Tech-invite3GPPspaceIETFspace
959493929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 8205

BGPsec Protocol Specification

Pages: 45
Proposed Standard
Updated by:  8206
Part 2 of 3 – Pages 11 to 29
First   Prev   Next

Top   ToC   RFC8205 - Page 11   prevText

4. BGPsec UPDATE Messages

Section 4.1 provides general guidance on the creation of BGPsec UPDATE messages -- that is, UPDATE messages containing the BGPsec_PATH attribute. Section 4.2 specifies how a BGPsec speaker generates the BGPsec_PATH attribute to include in a BGPsec UPDATE message. Section 4.3 contains special processing instructions for members of an AS confederation [RFC5065]. A BGPsec speaker that is not a member of such a confederation MUST NOT set the Confed_Segment flag in its Secure_Path Segment (i.e., leave the Confed_Segment flag at the default value of 0) in all BGPsec UPDATE messages it sends. Section 4.4 contains instructions for reconstructing the AS_PATH attribute in cases where a BGPsec speaker receives an UPDATE message with a BGPsec_PATH attribute and wishes to propagate the UPDATE message to a peer who does not support BGPsec.

4.1. General Guidance

The information protected by the signature on a BGPsec UPDATE message includes the AS number of the peer to whom the UPDATE message is being sent. Therefore, if a BGPsec speaker wishes to send a BGPsec UPDATE message to multiple BGP peers, it MUST generate a separate BGPsec UPDATE message for each unique peer AS to whom the UPDATE message is sent. A BGPsec UPDATE message MUST advertise a route to only a single prefix. This is because a BGPsec speaker receiving an UPDATE message with multiple prefixes would be unable to construct a valid BGPsec UPDATE message (i.e., valid path signatures) containing a subset of the prefixes in the received update. If a BGPsec speaker wishes to advertise routes to multiple prefixes, then it MUST generate a separate BGPsec UPDATE message for each prefix. Additionally, a BGPsec UPDATE message MUST use the MP_REACH_NLRI attribute [RFC4760] to encode the prefix.
Top   ToC   RFC8205 - Page 12
   The BGPsec_PATH attribute and the AS_PATH attribute are mutually
   exclusive.  That is, any UPDATE message containing the BGPsec_PATH
   attribute MUST NOT contain the AS_PATH attribute.  The information
   that would be contained in the AS_PATH attribute is instead conveyed
   in the Secure_Path portion of the BGPsec_PATH attribute.

   In order to create or add a new signature to a BGPsec UPDATE message
   with a given algorithm suite, the BGPsec speaker MUST possess a
   private key suitable for generating signatures for this algorithm
   suite.  Additionally, this private key must correspond to the public
   key in a valid RPKI end entity certificate whose AS number resource
   extension includes the BGPsec speaker's AS number [RFC8209].  Note
   also that new signatures are only added to a BGPsec UPDATE message
   when a BGPsec speaker is generating an UPDATE message to send to an
   external peer (i.e., when the AS number of the peer is not equal to
   the BGPsec speaker's own AS number).

   The RPKI enables the legitimate holder of IP address prefix(es) to
   issue a signed object, called a Route Origin Authorization (ROA),
   that authorizes a given AS to originate routes to a given set of
   prefixes (see RFC 6482 [RFC6482]).  It is expected that most Relying
   Parties (RPs) will utilize BGPsec in tandem with origin validation
   (see RFC 6483 [RFC6483] and RFC 6811 [RFC6811]).  Therefore, it is
   RECOMMENDED that a BGPsec speaker only originate a BGPsec UPDATE
   message advertising a route for a given prefix if there exists a
   valid ROA authorizing the BGPsec speaker's AS to originate routes to
   this prefix.

   If a BGPsec router has received only a non-BGPsec UPDATE message
   containing the AS_PATH attribute (instead of the BGPsec_PATH
   attribute) from a peer for a given prefix, then it MUST NOT attach a
   BGPsec_PATH attribute when it propagates the UPDATE message.  (Note
   that a BGPsec router may also receive a non-BGPsec UPDATE message
   from an internal peer without the AS_PATH attribute, i.e., with just
   the Network Layer Reachability Information (NLRI) in it.  In that
   case, the prefix is originating from that AS, and if it is selected
   for advertisement, the BGPsec speaker SHOULD attach a BGPsec_PATH
   attribute and send a signed route (for that prefix) to its external
   BGPsec-speaking peers.)

   Conversely, if a BGPsec router has received a BGPsec UPDATE message
   (with the BGPsec_PATH attribute) from a peer for a given prefix and
   it chooses to propagate that peer's route for the prefix, then it
   SHOULD propagate the route as a BGPsec UPDATE message containing the
   BGPsec_PATH attribute.
Top   ToC   RFC8205 - Page 13
   Note that removing BGPsec signatures (i.e., propagating a route
   advertisement without the BGPsec_PATH attribute) has significant
   security ramifications.  (See Section 8 for a discussion of the
   security ramifications of removing BGPsec signatures.)  Therefore,
   when a route advertisement is received via a BGPsec UPDATE message,
   propagating the route advertisement without the BGPsec_PATH attribute
   is NOT RECOMMENDED, unless the message is sent to a peer that did not
   advertise the capability to receive BGPsec UPDATE messages (see
   Section 4.4).

