YD/T 4620-2023
BGPsec technical requirements Router key management (English Version)

Standard No.
YD/T 4620-2023
Language
Chinese, Available in English version
Release Date
2023
Published By
Professional Standard - Post and Telecommunication (CN / YD)
Latest
YD/T 4620-2023
 

Introduction

Overview of BGPsec Router Key Management Standards

As a core component of the BGPsec series of standards, this specification addresses the key lifecycle management of border routers in a BGPsec deployment. It builds on international specifications such as RFC 8635 (Router Keying for BGPsec), adapts them to the characteristics of China's network infrastructure, and proposes a dual-track key management scheme:

Management method   Where the key is generated   Typical application scenario         Security level
Router-driven       Router HSM module            Networks with high security needs    ★★★★★
Operator-driven     Management centre            Hot-replacement scenarios            ★★★★

The router-driven method rates higher because the private key is generated inside the router's HSM and never leaves it; the operator-driven method generates the key centrally and moves it to the router over the management channel, which is what makes it suitable for hot replacement, where a pre-generated key and certificate must be installed on a new device quickly.

Core Management Process Analysis

5.1

The standard requires the management channel to be protected with AES-128-GCM or a stronger cipher. The algorithm names below are SSH algorithm identifiers, consistent with the SSHv2 session used for router-side key operations in 5.4 and with the RFC 4253 reference; the configuration must meet the following requirements:

  • Encryption algorithm: the AEAD cipher AEAD_AES_128_GCM (RFC 5647) is preferred
  • Integrity check: hmac-sha2-256 or equivalent for non-AEAD ciphers (when an AEAD cipher is negotiated in SSH it provides integrity itself, and the separately negotiated MAC is ignored)
  • Identity authentication: ecdsa-sha2-nistp256 certificate

Note for OpenSSH deployments: OpenSSH offers this cipher under the name aes128-gcm@openssh.com rather than the RFC 5647 name, so that is the identifier to pin in the Ciphers list.

5.4 Key steps for key generation

Typical case: a provincial ISP runs the following procedure from the CLI in router-driven mode:

  1. Open an SSHv2 session to the ASBR
  2. Have the router's HSM module generate an ECDSA key pair on the P-256 curve
  3. Package the key automatically in PKCS#8 form, as specified by RFC 5958 (Asymmetric Key Package)
  4. Generate a PKCS#10 CSR whose subject carries the router's BGP Identifier (together with its AS number, as RFC 8209 requires), for submission to the CA
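The router-driven procedure above, as an added example in Go (not code from the standard or from any router vendor): the key pair, its PKCS#8 / RFC 5958 encoding and the PKCS#10 request are produced with Go's standard library and the request is checked the way an operator would before forwarding it to the CA. The subject layout (CN = "ROUTER-" plus the AS number in hex, serialNumber = the BGP Identifier in hex) follows RFC 8209 as read here and should be treated as an assumption; AS 65000 and router ID 192.168.0.1 are constructed values, and the RFC 3779 AS-identifier extension that the issued certificate must carry is left to the CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"os"
)

// RouterIdentity holds the two 32-bit values that name a BGPsec router certificate:
// the AS number and the BGP Identifier (router ID).
type RouterIdentity struct {
	ASN      uint32
	RouterID uint32 // BGP Identifier, conventionally the router's IPv4 loopback address as an integer
}

// SubjectFor renders the identity in the RFC 8209 subject convention as assumed here:
// CN = "ROUTER-" + ASN as 8 hex digits, serialNumber = BGP Identifier as 8 hex digits.
func SubjectFor(id RouterIdentity) pkix.Name {
	return pkix.Name{
		CommonName:   fmt.Sprintf("ROUTER-%08X", id.ASN),
		SerialNumber: fmt.Sprintf("%08X", id.RouterID),
	}
}

// GenerateRouterKey creates the P-256 key pair the standard prescribes and returns it with
// its DER encoding as an unencrypted PKCS#8 / RFC 5958 OneAsymmetricKey (version 1).
// On a real router this runs inside the HSM and the private key never leaves it; the DER
// export is produced here only so the structure can be inspected.
func GenerateRouterKey() (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	return priv, der, nil
}

// BuildCSR produces a PKCS#10 request signed with the router key using ECDSA with SHA-256.
// The RFC 3779 AS Identifier extension that the issued certificate must carry is not
// built here; the CA is expected to add it from its own records.
func BuildCSR(priv *ecdsa.PrivateKey, id RouterIdentity) ([]byte, error) {
	tmpl := x509.CertificateRequest{
		Subject:            SubjectFor(id),
		SignatureAlgorithm: x509.ECDSAWithSHA256,
	}
	return x509.CreateCertificateRequest(rand.Reader, &tmpl, priv)
}

// VerifyCSR parses the request, checks its self-signature and confirms it was made with
// the given key, which is what an operator should do before forwarding it to the CA.
func VerifyCSR(csrDER []byte, priv *ecdsa.PrivateKey) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok || !pub.Equal(&priv.PublicKey) {
		return nil, fmt.Errorf("CSR public key does not match the router key")
	}
	return csr, nil
}

func main() {
	id := RouterIdentity{ASN: 65000, RouterID: 0xC0A80001} // constructed: AS65000, router ID 192.168.0.1
	priv, keyDER, err := GenerateRouterKey()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	csrDER, err := BuildCSR(priv, id)
	if err == nil {
		_, err = VerifyCSR(csrDER, priv)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("PKCS#8 key package: %d bytes (stays inside the HSM on a real router)\n", len(keyDER))
	pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrDER})
}
```

The PEM-encoded request printed at the end is what gets handed to the CA; the key package is printed only as a byte count because in router-driven mode it is never exported.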

Technical highlights of the advanced deployment scheme

The advanced scheme in Chapter 6 of the standard relies on IEEE 802.1AR device identity certificates installed by the manufacturer, so that a router can authenticate itself to the management centre before any operator configuration:

Component                Traditional scheme      Advanced scheme
Initial authentication   Manual configuration    Manufacturer (IEEE 802.1AR) certificate
Certificate renewal      Manual trigger          Automatic, via the EST protocol (RFC 7030)
Management overhead      High                    Reduced by 60%

Key Lifecycle Management

7.3 Key Rotation Mechanism

The standard recommends the dual-key overlap mechanism described in RFC 8634 (BGPsec Router Certificate Rollover), under which the old and new keys are both valid for a period so that routes signed with either key keep validating:

  • Deploy the new key at least 30 days before the old certificate expires
  • Keep a grace period during which both keys are accepted (recommended ≥ 72 hours)
  • Bound the rotation cycle by the maximum ROA validity period
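An added example, not taken from the standard, that turns the 7.3 figures into a checkable rollover timeline and rejects policies weaker than the recommended 30 days / 72 hours. The policy type, the placement of the signing switch halfway through the overlap, and the MaxValidity cap standing in for the page's "maximum validity period" are assumptions made here; the certificate dates are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// RolloverPolicy holds the figures from 7.3: how long before expiry the replacement key
// goes live, how long both keys stay valid, and the longest certificate lifetime the
// operator permits (the bound on the rotation cycle).
type RolloverPolicy struct {
	Lead        time.Duration // recommended ≥ 30 days
	Grace       time.Duration // recommended ≥ 72 h
	MaxValidity time.Duration // assumed operator setting; the page gives no figure
}

// RolloverPlan is the resulting timeline for one key change.
type RolloverPlan struct {
	DeployNew  time.Time // new key generated, new certificate issued and published
	SwitchSign time.Time // router starts signing BGPsec UPDATEs with the new key
	RetireOld  time.Time // old certificate revoked, old key destroyed
	OldExpiry  time.Time
}

// ValidatePolicy rejects policies weaker than the standard's recommendations.
func ValidatePolicy(p RolloverPolicy) error {
	if p.Lead < 30*24*time.Hour {
		return fmt.Errorf("lead time %v is below the recommended 30 days", p.Lead)
	}
	if p.Grace < 72*time.Hour {
		return fmt.Errorf("grace period %v is below the recommended 72 h", p.Grace)
	}
	if p.MaxValidity <= p.Lead+p.Grace {
		return errors.New("maximum validity must exceed lead time plus grace period")
	}
	return nil
}

// PlanRollover derives the timeline from the current certificate's validity window.
// Assumed reading of the dual-key mechanism: the overlap starts when the new key is
// deployed, the router switches signing halfway through it (first half for RPKI cache
// refresh, second half for re-signed UPDATEs to propagate), and the old key is retired
// when the overlap ends.
func PlanRollover(notBefore, notAfter time.Time, p RolloverPolicy) (RolloverPlan, error) {
	if err := ValidatePolicy(p); err != nil {
		return RolloverPlan{}, err
	}
	validity := notAfter.Sub(notBefore)
	if validity <= 0 {
		return RolloverPlan{}, errors.New("certificate validity window is empty")
	}
	if validity > p.MaxValidity {
		return RolloverPlan{}, fmt.Errorf("validity %v exceeds policy maximum %v", validity, p.MaxValidity)
	}
	if p.Lead > validity {
		return RolloverPlan{}, fmt.Errorf("lead time %v does not fit in a %v validity period", p.Lead, validity)
	}
	deploy := notAfter.Add(-p.Lead)
	return RolloverPlan{
		DeployNew:  deploy,
		SwitchSign: deploy.Add(p.Grace / 2),
		RetireOld:  deploy.Add(p.Grace),
		OldExpiry:  notAfter,
	}, nil
}

// Phase reports which key(s) must be valid at a given instant.
func (r RolloverPlan) Phase(now time.Time) string {
	switch {
	case now.Before(r.DeployNew):
		return "old-only"
	case now.Before(r.RetireOld):
		return "overlap"
	default:
		return "new-only"
	}
}

func main() {
	p := RolloverPolicy{Lead: 30 * 24 * time.Hour, Grace: 72 * time.Hour, MaxValidity: 365 * 24 * time.Hour}
	nb := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC) // constructed one-year validity window
	na := nb.AddDate(1, 0, 0)
	plan, err := PlanRollover(nb, na, p)
	if err != nil {
		fmt.Println("cannot plan rollover:", err)
		return
	}
	fmt.Printf("deploy new key: %s\nswitch signing: %s\nretire old key: %s\n",
		plan.DeployNew.Format(time.RFC3339), plan.SwitchSign.Format(time.RFC3339), plan.RetireOld.Format(time.RFC3339))
}
```

Phase is what a monitoring job would evaluate each day: while it reports "overlap", both certificates must still be published and both keys must still be accepted by peers.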

7.5 Router Replacement Process

Key control points:

  1. Export the encrypted PKCS#8 key package from the old router
  2. Transfer it to the new device over SCP, which runs inside an SSH session and therefore inherits the channel requirements of 5.1
  3. On the new device, verify that the private key matches the certificate and that the certificate chains to the trusted CA
  4. Revoke the old device's management certificate immediately

Implementation Recommendations

Best practices:

  • Use router-driven mode for core PE routers, so that private keys are generated in and never leave the router's HSM
  • Set up certificate-expiry alerting that warns 15 days before expiry
  • Check CRL revocation status regularly (weekly is recommended)
  • When rotating keys, maintain the min-validity = 50% overlap period
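The verification in step 3 of 7.5, combined with the CRL check and the 15-day expiry warning recommended above, as an added Go example that is not the standard's own procedure. It assumes the PKCS#8 package has already been decrypted (Go's standard library parses only the unencrypted RFC 5958 form; an encrypted package would be unwrapped with a tool such as openssl pkcs8 first) and that the issuing CA certificate and its current CRL have been fetched from the RPKI. BuildFixture fabricates a CA, a router certificate and a CRL so that the check runs offline; its subject, serial numbers and dates are constructed, and the id-kp-bgpsec-router EKU it sets is the one RFC 8209 assigns.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ImportReport records which checks passed so the operator can see where an import failed.
type ImportReport struct {
	KeyMatchesCert, ChainOK, Revoked, NearExpiry bool
	DaysLeft                                     int
}

// VerifyHandover runs the checks a replacement router should make before using an imported
// key: the (decrypted) PKCS#8 package holds a P-256 key matching the certificate, the
// certificate chains to the trusted CA, it is not on the CA's CRL, and it is not about to expire.
func VerifyHandover(keyDER, certDER, crlDER []byte, ca *x509.Certificate, now time.Time, warnWithin time.Duration) (ImportReport, error) {
	var rep ImportReport
	key, err := x509.ParsePKCS8PrivateKey(keyDER)
	if err != nil {
		return rep, fmt.Errorf("key package: %w", err)
	}
	priv, ok := key.(*ecdsa.PrivateKey)
	if !ok || priv.Curve != elliptic.P256() {
		return rep, errors.New("key package does not hold an ECDSA P-256 key")
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return rep, fmt.Errorf("certificate: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if rep.KeyMatchesCert = ok && pub.Equal(&priv.PublicKey); !rep.KeyMatchesCert {
		return rep, errors.New("private key does not match the certificate's public key")
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// Router certificates carry the id-kp-bgpsec-router EKU, not serverAuth, so widen Go's default EKU check.
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return rep, fmt.Errorf("chain: %w", err)
	}
	rep.ChainOK = true
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return rep, fmt.Errorf("CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil { // never trust an unsigned or foreign revocation list
		return rep, fmt.Errorf("CRL signature: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			rep.Revoked = true
			return rep, errors.New("certificate is listed on the CA's CRL")
		}
	}
	rep.DaysLeft = int(cert.NotAfter.Sub(now).Hours() / 24)
	rep.NearExpiry = cert.NotAfter.Sub(now) < warnWithin
	return rep, nil
}

// BuildFixture constructs a throwaway CA, a router certificate valid for lifetime from now,
// and a CRL that lists that certificate when revoke is set. Constructed test data only; in
// production the certificate and CRL come from the RPKI and the key from the old router.
func BuildFixture(now time.Time, lifetime time.Duration, revoke bool) (keyDER, certDER, crlDER []byte, ca *x509.Certificate) {
	// Errors are ignored here: the inputs are fixed, so these calls cannot fail in practice.
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example RPKI CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	rKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), // RFC 8209-style subject for AS65000, router ID 192.168.0.1
		Subject:   pkix.Name{CommonName: "ROUTER-0000FDE8", SerialNumber: "C0A80001"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(lifetime), KeyUsage: x509.KeyUsageDigitalSignature,
		UnknownExtKeyUsage: []asn1.ObjectIdentifier{{1, 3, 6, 1, 5, 5, 7, 3, 30}}} // id-kp-bgpsec-router
	certDER, _ = x509.CreateCertificate(rand.Reader, rTmpl, ca, &rKey.PublicKey, caKey)
	keyDER, _ = x509.MarshalPKCS8PrivateKey(rKey)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(7 * 24 * time.Hour)}
	if revoke {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: rTmpl.SerialNumber, RevocationTime: now}}
	}
	crlDER, _ = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	return keyDER, certDER, crlDER, ca
}

func main() {
	now := time.Now()
	key, cert, crl, ca := BuildFixture(now, 10*24*time.Hour, false) // 10 days left: trips the 15-day warning
	fmt.Println(VerifyHandover(key, cert, crl, ca, now, 15*24*time.Hour))
}
```

The checks are ordered so that the cheapest and most decisive failure is reported first: a key that does not match the certificate makes chain and CRL results irrelevant, and a CRL whose signature does not verify against the CA must not be consulted at all.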

YD/T 4620-2023 Referenced Document

  • RFC 2585 Internet X.509 Public Key Infrastructure: Operational Protocols: FTP and HTTP
  • RFC 4253 The Secure Shell (SSH) Transport Layer Protocol
  • RFC 5652 Cryptographic Message Syntax (CMS) (STD 70; obsoletes RFC 3852)
  • RFC 8209 A Profile for BGPsec Router Certificates, Certificate Revocation Lists, and Certification Requests

YD/T 4620-2023 history

  • 2023 YD/T 4620-2023 BGPsec technical requirements Router key management

Copyright ©2026 All Rights Reserved
Update: Thu, 28 May 2026 23:47:40 +0000