SlideShare a Scribd company logo

RPKI Trust Anchor

APNIC
APNIC

The document discusses trust anchors and public key infrastructure (PKI) in the context of the Resource Public Key Infrastructure (RPKI). It presents several models for establishing trust anchors for the RPKI, including: 1) A single IANA-issued trust anchor with subordinate certificates issued by each Regional Internet Registry (RIR) matching their number resource allocations. This would not support transferred resources. 2) An interim APNIC trust anchor structure containing self-signed certificates from each RIR to allow migration to a single IANA trust anchor. 3) Individual per-RIR self-signed trust anchors, a simpler interim model but requiring more work to transition to a single IANA trust anchor.

1 of 14
RPKI Trust Anchor Geoff Huston APNIC
Public Keys ? How can you “trust” a digital signature? What if you have never met the signer and have no knowledge of them or their keys? One approach is transitive trust via a hierarchy of public key certificates (there are other approaches, based on “web of trust” models, but lets not go there)
Public Key Infrastructure ? For transitive trust, you have to start somewhere with some initial entity (or entities) in whom you are prepared to trust This is your TRUST ANCHOR set, and you keep a local copy of their public key in your certificate store as Trusted Certificates Each Trust Anchor entry matches a unique PUBLIC KEY can can be used to certify a Certificate issued by this Certification Authority Key Store
Public Key Infrastructure ? Key Store Validation is a process of finding a chain of public key certificates that link a trust anchor to the entity being validated in this manner
The Resource Public Key Infrastructure The RPKI is a conventional PKI where the Certificate Issuer certifies BOTH the public key of the subject and the subject’s number resource holdings As it is a conventional PKI, the RPKI needs to have Trust Anchor(s) What models can be used to publish proposed Trust Anchors for the RPKI? And who can (or should) publish this Trust Anchor Material?
RPKI Certificates Follow Allocations: A single IANA-issued Trust Anchor IANA 0/0 Public Key AFRINIC APNIC ARIN LACNIC RIPE NCC Number Resource contents of RIR Subordinate CAs issued by the IANA match the contents of the IANA Number Registries
RPKI Certificates Follow Allocations: A single IANA-issued Trust Anchor IANA 0/0 Public Key AFRINIC APNIC ARIN LACNIC RIPE NCC The issue here is how to certify transferred resources. These resources are not separately listed in the IANA registries so will not be included in the IANA-issued CA Certificate. If we want to preserve this clear top-level certificate model then the implication is that modelling transferrred resources in this RPKI will: • require RIRs to issue certificates for each other • and because the certification validation paths will differ, a user holding transferred resources may be issued with multiple certificates
IANA TA, RPKI Certificates Follow Allocations IANA 0/0 Public Key AFRINIC APNIC ARIN LACNIC RIPE NCC From AFRINIC From ARIN From LACNIC From RIPE NCC From APNIC From ARIN From LACNIC From RIPE NCC From AFRINIC From APNIC From LACNIC From RIPE NCC From AFRINIC From APNIC From ARIN From RIPE NCC From AFRINIC From APNIC From ARIN From LACNIC This results in a complex inter-RIR CA structure to support transfers And ALL RIRs need to be in a position to support this model as a precondition to adoption But if one of more RIRs are not ready to do this, what can be done?
Interim APNIC TA Structure APNIC From AFRINIC From ARIN From LACNIC From RIPE NCC The interim model used by APNIC promotes the 5 “top level” certificates where APNIC would be the subject into a compound trust anchor containing 5 self-signed certificates This will allow APNIC to migrate to a single IANA TA without major change (the self signed certificates are changed to certificate signing requests and the local trust structure can be removed)
Other possible interim TA models APNIC All resources in APNIC’s registry This is a much simpler model, and is the one used by other RIRs as an interim per-RIR TA But this is some distance from the requirements to support a single IANA TA in the future So the amount of work and user impact to transform from this self-signed TA cert structure to a single IANA TA would be far larger
Other possible interim TA models APNIC 0/0 All resources This simplifies the TA structure further, as no changes are required to the TA in the event of resource movement. The published per RIR TA is essentially static so off-line (or even one-shot use) keys can be used However it does not reflect APNIC’s current resource holdings in the TA certificate
Comments? Questions?
14