   Furthermore, note that when a BGPsec speaker propagates a route
   advertisement with the BGPsec_PATH attribute, it is not attesting to
   the validation state of the UPDATE message it received.  (See
   Section 8 for more discussion of the security semantics of BGPsec
   signatures.)

   If the BGPsec speaker is producing an UPDATE message that would, in
   the absence of BGPsec, contain an AS_SET (e.g., the BGPsec speaker is
   performing proxy aggregation), then the BGPsec speaker MUST NOT
   include the BGPsec_PATH attribute.  In such a case, the BGPsec
   speaker MUST remove any existing BGPsec_PATH in the received
   advertisement(s) for this prefix and produce a traditional
   (non-BGPsec) UPDATE message.  It should be noted that BCP 172
   [RFC6472] recommends against the use of AS_SET and AS_CONFED_SET in
   the AS_PATH of BGP UPDATE messages.

   The case where the BGPsec speaker sends a BGPsec UPDATE message to an
   iBGP (internal BGP) peer is quite simple.  When originating a new
   route advertisement and sending it to a BGPsec-capable iBGP peer, the
   BGPsec speaker omits the BGPsec_PATH attribute.  When originating a
   new route advertisement and sending it to a non-BGPsec iBGP peer, the
   BGPsec speaker includes an empty AS_PATH attribute in the UPDATE
   message.  (An empty AS_PATH attribute is one whose length field
   contains the value 0 [RFC4271].)  When a BGPsec speaker chooses to
   forward a BGPsec UPDATE message to an iBGP peer, the BGPsec_PATH
   attribute SHOULD NOT be removed, unless the peer doesn't support
   BGPsec.  In the case when an iBGP peer doesn't support BGPsec, then a
   BGP UPDATE message with AS_PATH is reconstructed from the BGPsec
   UPDATE message and then forwarded (see Section 4.4).  In particular,
   when forwarding to a BGPsec-capable iBGP (or eBGP) peer, the
   BGPsec_PATH attribute SHOULD NOT be removed even in the case where
   the BGPsec UPDATE message has not been successfully validated.  (See
   Section 5 for more information on validation and Section 8 for the
   security ramifications of removing BGPsec signatures.)
Top   ToC   RFC8205 - Page 14
   All BGPsec UPDATE messages MUST conform to BGP's maximum message
   size.  If the resulting message exceeds the maximum message size,
   then the guidelines in Section 9.2 of RFC 4271 [RFC4271] MUST be
   followed.

4.2. Constructing the BGPsec_PATH Attribute

When a BGPsec speaker receives a BGPsec UPDATE message containing a BGPsec_PATH attribute (with one or more signatures) from an (internal or external) peer, it may choose to propagate the route advertisement by sending it to its other (internal or external) peers. When sending the route advertisement to an internal BGPsec-speaking peer, the BGPsec_PATH attribute SHALL NOT be modified. When sending the route advertisement to an external BGPsec-speaking peer, the following procedures are used to form or update the BGPsec_PATH attribute. To generate the BGPsec_PATH attribute on the outgoing UPDATE message, the BGPsec speaker first generates a new Secure_Path Segment. Note that if the BGPsec speaker is not the origin AS and there is an existing BGPsec_PATH attribute, then the BGPsec speaker prepends its new Secure_Path Segment (places in first position) onto the existing Secure_Path. The AS number in this Secure_Path Segment MUST match the AS number in the Subject field of the RPKI router certificate that will be used to verify the digital signature constructed by this BGPsec speaker (see Section 3.1.1 in [RFC8209] and RFC 6487 [RFC6487]). The pCount field of the Secure_Path Segment is typically set to the value 1. However, a BGPsec speaker may set the pCount field to a value greater than 1. Setting the pCount field to a value greater than 1 has the same semantics as repeating an AS number multiple times in the AS_PATH of a non-BGPsec UPDATE message (e.g., for traffic engineering purposes). To prevent unnecessary processing load in the validation of BGPsec signatures, a BGPsec speaker SHOULD NOT produce multiple consecutive Secure_Path Segments with the same AS number. This means that to achieve the semantics of prepending the same AS number k times, a BGPsec speaker SHOULD produce a single Secure_Path Segment -- with a pCount of k -- and a single corresponding Signature Segment. A route server that participates in the BGP control plane but does not act as a transit AS in the data plane may choose to set pCount to 0. This option enables the route server to participate in BGPsec and obtain the associated security guarantees without increasing the length of the AS path. (Note that BGPsec speakers
Top   ToC   RFC8205 - Page 15
   compute the length of the AS path by summing the pCount values in the
   BGPsec_PATH attribute; see Section 5.)  However, when a route server
   sets the pCount value to 0, it still inserts its AS number into the
   Secure_Path Segment, as this information is needed to validate the
   signature added by the route server.  See [RFC8206] for a discussion
   of setting pCount to 0 to facilitate AS Number migration.  Also, see
   Section 4.3 for the use of pCount=0 in the context of an AS
   confederation.  See Section 7.2 for operational guidance for
   configuring a BGPsec router for setting pCount=0 and/or accepting
   pCount=0 from a peer.

   Next, the BGPsec speaker generates one or two Signature_Blocks.
   Typically, a BGPsec speaker will use only a single algorithm suite
   and thus create only a single Signature_Block in the BGPsec_PATH
   attribute.  However, to ensure backwards compatibility during a
   period of transition from a 'current' algorithm suite to a 'new'
   algorithm suite, it will be necessary to originate UPDATE messages
   that contain a Signature_Block for both the 'current' and the 'new'
   algorithm suites (see Section 6.1).

