Progress Report on APNIC Trial of Certification of IP Addresses and ASes APNIC 22 September 2006 Geoff Huston.

Slides:



Advertisements
Similar presentations
RPKI Standards Activity Geoff Huston APNIC February 2010.
Advertisements

Update on Resource Certification Geoff Huston, APNIC Mark Kosters, ARIN SSAC Meeting, March 2008.
IPv4 Address Transfer proposal APNIC prop-050-v002 Geoff Huston.
The Role of a Registry Certificate Authority Some Steps towards Improving the Resiliency of the Internet Routing System: The Role of a Registry Certificate.
1 APNIC Resource Certification Service Project Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam George Michaelson.
Local TA Management A TA is a public key and associated data used as the starting point for certificate path validation It need not be a self-signed certificate.
RPKI Certificate Policy Status Update Stephen Kent.
Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Nigel Titley. RIPE 54, 9 May 2007, Tallinn, Estonia. 1 RIPE NCC Certification Task Force Update Presented by Nigel Titley RIPE NCC.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting SIG: Whois Database October 2000 APNIC Certificate Authority.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.
RPKI and Routing Security ICANN 44 June Today’s Routing Environment is Insecure Routing is built on mutual trust models Routing auditing requires.
An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.
Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.
Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
RPKI Validation - Revisited draft-huston-rpki-validation-01.txt Geoff Huston George Michaelson APNIC Slide 1/19.
Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Some Lessons Learned from Designing the Resource PKI Geoff Huston Chief Scientist, APNIC May 2007.
Summary Report on Resource Certification February 2007 Geoff Huston Chief Scientist APNIC.
APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.
A PKI For IDR Public Key Infrastructure and Number Resource Certification AUSCERT 2006 Geoff Huston Research Scientist APNIC.
Progress Report on resource certification February 2007 Geoff Huston Chief Scientist APNIC.
Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.
Resource Certification What it means for LIRs Alain P. AINA Special Project Manager.
The Resource Public Key Infrastructure Geoff Huston APNIC.
APNIC eLearning: Intro to RPKI 10 December :30 PM AEST Brisbane (UTC+10)
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E Database SIG APNIC Database Privacy Issues 1 March 2001 APRICOT, Malaysia Fabrina.
Digital Certificates Made Easy Sam Lutgring Director of Informational Technology Services Calhoun Intermediate School District.
1 San Diego, California 25 February Securing Routing: RPKI Overview Mark Kosters Chief Technology Officer.
Trusted Systems Laboratory Hewlett-Packard Laboratories Bristol, UK InfraSec 2002 InfraSec 2002 Bristol, October 2002 Marco Casassa Mont Richard.
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
Using Resource Certificates Progress Report on the Trial of Resource Certification October 2006 Geoff Huston Chief Scientist APNIC.
Attribute Certificate By Ganesh Godavari. Talk About An Internet Attribute Certificate for Authorization -- RFC 3281.
Using Resource Certificates Progress Report on the Trial of Resource Certification October 2006 Geoff Huston APNIC.
Supporting further and higher education The Akenti Authorisation System Alan Robiette, JISC Development Group.
Using Resource Certificates Progress Report on the Trial of Resource Certification November 2006 Geoff Huston APNIC.
1 Madison, Wisconsin 9 September14. 2 Security Overlays on Core Internet Protocols – DNSSEC and RPKI Mark Kosters ARIN Engineering.
Updates to the RPKI Certificate Policy I-D Steve Kent BBN Technologies.
1 APNIC Trial of Certification of IP Addresses and ASes RIPE October 2005 Geoff Huston.
Status Report SIDR and Origination Validation Geoff Huston SIDR WG, IETF 71 March 2008.
Overview of draft-ietf-sidr-roa-00.txt Steve Kent BBN Technologies.
Securing the Internet Backbone: Current activities in the IETF’s Secure InterDomain Routing Working Group Geoff Huston Chief Scientist, APNIC.
1 Auto-Detecting Hijacked Prefixes? Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam Geoff Huston.
Using Resource Certificates Progress Report on the Trial of Resource Certification October 2006 Geoff Huston APNIC.
1 Public Key Infrastructure Rocky K. C. Chang 6 March 2007.
JPNIC UPDATE ~ Personal Data Protection in JPNIC WHOIS ~ Toshiyuki Hosaka Japan Network Information Center (JPNIC) September 7 th, 2005 NIR SIG APNIC
Resource Certificate Provisioning Protocol Geoff Huston IETF 70 December 2007.
Whois & Data Accuracy Across the RIRs. Terms ISP – An Internet Service Provider is allocated address space by an RIR for the purpose of providing connectivity.
Securing BGP: The current state of RPKI
Auto-Detecting Hijacked Prefixes?
Auto-Detecting Hijacked Prefixes?
November 2006 Geoff Huston APNIC
RPKI Trust Anchor Geoff Huston APNIC.
APNIC Trial of Certification of IP Addresses and ASes
APNIC Trial of Certification of IP Addresses and ASes
Resource Certificate Profile
Progress Report on Resource Certification
October 2006 Geoff Huston APNIC
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006
Presentation transcript:

Progress Report on APNIC Trial of Certification of IP Addresses and ASes APNIC 22 September 2006 Geoff Huston

Motivation: Address and Routing Security What we have today is a relatively insecure system that is highly vulnerable to various forms of deliberate disruption and subversion And it appears that bogon filters and routing policy databases are not, in and of themselves, entirely robust forms of defence against these vulnerabilities

Motivation: Address and Routing Security The (very) basic routing security questions that need to be answered are: –Is this a valid address prefix? –Who injected this address prefix into the network? –Did they have the necessary credentials to inject this address prefix? Can these questions be answered reliably, quickly and cheaply?

