Presentation is loading. Please wait.

Presentation is loading. Please wait.

APNIC eLearning: Intro to RPKI 10 December 2014 12:30 PM AEST Brisbane (UTC+10)

Published byCaroline Richardson Modified over 9 years ago

Similar presentations

Presentation on theme: "APNIC eLearning: Intro to RPKI 10 December 2014 12:30 PM AEST Brisbane (UTC+10)"— Presentation transcript:

1 APNIC eLearning: Intro to RPKI 10 December 2014 12:30 PM AEST Brisbane (UTC+10)

2 Introduction Presenter/s Reminder: Please take time to fill-up the survey Nurul Islam Roman Technical Training Officer nurul@apnic.net Specialties: Routing & Switching IPv6 DNS/DNSSEC Internet Resource Management Network Security

3 Overview What is RPKI? Background of RPKI Right to Resources X.509 Certificates Route Origin Authorizations (ROA) Resource Certification Creating ROA records

4 SIDR Working Group Secure Inter-Domain Routing (SIDR) Its purpose is to “reduce vulnerabilities to the inter-domain routing system” Addresses two vulnerabilities: Is an Autonomous System authorized to originate an IP prefix? Is the AS-Path represented in the route the same as the path through which the NLRI traveled? Projects: PKI, RPKI, BGPsec Source: SIDR WG https://datatracker.ietf.org/wg/sidr/charter/

5 BGP Security (BGPsec) Extension to BGP that provides improved security for BGP routing Currently an IETF Internet draft Implemented via a new optional non-transitive BGP path attribute that contains a digital signature Two things: –BGP Prefix Origin Validation (using RPKI) –BGP Path Validation

6 Three Pieces RPKI – Resource Public Key Infrastructure, the Certificate Infrastructure to Support the other Pieces (deployed at all RIRs) Origin Validation – Using the RPKI to detect and prevent mis-originations of someone else’s prefixes (in deployment) AS-Path Validation / BGPsec – Prevent Path Attacks on BGP (future work)

7 What is RPKI? Resource Public Key Infrastructure (RPKI) A robust security framework for verifying the association between resource holder and their Internet resources Created to address the issues in RFC 4593 Uses X.509 v3 certificates –With RFC3779 extensions

8 What is RPKI? “represents the allocation hierarchy of IP address space and Autonomous Systems (AS) numbers” A system to manage the creation and storage of digital certificates and the associated Route Origin Authorization documents Helps to secure Internet routing by validating routes –Proof that prefix announcements are coming from the legitimate holder of the resource RPKI is in the process of standardization through the Secure Inter-Domain Routing (SIDR) working group

9 RFCs on RPKI RFC 6810 – The Resource Public Key Infrastructure (RPKI) to Router Protocol (January 2013) - Standard RFC 6480 – An Infrastructure to Support Secure Internet Routing (Feb 2012) - informational RFC 6481 – A Profile for Resource Certificate Repository Structure (Feb 2012) - standard RFC 6491 – RPKI Objects Issued by IANA RFC 6493 – The RPKI Ghostbusters Record RFC 6487 – A Profile for X.509 PKIX Resource Certificate

10 A bit of History 1986 – Bellovin & Perlman identify the vulnerability in DNS and Routing 1999 - National Academies study called it out 2000 – S-BGP – X.509 PKI to support Secure BGP - Kent, Lynn, et al. 2003 – NANOG S-BGP Workshop 2006 – RPKI.NET(for ARIN) & APNIC start work on RPKI. RIPE starts in 2008. 2009 – RPKI.NET Open Testbed and running code in test routers

11 Benefits of RPKI - Routing Prevents “Route Hijacking” –when an entity participating in Internet routing announces a prefix without authorization –Reason: malicious attack Prevents mis-origination –A prefix that is originated by an AS which does not own it –Reason: configuration mistake

12 Internet Routing The Internet Traffic 202.12.29.0/24 Announce 202.12.29.0/24 Global Routing Table 4.128/9 60.100/16 60.100.0/20 135.22/16 … Global Routing Table 4.128/9 60.100/16 60.100.0/20 135.22/16 202.12.29.0/24 … 202.12.29.0/24

13 “Right” to Resources ISP gets their resources from the RIR ISP notifies its upstream of the prefixes to be announced Upstream _MUST_ check the Whois database if resource has been delegated to customer ISP. We need to be able to authoritatively prove who owns an IP Prefix and what AS ( s ) may announce it.