   If the received BGPsec UPDATE message contains two Signature_Blocks
   and the BGPsec speaker supports both of the corresponding algorithm
   suites, then the new UPDATE message generated by the BGPsec speaker
   MUST include both of the Signature_Blocks.  If the received BGPsec
   UPDATE message contains two Signature_Blocks and the BGPsec speaker
   only supports one of the two corresponding algorithm suites, then the
   BGPsec speaker MUST remove the Signature_Block corresponding to the
   algorithm suite that it does not understand.  If the BGPsec speaker
   does not support the algorithm suites in any of the Signature_Blocks
   contained in the received UPDATE message, then the BGPsec speaker
   MUST NOT propagate the route advertisement with the BGPsec_PATH
   attribute.  (That is, if it chooses to propagate this route
   advertisement at all, it MUST do so as an unsigned BGP UPDATE
   message.  See Section 4.4 for more information on converting to an
   unsigned BGP UPDATE message.)

   Note that in the case where the BGPsec_PATH has two Signature_Blocks
   (corresponding to different algorithm suites), the validation
   algorithm (see Section 5.2) deems a BGPsec UPDATE message to be
   'Valid' if there is at least one supported algorithm suite (and
   corresponding Signature_Block) that is deemed 'Valid'.  This means
   that a 'Valid' BGPsec UPDATE message may contain a Signature_Block
   that is not deemed 'Valid' (e.g., contains signatures that BGPsec
   does not successfully verify).  Nonetheless, such Signature_Blocks
   MUST NOT be removed.  (See Section 8 for a discussion of the security
   ramifications of this design choice.)
Top   ToC   RFC8205 - Page 16
   For each Signature_Block corresponding to an algorithm suite that the
   BGPsec speaker does support, the BGPsec speaker MUST add a new
   Signature Segment to the Signature_Block.  This Signature Segment is
   prepended to the list of Signature Segments (placed in the first
   position) so that the list of Signature Segments appears in the same
   order as the corresponding Secure_Path Segments.  The BGPsec speaker
   populates the fields of this new Signature Segment as follows.

   The Subject Key Identifier field in the new segment is populated with
   the identifier contained in the Subject Key Identifier extension of
   the RPKI router certificate corresponding to the BGPsec speaker
   [RFC8209].  This Subject Key Identifier will be used by recipients of
   the route advertisement to identify the proper certificate to use in
   verifying the signature.

   The Signature field in the new segment contains a digital signature
   that binds the prefix and BGPsec_PATH attribute to the RPKI router
   certificate corresponding to the BGPsec speaker.  The digital
   signature is computed as follows:

   o  For clarity, let us number the Secure_Path and corresponding
      Signature Segments from 1 to N, as follows.  Let Secure_Path
      Segment 1 and Signature Segment 1 be the segments produced by the
      origin AS.  Let Secure_Path Segment 2 and Signature Segment 2 be
      the segments added by the next AS after the origin.  Continue this
      method of numbering, and ultimately let Secure_Path Segment N and
      Signature Segment N be those that are being added by the current
      AS.  The current AS (Nth AS) is signing and forwarding the UPDATE
      message to the next AS (i.e., the (N+1)th AS) in the chain of ASes
      that form the AS path.

   o  In order to construct the digital signature for Signature
      Segment N (the Signature Segment being produced by the current
      AS), first construct the sequence of octets to be hashed as shown
      in Figure 8.  This sequence of octets includes all the data that
      the Nth AS attests to by adding its digital signature in the
      UPDATE message that is being forwarded to a BGPsec speaker in the
      (N+1)th AS.  (For the design rationale for choosing the specific
      structure in Figure 8, please see [Borchert].)
Top   ToC   RFC8205 - Page 17
               +------------------------------------+
               | Target AS Number                   |
               +------------------------------------+----\
               | Signature Segment   : N-1          |     \
               +------------------------------------+     |
               | Secure_Path Segment : N            |     |
               +------------------------------------+     \
                      ...                                  >  Data from
               +------------------------------------+     /   N Segments
               | Signature Segment   : 1            |     |
               +------------------------------------+     |
               | Secure_Path Segment : 2            |     |
               +------------------------------------+     /
               | Secure_Path Segment : 1            |    /
               +------------------------------------+---/
               | Algorithm Suite Identifier         |
               +------------------------------------+
               | AFI                                |
               +------------------------------------+
               | SAFI                               |
               +------------------------------------+
               | NLRI                               |
               +------------------------------------+

                 Figure 8: Sequence of Octets to Be Hashed

      The elements in this sequence (Figure 8) MUST be ordered exactly
      as shown.  The 'Target AS Number' is the AS to whom the BGPsec
      speaker intends to send the UPDATE message.  (Note that the
      'Target AS Number' is the AS number announced by the peer in the
      OPEN message of the BGP session within which the UPDATE message is
      sent.)  The Secure_Path and Signature Segments (1 through N-1) are
      obtained from the BGPsec_PATH attribute.  Finally, the Address
      Family Identifier (AFI), Subsequent Address Family Identifier
      (SAFI), and NLRI fields are obtained from the MP_REACH_NLRI
      attribute [RFC4760].  Additionally, in the Prefix field within the
      NLRI field (see Section 5 in RFC 4760 [RFC4760]), all of the
      trailing bits MUST be set to 0 when constructing this sequence.

   o  Apply to this octet sequence (in Figure 8) the digest algorithm
      (for the algorithm suite of this Signature_Block) to obtain a
      digest value.

   o  Apply to this digest value the signature algorithm (for the
      algorithm suite of this Signature_Block) to obtain the digital
      signature.  Then populate the Signature field (in Figure 7) with
      this digital signature.
Top   ToC   RFC8205 - Page 18
   The Signature Length field (in Figure 7) is populated with the length
   (in octets) of the value in the Signature field.

