[sidr] IPv4 examples for draft-ietf-sidr-bgpsec-pki-algs

"Borchert, Oliver (Fed)" <oliver.borchert@nist.gov> Wed, 11 January 2017 16:31 UTC

From: "Borchert, Oliver (Fed)" <oliver.borchert@nist.gov>
To: sidr list <sidr@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/eJdWwuwTHT6DVS-MPbMQh8z6iH8>

This email contains some test vectors for draft-ietf-sidr-bgpsec-pki-algs that were generated as a result of IESG/author discussions; Stephen suggested that the draft could use some examples and he’s right, so we’d like to include this as an IPv4 example. In case the example falls victim to some crazy line wrapping, or for nicely formatted reading, I also attached the example as a text file to this email.

Thanks,
Oliver

----snip----snip----snip----snip----

Topology:

AS(64496)----AS(65536)----AS(65537)

Prefix Announcement: AS(64496), 192.0.2.0/24

For this example the ECDSA algorithm was provided with a static k to
make the result deterministic.
The k used for all signature operations was taken from RFC 6979,
chapter A.2.5 “Signatures With SHA-256, message 'sample'”.

  k = A6E3C57DD01ABE90086538398355DD4C3B17AA873382B0F24D6129493D8AAD60

Keys of AS64496:
================
ski: AB4D910F55CAE71A215EF3CAFE3ACC45B5EEC154

private key:
  x = D8AA4DFBE2478F86E88A7451BF075565709C575AC1C136D081C540254CA440B9

public key:
  Ux = 7391BABB92A0CB3BE10E59B19EBFFB214E04A91E0CBA1B139A7D38D90F77E55A
  Uy = A05B8E695678E0FA16904B55D9D4F5C0DFC58895EE50BC4F75D205A25BD36FF5

Router Key Certificate example using OpenSSL 1.0.1e-fips 11 Feb 2013
--------------------------------------------------------------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3148234511 (0xbba63f0f)
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=ROUTER-0000FBF0
        Validity
            Not Before: Jan 10 19:55:44 2017 GMT
            Not After : Oct 25 19:55:44 2290 GMT
        Subject: CN=ROUTER-0000FBF0
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:73:91:ba:bb:92:a0:cb:3b:e1:0e:59:b1:9e:bf:
                    fb:21:4e:04:a9:1e:0c:ba:1b:13:9a:7d:38:d9:0f:
                    77:e5:5a:a0:5b:8e:69:56:78:e0:fa:16:90:4b:55:
                    d9:d4:f5:c0:df:c5:88:95:ee:50:bc:4f:75:d2:05:
                    a2:5b:d3:6f:f5
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature
            X509v3 Subject Key Identifier:
                AB:4D:91:0F:55:CA:E7:1A:21:5E:F3:CA:FE:3A:CC:45:B5:EE:C1:54
            X509v3 Extended Key Usage:
                1.3.6.1.5.5.7.3.30
            sbgp-autonomousSysNum: critical
                Autonomous System Numbers:
                  64496
                Routing Domain Identifiers:
                  inherit

    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:cb:48:19:7a:67:fd:98:a5:0c:e3:ab:0e:59:
         fd:fb:1d:6f:6a:4c:fc:f7:e7:d7:77:3a:2c:33:82:02:57:cc:
         70:02:21:00:ea:f1:2c:08:05:b9:df:48:8f:94:8d:e0:cf:23:
         e8:8e:71:56:13:4e:44:b2:35:62:9b:cd:a1:9c:9d:04:0f:dc



Keys of AS(65636):
==================
ski: 47F23BF1AB2F8A9D26864EBBD8DF2711C74406EC

private key:
  x = 6CB2E931B112F24554BCDCAAFD9553A9519A9AF33C023B60846A21FC95583172

public key:
  Ux = 28FC5FE9AFCF5F4CAB3F5F85CB212FC1E9D0E0DBEAEE425BD2F0D3175AA0E989
  Uy = EA9B603E38F35FB329DF495641F2BA040F1C3AC6138307F257CBA6B8B588F41F

Router Key Certificate example using OpenSSL 1.0.1e-fips 11 Feb 2013
--------------------------------------------------------------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1572726268 (0x5dbde5fc)
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=ROUTER-00010000
        Validity
            Not Before: Jan 10 19:55:50 2017 GMT
            Not After : Oct 25 19:55:50 2290 GMT
        Subject: CN=ROUTER-00010000
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:28:fc:5f:e9:af:cf:5f:4c:ab:3f:5f:85:cb:21:
                    2f:c1:e9:d0:e0:db:ea:ee:42:5b:d2:f0:d3:17:5a:
                    a0:e9:89:ea:9b:60:3e:38:f3:5f:b3:29:df:49:56:
                    41:f2:ba:04:0f:1c:3a:c6:13:83:07:f2:57:cb:a6:
                    b8:b5:88:f4:1f
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature
            X509v3 Subject Key Identifier:
                47:F2:3B:F1:AB:2F:8A:9D:26:86:4E:BB:D8:DF:27:11:C7:44:06:EC
            X509v3 Extended Key Usage:
                1.3.6.1.5.5.7.3.30
            sbgp-autonomousSysNum: critical
                Autonomous System Numbers:
                  65536
                Routing Domain Identifiers:
                  inherit

    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:b0:38:bf:4a:ae:c9:1e:e1:cd:b1:17:84:33:
         f8:32:d3:c4:ba:44:6a:1a:15:3b:c0:b2:8d:61:9e:6e:7f:1f:
         14:02:21:00:c0:8b:b8:b8:9f:a4:f5:b9:54:68:98:0e:bf:96:
         a0:fc:2b:6e:eb:41:2e:ec:1d:83:20:8c:72:2c:ac:df:13:58



BGPSec Update from AS(65536) to AS(65537):
===========================================
Binary Form of BGPSec Update (TCP-DUMP):
FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
01 00 02 00 00 00 E9 40  01 01 02 80 04 04 00 00
00 00 80 0E 0D 00 01 01  04 C6 33 64 64 00 18 C0
00 02 90 1E 00 CA 00 0E  01 00 00 01 00 00 01 00
00 00 FB F0 00 BC 01 47  F2 3B F1 AB 2F 8A 9D 26
86 4E BB D8 DF 27 11 C7  44 06 EC 00 46 30 44 02
20 72 14 BC 96 47 16 0B  BD 39 FF 2F 80 53 3F 5D
C6 DD D7 0D DF 86 BB 81  56 61 E8 05 D5 D4 E6 F2
7C 02 20 2D DC 00 3C 64  BE 7B 29 C9 EB DB C8 A4
97 ED 66 28 5E E9 22 76  83 E6 C1 78 CE 8D E6 D3
59 5F 41 AB 4D 91 0F 55  CA E7 1A 21 5E F3 CA FE
3A CC 45 B5 EE C1 54 00  47 30 45 02 20 72 14 BC
96 47 16 0B BD 39 FF 2F  80 53 3F 5D C6 DD D7 0D
DF 86 BB 81 56 61 E8 05  D5 D4 E6 F2 7C 02 21 00
C6 17 19 34 07 43 06 3B  8A 5C CD 54 16 39 0B 31
21 1D 3C 52 48 07 95 87  D0 13 13 7B 41 CD 23 E2


Signature From AS(64496) to AS(65536):
---------------------------------------
Digest:    21 33 E5 CA A0 26 BE 07   3D 9C 1B 4E FE B9 B9 77
           9F 20 F8 F5 DE 29 FA 98   40 00 9F 60
Signature: 30 45 02 20 72 14 BC 96   47 16 0B BD 39 FF 2F 80
           53 3F 5D C6 DD D7 0D DF   86 BB 81 56 61 E8 05 D5
           D4 E6 F2 7C 02 21 00 C6   17 19 34 07 43 06 3B 8A
           5C CD 54 16 39 0B 31 21   1D 3C 52 48 07 95 87 D0
           13 13 7B 41 CD 23 E2

Signature From AS(65536) to AS(65537):
--------------------------------------
Digest:    46 4B 57 CE B1 2D 18 B0   FD 1A 1A 35 94 17 3A 4A
           09 88 E5 F4 ED ED 2F 3D   83 08 5A A8
Signature: 30 44 02 20 72 14 BC 96   47 16 0B BD 39 FF 2F 80
           53 3F 5D C6 DD D7 0D DF   86 BB 81 56 61 E8 05 D5
           D4 E6 F2 7C 02 20 2D DC   00 3C 64 BE 7B 29 C9 EB
           DB C8 A4 97 ED 66 28 5E   E9 22 76 83 E6 C1 78 CE
           8D E6 D3 59 5F 41


The human-readable output is produced using bgpsec-io, a bgpsec
traffic generator that uses a Wireshark-like printout.

Send Update Message
+--marker: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+--length: 256
+--type:   2 (UPDATE)
+--withdrawn_routes_length: 0
+--total_path_attr_length: 233
   +--ORIGIN: INCOMPLETE (4 bytes)
   |  +--Flags: 0x40 (Well-Known, Transitive, Complete)
   |  +--Type Code: ORIGIN (1)
   |  +--Length: 1 byte
   |  +--Origin: INCOMPLETE (1)
   +--MULTI_EXIT_DISC (7 bytes)
   |  +--Flags: 0x80 (Optional, Complete)
   |  +--Type Code: MULTI_EXIT_DISC (4)
   |  +--Length: 4 bytes
   |  +--data: 00 00 00 00
   +--MP_REACH_NLRI (16 bytes)
   |  +--Flags: 0x80 (Optional, Complete)
   |  +--Type Code: MP_REACH_NLRI (14)
   |  +--Length: 13 bytes
   |  +--data: 00 01 01 04 C6 33 64 64   00 18 C0 00 02
   +--BGPSEC Path Attribute (206 bytes)
      +--Flags: 0x90 (Optional, Complete, Extended Length)
      +--Type Code: BGPSEC Path Attribute (30)
      +--Length: 202 bytes
      +--Secure Path (14 bytes)
      |  +--Length: 14 bytes
      |  +--Secure Path Segment: (6 bytes)
      |  |  +--pCount: 1
      |  |  +--Flags: 0
      |  |  +--AS number: 65536 (1.0)
      |  +--Secure Path Segment: (6 bytes)
      |     +--pCount: 1
      |     +--Flags: 0
      |     +--AS number: 64496 (0.64496)
      +--Signature Block (188 bytes)
         +--Length: 188 bytes
         +--Algo ID: 1
         +--Signature Segment: (92 bytes)
         |  +--SKI: 47F23BF1AB2F8A9D26864EBBD8DF2711C74406EC
         |  +--Length: 70 bytes
         |  +--Signature: 30 44 02 20 72 14 BC 96  47 16 0B BD 39 FF 2F 80
         |                53 3F 5D C6 DD D7 0D DF  86 BB 81 56 61 E8 05 D5
         |                D4 E6 F2 7C 02 20 2D DC  00 3C 64 BE 7B 29 C9 EB
         |                DB C8 A4 97 ED 66 28 5E  E9 22 76 83 E6 C1 78 CE
         |                8D E6 D3 59 5F 41
         +--Signature Segment: (93 bytes)
            +--SKI: AB4D910F55CAE71A215EF3CAFE3ACC45B5EEC154
            +--Length: 71 bytes
            +--Signature: 30 45 02 20 72 14 BC 96  47 16 0B BD 39 FF 2F 80
                          53 3F 5D C6 DD D7 0D DF  86 BB 81 56 61 E8 05 D5
                          D4 E6 F2 7C 02 21 00 C6  17 19 34 07 43 06 3B 8A
                          5C CD 54 16 39 0B 31 21  1D 3C 52 48 07 95 87 D0
                          13 13 7B 41 CD 23 E2

----snip----snip----snip----snip----


-------------------------------------------------------------
Oliver Borchert, Computer Scientist
National Institute of Standards and Technology
(Phone) 301.975.4856 , (Fax) 301.975.6238
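
Added example, not part of the original message and not bgpsec-io code: a bounds-checked Python parser that walks the UPDATE hex dump above, following the field layout of the message's own printout, and returns the Secure Path, the Algo ID and the (SKI, signature) pairs. The function names are hypothetical and a single Signature Block is assumed, as in this message; `der_r` exposes the r value, which is identical in both signatures because one k was used for all signature operations.

```python
import struct

# The 256-byte UPDATE from the message's hex dump (two dump rows per line).
UPDATE = bytes.fromhex("""
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 01 00 02 00 00 00 E9 40 01 01 02 80 04 04 00 00
00 00 80 0E 0D 00 01 01 04 C6 33 64 64 00 18 C0 00 02 90 1E 00 CA 00 0E 01 00 00 01 00 00 01 00
00 00 FB F0 00 BC 01 47 F2 3B F1 AB 2F 8A 9D 26 86 4E BB D8 DF 27 11 C7 44 06 EC 00 46 30 44 02
20 72 14 BC 96 47 16 0B BD 39 FF 2F 80 53 3F 5D C6 DD D7 0D DF 86 BB 81 56 61 E8 05 D5 D4 E6 F2
7C 02 20 2D DC 00 3C 64 BE 7B 29 C9 EB DB C8 A4 97 ED 66 28 5E E9 22 76 83 E6 C1 78 CE 8D E6 D3
59 5F 41 AB 4D 91 0F 55 CA E7 1A 21 5E F3 CA FE 3A CC 45 B5 EE C1 54 00 47 30 45 02 20 72 14 BC
96 47 16 0B BD 39 FF 2F 80 53 3F 5D C6 DD D7 0D DF 86 BB 81 56 61 E8 05 D5 D4 E6 F2 7C 02 21 00
C6 17 19 34 07 43 06 3B 8A 5C CD 54 16 39 0B 31 21 1D 3C 52 48 07 95 87 D0 13 13 7B 41 CD 23 E2
""")

def parse_bgpsec_attr(val):
    """Split a BGPsec path attribute value into path, Algo ID and signatures."""
    (splen,) = struct.unpack_from("!H", val, 0)      # length includes these 2 bytes
    if splen < 8 or (splen - 2) % 6:
        raise ValueError("bad Secure Path length")
    path = [struct.unpack_from("!BBI", val, o) for o in range(2, splen, 6)]
    sblen, algo = struct.unpack_from("!HB", val, splen)
    pos, end, sigs = splen + 3, splen + sblen, []    # assumes one Signature Block
    while pos + 22 <= end == len(val):
        (slen,) = struct.unpack_from("!H", val, pos + 20)
        ski, sig = val[pos:pos + 20], val[pos + 22:pos + 22 + slen]
        sigs.append((ski.hex().upper(), sig))
        pos += 22 + slen
    if pos != end or len(sigs) != len(path):
        raise ValueError("Signature Block does not match Secure Path")
    return path, algo, sigs                          # path items: (pCount, flags, AS)

def parse_update(msg):
    """Walk the UPDATE's path attributes and parse attribute type 30."""
    marker, length, mtype, wlen = struct.unpack_from("!16sHBH", msg, 0)
    if marker != b"\xff" * 16 or length != len(msg) or mtype != 2:
        raise ValueError("not a complete BGP UPDATE")
    (alen,) = struct.unpack_from("!H", msg, 21 + wlen)
    pos, end = 23 + wlen, 23 + wlen + alen
    while pos + 3 <= end <= len(msg):
        flags, code = msg[pos], msg[pos + 1]
        hdr = 4 if flags & 0x10 else 3               # Extended Length: 2-byte length
        vlen = int.from_bytes(msg[pos + 2:pos + hdr], "big")
        if code == 30 and pos + hdr + vlen <= end:
            return parse_bgpsec_attr(msg[pos + hdr:pos + hdr + vlen])
        pos += hdr + vlen
    raise ValueError("no usable BGPsec path attribute")

def der_r(sig):
    """Return r, the first INTEGER of a DER-encoded ECDSA signature."""
    return sig[4:4 + sig[3]]
```

`parse_update(UPDATE)` returns the two path segments for AS 65536 and AS 64496, Algo ID 1, and signatures of 70 and 71 bytes keyed by the two SKIs listed in the message.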