EREG: an Intelligent Network capability set for User and Infrastructure ENUM Tony Rutkowski VeriSign Switzerland Andrew Newton.


EREG: an Intelligent Network capability set for User and Infrastructure ENUM
Tony Rutkowski, VeriSign Switzerland
Andrew Newton, VeriSign Labs
ETSI 1st ENUM Workshop, Sophia Antipolis, France, Feb 2004 (v. Jan-04)

Outline
- Overview of EREG, the ENUM Registry "Intelligent Network"
- Reference models and interfaces
- Security and authentication
- Applications
- Policy developments
- Activities and status

Capability Sets
- PSTN: Intelligent Network (IN) Capability Sets
  - definable provider relationships and access arrangements
  - protocol suite for discovery and query of distributed subscriber data among telecom providers
- ENUM: Internet Registry Information Service (IRIS) / EREG
  - definable provider relationships and access arrangements
  - protocol suite for discovery and query of distributed ENUM registration data among ENUM registries

Internet Registry Information Service (IRIS)
- Developed in the IETF to provide the capability sets that exist in the telecom Intelligent Network environment
- Text-based protocol designed to allow registries of Internet resources
  - to express query and result types specific to their needs
  - while providing a framework for authentication, structured data, entity references and search continuations
- Encompasses the following:
  - a decentralized system using DNS hierarchies where possible for location
  - built upon standard Internet building blocks
  - does not impose any informational trees or matrices
  - may be used with multiple application transports, including BEEP

IRIS Status
- Prime focus of the CRISP (Cross Registry Information Service Protocol) working group of the IETF, chaired by April Marine and George Michaelson
- A new specification for use by registries of Internet resources globally
  - Requirements are done
  - Protocol selection is done
  - Now refining IRIS for publication as a standard
- Applying what we have learned about operating services over the Internet in the 20 intervening years to the problems of today
- Implementation tool sets available as freeware and for plugtest demonstrations

IRIS attributes
- XML based
- Internationalization
  - Localization of data tags and content
  - Identifying contact equivalences
  - Support of Internationalized Domain Names
- Unified Service
  - Structured queries and results

IRIS General Concepts
- Each kind of Internet registry is identified by a registry type
  - The identifier for a registry type is a URI, used within the XML instances to identify the XML schema that formally describes the set of queries, results, and entity classes allowed within that type of registry
- The structure of these URNs makes no assumptions or restrictions on the type of registries
  - IRIS may support multiple registry types of disparate or similar nature; it is only a matter of definition
  - e.g. a single registry type may be defined for domain name registries while multiple registry types may be defined for the various IP address registries
- A registry information server may handle queries and serve results for multiple registry types
  - Each registry type that a particular registry operator serves is a registry service instance
- IRIS and the XML schema are independent of the registry service maintenance systems
  - IRIS is a specification for a framework with which these registries can be defined, used, and made to interoperate
  - The framework merely specifies the elements for registry identification and the elements which must be used to derive queries and results
- Allows a registry type to define its own structure for naming, entities, queries, etc. through the use of XML namespaces and XML schemas
  - a registry type is identified by the same URI that identifies its XML namespace
- The framework defines certain structures common to all registry types
  - references to entities, search continuations, entity classes, and more
  - a registry type may declare its own definitions for all of these, or it may mix its derived definitions with the base definitions
- IRIS defines two types of referrals, an entity reference and a search continuation
  - An entity reference indicates specific knowledge about an individual entity
  - A search continuation allows for distributed searches
  - Both referrals may span differing registry types and instances
  - No assumptions or specifications are made about roots, bases, or meshes of entities

IRIS Framework
- Registry-Specific: Defines queries, results, and entity classes of a specific type of registry. Each specific type of registry is identified by a URN.
- Common-Registry: Defines base operations and semantics common to all registry types such as referrals, entity references, etc. It also defines the syntaxes for talking about specific registry types.
- Application-Transport: Defines the mechanisms for authentication, message passing, connection and session management, etc. It also defines the URI syntax specific to the application-transport mechanism. However, because of the separation of the layers, other transports can be used and have been defined.
[Layer diagram: IRIS = Registry-Specific (Domain, Address, etc.) over Common-Registry over Application-Transport (any defined transport)]

ENUM Registry Information Service (EREG)
- An IRIS implementation developed specifically for infrastructure and user ENUM
- Meets requirements in Secs. 10.2, 10.4 and C.2 of ETSI TS V1.1.1 ( ), ENUM Administration in Europe
- Provides the WHOIS/NICNAME-equivalent requirements in Sec. 3 of ETSI TS V1.1.1 ( ), Services and Protocols for Advanced Networks (SPAN); Minimum requirements for interoperability of European ENUM trials
- Meets requirements in ETSI TS V1.1.1 ( ), Telecommunications security; Lawful Interception (LI); Requirements of Law Enforcement Agencies
- Allows potential IN-like capabilities such as caller-id or fraud checking

EREG Framework
[EREG model diagram: Tier 0 Registry, Tier 1 Registry, ENUM Tier 2 Nameserver Provider, ENUM Registrar, Registrant (ENUM End User), Applications, Validation function]

EREG Security
- Designed for the distributed data that occurs in ENUM architectures, with defined methods for finding the right server
- Ability to control who gets the info
- Critical need for network administration and law enforcement
- Example: the same query without and with a client certificate returns different views of the record

    $ iris kosters.net
    Kosters, Mark
    US

    $ iris -cert fbi.cert kosters.net
    Kosters, Mark
    Fox Shadow Lane
    Clifton, VA
    US

Authentication and Authorization
- Distinction
  - Authentication: the process used to verify the identity of a user
  - Authorization: the access policies applied to a user based on authentication
- Authentication mechanisms facilitate authorization schemes
  - Authentication mechanisms: passwords, one-time passwords, digital certificates, references
  - Authorization schemes: user-based, sequence-based, chain-based, attribute-based, time-based, referee-based

Digital Certificates
- Use a branch of mathematics called public key cryptography to conduct authentication
  - Used in conjunction with TLS, they also allow for server authentication and session encryption
- Facilitate the following authorization schemes:
  - user-based
  - chain-based
  - attribute-based
  - time-based

Certificate Chains
- Authorization can be based on one of the certificates in the chain
- Example:
  - If the certificate is signed by the "lea CA": allow access to all contact data
  - If the certificate is signed by the "regr CA": allow access only to all domain and registrant data

Attributes in Certificates
- Information attributes in certificates are cryptographically secure
- Example:
  - If the "Type" attribute in the certificate equals "LEA": allow access to all contact data
  - If the "Type" attribute in the certificate equals "Registrar": allow access only to all domain and registrant data
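The three preceding slides (the two views of one record in "EREG Security", the chain-based rule in "Certificate Chains" and the attribute-based rule in "Attributes in Certificates") describe one decision: which certificate fact grants which view of the registry record. The following is an added example of that decision, not code from the slides or from VeriSign's EREG software. Certificates are modelled as plain dicts (subject, issuer, attributes, validity window) instead of parsed X.509 so that it runs offline; the CA names "lea CA" and "regr CA" and the "Type" values "LEA" and "Registrar" come from the slides, while the access levels, the record fields and every certificate are constructed. Signature verification against trust anchors is assumed to have already happened in the TLS layer the "Digital Certificates" slide mentions.

```python
"""Chain-based and attribute-based authorization over an ENUM registry record.

Added illustration; not code from the slides or from VeriSign's EREG software.
Certificates are plain dicts rather than parsed X.509. Names taken from the
slides: CAs "lea CA" / "regr CA", "Type" values "LEA" / "Registrar". Access
levels, record fields and all certificate data are constructed. Signature and
trust-anchor verification is assumed done by the TLS layer before this runs.
"""
from datetime import datetime, timezone

# Access levels, least to most permissive.
NONE, REGISTRATION, CONTACT = "none", "registration", "contact"

# Record fields visible at each level (constructed). "Domain and registrant
# data" maps to REGISTRATION, "all contact data" to CONTACT.
VISIBLE_FIELDS = {
    NONE: set(),
    REGISTRATION: {"domain", "registrant_name", "country", "status"},
    CONTACT: {"domain", "registrant_name", "country", "status",
              "street", "city", "region", "phone", "email"},
}

# Chain-based rule: the level follows the CA that signed the certificate.
CHAIN_POLICY = {"lea CA": CONTACT, "regr CA": REGISTRATION}

# Attribute-based rule: the level follows the certificate's Type attribute.
ATTRIBUTE_POLICY = {"LEA": CONTACT, "Registrar": REGISTRATION}


def chain_is_valid(chain, now):
    """Time-based check plus structural check: every certificate must be
    inside its validity window and each must be issued by the next one
    (leaf first, root last)."""
    if not chain:
        return False
    if not all(c["not_before"] <= now <= c["not_after"] for c in chain):
        return False
    return all(child["issuer"] == parent["subject"]
               for child, parent in zip(chain, chain[1:]))


def level_from_chain(chain):
    """Chain-based authorization: the first issuer in the chain that appears
    in CHAIN_POLICY decides the level; no match means no access."""
    for cert in chain:
        if cert["issuer"] in CHAIN_POLICY:
            return CHAIN_POLICY[cert["issuer"]]
    return NONE


def level_from_attributes(leaf):
    """Attribute-based authorization: map the leaf's Type attribute to a level."""
    return ATTRIBUTE_POLICY.get(leaf["attributes"].get("Type"), NONE)


def authorize(chain, now, scheme):
    """Access level for a client chain under the chosen scheme ("chain" or
    "attribute"). An invalid or expired chain gets nothing either way."""
    if not chain_is_valid(chain, now):
        return NONE
    if scheme == "chain":
        return level_from_chain(chain)
    if scheme == "attribute":
        return level_from_attributes(chain[0])
    raise ValueError(f"unknown authorization scheme {scheme!r}")


def redact(record, level):
    """Keep only the fields the level may see; unknown fields are never
    returned (deny by default)."""
    return {k: v for k, v in record.items() if k in VISIBLE_FIELDS[level]}


# ---- constructed sample data ----------------------------------------------
def make_cert(subject, issuer, attributes=None):
    return {"subject": subject, "issuer": issuer,
            "attributes": attributes or {},
            "not_before": datetime(2003, 1, 1, tzinfo=timezone.utc),
            "not_after": datetime(2005, 1, 1, tzinfo=timezone.utc)}

NOW = datetime(2004, 2, 10, tzinfo=timezone.utc)    # inside the validity window
LATER = datetime(2006, 1, 1, tzinfo=timezone.utc)   # after every certificate expires

LEA_CHAIN = [make_cert("lea-client", "lea CA", {"Type": "LEA"}),
             make_cert("lea CA", "lea CA")]
REGR_CHAIN = [make_cert("registrar-client", "regr CA", {"Type": "Registrar"}),
              make_cert("regr CA", "regr CA")]
# A registrar-issued certificate that claims Type=LEA: the two schemes disagree.
MIXED_CHAIN = [make_cert("registrar-client", "regr CA", {"Type": "LEA"}),
               make_cert("regr CA", "regr CA")]

RECORD = {  # constructed ENUM registration record, placeholder values only
    "domain": "4.3.2.1.1.4.e164.arpa", "registrant_name": "Example Registrant",
    "country": "CH", "status": "normal", "street": "1 Example Street",
    "city": "Exampletown", "region": "ZH", "phone": "+41 1 234 5678",
    "email": "registrant@example.org",
}

if __name__ == "__main__":
    for name, chain in [("LEA", LEA_CHAIN), ("registrar", REGR_CHAIN)]:
        level = authorize(chain, NOW, "chain")
        print(name, level, sorted(redact(RECORD, level)))
```

The MIXED_CHAIN case is the caveat worth noticing: under the attribute scheme a registrar-issued certificate carrying Type=LEA is granted the contact view, because an attribute is only as trustworthy as the CA that put it there. An operator that accepts several CAs should therefore either decide by chain, or restrict which CA may assert which Type before honouring the attribute.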

EREG Referrals
- The IRIS protocol allows a server to pass extra information via a client to a referent server
- This information may contain authentication data, thus allowing a referee-based authorization policy

EREG Navigation of Servers and Data
- Navigation of DNS to help find an authoritative server
- Query distribution with entity references and search continuations
- Relay bags to enable common index servers
- Structured queries and results give clients the knowledge to display relationships
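The first bullet above, finding the authoritative server by navigating DNS, rests on the ENUM number-to-domain mapping and on walking the delegation hierarchy of the "EREG Framework" slide. The following added example (not code from the slides or from the EREG software) carries that out: the mapping step is the one ENUM defines in RFC 3761 (drop the "+", reverse the digits, dot-separate them, append e164.arpa); the delegation table standing in for Tier 0, Tier 1 and Tier 2 is constructed, with placeholder server names, where a real client would query DNS.

```python
"""Finding the registry server responsible for an E.164 number in ENUM.

Added illustration; not code from the slides or from the EREG software. The
number-to-domain mapping is the ENUM one (RFC 3761). The delegation table is
constructed to mirror the Tier 0 / Tier 1 / Tier 2 model on the slides; a real
client would discover these servers through DNS rather than a dict.
"""

ENUM_SUFFIX = "e164.arpa"


def e164_to_enum_domain(number):
    """'+41123456' -> '6.5.4.3.2.1.1.4.e164.arpa' (RFC 3761 mapping)."""
    digits = number.lstrip("+").replace(" ", "")
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError("E.164 number must be '+' followed by digits")
    return ".".join(reversed(digits)) + "." + ENUM_SUFFIX


def candidate_zones(domain):
    """Zones to consult, most specific first, down to e164.arpa itself."""
    labels = domain.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


# Constructed delegation table: zone -> (tier, server). Not real data; the
# country code +41 and the provider block under it are placeholders.
DELEGATIONS = {
    "e164.arpa": ("tier0", "ereg.tier0.example"),
    "1.4.e164.arpa": ("tier1", "ereg.tier1.example"),
    "4.3.2.1.1.4.e164.arpa": ("tier2", "ereg.tier2.example"),
}


def find_authoritative(number, delegations=DELEGATIONS):
    """Walk from the number's own ENUM domain up toward e164.arpa and stop at
    the first zone with a registry server delegated for it. The most specific
    delegation wins, as authority narrows with each DNS delegation."""
    domain = e164_to_enum_domain(number)
    for zone in candidate_zones(domain):
        if zone in delegations:
            tier, server = delegations[zone]
            return {"domain": domain, "zone": zone, "tier": tier, "server": server}
    raise LookupError(f"no registry delegation covers {domain}")


if __name__ == "__main__":
    for num in ("+411234", "+419999", "+15551234"):
        print(num, find_authoritative(num))
```

Numbers inside the provider block resolve to the Tier 2 server, other +41 numbers fall back to the Tier 1 server for that country code, and everything else lands at Tier 0; a table with no covering delegation raises rather than guessing a server.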

EREG: query types and elements
- [query element name lost in transcript]: finds ENUMs by searches on fields associated with a registrant
  - Allowable search fields include [field names lost in transcript]
  - Provides optional elements containing language tags
- [query element name lost in transcript] Query
  - Includes host name, host handle, IPv4 address, or IPv6 address of the name server

EREG: enum result elements
- status [value names lost in transcript]
  - permanently inactive
  - normal state
  - new delegation
  - dispute
  - database purge pending

EREG: other result types
- Error results

EREG XML Schema

EREG Policy Developments
- Operational
  - EREG provides critical capabilities among providers to securely maintain the basic services, to troubleshoot, and to create new applications and offerings to subscribers such as callerID, fraud detection, etc.
  - EREG allows providers to define policies and contractual obligations among themselves and express them as access rights
  - EREG can support multiple transport layer options and different subscriber maintenance systems
- Governmental
  - EREG provides capabilities long demanded of communication service providers by national regulators and law enforcement authorities: to maintain authoritative subscriber information and to produce subscriber information quickly upon lawful order
  - EREG is an open protocol based on XML that is being supported by eGovernment initiatives in Europe and worldwide

Extensive open source software and information available from VeriSign Labs for PlugTests: dregquery

EREG Implementations and Interoperability
- Underway at providers and university testbeds: Q
- Plugtest interoperability demonstrations for EREG in conjunction with infrastructure and user ENUM: Q3 2004

Additional Links and Information
- See A. Newton, "IRIS - An ENUM Registry (ereg) Type for the Internet Registry Information Service", draft-newton-iris-ereg-01, October 24, 2003
- IETF CRISP Working Group