1 APNIC Trial of Certification of IP Addresses and ASes RIPE 51 11 October 2005 Geoff Huston.

Slides:



Advertisements
Similar presentations
RPKI Standards Activity Geoff Huston APNIC February 2010.
Advertisements

Update on Resource Certification Geoff Huston, APNIC Mark Kosters, ARIN SSAC Meeting, March 2008.
1 APNIC Resource Certification Service Project Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam George Michaelson.
Chapter 14 – Authentication Applications
CSCE 815 Network Security Lecture 10 KerberosX.509 February 13, 2003.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Nigel Titley. RIPE 54, 9 May 2007, Tallinn, Estonia. 1 RIPE NCC Certification Task Force Update Presented by Nigel Titley RIPE NCC.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting SIG: Whois Database October 2000 APNIC Certificate Authority.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.
RPKI and Routing Security ICANN 44 June Today’s Routing Environment is Insecure Routing is built on mutual trust models Routing auditing requires.
An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.
Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.
Securing the Border Gateway Protocol Using S-BGP Dr. Stephen Kent Chief Scientist - Information Security APNIC Open Policy Meeting Routing.
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
1 Towards Secure Interdomain Routing For Dr. Aggarwal Win 2004.
Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.
Some Lessons Learned from Designing the Resource PKI Geoff Huston Chief Scientist, APNIC May 2007.
Summary Report on Resource Certification February 2007 Geoff Huston Chief Scientist APNIC.
APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.
A PKI For IDR Public Key Infrastructure and Number Resource Certification AUSCERT 2006 Geoff Huston Research Scientist APNIC.
Progress Report on resource certification February 2007 Geoff Huston Chief Scientist APNIC.
CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”
Resource Certification What it means for LIRs Alain P. AINA Special Project Manager.
Progress Report on APNIC Trial of Certification of IP Addresses and ASes APNIC 22 September 2006 Geoff Huston.
The Resource Public Key Infrastructure Geoff Huston APNIC.
14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.
A PKI for IP Address Space and AS Numbers Stephen Kent.
APNIC eLearning: Intro to RPKI 10 December :30 PM AEST Brisbane (UTC+10)
Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
1 San Diego, California 25 February Securing Routing: RPKI Overview Mark Kosters Chief Technology Officer.
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.
Using Resource Certificates Progress Report on the Trial of Resource Certification October 2006 Geoff Huston Chief Scientist APNIC.
CERTIFICATES. What is a Digital Certificate? Electronic counterpart to a drive licenses or a passport. Enable individuals and organizations to secure.
Using Resource Certificates Progress Report on the Trial of Resource Certification October 2006 Geoff Huston APNIC.
A Brief Overview of draft-ietf-sidr-cp-01.txt draft-ietf-sidr-cps-rirs-01.txt draft-ietf-sidr-cps-isp-00.txt Steve Kent BBN Technologies.
Using Resource Certificates Progress Report on the Trial of Resource Certification November 2006 Geoff Huston APNIC.
1 Madison, Wisconsin 9 September14. 2 Security Overlays on Core Internet Protocols – DNSSEC and RPKI Mark Kosters ARIN Engineering.
Updates to the RPKI Certificate Policy I-D Steve Kent BBN Technologies.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Status Report SIDR and Origination Validation Geoff Huston SIDR WG, IETF 71 March 2008.
Overview of draft-ietf-sidr-roa-00.txt Steve Kent BBN Technologies.
Securing the Internet Backbone: Current activities in the IETF’s Secure InterDomain Routing Working Group Geoff Huston Chief Scientist, APNIC.
1 Auto-Detecting Hijacked Prefixes? Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam Geoff Huston.
1 Certification Issue : how do we confidently know the public key of a given user? Authentication : a process for confirming or refuting a claim of identity.
Using Resource Certificates Progress Report on the Trial of Resource Certification October 2006 Geoff Huston APNIC.
Securing BGP: The current state of RPKI
Auto-Detecting Hijacked Prefixes?
Auto-Detecting Hijacked Prefixes?
November 2006 Geoff Huston APNIC
Cryptography and Network Security
Goals of soBGP Verify the origin of advertisements
RPKI Trust Anchor Geoff Huston APNIC.
APNIC Trial of Certification of IP Addresses and ASes
APNIC Trial of Certification of IP Addresses and ASes
Resource Certificate Profile
Progress Report on Resource Certification
October 2006 Geoff Huston APNIC
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006
Presentation transcript:

1 APNIC Trial of Certification of IP Addresses and ASes RIPE October 2005 Geoff Huston

2 Address and Routing Security What we have today is a relatively insecure system that is vulnerable to various forms of deliberate disruption and subversion And it appears that bogon filters and routing policy databases are not entirely robust forms of defence against these vulnerabilities

3 Address and Routing Security The basic routing payload security questions that need to be answered are: –Is this a valid address prefix? –Who injected this address prefix into the network? –Did they have the necessary credentials to inject this address prefix? –Is the forwarding path to reach this address prefix an acceptable representation of the network’s forwarding state?

4 What would be good … To use a public key infrastructure to support attestations about addresses and their use: – the authenticity of the address object being advertised – authenticity of the origin AS – the explicit authority from the address to AS that permits an original routing announcement

5 What would also be good… If the attestation referred to the address allocation path (IANA to RIR to LIR to…) use of an RIR issued certificate to validate the attestation signature chain If the attestation was associated with the route advertisement such attestations to be carried in BGP as an Update attribute If validation these attestations was treated as a route object preference indicator attestation validation to be a part of the BGP route acceptance process

6 Adoption of some basic security functions into the Internet’s routing domain: Injection of reliable trustable data Address and AS certificate PKI as the base of validation of network data Explicit verifiable mechanisms for integrity of data distribution Adoption of some form of certification mechanism to support validation of distribution of address and routing information A Starting Point for Routing Security

7 X.509 Extensions for IP Addresses RFC3779 defines extension to the X.509 certificate format for IP addresses & AS number The extension binds a list of IP address blocks and AS numbers to the subject of a certificate The extension specifies that the certification authority hierarchy should follow the IP address and AS delegation hierarchy –Follows IANA  RIR  LIR And all their downstream delegations These extensions may be used to convey the issuer’s authorization of the subject for exclusive use of the IP addresses and autonomous system identifiers contained in the certificate extension

8 RFC3779 summary The certificate chain will reflect the delegation hierarchy, from IANA down to the end users IANA RIR NIR ISP End user RIR ISP LIR ISP End user ISP End user

9 Certificate Format SERIAL NUMBER v3 CN=APNIC CA Trial VERSION SIGNATURE ALGORITHM SHA-1 with RSA ISSUER VALIDITY 1/1/05 - 1/1/06 SUBJECT CN=FC00DEADBEEF SUBJECT PUBLIC KEY INFO RSA, ISSUER UNIQUE ID ACBDEFGH SUBJECT UNIQUE ID RSTUVWXY EXTENSIONS SIGNATURE KeyUsage (critical if CA) digitalSignature, keyCertSign, and cRLSign IP address / / :14C0::/32 AS identifier AS123 – AS124 Cert Policies OIDs Basic constraints CA bit ON – Allocations CA bit OFF – Assignments

10 What is being Certified APNIC (the “Issuer”) certifies that: the certificate “Subject” whose public key is contained in the certificate is the current controller of a set of IP address and AS resources that are listed in the certificate extension APNIC does NOT certify the identity of the subject, nor their good (or evil) intentions!

11 What can you do with certificates? You can sign routing authorities or routing requests with your private key. The recipient can validate this signature against the matching certificate’s public key You can use the private key to sign routing information that is propagated by a routing protocol You can issue signed derivative certificates for any sub-allocations of resources

12 APNIC Certificate Project Phases Trial – 4Q 2005 –Early adopters, s/w developers, protocol designers –Major requirement changes allowed Certificate formats may change Pilot – 1Q 2006 –Input from trial used to test service –Wider deployment –Minor requirement changes allowed Certificate format should be stable Full service – 2Q 2006 –General service availability –Full policy and procedures in place

13 APNIC Certificate Trial Trial service provides: –Issue of RFC3779 compliant certificates to APNIC members –Policy and technical infrastructure necessary to deploy and use the certificates in testing contexts by the routing community and general public CPS (Certification practice statement) Certificate repository CRL (Certificate revocation list) –Tools and examples (open source) for downstream certification by NIR, LIR and ISP display of certificate contents encoding certificates

14 Notes (1) – APNIC Certificate is an APNIC Member Service Certificates issued as a service to APNIC members Certificate lifetime tied to current membership – Certificate Subject Name Uses unique HEX string of encoded 40 bit value –Constant across various entity name events –Consistent label for entity relationship with APNIC –Reverse reference to be loaded into WHOIS record (future) – Not General Purpose Certificates Certificates are not trusted confirmation of identity or bona fides claims Certificates limited to confirmation of association of IP resources with private key holder – CA Bit is SET Subject may issue sub-certificates describing further sub- allocations of resources

15 Notes (2) – APNIC certify LIR sub-delegations? NO - only warrant relationship with LIR, existance of resource allocation to that LIR from APNIC – RFC3779 Compliance Use a subset of 3779 options –Avoid IP ranges and use only CIDR spanning sets – APNIC Root CA Current trial uses a certificate root at APNIC –2 Certificate Repositories APNIC-Issued Certificates APNIC-Issued plus derived sub-allocation certificates that are lodged with APNIC Access via OCSP, FTP, RSYNC,… – Compatibility with related work Ensure that these certificates can be used to feed into sBGP or soBGP or ?

16 Current Status Test Certificates being generated –Locally generated key pair –Cover all current APNIC membership holdings –CRL test Reissue all certificates with explicit revocation on original certificate set Example tools being developed APNIC Trial Certificate Repository ftp://ftp.apnic.net/pub/test-certs/

17 Questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.