Embed Size (px)
Citation preview
The RPKI & Origin Validation
2009.06.15 1
NANOG Philly / 2009.06.15
Randy Bush <[email protected]> Rob Austein <[email protected]>
<http://archive.psg.com/090615.all-rpki.pdf>
2009.06.15 2
RFC 3779 Extension
Describes IP Resources (Addr & ASN)
X.509 Cert
Owner’s Public Key
X.509 Certificate w/ 3779 Ext CA
SIA – URI for where this Publishes
2009.06.15 3
192.168.0.0/16
Public Key
192.168.0.0/20
Public Key
192.168.16.0/20
Public Key
192.168.32.0/19
Public Key
192.168.16.0/24
Public Key
192.168.17.0/24
Public Key
Cert/JPNIC
Cert/OCN Cert/IIJ
Cert/CNNIC Cert/PSGnet
Cert/APNIC CA
CA CA CA
CA CA
Certificate Hierarchy follows
Allocation Hierarchy
SIA
2009.06.15 4
192.168.0.0/24
Public Key
192.168.0.0/24
AS 42
EE Cert
ROA
Route Origin Authorization (ROA)
192.168.0.0/24
Public Key
Owning Cert CA
2009.06.15 5
0/0
Public Key
98.0.0.0/8 AS 0-4000
Public Key
98.128.0.0/16 AS 3130
Public Key
PSGnet
ARIN
IANA
98.128.0.0/24
AS 3130
ROA
98.128.1.0/24
AS 3130
ROA
98.128.2.0/24
AS 3130
ROA
98.128.3.0/24
AS 3130
ROA
98.128.4.0/24
AS 3130
ROA
Too Many EE Certs and ROAs, Yucchhy!
Announces 256 /24s
PSGnet /16 Experimental Allocation from ARIN
CA
CA
CA
98.128.0.0/24
Public Key
EE Cert 98.128.1.0/24
Public Key
EE Cert 98.128.2.0/24
Public Key
EE Cert 98.128.30/24
Public Key
EE Cert 98.128.4.0/24
Public Key
EE Cert
2009.06.15 6
0/0
Public Key
98.0.0.0/8
Public Key
98.128.0.0/16
Public Key
PSGnet
ARIN
IANA
98.128.0.0/16-24
AS 3130
ROA
ROA Aggregation Using Max Length 98.128.0.0/16
Public Key
EE Cert
CA
CA
CA
Big, Centralized, & Scary We Don’t Do This
2009.06.15 7
RPKI DataBase
IP Resource Certs ASN Resource Certs
Route Origin Attestations
2009.06.15 8
Distributed RPKI DataBase IANA IANA
ARIN ARIN APNIC APNIC
UUNET UUNET PSGnet PSGnet
UUcust UUcust
IIJ IIJ
A Player (CA) Publishes All Certificates Which
They Generate in Their Own Unique
Publication Point
SIA
SIA
SIA
SIA
RCynic Cache Gatherer
2009.06.15 9
RCynic Gatherer Validated
Cache
Trust Anchor
(cynical rsync)
IANA IANA
ARIN ARIN APNIC APNIC
UUNET UUNET PSGnet PSGnet
UUcust UUcust
IIJ IIJ
SIA
SIA
SIA
SIA
2009.06.15 10
Reliability Issue
Expensive To Fetch & Unreliable
Publication Point
IANA IANA
ARIN ARIN APNIC APNIC
UUNET UUNET PSGnet PSGnet
UUcust UUcust
IIJ IIJ
SIA
SIA
SIA
SIA
UUcust
2009.06.15 11
Reliability Via Hosted Publication
Reducing the Number of Publication Points Makes RCynic Much More Efficient
Repository with
Multiple Publication
Points
IANA IANA
ARIN ARIN APNIC APNIC
UUNET UUNET PSGnet
PSGnet
UUcust
IIJ IIJ
RPKI Relationships
2009.06.15 12
RIR ISP Contractual Cert Exchange of ISP's Business Key
ISP
Contractual Cert Exchange
End Site
Cert Exchange
Addr Attest
Rsch & Audit
Cache Cache Cache Cache
Global Routing Infrastructure
Distributed RPKI
DataBase
Running Code
And the Three RPKI Protocols
2009.06.15 13
2009.06.15 14
IR Back End
RPKI Engine
Left /Right Protocol
IR Back End
RPKI Engine
Left /Right Protocol
Simple Parent and
Simple Child
My Resources
Childs’ Resources
My Resources
Childs’ Resources
Up / Down Protocol
Registry Back Ends
Up / Down Protocol
Up / Down Protocol
2009.06.15 15
IR Back End
RPKI Engine
Left /Right Protocol
Hosting of
Stub Children
My Resources
42’s Resources 666’s Resources
ID=Me
RPKI Engine
ID=42
RPKI Engine
ID=666
Up / Down Protocol
2009.06.15 16
IR Back End
RPKI Engine
Left /Right Protocol
Hosting of a Sub-
Allocator
1’s Resources ID=Me
RPKI Engine
ID=42
RPKI Engine
ID=666
42’s Resources 42’s Childs’ Res 666’s Resources
666’s Childs’ Res
Up / Down Protocol
Up / Down Protocol
2009.06.15 17
Up / Down Protocol
Up / Down Protocol
IR Back End
RPKI Engine
Left /Right Protocol Hosting
of many Sub-
Allocators
1’s Resources
1/42’s Resources 1/666’s Resources
ID=1/Me
RPKI Engine
ID=1/42
