST be 305 represented in the Internet Date/Time format [RFC3339]. 307 * AS numbers MUST be converted to ASPLAIN syntax [RFC5396]. 309 * IPv6 addresses MUST be canonicalized as defined in [RFC5952]. 311 * IPv4 addresses MUST be represented as the ipv4-address type 312 defined by RPSL [RFC2622] 314 * All IP prefixes (IPv4 and IPv6) MUST be represented in CIDR 315 notation [RFC4632]. 317 5. All ranges, lists, or sets of numerical fields are represented 318 using the appropriate RPSL attribute and each numerical element 319 contained within those attributes MUST conform to the 320 canonicalization rules in this document. 322 6. The name of each attribute MUST be converted into lower case, and 323 MUST be kept as part of the attribute line. 325 7. Tab characters ("\t") MUST be converted to spaces. 327 8. Multiple whitespaces MUST be collapsed into a single space (" ") 328 character. 330 9. All line endings MUST be converted to a singe new line ("\n") 331 character (thus avoiding CR vs. CRLF differences). 333 3.2. Signature Creation 335 Given an RPSL object, in order to create the digital signature, the 336 following steps MUST be performed: 338 1. For each signature, a new public/private key pair and certificate 339 SHOULD be used. Therefore the signer SHOULD create a single-use 340 key pair and end-entity resource certificate (see [RFC6487]). 341 The private key is used for signing this object this time. 343 2. Create a list of attribute names referring to the attributes that 344 will be signed (contents of the "a" field). The minimum set of 345 these attributes is determined by the object type; the signer MAY 346 select additional attributes. 348 3. Arrange the selected attributes according to the selection 349 sequence specified in the "a" field as above, omitting all 350 attributes that will not be signed. 352 4. Construct the new "signature" attribute, with all its fields, 353 leaving the value of the "b" field empty. 355 5. Apply canonicalization rules to the result (including the 356 "signature" attribute). 358 6. Create the signature over the results of the canonicalization 359 process (according to the signature and hash algorithms specified 360 in the "m" field of the signature attribute). 362 7. Insert the base64 encoded value of the signature as the value of 363 the "b" field. 365 8. Append the resulting "signature" attribute to the original 366 object. 368 3.3. Signature Validation 370 In order to validate a signature over such an object, the following 371 steps MUST be performed: 373 1. Verify the syntax of the "signature" attribute (i.e., whether it 374 contains the mandatory and optional components and the syntax of 375 these fields matches the specification as described in section 376 2.1.) 378 2. Fetch the certificate referred to in the "c" field of the 379 "signature" attribute, and check its validity using the steps 380 described in [RFC6487]. 382 3. Extract the list of attributes that were signed using the signer 383 from the "a" field of the "signature" attribute. 385 4. Verify that the list of signed attributes includes the minimum 386 set of attributes for that object type. 388 5. Arrange the selected attributes according to the selection 389 sequence provided in the value of the "a" field, omitting all 390 non-signed attributes. 392 6. Replace the value of the signature field "b" of the "signature" 393 attribute with an empty string. 395 7. Apply the canonicalization procedure to the selected attributes 396 (including the "signature" attribute). 398 8. Check the validity of the signature using the signature algorithm 399 specified in the "m" field of the signature attribute, the public 400 key contained in the certificate mentioned in the "c" field of 401 the signature, the signature value specified in the "b" field of 402 the signature attribute, and the output of the canonicalization 403 process. 405 4. Signed Object Types, Set of Signed Attributes 407 This section describes a list of object types that MAY signed using 408 this approach. For each object type, the set of attributes that MUST 409 be signed for these object types (the minimum set noted in 410 Section Section 3.3 is enumerated. 412 This list generally excludes attributes that are used to maintain 413 referential integrity in the databases that carry these objects, 414 since these usually make sense only within the context of such a 415 database, whereas the scope of the signatures is only one specific 416 object. Since the attributes in the referred object (such as mnt-by, 417 admin-c, tech-c, ...) can change without any modifications to the 418 signed object, signing such attributes could lead to false sense of 419 security in terms of the contents of the signed data; therefore 420 including such attributes should only be done in order to provide 421 full integrity protection of the object itself. 