4.3. Processing Instructions for Confederation Members

Members of AS confederations [RFC5065] MUST additionally follow the instructions in this section for processing BGPsec UPDATE messages. When a BGPsec speaker in an AS confederation receives a BGPsec UPDATE message from a peer that is external to the confederation and chooses to propagate the UPDATE message within the confederation, it first adds a signature signed to its own Member-AS (i.e., the 'Target AS Number' is the BGPsec speaker's Member-AS Number). In this internally modified UPDATE message, the newly added Secure_Path Segment contains the public AS number (i.e., Confederation Identifier), the segment's pCount value is set to 0, and Confed_Segment flag is set to 1. Setting pCount=0 in this case helps ensure that the AS path length is not unnecessarily incremented. The newly added signature is generated using a private key corresponding to the public AS number of the confederation. The BGPsec speaker propagates the modified UPDATE message to its peers within the confederation. Any BGPsec_PATH modifications mentioned below in the context of propagation of the UPDATE message within the confederation are in addition to the modification described above (i.e., with pCount=0). When a BGPsec speaker sends a BGPsec UPDATE message to a peer that belongs within its own Member-AS, the confederation member SHALL NOT modify the BGPsec_PATH attribute. When a BGPsec speaker sends a BGPsec UPDATE message to a peer that is within the same confederation but in a different Member-AS, the BGPsec speaker puts its Member-AS Number in the AS Number field of the Secure_Path Segment that it adds to the BGPsec UPDATE message. Additionally, in this case, the Member-AS that generates the Secure_Path Segment sets the Confed_Segment flag to 1. Further, the signature is generated with a private key corresponding to the BGPsec speaker's Member-AS Number. (Note: In this document, intra-Member-AS peering is regarded as iBGP, and inter-Member-AS peering is regarded as eBGP. The latter is also known as confederation-eBGP.) Within a confederation, the verification of BGPsec signatures added by other members of the confederation is optional. Note that if a confederation chooses not to verify digital signatures within the confederation, then BGPsec is not able to provide any assurances about the integrity of the Member-AS Numbers placed in Secure_Path Segments where the Confed_Segment flag is set to 1.
Top   ToC   RFC8205 - Page 19
   When a confederation member receives a BGPsec UPDATE message from a
   peer within the confederation and propagates it to a peer outside the
   confederation, it needs to remove all of the Secure_Path Segments
   added by confederation members as well as the corresponding Signature
   Segments.  To do this, the confederation member propagating the route
   outside the confederation does the following:

   o  First, starting with the most recently added Secure_Path Segment,
      remove all of the consecutive Secure_Path Segments that have the
      Confed_Segment flag set to 1.  Stop this process once a
      Secure_Path Segment that has its Confed_Segment flag set to 0 is
      reached.  Keep a count of the number of segments removed in this
      fashion.

   o  Second, starting with the most recently added Signature Segment,
      remove a number of Signature Segments equal to the number of
      Secure_Path Segments removed in the previous step.  (That is,
      remove the K most recently added Signature Segments, where K is
      the number of Secure_Path Segments removed in the previous step.)

   o  Finally, add a Secure_Path Segment containing, in the AS field,
      the AS Confederation Identifier (the public AS number of the
      confederation) as well as a corresponding Signature Segment.  Note
      that all fields other than the AS field are populated as per
      Section 4.2.

   Finally, as discussed above, an AS confederation MAY optionally
   decide that its members will not verify digital signatures added by
   members.  In such a confederation, when a BGPsec speaker runs the
   algorithm in Section 5.2, the BGPsec speaker, during the process of
   signature verifications, first checks whether the Confed_Segment flag
   in a Secure_Path Segment is set to 1.  If the flag is set to 1, the
   BGPsec speaker skips the verification for the corresponding signature
   and immediately moves on to the next Secure_Path Segment.  Note that
   as specified in Section 5.2, it is an error when a BGPsec speaker
   receives, from a peer who is not in the same AS confederation, a
   BGPsec UPDATE message containing a Confed_Segment flag set to 1.

4.4. Reconstructing the AS_PATH Attribute

BGPsec UPDATE messages do not contain the AS_PATH attribute. However, the AS_PATH attribute can be reconstructed from the BGPsec_PATH attribute. This is necessary in the case where a route advertisement is received via a BGPsec UPDATE message and then propagated to a peer via a non-BGPsec UPDATE message (e.g., because the latter peer does not support BGPsec). Note that there may be additional cases where an implementation finds it useful to perform this reconstruction. Before attempting to reconstruct an AS_PATH for
Top   ToC   RFC8205 - Page 20
   the purpose of forwarding an unsigned (non-BGPsec) UPDATE message to
   a peer, a BGPsec speaker MUST perform the basic integrity checks
   listed in Section 5.2 to ensure that the received BGPsec UPDATE
   message is properly formed.