Recommended

RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)
Fakrul Alam
 
RPKI Tutorial
RPKI Tutorial RPKI Tutorial
RPKI Tutorial
Bangladesh Network Operators Group
 
IDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIIDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKI
APNIC
 
IPv6 deployment status in Bangladesh
IPv6 deployment status in BangladeshIPv6 deployment status in Bangladesh
IPv6 deployment status in Bangladesh
Fakrul Alam
 
SANOG 34: Internet number registry services - the next generation
SANOG 34: Internet number registry services - the next generationSANOG 34: Internet number registry services - the next generation
SANOG 34: Internet number registry services - the next generation
APNIC
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKI
APNIC
 
SANOG 34: Securing Internet Routing
SANOG 34: Securing Internet RoutingSANOG 34: Securing Internet Routing
SANOG 34: Securing Internet Routing
APNIC
 
Securing global routing system and operators approach
Securing global routing system and operators approachSecuring global routing system and operators approach
Securing global routing system and operators approach
APNIC
 

Recommended

RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)RPKI (Resource Public Key Infrastructure)
RPKI (Resource Public Key Infrastructure)
Fakrul Alam
 
RPKI Tutorial
RPKI Tutorial RPKI Tutorial
RPKI Tutorial
Bangladesh Network Operators Group
 
IDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKIIDNOG 6: RQC and RPKI
IDNOG 6: RQC and RPKI
APNIC
 
IPv6 deployment status in Bangladesh
IPv6 deployment status in BangladeshIPv6 deployment status in Bangladesh
IPv6 deployment status in Bangladesh
Fakrul Alam
 
SANOG 34: Internet number registry services - the next generation
SANOG 34: Internet number registry services - the next generationSANOG 34: Internet number registry services - the next generation
SANOG 34: Internet number registry services - the next generation
APNIC
 
Route Hijaking and the role of RPKI
Route Hijaking and the role of RPKIRoute Hijaking and the role of RPKI
Route Hijaking and the role of RPKI
APNIC
 
SANOG 34: Securing Internet Routing
SANOG 34: Securing Internet RoutingSANOG 34: Securing Internet Routing
SANOG 34: Securing Internet Routing
APNIC
 
Securing global routing system and operators approach
Securing global routing system and operators approachSecuring global routing system and operators approach
Securing global routing system and operators approach
APNIC
 
ThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next GenerationThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
APNIC
 
Should I run my own RPKI Certificate Authority?
Should I run my own RPKI Certificate Authority?Should I run my own RPKI Certificate Authority?
Should I run my own RPKI Certificate Authority?
APNIC
 
IPv4 transfer presentation, SGNOG4
IPv4 transfer presentation, SGNOG4IPv4 transfer presentation, SGNOG4
IPv4 transfer presentation, SGNOG4
APNIC
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKI
APNIC
 
APNIC Updates
APNIC UpdatesAPNIC Updates
APNIC Updates
MyNOG
 
Peering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for Peering
APNIC
 
The Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry ServicesThe Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry Services
MyNOG
 
Next-gen Network Telemetry is Within Your Packets: In-band OAM
Next-gen Network Telemetry is Within Your Packets: In-band OAMNext-gen Network Telemetry is Within Your Packets: In-band OAM
Next-gen Network Telemetry is Within Your Packets: In-band OAM
Open Networking Summit
 
RPKI Certification Tutorial
RPKI Certification TutorialRPKI Certification Tutorial
RPKI Certification Tutorial
RIPE NCC
 
Introduction to RPKI - MyNOG
Introduction to RPKI - MyNOGIntroduction to RPKI - MyNOG
Introduction to RPKI - MyNOG
Siena Perry
 
Universal Acceptance: APNIC system readiness
Universal Acceptance: APNIC system readinessUniversal Acceptance: APNIC system readiness
Universal Acceptance: APNIC system readiness
APNIC
 
IoTMeetupGuildford#14: Mark Hill - http://thethingsnetwork.org - OpenTRV
IoTMeetupGuildford#14: Mark Hill - http://thethingsnetwork.org - OpenTRVIoTMeetupGuildford#14: Mark Hill - http://thethingsnetwork.org - OpenTRV
IoTMeetupGuildford#14: Mark Hill - http://thethingsnetwork.org - OpenTRV
MicheleNati
 
RPKI
RPKIRPKI
RPKI
RIPE NCC
 
Securing BGP
Securing BGPSecuring BGP
Securing BGP
RIPE NCC
 
IANA Transition: What does it all mean? @ SAMNOG 27
IANA Transition: What does it all mean? @ SAMNOG 27IANA Transition: What does it all mean? @ SAMNOG 27
IANA Transition: What does it all mean? @ SAMNOG 27
APNIC
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27
APNIC
 
NANOG 84: DNS Openness
NANOG 84: DNS OpennessNANOG 84: DNS Openness
NANOG 84: DNS Openness
APNIC
 
PacNOG 23: Secure routing with RPKI
PacNOG 23: Secure routing with RPKIPacNOG 23: Secure routing with RPKI
PacNOG 23: Secure routing with RPKI
APNIC
 
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
APNIC
 
Emf 1. grup fi̇kstür
Emf 1. grup fi̇kstürEmf 1. grup fi̇kstür
Emf 1. grup fi̇kstür
Hakan Hakyemez
 
RPKI Deployment Panel
RPKI Deployment PanelRPKI Deployment Panel
RPKI Deployment Panel
APNIC
 
Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016
InfinIT - Innovationsnetværket for it
 

More Related Content

What's hot

ThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next GenerationThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
APNIC
 
Should I run my own RPKI Certificate Authority?
Should I run my own RPKI Certificate Authority?Should I run my own RPKI Certificate Authority?
Should I run my own RPKI Certificate Authority?
APNIC
 
IPv4 transfer presentation, SGNOG4
IPv4 transfer presentation, SGNOG4IPv4 transfer presentation, SGNOG4
IPv4 transfer presentation, SGNOG4
APNIC
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKI
APNIC
 
APNIC Updates
APNIC UpdatesAPNIC Updates
APNIC Updates
MyNOG
 
Peering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for Peering
APNIC
 
The Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry ServicesThe Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry Services
MyNOG
 
Next-gen Network Telemetry is Within Your Packets: In-band OAM
Next-gen Network Telemetry is Within Your Packets: In-band OAMNext-gen Network Telemetry is Within Your Packets: In-band OAM
Next-gen Network Telemetry is Within Your Packets: In-band OAM
Open Networking Summit
 
RPKI Certification Tutorial
RPKI Certification TutorialRPKI Certification Tutorial
RPKI Certification Tutorial
RIPE NCC
 
Introduction to RPKI - MyNOG
Introduction to RPKI - MyNOGIntroduction to RPKI - MyNOG
Introduction to RPKI - MyNOG
Siena Perry
 
Universal Acceptance: APNIC system readiness
Universal Acceptance: APNIC system readinessUniversal Acceptance: APNIC system readiness
Universal Acceptance: APNIC system readiness
APNIC
 
IoTMeetupGuildford#14: Mark Hill - http://thethingsnetwork.org - OpenTRV
IoTMeetupGuildford#14: Mark Hill - http://thethingsnetwork.org - OpenTRVIoTMeetupGuildford#14: Mark Hill - http://thethingsnetwork.org - OpenTRV
IoTMeetupGuildford#14: Mark Hill - http://thethingsnetwork.org - OpenTRV
MicheleNati
 
RPKI
RPKIRPKI
RPKI
RIPE NCC
 
Securing BGP
Securing BGPSecuring BGP
Securing BGP
RIPE NCC
 
IANA Transition: What does it all mean? @ SAMNOG 27
IANA Transition: What does it all mean? @ SAMNOG 27IANA Transition: What does it all mean? @ SAMNOG 27
IANA Transition: What does it all mean? @ SAMNOG 27
APNIC
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27
APNIC
 
NANOG 84: DNS Openness
NANOG 84: DNS OpennessNANOG 84: DNS Openness
NANOG 84: DNS Openness
APNIC
 
PacNOG 23: Secure routing with RPKI
PacNOG 23: Secure routing with RPKIPacNOG 23: Secure routing with RPKI
PacNOG 23: Secure routing with RPKI
APNIC
 
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
APNIC
 

What's hot (19)

ThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next GenerationThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
ThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
 
Should I run my own RPKI Certificate Authority?
Should I run my own RPKI Certificate Authority?Should I run my own RPKI Certificate Authority?
Should I run my own RPKI Certificate Authority?
 
