Presentation is loading. Please wait.

Presentation is loading. Please wait.

RPKI Validation - Revisited draft-huston-rpki-validation-00.txt Geoff Huston George Michaelson APNIC.

Published byDustin Reginald Taylor Modified over 9 years ago

Similar presentations

Presentation on theme: "RPKI Validation - Revisited draft-huston-rpki-validation-00.txt Geoff Huston George Michaelson APNIC."— Presentation transcript:

1 RPKI Validation - Revisited draft-huston-rpki-validation-00.txt Geoff Huston George Michaelson APNIC

2 RPKI Validation RFC3779 defined validation recursively For a certificate to be “valid”: the certificate must satisfy a number of criteria, Syntax correctness, validity dates, etc and there must exist an ordered sequence of certificates (1..n) where: – Certificate 1 is issued by a trust anchor – Certificate x’s Subject Name value matches Certificate x+1’s Issuer Name value – Certificate ‘n’ is the certificate to be validated – Certificates 1 through n-1 are also “valid” according to this same criteria draft-huston-rpki-validation Slide 2/20

3 RPKI Validation RFC6487 referenced the validation criteria for the RFC3779 Number Resource extension: draft-huston-rpki-validation Slide 3/20

4 This is Valid Issuer: A Subject: B Resources: 192.0.2.0/24, AS64496-AS6500 Issuer: B Subject: C Resources: 192.0.2.0/25, AS64496-AS6500 Issuer: C Subject: D Resources: 192.0.2.0/25 Local Trust Anchor Certificate being Tested for validity draft-huston-rpki-validation Slide 4/20

5 This is not Valid Issuer: A Subject: B Resources: 192.0.2.0/24, AS64496-AS6500 Issuer: B Subject: C Resources: 192.0.2.0/25, AS64496-AS6511 Issuer: C Subject: D Resources: 192.0.2.0/25 Local Trust Anchor Certificate being Tested for validity draft-huston-rpki-validation Slide 5/20

6 Implications How to maintain validity of certified resources during a process of movement of resources between CA’s (registries) A B C D E 192.0.2.0/24 draft-huston-rpki-validation Slide 6/20

7 Implications How to maintain validity of certified resources during a process of movement of resources between CA’s (registries) A B C D E 192.0.2.0/24 1. Add 192.0.2.0/24 to a reissued certificate draft-huston-rpki-validation Slide 7/20

8 Implications How to maintain validity of certified resources during a process of movement of resources between CA’s (registries) A B C D E 192.0.2.0/24 1. Add 192.0.2.0/24 to a reissued certificate 2. Add 192.0.2.0/24 to a reissued certificate 192.0.2.0/24 draft-huston-rpki-validation Slide 8/20

9 Implications How to maintain validity of certified resources during a process of movement of resources between CA’s (registries) A B C D E 1. Add 192.0.2.0/24 to a reissued certificate 2. Add 192.0.2.0/24 to a reissued certificate 3. remove 192.0.2.0/24 from a reissued certificate 192.0.2.0/24 draft-huston-rpki-validation Slide 9/20

10 Implications How to maintain validity of certified resources during a process of movement of resources between CA’s (registries) A B C D E 1. Add 192.0.2.0/24 to a reissued certificate 2. Add 192.0.2.0/24 to a reissued certificate 192.0.2.0/24 4. remove 192.0.2.0/24 from a reissued certificate 3. remove 192.0.2.0/24 from a reissued certificate 192.0.2.0/24 draft-huston-rpki-validation Slide 10/20

11 Implications How to maintain validity of certified resources during a process of movement of resources between CA’s (registries) A B C D E 1. Add 192.0.2.0/24 to a reissued certificate 2. Add 192.0.2.0/24 to a reissued certificate 3. remove 192.0.2.0/24 from a reissued certificate 192.0.2.0/24 5. revoke the previously issued certificate 4. remove 192.0.2.0/24 from a reissued certificate draft-huston-rpki-validation Slide 11/20

12 Implications How to maintain validity of certified resources during a process of movement of resources between CA’s (registries) A B C D E 1. Add 192.0.2.0/24 to a reissued certificate 2. Add 192.0.2.0/24 to a reissued certificate 3. remove 192.0.2.0/24 from a reissued certificate 192.0.2.0/24 5. revoke the previously issued certificate 4. remove 192.0.2.0/24 from a reissued certificate 6. revoke the previously issued certificate draft-huston-rpki-validation Slide 12/20

