Cybersecurity Opportunities Challenges APNIC


Published on

Discussion of cybersecurity opportunities and challenges and how APNIC can assist with RPKI, DNSSEC, and BCP 38 implementation to help secure the Internet's infrastructure.

Published in: Internet
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Cybersecurity Opportunities Challenges APNIC

  1. 1. Issue Date: Revision: Cyber Security Opportunities and Challenges Adli Wahid Security Specialist, APNIC 5th APT Cyber Security Forum, 27-29 May 2014 27 May 2014 2
  2. 2. Agenda •  Overview of APNIC •  Opportunities and challenges –  Source address validation (Best Current Practice (BCP) 38) –  Securing the Internet with Resource Certification –  Effective incident response and handling (APNIC Whois Database) –  Awareness and education •  The way forward 2
  3. 3. Overview 3 APNIC’s Vision: “A global, open, stable, and secure Internet that serves the entire Asia Pacific community” Serving APNIC Members Supporting Internet development in the Asia Pacific region Collaborating with the Internet community
  4. 4. 4
  5. 5. APNIC’s Mission •  Function as the RIR for the Asia Pacific, in the service of the community of Members and others •  Provide Internet registry services to the highest possible standards of trust, neutrality, and accuracy •  Provide information, training, and supporting services to assist the community in building and managing the Internet •  Support critical Internet infrastructure to assist in creating and maintaining a robust Internet environment •  Provide leadership and advocacy in support of its vision and the community •  Facilitate regional Internet development as needed throughout the APNIC community 5
  6. 6. Strategic Engagement 6 •  NOGs, NIR OPMs, I*, CERTs, ISOC Chapters, PACINET, PICISOC, PTC Technical community •  APEC-TEL 47 and 48, ITU WTPF, APT, WSIS+10, ITU Connect Asia Pacific Summit, ITU Telecom World 2013, APEC TEL 49, NETmundial Governmental •  National IGFs (Nethui, auIGF), APrIGF •  Bali IGF - significant support given for fundraising and logistics IGF
  7. 7. Opportunities and Challenges 7
  8. 8. Opportunities and Challenges •  Government institutions, CERTs, Law Enforcement Agencies (LEAs) and stakeholders have been collaborating all along •  What else needs to be done? •  What are the opportunities and challenges?
  9. 9. BEST CURRENT PRACTICES Internet Resources Management
  10. 10. Source Address Validation (BCP 38) •  Problem –  Network providers allow traffic from IP addresses that they do not hold –  As a result it is trivial to spoof IP addresses –  This enables attacks such as the DDoS Reflection/Amplification •  Recipe for Amplification attacks –  Network that allows source IP spoofing –  Network services that respond to non-customer requests •  This is not new –  BCP 38 has been around since 2000 (RFC 2827) –  Also known as Network Ingress Filtering •  Is your provider allowing source address spoofing? –  Source Address Validation Everywhere! (SAVE)
  11. 11. BCP 38 Ingress Packet Filtering 11 Internet ISP ISP’s Customer Allocation Block: BCP 38 Filter = Allow only source addresses from the customer’s 96.0.X.X/24 BCP 38 Applied Here Credit:
  12. 12. Resource Certification with RPKI •  Resource Public Key Infrastructure –  Security framework to verify the association between specific IP address blocks or Autonomous System (AS) numbers and the holders of the resources –  Uses digital certificates and Public Key cryptography •  Essential because: –  Improves security of inter-domain routing. Currently, it’s based on mutual trust –  Can prove authoritatively who uses an IP address block and what AS has announced it •  Prevents mis-origination or “Route Hijacking” –  When an entity participating in Internet routing announces a prefix without authorization (either mistake or malicious intention) 12
  13. 13. 13 ISP A ISP B ISP E My AS number is 1001 My prefix is My AS number is 1001 My prefix is
  14. 14. Resource Certification Benefits •  Routing information corresponds to properly delegated address resources •  Resource certification gives resource holders proof that they hold certain resources •  Resource holders can attest to those resources when distributing them •  Resource certification is a highly robust means of preventing the injection of false information into the Internet’s routing system 14
  15. 15. Resource Certification with RPKI •  Role of APNIC – Acts as Certificate Authority, attests that the certificate belong to the identified party – Issues RPKI certificates to APNIC Members 15
  16. 16. Whois Database – Improving Incident Response and Handling •  Security incidents happen and timely response is critical •  The Incident Response Team (IRT) object requires resource holders to provide contact information •  There are opportunities to: –  Enhance incident response and handling capabilities –  Provide additional information for escalation (i.e. National CSIRT/CERT or relevant agency) –  Report invalid contact information 16
  17. 17. 17 inetnum: - netname: SKYCC descr: SKYCC, VoIP and ISP, Ulaanbaatar, Mongolia country: MN admin-c: SD635-AP tech-c: TB231-AP status: ALLOCATED PORTABLE remarks: ************************************************************* remarks: This object can only modify by APNIC hostmaster remarks: If you wish to modify this object details please remarks: send email to with your organisation remarks: account in the subject line. remarks: ************************************************************* changed: 20030708 mnt-by: APNIC-HM mnt-lower: MAINT-MN-SKYCC mnt-routes: MAINT-MN-SKYCC mnt-irt: IRT-SKYCC-MN changed: 20081114 changed: 20130611 source: APNIC irt: IRT-SKYCC-MN address: Sukhbaatar District-1, address: Chinggis Khan Avenue-9, address: Skytel Plaza building, address: Ulaanbaatar-13, e-mail: abuse-mailbox: admin-c: SD635-AP tech-c: TB231-AP auth: # Filtered mnt-by: MAINT-MN-SKYCC changed: 20101210 source: APNIC IRT contact
  18. 18. Awareness and Education •  Reaching out to operators (resource holders) and relevant stakeholders is important to create awareness and ability to apply best current practices •  Challenges: –  Cost and availability of subject matter experts •  APNIC provides training at events across the region as well as online – •  Topics include –  BGP, IPv6, DNSSEC, Network Security and much more 18
  19. 19. Recent and Upcoming Events •  Bangladesh Network Operators Group 1 Workshop and Conference –  19 – 24 May 2014 in Dhaka, Bangladesh –  3-day Workshops, 1-day tutorial and 2-day conference –  90 participants for 3 workshops •  Network Security •  Routing/BGP •  Virtualization •  Internet Investigation Training Day –  9 July 2014, New Zealand –  1-day tutorial on how the Internet works –  Focused on LEA engagement –  Collaboration with ICANN, APTLD, .nz DNC, New Zealand police 19
  20. 20. The Way Forward •  Infrastructure security issues are part of the bigger picture and must be addressed •  The full impact of security controls may only be realized if everyone implements them –  Relevant stakeholders and operators must make things happen •  Awareness and education activities are at the core of all of the above •  Let’s work together! 20
  21. 21. You’re Invited! •  APNIC 38: Brisbane, Australia, 9-19 Sep 2014 •  APRICOT 2015: Fukuoka, Japan, 24 Feb-6 Mar 2015 21
  22. 22. THANK YOU