Update on Resource Certification. Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008

Similar documents
APNIC Trial of Certification of IP Addresses and ASes

APNIC Trial of Certification of IP Addresses and ASes

Problem. BGP is a rumour mill.

Facilitating Secure Internet Infrastructure

Using Resource Certificates Progress Report on the Trial of Resource Certification

RPKI Trust Anchor. Geoff Huston APNIC

A PKI For IDR Public Key Infrastructure and Number Resource Certification

Securing Internet Infrastructure: Route Origin Security using RPKI at ARIN. Mark Kosters CTO

RPKI deployment at AFRINIC Status Update. Alain P. AINA RPKI Project Manager

Overview of the Resource PKI (RPKI) Dr. Stephen Kent VP & Chief Scientist BBN Technologies

Using Resource Certificates Progress Report on the Trial of Resource Certification

Progress Report on APNIC Trial of Certification of IP Addresses and ASes

Securing BGP: The current state of RPKI. Geoff Huston Chief Scientist, APNIC

PKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006


Some Lessons Learned from Designing the Resource PKI

Securing Routing: RPKI Overview. Mark Kosters Chief Technology Officer

Auto-Detecting Hijacked Prefixes?

Resource Certification

Internet Engineering Task Force (IETF) Category: Informational ISSN: February 2012

Resource Certification A Public Key Infrastructure for IP Addresses and AS's

Resource PKI. NetSec Tutorial. NZNOG Queenstown. 24 Jan 2018

Security Overlays on Core Internet Protocols DNSSEC and RPKI. Mark Kosters ARIN CTO

Madison, Wisconsin 9 September14

RPKI. Resource Pubic Key Infrastructure

ARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN

Resource Certification. Alex Band, Product Manager DENIC Technical Meeting

RPKI and Internet Routing Security ~ The regional ISP operator view ~

Life After IPv4 Depletion

Securing the Internet s Foundations: Addresses and Routing

An Operational Perspective on Routing Security

Resource Public Key Infrastructure

IPv4 Run-Out, Trading, and the RPKI

Internet Resource Certification and Inter- Domain Routing Security! Eric Osterweil!

RPKI and Routing Security

Resource Public Key Infrastructure (RPKI) Nurul Islam Roman, APNIC

Securing Core Internet Functions Resource Certification, RPKI. Mark Kosters ARIN CTO

Introducción al RPKI (Resource Public Key Infrastructure)

IPv4 Run-Out, Trading, and the RPKI

Secure Routing with RPKI. APNIC44 Security Workshop

Securing BGP - RPKI. ThaiNOG Bangkok. 21 May Tashi Phuntsho

RPKI Introduction. APNIC Technical Workshop July 5-6, 2018 in Beijing, China. Hosted By:

Misdirection / Hijacking Incidents

APNIC s role in stability and security. Adam Gosling Senior Policy Specialist, APNIC 4th APT Cybersecurity Forum, 3-5 December 2013

BGP Origin Validation

Robust Inter-Domain Routing

APNIC RPKI Report. George Michaelson

An Operational ISP & RIR PKI

Deploying RPKI An Intro to the RPKI Infrastructure

Network Working Group. Intended status: Informational Expires: January 9, 2014 July 8, 2013

The RPKI & Origin Validation

Some Thoughts on Integrity in Routing

Internet Engineering Task Force (IETF) Request for Comments: Category: Standards Track. BBN September 2017

Security Overlays on Core Internet Protocols DNSSEC and RPKI. Mark Kosters ARIN CTO

HD Ratio for IPv4. RIPE 48 May 2004 Amsterdam

IPv4 Address Report. This report generated at 12-Mar :24 UTC. IANA Unallocated Address Pool Exhaustion: 03-Feb-2011

An Operational Perspective on BGP Security. Geoff Huston February 2005

The RPKI and BGP Origin Validation

BGP Routing Security and Deployment Strategies

Local TA Management. In principle, every RP should be able to locally control the set of TAs that it will employ

The RPKI & Origin Validation

Problem Statement and Considerations for ROA Mergence. 96 SIDR meeting

Whois & Data Accuracy Across the RIRs

IETF81 Secure IDR Rollup TREX Workshop David Freedman, Claranet

Security in inter-domain routing

BGP Origin Validation (RPKI)

