Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 San Diego, California 25 February 2014. 2 Securing Routing: RPKI Overview Mark Kosters Chief Technology Officer.

Published byCory Perry Modified over 8 years ago

Similar presentations

Presentation on theme: "1 San Diego, California 25 February 2014. 2 Securing Routing: RPKI Overview Mark Kosters Chief Technology Officer."— Presentation transcript:

1 1 San Diego, California 25 February 2014

2 2 Securing Routing: RPKI Overview Mark Kosters Chief Technology Officer

3 3 Why are DNSSEC and RPKI important? Two of the most critical resources – DNS – Routing Hard to tell when resource is compromised Focus of increased attention globally

4 4 Why DNSSEC? What is it? Standard DNS (forward or reverse) responses are not secure – Easy to spoof – Notable malicious attacks DNSSEC attaches signatures – Validates responses – Can not spoof

5 5 Reverse DNS at ARIN ARIN issues blocks without any working DNS – Registrant must establish delegations after registration – Then employ DNSSEC if desired Authority to manage reverse zones follows SWIP – “Shared Authority” model

6 6 Reverse DNS: Querying ARIN’s Whois Query for the zone directly: whois> 81.147.204.in-addr.arpa Name: 81.147.204.in-addr.arpa. Updated: 2006-05-15 NameServer: AUTHNS2.DNVR.QWEST.NET NameServer: AUTHNS3.STTL.QWEST.NET NameServer: AUTHNS1.MPLS.QWEST.NET Ref: http://whois.arin.net/rest/rdns/81.147.204.in-addr.arpa.

7 7 Changes completed to make DNSSEC work at ARIN Permit by-delegation management Sign in-addr.arpa. and ip6.arpa. delegations that ARIN manages Create entry method for DS Records – ARIN Online – RESTful interface – Not available via templates

8 8 Reverse DNS in ARIN Online First identify the network that you want to put Reverse DNS nameservers on…

9 9 Reverse DNS in ARIN Online …then enter the Reverse DNS nameservers…

10 10 DNSSEC in ARIN Online …then apply DS record to apply to the delegation

11 11 Reverse DNS Management and DNSSEC in ARIN Online Available on ARIN’s website http://www.arin.net/knowledge/dnssec/

12 12 What is RPKI? R esource P ublic K ey I nfrastructure Attaches digital certificates to network resources – AS Numbers – IP Addresses Allows ISPs to associate the two – Route Origin Authorizations (ROAs) – Can follow the address allocation chain to the top

13 13 What does RPKI accomplish? Allows routers or other processes to validate route origins Simplifies validation authority information – Trust Anchor Locator Distributes trusted information – Through repositories

14 14 AFRINICRIPE NCCAPNICARINLACNIC LIR1 ISP2 ISP ISP4ISP Issued Certificates Resource Allocation Hierarchy Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24” Attachment: Signed, ISP4 Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24” Attachment: Signed, ISP4 ICANN Resource Cert Validation

15 15 AFRINICRIPE NCCAPNIC ARIN LACNIC LIR1 ISP2 ISP ISP4 ISP Resource Allocation Hierarchy Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24” Attachment: Signed, ISP4 Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24” Attachment: Signed, ISP4 1. Did the matching private key sign this text? ICANN Issued Certificates Resource Cert Validation

16 16 AFRINICRIPE NCCAPNIC ARIN LACNIC LIR1 ISP2 ISP Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24” Attachment: Signed, ISP4 Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24” Attachment: Signed, ISP4 ISP ISP4 2. Is this certificate valid? ISP Issued Certificates Resource Allocation Hierarchy ICANN Resource Cert Validation

17 17 AFRINICRIPE NCCAPNIC ARIN LACNIC LIR1 ISP2 ISP Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24” Attachment: Signed, ISP4 Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix 192.2.200.0/24” Attachment: Signed, ISP4 ISP ISP4 ISP Issued Certificates Resource Allocation Hierarchy ICANN 3. Is there a valid certificate path from a Trust Anchor to this certificate? Resource Cert Validation

18 18 What does RPKI Create? It creates a repository – RFC 3779 (RPKI) Certificates – ROAs – CRLs – Manifest records

19 19 Repository View./ba/03a5be-ddf6-4340-a1f9-1ad3f2c39ee6/1: total 40 -rw-r--r-- 1 143 143 1543 Jun 26 2009 ICcaIRKhGHJ-TgUZv8GRKqkidR4.roa -rw-r--r-- 1 143 143 1403 Jun 26 2009 cKxLCU94umS-qD4DOOkAK0M2US0.cer -rw-r--r-- 1 143 143 485 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.crl -rw-r--r-- 1 143 143 1882 Jun 26 2009 dSmerM6uJGLWMMQTl2esy4xyUAA.mnf -rw-r--r-- 1 143 143 1542 Jun 26 2009 nB0gDFtWffKk4VWgln-12pdFtE8.roa A Repository Directory containing an RFC3779 Certificate, two ROAs, a CRL, and a manifest

20 20 Repository Use Pull down these files using a manifest- validating mechanism Validate the ROAs contained in the repository Communicate with the router marking routes “valid”, “invalid”, “unknown” Up to ISP to use local policy on how to route

21 21 Possible Flow RPKI Web interface -> Repository Repository aggregator -> Validator Validated entries -> Route Checking Route checking results -> local routing decisions (based on local policy)

22 22 How you can use ARIN’s RPKI System? Hosted Hosted using ARIN’s RESTful service Web Delegated Delegated using Up/Down Protocol

23 23 HostedRPKI Pros – Easier to use – ARIN managed Cons – No current support for downstream customers to manage their own space (yet) – Tedious through the IU if you have a large network – We hold your private key