RPKI Engine
ID=1/666
IR Back End
RPKI Engine
Left /Right Protocol
2’s Resources
2/42’s Resources 2/666’s Resources
ID=2/Me
RPKI Engine
ID=2/42
RPKI Engine
ID=2/666
IR Back End
RPKI Engine
Left /Right Protocol
3’s Resources
3/42’s Resources 3/666’s Resources
ID=3/Me
RPKI Engine
ID=3/42
RPKI Engine
ID=3/666
Up / Down Protocol
Up / Down Protocol
Up / Down Protocol
Up / Down Protocol
2009.06.15 18
IR Back End
[Hardware] Signing Module
IR RPKI
Priv Keys
Private RPKI Keys
Issued ROAs
My Misc Config Options
Public RPKI Keys
ID=Me ID=Me
RPKI Engine
Resource PKI IP Resource Certs
ASN Resource Certs Route Origin Attestations
Stub Provided
to be Hacked
Internal CA Data
Internal CA Data
XML Object Transport & Handler
Business Key/Cert
Management
Private IR Biz Trust Anchor Internal
CA Data
Up/Down EE Public Keys
Keys for Talking to
IR BackEnd
Certs Issued to
DownStreams
My Resources
My RightsToRoute
Repo Mgt
Up / Down Protocol
Up / Down Protocol
Publication Protocol
Left Right
Protocol Biz EE Signing Key(s)
Origin Validation • Prevent YouTube incident • Prevent 7007 accident • Prevents most accidental announcements • Does not prevent malicious path attacks
such as the Kapela/Pilosov attack • That requires “Path Validation” and
locking the data plane to the control plane, the next steps
2009.06.15 19
RPKI -> Router
2009.06.15 20
the net
RCynic Gatherer
RPKI to Rtr
Protocol
In PoP
BGP Decision Process
The Fourth Protocol (origin validation only)
Cache / Server
Origin Only Validation • Vendors are coding Origin Validation now • We are exchanging clue with them • We are doing research on estimation of
compute and traffic loads • Vendors will not do Path Validation if not
first comfortable with Origin • Need to get all vendors on board
2009.06.15 21
The Contentious Bits • Detestations / BOAs – assert that some
space may not be announced by anyone • This is not needed
• Root Trust Anchors – The RIRs demand independence from ICANN / DoC
• This is causing a technical kludge which is more open to error
2009.06.15 22
2009.06.15 23
Allocation in Reality
My Infrastructure
Unused Static (non BGP) Cust
BGP Cust
2009.06.15 24
ROA Use
My Aggregate ROA
Customer ROAs
I Generate for ‘Lazy’ Customer My Infrastructure
Unused Static (non BGP) Cust
BGP Cust
2009.06.15 25
0/0
Public Key
APNIC
Public Key
ARIN
Public Key
LACNIC
Public Key
ARIN APNIC LACNIC
IANA
AP AfriNIC
Public Key
RIPE
Public Key
RIPE AfriNIC
IANA
Public Key
APNIC
Public Key
ARIN
Public Key
LACNIC
Public Key
ARIN APNIC LACNIC IANA
AP AfriNIC
Public Key
RIPE
Public Key
RIPE AfriNIC
Single Trust Anchor
Multiple Trust Anchors
Their Job is Uniqueness!
Highly Vulnerable to Overlap and Gaps
2009.06.15 26
IR Back End
[Hardware] Signing Module
IR RPKI
Priv Keys
Private RPKI Keys
Issued ROAs
My Misc Config Options
Public RPKI Keys
ID=Me ID=Me
RPKI Engine
Resource PKI IP Resource Certs
ASN Resource Certs Route Origin Attestations
Stub Provided
to be Hacked
Internal CA Data
Internal CA Data
XML Object Transport & Handler
Business Key/Cert
Management
Private IR Biz Trust Anchor Internal
CA Data
Keys for Talking to
IR BackEnd
Certs Issued to
DownStreams
My Resources
My RightsToRoute
Repo Mgt
Up / Down Protocol
Up / Down Protocol
Publication Protocol
Left Right
Protocol
Prototyping a Basic
Back End
Up/Down EE Public Keys
Biz EE Signing
Key
Work Supported By
DHS / ARO / ARL Contract W911NF-05-C-0113
Internet Initiative Japan
ARIN 2009.06.15 27
![Limiting the Power of RPKI Authorities · RPKI is a prerequisite for BGPSec [RFC 8205] that provides path validation. 3/19. Delegated and Hosted RPKI Delegated RPKI ... Trust Anchor](https://img.pdfslide.net/doc/110x75/5fbcbb49efb8a823413ea78d/limiting-the-power-of-rpki-authorities-rpki-is-a-prerequisite-for-bgpsec-rfc-8205.jpg)
