APNIC Trial of Certification of IP Addresses and ASes

Similar documents
APNIC Trial of Certification of IP Addresses and ASes

A PKI For IDR Public Key Infrastructure and Number Resource Certification

Update on Resource Certification. Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008

Progress Report on APNIC Trial of Certification of IP Addresses and ASes

Using Resource Certificates Progress Report on the Trial of Resource Certification

Using Resource Certificates Progress Report on the Trial of Resource Certification

Problem. BGP is a rumour mill.

Some Lessons Learned from Designing the Resource PKI

Auto-Detecting Hijacked Prefixes?

Resource Certification A Public Key Infrastructure for IP Addresses and AS's

Securing BGP: The current state of RPKI. Geoff Huston Chief Scientist, APNIC

Facilitating Secure Internet Infrastructure

PKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006

RPKI Trust Anchor. Geoff Huston APNIC

An Operational ISP & RIR PKI

Internet Engineering Task Force (IETF) Request for Comments: Category: Standards Track. BBN September 2017

Internet Engineering Task Force (IETF) Category: Informational ISSN: February 2012

Overview of the Resource PKI (RPKI) Dr. Stephen Kent VP & Chief Scientist BBN Technologies

Security Protocols and Infrastructures. Winter Term 2015/2016

Securing Internet Infrastructure: Route Origin Security using RPKI at ARIN. Mark Kosters CTO

Resource PKI. NetSec Tutorial. NZNOG Queenstown. 24 Jan 2018

Security Protocols and Infrastructures

Internet Engineering Task Force (IETF) Request for Comments: 6490 Category: Standards Track. G. Michaelson APNIC. S. Kent BBN February 2012

Introducción al RPKI (Resource Public Key Infrastructure)

Resource Certification

Public Key Infrastructures

Deploying RPKI An Intro to the RPKI Infrastructure

Secure Routing with RPKI. APNIC44 Security Workshop

Securing Routing: RPKI Overview. Mark Kosters Chief Technology Officer

Misdirection / Hijacking Incidents

Network Working Group. Intended status: Informational Expires: January 9, 2014 July 8, 2013

AeroMACS Public Key Infrastructure (PKI) Users Overview

Lecture Notes 14 : Public-Key Infrastructure

Managing Certificates

X.509. CPSC 457/557 10/17/13 Jeffrey Zhu

An Operational ISP & RIR PKI

An Operational Perspective on BGP Security. Geoff Huston February 2005


Internet Resource Certification and Inter- Domain Routing Security! Eric Osterweil!

Server-based Certificate Validation Protocol

PKI Services. Text PKI Definition. PKI Definition #1. Public Key Infrastructure. What Does A PKI Do? Public Key Infrastructures

Securing BGP - RPKI. ThaiNOG Bangkok. 21 May Tashi Phuntsho

RPKI deployment at AFRINIC Status Update. Alain P. AINA RPKI Project Manager

Cryptography and Network Security

Digital Certificates Demystified

Bugzilla ID: Bugzilla Summary:

Securing the Border Gateway Protocol. Dr. Stephen Kent Chief Scientist - Information Security

Certification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure

APNIC RPKI Report. George Michaelson

Public Key Infrastructures. Using PKC to solve network security problems

Security Overlays on Core Internet Protocols DNSSEC and RPKI. Mark Kosters ARIN CTO

IPv4 Run-Out, Trading, and the RPKI

Madison, Wisconsin 9 September14

RPKI. Resource Pubic Key Infrastructure

Network Security Essentials

Life After IPv4 Depletion

DCCKI Interface Design Specification. and. DCCKI Repository Interface Design Specification

Securing Core Internet Functions Resource Certification, RPKI. Mark Kosters ARIN CTO

Internet Engineering Task Force (IETF) Obsoletes: 6485 Category: Standards Track August 2016 ISSN:

IPv4 Run-Out, Trading, and the RPKI

Security Issues of BGP in Complex Peering and Transit Networks

ARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN

RPKI and Routing Security

Securing BGP. Geoff Huston November 2007

Securing the Internet s Foundations: Addresses and Routing

Apple Inc. Certification Authority Certification Practice Statement

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

CSE 565 Computer Security Fall 2018

Local TA Management. In principle, every RP should be able to locally control the set of TAs that it will employ

Resource Public Key Infrastructure (RPKI) Nurul Islam Roman, APNIC

ING Corporate PKI G3 Internal Certificate Policy

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations

Resource Certification

Machine Readable Travel Documents

RPKI and Internet Routing Security ~ The regional ISP operator view ~

BGP Origin Validation

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.10 Effective Date: June 10, 2013

TELIA MOBILE ID CERTIFICATE

expires in six months October 1997 Internet Public Key Infrastructure Operational Protocols: FTP and HTTP <draft-ietf-pkix-opp-ftp-http-01.