24 24 HostedRPKI with RESTful Interace Pros – Easier to use – ARIN managed – Programatic interface for large networks Cons – No current support for downstream customers to manage their own space (yet) – We hold your private key

25 25 Web Delegated RPKI Pros – Harder than Hosted, Easier than Delegated (Up/Down) – Manage your own RPKI system – Control your own private keys Cons – Need to setup your own RPKI environment – Fairly complex

26 26 Delegated RPKI with Up/Down Pros – Same as web delegated – Follows the IETF up/down protocol Cons – Extremely hard to setup – Need to operate your own RPKI environment

27 27 Hosted RPKI in ARIN Online

28 28 Hosted RPKI in ARIN Online

29 29 Hosted RPKI in ARIN Online

30 30 Hosted RPKI in ARIN Online

31 31 Hosted RPKI in ARIN Online SAMPLE-ORG

32 32 Hosted RPKI in ARIN Online SAMPLE-ORG

33 33 Hosted RPKI in ARIN Online

34 34 Your ROA request is automatically processed and the ROA is placed in ARIN’s repository, accompanied by its certificate and a manifest. Users of the repository can now validate the ROA using RPKI validators.

35 35 Delegated with Up/Down

36 36 Delegated with Up/Down

37 37 Delegated with Up/Down

38 38 Delegated with Up/Down You have to do all the ROA creation Need to setup a CA Have a highly available repository Create a CPS

39 39 Updates within RPKI outside of ARIN The four other RIRs are in production with Hosted CA services ARIN and APNIC have delegated working for the public Major routing vendor support being tested Announcement of public domain routing code support

40 40 ARIN Status Hosted CA deployed 15 Sept 2012 Web Delegated CA deployed 16 Feb 2013 Delegated using “Up/Down” protocol deployed 7 Sept 2013 RESTful interface deployed 1 Feb 2014

41 41 Why is this important? Provides more credibility to identify resource holders Leads to better routing security

42 42 Q&A

Download ppt "1 San Diego, California 25 February 2014. 2 Securing Routing: RPKI Overview Mark Kosters Chief Technology Officer."

Similar presentations

RPKI Standards Activity Geoff Huston APNIC February 2010.

RPKI Standards Activity Geoff Huston APNIC February 2010.
1 APNIC Resource Certification Service Project Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam George Michaelson.

1 APNIC Resource Certification Service Project Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam George Michaelson.
ARIN Update NANOG 55 – 6 June 2012 Mark Kosters Chief Technology Officer, ARIN.

ARIN Update NANOG 55 – 6 June 2012 Mark Kosters Chief Technology Officer, ARIN.
Introduction to ARIN and the Internet Registry System.

Introduction to ARIN and the Internet Registry System.
RPKI Certificate Policy Status Update Stephen Kent.

RPKI Certificate Policy Status Update Stephen Kent.
Managing IP addresses for your private clouds 2013 ASEAN CAS Summit Bangkok, Thailand 7 February 2013 George Kuo Member Services Manager.

Managing IP addresses for your private clouds 2013 ASEAN CAS Summit Bangkok, Thailand 7 February 2013 George Kuo Member Services Manager.
APNIC Member Services George Kuo. MyAPNIC 2 What is MyAPNIC A secure Member services website Internet resources management, for example: –Whois updates.

APNIC Member Services George Kuo. MyAPNIC 2 What is MyAPNIC A secure Member services website Internet resources management, for example: –Whois updates.
Projects Awaiting Prioritization Nate Davis. Planned Functionality Projects underway or next in queue Hosted RPKI (Planned 2012 Q2 Deployment) - RPKI.

Projects Awaiting Prioritization Nate Davis. Planned Functionality Projects underway or next in queue Hosted RPKI (Planned 2012 Q2 Deployment) - RPKI.
RPKI and Routing Security ICANN 44 June 2012. Today’s Routing Environment is Insecure Routing is built on mutual trust models Routing auditing requires.

RPKI and Routing Security ICANN 44 June Today’s Routing Environment is Insecure Routing is built on mutual trust models Routing auditing requires.
An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.

An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.
Introduction to ARIN and the Internet Registry System.

Introduction to ARIN and the Internet Registry System.
Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.

Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.
What’s Next: DNSSEC & RPKI Mark Kosters. Why are DNSSEC and RPKI Important Two critical resources – DNS – Routing Hard to tell when it is compromised.

What’s Next: DNSSEC & RPKI Mark Kosters. Why are DNSSEC and RPKI Important Two critical resources – DNS – Routing Hard to tell when it is compromised.
IPv6: The Future of the Internet? July 27th, 1999 Auug.

IPv6: The Future of the Internet? July 27th, 1999 Auug.
IANA Status Update ARIN XXVI meeting, Atlanta Barbara Roseman October 2010.

IANA Status Update ARIN XXVI meeting, Atlanta Barbara Roseman October 2010.
IANA Update APNIC 31, Hong Kong February 2011. Agenda 2 Addressing DNSSEC Root management Continuity Exercise Business Excellence.

IANA Update APNIC 31, Hong Kong February Agenda 2 Addressing DNSSEC Root management Continuity Exercise Business Excellence.
Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.

Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.
Summary Report on Resource Certification February 2007 Geoff Huston Chief Scientist APNIC.

Summary Report on Resource Certification February 2007 Geoff Huston Chief Scientist APNIC.
APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.

APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.
Progress Report on resource certification February 2007 Geoff Huston Chief Scientist APNIC.

Progress Report on resource certification February 2007 Geoff Huston Chief Scientist APNIC.

Similar presentations

Ads by Google