Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

RPKI Service Updates by Brenda Buwu

76 views

Published on

APNIC RPKI Service. More info www.mynog.org

Published in: Data & Analytics
  • Be the first to comment

  • Be the first to like this

RPKI Service Updates by Brenda Buwu

  1. 1. MyNOG 2017 APNIC RPKI Service Update Brenda Buwu, Network Engineer brenda@apnic.net
  2. 2. RPKI in Malaysia at a glance 2 ASN IPv4 holders IPv6 holders Delegated 199 227 154 Active in RPKI 11 12 5 •  Low levels of participation — <10% in all categories •  This is mostly a ‘one click’ activity in MyAPNIC, so easy to engage! •  Percentage coverage of active BGP by address range high: 100% in IPv6, >75% in IPv4 •  Please log in to your MyAPNIC account and enable RPKI It’s your address and routing plan: protect it!
  3. 3. What does the current APNIC RPKI look like? 3 APNIC from IANA TA APNIC from RIPE TA APNIC from ARIN TA APNIC from AFRINIC TA APNIC from LACNIC TA APNIC from IANA CA APNIC from AFRINIC CA APNIC from ARIN CA APNIC from RIPE CA APNIC from LACNIC CA Member CAs Member CAs Member CAs Member CAs Member CAs APNIC from IANA CA APNIC from AFRINIC CA APNIC from ARIN CA APNIC from RIPE CA APNIC from LACNIC CA APNIC from IANA CA APNIC from RIPE CA APNIC from ARIN CA APNIC from AFRINIC CA APNIC from LACNIC CA
  4. 4. APNIC is altering its RPKI TA model •  PKI depends on a Trust Anchor (TA) model –  Validation of all signed objects is under a given TA –  The TA is external, supplied; foundation of the trust system •  The current APNIC RPKI depends on five TAs –  Pre-emptively architected to align with real-world and future unified global RPKI model –  BUT, unification has not emerged; instead complex divergent set of TAs across the five RIRs –  All RIRs’ TAs converging into a single, consistent TA model – each RIR can certify any resource 4
  5. 5. Why is this happening? •  Increase RIR consistency by aligning on TA approach –  We will now operate a mutually consistent model •  Reduce invalidity risks: –  Internet transfers (inter and intra) are frequent — resources are coming into or leaving any given RIR each month –  Necessitates changes in the TA to reflect these shrinkages and growth events –  Each transaction is a risk window for a process failure –  TA work is now far less frequent; no changes as resources move between RIRs, or are assigned by IANA 5
  6. 6. How can transfers affect validity? •  Transfer occurs, but operator errors/bugs leaves TA unpublished •  Online CA over-claims: invalid •  All Member CAs become invalid, not just those receiving transferred resources 6 APNIC TA APNIC from RIR CA Mem. CA ✔ Mem. CA Mem. CA ✘ Mem. CA ✘ ✘ ✘ ✘
  7. 7. How can this problem be resolved? •  Draft IETF document (draft-ietf-sidr-rpki-validation- reconsidered) allowing an over-claiming certificate to be considered valid for those resources that are covered by its issuer •  But still some time before the document is finalized, and longer still until relying party software is upgraded and deployed 7
  8. 8. Failure in RPKI has wide consequences •  Operational failure high in the tree is catastrophic –  All resources under that arc of a tree (for a TA, all resources!) are invalid •  Each transaction is a risk window for a process failure –  All failures in the APNIC TA risks invalidating all products across the Asia Pacific –  APNIC felt this risk was unacceptable •  APNIC has decided to re-architect to a model that removes this risk, and also removes operational complexity under transfers •  Reunify under one TA — make that TA ‘all resources’ 8
  9. 9. How does the transition happen? (1) 9 APNIC TA APNIC from RIPE TA APNIC from ARIN TA APNIC from AFRINIC TA APNIC from LACNIC TA APNIC from IANA CA APNIC from AFRINIC CA APNIC from ARIN CA APNIC from RIPE CA APNIC from LACNIC CA Member CAs Member CAs Member CAs Member CAs Member CAs APNIC from IANA CA APNIC from AFRINIC CA APNIC from ARIN CA APNIC from RIPE CA APNIC from LACNIC CA APNIC from IANA CA APNIC from RIPE CA APNIC from ARIN CA APNIC from AFRINIC CA APNIC from LACNIC CA - APNIC TA expanded to cover 0/0, ::/0, AS1-4294967295
  10. 10. How does the transition happen? (2) 10 APNIC TA APNIC from RIPE TA APNIC from ARIN TA APNIC from AFRINIC TA APNIC from LACNIC TA APNIC from IANA CA APNIC from AFRINIC CA APNIC from ARIN CA APNIC from RIPE CA APNIC from LACNIC CA Member CAs Member CAs Member CAs Member CAs Member CAs APNIC from IANA CA APNIC from AFRINIC CA APNIC from ARIN CA APNIC from RIPE CA APNIC from LACNIC CA APNIC from IANA CA APNIC from RIPE CA APNIC from ARIN CA APNIC from AFRINIC CA APNIC from LACNIC CA APNIC Intermed. CA - APNIC TA issues new intermediate online certificate - Intermediate certificate also covers 0/0, ::/0, AS1-4294967295
  11. 11. How does the transition happen? (3) 11 APNIC TA APNIC from RIPE TA APNIC from ARIN TA APNIC from AFRINIC TA APNIC from LACNIC TA APNIC from IANA CA APNIC from AFRINIC CA APNIC from ARIN CA APNIC from RIPE CA APNIC from LACNIC CA Member CAs Member CAs Member CAs Member CAs Member CAs APNIC from IANA CA APNIC from AFRINIC CA APNIC from ARIN CA APNIC from RIPE CA APNIC from LACNIC CA APNIC from IANA CA APNIC from RIPE CA APNIC from ARIN CA APNIC from AFRINIC CA APNIC from LACNIC CA APNIC Intermed. CA - One existing online certificate is re-signed by the intermediate
  12. 12. How does the transition happen? (4) 12 APNIC TA APNIC from RIPE TA APNIC from ARIN TA APNIC from AFRINIC TA APNIC from LACNIC TA APNIC from IANA CA APNIC from AFRINIC CA APNIC from ARIN CA APNIC from RIPE CA APNIC from LACNIC CA Member CAs Member CAs Member CAs Member CAs Member CAs APNIC from IANA CA APNIC from AFRINIC CA APNIC from ARIN CA APNIC from RIPE CA APNIC from LACNIC CA APNIC from IANA CA APNIC from RIPE CA APNIC from ARIN CA APNIC from AFRINIC CA APNIC from LACNIC CA APNIC Intermed. CA - Remaining online certificates are re-signed by the intermediate
  13. 13. How does the transition happen? (5) 13 APNIC TA APNIC from RIPE TA APNIC from ARIN TA APNIC from AFRINIC TA APNIC from LACNIC TA APNIC from IANA CA APNIC from AFRINIC CA APNIC from ARIN CA APNIC from RIPE CA APNIC from LACNIC CA Member CAs Member CAs Member CAs Member CAs Member CAs APNIC from IANA CA APNIC from AFRINIC CA APNIC from ARIN CA APNIC from RIPE CA APNIC from LACNIC CA APNIC from IANA CA APNIC from RIPE CA APNIC from ARIN CA APNIC from AFRINIC CA APNIC from LACNIC CA APNIC Intermed. CA - Unused TAs are withdrawn from publication
  14. 14. What is the state after the transition? 14 APNIC TA APNIC from IANA CA APNIC from AFRINIC CA APNIC from ARIN CA APNIC from RIPE CA APNIC from LACNIC CA Member CAs Member CAs Member CAs Member CAs Member CAs APNIC from IANA CA APNIC from AFRINIC CA APNIC from ARIN CA APNIC from RIPE CA APNIC from LACNIC CA APNIC from IANA CA APNIC from RIPE CA APNIC from ARIN CA APNIC from AFRINIC CA APNIC from LACNIC CA APNIC Intermed. CA LACNIC TA RIPE TAARIN TAAFRINIC TA - All RIRs look the same … … … …
  15. 15. How does the transition help this? •  If the TA claims all resources, it’s impossible for the online CA to over- claim •  Mass invalidity due to over-claiming can’t occur 15 APNIC TA (0/0, ::/0, AS1-4294967295) APNIC from RIR CA Mem. CA ✔ ✔ Mem. CA Mem. CA ✔ ✔✔ always
  16. 16. How can TA work affect validity? •  APNIC’s TAs are backed by a Hardware Security Module (HSM), as are those of the other RIRs •  A great deal of care must be exercised when using an HSM –  For example, devices may have policies such that a certain number of failed authentication attempts leads to irreversible key destruction •  The more TA work that is happening, the greater the risk 16
  17. 17. How does the transition help this? •  By having the TA be responsible for all resources, the need to do TA work is limited to scheduled and well-understood events: –  Manifest/CRL reissuance –  TA reissuance 17
  18. 18. What do I need to do? •  If you only issue ROAs: –  No change required •  If you run relying party software: –  Once APNIC has announced the successful transition, remove the unused TAs from configuration and cache –  However, leaving them in place will not affect validity outcomes 18
  19. 19. When will this happen? •  Previously planned for September •  Some problems that were found during the testbed transition meant that deployment has been delayed so that further testing can occur •  Update to the new single-TA model is expected to be completed by the end of October •  The four unused TAs will be withdrawn in 2018 https://www.apnic.net/single-ta-transition 19
  20. 20. Thanks!

×