Using Resource Certificates Progress Report on the Trial of Resource Certification

Similar documents
Using Resource Certificates Progress Report on the Trial of Resource Certification

APNIC Trial of Certification of IP Addresses and ASes

A PKI For IDR Public Key Infrastructure and Number Resource Certification

How To Get An Ipv6 Allocation On Ipv4 (Ipv4) From Ipv5) From The Ipvripe Ncc (Ip6) From A Ipvv6 Ipv2 (Ip4) To Ip

IPv6 and IPv4 Update from the RIPE NCC. Sandra Brás, Ferenc Csorba

RIPE Network Coordination Centre RIPE NCC LIR Tutorial

Internet Operations and the RIRs

IPv4 Address Trading Using Resource Certificate

Regional Internet Registries. Statistics & Activities. Prepared By APNIC, ARIN, LACNIC, RIPE NCC

RPKI Tutorial. Certification. Goals. Current Practices in Filtering

Internet Structure and Organization

IPE Database Features

IPv6 The Big Picture. Rob Evans, Janet

The ISP Column A monthly column on things Internet. Securing BGP with BGPsec. Introduction

Internet Bodies.

Baseline requirements Version 1.0 Errata

Introduction to The Internet. ISP/IXP Workshops

TELSTRA RSS CA Subscriber Agreement (SA)

IPv6 Address Planning

Introduction to IP Numbers vs. Domain names. Adiel A. Akplogan CEO, AFRINIC. 2014

Resource Certification. Alex Band Product Manager

Introduction to The Internet

technical Operations Area IP Resource Management

Measuring IPv6 Deployment. Geoff Huston APNIC December 2009

ARIN Online Users Forum

LIR Handbook. January 2012 RIPE NETWORK COORDINATION CENTRE

PKI and OpenSSL part 1 X.509 from the user s and the client software s point of view

Components of Routing Table Growth

The Internet. On October 24, 1995, the FNC unanimously passed a resolution defining the term Internet.

Simple Multihoming. ISP Workshops. Last updated 30 th March 2015

APNIC elearning: Requesting IP Address

The Internet Introductory material.

Simple Multihoming. ISP/IXP Workshops

The IANA Functions. An Introduction to the Internet Assigned Numbers Authority (IANA) Functions

IPv6 Addressing. ISP Training Workshops

Improving Rou-ng Security with RPKI

RTMA Working Group Agenda. Overview Speakers Discussion

IPv6 Address Design. A Few Practical Principles. Texas IPv6 Summit 20 November, 2012

BGP. 1. Internet Routing

SPAM - and how to deal with it. Turn spam against the spammers and virus writers for fun and profit

RIPE Policy Development Process

Topic 1: Internet Architecture & Addressing

ICANN- INTERNET CORPORATION OF ASSIGNED NAMES & NUMBERS

Routing Security Training Course

Approaches of Managing IPv4 Exhaustion. We re running out of IPv4 addresses and we still have a lot of use for them even with the

Local Internet Registry Training Course - First Day at Work As an LIR Contact

Extensions to the ripe-dbase Whois software

IPv6 Addressing. John Rullan Cisco Certified Instructor Trainer Thomas A. Edison CTE HS

BGP Multihoming Techniques

Authentication Applications

BGP Security The Human Threat

ARTL PKI. Certificate Policy PKI Disclosure Statement

BGP Multihoming Techniques

Enabling Operational Use of RPKI via Internet Routing Registries

Class 3 Registration Authority Charter

Large Space IPv4 Trial Usage Program for Future IPv6 Deployment ~ Activities update Vol.8 ~ APNIC 19 Meeting / IPv6 Tech SIG

Policy Implementation and Experience Report. Leslie Nobile

Distributed Systems. 09. Naming. Paul Krzyzanowski. Rutgers University. Fall 2015

Update from the RIPE NCC

RIPE Database User Manual: Getting Started

Ref: A. Leon Garcia and I. Widjaja, Communication Networks, 2 nd Ed. McGraw Hill, 2006 Latest update of this lecture was on

