Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 APNIC Resource Certification Service Project Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam George Michaelson.

Published byJulian Blackburn Modified over 10 years ago

Similar presentations

Presentation on theme: "1 APNIC Resource Certification Service Project Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam George Michaelson."— Presentation transcript:

1 1 APNIC Resource Certification Service Project Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam George Michaelson

2 2 Overview Motivation Objectives RFC3779 summary Certificate format Project phases Deliverables Q & A

3 3 Motivation Routing security has become critical in the operation of the Internet Vital need for (automatic) AS/route validity checks RFC3779 has been created to address this problem Defines extension to the X.509 certificate format for IP addresses & AS number The RFC specifies that the certification authority hierarchy should follow the IP address and AS delegation hierarchy Follows IANA -> RIR ->LIR And all their downstream delegations

4 4 Objectives This project establishes a new APNIC service to provide Issuance of RFC3779 compliant certificates to APNIC members Policy and technical infrastructure necessary to deploy and use the certificates by the routing community and general public CPS (Certification practice statement) Certificate repository CRL (Certificate revocation list) Tools and examples (open source) for downstream certification by NIR, LIR and ISP

5 5 RFC3779 summary Abstract This document defines two X.509 v3 certificate extensions The first binds a list of IP address blocks, or prefixes, to the subject of a certificate The second binds a list of autonomous system identifiers to the subject of a certificate These extensions may be used to convey the authorization of the subject to use the IP addresses and autonomous system identifiers contained in the extensions

6 6 RFC3779 summary The certificate chain will reflect the delegation hierarchy, from IANA down to the end users IANA RIR NIR ISP End user RIR ISP LIR ISP End user ISP End user

7 7 Certificate format SERIAL NUMBER v3 C=AU, O=APNIC VERSION 12345 SIGNATURE ALGORITHM RSA with SHA-1 ISSUER VALIDITY 1/1/05 - 1/1/06 SUBJECT C=AU, O=EXAMPLE-AU CN=Examplenet Pty Ltd SUBJECT PUBLIC KEY INFO RSA, 48...321 ISSUER UNIQUE ID ACBDEFGH SUBJECT UNIQUE ID RSTUVWXY EXTENSIONS SIGNATURE KeyUsage (critical if CA) digitalSignature, keyCertSign, and cRLSign IP address 10.0.0.0/8 192.168.0.0/24 2002:14C0::/32 AS identifier AS123 – AS124 Cert Policies OIDs Basic constraints CA bit ON – Allocations CA bit OFF – Assignments

8 8 Project phases Trial – 4Q 2005 Early adopters, s/w developers, router designers Major requirement changes allowed Certificate formats may change Pilot – 1Q 2006 Input from trial used to test service Wider deployment Minor requirement changes allowed Certificate format should be stable Full service – 2Q 2006 General service availability Full policy and procedures in place

9 9 Deliverables Phase 1 – trial RFC3779 compliant certificates issued to selected members Tools and utilities (open source) Requesting certificates Issuing downstream certificates Certificate validation tools –Both online and offline Experiences/Outcomes to be presented at next AMM in Routing SIG May lead to policy proposals

10 10 Q & A FAQ Router community participation? Discussed with Cisco, Juniper, actively seeking participation of other BGP coders in tests Certificate lifetimes? Have to be tied to membership/relationship. Considering options for longer lifetimes subject to suitable agreements APNIC certify LIR sub-delegations? NO. Only warrant relationship with LIR, existance of resource allocation to that LIR from APNIC

11 11 Questions? Thank you!

Download ppt "1 APNIC Resource Certification Service Project Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam George Michaelson."

Similar presentations

DIGITAL CERTIFICATES Prof. Ravi Sandhu. 2 © Ravi Sandhu PUBLIC-KEY CERTIFICATES reliable distribution of public-keys public-key encryption sender needs.

DIGITAL CERTIFICATES Prof. Ravi Sandhu. 2 © Ravi Sandhu PUBLIC-KEY CERTIFICATES reliable distribution of public-keys public-key encryption sender needs.
LACNIC Policy Update Roque Gagliano LACNIC. Current Policies Proposals - LACNIC As a result of the Open Policy Forum at LACNIC XI four policy proposals.

LACNIC Policy Update Roque Gagliano LACNIC. Current Policies Proposals - LACNIC As a result of the Open Policy Forum at LACNIC XI four policy proposals.
RPKI Standards Activity Geoff Huston APNIC February 2010.

RPKI Standards Activity Geoff Huston APNIC February 2010.
1 IPv6 Allocation Status Report IPv6 Technical SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam Srinivas (Sunny) Chendi.

1 IPv6 Allocation Status Report IPv6 Technical SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam Srinivas (Sunny) Chendi.
1 RIR Policy Development Update Policy SIG 8 Sep 2005 APNIC20, Hanoi, Vietnam Save Vocea.

1 RIR Policy Development Update Policy SIG 8 Sep 2005 APNIC20, Hanoi, Vietnam Save Vocea.
Introduction to IP Addressing & IPv6 Deployment Status.

Introduction to IP Addressing & IPv6 Deployment Status.
Local TA Management A TA is a public key and associated data used as the starting point for certificate path validation It need not be a self-signed certificate.

Local TA Management A TA is a public key and associated data used as the starting point for certificate path validation It need not be a self-signed certificate.
Internet Number Resources 1. Internet IPv4 addresses IPv6 addresses Autonomous System number Fully Qualified Domain Name Key Internet resources.

Internet Number Resources 1. Internet IPv4 addresses IPv6 addresses Autonomous System number Fully Qualified Domain Name Key Internet resources.
1 News from APNIC AfriNIC 9 27 November 2008. Coming up Some numbers Some service updates Some policy news 2.

1 News from APNIC AfriNIC 9 27 November Coming up Some numbers Some service updates Some policy news 2.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Kerberos and X.509 Fourth Edition by William Stallings

Kerberos and X.509 Fourth Edition by William Stallings
CSCE 815 Network Security Lecture 10 KerberosX.509 February 13, 2003.

CSCE 815 Network Security Lecture 10 KerberosX.509 February 13, 2003.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Nigel Titley. RIPE 54, 9 May 2007, Tallinn, Estonia. 1 RIPE NCC Certification Task Force Update Presented by Nigel Titley RIPE NCC.

Nigel Titley. RIPE 54, 9 May 2007, Tallinn, Estonia. 1 RIPE NCC Certification Task Force Update Presented by Nigel Titley RIPE NCC.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting SIG: Whois Database October 2000 APNIC Certificate Authority.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting SIG: Whois Database October 2000 APNIC Certificate Authority.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CS5204 – Operating Systems 1 Authentication. CS 5204 – Operating Systems2 Authentication Digital signature validation proves:  message was not altered.

CS5204 – Operating Systems 1 Authentication. CS 5204 – Operating Systems2 Authentication Digital signature validation proves:  message was not altered.
1 Change in the Minimum Allocation Criteria Policy Proposal Proposed by Rajesh Chharia, President – ISPAI Presented by Kusumba S Vice President - ISPAI.

1 Change in the Minimum Allocation Criteria Policy Proposal Proposed by Rajesh Chharia, President – ISPAI Presented by Kusumba S Vice President - ISPAI.
RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.

RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.

Similar presentations

Ads by Google