Decentralized Internet Resource Trust Infrastructure

Attacks on routing: IP hijacks

Internet-Draft Intended status: Standards Track July 4, 2014 Expires: January 5, 2015

An Operational ISP & RIR PKI

APNIC & Internet Address Policy in the Asia Pacific

RDAP: A Primer on the Registration Data Access Protocol

Securing BGP. Geoff Huston November 2007

IPv6 HD Ratio. ARIN Public Policy Meeting April Geoff Huston APNIC

IPv6 Allocation and Policy Update. Global IPv6 Summit in China 2007 April 12, 2007 Guangliang Pan

IPv6 HD Ratio. ARIN Public Policy Meeting April Geoff Huston APNIC

Route Security for Inter-domain Routing

Networking 101 ISP/IXP Workshops

<36 th APNIC Meeting, XIAN CHINA> KISA(KRNIC) UPDATE. YOUNGSUN LA Korea Internet & Security Agency

APNIC 26 policy update Shifting landscape

Feedback from RIPE NCC Registration Services. Alex Le Heux - RIPE NCC RIPE62, May 2011, Amsterdam

Internet Engineering Task Force (IETF) Category: Informational ISSN: September 2017

Resource Certification

Inter-domain routing security and the role of Internet Routing Registries. August 1, 2004 Larry Blunk, Merit Network, Inc.

RPKI Deployment Considerations: Problem Analysis and Alternative Solutions. 95 SIDR meeting

Policy Proposal Capturing AS Originations In Templates

Internet Addressing and the RIR system (part 2)

SCION: Scalability, Control and Isolation On Next-Generation Networks

RPKI MIRO & RTRlib. Andreas Reuter, Matthias Wählisch Freie Universität Berlin

Securing the Border Gateway Protocol. Dr. Stephen Kent Chief Scientist - Information Security

Internet Number Resources

Securing Routing Information

9/6/2015. COMP 535 Lecture 6: Routing Security. Agenda. In the News. September 3, 2015 Andrew Chi

FIRMS: a Future InteRnet Mapping System

Network Working Group Request for Comments: 3779 Category: Standards Track BBN Technologies June 2004

IPv4 depletion & IPv6 deployment in the RIPE NCC service region. Kjell Leknes - June 2010

APNIC allocation and policy update. JPNIC OPM July 17, Tokyo, Japan Guangliang Pan

An ARIN Update. Susan Hamlin Director of Communications and Member Services

Network Working Group Request for Comments: 4147 Category: Informational August Proposed Changes to the Format of the IANA IPv6 Registry

Current Policy Topics

Transcription:

Update on Resource Certification Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008

Address and Routing Security What we have had for many years is a relatively insecure interdomain routing system based on mutual trust that is vulnerable to various forms of disruption and subversion And it appears that the operational practice of bogon filters and piecemeal use of routing policy databases are not entirely robust forms of defense against these vulnerabilities So it appears to look at something that is a little more robust and offers a little more in terms of detection of subversion of the routing system From the RIR perspective we ve been looking at this topic for over a decade

Address and Routing Security The basic routing payload security questions that need to be answered are: Is this a valid address prefix? Who injected this address prefix into the network? Did they have the necessary credentials to inject this address prefix? Is the forwarding path to reach this address prefix an acceptable representation of the network s forwarding state? Can these questions be answered reliably, cheaply and quickly?

Laying the Foundation in a PKI Use a dedicated public key infrastructure to allow any relying party to be able to validate attestations about addresses and their use: the authenticity of the address object being advertised authenticity of the origin AS the explicit authority from the address to AS that permits an originating routing announcement

A Starting Point for Routing Security Adoption of some basic security functions into the Internet s routing domain: Injection of reliable trustable data A Resource PKI as the base of validation of network data Explicit verifiable mechanisms for integrity of data distribution Adoption of some form of certified authorization mechanism to support validation of credentials associated with address and routing information

X.509 Extensions for IP Addresses RFC3779 defines extension to the X.509 certificate format for IP addresses & AS number The extension binds a list of IP address blocks and AS numbers to the subject of a certificate These extensions may be used to convey the issuer s authorization of the subject for exclusive use of the IP addresses and autonomous system identifiers contained in the certificate extension The extension is defined as a critical extension Validation includes the requirement that the Issuer s certificate extension must encompass the resource block described in the extension of the certificated being validated

What is being Certified For example: APNIC (the Issuer ) certifies that: the certificate Subject whose public key is contained in the certificate is the current controller of a set of IP address and AS resources that are listed in the certificate extension APNIC does NOT certify the identity of the subject, nor their good (or evil) intentions!

