RFC 8209

A Profile for BGPsec Router Certificates, Certificate Revocation Lists, and Certification Requests, September 2017

Canonical URL:
https://www.rfc-editor.org/rfc/rfc8209.txt
File formats:
Plain TextPDF
Status:
PROPOSED STANDARD
Updates:
RFC 6487
Authors:
M. Reynolds
S. Turner
S. Kent
Stream:
IETF
Source:
sidr (rtg)

Cite this RFC: TXT  |  XML

DOI:  10.17487/RFC8209

Discuss this RFC: Send questions or comments to sidr@ietf.org

Other actions: Submit Errata  |  Find IPR Disclosures from the IETF


Abstract

This document defines a standard profile for X.509 certificates used to enable validation of Autonomous System (AS) paths in the Border Gateway Protocol (BGP), as part of an extension to that protocol known as BGPsec. BGP is the standard for inter-domain routing in the Internet; it is the "glue" that holds the Internet together. BGPsec is being developed as one component of a solution that addresses the requirement to provide security for BGP. The goal of BGPsec is to provide full AS path validation based on the use of strong cryptographic primitives. The end entity (EE) certificates specified by this profile are issued to routers within an AS. Each of these certificates is issued under a Resource Public Key Infrastructure (RPKI) Certification Authority (CA) certificate. These CA certificates and EE certificates both contain the AS Resource extension. An EE certificate of this type asserts that the router or routers holding the corresponding private key are authorized to emit secure route advertisements on behalf of the AS(es) specified in the certificate. This document also profiles the format of certification requests and specifies Relying Party (RP) certificate path validation procedures for these EE certificates. This document extends the RPKI; therefore, this document updates the RPKI Resource Certificates Profile (RFC 6487).


For the definition of Status, see RFC 2026.

For the definition of Stream, see RFC 4844.


Download PDF Reader