   The AS_PATH attribute can be constructed from the BGPsec_PATH
   attribute as follows.  Starting with a blank AS_PATH attribute,
   process the Secure_Path Segments in order from least recently added
   (corresponding to the origin) to most recently added.  For each
   Secure_Path Segment, perform the following steps:

   1.  If the Secure_Path Segment has pCount=0, then do nothing (i.e.,
       move on to process the next Secure_Path Segment).

   2.  If the Secure_Path Segment has pCount greater than 0 and the
       Confed_Segment flag is set to 1, then look at the most recently
       added segment in the AS_PATH.

       *  In the case where the AS_PATH is blank or in the case where
          the most recently added segment is of type AS_SEQUENCE, add
          (prepend to the AS_PATH) a new AS_PATH segment of type
          AS_CONFED_SEQUENCE.  This segment of type AS_CONFED_SEQUENCE
          shall contain a number of elements equal to the pCount field
          in the current Secure_Path Segment.  Each of these elements
          shall be the AS number contained in the current Secure_Path
          Segment.  (That is, if the pCount field is X, then the segment
          of type AS_CONFED_SEQUENCE contains X copies of the
          Secure_Path Segment's AS Number field.)

       *  In the case where the most recently added segment in the
          AS_PATH is of type AS_CONFED_SEQUENCE, then add (prepend to
          the segment) a number of elements equal to the pCount field in
          the current Secure_Path Segment.  The value of each of these
          elements shall be the AS number contained in the current
          Secure_Path Segment.  (That is, if the pCount field is X, then
          add X copies of the Secure_Path Segment's AS Number field to
          the existing AS_CONFED_SEQUENCE.)

   3.  If the Secure_Path Segment has pCount greater than 0 and the
       Confed_Segment flag is set to 0, then look at the most recently
       added segment in the AS_PATH.

       *  In the case where the AS_PATH is blank or in the case where
          the most recently added segment is of type AS_CONFED_SEQUENCE,
          add (prepend to the AS_PATH) a new AS_PATH segment of type
          AS_SEQUENCE.  This segment of type AS_SEQUENCE shall contain a
          number of elements equal to the pCount field in the current
          Secure_Path Segment.  Each of these elements shall be the AS
Top   ToC   RFC8205 - Page 21
          number contained in the current Secure_Path Segment.  (That
          is, if the pCount field is X, then the segment of type
          AS_SEQUENCE contains X copies of the Secure_Path Segment's AS
          Number field.)

       *  In the case where the most recently added segment in the
          AS_PATH is of type AS_SEQUENCE, then add (prepend to the
          segment) a number of elements equal to the pCount field in the
          current Secure_Path Segment.  The value of each of these
          elements shall be the AS number contained in the current
          Secure_Path Segment.  (That is, if the pCount field is X, then
          add X copies of the Secure_Path Segment's AS Number field to
          the existing AS_SEQUENCE.)

   As part of the procedure described above, the following additional
   actions are performed in order not to exceed the size limitations of
   AS_SEQUENCE and AS_CONFED_SEQUENCE.  While adding the next
   Secure_Path Segment (with its prepends, if any) to the AS_PATH being
   assembled, if it would cause the AS_SEQUENCE (or AS_CONFED_SEQUENCE)
   at hand to exceed the limit of 255 AS numbers per segment [RFC4271]
   [RFC5065], then the BGPsec speaker would follow the recommendations
   in RFC 4271 [RFC4271] and RFC 5065 [RFC5065] of creating another
   segment of the same type (AS_SEQUENCE or AS_CONFED_SEQUENCE) and
   continue filling that.

   Finally, one special case of reconstruction of AS_PATH is when the
   BGPsec_PATH attribute is absent.  As explained in Section 4.1, when a
   BGPsec speaker originates a prefix and sends it to a BGPsec-capable
   iBGP peer, the BGPsec_PATH is not attached.  So, when received from a
   BGPsec-capable iBGP peer, no BGPsec_PATH attribute in a BGPsec UPDATE
   message is equivalent to an empty AS_PATH [RFC4271].

5. Processing a Received BGPsec UPDATE Message

Upon receiving a BGPsec UPDATE message from an external (eBGP) peer, a BGPsec speaker SHOULD validate the message to determine the authenticity of the path information contained in the BGPsec_PATH attribute. Typically, a BGPsec speaker will also wish to perform origin validation (see RFC 6483 [RFC6483] and RFC 6811 [RFC6811]) on an incoming BGPsec UPDATE message, but such validation is independent of the validation described in this section. Section 5.1 provides an overview of BGPsec validation, and Section 5.2 provides a specific algorithm for performing such validation. (Note that an implementation need not follow the specific algorithm in Section 5.2 as long as the input/output behavior of the validation is identical to that of the algorithm in Section 5.2.) During exceptional conditions (e.g., the BGPsec
Top   ToC   RFC8205 - Page 22
   speaker receives an incredibly large number of UPDATE messages at
   once), a BGPsec speaker MAY temporarily defer validation of incoming
   BGPsec UPDATE messages.  The treatment of such BGPsec UPDATE
   messages, whose validation has been deferred, is a matter of local
   policy.  However, an implementation SHOULD ensure that deferment of
   validation and status of deferred messages is visible to the
   operator.