What would be good … To be able to use a public key infrastructure to validate assertions about addresses and their use: –Allow third parties to authenticate that an address or routing assertion was made by the holder of the address resource –Confirm that the asserted information is complete and unaltered from the original –Convey routing authorities from the resource holder to a nominated party that cannot be altered or forged

General Approach of the Trial Use existing technologies as much as possible Leverage on existing open source software tools and deployed systems Develop open source solutions Contribute to open standards Use X.509 Public Key Certificates with IP address extensions, with OpenSSL as the tool foundation

Resource Public Key Certificates The certificate’s Issuer certifies that: the certificate’s Subject whose public key is contained in the certificate is the current controller of a collection of IP address and AS resources that are listed in the certificate’s resource extension –The certificate issuer is NOT certifying here the identity of the subject, nor their good (or evil) intentions! –This is a simple mechanism of using certificates as a means of validation of a “right-of-use” of a resource collection

What could you do with Resource Certificates? Sign routing authorities, routing requests, or WHOIS objects or IR objects with your private key –The recipient (relying party) can authenticate the signed object, and then validate this signature against the matching certificate’s public key, and can validate the certificate in the context of the Resource PKI Issue signed subordinate resource certificates for any sub- allocations of resources, such as may be seen in a LIR context Validate signed objects Authentication: Did the resource holder really produce this document or object? Authenticity: Is the document or object in exactly the same state as it was when originally signed? Validity: Is the document valid today?

Potential Scenarios Service interface via APNIC web portal: Generate and Sign routing-related objects Validate signed objects against the PKI Manage subordinate certificate issuance Local Tools – LIR Use Local repository management Resource object signing Generate and lodge certificate objects

Example of a signed object route-set: RS-TELSTRA-AU-EX1 descr: Example routes for customer with space under apnic members: , /24 tech-c: GM85-AP admin-c: GM85-AP notify: mnt-by: MAINT-AU-TELSTRA-AP sigcert: rsync://repository.apnic.net/TELSTRA-AU-IANA/cbh3Sk-iwj8Yd8uqaB5 Ck010p5Q/Hc4yxwhTamNXW-cDWtQcmvOVGjU.cer sigblk: -----BEGIN PKCS MIIBdQYJKoZIhvcNAQcCoIIBZjCCAWICAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3 DQEHATGCAUEwggE9AgEBMBowFTETMBEGA1UEAxMKdGVsc3RyYS1hdQIBATAJBgUr DgMCGgUAMA0GCSqGSIb3DQEBAQUABIIBAEZGI2dAG3lAAGi+mAK/S5bsNrgEHOmN 1leJF9aqM+jVO+tiCvRHyPMeBMiP6yoCm2h5RCR/avP40U4CC3QMhU98tw2Bq0TY HZvqXfAOVhjD4Apx4KjiAyr8tfeC7ZDhO+fpvsydV2XXtHIvjwjcL4GvM/gES6dJ KJYFWWlrPqQnfTFMm5oLWBUhNjuX2E89qyQf2YZVizITTNg3ly1nwqBoAqmmDhDy +nsRVAxax7II2iQDTr/pjI2VWfe4R36gbT8oxyvJ9xz7I9IKpB8RTvPV02I2HbMI 1SvRXMx5nQOXyYG3Pcxo/PAhbBkVkgfudLki/IzB3j+4M8KemrnVMRo= -----END PKCS changed: source: APNIC

Signer’s certificate Version: 3 (0x3) Serial: 1 (0x1) Issuer: CN=telstra-au Validity: Not Before: Fri Aug 18 04:46: GMT Validity: Not After: Sat Aug 18 04:46: GMT Subject: CN=An example sub-space from Telstra IANA, Subject Key Identifier g(SKI): Hc4yxwhTamNXW-cDWtQcmvOVGjU Subject Info Access: caRepository – rsync://repository.apnic.net/TELSTRA-AU-IANA/cbh3Sk-iwj8Yd8uqaB5 Ck010p5Q/Hc4yxwhTamNXW-cDWtQcmvOVGjU Key Usage: DigitalSignature, nonRepudiation CRL Distribution Points: rsync://repository.apnic.net/TELSTRA-AU-IANA/cbh3Sk-iwj8Yd8uqaB5 Ck010p5Q.crl Authority Info Access: caIssuers – rsync://repository.apnic.net/TELSTRA-AU-IANA/cbh3Sk-iwj8Yd8uqaB5 Ck010p5Q.cer Authority Key Identifier: Key Identifier g(AKI): cbh3Sk-iwj8Yd8uqaB5Ck010p5Q Certificate Policies: IPv4: , /24

Resource Signing Tool Resources can be subdivided into “collections” and each collection can be named. This section of the portal provides tools to manage resource collections A resource collection is used to sign a document (or any other digital object)

Resource Signing Tool Documents can be signed with a resource collection, and associated validity dates. Signed objects can also be reissued and deleted The underlying resource certificate generation and management tasks are not directly exposed in this form of the signing tool

Resource Certificate Trial Program üSpecification of X.509 Resource Certificates üGeneration of resource certificate repositories aligned with existing resource allocations and assignments üTools for Registration Authority / Certificate Authority interaction (undertaken by RIPE NCC) üTools to perform validation of resource certificates Current Activities ­Extensions to OpenSSL for Resource Certificates (activity supported by ARIN) ­Tools for resource collection management, object signing and signed object validation ­LIR / ISP Tools for certificate management ­Operational service profile specification

Next Steps Complete current trial activities Review –Does this approach meet the objectives? –What are the implications of this form of certification of resources? –Impact assessment Service infrastructure, operational procedures Utility of the authentication model Policy considerations –Recommendations for production deployment

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.