Status Report SIDR and Origination Validation Geoff Huston SIDR WG, IETF 71 March 2008.

Slides:



Advertisements
Similar presentations
RPKI Standards Activity Geoff Huston APNIC February 2010.
Advertisements

Update on Resource Certification Geoff Huston, APNIC Mark Kosters, ARIN SSAC Meeting, March 2008.
An Operational Perspective on BGP Security Geoff Huston February 2005.
A Profile for Trust Anchor Material for the Resource Certificate PKI Geoff Huston SIDR WG IETF 74.
The Role of a Registry Certificate Authority Some Steps towards Improving the Resiliency of the Internet Routing System: The Role of a Registry Certificate.
1 APNIC Resource Certification Service Project Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam George Michaelson.
BGP-SRx BGP - Secure Routing Extension BRITE BGP Security / RPKI Interoperability Test & Evaluation Doug Montgomery 1IETF 802/12/2014.
RPKI Certificate Policy Status Update Stephen Kent.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.
APNIC Member Services George Kuo. MyAPNIC 2 What is MyAPNIC A secure Member services website Internet resources management, for example: –Whois updates.
RPKI and Routing Security ICANN 44 June Today’s Routing Environment is Insecure Routing is built on mutual trust models Routing auditing requires.
Overview of draft-ietf-sidr-roa-format-01.txt Matt Lepinski BBN Technologies.
ROAs and Detecting “Bad” Originations Geoff Huston SIDR WG IETF 74.
An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.
Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.
Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.
Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.
Securing the Border Gateway Protocol Using S-BGP Dr. Stephen Kent Chief Scientist - Information Security APNIC Open Policy Meeting Routing.
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
1 Towards Secure Interdomain Routing For Dr. Aggarwal Win 2004.
Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.
Some Lessons Learned from Designing the Resource PKI Geoff Huston Chief Scientist, APNIC May 2007.
Summary Report on Resource Certification February 2007 Geoff Huston Chief Scientist APNIC.
APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.
A PKI For IDR Public Key Infrastructure and Number Resource Certification AUSCERT 2006 Geoff Huston Research Scientist APNIC.
Wed 28 Jul 2010SIDR IETF 78 Maastricht, NL1 SIDR Working Group IETF 78 Maastricht, NL Wednesday, 28 Jul 2010.
Progress Report on resource certification February 2007 Geoff Huston Chief Scientist APNIC.
Resource Certification What it means for LIRs Alain P. AINA Special Project Manager.
Progress Report on APNIC Trial of Certification of IP Addresses and ASes APNIC 22 September 2006 Geoff Huston.
The Resource Public Key Infrastructure Geoff Huston APNIC.
APNIC eLearning: Intro to RPKI 10 December :30 PM AEST Brisbane (UTC+10)
1 San Diego, California 25 February Securing Routing: RPKI Overview Mark Kosters Chief Technology Officer.
RPKI Tutorial Andy Newton Chief Engineer, ARIN. Agenda Resource Public Key Infrastructure(RPKI) Route Origin Authorizations (ROAs) Certificate Authorities.
Using Resource Certificates Progress Report on the Trial of Resource Certification October 2006 Geoff Huston Chief Scientist APNIC.
Routing Security and the Border Gateway Protocol Dr. Stephen Kent Chief Scientist - Information Security.
Interdomain Routing Security. How Secure are BGP Security Protocols? Some strange assumptions? – Focused on attracting traffic from as many Ases as possible.
A Brief Overview of draft-ietf-sidr-cp-01.txt draft-ietf-sidr-cps-rirs-01.txt draft-ietf-sidr-cps-isp-00.txt Steve Kent BBN Technologies.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian
Secure Origin BGP: What is (and isn't) in a name? Dan Wendlandt Princeton Routing Security Reading Group.
BGPSEC Router Key Roll-over draft-rogaglia-sidr-bgpsec-rollover-00 Roque Gagliano Keyur Patel Brian Weis.
Using Resource Certificates Progress Report on the Trial of Resource Certification November 2006 Geoff Huston APNIC.
1 Madison, Wisconsin 9 September14. 2 Security Overlays on Core Internet Protocols – DNSSEC and RPKI Mark Kosters ARIN Engineering.
Updates to the RPKI Certificate Policy I-D Steve Kent BBN Technologies.
Draft-huston-sidr-rfc6490-bis Geoff Huston Slide 1/6.
1 APNIC Trial of Certification of IP Addresses and ASes RIPE October 2005 Geoff Huston.
Overview of draft-ietf-sidr-roa-00.txt Steve Kent BBN Technologies.
Securing the Internet Backbone: Current activities in the IETF’s Secure InterDomain Routing Working Group Geoff Huston Chief Scientist, APNIC.
1 Auto-Detecting Hijacked Prefixes? Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam Geoff Huston.
Wed 24 Mar 2010SIDR IETF 77 Anaheim, CA1 SIDR Working Group IETF 77 Anaheim, CA Wednesday, Mar 24, 2010.
RPKI implementation experiences in the LAC Region Carlos M. Martínez – Arturo Servín LACSEC 2012 – LACNIC XVIII.
Draft-ietf-sidr-roa-format draft-ietf-sidr-arch Matt Lepinski BBN Technologies.
Resource Certificate Provisioning Protocol Geoff Huston IETF 70 December 2007.
BGP Validation Russ White Rule11.us.
Securing BGP: The current state of RPKI
Auto-Detecting Hijacked Prefixes?
Auto-Detecting Hijacked Prefixes?
November 2006 Geoff Huston APNIC
Goals of soBGP Verify the origin of advertisements
APNIC Trial of Certification of IP Addresses and ASes
Some Thoughts on Integrity in Routing
APNIC Trial of Certification of IP Addresses and ASes
Resource Certificate Profile
Why don’t we have a Secure and Trusted Inter-Domain Routing System?
Progress Report on Resource Certification
ROA Content Proposal November 2006 Geoff Huston.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006
Presentation transcript:

