APNIC Trial of Certification of IP Addresses and ASes



Similar documents
A PKI For IDR Public Key Infrastructure and Number Resource Certification

Displaying SSL Certificate and Key Pair Information

RPKI Tutorial. Certification. Goals. Current Practices in Filtering

DEPARTMENT OF DEFENSE PUBLIC KEY INFRASTRUCTURE EXTERNAL CERTIFICATION AUTHORITY MASTER TEST PLAN VERSION 1.0

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, Page 1

Internet Operations and the RIRs

Key Management and Distribution

Purpose of PKI PUBLIC KEY INFRASTRUCTURE (PKI) Terminology in PKIs. Chain of Certificates

Authentication Applications

Microsoft Trusted Root Certificate: Program Requirements

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

ETSI TS V1.1.1 ( )

Cryptography and Network Security Chapter 14. Key Distribution. Key Management and Distribution. Key Distribution Task 4/19/2010

Public Key Infrastructure (PKI)

Internet Structure and Organization

Certificate Policy for. SSL Client & S/MIME Certificates

TACC ROOT CA CERTIFICATE POLICY

Certificates and network security

Cryptography and Network Security Chapter 14

Bugzilla ID: Bugzilla Summary:

Ciphermail S/MIME Setup Guide

Internet Bodies.

Authentication Application

SSL Interception Proxies. Jeff Jarmoc Sr. Security Researcher Dell SecureWorks. and Transitive Trust

Windows Server 2008 PKI and Certificate Security

The IVE also supports using the following additional features with CA certificates:

ECC Certificate Addendum to the Comodo EV Certification Practice Statement v.1.03

ESnet SSL CA service Certificate Policy And Certification Practice Statement Version 1.0

Authentication Applications

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

PKI and OpenSSL part 1 X.509 from the user s and the client software s point of view

associate professor BME Híradástechnikai Tanszék Lab of Cryptography and System Security (CrySyS)

TeliaSonera Public Root CA. Certification Practice Statement. Revision Date: Version: Rev A. Published by: TeliaSonera Sverige AB

Certification Path Processing in the Tumbleweed Validation Authority Product Line Federal Bridge CA Meeting 10/14/2004

Key Management and Distribution

Certipost Trust Services. Certificate Policy. for Lightweight Certificates for EUROCONTROL. Version 1.2. Effective date 03 May 2012

Certificate Path Validation

Digital Signatures in a PDF

PKI NBP Certification Policy for ESCB Signature Certificates. OID: version 1.5

CA Certificate Policy. SCHEDULE 1 to the SERVICE PROVIDER AGREEMENT

User Guide Supplement. S/MIME Support Package for BlackBerry Smartphones BlackBerry Pearl 8100 Series

Interoperability Guidelines for Digital Signature Certificates issued under Information Technology Act

Displaying SSL Certificate and Key Pair Information

PKI NBP Certification Policy for ESCB Encryption Certificates. OID: version 1.2

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 14 Key Management and Distribution.

Asymmetric cryptosystems fundamental problem: authentication of public keys

IPv6 First Hop Security Protecting Your IPv6 Access Network

SWITCHaai Metadata CA. Certificate Policy and Certification Practice Statement

Network Security: Public Key Infrastructure

Lecture VII : Public Key Infrastructure (PKI)

APNIC IPv6 Deployment

apple WWDR Certification Practice Statement Version 1.8 June 11, 2012 Apple Inc.

Concept of Electronic Approvals

Certificate Policy. SWIFT Qualified Certificates SWIFT

Digital Certificates Demystified

InCommon Certification Practices Statement. Server Certificates

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.14 Effective Date: September 9, 2015

Certification services for electronic security certificates

Programme of Requirements part 3h: Certificate Policy Server certificates Private Services Domain (G3)

7 Key Management and PKIs

How To Make A Trustless Certificate Authority Secure

Certification Practice Statement

Class 3 Registration Authority Charter

Introduction to Network Security Key Management and Distribution

Public Key Cryptography in Practice. c Eli Biham - May 3, Public Key Cryptography in Practice (13)

BGP. 1. Internet Routing

Best Practices for SIP Security

4.1.2., , [Section Number Retired] Determination of IP address allocation

Chapter 4. Authentication Applications. COSC 490 Network Security Annie Lu 1

Public Key Infrastructure

An LDAP/X.500 based distributed PGP Keyserver

Certification Authority. The X.509 standard, PKI and electronic documents. X.509 certificates. X.509 version 3. Critical extensions.

Federal PKI (FPKI) Community Transition to SHA-256 Frequently Asked Questions (FAQ)

APNIC Internet Resource Management (IRM) Tutorial. Petaling Jaya, Malaysia 24 February 2014

Network Automation 9.22 Features: RIM and PKI Authentication July 31, 2013

Optimized Certificates A New Proposal for Efficient Electronic Document Signature Validation

EBIZID CPS Certification Practice Statement

Certification Practice Statement

Neutralus Certification Practices Statement

Computer and Network Security. Outline

OpenCA v (ten-ten 2 )

REVENUE ON-LINE SERVICE CERTIFICATE POLICY. Document Version 1.2 Date: 15 September OID for this CP:

Application Security: Threats and Architecture

Biometrics, Tokens, & Public Key Certificates

Using custom certificates with Spectralink 8400 Series Handsets

APNIC elearning: Requesting IP Address

SYMANTEC NON-FEDERAL SHARED SERVICE PROVIDER PKI SERVICE DESCRIPTION

Transcription:

APNIC Trial of Certification of IP Addresses and ASes RIPE 51 11 October 2005 Geoff Huston 1

Address and Routing Security What we have today is a relatively insecure system that is vulnerable to various forms of deliberate disruption and subversion And it appears that bogon filters and routing policy databases are not entirely robust forms of defence against these vulnerabilities 2

Address and Routing Security The basic routing payload security questions that need to be answered are: Is this a valid address prefix? Who injected this address prefix into the network? Did they have the necessary credentials to inject this address prefix? Is the forwarding path to reach this address prefix an acceptable representation of the network s forwarding state? 3

What would be good To use a public key infrastructure to support attestations about addresses and their use: the authenticity of the address object being advertised authenticity of the origin AS the explicit authority from the address to AS that permits an original routing announcement 4

What would also be good If the attestation referred to the address allocation path (IANA to RIR to LIR to ) use of an RIR issued certificate to validate the attestation signature chain If the attestation was associated with the route advertisement such attestations to be carried in BGP as an Update attribute If validation these attestations was treated as a route object preference indicator attestation validation to be a part of the BGP route acceptance process 5

A Starting Point for Routing Security Adoption of some basic security functions into the Internet s routing domain: Injection of reliable trustable data Address and AS certificate PKI as the base of validation of network data Explicit verifiable mechanisms for integrity of data distribution Adoption of some form of certification mechanism to support validation of distribution of address and routing information 6

X.509 Extensions for IP Addresses RFC3779 defines extension to the X.509 certificate format for IP addresses & AS number The extension binds a list of IP address blocks and AS numbers to the subject of a certificate The extension specifies that the certification authority hierarchy should follow the IP address and AS delegation hierarchy Follows IANA RIR LIR And all their downstream delegations These extensions may be used to convey the issuer s authorization of the subject for exclusive use of the IP addresses and autonomous system identifiers contained in the certificate extension 7

RFC3779 summary The certificate chain will reflect the delegation hierarchy, from IANA down to the end users RIR IANA RIR ISP ISP LIR NIR ISP ISP ISP End user End user End user End user 8

Certificate Format 12345 CN=APNIC CA Trial CN=FC00DEADBEEF ACBDEFGH VERSION SERIAL NUMBER SIGNATURE ALGORITHM ISSUER v3 SHA-1 with RSA VALIDITY 1/1/05-1/1/06 SUBJECT SUBJECT PUBLIC KEY INFO ISSUER UNIQUE ID SUBJECT UNIQUE ID RSA, 48...321 RSTUVWXY KeyUsage (critical if CA) digitalsignature, keycertsign, and crlsign Cert Policies OIDs EXTENSIONS Basic constraints CA bit ON Allocations CA bit OFF Assignments SIGNATURE IP address 10.0.0.0/8 192.168.0.0/24 2002:14C0::/32 AS identifier AS123 AS124 9

What is being Certified APNIC (the Issuer ) certifies that: the certificate Subject whose public key is contained in the certificate is the current controller of a set of IP address and AS resources that are listed in the certificate extension APNIC does NOT certify the identity of the subject, nor their good (or evil) intentions! 10

What can you do with certificates? You can sign routing authorities or routing requests with your private key. The recipient can validate this signature against the matching certificate s public key You can use the private key to sign routing information that is propagated by a routing protocol You can issue signed derivative certificates for any sub-allocations of resources 11

APNIC Certificate Project Phases Trial 4Q 2005 Early adopters, s/w developers, protocol designers Major requirement changes allowed Certificate formats may change Pilot 1Q 2006 Input from trial used to test service Wider deployment Minor requirement changes allowed Certificate format should be stable Full service 2Q 2006 General service availability Full policy and procedures in place 12

APNIC Certificate Trial Trial service provides: Issue of RFC3779 compliant certificates to APNIC members Policy and technical infrastructure necessary to deploy and use the certificates in testing contexts by the routing community and general public CPS (Certification practice statement) Certificate repository CRL (Certificate revocation list) Tools and examples (open source) for downstream certification by NIR, LIR and ISP display of certificate contents encoding certificates 13

Notes (1) APNIC Certificate is an APNIC Member Service Certificates issued as a service to APNIC members Certificate lifetime tied to current membership Certificate Subject Name Uses unique HEX string of encoded 40 bit value Constant across various entity name events Consistent label for entity relationship with APNIC Reverse reference to be loaded into WHOIS record (future) Not General Purpose Certificates Certificates are not trusted confirmation of identity or bona fides claims Certificates limited to confirmation of association of IP resources with private key holder CA Bit is SET Subject may issue sub-certificates describing further suballocations of resources 14

Notes (2) APNIC certify LIR sub-delegations? NO - only warrant relationship with LIR, existance of resource allocation to that LIR from APNIC RFC3779 Compliance Use a subset of 3779 options Avoid IP ranges and use only CIDR spanning sets APNIC Root CA Current trial uses a certificate root at APNIC 2 Certificate Repositories APNIC-Issued Certificates APNIC-Issued plus derived sub-allocation certificates that are lodged with APNIC Access via OCSP, FTP, RSYNC, Compatibility with related work Ensure that these certificates can be used to feed into sbgp or sobgp or? 15

Current Status Test Certificates being generated Locally generated key pair Cover all current APNIC membership holdings CRL test Reissue all certificates with explicit revocation on original certificate set Example tools being developed APNIC Trial Certificate Repository ftp://ftp.apnic.net/pub/test-certs/ 16

17 Questions?

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information