APNIC, profile picture
Uploaded byAPNIC
770 views

RPKI Trust Anchor

The document discusses trust anchors and public key infrastructure (PKI) in the context of the Resource Public Key Infrastructure (RPKI). It presents several models for establishing trust anchors for the RPKI, including: 1) A single IANA-issued trust anchor with subordinate certificates issued by each Regional Internet Registry (RIR) matching their number resource allocations. This would not support transferred resources. 2) An interim APNIC trust anchor structure containing self-signed certificates from each RIR to allow migration to a single IANA trust anchor. 3) Individual per-RIR self-signed trust anchors, a simpler interim model but requiring more work to transition to a single IANA trust anchor.

Embed presentation

RPKI Trust Anchor Geoff Huston APNIC
Public Keys ? How can you “trust” a digital signature? What if you have never met the signer and have no knowledge of them or their keys? One approach is transitive trust via a hierarchy of public key certificates (there are other approaches, based on “web of trust” models, but lets not go there)
Public Key Infrastructure ? For transitive trust, you have to start somewhere with some initial entity (or entities) in whom you are prepared to trust This is your TRUST ANCHOR set, and you keep a local copy of their public key in your certificate store as Trusted Certificates Each Trust Anchor entry matches a unique PUBLIC KEY can can be used to certify a Certificate issued by this Certification Authority Key Store
Public Key Infrastructure ? Key Store Validation is a process of finding a chain of public key certificates that link a trust anchor to the entity being validated in this manner
The Resource Public Key Infrastructure The RPKI is a conventional PKI where the Certificate Issuer certifies BOTH the public key of the subject and the subject’s number resource holdings As it is a conventional PKI, the RPKI needs to have Trust Anchor(s) What models can be used to publish proposed Trust Anchors for the RPKI? And who can (or should) publish this Trust Anchor Material?
RPKI Certificates Follow Allocations: A single IANA-issued Trust Anchor IANA 0/0 Public Key AFRINIC APNIC ARIN LACNIC RIPE NCC Number Resource contents of RIR Subordinate CAs issued by the IANA match the contents of the IANA Number Registries
RPKI Certificates Follow Allocations: A single IANA-issued Trust Anchor IANA 0/0 Public Key AFRINIC APNIC ARIN LACNIC RIPE NCC The issue here is how to certify transferred resources. These resources are not separately listed in the IANA registries so will not be included in the IANA-issued CA Certificate. If we want to preserve this clear top-level certificate model then the implication is that modelling transferrred resources in this RPKI will: • require RIRs to issue certificates for each other • and because the certification validation paths will differ, a user holding transferred resources may be issued with multiple certificates
IANA TA, RPKI Certificates Follow Allocations IANA 0/0 Public Key AFRINIC APNIC ARIN LACNIC RIPE NCC From AFRINIC From ARIN From LACNIC From RIPE NCC From APNIC From ARIN From LACNIC From RIPE NCC From AFRINIC From APNIC From LACNIC From RIPE NCC From AFRINIC From APNIC From ARIN From RIPE NCC From AFRINIC From APNIC From ARIN From LACNIC This results in a complex inter-RIR CA structure to support transfers And ALL RIRs need to be in a position to support this model as a precondition to adoption But if one of more RIRs are not ready to do this, what can be done?
Interim APNIC TA Structure APNIC From AFRINIC From ARIN From LACNIC From RIPE NCC The interim model used by APNIC promotes the 5 “top level” certificates where APNIC would be the subject into a compound trust anchor containing 5 self-signed certificates This will allow APNIC to migrate to a single IANA TA without major change (the self signed certificates are changed to certificate signing requests and the local trust structure can be removed)
Other possible interim TA models APNIC All resources in APNIC’s registry This is a much simpler model, and is the one used by other RIRs as an interim per-RIR TA But this is some distance from the requirements to support a single IANA TA in the future So the amount of work and user impact to transform from this self-signed TA cert structure to a single IANA TA would be far larger
Other possible interim TA models APNIC 0/0 All resources This simplifies the TA structure further, as no changes are required to the TA in the event of resource movement. The published per RIR TA is essentially static so off-line (or even one-shot use) keys can be used However it does not reflect APNIC’s current resource holdings in the TA certificate
Comments? Questions?
14

More Related Content

PDF
RPKI (Resource Public Key Infrastructure)
byFakrul Alam
 
PDF
RPKI Tutorial
byBangladesh Network Operators Group
 
PDF
IDNOG 6: RQC and RPKI
byAPNIC
 
PDF
IPv6 deployment status in Bangladesh
byFakrul Alam
 
PDF
SANOG 34: Internet number registry services - the next generation
byAPNIC
 
PDF
Route Hijaking and the role of RPKI
byAPNIC
 
PDF
SANOG 34: Securing Internet Routing
byAPNIC
 
PDF
Securing global routing system and operators approach
byAPNIC
 
RPKI (Resource Public Key Infrastructure)
byFakrul Alam
 
RPKI Tutorial
byBangladesh Network Operators Group
 
IDNOG 6: RQC and RPKI
byAPNIC
 
IPv6 deployment status in Bangladesh
byFakrul Alam
 
SANOG 34: Internet number registry services - the next generation
byAPNIC
 
Route Hijaking and the role of RPKI
byAPNIC
 
SANOG 34: Securing Internet Routing
byAPNIC
 
Securing global routing system and operators approach
byAPNIC
 

What's hot

PDF
ThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
byAPNIC
 
PDF
Should I run my own RPKI Certificate Authority?
byAPNIC
 
PPTX
IPv4 transfer presentation, SGNOG4
byAPNIC
 
PDF
Introduction to RPKI
byAPNIC
 
PDF
APNIC Updates
byMyNOG
 
PDF
Peering Asia 2.0: RPKI for Peering
byAPNIC
 
PDF
The Next Generation Internet Number Registry Services
byMyNOG
 
PDF
Next-gen Network Telemetry is Within Your Packets: In-band OAM
byOpen Networking Summit
 
PDF
RPKI Certification Tutorial
byRIPE NCC
 
PDF
Introduction to RPKI - MyNOG
bySiena Perry
 
PPTX
Universal Acceptance: APNIC system readiness
byAPNIC
 
PDF
IoTMeetupGuildford#14: Mark Hill - http://thethingsnetwork.org - OpenTRV
byMicheleNati
 
PDF
RPKI
byRIPE NCC
 
PDF
Securing BGP
byRIPE NCC
 
PDF
IANA Transition: What does it all mean? @ SAMNOG 27
byAPNIC
 
PDF
Community tools to fight against DDoS, SANOG 27
byAPNIC
 
PDF
NANOG 84: DNS Openness
byAPNIC
 
PDF
PacNOG 23: Secure routing with RPKI
byAPNIC
 
PDF
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
byAPNIC
 
ThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
byAPNIC
 
Should I run my own RPKI Certificate Authority?
byAPNIC
 
IPv4 transfer presentation, SGNOG4
byAPNIC
 
Introduction to RPKI
byAPNIC
 
APNIC Updates
byMyNOG
 
Peering Asia 2.0: RPKI for Peering
byAPNIC
 
The Next Generation Internet Number Registry Services
byMyNOG
 
Next-gen Network Telemetry is Within Your Packets: In-band OAM
byOpen Networking Summit
 
RPKI Certification Tutorial
byRIPE NCC
 
Introduction to RPKI - MyNOG
bySiena Perry
 
Universal Acceptance: APNIC system readiness
byAPNIC
 
IoTMeetupGuildford#14: Mark Hill - http://thethingsnetwork.org - OpenTRV
byMicheleNati
 
RPKI
byRIPE NCC
 
Securing BGP
byRIPE NCC
 
IANA Transition: What does it all mean? @ SAMNOG 27
byAPNIC
 
Community tools to fight against DDoS, SANOG 27
byAPNIC
 
NANOG 84: DNS Openness
byAPNIC
 
PacNOG 23: Secure routing with RPKI
byAPNIC
 
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
byAPNIC
 

Viewers also liked

PDF
Emf 1. grup fi̇kstür
byHakan Hakyemez
 
PDF
RPKI Deployment Panel
byAPNIC
 
PDF
Cyber Security 4.0 conference 30 November 2016
byInfinIT - Innovationsnetværket for it
 
PPTX
Industrial Cybersecurity and Critical Infrastructure Protection in Europe
byPositive Hack Days
 