Resource Certificates Resource Allocation Hierarchy AFRINIC RIPE NCC ARIN APNIC LACNIC LIR1 LIR2 ISP ISP ISP ISP ISP ISP ISP

Resource Certificates Resource Allocation Hierarchy AFRINIC RIPE NCC ARIN APNIC LACNIC Issued Certificates match allocation actions NIR1 NIR2 ISP ISP ISP ISP ISP ISP ISP

Resource Certificates Resource Allocation Hierarchy AFRINIC RIPE NCC ARIN APNIC LACNIC Issuer: APNIC Subject: NIR2 Resources: 192.2.0.0/16 Key Info: <nir2-key-pub> NIR1 NIR2 Signed: <apnic-key-priv> Issued Certificates ISP ISP ISP ISP4 ISP ISP ISP

Resource Certificates Resource Allocation Hierarchy AFRINIC RIPE NCC ARIN APNIC LACNIC Issuer: APNIC Subject: NIR2 Resources: 192.2.0.0/16 Key Info: <nir2-key-pub> NIR1 NIR2 Signed: <apnic-key-priv> Issuer: NIR2 Subject: ISP4 Resources: 192.2.200.0/24 Key Info: <isp4-key-pub> ISP Signed: <nir2-key-priv> ISP ISP ISP4 ISP ISP ISP Issued Certificates

Resource Certificates Resource Allocation Hierarchy AFRINIC RIPE NCC ARIN APNIC LACNIC Issuer: APNIC Subject: NIR2 Resources: 192.2.0.0/16 Key Info: <nir2-key> Signed: <apnic-key-priv> NIR1 NIR2 Issuer: NIR2 Subject: ISP4 Resources: Issuer: ISP4 192.2.200.0/22 Key Subject: Info: <isp4-key> ISP4-EE ISP ISP Signed: Resources: <nir2-key-priv> 192.2.200.0/24 ISP ISP4 ISP ISP ISP Key Info: <isp4-ee-key> Signed: <isp4-key-priv> Issued Certificates

What could you do with Resource Certificates? You could sign routing origination authorities or routing requests with your private key, providing an authority for an AS to originate a route for the named prefix. A Relying Party can validate this authority in the RPKI You could use the private key to sign routing information in an Internet Route Registry You could attach a digital signature to a protocol element in a routing protocol You could issue signed derivative certificates for any suballocations of resources

Signed Objects Resource Allocation Hierarchy AFRINIC RIPE NCC ARIN APNIC LACNIC Issued Certificates Route Origination Authority LIR1 ISP4 permits AS65000 to to originate a route for for the the prefix 192.2.200.0/24 NIR2 Attachment: <isp4-ee-cert> ISP ISP ISP ISP4 ISP ISP ISP Signed, ISP4 <isp4-ee-key-priv>

Signed Object Validation Resource Allocation Hierarchy AFRINIC RIPE NCC ARIN APNIC LACNIC Issued Certificates Route Origination Authority LIR1 ISP4 permits AS65000 to to originate a route for for the the prefix 192.2.200.0/24 NIR2 Attachment: <isp4-ee-cert> ISP ISP ISP ISP4 ISP ISP ISP 1. Did the matching private key sign Signed, this text? ISP4 <isp4-ee-key-priv>

Signed Object Validation Resource Allocation Hierarchy AFRINIC RIPE NCC ARIN APNIC LACNIC Issued Certificates Route Origination Authority LIR1 ISP4 permits AS65000 to to originate a route for for the the prefix 192.2.200.0/24 NIR2 Attachment: <isp4-ee-cert> ISP ISP ISP ISP4 ISP ISP ISP Signed, ISP4 <isp4-ee-key-priv> 2. Is this certificate valid?