Status Report SIDR and Origination Validation Geoff Huston SIDR WG, IETF 71 March 2008

RPSEC Requirements From RPSEC the requirements are: –For Routing Don’t increase convergence times Allow for incremental deployment Autonomous bootstrap Local controls and local policies Light touch on routers

RPSEC Requirements –For infrastructure Verification of data origination Integrity of data Resilience Availability No new imposed trust points

RPSEC on Origination “Any BGP Security solution MUST support the ability of an address block holder to declare (in a secure fashion) the AS(es) that the holder authorizes to originate routes to its address block(s) or any portion thereof regardless of the relationship of the entities. An associated delegation criteria is the requirement to allow for non-BGP stub networks. As a result, all secured BGP implementations MUST allow for the contemporaneous origination of a route for a prefix by more than one AS. “ draft-ietf-rpsec-bgpsecrec-09.txt

The SIDR Approach to Origination Specification of a “Resource Public Key Infrastructure” (RPKI) –Based on use of IP number resource extensions to PKIX Certificates (RFC 3779) –A certificate hierarchy that conforms precisely to the IP address and AS allocation hierarchy –Allows attestations or authorisations relating to IP addresses and AS numbers to be digitally signed by the certified resource holder –Allows relying parties to validate such attestations within the context of the RPKI

The SIDR Approach to Origination Specification of a protocol between resource issuer and recipient to maintain an accurate certificate state at all times –relates allocation state to issued certificate state Specification of a distributed publication repository structure, allowing each CA and EE to publish signed products in local publication repositories Allow for Relying Parties to maintain a local cache of the current RPKI publication state in order to perform local validation operations

The SIDR Approach to Origination Specification of two (so far!) signed objects in the RPKI framework to support origination validation: –Specification of Route Origination Authorization (ROA) object to allow an address holder to authorize originating AS(s) –Specification of a Bogon Origination Attestation (BOA) object to allow a resource holder to explicitly deny the validity of any origination using these resources

The SIDR Approach to Origination Approaches to validated route update filter construction may be considered Possible approaches: –Use of the RPKI BOA / ROA sets to generate filters for BGP speakers relating to origination acceptance or –Signed Internet Routing Registry objects to complement existing IRR-based filter construction tools with RPKI validation of IRR data or –Define additional RPKI objects in order to validate IRR objects to complement existing IRR-based tools

The SIDR Approach to Origination Approaches to Route object validation may be considered –A BGP Speaker could submit Route objects to a local RPKI validation engine that would attempt a match of the Route object to a valid published ROA or BOA in the RPKI –The validation outcome, coupled with local policy settings, could result in some form of local preference relative weighting that the relying BGP speakers could apply to the route object

Use of RPKI and BGP No required changes to BGP the protocol –For Example: Updates could contain a pointer to the associated ROA when looking at update validation, but this is neither required nor necessary Support piecemeal deployment models –For Example: Piecemeal use of ROAs and BOAs –Piecemeal use by BGP speakers Support local policy setting –ROA validation outcomes may set local BGP preferences –BOA validation outcomes may be used to apply local damping of an update No strict requirement to process online in real time –Alternative options to use near-line and near-time processing –May use a single processor per AS with a reverse iBGP feed of local preference settings according to local AS policy settings

Current SIDR Document Set Resource PKI Documentation –Architecture of the RPKI: draft-ietf-sidr-arch-03.txt –Profile for RPKI Certificates: draft-ietf-sidr-res-certs-09.txt –Profile for Route Origination Authorizations: draft-ietf-sidr-roa-format-02.txt –Use of manifests o the RPKI publication repositories: draft-ietf-sidr-manifests-00.txt –Certificate Policy for the RPKI: draft-ietf-sidr-cp-03.txt –Template for Certification Practice Statement: draft-ietf-sidr-cps-irs-03.txt draft-ietf-sidr-cps-isp-02.txt