Deploying and Managing a Public Key Infrastructure

Certificate Policy and Certification Practice Statement CNRS/CNRS-Projets/Datagrid-fr

The Regional Internet Registries

4.1.2., , [Section Number Retired] Determination of IP address allocation

IRINN affiliation Guide

IPv6 Addressing and Subnetting

How To Transition To Annia.Org From Aaa To Anora.Org

Fireware How To Dynamic Routing

Distributed Systems. 22. Naming Paul Krzyzanowski. Rutgers University. Fall 2013

BGP Multihoming Techniques

How To Manage Ip Addresses On A Whois On A Microsoft Ipdb.Net (Ipd) On A Pc Or Ipd (Ipod) On An Ipd.Net On A Linux Ipd Or Ipod (Ipad

PKD Board ICAO PKD unclassified B-Tec/37. Procedures for the ICAO Public Key Directory

BGP Multihoming Techniques. Philip Smith APRICOT 2013 Singapore 19 th February 1 st March 2013

Ford Motor Company CA Certification Practice Statement

256 4 = 4,294,967,296 ten billion = 18,446,744,073,709,551,616 ten quintillion. IP Addressing. IPv4 Address Classes

ESnet SSL CA service Certificate Policy And Certification Practice Statement Version 1.0

Technologies for an IPv4 Address Exhausted World

The Great IPv4 Land Grab: Resource Certification for the IPv4 Grey Market

Certification Practice Statement (ANZ PKI)

Department of Defense PKI Use Case/Experiences

SSAC Advisory on the Changing Nature of IPv4 Address Semantics

Law Enforcement and Internet Governance: An Ounce of Prevention Is Worth a Pound of Cure

GAO Engagement on the Internet Domain Name System Discussion Guide

Expert Reference Series of White Papers. Fundamentals of the PKI Infrastructure

What is AfriNIC, IPv4 exhaustion & IPv6 transition

ETSI TS V1.1.1 ( )

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

Introduction to RPSL. TorIX Meeting, September 2004 Joe Abley,

RIPE Whois Database Query Reference Manual

Study Report on the IPv4 Address Space Exhaustion Issue (Phase I)

APNIC elearning: Reverse DNS for IPv4 and IPv6

esign Online Digital Signature Service

Today s Mobile Internet. Geoff Huston, APNIC Labs

IPv4 Transfers in the RIPE Region

Database Update. Johan Åhlén Assistant Manager and Denis Walker Business Analyst

How It Works: 101: Naming, Addressing, Routing ALAIN DURAND ICANN

Policy-Based AS Path Verification with Enhanced Comparison Algorithm to Prevent 1-Hop AS Path Hijacking in Real Time

Master Service Agreement. Definitions

Transcription:

Using Resource Certificates Progress Report on the Trial of Resource Certification October 2006 Geoff Huston APNIC

Sound Familiar? 4:30 pm Mail: Geoff, mate, I ve been dealing with your phone people and I m getting nowhere could you route xxx/24 for me this afternoon? I ve got a customer on my back and I need this done by 5 today, and I m getting desperate.

Sound Familiar? 4:30 pm Mail: Geoff, mate, I ve been dealing with your phone people and I m getting nowhere could you route xxx/24 for me this afternoon? I ve got a customer on my back and I need this done by 5 today, and I m getting desperate. 7:00pm Trouble Ticket: Customer complaining that they have been disconnected. The circuit is up, but the customer is complaining that there is no traffic.

Sound Familiar? 4:30 pm Mail: Geoff, mate, I ve been dealing with your phone people and I m getting nowhere could you route xxx/24 for me this afternoon? I ve got a customer on my back and I need this done by 5 today, and I m getting desperate. 7:00pm Trouble Ticket: Customer complaining that they have been disconnected. The circuit is up, but the customer is complaining that there is no traffic. 9:30 am Mail: Product Manager: We ve had a complaint with a customer threatening legal action over some kind of address dispute. We have a call with legal this afternoon at 2:00 details below.

If only. I could ve quickly and accurately figured out who really had the right-of-use of the address block at the time I could ve asked for a signed route origination that gave me (ASx) an authority to route prefix xxx that I could validate independently

Motivation: Address and Routing Security The (very) basic routing security questions that need to be answered are: Is this a valid address prefix? Who advertised this address prefix into the network? Did they have the necessary credentials to advertise this address prefix? Is the advertised path authentic?

What would be good To be able to use a reliable infrastructure to validate assertions about addresses and their use: Allow third parties to authenticate that an address or routing assertion was made by the current right-of-use holder of the address resource Confirm that the asserted information is complete and unaltered from the original Convey routing authorities from the resource holder to a nominated party that cannot be altered or forged

What would be good Is to have a reliable, efficient, and effective way to underpin the integrity of the Internet s address resource distribution structure and our use of these resources in the operational Internet Is to replace various forms of risk-prone assertions, rumours and fuzzy traditions about addresses and their use with demonstrated validated authority

Resource Certificate Trial Approach: Use X.509 v3 Public Key Certificates (RFC3280) with IP address and ASN extensions (RFC3779) Parameters: Use existing technologies where possible Leverage on existing open source software tools and deployed systems Contribute to open source solutions and open standards OpenSSL as the foundational platform Add RFC3779 (resource extension) support Design of a Certification framework anchored on the IP resource distribution function

Resource Public Key Certificates The certificate s Issuer certifies that: the certificate s Subject whose public key is contained in the certificate is the current controller of a collection of IP address and AS resources that are listed in the certificate s resource extension

Resource Certificates Resource Allocation Hierarchy IANA AFRINIC APNIC RIPE NCC ARIN LACNIC LIR1 LIR2 ISP ISP ISP ISP ISP ISP ISP

Resource Certificates Resource Allocation Hierarchy IANA AFRINIC APNIC RIPE NCC ARIN LACNIC Issued Certificates match allocation actions LIR1 LIR2 ISP ISP ISP ISP ISP ISP ISP

Resource Certificates Resource Allocation Hierarchy IANA AFRINIC APNIC RIPE NCC ARIN LACNIC Issuer: ARIN Subject: LIR2 Resources: 192.2.0.0/16 Key Info: <lir2-key-pub> LIR1 LIR2 Signed: <arin-key-priv> Issued Certificates ISP ISP ISP ISP4 ISP ISP ISP

Resource Certificates Resource Allocation Hierarchy IANA AFRINIC APNIC RIPE NCC ARIN LACNIC Issuer: ARIN Subject: LIR2 Resources: 192.2.0.0/16 Key Info: <lir2-key-pub> LIR1 LIR2 Signed: <arin-key-priv> Issuer: LIR2 Subject: ISP4 Resources: 192.2.200.0/24 Key Info: <isp4-key-pub> ISP Signed: <lir2-key-priv> ISP ISP ISP4 ISP ISP ISP Issued Certificates

Resource Certificates Resource Allocation Hierarchy IANA AFRINIC APNIC RIPE NCC ARIN LACNIC Issuer: ARIN Subject: LIR2 Resources: 192.2.0.0/16 Key Info: <lir2-key> Signed: <arin-key-priv> LIR1 LIR2 Issuer: LIR2 Subject: ISP4 Resources: Issuer: ISP4 192.2.200.0/22 Key Subject: Info: <isp4-key> ISP4-EE ISP ISP Signed: Resources: <lir2-key-priv> 192.2.200.0/24 ISP ISP4 ISP ISP ISP Key Info: <isp4-ee-key> Signed: <isp4-key-priv> Issued Certificates

Base Object in a Routing Authority Context Resource Allocation Hierarchy IANA AFRINIC APNIC RIPE NCC ARIN LACNIC Issued Certificates LIR1 LIR2 Route Origination Authority ISP4 permits AS65000 to to originate a route for for the the ISPprefix ISP ISP ISP4 ISP ISP ISP 192.2.200.0/24