   The validity of BGPsec UPDATE messages is a function of the current
   RPKI state.  When a BGPsec speaker learns that the RPKI state has
   changed (e.g., from an RPKI validating cache via the RPKI-Router
   protocol [RFC8210]), the BGPsec speaker MUST rerun validation on all
   affected UPDATE messages stored in its Adj-RIB-In [RFC4271].  For
   example, when a given RPKI router certificate ceases to be valid
   (e.g., it expires or is revoked), all UPDATE messages containing a
   signature whose SKI matches the SKI in the given certificate MUST be
   reassessed to determine if they are still valid.  If this
   reassessment determines that the validity state of an UPDATE message
   has changed, then, depending on local policy, it may be necessary to
   rerun best path selection.

   BGPsec UPDATE messages do not contain an AS_PATH attribute.  The
   Secure_Path contains AS path information for the BGPsec UPDATE
   message.  Therefore, a BGPsec speaker MUST utilize the AS path
   information in the Secure_Path in all cases where it would otherwise
   use the AS path information in the AS_PATH attribute.  The only
   exception to this rule is when AS path information must be updated in
   order to propagate a route to a peer (in which case the BGPsec
   speaker follows the instructions in Section 4).  Section 4.4 provides
   an algorithm for constructing an AS_PATH attribute from a BGPsec_PATH
   attribute.  Whenever the use of AS path information is called for
   (e.g., loop detection or the use of the AS path length in best path
   selection), the externally visible behavior of the implementation
   shall be the same as if the implementation had run the algorithm in
   Section 4.4 and used the resulting AS_PATH attribute as it would for
   a non-BGPsec UPDATE message.

5.1. Overview of BGPsec Validation

Validation of a BGPsec UPDATE message makes use of data from RPKI router certificates. In particular, it is necessary that the recipient have access to the following data obtained from valid RPKI router certificates: the AS Number, Public Key, and Subject Key Identifier from each valid RPKI router certificate. Note that the BGPsec speaker could perform the validation of RPKI router certificates on its own and extract the required data, or it could receive the same data from a trusted cache that performs RPKI
Top   ToC   RFC8205 - Page 23
   validation on behalf of (some set of) BGPsec speakers.  (For example,
   the trusted cache could deliver the necessary validity information to
   the BGPsec speaker by using the Router Key PDU (Protocol Data Unit)
   for the RPKI-Router protocol [RFC8210].)

   To validate a BGPsec UPDATE message containing the BGPsec_PATH
   attribute, the recipient performs the validation steps specified in
   Section 5.2.  The validation procedure results in one of two states:
   'Valid' and 'Not Valid'.

   It is expected that the output of the validation procedure will be
   used as an input to BGP route selection.  That said, BGP route
   selection, and thus the handling of the validation states, is a
   matter of local policy and is handled using local policy mechanisms.
   Implementations SHOULD enable operators to set such local policy on a
   per-session basis.  (That is, it is expected that some operators will
   choose to treat BGPsec validation status differently for UPDATE
   messages received over different BGP sessions.)

   BGPsec validation need only be performed at the eBGP edge.  The
   validation status of a BGP signed/unsigned UPDATE message MAY be
   conveyed via iBGP from an ingress edge router to an egress edge
   router via some mechanism, according to local policy within an AS.
   As discussed in Section 4, when a BGPsec speaker chooses to forward a
   (syntactically correct) BGPsec UPDATE message, it SHOULD be forwarded
   with its BGPsec_PATH attribute intact (regardless of the validation
   state of the UPDATE message).  Based entirely on local policy, an
   egress router receiving a BGPsec UPDATE message from within its own
   AS MAY choose to perform its own validation.

5.2. Validation Algorithm

This section specifies an algorithm for validation of BGPsec UPDATE messages. A conformant implementation MUST include a BGPsec update validation algorithm that is functionally equivalent to the externally visible behavior of this algorithm. First, the recipient of a BGPsec UPDATE message performs a check to ensure that the message is properly formed. Both syntactical and protocol violation errors are checked. The BGPsec_PATH attribute MUST be present when a BGPsec UPDATE message is received from an external (eBGP) BGPsec peer and also when such an UPDATE message is propagated to an internal (iBGP) BGPsec peer (see Section 4.2). The error checks specified in Section 6.3 of [RFC4271] are performed, except that for BGPsec UPDATE messages the checks on the AS_PATH attribute do not apply and instead the following checks on the BGPsec_PATH attribute are performed:
Top   ToC   RFC8205 - Page 24
   1.  Check to ensure that the entire BGPsec_PATH attribute is
       syntactically correct (conforms to the specification in this
       document).

   2.  Check that the AS number in the most recently added Secure_Path
       Segment (i.e., the one corresponding to the eBGP peer from which
       the UPDATE message was received) matches the AS number of that
       peer as specified in the BGP OPEN message.  (Note: This check is
       performed only at an ingress BGPsec router where the UPDATE
       message is first received from a peer AS.)

   3.  Check that each Signature_Block contains one Signature Segment
       for each Secure_Path Segment in the Secure_Path portion of the
       BGPsec_PATH attribute.  (Note that the entirety of each
       Signature_Block MUST be checked to ensure that it is well formed,
       even though the validation process may terminate before all
       signatures are cryptographically verified.)

   4.  Check that the UPDATE message does not contain an AS_PATH
       attribute.

   5.  If the UPDATE message was received from a BGPsec peer that is not
       a member of the BGPsec speaker's AS confederation, check to
       ensure that none of the Secure_Path Segments contain a Flags
       field with the Confed_Segment flag set to 1.