Apple Inc. Certification Authority Certification Practice Statement. Apple Application Integration Sub-CA Apple Application Integration 2 Sub-CA

Apple Inc. Certification Authority Certification Practice Statement

SONERA MOBILE ID CERTIFICATE

Copyright

EXBO e-signing Automated for scanned invoices

RPKI Introduction. APNIC Technical Workshop July 5-6, 2018 in Beijing, China. Hosted By:

Category: Standards Track W. Ford VeriSign D. Solo Citigroup April 2002

ING Public Key Infrastructure Technical Certificate Policy

Network Working Group Request for Comments: 3820 Category: Standards Track. NCSA D. Engert ANL. L. Pearlman USC/ISI M. Thompson LBNL June 2004

Certificate Management in Cisco ISE-PIC

ACGISS Public Employee Certificates

Resource Certification. Alex Band, Product Manager DENIC Technical Meeting

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

Cryptography and Network Security Chapter 14

KEY DISTRIBUTION AND USER AUTHENTICATION

Problem Statement and Considerations for ROA Mergence. 96 SIDR meeting

August 2007 Intel Pro SSL Addendum to the Comodo Certification Practice Statement v.3.0

SSL Certificates Certificate Policy (CP)

Methods for Detection and Mitigation of BGP Route Leaks

Internet Engineering Task Force (IETF) Category: Informational ISSN: September 2017

Policy Proposal Capturing AS Originations In Templates

Transcription:

APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston

Motivation: Address and Routing Security What we have today is a relatively insecure system that is vulnerable to various forms of deliberate disruption and subversion And it appears that bogon filters and routing policy databases are not, in and of themselves, entirely robust forms of defence against these vulnerabilities

Motivation: Address and Routing Security The (very) basic routing security questions that need to be answered are: Is this a valid address prefix? Who injected this address prefix into the network? Did they have the necessary credentials to inject this address prefix? Can these questions be answered reliably, quickly and cheaply?

What would be good To be able to use a public infrastructure to validate assertions about addresses and their use: the authenticity of the address object being advertised authenticity of the origin AS the explicit authority from the address to AS that permits an original routing announcement to be made by that AS

X.509 Extensions for IP Addresses RFC3779 defines extension to the X.509 certificate format for IP addresses & AS number The extension binds a list of IP address blocks and AS numbers to the subject of a certificate These extensions may be used to convey the issuer s authorization of the subject for exclusive use of the IP addresses and autonomous system identifiers contained in the certificate extension The extension is defined as as a critical extension Validation includes the requirement that the Issuer s certificate extension must encompass the resource block described in the extension of the certificated being validated

APNIC Trial Certificate Format 12345 CN= APNIC CA Trial CN= FC00DEADBEEF VERSION SERIAL NUMBER SIGNATURE ALGORITHM ISSUER v3 SHA-1 with RSA VALIDITY 1/1/05-1/1/06 SUBJECT SUBJECT PUBLIC KEY INFO RSA, 48...321 KeyUsage (critical if CA) digitalsignature, keycertsign, and crlsign Cert Policies OIDs EXTENSIONS Basic constraints CA bit ON Allocations Subject Alt Name Authority Info Access Location: <URI> Subject Info Access Location: <URI> CRL Distribution Point IP address 10.0.0.0/8 192.168.0.0/24 2002:14C0::/32 AS identifier AS123 AS124 SIGNATURE

What is being Certified APNIC (the Issuer ) certifies that: the certificate Subject whose public key is contained in the certificate is the current controller of a set of IP address and AS resources that are listed in the certificate extension APNIC is NOT certifying here the identity of the subject, nor their good (or evil) intentions! This is a simple mechanism of using certificates as a means of validation of title of current resource control

What could you do with Resource Certificates? You could sign routing authorities, routing requests, or IRR submitted objects with your private key The recipient (relying party) can validate this signature against the matching certificate s public key, and can validate the certificate in the PKI You could use the private key to sign routing information that could then be propagated by an inter-domain routing protocol that had validation extensions You could issue signed subordinate resource certificates for any sub-allocations of resources, such as may be seen in a LIR context

APNIC Certificate Trial Trial service provides: Issue of RFC3779 compliant certificates to APNIC members Policy and technical infrastructure necessary to deploy and use the certificates in testing contexts by the routing community and general public CPS (Certification practice statement) Certificate repository CRL (Certificate revocation list) Tools and examples (open source) for downstream certification by NIR, LIR and ISP display of certificate contents encoding certificates

Expected Environment of Use Service interface via APNIC web portal Generate and Sign routing requests Validate signed objects against repository Manage subordinate certificates Local Tools LIR Use Synchronize local repository Validate signed resource objects Generate and lodge certificate objects

Current Status Test Certificates being generated Locally generated key pair Cover all current APNIC membership holdings CRL test Reissue all certificates with explicit revocation on original certificate set Example tools being developed APNIC Trial Certificate Repository: ftp://ftp.apnic.net/pub/test-certs/

Current APNIC Experiment Program Now (2006) Certificate design Tool construction Use modelling Portal Tools and Local Use Tools Next (late 2006) Review and Evaluation Definition of Next Steps

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback