1 Madison, Wisconsin 9 September14. 2 Security Overlays on Core Internet Protocols – DNSSEC and RPKI Mark Kosters ARIN Engineering.

Slides:



Advertisements
Similar presentations
RPKI Standards Activity Geoff Huston APNIC February 2010.
Advertisements

1 APNIC Resource Certification Service Project Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam George Michaelson.
ARIN Update NANOG 55 – 6 June 2012 Mark Kosters Chief Technology Officer, ARIN.
Introduction to ARIN and the Internet Registry System.
RPKI Certificate Policy Status Update Stephen Kent.
APNIC Member Services George Kuo. MyAPNIC 2 What is MyAPNIC A secure Member services website Internet resources management, for example: –Whois updates.
RPKI and Routing Security ICANN 44 June Today’s Routing Environment is Insecure Routing is built on mutual trust models Routing auditing requires.
An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.
Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.
What’s Next: DNSSEC & RPKI Mark Kosters. Why are DNSSEC and RPKI Important Two critical resources – DNS – Routing Hard to tell when it is compromised.
IPv6: The Future of the Internet? July 27th, 1999 Auug.
IANA Status Update ARIN XXVI meeting, Atlanta Barbara Roseman October 2010.
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.
Summary Report on Resource Certification February 2007 Geoff Huston Chief Scientist APNIC.
APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.
Progress Report on resource certification February 2007 Geoff Huston Chief Scientist APNIC.
Resource Certification What it means for LIRs Alain P. AINA Special Project Manager.
Technical Area Report Bryon Ellacott, Technical Area Manager APNIC 28.
The Resource Public Key Infrastructure Geoff Huston APNIC.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Introduction to ARIN and the Internet Registry System.
Reverse DNS Delegations, Templates and RWS Andy Newton Chief Engineer.
A PKI for IP Address Space and AS Numbers Stephen Kent.
APNIC eLearning: Intro to RPKI 10 December :30 PM AEST Brisbane (UTC+10)
Providing A Subset of Whois Data Via DNS Shuang Zhu Xing Li CERNET Center.
Cheyenne, Wyoming 20 May Wireless Access: SSID: LACheyenneGuest PW: none.
Changes at ARIN—Not your Grandpa’s RIR anymore (RPKI, DNSSEC, etc.) Andy Newton Chief Engineer.
Roseau, Dominica 18 June Wireless Access Network: Fort Young Hotel Password:
1 San Diego, California 25 February Securing Routing: RPKI Overview Mark Kosters Chief Technology Officer.
Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman
RPKI Tutorial Andy Newton Chief Engineer, ARIN. Agenda Resource Public Key Infrastructure(RPKI) Route Origin Authorizations (ROAs) Certificate Authorities.
ARIN Update Aaron Hughes ARIN Board of Trustees Focus Increased focus on customer service – Based on feedback and survey Continued IPv4 to IPv6.
Halifax, Ontario 21 May Wireless Access: SSID: Conference PW: ARIN.
Engineering Report Mark Kosters. Big changes with Engineering Lots of requests for development/operations support The Board heard you Engineering growing.
Regional Internet Registries Statistics & Activities IETF 55 Atlanta Prepared By APNIC, ARIN, LACNIC, RIPE NCC.
Using Resource Certificates Progress Report on the Trial of Resource Certification October 2006 Geoff Huston Chief Scientist APNIC.
ARIN Update Aaron Hughes ARIN Board of Trustees Focus Increased focus on customer service – Based on feedback and survey Continued IPv4 to IPv6.
John Curran APNIC 29 5 March 2010 ARIN Update. 4-byte ASN Stats In 2009 – Received 197 requests for 4-byte ASNs – 140 changed request to 2-byte – ARIN.
Engineering Report Mark Kosters. Staffing Tim Christensen QA Manager – Passed away August 5, 2014 – Worked for ARIN for 14 years DBA System Architect.
Using Resource Certificates Progress Report on the Trial of Resource Certification November 2006 Geoff Huston APNIC.
Columbia, SC 30 October Wireless Access: SSID: HHonors PW:Hilton16.
AU, March 2, DNSSEC, APNIC, & how EPP might play a Role Ed Lewis DNS SIG APNIC 21.
Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.
APNIC Security Update APSIRCC 2002 Tokyo, 25 March 2002.
Fairfield, NJ 10 September Wireless Access SSID: Password:
Lansing, MI 27 October Welcome. Here today from ARIN… David Farmer, ARIN Advisory Council Susan Hamlin, Director, Communications and Member Services.
Engineering Report Mark Kosters. Staffing Operations – 7 operations engineers + 2 managers (AT FULL STRENGTH) Development – 8 programmers + manager (AT.
Draft Policy ARIN : Remove NRPM section 7.1.
Winnipeg 11 September Welcome. Here today from ARIN… Paul Andersen, ARIN Board of Trustees – Vice Chair and Treasurer Susan Hamlin, Director, Communications.
1 APNIC Trial of Certification of IP Addresses and ASes RIPE October 2005 Geoff Huston.
Anchorage, Alaska 5 June Wireless Access: SSID: PW:
Status Report SIDR and Origination Validation Geoff Huston SIDR WG, IETF 71 March 2008.
Mark Kosters Engineering Status Report. Engineering Theme 2011 success was aided by contractors Lots of work yet to do (but a great deal now done) An.
By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.
RPKI implementation experiences in the LAC Region Carlos M. Martínez – Arturo Servín LACSEC 2012 – LACNIC XVIII.
Seattle, WA 20 January Welcome. Here today from ARIN… Einar Bohlin, Senior Policy Analyst Mark Kosters, Chief Technology Officer Tina Morris, ARIN.
Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
APNIC Update Elly Tawhai Senior Internet Resource Analyst/Liaison Officer, Pacific, APNIC AusNOG
Edmonton 3 May Welcome. Here today from ARIN… Paul Andersen, ARIN Board of Trustees Eddie Diego, Senior Resource Analyst Wendy Leedy, Member Engagement.
Tampa, FL 18 February Welcome. Here today from ARIN… Jan Blacka, Senior User Experience Specialist Kevin Blumberg, ARIN Advisory Council John Curran,
Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.
Delegated RPKI / ARIN Command Line
November 2006 Geoff Huston APNIC
RPKI Trust Anchor Geoff Huston APNIC.
APNIC Trial of Certification of IP Addresses and ASes
New Functionality in ARIN Online
APNIC Trial of Certification of IP Addresses and ASes
ARIN Update John Curran President and CEO.
Progress Report on Resource Certification
Presentation transcript:

1 Madison, Wisconsin 9 September14

2 Security Overlays on Core Internet Protocols – DNSSEC and RPKI Mark Kosters ARIN Engineering

3 Why are DNSSEC and RPKI Important Two critical resources – DNS – Routing Hard to tell if compromised – From the user point of view – From the ISP/Enterprise Focus on government funding

4 Why DNSSEC? What is it? Standard DNS (forward or reverse) responses are not secure – Easy to spoof – Notable malicious attacks DNSSEC attaches signatures – Validates responses – Can not spoof

5 Reverse DNS at ARIN ARIN issues blocks without any working DNS – Registrant must establish delegations after registration – Then employ DNSSEC if desired Just as susceptible as forward DNS if you do not use DNSSEC

6 Reverse DNS at ARIN Authority to manage reverse zones follows allocations – “Shared Authority” model – Multiple sub-allocation recipient entities may have authority over a particular zone

7 Changes completed to make DNSSEC work at ARIN Permit by-delegation management Sign in-addr.arpa. and ip6.arpa. delegations that ARIN manages Create entry method for DS Records – ARIN Online – RESTful interface – Not available via templates

8 Changes completed to make DNSSEC work at ARIN Only key holders may create and submit Delegation Signer (DS) records DNSSEC users need to have signed a registration services agreement with ARIN to use these services

9 Reverse DNS in ARIN Online First identify the network that you want to put Reverse DNS nameservers on…

10 Reverse DNS in ARIN Online …then enter the Reverse DNS nameservers…

11 DNSSEC in ARIN Online …then apply DS record to apply to the delegation

12 Reverse DNS: Querying ARIN’s Whois Query for the zone directly: whois> in-addr.arpa Name: in-addr.arpa. Updated: NameServer: AUTHNS2.DNVR.QWEST.NET NameServer: AUTHNS3.STTL.QWEST.NET NameServer: AUTHNS1.MPLS.QWEST.NET Ref:

13 DNSSEC in Zone Files ; File written on Mon Feb 24 17:00: ; dnssec_signzone version P1-RedHat P1.el5_ in-addr.arpa IN NS NS3.COVAD.COM IN NS NS4.COVAD.COM NSEC 1.74.in-addr.arpa. NS RRSIG NSEC RRSIG NSEC ( in-addr.arpa. oNk3GVaCWj2j8+EAr0PncqnZeQjm8h4w51nS D2VUi7YtR9FvYLF/j4KO+8qYZ3TAixb9c05c 8EVIhtY1grXEdOm30zJpZyaoaODpbHt8FdWY vwup9Tq4oVbxVyuSNXriZ2Mq55IIMgDR3nAT BLP5UClxUWkgvS/6poF+W/1H4QY= ) 1.74.in-addr.arpa IN NS NS3.COVAD.COM IN NS NS4.COVAD.COM NSEC in-addr.arpa. NS RRSIG NSEC RRSIG NSEC ( in-addr.arpa. DKYGzSDtIypDVcer5e+XuwoDW4auKy6G/OCV VTcfQGk+3iyy2CEKOZuMZXFaaDvXnaxey9R1 mjams519Ghxp2qOnnkOw6iB6mR5cNkYlkL0h lu+IC4Buh6DqM4HbJCZcMXKEtWE0a6dMf+tH sa+5OV7ezX5LCuDvQVp6p0LftAE= )

14 DNSSEC in Zone Files in-addr.arpa IN NS DNS1.ACTUSA.NET IN NS DNS2.ACTUSA.NET IN NS DNS3.ACTUSA.NET DS ( AEEDA98EE493DFF5F3F33208ECB0FA4186BD 8056 ) DS ( 66E6D421894AFE2AF0B350BD8F4C54D2EBA5 DA72A615FE64BE8EF600C6534CEF ) RRSIG DS ( in-addr.arpa. n+aPxBHuf+sbzQN4LmHzlOi0C/hkaSVO3q1y 6J0KjqNPzYqtxLgZjU+IL9qhtIOocgNQib9l gFRmZ9inf2bER435GMsa/nnjpVVWW/MBRKxf Pcc72w2iOAMu2G0prtVT08ENxtu/pBfnsOZK nhCY8UOBOYLOLE5Whtk3XOuX9+U= ) NSEC in-addr.arpa. NS DS RRSIG NSEC RRSIG NSEC ( in-addr.arpa. YvRowkdVDfv+PW42ySNUwW8S8jRyV6EKKRxe …

15 DNSSEC Validating Resolvers

16 Reverse DNS Management and DNSSEC in ARIN Online Available on ARIN’s website

17 What is RPKI? R esource P ublic K ey I nfrastructure Attaches digital certificates to network resources – AS Numbers – IP Addresses Allows ISPs to associate the two – Route Origin Authorizations (ROAs) – Can follow the address allocation chain to the top

18 What does RPKI accomplish? Allows routers or other processes to validate route origins Simplifies validation authority information – Trust Anchor Locator Distributes trusted information – Through repositories

19 AFRINICRIPE NCCAPNICARINLACNIC LIR1 ISP2 ISP ISP4ISP Issued Certificates Resource Allocation Hierarchy Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix /24” Attachment: Signed, ISP4 Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix /24” Attachment: Signed, ISP4 ICANN Resource Cert Validation

20 AFRINICRIPE NCCAPNIC ARIN LACNIC LIR1 ISP2 ISP ISP4 ISP Resource Allocation Hierarchy Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix /24” Attachment: Signed, ISP4 Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix /24” Attachment: Signed, ISP4 1. Did the matching private key sign this text? ICANN Issued Certificates Resource Cert Validation

21 AFRINICRIPE NCCAPNIC ARIN LACNIC LIR1 ISP2 ISP Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix /24” Attachment: Signed, ISP4 Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix /24” Attachment: Signed, ISP4 ISP ISP4 2. Is this certificate valid? ISP Issued Certificates Resource Allocation Hierarchy ICANN Resource Cert Validation

22 AFRINICRIPE NCCAPNIC ARIN LACNIC LIR1 ISP2 ISP Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix /24” Attachment: Signed, ISP4 Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix /24” Attachment: Signed, ISP4 ISP ISP4 ISP Issued Certificates Resource Allocation Hierarchy ICANN 3. Is there a valid certificate path from a Trust Anchor to this certificate? Resource Cert Validation

23 What does RPKI Create? It creates a repository – RFC 3779 (RPKI) Certificates – ROAs – CRLs – Manifest records

24 Repository View./ba/03a5be-ddf a1f9-1ad3f2c39ee6/1: total 40 -rw-r--r Jun ICcaIRKhGHJ-TgUZv8GRKqkidR4.roa -rw-r--r Jun cKxLCU94umS-qD4DOOkAK0M2US0.cer -rw-r--r Jun dSmerM6uJGLWMMQTl2esy4xyUAA.crl -rw-r--r Jun dSmerM6uJGLWMMQTl2esy4xyUAA.mnf -rw-r--r Jun nB0gDFtWffKk4VWgln-12pdFtE8.roa A Repository Directory containing an RFC3779 Certificate, two ROAs, a CRL, and a manifest

25 Repository Use Pull down these files using a manifest- validating mechanism Validate the ROAs contained in the repository Communicate with the router marking routes “valid”, “invalid”, “unknown” Up to ISP to use local policy on how to route

26 Possible Flow RPKI Web interface -> Repository Repository aggregator -> Validator Validated entries -> Route Checking Route checking results -> local routing decisions (based on local policy)

27 How you can use ARIN’s RPKI System? Hosted Hosted using ARIN’s RESTful service Web Delegated (being deprecated) Delegated using Up/Down Protocol

28 HostedRPKI Pros – Easier to use – ARIN managed Cons – No current support for downstream customers to manage their own space (yet) – Tedious through the IU if you have a large network – We hold your private key

29 HostedRPKI with RESTful Interace Pros – Easier to use – ARIN managed – Programmatic interface for large networks Cons – No current support for downstream customers to manage their own space (yet) – We hold your private key

30 Delegated RPKI with Up/Down Pros – Same as web delegated – Follows the IETF up/down protocol Cons – Extremely hard to setup – Need to operate your own RPKI environment

31 Hosted RPKI in ARIN Online

32 Hosted RPKI in ARIN Online

33 Hosted RPKI in ARIN Online

34 Hosted RPKI in ARIN Online

35 Hosted RPKI in ARIN Online SAMPLE-ORG

36 Hosted RPKI in ARIN Online SAMPLE-ORG

37 Hosted RPKI in ARIN Online

38 Your ROA request is automatically processed and the ROA is placed in ARIN’s repository, accompanied by its certificate and a manifest. Users of the repository can now validate the ROA using RPKI validators.

39 Delegated with Up/Down

40 Delegated with Up/Down

41 Delegated with Up/Down

42 Delegated with Up/Down You have to do all the ROA creation Need to setup a CA Have a highly available repository Create a CPS

43 Updates within RPKI outside of ARIN The four other RIRs are in production with Hosted CA services ARIN and APNIC have delegated working for the public Major routing vendor support being tested Announcement of public domain routing code support

44 ARIN Status Hosted CA deployed 15 Sept 2012 Web Delegated CA deployed 16 Feb 2013 Delegated using “Up/Down” protocol deployed 7 Sept 2013 RESTful interface deployed 1 Feb 2014

45 RPKI Usage Oct 2012Apr 2013Oct 2013Apr 2014 RPAs Signed Certified Orgs ROAs Covered Resources Web Delegated 000 Up/Down Delegated 00

46 Why is this important? Provides more credibility to identify resource holders Leads to better routing security

47 Q&A

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.