What’s Next: DNSSEC & RPKI Mark Kosters. Why are DNSSEC and RPKI Important Two critical resources – DNS – Routing Hard to tell when it is compromised.

Slides:



Advertisements
Similar presentations
A Threat Model for BGPSEC
Advertisements

RPKI Standards Activity Geoff Huston APNIC February 2010.
Update on Resource Certification Geoff Huston, APNIC Mark Kosters, ARIN SSAC Meeting, March 2008.
Securing the Internets Foundations: Addresses and Routing AUSCERT 2011 Geoff Huston Chief Scientist, APNIC.
The Role of a Registry Certificate Authority Some Steps towards Improving the Resiliency of the Internet Routing System: The Role of a Registry Certificate.
1 APNIC Resource Certification Service Project Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam George Michaelson.
ARIN Update NANOG 55 – 6 June 2012 Mark Kosters Chief Technology Officer, ARIN.
1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
APNIC Member Services George Kuo. MyAPNIC 2 What is MyAPNIC A secure Member services website Internet resources management, for example: –Whois updates.
John Curran APNIC 31 ARIN Update Focus Continue development and integration of web-based system (ARIN Online) Outreach on IPv6 adoption DNSSEC and.
Leslie Nobile APNIC 30 ARIN Update Focus Continue development and integration of web based system (ARIN Online) Outreach on IPv4 depletion and IPv6.
RPKI and Routing Security ICANN 44 June Today’s Routing Environment is Insecure Routing is built on mutual trust models Routing auditing requires.
An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.
Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.
Access control for IP multicast T Petri Jokela
Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
IANA Update APNIC 31, Hong Kong February Agenda 2 Addressing DNSSEC Root management Continuity Exercise Business Excellence.
Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.
APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
Progress Report on resource certification February 2007 Geoff Huston Chief Scientist APNIC.
Engineering Report Mark Kosters, CTO. Engineering Theme Continue to work on a surge Lots of work to do Supplementing staff with contractors.
Resource Certification What it means for LIRs Alain P. AINA Special Project Manager.
PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.
Technical Area Report Bryon Ellacott, Technical Area Manager APNIC 28.
1 Securing BGP Large scale trust to build an Internet again Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
The Resource Public Key Infrastructure Geoff Huston APNIC.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Reverse DNS Delegations, Templates and RWS Andy Newton Chief Engineer.
APNIC eLearning: Intro to RPKI 10 December :30 PM AEST Brisbane (UTC+10)
Changes at ARIN—Not your Grandpa’s RIR anymore (RPKI, DNSSEC, etc.) Andy Newton Chief Engineer.
1 San Diego, California 25 February Securing Routing: RPKI Overview Mark Kosters Chief Technology Officer.
RPKI Tutorial Andy Newton Chief Engineer, ARIN. Agenda Resource Public Key Infrastructure(RPKI) Route Origin Authorizations (ROAs) Certificate Authorities.
ARIN Update Aaron Hughes ARIN Board of Trustees Focus Increased focus on customer service – Based on feedback and survey Continued IPv4 to IPv6.
Engineering Report Mark Kosters. Big changes with Engineering Lots of requests for development/operations support The Board heard you Engineering growing.
Infrastructure Attack Vectors and Mitigation Benno Overeinder NLnet Labs.
Technical Area Report Byron Ellacott Technical Area Manager.
Using Resource Certificates Progress Report on the Trial of Resource Certification October 2006 Geoff Huston Chief Scientist APNIC.
Using Resource Certificates Progress Report on the Trial of Resource Certification October 2006 Geoff Huston APNIC.
John Curran APNIC 29 5 March 2010 ARIN Update. 4-byte ASN Stats In 2009 – Received 197 requests for 4-byte ASNs – 140 changed request to 2-byte – ARIN.
Secure Origin BGP: What is (and isn't) in a name? Dan Wendlandt Princeton Routing Security Reading Group.
Using Resource Certificates Progress Report on the Trial of Resource Certification November 2006 Geoff Huston APNIC.
1 Madison, Wisconsin 9 September14. 2 Security Overlays on Core Internet Protocols – DNSSEC and RPKI Mark Kosters ARIN Engineering.
1 LACNIC Update November 4th, Vienna, Austria Luisa Villa y Battenberg Customer Manager.
Engineering Report Mark Kosters. Big changes with Engineering starting at the beginning of 2015 Lots of requests for development/operations support Engineering.
Secure Neighbor Discovery in IPv6 Jari Arkko Ericsson Research James Kempf DoCoMo US Labs.
Services Area Report Sanjaya Services Area Manager.
Pkiuniversity.com. Alice Bob Honest Abe’s CA Simple PKI hierarchy.
Draft Policy ARIN : Remove NRPM section 7.1.
EMU and DANE Jim Schaad August Cellars. EMU TLS Issues Trust Anchor Matching PKIX cert to EMU Server Name Certificate Revocation Checking – CRLs – OCSP.
1 APNIC Trial of Certification of IP Addresses and ASes RIPE October 2005 Geoff Huston.
Status Report SIDR and Origination Validation Geoff Huston SIDR WG, IETF 71 March 2008.
Securing the Internet Backbone: Current activities in the IETF’s Secure InterDomain Routing Working Group Geoff Huston Chief Scientist, APNIC.
Mark Kosters Engineering Status Report. Engineering Theme 2011 success was aided by contractors Lots of work yet to do (but a great deal now done) An.
Securing BGP Bruce Maggs. BGP Primer AT&T /8 Sprint /16 CMU /16 bmm.pc.cs.cmu.edu Autonomous System Number Prefix.
AFRINIC Update Madhvi Gokool Registration Service Manager RIPE66 meeting, Dublin May 2013.
Using Resource Certificates Progress Report on the Trial of Resource Certification October 2006 Geoff Huston APNIC.
Grades update. Homework #1 Count35 Minimum Value47.00 Maximum Value Average
Internet infrastructure 1. Infrastructure Security r User expectations  Reliable service  Reliable endpoints – although we know of spoofing and phishing.
BGP Validation Russ White Rule11.us.
One Hop for RPKI, One Giant Leap for BGP Security Yossi Gilad (Hebrew University) Joint work with Avichai Cohen (Hebrew University), Amir Herzberg (Bar.
DNS Security Advanced Network Security Peter Reiher August, 2014
DNS Security.
November 2006 Geoff Huston APNIC
RPKI Trust Anchor Geoff Huston APNIC.
DNS security.
APNIC Trial of Certification of IP Addresses and ASes
ARIN Update John Curran President and CEO.
Progress Report on Resource Certification
ROA Content Proposal November 2006 Geoff Huston.
Presentation transcript:

What’s Next: DNSSEC & RPKI Mark Kosters

Why are DNSSEC and RPKI Important Two critical resources – DNS – Routing Hard to tell when it is compromised Focus of Government funding - DHS

What is DNSSEC? DNS responses are not secure – Easy to Spoof – Examples of malicious attacks DNSSEC attaches signatures – Validates responses – Can not Spoof

ARIN’s DNSSEC Deployment Working with IANA on signing in-addr.arpa and ip6.arpa ARIN’s /8 zones have been signed since Q2 of 2009 Provisioning networks will be made through ARIN Online Available (estimate) Q3 of 2010 for IPv4 IPv6 delegations will be secured after ip6.arpa signed

What is RPKI? Routing today is insecure – IAB Report calls it “Routing by Rumor” – Multiple occurrences of taking others traffic Pakistani Youtube incident hijacking.html hijacking.html More Recently a root server in China – No evidence that is totally malicious – but it could be in the future

What is RPKI? Attaches certificates to network resources – AS Numbers – IP Addresses Allows ISPs to associate the two – Route Origin Authorizations (ROA’s) – Follow the Allocation chain to the top

What is RPKI? Allows routers to validate Origins Start of validated routing Need minimal bootstrap info – Trust Anchors – Lots of focus on Trust Anchors

Resource Cert Validation AFRINICRIPE NCCAPNICARINLACNIC LIR1ISP2 ISP ISP4ISP Issued Certificates Resource Allocation Hierarchy Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix /24” Attachment: Signed, ISP4 Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix /24” Attachment: Signed, ISP4 IANA

Resource Cert Validation AFRINICRIPE NCCAPNICARINLACNIC LIR1NIR2 ISP ISP4ISP Issued Certificates Resource Allocation Hierarchy Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix /24” Attachment: Signed, ISP4 Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix /24” Attachment: Signed, ISP4 1. Did the matching private key sign this text? IANA

Resource Cert Validation AFRINICRIPE NCCAPNICARINLACNIC LIR1ISP2 ISP ISP4ISP Issued Certificates Resource Allocation Hierarchy Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix /24” Attachment: Signed, ISP4 Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix /24” Attachment: Signed, ISP4 2. Is this certificate valid? IANA

Resource Cert Validation AFRINICRIPE NCCAPNICARINLACNIC LIR1ISP2 ISP ISP4ISP Issued Certificates Resource Allocation Hierarchy Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix /24” Attachment: Signed, ISP4 Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix /24” Attachment: Signed, ISP4 IANA 3. Is there a valid certificate path from a Trust Anchor to this certificate?

Ok, Now what We have a pilot – Get some experience Participate!

RPKI Roadmap to Production - 4 phases Phase 1: Pilot – Operational since 7/2009 Phase 2: Initial Production – End of Q4 of 2010 Phase 3: Global Consistency – Estimate 2011 Phase 4: Single Trust Anchor – Estimate 2011

Questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.