Signed Object Validation Resource Allocation Hierarchy APNIC Trust Anchor AFRINIC RIPE NCC ARIN APNIC LACNIC Issued Certificates Route Origination Authority LIR1 ISP4 permits AS65000 to to originate a route for for the the prefix 192.2.200.0/24 NIR2 Attachment: <isp4-ee-cert> ISP ISP ISP ISP4 ISP ISP ISP Signed, 3. Is there a valid certificate path from a Trust Anchor ISP4 <isp4-ee-key-priv> to this certificate?

Signed Object Validation Resource Allocation Hierarchy Validation Outcomes RIPE NCC Trust Anchor AFRINIC RIPE NCC ARIN 1. 1. ISP4 RIPE authorized NCC this this LACNIC Authority document 2. 2. 192.2.200.0/24 is is a Issued valid Certificates address, derived from from an an APNIC allocation Route Origination Authority LIR13. 3. ISP4 LIR2 holds a current right-of-use of of ISP4 permits AS65000 to 192.2 to 200.0/24 originate a route for for the the prefix 4. 4. A route object, where AS65000 192.2.200.0/24 originates an an advertisement for for the the address prefix 192.2.200.0/24, has has Attachment: <isp4-ee-cert> the the explicit authority of of ISP4, who who is is ISP ISP the ISP the current ISP4 holder ISP of ISP of this this ISP address Signed, prefix ISP4 <isp4-ee-key-priv>

Managing Resource Certificates Resource Holders enroll for certificates using existing trusted relationship between issuer and holder Exchange of credentials to establish a secure path between issuer and subject Subject and Issuer each operate instances of an RPKI Engine to manage certificate issuance actions Certificate Issuance reflects the current state of the issuer s allocation database

Managing Resource Certificates Certificate management is an automated process driven by the issuer s allocation database state Uses a distributed publication repository system to allow: CA s to publish certificates and CRLs EE s to publish signed objects Relying Parties could maintain a local cache of the publication repository framework to allow local validation operations to be performed efficiently

Progress Report Specifications submitted to the SIDR WG of the IETF: Specification of a profile for Resource certificates Specification of the distributed publication repository framework Specification of the architecture of the RPKI Specification of profiles for Route Origination Authorization objects (ROAs) and Bogon Origination Attestation objects (BOAs) Specification of the Issuer / Subject resource certificate provisioning protocol

Progress Report Implementation Progress Four independent implementation efforts for various aspects of the RPKI are underway at present Tools for Resource Certificate management Requests, Issuance, Revocation, Validation Issuer / Subject certificate provisioning protocol Functional RPKI Engine instance for an RIR integrated into one RIR s production environment Relying Party local cache management RPKI validation tools

Intended Objectives Create underlying framework for route security measures Assist ISP business process accuracy with Peering and Customer Configuration tool support Improve the integrity of published data through the signing and verification capability in Whois, IRR and similar Possibility of removing dependency on where the data was originally published as the derivation of trust in the accuracy of the data, and replace it with the capability to validate the published data, independent of trust in the original publication point, and irrespective of where and how the data has been stored

What this does NOT do Act as a replacement for sbgp, sobgp, pgbgp, It is intended to provide a validation framework that could support these secure BGP proposals Process routing updates and make unvalidated destinations unreachable That s something that is a local policy preference setting

Current Activity ARIN Working through ISC and PSG.NET for code and design work Engine to be placed in the public domain Hope to have pilot service up to test by the end of the year

Current Activity (cont) APNIC Has a working RPKI CA placed into its production platform (Feb 2008) In house development of Perl based implementation of RPKI engine largely complete, with Perl interface to OpenSSL libraries, to be published as an open source software suite Working on hosting services for clients for 2Q 2008 production delivery

Current Activity (cont) BBN Resource certificate validation engine (java implementation) RIPE NCC In house development of CA/RA manager tool suite

Next Technical Steps Tools for hosted RPKI services Allow an ISP or an LIR to outsource Resource Certificate management services to an external agency Tools to manage attestation and authority generation and signing for end entities Relying Party tools to assist in validation functions Tools to support RIR functions Addition of digital signatures to IRR objects? Specification of use of RPKI by BGP speakers?

References IETF SIDR Working Group http://tools.ietf.org/wg/sidr/ Working project documentation at: http://mirin.apnic.net/resourcecerts/wiki/index.php/main_page ISC (funded by ARIN) subversion reference at: http://subvert-rpki.hactrn.net/

Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback