Presentation is loading. Please wait.

Presentation is loading. Please wait.

Progress Report on Resource Certification

Published byGodwin Ferguson Modified over 6 years ago

Similar presentations

Presentation on theme: "Progress Report on Resource Certification"— Presentation transcript:

1 Progress Report on Resource Certification
February 2007 Geoff Huston Chief Scientist APNIC

2 Objective To create a robust framework that allows validation of assertions relating to IP addresses and ASNs and their use and To make it easier for anyone to see if someone is lying about actual control over addresses and/or routing!

3 Uses Signing of IRR entries Signing of Routing Origination
“Yes, I am the right-of-use holder and that’s precisely the information I entered into the IRR.” Signing of Routing Origination “Yes, I am the right-of-use holder for this address prefix and I am permitting ASx to originate a route to this address prefix.” Signing of Route Requests “Please route address prefix a.b.c.d/x through customer interface xxx.”

4 Resources for this work
APNIC’s allocation database Public / Private key technology X.509 v3 certificate technology IP resource extensions to X.509 v3 certificates PKI models and trust relationships

5 The Overall Objective To support a PKI that mirrors the existing resource allocation state Every resource allocation can be attested by a matching certificate that binds the allocated resource with the resource issuer and recipient To use these resource certificates to make signed assertions that can be validated through this PKI

6 Resource Certificates
Resource Allocation Hierarchy IANA AFRINIC RIPE NCC ARIN APNIC LACNIC NIR1 NIR2 ISP1 ISP2 ISP3 ISP4 ISP ISP ISP

7 Resource Certificates
Resource Allocation Hierarchy IANA AFRINIC RIPE NCC ARIN APNIC LACNIC Issued Certificates match allocation actions NIR1 NIR2 ISP1 ISP2 ISP3 ISP4 ISP ISP ISP

8 Resource Certificates
Resource Allocation Hierarchy IANA AFRINIC RIPE NCC ARIN APNIC LACNIC Issuer: APNIC Subject: NIR2 Resources: /16 Key Info: <nir2-key-pub> Signed: <apnic-key-priv> Issued Certificates NIR1 NIR2 ISP1 ISP2 ISP3 ISP4 ISP ISP ISP

9 Resource Certificates
Resource Allocation Hierarchy IANA AFRINIC RIPE NCC ARIN APNIC LACNIC Issuer: APNIC Subject: NIR2 Resources: /16 Key Info: <nir2-key-pub> Signed: <apnic-key-priv> Issued Certificates NIR1 NIR2 Issuer: NIR2 Subject: ISP4 Resources: /24 Key Info: <isp4-key-pub> Signed: <nir2-key-priv> ISP ISP2 ISP3 ISP4 ISP ISP ISP

10 Resource Certificates
Resource Allocation Hierarchy IANA AFRINIC RIPE NCC ARIN APNIC LACNIC Issuer: APNIC Subject: NIR2 Resources: /16 Key Info: <nir2-key> Signed: <apnic-key-priv> Issued Certificates NIR1 NIR2 Issuer: NIR2 Subject: ISP4 Resources: /22 Key Info: <isp4-key> Signed: <nir2-key-priv> Issuer: ISP4 Subject: ISP4-EE Resources: /24 Key Info: <isp4-ee-key> Signed: <isp4-key-priv> ISP ISP ISP3 ISP4 ISP ISP ISP

11 Use: Routing Authority
Resource Allocation Hierarchy IANA AFRINIC RIPE NCC ARIN APNIC LACNIC Issued Certificates NIR1 NIR2 Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix /24” ISP ISP ISP ISP4 ISP ISP ISP

12 Resource Allocation Hierarchy
Signed Objects Resource Allocation Hierarchy IANA AFRINIC RIPE NCC ARIN APNIC LACNIC Issued Certificates Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix /24” Attachment: <isp4-ee-cert> Signed, ISP4 <isp4-ee-key-priv> LIR1 NIR2 ISP ISP ISP3 ISP4 ISP ISP ISP

13 Signed Object Validation
Resource Allocation Hierarchy IANA AFRINIC RIPE NCC ARIN APNIC LACNIC Issued Certificates Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix /24” Attachment: <isp4-ee-cert> Signed, ISP4 <isp4-ee-key-priv> LIR1 NIR2 ISP ISP ISP3 ISP4 ISP ISP ISP 1. Did the matching private key sign this text?

14 Signed Object Validation
Resource Allocation Hierarchy IANA AFRINIC RIPE NCC ARIN APNIC LACNIC Issued Certificates Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix /24” Attachment: <isp4-ee-cert> Signed, ISP4 <isp4-ee-key-priv> LIR1 NIR2 ISP ISP ISP3 ISP4 ISP ISP ISP 2. Is this certificate valid?

15 Signed Object Validation
Resource Allocation Hierarchy IANA APNIC Trust Anchor AFRINIC RIPE NCC ARIN APNIC LACNIC Issued Certificates Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix /24” Attachment: <isp4-ee-cert> Signed, ISP4 <isp4-ee-key-priv> LIR1 NIR2 ISP ISP ISP3 ISP4 ISP ISP ISP 3. Is there a valid certificate path from a Trust Anchor to this certificate?

16 Signed Object Validation
Resource Allocation Hierarchy IANA Validation Outcomes ISP4 authorized this Authority document /24 is a valid address, derived from an APNIC allocation ISP4 holds a current right-of-use of /24 A route object, where AS65000 originates an advertisement for the address prefix /24, has the explicit authority of ISP4, who is the current holder of this address prefix RIPE NCC Trust Anchor AFRINIC RIPE NCC ARIN RIPE NCC LACNIC Issued Certificates Route Origination Authority “ISP4 permits AS65000 to originate a route for the prefix /24” Attachment: <isp4-ee-cert> Signed, ISP4 <isp4-ee-key-priv> LIR1 LIR2 ISP ISP ISP ISP4 ISP ISP ISP

17 Example of a Signed Object
netnum-set: RS-TELSTRA-AU-EX1 descr: Example routes for customer with space under apnic members: , /24 tech-c: GM85-AP admin-c: GM85-AP notify: mnt-by: MAINT-AU-TELSTRA-AP sigcert: rsync://repository.apnic.net/TELSTRA-AU-IANA/cbh3Sk-iwj8Yd8uqaB5 Ck010p5Q/Hc4yxwhTamNXW-cDWtQcmvOVGjU.cer sigblk: BEGIN PKCS7----- MIIBdQYJKoZIhvcNAQcCoIIBZjCCAWICAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3 DQEHATGCAUEwggE9AgEBMBowFTETMBEGA1UEAxMKdGVsc3RyYS1hdQIBATAJBgUr DgMCGgUAMA0GCSqGSIb3DQEBAQUABIIBAEZGI2dAG3lAAGi+mAK/S5bsNrgEHOmN 1leJF9aqM+jVO+tiCvRHyPMeBMiP6yoCm2h5RCR/avP40U4CC3QMhU98tw2Bq0TY HZvqXfAOVhjD4Apx4KjiAyr8tfeC7ZDhO+fpvsydV2XXtHIvjwjcL4GvM/gES6dJ KJYFWWlrPqQnfTFMm5oLWBUhNjuX2E89qyQf2YZVizITTNg3ly1nwqBoAqmmDhDy +nsRVAxax7II2iQDTr/pjI2VWfe4R36gbT8oxyvJ9xz7I9IKpB8RTvPV02I2HbMI 1SvRXMx5nQOXyYG3Pcxo/PAhbBkVkgfudLki/IzB3j+4M8KemrnVMRo= -----END PKCS7----- changed: source: APNIC

18 Signer’s Resource Certificate
Version: 3 Serial: 1 Issuer: CN=telstra-au Validity: Not Before: Fri Aug 18 04:46: GMT Validity: Not After: Sat Aug 18 04:46: GMT Subject: CN=An example sub-space from Telstra IANA, Subject Key Identifier g(SKI): Hc4yxwhTamNXW-cDWtQcmvOVGjU Subject Info Access: caRepository – rsync://repository.apnic.net/TELSTRA-AU-IANA/cbh3Sk-iwj8Yd8uqaB5 Ck010p5Q/Hc4yxwhTamNXW-cDWtQcmvOVGjU Key Usage: DigitalSignature, nonRepudiation CRL Distribution Points: Ck010p5Q.crl Authority Info Access: caIssuers – Ck010p5Q.cer Authority Key Identifier: Key Identifier g(AKI): cbh3Sk-iwj8Yd8uqaB5Ck010p5Q Certificate Policies: IPv4: , /24

19 Trial Activity Status Specification of X.509 Resource Certificates
Generation of resource certificate repositories aligned with existing resource allocations and assignments Tools for Registration Authority / Certificate Authority interaction (undertaken by RIPE NCC) Tools to perform validation of resource certificatesExtensions to OpenSSL for Resource Certificates (open source development activity, supported by ARIN) Current Activities Tools for resource collection management, object signing and signed object validation (APNIC, and also open source development activity, supported by ARIN) LIR / ISP Tools for certificate management Testing, Testing, Testing Operational service profile specification Working notes and related material we’ve been working on in this trial activity:

20 Focus points for Q1 2007 Can we design the certificate management subsystem to be an largely automated “slave” of the resource allocation function? Provide a toolset to allow IRs to manage certificate issuance Use the same toolset to provide “hosted” certificate services

21 Focus points for Q1 2007 Defining the components and interactions of a “certificate engine”

22 Focus points for Q1 2007 Automated certificate issuance
Query / Response interaction between registry and registry clients: List: What resources have been allocated to me and what’s the corresponding state of issued certificates? Issue: Here is a certificate request – please issue me with a certificate that matches my allocated resource set Remove: Please revoke certificates issued with this public key

23 Next Steps Development of the Certificate Engine
End Entity Certificates Tools for Relying Parties Evaluation of Progress

24 Thank You Questions?

Download ppt "Progress Report on Resource Certification"

Similar presentations

Internet Number Resource Status Report As of 30 June 2005.

Internet Number Resource Status Report As of 30 June 2005.
Update on Resource Certification Geoff Huston, APNIC Mark Kosters, ARIN SSAC Meeting, March 2008.

Update on Resource Certification Geoff Huston, APNIC Mark Kosters, ARIN SSAC Meeting, March 2008.
The Role of a Registry Certificate Authority Some Steps towards Improving the Resiliency of the Internet Routing System: The Role of a Registry Certificate.

The Role of a Registry Certificate Authority Some Steps towards Improving the Resiliency of the Internet Routing System: The Role of a Registry Certificate.
1 APNIC Resource Certification Service Project Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam George Michaelson.

1 APNIC Resource Certification Service Project Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam George Michaelson.
Local TA Management A TA is a public key and associated data used as the starting point for certificate path validation It need not be a self-signed certificate.

Local TA Management A TA is a public key and associated data used as the starting point for certificate path validation It need not be a self-signed certificate.
December 2013 Internet Number Resource Report. December 2013 Internet Number Resource Report INTERNET NUMBER RESOURCE STATUS REPORT As of 31 December.

December 2013 Internet Number Resource Report. December 2013 Internet Number Resource Report INTERNET NUMBER RESOURCE STATUS REPORT As of 31 December.
March 2014 Internet Number Resource Report. March 2014 Internet Number Resource Report INTERNET NUMBER RESOURCE STATUS REPORT As of 31 March 2014 Prepared.

March 2014 Internet Number Resource Report. March 2014 Internet Number Resource Report INTERNET NUMBER RESOURCE STATUS REPORT As of 31 March 2014 Prepared.
1 Overview of policy proposals Policy SIG Wednesday 26 August 2009 Beijing, China.

1 Overview of policy proposals Policy SIG Wednesday 26 August 2009 Beijing, China.
RPKI and Routing Security ICANN 44 June 2012. Today’s Routing Environment is Insecure Routing is built on mutual trust models Routing auditing requires.

RPKI and Routing Security ICANN 44 June Today’s Routing Environment is Insecure Routing is built on mutual trust models Routing auditing requires.
An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.

An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.
Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.

Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
Summary Report on Resource Certification February 2007 Geoff Huston Chief Scientist APNIC.

Summary Report on Resource Certification February 2007 Geoff Huston Chief Scientist APNIC.
APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.

APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.
A PKI For IDR Public Key Infrastructure and Number Resource Certification AUSCERT 2006 Geoff Huston Research Scientist APNIC.

A PKI For IDR Public Key Infrastructure and Number Resource Certification AUSCERT 2006 Geoff Huston Research Scientist APNIC.
Progress Report on resource certification February 2007 Geoff Huston Chief Scientist APNIC.

Progress Report on resource certification February 2007 Geoff Huston Chief Scientist APNIC.
Resource Certification What it means for LIRs Alain P. AINA Special Project Manager.

Resource Certification What it means for LIRs Alain P. AINA Special Project Manager.
Progress Report on APNIC Trial of Certification of IP Addresses and ASes APNIC 22 September 2006 Geoff Huston.

Progress Report on APNIC Trial of Certification of IP Addresses and ASes APNIC 22 September 2006 Geoff Huston.
The Resource Public Key Infrastructure Geoff Huston APNIC.

The Resource Public Key Infrastructure Geoff Huston APNIC.

Similar presentations

Ads by Google