RPKI Gray Area: Inheritance? IETF 83, SIDR WG Contributors: Andrew Chi (BBN), Rob Austein (DRL), Tim Bruijnzeels and Miklos Juhasz (RIPE NCC)

Gray Areas

Discussions at IETF 83 (3/26 and 3/27): RPKI validator implementers hashed through some “gray areas.” Topics included:
– Multiple access description URIs (e.g. SIA, CRLDP), unknown extensions, OID discrepancies, inheritance, rsync download limits, manual blacklisting, key rollover, manifest errors, and what to do if parts of the RPKI are temporarily unavailable.
– A couple of errata have already been submitted.

A summary will be mailed to the SIDR list; the gray areas should be captured in a document eventually. We implementers want clarification on inheritance.

Ambiguous Inheritance

– CA Cert 1: Subject = SP, Public Key = KP, IPv4 = /16
– CA Cert 2: Subject = SP, Public Key = KP, IPv4 = 203.0/16
– Child CA Cert (shown under both parents, which share subject and key): Subject = SC, Public Key = KC, IPv4 = INHERIT
– ROA 1 (left, under Child CA Cert): AS, IPv4 = /24
– ROA 2 (right, under Child CA Cert): AS, IPv4 = /24

RFC 3779 “Inherit” in CA certificates permits this. The left ROA is valid via the left parent only; the right ROA is valid via the right parent only. Validators must remember all possible “inherited” resource sets (not their union) in order to avoid a multiplicative path explosion.

Note: Any CA in the RPKI can create an equivalent to CA Cert 2 (though not ROA 2). ROA EE certs are already forbidden to use “Inherit”, so there is no problem there.
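An added example (not from the slides) of the per-path rule the slide describes: the child CA's inherited resources are kept as a set of candidate resource sets, one per possible issuer, and a ROA is accepted only if it fits inside one candidate. The cert structure, field names and the 10.0.0.0/16 prefix are constructed placeholders; only 203.0/16 comes from the slide. The last function also shows the incorrect union shortcut for contrast.

```python
from ipaddress import ip_network

INHERIT = "INHERIT"

# Constructed sample modelled on the slide: two CA certs with the same subject
# and key (SP, KP) but different resources, one child CA that inherits, and
# ROAs below it. Prefixes are placeholders, except CA Cert 2's 203.0/16,
# which the transcript preserves (written out here as 203.0.0.0/16).
CERTS = [
    {"name": "CA Cert 1", "subject": "SP", "key": "KP", "issuer": None,
     "ipv4": ["10.0.0.0/16"]},
    {"name": "CA Cert 2", "subject": "SP", "key": "KP", "issuer": None,
     "ipv4": ["203.0.0.0/16"]},
    {"name": "Child CA", "subject": "SC", "key": "KC", "issuer": ("SP", "KP"),
     "ipv4": INHERIT},
]

def issuers_of(issuer_id, certs):
    """Every cert matching a (subject, key) pair; with duplicates there can be
    several, and each one starts a distinct certification path."""
    return [c for c in certs if (c["subject"], c["key"]) == issuer_id]

def candidate_resources(cert, certs):
    """All effective IPv4 resource sets a cert can have, one per distinct path.
    Explicit resources give one candidate; INHERIT collects the candidates of
    every possible issuer. Candidates are deduplicated, so a validator can
    cache them per cert instead of enumerating whole paths (the slide's
    multiplicative path explosion)."""
    if cert["ipv4"] != INHERIT:
        return {frozenset(ip_network(p) for p in cert["ipv4"])}
    found = set()
    for parent in issuers_of(cert["issuer"], certs):
        found |= candidate_resources(parent, certs)
    return found

def covered(prefixes, resources):
    return all(any(p.subnet_of(r) for r in resources) for p in prefixes)

def roa_valid(roa_prefixes, ee_issuer_id, certs, use_union=False):
    """Per-path rule: the ROA must fit inside the resources of one single path.
    use_union=True applies the incorrect shortcut of merging all paths first."""
    prefixes = [ip_network(p) for p in roa_prefixes]
    cands = set()
    for ca in issuers_of(ee_issuer_id, certs):
        cands |= candidate_resources(ca, certs)
    if use_union:
        return covered(prefixes, frozenset().union(*cands))
    return any(covered(prefixes, c) for c in cands)
```

With this data, a ROA for 10.0.1.0/24 and one for 203.0.5.0/24 are each valid via exactly one parent, while a single ROA listing both prefixes is rejected per path but wrongly accepted by the union shortcut.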

Opinions?

What are your “inherit” use cases? Can we forbid inheritance in CA certs except where it’s absolutely critical? Or: did we miss a validation approach that is less confusing? Or: “Tough.”