Secure Inter-Domain Routing (sidr) ---------------------------------- Charter Last Modified: 2008-08-21 Current Status: Active Working Group Chair(s): Geoff Huston Sandra Murphy Routing Area Director(s): Ross Callon David Ward Routing Area Advisor: David Ward Technical Advisor(s): Steven Bellovin Mailing Lists: General Discussion:sidr@ietf.org To Subscribe: sidr-request@ietf.org In Body: In Body: (un)subscribe Archive: http://www.ietf.org/mail-archive/web/sidr/index.html Description of Working Group: One of the areas of vulnerability for large scale Internet environments lies in the area of inter-domain routing. The basic security questions that can be posed regarding routing information are whether the originating Autonomous System is authorized to advertise an address prefix by the holder of that prefix, whether the originating AS is accurately identified by the originating Autonomous System Number in the advertisement, and the validity of both the address prefix and the Autonomous System Number. A related question concerns the level of trust than can be ascribed to attributes of a route object in terms of their authenticity, including consideration of the AS Path attribute. The Routing Protocol Security Group (RPSEC) has been chartered to document the security requirements for routing systems, and, in particular, to produce a document on BGP security requirements. The scope of work in the SIDR working group is to formulate an extensible architecture for an interdomain routing security framework. This framework must be capable of supporting incremental additions of functional components. The SIDR working group will develop security mechanisms which fulfill those requirements which have been agreed on by the RPSEC working group. In developing these mechanisms, the SIDR working group will take practical deployability into consideration. The scope of work will include describing the use of certification objects for supporting the distribution of authorization and authentication information. Both hierarchic and distributed non- hierarchic trust systems are intended to be supported within this framework. The intended support of both forms of trust models is to allow for the use of this framework for routing security in diverse routing environments that have different underlying trust characteristics. The scope of work is limited to inter-domain router-to-router protocols only, for both unicast and multicast systems. The SIDR working group is charged with the following tasks: - Document an extensible interdomain routing security architecture - Document the use of certification objects within this secure routing architecture - Document specific routing functionality modules within this architecture that are designed to address specific secure routing requirements as they are determined by the RPSEC Working Group Goals and Milestones: Done Submit initial draft on inter-domain routing security within this architecture Done Submit initial draft on certificate objects to be used within this architecture Done Submit initial draft on securing origination of routing information Mar 2007 Submit routing security architecture for publication as an Informational RFC May 2007 Submit description of use certificate objects by this architecture as an Informational RFC Jun 2007 Submit secure origination mechanism as a Proposed Standard Aug 2007 Evaluate progress, recharter with new goals or shutdown Internet-Drafts: Posted Revised I-D Title ------ ------- -------------------------------------------- Jun 2006 Nov 2008 A Profile for X.509 PKIX Resource Certificates Oct 2006 Nov 2008 Certificate Policy (CP) for the Resource PKI (RPKI) Oct 2006 Nov 2008 Template for an Internet Registry's Certification Practice Statement (CPS) for the Resource PKI (RPKI) Feb 2007 Nov 2008 Template for an Internet Service Provider's Certification Practice Statement (CPS) for the Resource PKI (RPKI) Feb 2007 Nov 2008 A Profile for Route Origin Authorizations (ROAs) Feb 2007 Nov 2008 An Infrastructure to Support Secure Internet Routing Jan 2008 Feb 2009 A Protocol for Provisioning Resource Certificates Jan 2008 Oct 2008 Manifests for the Resource Public Key Infrastructure Aug 2008 Oct 2008 Validation of Route Origination in BGP using the Resource Certificate PKI Aug 2008 Oct 2008 A Profile for Bogon Origin Attestations (BOAs) Aug 2008 Oct 2008 A Profile for Resource Certificate Repository Structure Dec 2008 Dec 2008 Securing RPSL Objects with RPKI Signatures Request For Comments: None to date.