APNIC's Resource Certification Service

APNIC
APNICAPNIC
Issue Date: Revision: APNIC Resource Certification Service Tuan Nguyen [31 May 2014] [4]
Internet Routing Security •  Routing security is essential to integrity of the Internet –  Need to improve security of inter-domain routing •  Who has the authority to advertise information into the routing system? •  The majority of network relationships are based on system of mutual trust –  Each party trusts that routes used to transmit information are safe •  The trust model is increasingly open to potential abuse and attack 2
About RPKI •  An architecture to support improved security of Internet routing using PKI infrastructure •  A robust security framework for verifying the association between resource holders and their Internet resources –  “Cryptographically verifiable attestations” for IP address delegations and their use •  This architecture is called Resource Public Key Infrastructure (RPKI) 3
Resource Delegation Hierarchy IANA AFRINIC RIPE NCC ARIN APNIC LACNIC NIR1 NIR2 ISP ISP ISP ISP ISP ISP ISP
About RPKI •  “Trustable authority” mirrors the administrative resource allocation hierarchy with certificates that match current resource delegations •  A resource holder operating a sub-delegation registry (for example, an LIR) may use an RPKI system to generate certificates that correspond to these delegations –  Grant a unique “right-of-use” for the associated set of IP resources 5
About RPKI •  These certificates are called resource certificates and they conform to X.509 PKIX standards •  RPKI is not used to validate attestations of an individual’s identity or that individual’s role, but as a means to validate that person’s authority to use IP address resources •  An RPKI resource certificate is required to enable a resource holder to issue “Route Origination Authorizations” (ROAs) 6
What is a ROA? •  It is a digital object that contains a list of address prefixes and one AS number •  It is an authority created by a prefix holder to authorize an AS number to originate one or more specific route advertisements •  It does not contain any routing policy information, nor does it convey whether or not the AS holder has even consented to actually announce the prefix(es) into the routing system
APNIC’s RPKI Service •  Enhancement to the RIRs –  Offers verifiable proof of resources holdings •  Resource certification is an opt-in service –  Resource holders choose to request a certificate and provide their public key to be certified •  APNIC has integrated the RPKI management service into MyAPNIC for APNIC Member use 8
What you need to know •  You are encouraged to experiment, test, play and develop –  For example, you can create your ROAs •  RPKI standards are still being developed, and the operating environment for RPKI use is still fragile •  It’s ready for testing and prototyping, but is probably not ready for production use just yet •  Please tell us what you find but don’t rely on it in your network yet
MyAPNIC - Resource Certification Service
MyAPNIC-Resource Certification 11
MyAPNIC-Resource Certification 12
MyAPNIC-Resource Certification 13
MyAPNIC-Resource Certification 14
MyAPNIC-Resource Certification 15
MyAPNIC-Resource Certification 16
More RPKI Information •  Securing BGP –  The Internet Protocol Journal, Volume 14, No. 2 •  An Infrastructure to Support Secure Internet Routing –  RFC6480 •  A Reappraisal of Validation in the RPKI –  labs.apnic.net/blabs •  An Introduction to Routing Security (and RPKI tools) –  labs.apnic.net/presentations/store/2013-05-13-rpki.pdf •  MyAPNIC Resource Certification Guide –  www.apnic.net/myapnic 17
Questions or Comments?
THANK YOU www.facebook.com/APNIC www.twitter.com/apnic www.youtube.com/apnicmultimedia www.flickr.com/apnic www.weibo.com/APNICrir
1 of 19

APNIC's Resource Certification Service

Download to read offline
Internet

An overview of Resource Public Key Infrastructure (RPKI) a service APNIC offers to its Members to help secure inter-domain routing.

APNIC
APNICAPNIC

Recommended

How APNIC can support law enforcement agencies in cybercrime investigtaion by
How APNIC can support law enforcement agencies in cybercrime investigtaionHow APNIC can support law enforcement agencies in cybercrime investigtaion
How APNIC can support law enforcement agencies in cybercrime investigtaionAPNIC
2.9K views30 slides
34 - IDNOG03 - Fakrul Alam (APNIC) - Securing Global Routing System and Oper... by
34 - IDNOG03 - Fakrul Alam (APNIC) - Securing Global Routing System and Oper...34 - IDNOG03 - Fakrul Alam (APNIC) - Securing Global Routing System and Oper...
34 - IDNOG03 - Fakrul Alam (APNIC) - Securing Global Routing System and Oper...Indonesia Network Operators Group
656 views24 slides
APNIC Update: ARIN 37 by
APNIC Update: ARIN 37APNIC Update: ARIN 37
APNIC Update: ARIN 37Bhadrika Magan
266 views38 slides
IPv6 Adoption by ASEAN Government Agencies by
IPv6 Adoption by ASEAN Government AgenciesIPv6 Adoption by ASEAN Government Agencies
IPv6 Adoption by ASEAN Government AgenciesAPNIC
670 views21 slides
APNIC Policy Update, LACNIC 26 by
APNIC Policy Update, LACNIC 26APNIC Policy Update, LACNIC 26
APNIC Policy Update, LACNIC 26APNIC
386 views6 slides
IDNOG 2: AS interconnection in indonesia by
IDNOG 2: AS interconnection in indonesiaIDNOG 2: AS interconnection in indonesia
IDNOG 2: AS interconnection in indonesiaAPNIC
1.1K views43 slides

More Related Content

What's hot

Route Origin Authorization (ROA) using RPKI by
Route Origin Authorization (ROA) using RPKIRoute Origin Authorization (ROA) using RPKI
Route Origin Authorization (ROA) using RPKIAPNIC
3.8K views18 slides
Introduction to RPKI - MyNOG by
Introduction to RPKI - MyNOGIntroduction to RPKI - MyNOG
Introduction to RPKI - MyNOGSiena Perry
1.4K views28 slides
Whois - Addressing the Asia Pacifc by
Whois - Addressing the Asia PacifcWhois - Addressing the Asia Pacifc
Whois - Addressing the Asia PacifcAPNIC
657 views39 slides
APNIC Update, NPNOG 0.5 by
APNIC Update, NPNOG 0.5APNIC Update, NPNOG 0.5
APNIC Update, NPNOG 0.5APNIC
625 views33 slides
APNIC Update for ARIN 35 by
APNIC Update for ARIN 35APNIC Update for ARIN 35
APNIC Update for ARIN 35APNIC
1.3K views33 slides
Whois organization object by
Whois organization objectWhois organization object
Whois organization objectAPNIC
753 views11 slides

What's hot(20)

Route Origin Authorization (ROA) using RPKI by APNIC
Route Origin Authorization (ROA) using RPKIRoute Origin Authorization (ROA) using RPKI
Route Origin Authorization (ROA) using RPKI
APNIC3.8K views
Introduction to RPKI - MyNOG by Siena Perry
Introduction to RPKI - MyNOGIntroduction to RPKI - MyNOG
Introduction to RPKI - MyNOG
Siena Perry1.4K views
Whois - Addressing the Asia Pacifc by APNIC
Whois - Addressing the Asia PacifcWhois - Addressing the Asia Pacifc
Whois - Addressing the Asia Pacifc
APNIC657 views
APNIC Update, NPNOG 0.5 by APNIC
APNIC Update, NPNOG 0.5APNIC Update, NPNOG 0.5
APNIC Update, NPNOG 0.5
APNIC625 views
APNIC Update for ARIN 35 by APNIC
APNIC Update for ARIN 35APNIC Update for ARIN 35
APNIC Update for ARIN 35
APNIC1.3K views
Whois organization object by APNIC
Whois organization objectWhois organization object
Whois organization object
APNIC753 views
HKNOG1.1 presentation by APNIC
HKNOG1.1 presentationHKNOG1.1 presentation
HKNOG1.1 presentation
APNIC1.1K views
npNOG 2: APNIC activity report by APNIC
npNOG 2: APNIC activity reportnpNOG 2: APNIC activity report
npNOG 2: APNIC activity report
APNIC722 views
IDNOG 2: IPv4 Transfers by APNIC
IDNOG 2: IPv4 TransfersIDNOG 2: IPv4 Transfers
IDNOG 2: IPv4 Transfers
APNIC1.3K views
Introduction to RPKI by APNIC
Introduction to RPKIIntroduction to RPKI
Introduction to RPKI
APNIC1.4K views
BKNIX Peering Forum: Quick introduction of HKIX by APNIC
BKNIX Peering Forum: Quick introduction of HKIXBKNIX Peering Forum: Quick introduction of HKIX
BKNIX Peering Forum: Quick introduction of HKIX
APNIC511 views
Securing global routing system and operators approach by APNIC
Securing global routing system and operators approachSecuring global routing system and operators approach
Securing global routing system and operators approach
APNIC817 views
CommuniCast 2014: Connecting your business to the Internet by APNIC
CommuniCast 2014: Connecting your business to the InternetCommuniCast 2014: Connecting your business to the Internet
CommuniCast 2014: Connecting your business to the Internet
APNIC1.9K views
RPKI - 5W2H [APRICOT 2015] by APNIC
RPKI - 5W2H [APRICOT 2015]RPKI - 5W2H [APRICOT 2015]
RPKI - 5W2H [APRICOT 2015]
APNIC2.2K views
APNIC Technical Assistance Service, IDNIC OPM 2016 by APNIC
APNIC Technical Assistance Service, IDNIC OPM 2016APNIC Technical Assistance Service, IDNIC OPM 2016
APNIC Technical Assistance Service, IDNIC OPM 2016
APNIC662 views
IGFA 2017: IPv6 deployment by APNIC
IGFA 2017: IPv6 deploymentIGFA 2017: IPv6 deployment
IGFA 2017: IPv6 deployment
APNIC687 views
IPv4 Transfers, Taiwan Internet Forum by APNIC
IPv4 Transfers, Taiwan Internet ForumIPv4 Transfers, Taiwan Internet Forum
IPv4 Transfers, Taiwan Internet Forum
APNIC908 views
How the Internet works...and why by APNIC
How the Internet works...and whyHow the Internet works...and why
How the Internet works...and why
APNIC905 views
IANA Stewardship Transition Consultation - APNIC 38 by APNIC
IANA Stewardship Transition Consultation - APNIC 38IANA Stewardship Transition Consultation - APNIC 38
IANA Stewardship Transition Consultation - APNIC 38
APNIC6.7K views
ARM 7: ROA session by APNIC
ARM 7: ROA sessionARM 7: ROA session
ARM 7: ROA session
APNIC1.1K views

Similar to APNIC's Resource Certification Service

09 (IDNOG01) Introduction about APNIC by Wita Laksono by
09 (IDNOG01) Introduction about APNIC by Wita Laksono09 (IDNOG01) Introduction about APNIC by Wita Laksono
09 (IDNOG01) Introduction about APNIC by Wita LaksonoIndonesia Network Operators Group
854 views35 slides
PCTA Convention 2023: APNIC Introduction by
PCTA Convention 2023: APNIC IntroductionPCTA Convention 2023: APNIC Introduction
PCTA Convention 2023: APNIC IntroductionAPNIC
265 views22 slides
PCTA Convention 2023: APNIC Introduction by
PCTA Convention 2023: APNIC IntroductionPCTA Convention 2023: APNIC Introduction
PCTA Convention 2023: APNIC IntroductionAPNIC
265 views22 slides
APNIC's role in stability and security - 4th APT Cybersecurity Forum by
APNIC's role in stability and security - 4th APT Cybersecurity ForumAPNIC's role in stability and security - 4th APT Cybersecurity Forum
APNIC's role in stability and security - 4th APT Cybersecurity ForumAPNIC
581 views40 slides
Cybersecurity Opportunities Challenges APNIC by
Cybersecurity Opportunities Challenges APNICCybersecurity Opportunities Challenges APNIC
Cybersecurity Opportunities Challenges APNICAPNIC
1.6K views22 slides
KHNOG 5: APNIC Services by
KHNOG 5: APNIC ServicesKHNOG 5: APNIC Services
KHNOG 5: APNIC ServicesAPNIC
414 views15 slides

Similar to APNIC's Resource Certification Service(20)

09 (IDNOG01) Introduction about APNIC by Wita Laksono by Indonesia Network Operators Group
09 (IDNOG01) Introduction about APNIC by Wita Laksono09 (IDNOG01) Introduction about APNIC by Wita Laksono
09 (IDNOG01) Introduction about APNIC by Wita Laksono
Indonesia Network Operators Group854 views
PCTA Convention 2023: APNIC Introduction by APNIC
PCTA Convention 2023: APNIC IntroductionPCTA Convention 2023: APNIC Introduction
PCTA Convention 2023: APNIC Introduction
APNIC265 views
PCTA Convention 2023: APNIC Introduction by APNIC
PCTA Convention 2023: APNIC IntroductionPCTA Convention 2023: APNIC Introduction
PCTA Convention 2023: APNIC Introduction
APNIC265 views
APNIC's role in stability and security - 4th APT Cybersecurity Forum by APNIC
APNIC's role in stability and security - 4th APT Cybersecurity ForumAPNIC's role in stability and security - 4th APT Cybersecurity Forum
APNIC's role in stability and security - 4th APT Cybersecurity Forum
APNIC581 views
Cybersecurity Opportunities Challenges APNIC by APNIC
Cybersecurity Opportunities Challenges APNICCybersecurity Opportunities Challenges APNIC
Cybersecurity Opportunities Challenges APNIC
APNIC1.6K views
KHNOG 5: APNIC Services by APNIC
KHNOG 5: APNIC ServicesKHNOG 5: APNIC Services
KHNOG 5: APNIC Services
APNIC414 views
APNIC services and Policy Development Process | IDNOG 5 by APNIC
APNIC services and Policy Development Process | IDNOG 5APNIC services and Policy Development Process | IDNOG 5
APNIC services and Policy Development Process | IDNOG 5
APNIC443 views
Peering Asia 2.0: RPKI for Peering by APNIC
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for Peering
APNIC580 views
APAN 50: RPKI industry trends and initiatives by APNIC
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives
APNIC796 views
APNIC Member Services by APNIC
APNIC Member ServicesAPNIC Member Services
APNIC Member Services
APNIC290 views
LEA Workshop dated 09052013 by APNIC
LEA Workshop dated 09052013LEA Workshop dated 09052013
LEA Workshop dated 09052013
APNIC517 views
Internet Resource Management Tutorial at SANOG 24 by APNIC
Internet Resource Management Tutorial at SANOG 24Internet Resource Management Tutorial at SANOG 24
Internet Resource Management Tutorial at SANOG 24
APNIC2.4K views
HKNOG 7.0: RPKI - it's time to start deploying it by APNIC
HKNOG 7.0: RPKI - it's time to start deploying itHKNOG 7.0: RPKI - it's time to start deploying it
HKNOG 7.0: RPKI - it's time to start deploying it
APNIC1.3K views
LEA Workshop 11/12/2013 by APNIC
LEA Workshop 11/12/2013LEA Workshop 11/12/2013
LEA Workshop 11/12/2013
APNIC440 views
ARIN 35 Tutorial: How to certify your ARIN resources with RPKI by ARIN
ARIN 35 Tutorial: How to certify your ARIN resources with RPKIARIN 35 Tutorial: How to certify your ARIN resources with RPKI
ARIN 35 Tutorial: How to certify your ARIN resources with RPKI
ARIN616 views
RPKI Overview, Case Studies, Deployment and Operations by APNIC
RPKI Overview, Case Studies, Deployment and OperationsRPKI Overview, Case Studies, Deployment and Operations
RPKI Overview, Case Studies, Deployment and Operations
APNIC183 views
34th TWNIC OPM: APNIC Policy Implementation Update by APNIC
34th TWNIC OPM: APNIC Policy Implementation Update34th TWNIC OPM: APNIC Policy Implementation Update
34th TWNIC OPM: APNIC Policy Implementation Update
APNIC154 views
Introduction to RPKI by Sheryl (Shane) Hermoso by MyNOG
Introduction to RPKI by Sheryl (Shane) HermosoIntroduction to RPKI by Sheryl (Shane) Hermoso
Introduction to RPKI by Sheryl (Shane) Hermoso
MyNOG1.6K views
MMIX Peering Forum and MMNOG 2020: Securing your resources with RPKI and IRT by APNIC
MMIX Peering Forum and MMNOG 2020: Securing your resources with RPKI and IRTMMIX Peering Forum and MMNOG 2020: Securing your resources with RPKI and IRT
MMIX Peering Forum and MMNOG 2020: Securing your resources with RPKI and IRT
APNIC104 views
APNIC Regional Update: PacINET 2014 by APNIC
APNIC Regional Update: PacINET 2014APNIC Regional Update: PacINET 2014
APNIC Regional Update: PacINET 2014
APNIC537 views

More from APNIC

IETF 118: Starlink Protocol Performance by
IETF 118: Starlink Protocol PerformanceIETF 118: Starlink Protocol Performance
IETF 118: Starlink Protocol PerformanceAPNIC
244 views22 slides
HKNOG 12.0: RPKI Actions Required by HK Networks by
HKNOG 12.0: RPKI Actions Required by HK NetworksHKNOG 12.0: RPKI Actions Required by HK Networks
HKNOG 12.0: RPKI Actions Required by HK NetworksAPNIC
466 views26 slides
KHNOG 5: RPKI Status Update by
KHNOG 5: RPKI Status UpdateKHNOG 5: RPKI Status Update
KHNOG 5: RPKI Status UpdateAPNIC
401 views25 slides
PITA Strategy Forum 2023: Internet resilience by
PITA Strategy Forum 2023: Internet resiliencePITA Strategy Forum 2023: Internet resilience
PITA Strategy Forum 2023: Internet resilienceAPNIC
438 views7 slides
SANOG 40: DDoS in South Asia by
SANOG 40: DDoS in South AsiaSANOG 40: DDoS in South Asia
SANOG 40: DDoS in South AsiaAPNIC
350 views52 slides
SANOG 40: RPKI in South Asia by
SANOG 40: RPKI in South AsiaSANOG 40: RPKI in South Asia
SANOG 40: RPKI in South AsiaAPNIC
351 views16 slides

More from APNIC(20)

IETF 118: Starlink Protocol Performance by APNIC
IETF 118: Starlink Protocol PerformanceIETF 118: Starlink Protocol Performance
IETF 118: Starlink Protocol Performance
APNIC244 views
HKNOG 12.0: RPKI Actions Required by HK Networks by APNIC
HKNOG 12.0: RPKI Actions Required by HK NetworksHKNOG 12.0: RPKI Actions Required by HK Networks
HKNOG 12.0: RPKI Actions Required by HK Networks
APNIC466 views
KHNOG 5: RPKI Status Update by APNIC
KHNOG 5: RPKI Status UpdateKHNOG 5: RPKI Status Update
KHNOG 5: RPKI Status Update
APNIC401 views
PITA Strategy Forum 2023: Internet resilience by APNIC
PITA Strategy Forum 2023: Internet resiliencePITA Strategy Forum 2023: Internet resilience
PITA Strategy Forum 2023: Internet resilience
APNIC438 views
SANOG 40: DDoS in South Asia by APNIC
SANOG 40: DDoS in South AsiaSANOG 40: DDoS in South Asia
SANOG 40: DDoS in South Asia
APNIC350 views
SANOG 40: RPKI in South Asia by APNIC
SANOG 40: RPKI in South AsiaSANOG 40: RPKI in South Asia
SANOG 40: RPKI in South Asia
APNIC351 views
RenasCON 2023: Learning from honeypots by APNIC
RenasCON 2023: Learning from honeypotsRenasCON 2023: Learning from honeypots
RenasCON 2023: Learning from honeypots
APNIC428 views
IGF 2023: DNS Privacy by APNIC
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS Privacy
APNIC429 views
MNSEC Conference 2023: Mining Bots by APNIC
MNSEC Conference 2023: Mining BotsMNSEC Conference 2023: Mining Bots
MNSEC Conference 2023: Mining Bots
APNIC423 views
VNIX-NOG 2023: IPv6 Deployment in government networks by APNIC
VNIX-NOG 2023: IPv6 Deployment in government networksVNIX-NOG 2023: IPv6 Deployment in government networks
VNIX-NOG 2023: IPv6 Deployment in government networks
APNIC429 views
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids by APNIC
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalidsVNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids
APNIC424 views
SGNOG 10: IPv6 Insights in South East Asia by APNIC
SGNOG 10: IPv6 Insights in South East AsiaSGNOG 10: IPv6 Insights in South East Asia
SGNOG 10: IPv6 Insights in South East Asia
APNIC416 views
mnNOG 5: Open source SD-WAN by APNIC
mnNOG 5: Open source SD-WANmnNOG 5: Open source SD-WAN
mnNOG 5: Open source SD-WAN
APNIC482 views
mnNOG 2023: State of IPv6 in Mongolia by APNIC
mnNOG 2023: State of IPv6 in MongoliamnNOG 2023: State of IPv6 in Mongolia
mnNOG 2023: State of IPv6 in Mongolia
APNIC933 views
mnNOG 2023: On GEOs, LEOs and Starlink by APNIC
mnNOG 2023: On GEOs, LEOs and StarlinkmnNOG 2023: On GEOs, LEOs and Starlink
mnNOG 2023: On GEOs, LEOs and Starlink
APNIC496 views
AusNOG 2023: RPKI and whois updates by APNIC
AusNOG 2023: RPKI and whois updatesAusNOG 2023: RPKI and whois updates
AusNOG 2023: RPKI and whois updates
APNIC566 views
AusNOG 2023: A quick look at QUIC by APNIC
AusNOG 2023: A quick look at QUICAusNOG 2023: A quick look at QUIC
AusNOG 2023: A quick look at QUIC
APNIC583 views
APrIGF 2023: Sustainability of Complementary Connectivity Initiatives by APNIC
APrIGF 2023: Sustainability of Complementary Connectivity InitiativesAPrIGF 2023: Sustainability of Complementary Connectivity Initiatives
APrIGF 2023: Sustainability of Complementary Connectivity Initiatives
APNIC607 views
APAN 56: APNIC Report by APNIC
APAN 56: APNIC Report APAN 56: APNIC Report
APAN 56: APNIC Report
APNIC293 views
2023 NCIT: Introduction to Intrusion Detection by APNIC
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection
APNIC172 views

Recently uploaded

DU Series - Day 4.pptx by
DU Series - Day 4.pptxDU Series - Day 4.pptx
DU Series - Day 4.pptxUiPathCommunity
100 views28 slides
information by
informationinformation
informationkhelgishekhar
8 views4 slides
Marketing and Community Building in Web3 by
Marketing and Community Building in Web3Marketing and Community Building in Web3
Marketing and Community Building in Web3Federico Ast
12 views64 slides
Is Entireweb better than Google by
Is Entireweb better than GoogleIs Entireweb better than Google
Is Entireweb better than Googlesebastianthomasbejan
12 views1 slide
How to think like a threat actor for Kubernetes.pptx by
How to think like a threat actor for Kubernetes.pptxHow to think like a threat actor for Kubernetes.pptx
How to think like a threat actor for Kubernetes.pptxLibbySchulze1
5 views33 slides
WEB 2.O TOOLS: Empowering education.pptx by
WEB 2.O TOOLS: Empowering education.pptxWEB 2.O TOOLS: Empowering education.pptx
WEB 2.O TOOLS: Empowering education.pptxnarmadhamanohar21
16 views16 slides

Recently uploaded(9)

DU Series - Day 4.pptx by UiPathCommunity
DU Series - Day 4.pptxDU Series - Day 4.pptx
DU Series - Day 4.pptx
UiPathCommunity100 views
information by khelgishekhar
informationinformation
information
khelgishekhar8 views
Marketing and Community Building in Web3 by Federico Ast
Marketing and Community Building in Web3Marketing and Community Building in Web3
Marketing and Community Building in Web3
Federico Ast12 views
Is Entireweb better than Google by sebastianthomasbejan
Is Entireweb better than GoogleIs Entireweb better than Google
Is Entireweb better than Google
sebastianthomasbejan12 views
How to think like a threat actor for Kubernetes.pptx by LibbySchulze1
How to think like a threat actor for Kubernetes.pptxHow to think like a threat actor for Kubernetes.pptx
How to think like a threat actor for Kubernetes.pptx
LibbySchulze15 views
WEB 2.O TOOLS: Empowering education.pptx by narmadhamanohar21
WEB 2.O TOOLS: Empowering education.pptxWEB 2.O TOOLS: Empowering education.pptx
WEB 2.O TOOLS: Empowering education.pptx
narmadhamanohar2116 views
PORTFOLIO 1 (Bret Michael Pepito).pdf by brejess0410
PORTFOLIO 1 (Bret Michael Pepito).pdfPORTFOLIO 1 (Bret Michael Pepito).pdf
PORTFOLIO 1 (Bret Michael Pepito).pdf
brejess04108 views
UiPath Document Understanding_Day 3.pptx by UiPathCommunity
UiPath Document Understanding_Day 3.pptxUiPath Document Understanding_Day 3.pptx
UiPath Document Understanding_Day 3.pptx
UiPathCommunity103 views
Building trust in our information ecosystem: who do we trust in an emergency by Tina Purnat
Building trust in our information ecosystem: who do we trust in an emergencyBuilding trust in our information ecosystem: who do we trust in an emergency
Building trust in our information ecosystem: who do we trust in an emergency
Tina Purnat98 views

APNIC's Resource Certification Service

  • 1. Issue Date: Revision: APNIC Resource Certification Service Tuan Nguyen [31 May 2014] [4]
  • 2. Internet Routing Security •  Routing security is essential to integrity of the Internet –  Need to improve security of inter-domain routing •  Who has the authority to advertise information into the routing system? •  The majority of network relationships are based on system of mutual trust –  Each party trusts that routes used to transmit information are safe •  The trust model is increasingly open to potential abuse and attack 2
  • 3. About RPKI •  An architecture to support improved security of Internet routing using PKI infrastructure •  A robust security framework for verifying the association between resource holders and their Internet resources –  “Cryptographically verifiable attestations” for IP address delegations and their use •  This architecture is called Resource Public Key Infrastructure (RPKI) 3
  • 4. Resource Delegation Hierarchy IANA AFRINIC RIPE NCC ARIN APNIC LACNIC NIR1 NIR2 ISP ISP ISP ISP ISP ISP ISP
  • 5. About RPKI •  “Trustable authority” mirrors the administrative resource allocation hierarchy with certificates that match current resource delegations •  A resource holder operating a sub-delegation registry (for example, an LIR) may use an RPKI system to generate certificates that correspond to these delegations –  Grant a unique “right-of-use” for the associated set of IP resources 5
  • 6. About RPKI •  These certificates are called resource certificates and they conform to X.509 PKIX standards •  RPKI is not used to validate attestations of an individual’s identity or that individual’s role, but as a means to validate that person’s authority to use IP address resources •  An RPKI resource certificate is required to enable a resource holder to issue “Route Origination Authorizations” (ROAs) 6
  • 7. What is a ROA? •  It is a digital object that contains a list of address prefixes and one AS number •  It is an authority created by a prefix holder to authorize an AS number to originate one or more specific route advertisements •  It does not contain any routing policy information, nor does it convey whether or not the AS holder has even consented to actually announce the prefix(es) into the routing system
  • 8. APNIC’s RPKI Service •  Enhancement to the RIRs –  Offers verifiable proof of resources holdings •  Resource certification is an opt-in service –  Resource holders choose to request a certificate and provide their public key to be certified •  APNIC has integrated the RPKI management service into MyAPNIC for APNIC Member use 8
  • 9. What you need to know •  You are encouraged to experiment, test, play and develop –  For example, you can create your ROAs •  RPKI standards are still being developed, and the operating environment for RPKI use is still fragile •  It’s ready for testing and prototyping, but is probably not ready for production use just yet •  Please tell us what you find but don’t rely on it in your network yet
  • 17. More RPKI Information •  Securing BGP –  The Internet Protocol Journal, Volume 14, No. 2 •  An Infrastructure to Support Secure Internet Routing –  RFC6480 •  A Reappraisal of Validation in the RPKI –  labs.apnic.net/blabs •  An Introduction to Routing Security (and RPKI tools) –  labs.apnic.net/presentations/store/2013-05-13-rpki.pdf •  MyAPNIC Resource Certification Guide –  www.apnic.net/myapnic 17