Signed Objects Resource Allocation Hierarchy IANA AFRINIC APNIC RIPE NCC ARIN LACNIC Issued Certificates Route Origination Authority LIR1 ISP4 permits AS65000 to to originate a route for for the the prefix 192.2.200.0/24 LIR2 Attachment: <isp4-ee-cert> ISP ISP ISP ISP4 ISP ISP ISP Signed, ISP4 <isp4-ee-key-priv>

Signed Object Validation Resource Allocation Hierarchy IANA AFRINIC APNIC RIPE NCC ARIN LACNIC Issued Certificates Route Origination Authority LIR1 ISP4 permits AS65000 to to originate a route for for the the prefix 192.2.200.0/24 LIR2 Attachment: <isp4-ee-cert> ISP ISP ISP ISP4 ISP ISP ISP 1. Did the matching private key sign this text? Signed, ISP4 <isp4-ee-key-priv>

Signed Object Validation Resource Allocation Hierarchy IANA AFRINIC APNIC RIPE NCC ARIN LACNIC Issued Certificates Route Origination Authority LIR1 ISP4 permits AS65000 to to originate a route for for the the prefix 192.2.200.0/24 LIR2 Attachment: <isp4-ee-cert> ISP ISP ISP ISP4 ISP ISP ISP Signed, ISP4 <isp4-ee-key-priv> 2. Is this certificate valid?

Signed Object Validation Resource Allocation Hierarchy IANA ARIN Trust Anchor AFRINIC APNIC RIPE NCC ARIN LACNIC Issued Certificates Route Origination Authority LIR1 ISP4 permits AS65000 to to originate a route for for the the prefix 192.2.200.0/24 LIR2 Attachment: <isp4-ee-cert> ISP ISP ISP ISP4 ISP ISP ISP Signed, 3. Is there a valid certificate path from a Trust Anchor ISP4 <isp4-ee-key-priv> to this certificate?

Signed Object Validation Resource Allocation Hierarchy IANA RIPE NCC Trust Anchor Validation Outcomes AFRINIC APNIC RIPE 1. 1. NCC ISP4 authorized ARIN this this Authority LACNIC document 2. Issued Certificates 2. 192.2.200.0/24 is is a valid valid address 3. 3. ISP4 holds a current right-of-use of of Route Origination Authority LIR1 192.2 LIR2 200.0/24 ISP4 permits AS65000 to to 4. 4. A route object where AS65000 originate a route for for the the prefix originates an an advertisement for for the the 192.2.200.0/24 address prefix 192.2.200.0/24 has has the the explicit authority of of ISP4, who who is is Attachment: <isp4-ee-cert> the ISP ISP the current ISP holder ISP4 of ISP of this ISP this address ISP prefix Signed, ISP4 <isp4-ee-key-priv>

What could you do with Resource Certificates? Issue signed subordinate resource certificates for any sub-allocations of resources, such as may be seen in a LIR context Maintain a certificate collection that matches the current resource allocation state LIR ISP

What could you do with Resource Certificates? Sign routing authorities, routing requests, or WHOIS objects or IR objects with your private key Use the private key to sign attestations with a signature that is associated with a right-of-use of a resource Route Origination Authority LIR1 ISP4 permits AS65000 to to originate a route for for the the prefix 192.2.200.0/24 Attachment: <isp4-ee-cert> ISP ISP ISP4 Signed, ISP4 <isp4-ee-key-priv>

What could you do with Resource Certificates? Validate signed objects Authentication: Did the resource holder really produce this document or object? Authenticity: Is the document or object in exactly the same state as it was when originally signed? Validity: Is the document valid today? A relying party can: authenticate that the signature matches the signed object, validate the signature against the matching certificate s public key, validate the certificate in the context of the Resource PKI