423 The newly constructed "signature" attribute is always included in the 424 list. 426 as-block: 428 * as-block 430 * org 432 * signature 434 aut-num: 436 * aut-num 438 * as-name 440 * member-of 442 * import 444 * mp-import 445 * export 447 * mp-export 449 * default 451 * mp-default 453 * signature 455 inet[6]num: 457 * inet[6]num 459 * netname 461 * country 463 * org 465 * status 467 * signature 469 route[6]: 471 * route[6] 473 * origin 475 * holes 477 * org 479 * member-of 481 * signature 483 For each signature, the RFC3779 extension appearing in the 484 certificate used to verify the signature MUST include a resource 485 entry that is equivalent to, or covers ("less specific" than) the 486 following resources mentioned in the object the signature is attached 487 to: 489 o For the as-block object type: the resource in the "as-block" 490 attribute. 492 o For the aut-num object type: the resource in the "aut-num" 493 attribute. 495 o For the inet[6]num object type: the resource in the "inet[6]num" 496 attribute. 498 o For the route[6] object type: the resource in the "route[6]" or 499 "origin" (or both) attributes. 501 5. Keys and Certificates used for Signature and Verification 503 The certificate that is referred to in the signature (in the "c" 504 field): 506 o MUST be an end-entity (ie. non-CA) certificate 508 o MUST conform to the X.509 PKIX Resource Certificate profile 509 [RFC6487] 511 o MUST have an [RFC3779] extension that covers the Internet number 512 resource included in a signed attribute. 514 o SHOULD NOT be used to verify more than one signed object (ie. 515 should be a "single-use" EE certificate, as defined in [RFC6487]). 517 6. Security Considerations 519 RPSL objects stored in the IRR databases are public, and as such 520 there is no need for confidentiality. Each signed RPSL object can 521 have its integrity and authenticity verified using the supplied 522 digital signature and the referenced certificate. 524 Since the RPSL signature approach leverages X.509 extensions, the 525 security considerations in [RFC3779] apply here as well. 527 The maintainer of an object has the ability to include attributes in 528 the signature that are not included in the resource certificate used 529 to create the signature. Potentially, a maintainer may include 530 attributes that reference resources the maintainer is not authorized 531 to use. 533 7. IANA Considerations 535 [Note to IANA, to be removed prior to publication: there are no IANA 536 considerations stated in this version of the document.] 538 8. Acknowledgements 540 The authors would like to acknowledge the valued contributions from 541 Jos Boumans, Steve Kent, Sean Turner, Geoff Huston, and Stephen 542 Farrell in preparation of this document. 544 9. Normative References 546 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 547 Requirement Levels", BCP 14, RFC 2119, 548 DOI 10.17487/RFC2119, March 1997, 549 . 551 [RFC2622] Alaettinoglu, C., Villamizar, C., Gerich, E., Kessens, D., 552 Meyer, D., Bates, T., Karrenberg, D., and M. Terpstra, 553 "Routing Policy Specification Language (RPSL)", RFC 2622, 554 DOI 10.17487/RFC2622, June 1999, 555 . 557 [RFC3339] Klyne, G. and C. Newman, "Date and Time on the Internet: 558 Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002, 559 . 561 [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP 562 Addresses and AS Identifiers", RFC 3779, 563 DOI 10.17487/RFC3779, June 2004, 564 . 566 [RFC4012] Blunk, L., Damas, J., Parent, F., and A. Robachevsky, 567 "Routing Policy Specification Language next generation 568 (RPSLng)", RFC 4012, DOI 10.17487/RFC4012, March 2005, 569 . 571 [RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional 572 Algorithms and Identifiers for RSA Cryptography for use in 573 the Internet X.509 Public Key Infrastructure Certificate 574 and Certificate Revocation List (CRL) Profile", RFC 4055, 575 DOI 10.17487/RFC4055, June 2005, 576 . 578 [RFC4632] Fuller, V. and T. Li, "Classless Inter-domain Routing 579 (CIDR): The Internet Address Assignment and Aggregation 580 Plan", BCP 122, RFC 4632, DOI 10.17487/RFC4632, August 581 2006, . 583 [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data 584 Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, 585 . 587 [RFC5396] Huston, G. and G. Michaelson, "Textual Representation of 588 Autonomous System (AS) Numbers", RFC 5396, 589 DOI 10.17487/RFC5396, December 2008, 590 . 592 [RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6 593 Address Text Representation", RFC 5952, 594 DOI 10.17487/RFC5952, August 2010, 595 . 597 [RFC6376] Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed., 598 "DomainKeys Identified Mail (DKIM) Signatures", STD 76, 599 RFC 6376, DOI 10.17487/RFC6376, September 2011, 600 . 602 [RFC6481] Huston, G., Loomans, R., and G. Michaelson, "A Profile for 603 Resource Certificate Repository Structure", RFC 6481, 604 DOI 10.17487/RFC6481, February 2012, 605 . 607 [RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for 608 X.509 PKIX Resource Certificates", RFC 6487, 609 DOI 10.17487/RFC6487, February 2012, 610 . 612 Authors' Addresses 614 Robert Kisteleki 616 Email: robert@ripe.net 617 URI: http://www.ripe.net 619 Brian Haberman 620 Johns Hopkins University Applied Physics Lab 622 Email: brian@innovationslab.net