APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.


Motivation: Address and Routing Security
- What we have today is a relatively insecure system that is vulnerable to various forms of deliberate disruption and subversion
- And it appears that bogon filters and routing policy databases are not, in and of themselves, entirely robust forms of defence against these vulnerabilities

Motivation: Address and Routing Security
- The (very) basic routing security questions that need to be answered are:
  – Is this a valid address prefix?
  – Who injected this address prefix into the network?
  – Did they have the necessary credentials to inject this address prefix?
- Can these questions be answered reliably, quickly and cheaply?

What would be good …
- To be able to use a public infrastructure to validate assertions about addresses and their use:
  – the authenticity of the address object being advertised
  – authenticity of the origin AS
  – the explicit authority from the address to AS that permits an original routing announcement to be made by that AS

X.509 Extensions for IP Addresses
- RFC3779 defines extensions to the X.509 certificate format for IP addresses & AS numbers
- The extension binds a list of IP address blocks and AS numbers to the subject of a certificate
- These extensions may be used to convey the issuer’s authorization of the subject for exclusive use of the IP addresses and autonomous system identifiers contained in the certificate extension
- The extension is defined as a critical extension
  – Validation includes the requirement that the Issuer’s certificate extension must encompass the resource block described in the extension of the certificate being validated
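The "encompass" requirement above, as an added example that is not part of the original slides or APNIC's trial tools: a Python check that every resource in a subject certificate falls inside its issuer's resources, applied along a registry, LIR, ISP chain. The function names and all prefixes and AS numbers are constructed for illustration, and the RFC 3779 "inherit" option is not modelled.

```python
import ipaddress

def resource_set(prefixes, as_ranges):
    """Build a canonical resource set from prefix strings and inclusive (low, high) AS ranges."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    collapsed = []
    for version in (4, 6):  # collapse_addresses() rejects mixed IPv4/IPv6 input
        collapsed += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    merged = []
    for lo, hi in sorted(as_ranges):
        if merged and lo <= merged[-1][1] + 1:  # overlapping or adjacent ranges: merge
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return {"nets": collapsed, "asns": merged}

def uncovered(issuer, subject):
    """Return the subject's resources that the issuer's set does not encompass."""
    missing = []
    for net in subject["nets"]:
        if not any(net.version == i.version and net.subnet_of(i) for i in issuer["nets"]):
            missing.append(str(net))
    for lo, hi in subject["asns"]:
        if not any(ilo <= lo and hi <= ihi for ilo, ihi in issuer["asns"]):
            missing.append(f"AS{lo}-AS{hi}")
    return missing

def validate_chain(chain):
    """chain: (name, resource_set) pairs from trust anchor to leaf; returns the failing links."""
    failures = []
    for (iname, issuer), (sname, subject) in zip(chain, chain[1:]):
        missing = uncovered(issuer, subject)
        if missing:
            failures.append((iname, sname, missing))
    return failures

# Constructed sample data (documentation prefixes and AS numbers, not from the slides).
REGISTRY = resource_set(["192.0.2.0/25", "192.0.2.128/25", "2001:db8::/32"],
                        [(64496, 64503), (64504, 64511)])
LIR = resource_set(["192.0.2.0/24", "2001:db8:100::/40"], [(64500, 64506)])
ISP_OK = resource_set(["192.0.2.64/26"], [(64500, 64500)])
ISP_BAD = resource_set(["192.0.2.64/26", "198.51.100.0/24"], [(64506, 64507)])

if __name__ == "__main__":
    print(validate_chain([("registry", REGISTRY), ("lir", LIR), ("isp", ISP_OK)]))
    print(validate_chain([("registry", REGISTRY), ("lir", LIR), ("isp", ISP_BAD)]))
```

The sets are canonicalised before comparison, so a subject /24 is accepted when the issuer holds it as two adjacent /25s, and an AS range that extends one number past the issuer's range is rejected.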

APNIC Trial Certificate Format
VERSION: v3
SERIAL NUMBER:
SIGNATURE ALGORITHM: SHA-1 with RSA
ISSUER: CN=“APNIC CA Trial”
VALIDITY: 1/1/05 - 1/1/06
SUBJECT: CN=“FC00DEADBEEF”
SUBJECT PUBLIC KEY INFO: RSA,
EXTENSIONS:
  KeyUsage (critical if CA): digitalSignature, keyCertSign, and cRLSign
  IP address: / / :14C0::/32
  AS identifier: AS123 – AS124
  Cert Policies: OIDs
  Basic constraints: CA bit ON – Allocations
  Authority Info Access: Location:
  Subject Info Access: Location:
  Subject Alt Name
  CRL Distribution Point
SIGNATURE

What is being Certified
- APNIC (the “Issuer”) certifies that: the certificate “Subject” whose public key is contained in the certificate is the current controller of a set of IP address and AS resources that are listed in the certificate extension
- APNIC is NOT certifying here the identity of the subject, nor their good (or evil) intentions!
- This is a simple mechanism of using certificates as a means of validation of ‘title’ of current resource control

What could you do with Resource Certificates?
- You could sign routing authorities, routing requests, or IRR submitted objects with your private key
  – The recipient (relying party) can validate this signature against the matching certificate’s public key, and can validate the certificate in the PKI
- You could use the private key to sign routing information that could then be propagated by an inter-domain routing protocol that had validation extensions
- You could issue signed subordinate resource certificates for any sub-allocations of resources, such as may be seen in a LIR context

APNIC Certificate Trial
- Trial service provides:
  – Issue of RFC3779 compliant certificates to APNIC members
  – Policy and technical infrastructure necessary to deploy and use the certificates in testing contexts by the routing community and general public
    - CPS (Certification practice statement)
    - Certificate repository
    - CRL (Certificate revocation list)
  – Tools and examples (open source) for
    - downstream certification by NIR, LIR and ISP
    - display of certificate contents
    - encoding certificates

Expected Environment of Use
- Service interface via APNIC web portal
  – Generate and Sign routing requests
  – Validate signed objects against repository
  – Manage subordinate certificates
- Local Tools – LIR Use
  – Synchronize local repository
  – Validate signed resource objects
  – Generate and lodge certificate objects

Current Status
- Test Certificates being generated
  – Locally generated key pair
  – Cover all current APNIC membership holdings
  – CRL test
    - Reissue all certificates with explicit revocation on original certificate set
- Example tools being developed
- APNIC Trial Certificate Repository: ftp://ftp.apnic.net/pub/test-certs/

Current APNIC Experiment Program
- Now (2006)
  – Certificate design
  – Tool construction
  – Use modelling
  – Portal Tools and Local Use Tools
- Next (late 2006)
  – Review and Evaluation
  – Definition of Next Steps