Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.

Presentation transcript:

Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies

2 Outline
The Resource PKI (RPKI)
Challenges in the RPKI
Relying Party Software Design
Status & Future Work

3 The Resource PKI: Motivation
Border Gateway Protocol (BGP) is the inter-domain routing protocol in the public Internet
  – “The glue that holds the Internet together”
BGP is woefully insecure
Address space hijacking is becoming increasingly common
  – Pakistan Telecom’s recent unintentional hijacking of YouTube
Making BGP secure is challenging
  – Changes to router software/hardware would be a financial burden for ISPs and router vendors
  – Must allow for incremental deployment (no flag day)

4 The Resource PKI: Strategy
Enable ISPs to generate BGP route filters (an offline activity) using data authenticated by this RPKI
Create an infrastructure that is a prerequisite for securing BGP without changing BGP itself
Use an X.509-based PKI to bind resources to resource holders
  – IP address blocks
  – Autonomous System numbers (AS#)

5 Address Allocation Hierarchy
[Diagram: allocation tree with IANA at the top, then Regional Registry, National Registry, ISP and Subscriber Organization nodes]

6 AS Number Assignment Hierarchy
[Diagram: assignment tree with IANA at the top, then Regional Registry, National Registry, ISP and Subscriber Organization nodes]

7 RPKI Top Tiers
[Diagram: IANA above the RIRs ARIN, APNIC, AFRINIC, LACNIC and RIPE, plus a block for reserved allocations; below APNIC the NIRs JPNIC, CNNIC, TWNIC, KRNIC and APJII; below LACNIC the NIRs NIC.BR and NIC.MX]

8 Association of Addresses to AS#s
Create a new type of digitally signed object, a Route Origin Authorization (ROA)
Every ROA is signed by an address space holder and contains
  – The AS# of the ISP
  – The IP address block(s)
  – An expiration date
ROA allows an address space holder to identify an AS number that is authorized to originate a route for one or more IP address blocks

9 ROAs & Certificates
[Diagram: ISP (CA) certificate – public key used to verify certificates issued by the ISP; ISP (EE) certificates – public key used to verify a ROA generated by the ISP; ROA – signed object authorizing route origination]
An ISP will usually create a distinct EE certificate per ROA, to make ROA revocation easy

10 Certificate Chain Example
Issuer = IANA, Subject = IANA, Addr: 0/0, ASN: 0… (self signed root certificate)
Issuer = IANA, Subject = APNIC, Addr: W,X,Y,Z, …, ASN: A,B,C,D, …
Issuer = APNIC, Subject = JPNIC, Addr: W,X,Y, ASN: A,B
Issuer = JPNIC, Subject = ISP, Addr: X,Y
Issuer = ISP, Subject = Subscriber, Addr: X, ASN: A
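As an added example (not from the slides or the BBN software), the chain of slide 10 carried through as a resource-containment check: the Addr/ASN sets narrow at every step, and a validator must reject any certificate whose resources exceed its issuer's. The symbolic resources W,X,Y,Z and A,B,C,D are replaced by constructed documentation prefixes and private AS numbers, the function names are ours, and signature checks are omitted.

```python
import ipaddress

# Constructed stand-in for the slide 10 chain: each entry is issued by the one
# before it, and entry 0 is the self-signed trust anchor. AS numbers are (lo, hi)
# ranges; IANA's "ASN: 0..." is modelled as the full 32-bit range.
CHAIN = [
    dict(issuer="IANA", subject="IANA", addr=["0.0.0.0/0", "::/0"], asn=[(0, 4294967295)]),
    dict(issuer="IANA", subject="APNIC",
         addr=["203.0.113.0/24", "198.51.100.0/24", "2001:db8::/32"], asn=[(64496, 64511)]),
    dict(issuer="APNIC", subject="JPNIC",
         addr=["203.0.113.0/24", "198.51.100.0/24"], asn=[(64496, 64499)]),
    dict(issuer="JPNIC", subject="ISP",
         addr=["203.0.113.0/25", "198.51.100.0/25"], asn=[(64496, 64496)]),
    dict(issuer="ISP", subject="Subscriber", addr=["203.0.113.0/26"], asn=[(64496, 64496)]),
]

def prefix_covered(child, held):
    """True if the child prefix lies inside some prefix the issuer holds."""
    c = ipaddress.ip_network(child)
    return any(c.version == p.version and c.subnet_of(p)
               for p in map(ipaddress.ip_network, held))

def asn_covered(child, held):
    """The child's (lo, hi) AS range must sit inside one range the issuer holds."""
    lo, hi = child
    return any(plo <= lo and hi <= phi for plo, phi in held)

def resources_contained(cert, issuer):
    """Every address block and AS range in cert must be held by its issuer."""
    return (all(prefix_covered(a, issuer["addr"]) for a in cert["addr"])
            and all(asn_covered(r, issuer["asn"]) for r in cert["asn"]))

def validate_chain(chain):
    """Walk from the trust anchor down; return (True, 'ok') or (False, reason)."""
    if chain[0]["issuer"] != chain[0]["subject"]:
        return False, "root is not self-signed"
    for issuer, cert in zip(chain, chain[1:]):
        if cert["issuer"] != issuer["subject"]:
            return False, f"{cert['subject']}: issuer does not match {issuer['subject']}"
        if not resources_contained(cert, issuer):
            return False, f"{cert['subject']}: claims resources {issuer['subject']} does not hold"
    return True, "ok"
```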

11 Validation in the RPKI
Typical PKI application context
  – A relying party (RP) receives an End Entity (EE) certificate which must be validated
  – It discovers a certification path to a trust anchor (TA)
  – Only a small fraction of all the certificates in the PKI will need to be validated in a given time interval by a given RP
Resource PKI context
  – The complete collection of valid ROAs is needed in order to generate BGP routing filters
  – Every relying party must validate every certificate within a given time interval (nominally 1 day)
  – Each ROA needs a certification path to a TA in order to be validated
  – This is an authorization PKI, not an identification PKI

12 RPKI Software Architecture
[Diagram: Remote Repositories (APNIC, RIPE, …) –rsync→ Local Repository (APNIC, RIPE, Root) –load→ RPKI Database (Certs, CRLs, ROAs) –translate→ BGP Filters (AS#, Addr); a prune step is also shown, and the Remote/Local boundary lies between the remote repositories and the local repository]

13 Individual Object Validation
Syntax check
Expiration check (certificates and ROAs)
Staleness check (certificate revocation lists)
Revocation check (certificates)
Deferred validation
  – If an object’s parent is present in the database, check its signature
  – If an object’s parent is not present in the database, then label it as in the NO CHAIN state
Deferred validation is necessary because we are fetching from multiple remote repositories in parallel. For a given object, a certification path to a TA may not be present in our local repository at any given time.

14 State Change Propagation in the Database
If a previously valid certificate or ROA expires, delete it from the database and recursively examine all descendants to see if they can be reparented; otherwise put them in the NO CHAIN state
If a previously valid certificate is revoked, proceed as above
If a Certificate Revocation List (CRL) has not been replaced by its nextUpdate time, that CRL and all the descendants of the issuer of that CRL enter the STALE state
If a new certificate arrives, see if it is the parent of any object in the NO CHAIN state
If a new CRL arrives, see if it replaces a previously STALE one
Database changes propagate downward, path discovery propagates upward

15 ROA Processing
To be valid, a ROA:
  – Must have a complete, validated, non-expired, non-revoked chain to a trust anchor
  – The relying party can optionally include or exclude ROAs that have a STALE object in their chain
In the current Internet, the set of all route filter entries may depend on ~1,000,000 objects
We can initialize the database with that number of objects in < 10 hours
Daily processing of route filter updates is incremental
  – Processing a few thousand objects
  – Total processing time << 1 hour
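The deferred validation and state-propagation rules of slides 13 through 15, as an added example rather than the BBN relying-party code: a small in-memory database in which an object whose parent has not arrived sits in NO CHAIN, a CRL that misses its nextUpdate pushes the issuer's subtree to STALE, and expiry or revocation drops an object and re-examines its descendants, which reparent if another certificate for the same subject exists. It assumes an issuer/subject name match stands in for a signature check, that `today` and `expires` are any comparable values, and that trust anchors carry issuer None; the class and method names are ours.

```python
VALID, STALE, NO_CHAIN = 0, 1, 2  # ranked so that min() picks the best available parent

class RpkiDb:
    """Constructed model of the object database on slides 13-15 (an added example,
    not the BBN tool): an issuer/subject name match stands in for a signature check."""
    def __init__(self, today):
        self.today = today       # anything comparable with `expires`, e.g. datetime.date
        self.objs = {}           # id -> {subject, issuer, expires, kind, state}
        self.stale_crls = set()  # issuers whose CRL passed nextUpdate without replacement
    def add(self, oid, subject, issuer, expires, kind="cert"):
        if expires < self.today:             # individual expiration check (slide 13)
            return False
        self.objs[oid] = dict(subject=subject, issuer=issuer, expires=expires,
                              kind=kind, state=NO_CHAIN)
        self._revalidate(oid)                # path discovery propagates upward ...
        self._recheck(subject)               # ... and a new parent rescues NO CHAIN children
        return True

    def remove(self, oid):                   # expiry or revocation of a cert or ROA
        # descendants reparent to another cert for the same subject, else go NO CHAIN
        self._recheck(self.objs.pop(oid)["subject"])

    def set_crl_stale(self, issuer, stale=True):
        # CRL not replaced by its nextUpdate: the issuer's whole subtree turns STALE
        (self.stale_crls.add if stale else self.stale_crls.discard)(issuer)
        self._recheck(issuer)

    def _recheck(self, subject):             # database changes propagate downward
        for c in [i for i, o in self.objs.items() if o["issuer"] == subject]:
            self._revalidate(c)

    def _revalidate(self, oid):
        o = self.objs[oid]
        parents = [q for q in self.objs.values()
                   if q["kind"] == "cert" and q["subject"] == o["issuer"]]
        p = min(parents, key=lambda q: q["state"], default=None)
        if o["issuer"] is None:
            new = VALID                      # trust anchor
        elif p is None or p["state"] == NO_CHAIN:
            new = NO_CHAIN                   # deferred until the parent arrives
        elif p["state"] == STALE or o["issuer"] in self.stale_crls:
            new = STALE
        else:
            new = VALID
        if new != o["state"]:
            o["state"] = new
            self._recheck(o["subject"])

    def roas(self, include_stale=False):     # slide 15: the route-filter input
        ok = {VALID, STALE} if include_stale else {VALID}
        return sorted(i for i, o in self.objs.items()
                      if o["kind"] == "roa" and o["state"] in ok)
```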

16 Status
APNIC, RIPE, ARIN and LACNIC are all producing software that will allow them to act as CAs and repositories in the RPKI
ARIN has sponsored development of software that ISPs can use as CAs and relying parties
IETF Secure Inter-Domain Routing (SIDR) working group is in place producing standards for the RPKI
  – Certificate and CRL Profile
  – Certificate Policy
  – Certification Practices Statement
  – Infrastructure Architecture
  – ROA format & semantics
  – Manifest format & semantics
  – Repository system
Initial operational capability by the end of 2008 by some of the RIRs
The RPKI Wiki is at:
  –
The software is at:
  – svn://mirin.apnic.net/bbn-svn/BBN_RPKI_software/trunk
  – Thanks to George Michaelson of APNIC for hosting our software
  – This work funded by US DHS contract FA C-0006

17 Future Work
The current implementation is a solid foundation for future efforts to make BGP more secure
The infrastructure is extensible
V2 of the software is currently under development
  – Cache validation results on partial chains
  – Directly generate Routing Policy Specification Language (RPSL) to offer ISPs an authenticated input compatible with the inputs they already use for route filter generation
  – Incorporate processing for another new digitally signed object, a Manifest, which provides cryptographic validation of the contents of a repository
Detect Man-In-The-Middle (MITM) attacks
Detect missing objects

18 Questions?