   6.  If the UPDATE message was received from a BGPsec peer that is a
       member of the BGPsec speaker's AS confederation, check to ensure
       that the Secure_Path Segment corresponding to that peer contains
       a Flags field with the Confed_Segment flag set to 1.

   7.  If the UPDATE message was received from a peer that is not
       expected to set pCount=0 (see Sections 4.2 and 4.3), then check
       to ensure that the pCount field in the most recently added
       Secure_Path Segment is not equal to 0.  (Note: See Section 7.2
       for router configuration guidance related to this item.)

   8.  Using the equivalent of AS_PATH corresponding to the Secure_Path
       in the UPDATE message (see Section 4.4), check that the local AS
       number is not present in the AS path (i.e., rule out an AS loop).

   If any of these checks fail, it is an error in the BGPsec_PATH
   attribute.  BGPsec speakers MUST handle any syntactical or protocol
   errors in the BGPsec_PATH attribute by using the "treat-as-withdraw"
   approach as defined in RFC 7606 [RFC7606].  (Note: Since the AS
   number of a transparent route server does appear in the Secure_Path
   with pCount=0, the route server MAY check to see if its local AS is
Top   ToC   RFC8205 - Page 25
   listed in the Secure_Path, and this check MAY be included in the
   loop-detection check listed above.)

   Next, the BGPsec speaker examines the Signature_Blocks in the
   BGPsec_PATH attribute.  A Signature_Block corresponding to an
   algorithm suite that the BGPsec speaker does not support is not
   considered in the validation process.  If there is no Signature_Block
   corresponding to an algorithm suite that the BGPsec speaker supports,
   then in order to consider the UPDATE message in the route selection
   process, the BGPsec speaker MUST strip the Signature_Block(s),
   reconstruct the AS_PATH from the Secure_Path (see Section 4.4), and
   treat the UPDATE message as if it were received as an unsigned BGP
   UPDATE message.

   For each remaining Signature_Block (corresponding to an algorithm
   suite supported by the BGPsec speaker), the BGPsec speaker iterates
   through the Signature Segments in the Signature_Block, starting with
   the most recently added segment (and concluding with the
   least recently added segment).  Note that there is a one-to-one
   correspondence between Signature Segments and Secure_Path Segments
   within the BGPsec_PATH attribute.  The following steps make use of
   this correspondence:

   o  Step 1: Let there be K AS hops in a received BGPsec_PATH attribute
      that is to be validated.  Let AS(1), AS(2), ..., AS(K+1) denote
      the sequence of AS numbers from the origin AS to the validating
      AS.  Let Secure_Path Segment N and Signature Segment N in the
      BGPsec_PATH attribute refer to those corresponding to AS(N) (where
      N = 1, 2, ..., K).  The BGPsec speaker that is processing and
      validating the BGPsec_PATH attribute resides in AS(K+1).  Let
      Signature Segment N be the Signature Segment that is currently
      being verified.

   o  Step 2: Locate the public key needed to verify the signature (in
      the current Signature Segment).  To do this, consult the valid
      RPKI router certificate data and look up all valid (AS Number,
      Public Key, Subject Key Identifier) triples in which the AS
      matches the AS number in the corresponding Secure_Path Segment.
      Of these triples that match the AS number, check whether there is
      an SKI that matches the value in the Subject Key Identifier field
      of the Signature Segment.  If this check finds no such matching
      SKI value, then mark the entire Signature_Block as 'Not Valid' and
      proceed to the next Signature_Block.

   o  Step 3: Compute the digest function (for the given algorithm
      suite) on the appropriate data.
Top   ToC   RFC8205 - Page 26
      In order to verify the digital signature in Signature Segment N,
      construct the sequence of octets to be hashed as shown in Figure 9
      (using the notations defined in Step 1).  (Note that this sequence
      is the same sequence that was used by AS(N) that created the
      Signature Segment N (see Section 4.2 and Figure 8).)

         +------------------------------------+
         | Target AS Number                   |
         +------------------------------------+----\
         | Signature Segment   : N-1          |     \
         +------------------------------------+     |
         | Secure_Path Segment : N            |     |
         +------------------------------------+     \
                ...                                  >  Data from
         +------------------------------------+     /   N Segments
         | Signature Segment   : 1            |     |
         +------------------------------------+     |
         | Secure_Path Segment : 2            |     |
         +------------------------------------+     /
         | Secure_Path Segment : 1            |    /
         +------------------------------------+---/
         | Algorithm Suite Identifier         |
         +------------------------------------+
         | AFI                                |
         +------------------------------------+
         | SAFI                               |
         +------------------------------------+
         | NLRI                               |
         +------------------------------------+

   Figure 9: Sequence of Octets to Be Hashed for Signature Verification
     of Signature Segment N; N = 1,2, ..., K, Where K Is the Number of
                   AS Hops in the BGPsec_PATH Attribute

      The elements in this sequence (Figure 9) MUST be ordered exactly
      as shown.  For the first segment to be processed (the
      most recently added segment (i.e., N = K) given that there are K
      hops in the Secure_Path), the 'Target AS Number' is AS(K+1), the
      AS number of the BGPsec speaker validating the UPDATE message.
      Note that if a BGPsec speaker uses multiple AS Numbers (e.g., the
      BGPsec speaker is a member of a confederation), the AS number used
      here MUST be the AS number announced in the OPEN message for the
      BGP session over which the BGPsec UPDATE message was received.