Example of a Signed Object route-set: RS-TELSTRA-AU-EX1 descr: Example routes for customer with space under apnic members: 58.160.1.0-58.160.16.255,203.34.33.0/24 tech-c: GM85-AP admin-c: GM85-AP notify: test@telstra.net mnt-by: MAINT-AU-TELSTRA-AP sigcert: rsync://repository.apnic.net/telstra-au-iana/cbh3sk-iwj8yd8uqab5 Ck010p5Q/Hc4yxwhTamNXW-cDWtQcmvOVGjU.cer sigblk: -----BEGIN PKCS7----- MIIBdQYJKoZIhvcNAQcCoIIBZjCCAWICAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3 DQEHATGCAUEwggE9AgEBMBowFTETMBEGA1UEAxMKdGVsc3RyYS1hdQIBATAJBgUr DgMCGgUAMA0GCSqGSIb3DQEBAQUABIIBAEZGI2dAG3lAAGi+mAK/S5bsNrgEHOmN 1leJF9aqM+jVO+tiCvRHyPMeBMiP6yoCm2h5RCR/avP40U4CC3QMhU98tw2Bq0TY HZvqXfAOVhjD4Apx4KjiAyr8tfeC7ZDhO+fpvsydV2XXtHIvjwjcL4GvM/gES6dJ KJYFWWlrPqQnfTFMm5oLWBUhNjuX2E89qyQf2YZVizITTNg3ly1nwqBoAqmmDhDy +nsrvaxax7ii2iqdtr/pji2vwfe4r36gbt8oxyvj9xz7i9ikpb8rtvpv02i2hbmi 1SvRXMx5nQOXyYG3Pcxo/PAhbBkVkgfudLki/IzB3j+4M8KemrnVMRo= -----END PKCS7----- changed: test@telstra.net 20060822 source: APNIC

Signer s certificate Version: 3 Serial: 1 Issuer: CN=telstra-au Validity: Not Before: Fri Aug 18 04:46:18 2006 GMT Validity: Not After: Sat Aug 18 04:46:18 2007 GMT Subject: CN=An example sub-space from Telstra IANA, E=apnic-ca@apnic.net Subject Key Identifier g(ski): Hc4yxwhTamNXW-cDWtQcmvOVGjU Subject Info Access: carepository rsync://repository.apnic.net/telstra-au-iana/cbh3sk-iwj8yd8uqab5 Ck010p5Q/Hc4yxwhTamNXW-cDWtQcmvOVGjU Key Usage: DigitalSignature, nonrepudiation CRL Distribution Points: rsync://repository.apnic.net/telstra-au-iana/cbh3sk-iwj8yd8uqab5 Ck010p5Q.crl Authority Info Access: caissuers rsync://repository.apnic.net/telstra-au-iana/cbh3sk-iwj8yd8uqab5 Ck010p5Q.cer Authority Key Identifier: Key Identifier g(aki): cbh3sk-iwj8yd8uqab5ck010p5q Certificate Policies: 1.3.6.1.5.5.7.14.2 IPv4: 58.160.1.0-58.160.16.255, 203.34.33.0/24

Potential Scenarios Service interface via a Web Portal: Generate and Sign routing-related objects Validate signed objects against the PKI Manage subordinate certificate issuance (Automated certificate management processes) Local Tools LIR Use Local repository management Resource object signing Generate and lodge certificate objects

Resource Certificate Trial Program Specification of X.509 Resource Certificates Generation of resource certificate repositories aligned with existing resource allocations and assignments Tools for Registration Authority / Certificate Authority interaction (undertaken by RIPE NCC) Tools to perform validation of resource certificates Current Activities Extensions to OpenSSL for Resource Certificates (open source development activity, supported by ARIN) Tools for resource collection management, object signing and signed object validation (APNIC, and also open source development activity, supported by ARIN) LIR / ISP Tools for certificate management Operational service profile specification

Next Steps 1. Complete current trial activities by EOY 06 2. APNIC Evaluation of Trial activities Status of work items Does this approach meet the objectives? What are the implications of this form of certification of resources? Impact assessment Service infrastructure, operational procedures Utility of the authentication model Policy considerations Recommendations for production deployment

Credit where credit is due.. The design and implementation team involved in this trial: George Michaelson Rob Loomans Geoff Huston Randy Bush Rob Austein Rob Kisteleki Steve Kent Russ Housley

Thank You Questions?

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information