Resource Certification (RPKI) · Resource Certification (RPKI), Alex Band Management: Your Choice...
Resource Certification (RPKI)
Alex Band – Product Manager
Resource Certification (RPKI), Alex Band
The RIPE NCC involvement in RPKI
• The authority on who is the registered holder of an Internet Number Resource in our region
– IPv4 and IPv6 Address Blocks
– Autonomous System Numbers
• Information is kept in the Registry
• Accuracy and completeness are key
Digital Resource Certificates
• Based on open IETF standards (sidr)
– RFC 5280: X.509 PKI Certificates
– RFC 3779: Extensions for IP Addresses and ASNs
• Issued by the RIRs
• State that an Internet number resource has been registered by the RIPE NCC
Digital Resource Certificates
• Resource Certification is a free, opt-in service
– Your choice to request a certificate
– Linked to registration
– Renewed every 12 months
• Certificate does not list any identity information
Certificate Authority (CA) Structure
Root CA (RIPE NCC)
  Member CA (LIR)
    Customer CA
Applications for Certificates
Applications for Resource Certificates
• Make the Registry more robust
– Offer validatable proof of holdership
• Secure and legitimise resource transfers
• Aid in securing Internet routing
– BGP origin validation now
– BGP path validation in the future
• System does not create additional powers for the RIRs
Management: Your Choice
• Open Source Software to run a member CA
– Use the RIPE NCC as parent CA (trust anchor)
– Generate and publish Certificate yourself
• RIPE NCC Hosted Platform
– All processes are secured and automated
– One click set-up of Resource Certificate
– WebUI to manage Certificates in LIR Portal
Certification to Secure Internet Routing
• Members can use their resource certificate to make statements about their BGP Routing
• Other network operators can set their routing preferences based on this information
Route Origin Authorisation (ROA): “I authorise this Autonomous System to originate these IP prefixes”
Route Origin Authorisations
• Only the registered holder of an Internet number resource can create a valid ROA
• A ROA affects the RPKI validity of a route announcement:
– VALID: ROA found, authorised announcement
– INVALID: ROA found, unauthorised announcement
– UNKNOWN: No ROA found (resource not yet signed)
ROA Creation Demo
Data Quality and Integrity
• Use RIS Route Collectors to support Certification
– Show the RPKI validity state of a route announcement
– Trigger alert when ROAs mismatch BGP
Publication of cryptographic objects
• Publication is distributed by design
– Publish yourself or publish through a 3rd party
• Each RIR has a public repository
– Holds Certificates, ROAs, etc.
– Refreshed at least every 24 hrs
• Accessed using a Validation tool
– Communication via rsync
– Builds up a local validated cache
Adoption (chart): number of certificates issued, by month from Jan to Nov; vertical axis 0 to 800
Adoption (chart): number of ROAs created by members, by month from Jan to Nov; vertical axis 0 to 500
RIPE NCC RPKI Validation tool
RIPE NCC RPKI-RTR Validator
• Web-based user interface
• Periodically validates all ROA repositories
– Downloads and processes changes automatically
• Ignore Filters (Apply RPKI status ‘Unknown’)
• Whitelist (Apply RPKI status ‘Valid’)
• RPKI-Router Support
– Cisco, Juniper, Quagga...
Open source, BSD License
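The three validity states from the ROA slide (VALID, INVALID, UNKNOWN) and the validator's two local overrides (Ignore Filters and Whitelist) as one worked example. This is added illustration code, not the RIPE NCC validator's own implementation; the ROA entries are constructed from documentation prefixes and private ASNs, and the override semantics (an ignore filter drops every ROA overlapping the filtered prefix, a whitelist entry acts as a locally trusted ROA) are assumptions about how the tool behaves.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # authorised prefix, e.g. "192.0.2.0/24"
    max_length: int  # longest more-specific the holder allows this AS to originate
    origin_as: int


# Constructed sample ROAs (documentation prefixes and private ASNs, not registry data)
SAMPLE_ROAS = [ROA("192.0.2.0/24", 24, 64496), ROA("2001:db8::/32", 48, 64496)]


def _covers(roa, net):
    rn = ipaddress.ip_network(roa.prefix)
    return rn.version == net.version and net.subnet_of(rn)


def validate_origin(prefix, origin_as, roas):
    """RPKI validity of a route announcement (prefix originated by origin_as):
    UNKNOWN if no ROA covers the prefix; VALID if a covering ROA names this AS and
    its maxLength permits this prefix length; INVALID otherwise (RFC 6483 rules)."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas if _covers(r, net)]
    if not covering:
        return "UNKNOWN"
    if any(r.origin_as == origin_as and net.prefixlen <= r.max_length for r in covering):
        return "VALID"
    return "INVALID"


def _overlaps(a, b):
    na, nb = ipaddress.ip_network(a), ipaddress.ip_network(b)
    return na.version == nb.version and na.overlaps(nb)


def validate_with_overrides(prefix, origin_as, roas, ignore_filters=(), whitelist=()):
    """Apply the validator's local overrides before validating (assumed semantics):
    an ignore filter removes every ROA overlapping the filtered prefix, so routes
    there become UNKNOWN rather than INVALID; a whitelist entry (prefix, max_length,
    asn) is treated as a locally trusted ROA, so the matching route becomes VALID."""
    kept = [r for r in roas if not any(_overlaps(r.prefix, f) for f in ignore_filters)]
    kept += [ROA(p, ml, asn) for p, ml, asn in whitelist]
    return validate_origin(prefix, origin_as, kept)


if __name__ == "__main__":
    for route in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496), ("192.0.2.0/24", 64497)]:
        print(route, validate_origin(*route, SAMPLE_ROAS))
```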
RPKI-Router Integration
• Local Validator Tool feeds RPKI capable router with processed data set
– Router does not do the crypto!
• Implementations in beta by Cisco and Juniper
– Public release in Q2, 2012
• Quagga has BGP Secure Routing Extensions
– BGP-SRx open source reference implementation
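What "the router does not do the crypto" means on the wire, as an added example that is not part of the original slides: the validator hands the router only the processed result of validation (prefix, maxLength, origin AS) as RPKI-RTR Prefix PDUs, so the router never sees a certificate or signature. The layout below is protocol version 0 as later published in RFC 6810; the VRPs are constructed sample values.

```python
import struct
import ipaddress

# RPKI-RTR protocol version 0 (RFC 6810) constants
RTR_VERSION = 0
PDU_IPV4_PREFIX = 4
PDU_IPV6_PREFIX = 6
FLAG_ANNOUNCE = 1  # flags byte: 1 = announce this VRP, 0 = withdraw it


def encode_prefix_pdu(prefix, max_length, asn, announce=True):
    """Serialise one validated ROA payload as an RTR IPv4/IPv6 Prefix PDU: an 8-byte
    header (version, type, reserved, total length) followed by flags, prefix length,
    max length, a zero byte, the packed address and the 32-bit origin ASN."""
    net = ipaddress.ip_network(prefix)
    pdu_type = PDU_IPV4_PREFIX if net.version == 4 else PDU_IPV6_PREFIX
    body = struct.pack("!BBBB", FLAG_ANNOUNCE if announce else 0, net.prefixlen, max_length, 0)
    body += net.network_address.packed + struct.pack("!I", asn)
    return struct.pack("!BBHI", RTR_VERSION, pdu_type, 0, 8 + len(body)) + body


def decode_prefix_pdu(data):
    """Parse a single Prefix PDU the way a router would, rejecting malformed input."""
    if len(data) < 8:
        raise ValueError("truncated header")
    version, pdu_type, _, length = struct.unpack("!BBHI", data[:8])
    if version != RTR_VERSION or pdu_type not in (PDU_IPV4_PREFIX, PDU_IPV6_PREFIX):
        raise ValueError("not a prefix PDU")
    if length != len(data) or length != (20 if pdu_type == PDU_IPV4_PREFIX else 32):
        raise ValueError("bad PDU length")
    flags, plen, maxlen, _ = struct.unpack("!BBBB", data[8:12])
    alen = 4 if pdu_type == PDU_IPV4_PREFIX else 16
    addr = ipaddress.ip_address(data[12:12 + alen])
    (asn,) = struct.unpack("!I", data[12 + alen:16 + alen])
    if not plen <= maxlen <= addr.max_prefixlen:
        raise ValueError("inconsistent prefix length / max length")
    return {"announce": flags == FLAG_ANNOUNCE, "prefix": f"{addr}/{plen}",
            "max_length": maxlen, "asn": asn}


def encode_vrp_set(vrps):
    """Concatenate the PDUs for a whole validated data set, as sent after a Cache Response."""
    return b"".join(encode_prefix_pdu(*v) for v in vrps)


if __name__ == "__main__":
    # Constructed sample VRPs (documentation prefixes, private ASN)
    print(encode_vrp_set([("192.0.2.0/24", 24, 64496), ("2001:db8::/32", 48, 64496)]).hex())
```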
Information and Announcements
http://ripe.net/certification #RPKI
[email protected]_band
linkedin.com/in/alexanderband