      For each other Signature Segment (N smaller than K), the 'Target
      AS Number' is AS(N+1), the AS number in the Secure_Path Segment
      that corresponds to the Signature Segment added immediately after
      the one being processed (that is, in the Secure_Path Segment that
Top   ToC   RFC8205 - Page 27
      corresponds to the Signature Segment that the validator just
      finished processing).

      The Secure_Path and Signature Segment are obtained from the
      BGPsec_PATH attribute.  The AFI, SAFI, and NLRI fields are
      obtained from the MP_REACH_NLRI attribute [RFC4760].
      Additionally, in the Prefix field within the NLRI field (see
      Section 5 in RFC 4760 [RFC4760]), all of the trailing bits MUST be
      set to 0 when constructing this sequence.

   o  Step 4: Use the signature validation algorithm (for the given
      algorithm suite) to verify the signature in the current segment.
      That is, invoke the signature validation algorithm on the
      following three inputs: the value of the Signature field in the
      current segment, the digest value computed in Step 3 above, and
      the public key obtained from the valid RPKI data in Step 2 above.
      If the signature validation algorithm determines that the
      signature is invalid, then mark the entire Signature_Block as
      'Not Valid' and proceed to the next Signature_Block.  If the
      signature validation algorithm determines that the signature is
      valid, then continue processing Signature Segments (within the
      current Signature_Block).

   If all Signature Segments within a Signature_Block pass validation
   (i.e., all segments are processed and the Signature_Block has not yet
   been marked 'Not Valid'), then the Signature_Block is marked as
   'Valid'.

   If at least one Signature_Block is marked as 'Valid', then the
   validation algorithm terminates and the BGPsec UPDATE message is
   deemed 'Valid'.  (That is, if a BGPsec UPDATE message contains two
   Signature_Blocks, then the UPDATE message is deemed 'Valid' if the
   first Signature_Block is marked 'Valid' OR the second Signature_Block
   is marked 'Valid'.)

6. Algorithms and Extensibility

6.1. Algorithm Suite Considerations

Note that there is currently no support for bilateral negotiation (using BGP capabilities) between BGPsec peers to use a particular (digest and signature) algorithm suite. This is because the algorithm suite used by the sender of a BGPsec UPDATE message MUST be understood not only by the peer to whom it is directly sending the message but also by all BGPsec speakers to whom the route advertisement is eventually propagated. Therefore, selection of an algorithm suite cannot be a local matter negotiated by BGP peers but instead must be coordinated throughout the Internet.
Top   ToC   RFC8205 - Page 28
   To this end, [RFC8208] specifies a mandatory-to-use 'current'
   algorithm suite for use by all BGPsec speakers.

   It is anticipated that, in the future, [RFC8208] or its successor
   will be updated to specify a transition from the 'current' algorithm
   suite to a 'new' algorithm suite.  During the period of transition,
   all BGPsec UPDATE messages SHOULD simultaneously use both the
   'current' algorithm suite and the 'new' algorithm suite.  (Note that
   Sections 3 and 4 specify how the BGPsec_PATH attribute can contain
   signatures, in parallel, for two algorithm suites.)  Once the
   transition is complete, the use of the old 'current' algorithm will
   be deprecated, the use of the 'new' algorithm will be mandatory, and
   a subsequent 'even newer' algorithm suite may be specified as
   "recommended to implement".  Once the transition has successfully
   been completed in this manner, BGPsec speakers SHOULD include only a
   single Signature_Block (corresponding to the 'new' algorithm).

6.2. Considerations for the SKI Size

Depending on the method of generating key identifiers [RFC7093], the size of the SKI in an RPKI router certificate may vary. The SKI field in the BGPsec_PATH attribute has a fixed size of 20 octets (see Figure 7). If the SKI is longer than 20 octets, then use the leftmost 20 octets of the SKI (excluding the tag and length) [RFC7093]. If the SKI value is shorter than 20 octets, then pad the SKI (excluding the tag and length) to the right (least significant octets) with octets having "0" values.

6.3. Extensibility Considerations

This section discusses potential changes to BGPsec that would require substantial changes to the processing of the BGPsec_PATH and thus necessitate a new version of BGPsec. Examples of such changes include: o A new type of signature algorithm that produces signatures of variable length o A new type of signature algorithm for which the number of signatures in the Signature_Block is not equal to the number of ASes in the Secure_Path (e.g., aggregate signatures) o Changes to the data that is protected by the BGPsec signatures (e.g., attributes other than the AS path) In the case that such a change to BGPsec were deemed desirable, it is expected that a subsequent version of BGPsec would be created and that this version of BGPsec would specify a new BGP path attribute --
Top   ToC   RFC8205 - Page 29
   let's call it "BGPsec_PATH_Two" -- that is designed to accommodate
   the desired changes to BGPsec.  In such a case, [RFC8208] or its
   successor would be updated to specify algorithm suites appropriate
   for the new version of BGPsec.

   At this point, a transition would begin that is analogous to the
   algorithm transition discussed in Section 6.1.  During the transition
   period, all BGPsec speakers SHOULD simultaneously include both the
   BGPsec_PATH attribute and the new BGPsec_PATH_Two attribute.  Once
   the transition is complete, the use of BGPsec_PATH could then be
   deprecated, at which point BGPsec speakers should include only the
   new BGPsec_PATH_Two attribute.  Such a process could facilitate a
   transition to a new BGPsec semantics in a backwards-compatible
   fashion.



(page 29 continued on part 3)

Next Section