Secure Inter-Domain Routing (sidr) ---------------------------------- Charter Last Modified: 2010-03-12 Current Status: Active Working Group Chair(s): Sandra Murphy Chris Morrow Routing Area Director(s): Stewart Bryant Adrian Farrel Routing Area Advisor: Stewart Bryant Technical Advisor(s): Steven Bellovin Mailing Lists: General Discussion:sidr@ietf.org To Subscribe: sidr-request@ietf.org In Body: In Body: (un)subscribe Archive: http://www.ietf.org/mail-archive/web/sidr/index.html Description of Working Group: One of the areas of vulnerability for large scale Internet environments lies in the area of inter-domain routing. The basic security questions that can be posed regarding routing information are whether the originating Autonomous System is authorized to advertise an address prefix by the holder of that prefix, whether the originating AS is accurately identified by the originating Autonomous System Number in the advertisement, and the validity of both the address prefix and the Autonomous System Number. A related question concerns the level of trust than can be ascribed to attributes of a route object in terms of their authenticity, including consideration of the AS Path attribute. The Routing Protocol Security Group (RPSEC) has been chartered to document the security requirements for routing systems, and, in particular, to produce a document on BGP security requirements. The scope of work in the SIDR working group is to formulate an extensible architecture for an interdomain routing security framework. This framework must be capable of supporting incremental additions of functional components. The SIDR working group will develop security mechanisms which fulfill those requirements which have been agreed on by the RPSEC working group. In developing these mechanisms, the SIDR working group will take practical deployability into consideration. The scope of work will include describing the use of certification objects for supporting the distribution of authorization and authentication information. Both hierarchic and distributed non- hierarchic trust systems are intended to be supported within this framework. The intended support of both forms of trust models is to allow for the use of this framework for routing security in diverse routing environments that have different underlying trust characteristics. The scope of work is limited to inter-domain router-to-router protocols only, for both unicast and multicast systems. The SIDR working group is charged with the following tasks: - Document an extensible interdomain routing security architecture - Document the use of certification objects within this secure routing architecture - Document specific routing functionality modules within this architecture that are designed to address specific secure routing requirements as they are determined by the RPSEC Working Group Goals and Milestones: Done Submit initial draft on inter-domain routing security within this architecture Done Submit initial draft on certificate objects to be used within this architecture Done Submit initial draft on securing origination of routing information Mar 2007 Submit routing security architecture for publication as an Informational RFC May 2007 Submit description of use certificate objects by this architecture as an Informational RFC Jun 2007 Submit secure origination mechanism as a Proposed Standard Aug 2007 Evaluate progress, recharter with new goals or shutdown Internet-Drafts: Posted Revised I-D Title ------ ------- -------------------------------------------- Jun 2006 Dec 2010 A Profile for X.509 PKIX Resource Certificates Oct 2006 Dec 2010 Certificate Policy (CP) for the Resource PKI (RPKI Feb 2007 Nov 2010 A Profile for Route Origin Authorizations (ROAs) Feb 2007 Feb 2011 An Infrastructure to Support Secure Internet Routing Jan 2008 Nov 2010 A Protocol for Provisioning Resource Certificates Jan 2008 Nov 2010 Manifests for the Resource Public Key Infrastructure Aug 2008 Nov 2010 Validation of Route Origination using the Resource Certificate PKI and ROAs Aug 2008 Nov 2010 A Profile for Resource Certificate Repository Structure Feb 2009 Nov 2010 Resource Certificate PKI (RPKI) Trust Anchor Locator Aug 2009 Nov 2010 A Profile for Algorithms and Key Sizes for use in the Resource Public Key Infrastructure Jun 2010 Dec 2010 Use Cases and interpretation of RPKI objects for issuers and relying parties Aug 2010 Feb 2011 BGP Prefix Origin Validation Aug 2010 Feb 2011 The RPKI/Router Protocol Sep 2010 Feb 2011 Signed Object Template for the Resource Public Key Infrastructure Sep 2010 Dec 2010 CA Key Rollover in the RPKI Oct 2010 Oct 2010 A Publication Protocol for the Resource Public Key Infrastructure (RPKI) Nov 2010 Nov 2010 Local Trust Anchor Management for the Resource Public Key Infrastructure Nov 2010 Nov 2010 BGP Prefix Origin Validation State Extended Community Jan 2011 Jan 2011 RPKI-Based Origin Validation Operation Jan 2011 Dec 2010 The RPKI Ghostbusters Record Feb 2011 Feb 2011 RPKI Objects issued by IANA Request For Comments: None to date.