14 X.509 Certificate Resource certificates are based on the X.509 certificate format - RFC 5280 Extended by RFC 3779 – this extension binds a list of resources (IP, ASN) to the subject of the certificate

15 X.509 Certificate with 3779 Extension SIA – Subject Information Access; contains a URI that references the directory

16 Two Components Certificate Authority (CA) –Internet Registries (RIR, NIR, Large LIR) –Issue certificates for customers –Allow customers to use the CA’s GUI to issue ROAs for their prefixes Relying Party (RP) –Software which gathers data from CAs

17 Route Origin Authorization (ROA) Certificate holder uses its private key to sign an ROA Verifies that an AS has been given permission by an address block holder to advertise routes to one or more prefixes without that block

18 Resource Certification RIRs have been developing a new service for their members APNIC has now launched Resource Certification for the AP region The goal is to improve the security of inter-domain routing and augmenting the information published in the APNIC Whois Database

19 Resource Certification Benefits Routing information corresponds to properly delegated address resources Resource Certification gives resource holders proof that they hold certain resources Resource holders can attest to those resources when distributing them Resource Certification is a highly robust means of preventing the injection of false information into the Internet's routing system.

20 APNIC Resource Certification A robust security framework for verifying the association between resource holders and their Internet resources. Initiative from APNIC aimed at –improving the security of inter-domain routing, and –augmenting the information published in the Whois database Verifies a holder’s current “right-of-use” over an Internet resource

21 How it Works

22 Resource Certification (APNIC) Verify signed data using the signer’s public key Verify public key through a chain of interlocking certificates that connect a Trust Anchor to the signer’s public key certificate. –This is what we refer to as RPKI Why it’s important: –Routing advertisements is now verifiable

23 Creating ROA Records Login to MyAPNIC, then Resources -> Certification

24 Adding ROA Records

25 Deleting ROA Records

26 RPKI Validation RPKI-capable routers can fetch the validated ROA dataset from a trust anchor BGP states: – VALID if a matching VRP* was found – INVALID a VRP was found, but ASN did not match – UNKNOWN if no matching or covering VRP was found

27 Questions Please remember to fill out the feedback form –http://surveymonkey.com/s/apnic- 20141210-eL1 Slide handouts will be available after completing the survey

28 APNIC Helpdesk Chat

29 Thank You! End of Session

Download ppt "APNIC eLearning: Intro to RPKI 10 December 2014 12:30 PM AEST Brisbane (UTC+10)"

Similar presentations

A Threat Model for BGPSEC

A Threat Model for BGPSEC
A Threat Model for BGPSEC Steve Kent BBN Technologies.

A Threat Model for BGPSEC Steve Kent BBN Technologies.
RPKI Standards Activity Geoff Huston APNIC February 2010.

RPKI Standards Activity Geoff Huston APNIC February 2010.
The Role of a Registry Certificate Authority Some Steps towards Improving the Resiliency of the Internet Routing System: The Role of a Registry Certificate.

The Role of a Registry Certificate Authority Some Steps towards Improving the Resiliency of the Internet Routing System: The Role of a Registry Certificate.
1 APNIC Resource Certification Service Project Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam George Michaelson.

1 APNIC Resource Certification Service Project Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam George Michaelson.
Introduction to ARIN and the Internet Registry System.

Introduction to ARIN and the Internet Registry System.
Local TA Management A TA is a public key and associated data used as the starting point for certificate path validation It need not be a self-signed certificate.

Local TA Management A TA is a public key and associated data used as the starting point for certificate path validation It need not be a self-signed certificate.
RPKI Certificate Policy Status Update Stephen Kent.

RPKI Certificate Policy Status Update Stephen Kent.
Managing IP addresses for your private clouds 2013 ASEAN CAS Summit Bangkok, Thailand 7 February 2013 George Kuo Member Services Manager.

Managing IP addresses for your private clouds 2013 ASEAN CAS Summit Bangkok, Thailand 7 February 2013 George Kuo Member Services Manager.
APNIC Member Services George Kuo. MyAPNIC 2 What is MyAPNIC A secure Member services website Internet resources management, for example: –Whois updates.

APNIC Member Services George Kuo. MyAPNIC 2 What is MyAPNIC A secure Member services website Internet resources management, for example: –Whois updates.
RPKI and Routing Security ICANN 44 June 2012. Today’s Routing Environment is Insecure Routing is built on mutual trust models Routing auditing requires.

RPKI and Routing Security ICANN 44 June Today’s Routing Environment is Insecure Routing is built on mutual trust models Routing auditing requires.
Overview of draft-ietf-sidr-roa-format-01.txt Matt Lepinski BBN Technologies.

Overview of draft-ietf-sidr-roa-format-01.txt Matt Lepinski BBN Technologies.
An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.

An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.
Introduction to ARIN and the Internet Registry System.

Introduction to ARIN and the Internet Registry System.
Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.

Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.
Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.

Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.
What’s Next: DNSSEC & RPKI Mark Kosters. Why are DNSSEC and RPKI Important Two critical resources – DNS – Routing Hard to tell when it is compromised.

What’s Next: DNSSEC & RPKI Mark Kosters. Why are DNSSEC and RPKI Important Two critical resources – DNS – Routing Hard to tell when it is compromised.
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.

Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.
Summary Report on Resource Certification February 2007 Geoff Huston Chief Scientist APNIC.

Summary Report on Resource Certification February 2007 Geoff Huston Chief Scientist APNIC.

Similar presentations

Ads by Google