ARIN Valueadded Trust Services Using DNSSEC and RPKI
- Slides: 31
ARIN Value-added Trust Services: Using DNSSEC and RPKI to Secure the Internet Infrastructure Tim Christensen ARIN
Agenda • DNSSEC – a brief update • RPKI – the major focus – What is it? – What it will look like within ARIN Online?
Why are DNSSEC and RPKI important? • Two critical resources – DNS – Routing • Hard to tell when resource is compromised • Focus of ARIN-region government funding
What is DNSSEC? • DNS responses are not secure – Easy to spoof – Notable malicious attacks • DNSSEC attaches signatures – Validates responses – Can not spoof
Changes required to make DNSSEC work • Signing in-addr. arpa. , ip 6. arpa. , and delegations that ARIN manages • Provisioning of DS Records – ARIN Online – RESTful interface (deployed July 2011)
Using DNSSEC in ARIN Online • Available on ARIN’s website https: //www. arin. net/knowledge/dnssec/
RPKI Pilot • Available since June 2009 – ARIN-branded version of RIPE NCC software http: //rpki-pilot. arin. net • > 50 organizations participating
What is RPKI? • Attaches certificates to network resources – AS Numbers – IP Addresses • Allows ISPs to associate the two – Route Origin Authorizations (ROAs) – Follow the address allocation chain to the top
What is RPKI? • Allows routers to validate Origins • Start of validated routing • Need minimal bootstrap info – Trust Anchors – Lots of focus on Trust Anchors
What does RPKI Create? • It creates a repository – RFC 3779 (RPKI) Certificates – ROAs – CRLs – Manifest records – Supports “ghostbusters” records
Repository View. /ba/03 a 5 be-ddf 6 -4340 -a 1 f 9 -1 ad 3 f 2 c 39 ee 6/1: total 40 -rw-r--r-- 1 143 1543 Jun 26 2009 ICca. IRKh. GHJ-Tg. UZv 8 GRKqkid. R 4. roa -rw-r--r-- 1 143 1403 Jun 26 2009 c. Kx. LCU 94 um. S-q. D 4 DOOk. AK 0 M 2 US 0. cer -rw-r--r-- 1 143 485 Jun 26 2009 d. Smer. M 6 u. JGLWMMQTl 2 esy 4 xy. UAA. crl -rw-r--r-- 1 143 1882 Jun 26 2009 d. Smer. M 6 u. JGLWMMQTl 2 esy 4 xy. UAA. mnf -rw-r--r-- 1 143 1542 Jun 26 2009 n. B 0 g. DFt. Wff. Kk 4 VWgln-12 pd. Ft. E 8. roa A Repository Directory containing an RFC 3779 Certificate, two ROAs, a CRL, and a manifest
Repository Use • Pull down these files using “rcynic” • Validate the ROAs contained in the repository • Communicate with the router marking routes “valid”, “invalid”, “unknown” • Up to ISP to use local policy on how to route
Possible Flow • • RPKI Web interface -> Repository aggregator -> Validator Validated entries -> Route Checking Route checking results -> local routing decisions (based on local policy)
Resource Cert Validation Resource Allocation Hierarchy AFRINIC ICANN RIPE NCC APNIC ARIN LACNIC Issued Certificates Route Origination Authority LIR 1 “ISP 4 permits AS 65000 to originate a route for the prefix 192. 2. 200. 0/24” Attachment: <isp 4 -ee-cert> ISP Signed, ISP 4 <isp 4 -ee-key-priv> ISP 2 ISP 4 ISP ISP
Resource Cert Validation Resource Allocation Hierarchy AFRINIC ICANN RIPE NCC APNIC ARIN LACNIC Issued Certificates Route Origination Authority LIR 1 “ISP 4 permits AS 65000 to originate a route for the prefix 192. 2. 200. 0/24” Attachment: <isp 4 -ee-cert> ISP Signed, ISP 4 <isp 4 -ee-key-priv> ISP 2 ISP 4 ISP ISP 1. Did the matching private key sign this text?
Resource Cert Validation Resource Allocation Hierarchy AFRINIC ICANN RIPE NCC APNIC ARIN LACNIC Issued Certificates Route Origination Authority LIR 1 “ISP 4 permits AS 65000 to originate a route for the prefix 192. 2. 200. 0/24” Attachment: <isp 4 -ee-cert> ISP ISP 2 ISP 4 ISP Signed, ISP 4 <isp 4 -ee-key-priv> 2. Is this certificate valid? ISP
Resource Cert Validation Resource Allocation Hierarchy AFRINIC ICANN RIPE NCC APNIC ARIN LACNIC Issued Certificates Route Origination Authority LIR 1 “ISP 4 permits AS 65000 to originate a route for the prefix 192. 2. 200. 0/24” Attachment: <isp 4 -ee-cert> ISP Signed, ISP 4 <isp 4 -ee-key-priv> ISP 2 ISP 4 ISP ISP 3. Is there a valid certificate path from a Trust Anchor to this certificate?
Why is RPKI taking awhile? • Intense review of liabilities by legal team and Board of Trustees created additional requirements at ARIN XXVI • Two new big requirements – Non-repudiation in ROA generation for hosted CAs – Thwart “Evil Insider” (rogue employee) from making changes
General Architecture of RPKI Registration Interface Database ARIN Online RPKI Engine Persistence HSM Tight coupling between resource certificate / ROA entities and registration dataset at the database layer. Once certs/ROAs are created, they must be maintained if the registered dependents are changed.
Development before ARIN XXVI With a few finishing touches, ready to go Jan 1, 2011 with Hosted Model, Delegated Model to follow end of Q 1. Highly influenced by RIPE NCC entities. ARIN Online Database RPKI Engine Persistence HSM Everything is Java, JBoss, Hibernate. RIPE NCC RPKI Engine with a few tweaks. Sun SCA 6000
Changes Underway Since ARIN XXVI In-browser ROA request signing via AJAX. Minor changes. ARIN Online Database Persistence RPKI Engine HSM Message driven engine which delegates to the HSM. Custom programming on IBM 4764’s to enable all DER encoding and crypto. HSM coding is in C as extensions to IBM CCA. Libtasn 1 used for DER encoding.
Example – Creating an ROA
Updates within RPKI outside of ARIN • The four other RIRs are in production with Hosted CA services • Major routing vendor support being tested • Announcement of public domain routing code support
ARIN Status • Hosted CA anticipated in 2012 • We intend to add up/down code required for delegated model after Hosted CA completed
Why is this important? • Provides more credibility to identify resource holders • Helps in the transfer market to identify real resource holders • Bootstraps routing security
Thank You
- Telstra doktrini
- Nextarin
- Dnssec analyzer
- Arin greene
- Arin whois database search
- Chapter 6 summary great gatsby
- John curran arin
- Iana arin
- John curran arin
- Proposed fee structure
- Northern trust charitable trust
- Planned giving certification
- Planned giving and trust services
- Fidelity trust services fees
- Cleaning service access rope
- Using system using system.collections.generic
- Dtfd switch
- Diffserv vs intserv
- Wake county human services community services center
- Tech mahindra pf helpdesk
- Azure security privacy compliance and trust
- How do knowledge bases help build trust and relationships
- A matter of trust chapter questions and answers
- Empathy theories johannes volkelt
- Meded coventry
- Trust communication respect
- Duty of trust and confidence cipd
- Care and share charitable trust
- Bpi asset management
- Some may trust in horses
- Living life from god's perspective
- Secret service worthy of trust and confidence