Categories
Deploy360 Securing Border Gateway Protocol (BGP)

RFC 7935: Algorithm & Key Size Specifications for RPKI

Securing BGPLast week saw the publication of RFC 7935 that specifies the algorithms, algorithm parameters, asymmetric key formats, asymmetric key size, and signature format used by the Resource Public Key Infrastructure (RPKI). This should be read by RPKI subscribers generating digital signatures for certificates, Certificate Revocation Lists (CRLs), Cryptographic Message Syntax (CMS) signed objects and certification requests, as well as at Relying Parties (RPs) who need to verify these digital signatures.

This RFC updates the key sizes and signature and hash algorithms specified in RFC 6485 in order to maintain an acceptable level of cryptographic security. It also updates the Object Identifier (OID) specification to follow current operational practice instead of requiring compliance with the earlier RFC.

RPKI is a specialised PKI that aims to improve the security of the Internet routing system, specifically the Border Gateway Protocol (BGP). It does this through the issuing of X.509-based resource certificates to holders of IP addresses and AS numbers in order to prove assignment of these resources. These certificates are issued to Local Internet Registries (LIRs) by one of the five Regional Internet Registries (RIRs) – AfriNIC, APNIC, ARIN, LACNIC and RIPE NCC – who have responsibility for allocation and assignment of these resources in their service regions.

Each RIR acts as a Certificate Authority (CA) and trust anchor for the resources assigned within their service regions, and is responsible for issuing a CRL. These are usually generated at a defined intervals, and publish a list of the X.509 resource certificates that have been revoked before their normal expiry date. RPKI signed objects make use of CMS as a standard encapsulation format, as specified in RFC 6488.

Normally we’d point you to our Start Here page for more information, but we’re actually looking for contributors who’d be interested in writing a good overview of RPKI for us. If you can help, please get in touch.

In meantime, please follow the links above to the RPKI information on the RIR websites.