13 Operational Synchronisation The “receiving side” uses a top down sequence of certificate re-issuance The “sending side” uses a bottom up sequence of certificate reissuance in order to avoid the side effect of unintended invalidity – But this requires careful synchronisation of issuance actions between CA’s draft-huston-rpki-validation Slide 13/20

14 An Alternative Validity Test Replace “Is this certificate valid?” with “Is this certificate valid for these resources?” i.e. add a specific set of resources to the validity question 6. The resources specified in the validity test are "encompassed" by the resource extension data contained in all certificates that form the validation path. draft-huston-rpki-validation Slide 14/20

15 This is Valid for 192.0.2.0/25 Issuer: A Subject: B Resources: 192.0.2.0/24, AS64496-AS6500 Issuer: B Subject: C Resources: 192.0.2.0/25, AS64496-AS6511 Issuer: C Subject: D Resources: 192.0.2.0/25 Local Trust Anchor Certificate being Tested for validity with the resource 192.0.2.0/25 draft-huston-rpki-validation Slide 15/20

16 What about Resource Movement? No synchronisation of CA actions is necessary – Each CA can re-issue augmented or reduced subordinate certificates without needing to synchronise their actions with other Cas draft-huston-rpki-validation Slide 16/20

17 What else changes? Not much! – A ROA is valid if the certificate used to sign the ROA is valid against the resources listed in the ROA – Similar refinements can be used in other cases of RPKI certificate use draft-huston-rpki-validation Slide 17/20

18 What about local cache operation? If you need to specify a resource to undertake a validity test for a certificate then what about local cache operation? How can you pre- determine “valid” certificates in the local cache? draft-huston-rpki-validation Slide 18/20

19 A revised Local Cache Management Approach Perform top-down local cache construction Add a data object to the local cache of each certificate – This object holds the intersection of the resources listed in the associated certificate and the resources in the data object associated with the “parent” certificate Use the resources in the associated data object instead of the resources listed in the certificate in all cases where “resources certified by this certificate” are used draft-huston-rpki-validation Slide 19/20

20 Where is this draft going? It may be useful Or it may not As of right now,its just an idea But we are interested to see if there are any flaws in our logic here. Have we missed something critical in contemplating this refinement to the RPKI validity process? This subtly different RPKI validation process could make the operational issues of CA coordination a lot easier, and thereby reduce some of the fragility in the operation of the RPKI and its potential application in secure routing. draft-huston-rpki-validation Slide 20/20

Download ppt "RPKI Validation - Revisited draft-huston-rpki-validation-00.txt Geoff Huston George Michaelson APNIC."

Similar presentations

RPKI Standards Activity Geoff Huston APNIC February 2010.

RPKI Standards Activity Geoff Huston APNIC February 2010.
A Profile for Trust Anchor Material for the Resource Certificate PKI Geoff Huston SIDR WG IETF 74.

A Profile for Trust Anchor Material for the Resource Certificate PKI Geoff Huston SIDR WG IETF 74.
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 70.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 70.
Local TA Management A TA is a public key and associated data used as the starting point for certificate path validation It need not be a self-signed certificate.

Local TA Management A TA is a public key and associated data used as the starting point for certificate path validation It need not be a self-signed certificate.
RPKI Certificate Policy Status Update Stephen Kent.

RPKI Certificate Policy Status Update Stephen Kent.
RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.

RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.
Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn

Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn
An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.

An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.
CRL Processing Rules Santosh Chokhani November 2004.

CRL Processing Rules Santosh Chokhani November 2004.
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.
Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.

Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.
COEN 350 Public Key Infrastructure. PKI Task: Securely distribute public keys. Certificates. Repository for retrieving certificates. Method for revoking.

COEN 350 Public Key Infrastructure. PKI Task: Securely distribute public keys. Certificates. Repository for retrieving certificates. Method for revoking.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
RPKI Validation - Revisited draft-huston-rpki-validation-01.txt Geoff Huston George Michaelson APNIC Slide 1/19.

RPKI Validation - Revisited draft-huston-rpki-validation-01.txt Geoff Huston George Michaelson APNIC Slide 1/19.
Public Key Management and X.509 Certificates

Public Key Management and X.509 Certificates
Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.

Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Local TA Management In prior WG meetings I presented a model for local management of trust anchors for the RPKI In response to these presentations, a.

Local TA Management In prior WG meetings I presented a model for local management of trust anchors for the RPKI In response to these presentations, a.
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

Similar presentations

Ads by Google