IPv4 transfer presentation, SGNOG4
IPv4 transfer presentation, SGNOG4IPv4 transfer presentation, SGNOG4
IPv4 transfer presentation, SGNOG4
 
Introduction to RPKI
Introduction to RPKIIntroduction to RPKI
Introduction to RPKI
 
APNIC Updates
APNIC UpdatesAPNIC Updates
APNIC Updates
 
Peering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for PeeringPeering Asia 2.0: RPKI for Peering
Peering Asia 2.0: RPKI for Peering
 
The Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry ServicesThe Next Generation Internet Number Registry Services
The Next Generation Internet Number Registry Services
 
Next-gen Network Telemetry is Within Your Packets: In-band OAM
Next-gen Network Telemetry is Within Your Packets: In-band OAMNext-gen Network Telemetry is Within Your Packets: In-band OAM
Next-gen Network Telemetry is Within Your Packets: In-band OAM
 
RPKI Certification Tutorial
RPKI Certification TutorialRPKI Certification Tutorial
RPKI Certification Tutorial
 
Introduction to RPKI - MyNOG
Introduction to RPKI - MyNOGIntroduction to RPKI - MyNOG
Introduction to RPKI - MyNOG
 
Universal Acceptance: APNIC system readiness
Universal Acceptance: APNIC system readinessUniversal Acceptance: APNIC system readiness
Universal Acceptance: APNIC system readiness
 
IoTMeetupGuildford#14: Mark Hill - http://thethingsnetwork.org - OpenTRV
IoTMeetupGuildford#14: Mark Hill - http://thethingsnetwork.org - OpenTRVIoTMeetupGuildford#14: Mark Hill - http://thethingsnetwork.org - OpenTRV
IoTMeetupGuildford#14: Mark Hill - http://thethingsnetwork.org - OpenTRV
 
RPKI
RPKIRPKI
RPKI
 
Securing BGP
Securing BGPSecuring BGP
Securing BGP
 
IANA Transition: What does it all mean? @ SAMNOG 27
IANA Transition: What does it all mean? @ SAMNOG 27IANA Transition: What does it all mean? @ SAMNOG 27
IANA Transition: What does it all mean? @ SAMNOG 27
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27
 
NANOG 84: DNS Openness
NANOG 84: DNS OpennessNANOG 84: DNS Openness
NANOG 84: DNS Openness
 
PacNOG 23: Secure routing with RPKI
PacNOG 23: Secure routing with RPKIPacNOG 23: Secure routing with RPKI
PacNOG 23: Secure routing with RPKI
 
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
 

Viewers also liked

Emf 1. grup fi̇kstür
Emf 1. grup fi̇kstürEmf 1. grup fi̇kstür
Emf 1. grup fi̇kstür
Hakan Hakyemez
 
RPKI Deployment Panel
RPKI Deployment PanelRPKI Deployment Panel
RPKI Deployment Panel
APNIC
 
Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016
InfinIT - Innovationsnetværket for it
 
Industrial Cybersecurity and Critical Infrastructure Protection in Europe
Industrial Cybersecurity and Critical Infrastructure Protection in EuropeIndustrial Cybersecurity and Critical Infrastructure Protection in Europe
Industrial Cybersecurity and Critical Infrastructure Protection in Europe
Positive Hack Days
 
Symantec 2010 Critical Infrastructure Protection Study
Symantec 2010 Critical Infrastructure Protection StudySymantec 2010 Critical Infrastructure Protection Study
Symantec 2010 Critical Infrastructure Protection Study
Symantec
 
Securing Internet Routing: RPSL & RPKI
Securing Internet Routing: RPSL & RPKISecuring Internet Routing: RPSL & RPKI
Securing Internet Routing: RPSL & RPKI
APNIC
 

Viewers also liked (6)

Emf 1. grup fi̇kstür
Emf 1. grup fi̇kstürEmf 1. grup fi̇kstür
Emf 1. grup fi̇kstür
 
RPKI Deployment Panel
RPKI Deployment PanelRPKI Deployment Panel
RPKI Deployment Panel
 
Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016Cyber Security 4.0 conference 30 November 2016
Cyber Security 4.0 conference 30 November 2016
 
Industrial Cybersecurity and Critical Infrastructure Protection in Europe
Industrial Cybersecurity and Critical Infrastructure Protection in EuropeIndustrial Cybersecurity and Critical Infrastructure Protection in Europe
Industrial Cybersecurity and Critical Infrastructure Protection in Europe
 
Symantec 2010 Critical Infrastructure Protection Study
Symantec 2010 Critical Infrastructure Protection StudySymantec 2010 Critical Infrastructure Protection Study
Symantec 2010 Critical Infrastructure Protection Study
 
Securing Internet Routing: RPSL & RPKI
Securing Internet Routing: RPSL & RPKISecuring Internet Routing: RPSL & RPKI
Securing Internet Routing: RPSL & RPKI
 

Similar to RPKI Trust Anchor

MMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet RoutingMMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet Routing
APNIC
 
WSO2 MASTER CLASS ITALIA #11 - APIM 4.0 & approccio event based
WSO2 MASTER CLASS ITALIA #11 - APIM 4.0 & approccio event basedWSO2 MASTER CLASS ITALIA #11 - APIM 4.0 & approccio event based
WSO2 MASTER CLASS ITALIA #11 - APIM 4.0 & approccio event based
Profesia Srl, Lynx Group
 
BKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet RoutingBKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet Routing
APNIC
 
btNOG 6: Securing Internet Routing
btNOG 6: Securing Internet RoutingbtNOG 6: Securing Internet Routing
btNOG 6: Securing Internet Routing
APNIC
 
ARIN 35 Tutorial: How to certify your ARIN resources with RPKI
ARIN 35 Tutorial: How to certify your ARIN resources with RPKIARIN 35 Tutorial: How to certify your ARIN resources with RPKI
ARIN 35 Tutorial: How to certify your ARIN resources with RPKI
ARIN
 
API Security in a Microservice Architecture
API Security in a Microservice ArchitectureAPI Security in a Microservice Architecture
API Security in a Microservice Architecture
Matt McLarty
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
Muhammad Zbeedat
 
Demystify internal certificates requirements for lync server
Demystify internal certificates requirements for lync serverDemystify internal certificates requirements for lync server
Demystify internal certificates requirements for lync server
Thomas Poett
 
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeScott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
DigiCert, Inc.
 
Restful api
Restful apiRestful api
Restful api
Anurag Srivastava
 
APNIC's Resource Certification Service
APNIC's Resource Certification ServiceAPNIC's Resource Certification Service
APNIC's Resource Certification Service
APNIC
 
SOA Security - So What?
SOA Security - So What?SOA Security - So What?
SOA Security - So What?
Oliver Pfaff
 
[Cluj] Turn SSL ON
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ON
OWASP EEE
 
apidays LIVE Hong Kong 2021 - Headless API Management by Snehal Chakraborty, ...
apidays LIVE Hong Kong 2021 - Headless API Management by Snehal Chakraborty, ...apidays LIVE Hong Kong 2021 - Headless API Management by Snehal Chakraborty, ...
apidays LIVE Hong Kong 2021 - Headless API Management by Snehal Chakraborty, ...
apidays
 
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdfESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
RIPE NCC
 
HTTP Authorization using OPA
HTTP Authorization using OPAHTTP Authorization using OPA
HTTP Authorization using OPA
Knoldus Inc.
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives
APNIC
 
APIs Design - Creation - Management.pdf
APIs Design - Creation - Management.pdfAPIs Design - Creation - Management.pdf
APIs Design - Creation - Management.pdf
WilliamELKAIMPhd
 
Implementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresImplementing Public-Key-Infrastructures
Implementing Public-Key-Infrastructures
Oliver Pfaff
 
RPKI Service Updates by Brenda Buwu
RPKI Service Updates by Brenda BuwuRPKI Service Updates by Brenda Buwu
RPKI Service Updates by Brenda Buwu
MyNOG
 

Similar to RPKI Trust Anchor (20)

MMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet RoutingMMIX Peering Forum: Securing Internet Routing
MMIX Peering Forum: Securing Internet Routing
 
WSO2 MASTER CLASS ITALIA #11 - APIM 4.0 & approccio event based
WSO2 MASTER CLASS ITALIA #11 - APIM 4.0 & approccio event basedWSO2 MASTER CLASS ITALIA #11 - APIM 4.0 & approccio event based
WSO2 MASTER CLASS ITALIA #11 - APIM 4.0 & approccio event based
 
BKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet RoutingBKNIX Peering Forum 2019: Securing Internet Routing
BKNIX Peering Forum 2019: Securing Internet Routing
 
btNOG 6: Securing Internet Routing
btNOG 6: Securing Internet RoutingbtNOG 6: Securing Internet Routing
btNOG 6: Securing Internet Routing
 
ARIN 35 Tutorial: How to certify your ARIN resources with RPKI
ARIN 35 Tutorial: How to certify your ARIN resources with RPKIARIN 35 Tutorial: How to certify your ARIN resources with RPKI
ARIN 35 Tutorial: How to certify your ARIN resources with RPKI
 
API Security in a Microservice Architecture
API Security in a Microservice ArchitectureAPI Security in a Microservice Architecture
API Security in a Microservice Architecture
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
 
Demystify internal certificates requirements for lync server
Demystify internal certificates requirements for lync serverDemystify internal certificates requirements for lync server
Demystify internal certificates requirements for lync server
 
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone BeforeScott Rea - IoT: Taking PKI Where No PKI Has Gone Before
Scott Rea - IoT: Taking PKI Where No PKI Has Gone Before
 
Restful api
Restful apiRestful api
Restful api
 
APNIC's Resource Certification Service
APNIC's Resource Certification ServiceAPNIC's Resource Certification Service
APNIC's Resource Certification Service
 
SOA Security - So What?
SOA Security - So What?SOA Security - So What?
SOA Security - So What?
 
[Cluj] Turn SSL ON
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ON
 
apidays LIVE Hong Kong 2021 - Headless API Management by Snehal Chakraborty, ...
apidays LIVE Hong Kong 2021 - Headless API Management by Snehal Chakraborty, ...apidays LIVE Hong Kong 2021 - Headless API Management by Snehal Chakraborty, ...
apidays LIVE Hong Kong 2021 - Headless API Management by Snehal Chakraborty, ...
 
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdfESNOG 29-Alvaro_Vives-Routing_Security.pdf
ESNOG 29-Alvaro_Vives-Routing_Security.pdf
 
HTTP Authorization using OPA
HTTP Authorization using OPAHTTP Authorization using OPA
HTTP Authorization using OPA
 
APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives APAN 50: RPKI industry trends and initiatives
APAN 50: RPKI industry trends and initiatives
 
APIs Design - Creation - Management.pdf
APIs Design - Creation - Management.pdfAPIs Design - Creation - Management.pdf
APIs Design - Creation - Management.pdf
 
Implementing Public-Key-Infrastructures
Implementing Public-Key-InfrastructuresImplementing Public-Key-Infrastructures
Implementing Public-Key-Infrastructures
 
RPKI Service Updates by Brenda Buwu
RPKI Service Updates by Brenda BuwuRPKI Service Updates by Brenda Buwu
RPKI Service Updates by Brenda Buwu
 

More from APNIC

IPv6: Unlocking the Potential, presented by Paul Wilson at CommunicAsia 2024
IPv6: Unlocking the Potential, presented by Paul Wilson at CommunicAsia 2024IPv6: Unlocking the Potential, presented by Paul Wilson at CommunicAsia 2024
IPv6: Unlocking the Potential, presented by Paul Wilson at CommunicAsia 2024
APNIC
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
APNIC
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
APNIC
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
APNIC
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
APNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
APNIC
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
APNIC
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
APNIC
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC
 

More from APNIC (20)

IPv6: Unlocking the Potential, presented by Paul Wilson at CommunicAsia 2024
IPv6: Unlocking the Potential, presented by Paul Wilson at CommunicAsia 2024IPv6: Unlocking the Potential, presented by Paul Wilson at CommunicAsia 2024
IPv6: Unlocking the Potential, presented by Paul Wilson at CommunicAsia 2024
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 

Recently uploaded

Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
Paul Walk
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
k4ncd0z
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
davidjhones387
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
thezot
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Donato Onofri
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
xjq03c34
 

Recently uploaded (10)

Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
 

RPKI Trust Anchor

  • 1. RPKI Trust Anchor Geoff Huston APNIC
  • 2. Public Keys ? How can you “trust” a digital signature? What if you have never met the signer and have no knowledge of them or their keys? One approach is transitive trust via a hierarchy of public key certificates (there are other approaches, based on “web of trust” models, but lets not go there)
  • 3. Public Key Infrastructure ? For transitive trust, you have to start somewhere with some initial entity (or entities) in whom you are prepared to trust This is your TRUST ANCHOR set, and you keep a local copy of their public key in your certificate store as Trusted Certificates Each Trust Anchor entry matches a unique PUBLIC KEY can can be used to certify a Certificate issued by this Certification Authority Key Store
  • 4. Public Key Infrastructure ? Key Store Validation is a process of finding a chain of public key certificates that link a trust anchor to the entity being validated in this manner
  • 5. The Resource Public Key Infrastructure The RPKI is a conventional PKI where the Certificate Issuer certifies BOTH the public key of the subject and the subject’s number resource holdings As it is a conventional PKI, the RPKI needs to have Trust Anchor(s) What models can be used to publish proposed Trust Anchors for the RPKI? And who can (or should) publish this Trust Anchor Material?
  • 6. RPKI Certificates Follow Allocations: A single IANA-issued Trust Anchor IANA 0/0 Public Key AFRINIC APNIC ARIN LACNIC RIPE NCC Number Resource contents of RIR Subordinate CAs issued by the IANA match the contents of the IANA Number Registries
  • 7. RPKI Certificates Follow Allocations: A single IANA-issued Trust Anchor IANA 0/0 Public Key AFRINIC APNIC ARIN LACNIC RIPE NCC The issue here is how to certify transferred resources. These resources are not separately listed in the IANA registries so will not be included in the IANA-issued CA Certificate. If we want to preserve this clear top-level certificate model then the implication is that modelling transferrred resources in this RPKI will: • require RIRs to issue certificates for each other • and because the certification validation paths will differ, a user holding transferred resources may be issued with multiple certificates
  • 8. IANA TA, RPKI Certificates Follow Allocations IANA 0/0 Public Key AFRINIC APNIC ARIN LACNIC RIPE NCC From AFRINIC From ARIN From LACNIC From RIPE NCC From APNIC From ARIN From LACNIC From RIPE NCC From AFRINIC From APNIC From LACNIC From RIPE NCC From AFRINIC From APNIC From ARIN From RIPE NCC From AFRINIC From APNIC From ARIN From LACNIC This results in a complex inter-RIR CA structure to support transfers And ALL RIRs need to be in a position to support this model as a precondition to adoption But if one of more RIRs are not ready to do this, what can be done?
  • 9. Interim APNIC TA Structure APNIC From AFRINIC From ARIN From LACNIC From RIPE NCC The interim model used by APNIC promotes the 5 “top level” certificates where APNIC would be the subject into a compound trust anchor containing 5 self-signed certificates This will allow APNIC to migrate to a single IANA TA without major change (the self signed certificates are changed to certificate signing requests and the local trust structure can be removed)
  • 10. Other possible interim TA models APNIC All resources in APNIC’s registry This is a much simpler model, and is the one used by other RIRs as an interim per-RIR TA But this is some distance from the requirements to support a single IANA TA in the future So the amount of work and user impact to transform from this self-signed TA cert structure to a single IANA TA would be far larger
  • 11. Other possible interim TA models APNIC 0/0 All resources This simplifies the TA structure further, as no changes are required to the TA in the event of resource movement. The published per RIR TA is essentially static so off-line (or even one-shot use) keys can be used However it does not reflect APNIC’s current resource holdings in the TA certificate
  • 12.
  • 14. 14