Presentation is loading. Please wait.

Presentation is loading. Please wait.

Resource Certification What it means for LIRs Alain P. AINA Special Project Manager.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Resource Certification What it means for LIRs Alain P. AINA Special Project Manager."— Presentation transcript:

1 Resource Certification What it means for LIRs Alain P. AINA Special Project Manager

2 What is Resource Certification ?  Resource Certification is a security framework for verifying the association between resource holders and their Internet resources. Add a verifiable form of a holder's current “right-of-use” over Internet resources in the resources management system  Resource Public Key Infrastructure(RPKI) is a PKI based on the Internet resources management hierarchy and under which X509 certificates with RFC 3779 extensions and other signed objects are published and bound together in an verifiable way.

3 Motivations  Facilitate a better routes filtering  Prepare for a secure Routing  Solve the chicken-and-egg problem  Provide trusted data Better than the current Whois and IRR data  Post IPv4 exhaustion data accuracy Resource transfers

4 Overview

5 THIS IS NOT AN IDENTITY CERTIFICATE A RPKI Certificate

6 Use Cases  ROAs - against hijacks  Enabling S*BGP  Customer sign-up  Resources transfers  RPSLSIG  ROA2RPSL ?  Bogon filtering – BOAs? More to come :-)

7 Use Cases: ROA ROA – Route Origination Authorization Using my certificate covering a prefix, I can formally, verifiably authorize an AS to announce that prefix  Can be useful for constructing route filters  Could be used by S*BGPs

8 Use Cases: ROA ROA – Route Origination Authorization

9 Without RPKI How do you verify their claim over a resource? Use Cases: Customer Sign-up

10 With RPKI Use Cases: Customer sign-up

11 Use Cases: Customer sign-up (cont’d) With RPKI

12 Use Cases: RPSLSIG Combining RPKI and RPSL: RPSL Signatures  Use RPKI to sign RPSL objects by extending RPSL syntax  It could raise the trust level of RPSL data by providing “object security” as an addition For example: Prefix and AS holder both sign a route object, thereby expressing their agreement on it.

13 Use Cases: RPSLSIG Route: 192.0.2.0/24 descr: GroupNet and ISP1 origin: AS65536 mnt-by: GroupNet-MNT signature: v=1;c=rsync://.../....cer; m=sha1- rsa;t=2009-03- 01T10:11:01T;a=route+descr+origin+mnt- by;b=324kjndfg9083GAD4sEW32. signature: v=1;c=rsync://.../....cer; m=sha1- rsa;t=2009-03- 02T11:11:01T;a=route+descr+origin+mnt- by; b=9ds3D4sW3234tj11wdhuon... source: AFRINIC

14 I nternet Registries(RIR/LIR/ISP) can:  Receive their certificates from their “upstreams”  Issue certificates to their clients or themselves: End Entities Certificate  Sign data with operative content using their own Certificates Participating in the RPKI

15 Enter the RPKI Engine Participating in the RPKI

16 To participate, an IR needs:  RPKIE software and an infrastructure to run it  On the higher levels: Hardware Security Module(s)  Good back-end database of resource delegations  Some Mandatory documents for a PKI: - Certificate Policy(CP) - Certification Practice Statement (CPS)

17 Services for the RPKI Intended AfriNIC services for LIRs:  Certify LIR resources using the AfriNIC own RPKIE  Provide hosted RPKI services for LIRs: - A full managed RPKIE for LIR - Run the LIR’s RPKIE et give real control to LIRs  Deploy the UP-Down protocol to talk to LIRs willing to run their own RPKIE  Provide the necessary public repository  Access to these services: - Through the normal channels (MyAFRINIC) - With strong authentication X509 Auth with BPKI certs

18 Services for the RPKI Potential services:  Central cache for certificates (repository collection)  Certificate validation  Object validation  Repository service  Others?

19 Trust Anchors for RP:Which root CAs ?  TA choice is the Relying Party’s decision  For the RPKI, RIRs seems to be a natural choice But just as every IRs, they will only certify what they allocate/assign  Possible use of multiple TAs  IANA can also be a single (or an additional) TA  The NRO statement of the RPKI TA http://www.nro.net/news/nro-declaration-rpki.html

20 Questions ??? http://tools.ietf.org/wg/sidr/ A resource certification portal soon

Download ppt "Resource Certification What it means for LIRs Alain P. AINA Special Project Manager."

Similar presentations

RPKI Standards Activity Geoff Huston APNIC February 2010.

RPKI Standards Activity Geoff Huston APNIC February 2010.
1 APNIC Resource Certification Service Project Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam George Michaelson.

1 APNIC Resource Certification Service Project Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam George Michaelson.
Local TA Management A TA is a public key and associated data used as the starting point for certificate path validation It need not be a self-signed certificate.

Local TA Management A TA is a public key and associated data used as the starting point for certificate path validation It need not be a self-signed certificate.
RPKI Certificate Policy Status Update Stephen Kent.

RPKI Certificate Policy Status Update Stephen Kent.
Nigel Titley. RIPE 54, 9 May 2007, Tallinn, Estonia. 1 RIPE NCC Certification Task Force Update Presented by Nigel Titley RIPE NCC.

Nigel Titley. RIPE 54, 9 May 2007, Tallinn, Estonia. 1 RIPE NCC Certification Task Force Update Presented by Nigel Titley RIPE NCC.
APNIC Member Services George Kuo. MyAPNIC 2 What is MyAPNIC A secure Member services website Internet resources management, for example: –Whois updates.

APNIC Member Services George Kuo. MyAPNIC 2 What is MyAPNIC A secure Member services website Internet resources management, for example: –Whois updates.
Projects Awaiting Prioritization Nate Davis. Planned Functionality Projects underway or next in queue Hosted RPKI (Planned 2012 Q2 Deployment) - RPKI.

Projects Awaiting Prioritization Nate Davis. Planned Functionality Projects underway or next in queue Hosted RPKI (Planned 2012 Q2 Deployment) - RPKI.
RPKI and Routing Security ICANN 44 June 2012. Today’s Routing Environment is Insecure Routing is built on mutual trust models Routing auditing requires.

RPKI and Routing Security ICANN 44 June Today’s Routing Environment is Insecure Routing is built on mutual trust models Routing auditing requires.
Overview of draft-ietf-sidr-roa-format-01.txt Matt Lepinski BBN Technologies.

Overview of draft-ietf-sidr-roa-format-01.txt Matt Lepinski BBN Technologies.
An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.

An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.
Certificates Last Updated: Aug 29, 2013. A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.

Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.
RPKI Validation - Revisited draft-huston-rpki-validation-01.txt Geoff Huston George Michaelson APNIC Slide 1/19.

RPKI Validation - Revisited draft-huston-rpki-validation-01.txt Geoff Huston George Michaelson APNIC Slide 1/19.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.

Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.
What’s Next: DNSSEC & RPKI Mark Kosters. Why are DNSSEC and RPKI Important Two critical resources – DNS – Routing Hard to tell when it is compromised.

What’s Next: DNSSEC & RPKI Mark Kosters. Why are DNSSEC and RPKI Important Two critical resources – DNS – Routing Hard to tell when it is compromised.
6/1/20151 Digital Signature and Public Key Infrastructure Course:COSC513-01 Instructor:Professor Anvari Student ID:106845 Name:Xin Wen Date:11/25/00.

6/1/20151 Digital Signature and Public Key Infrastructure Course:COSC Instructor:Professor Anvari Student ID: Name:Xin Wen Date:11/25/00.
PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.

PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Similar presentations

Ads by Google