PDF
Symantec 2010 Critical Infrastructure Protection Study
bySymantec
 
PDF
Securing Internet Routing: RPSL & RPKI
byAPNIC
 
Emf 1. grup fi̇kstür
byHakan Hakyemez
 
RPKI Deployment Panel
byAPNIC
 
Cyber Security 4.0 conference 30 November 2016
byInfinIT - Innovationsnetværket for it
 
Industrial Cybersecurity and Critical Infrastructure Protection in Europe
byPositive Hack Days
 
Symantec 2010 Critical Infrastructure Protection Study
bySymantec
 
Securing Internet Routing: RPSL & RPKI
byAPNIC
 

Similar to RPKI Trust Anchor

PDF
Transitioning to a single TA
byAPNIC
 
PPTX
APNIC RPKI Service Update: MyIX/MyNOG 2017
byAPNIC
 
PDF
RPKI Service Updates by Brenda Buwu
byMyNOG
 
PDF
AFRINIC Presentation - Resource certification by Amreesh Phokeer
byAFRINIC
 
PDF
Global IRR and RPKI: a Problem Statement
byAPNIC
 
PDF
Developments in Routing Security
byRIPE NCC
 
PDF
Recent Developments in RPKI
byRIPE NCC
 
PPT
Crypto Analysis slides presentation slides
bytahirsaleem54
 
PDF
APNIC's Resource Certification Service
byAPNIC
 
PDF
Introduction to RPKI by Sheryl (Shane) Hermoso
byMyNOG
 
PDF
IETF 104: Resource tagged attestations
byAPNIC
 
PDF
Rpki with rpki.net tools
byMuhammad Moinur Rahman
 
PPTX
Public Key Infrastructures
byZefren Edior
 
PPTX
Introduction to Public Key Infrastructure
byTheo Gravity
 
PDF
VNIXNOG 2019: Securing Internet Routing
byAPNIC
 
PDF
RPKI - Securing the Internet One Hop at a Time
byRIPE NCC
 
PDF
Registry improvements update
byAPNIC
 
PDF
Secure Inter-domain Routing with RPKI
byAPNIC
 
PDF
Resource Public Key Infrastructure (RPKI)
byBangladesh Network Operators Group
 
PDF
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
byJUSTSTYLISH3B2MOHALI
 
Transitioning to a single TA
byAPNIC
 
APNIC RPKI Service Update: MyIX/MyNOG 2017
byAPNIC
 
RPKI Service Updates by Brenda Buwu
byMyNOG
 
AFRINIC Presentation - Resource certification by Amreesh Phokeer
byAFRINIC
 
Global IRR and RPKI: a Problem Statement
byAPNIC
 
Developments in Routing Security
byRIPE NCC
 
Recent Developments in RPKI
byRIPE NCC
 
Crypto Analysis slides presentation slides
bytahirsaleem54
 
APNIC's Resource Certification Service
byAPNIC
 
Introduction to RPKI by Sheryl (Shane) Hermoso
byMyNOG
 
IETF 104: Resource tagged attestations
byAPNIC
 
Rpki with rpki.net tools
byMuhammad Moinur Rahman
 
Public Key Infrastructures
byZefren Edior
 
Introduction to Public Key Infrastructure
byTheo Gravity
 
VNIXNOG 2019: Securing Internet Routing
byAPNIC
 
RPKI - Securing the Internet One Hop at a Time
byRIPE NCC
 
Registry improvements update
byAPNIC
 
Secure Inter-domain Routing with RPKI
byAPNIC
 
Resource Public Key Infrastructure (RPKI)
byBangladesh Network Operators Group
 
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
byJUSTSTYLISH3B2MOHALI
 

More from APNIC

PPTX
APNIC Report, presented at APAN 60 by Thy Boskovic
byAPNIC
 
PDF
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
byAPNIC
 
PDF
RPKI Status Update, presented by Makito Lay at IDNOG 10
byAPNIC
 
PDF
The Internet -By the Numbers, Sri Lanka Edition
byAPNIC
 
PDF
Triggering QUIC, presented by Geoff Huston at IETF 123
byAPNIC
 
PDF
DNSSEC Made Easy, presented at PHNOG 2025
byAPNIC
 
PDF
BGP Security Best Practices that Matter, presented at PHNOG 2025
byAPNIC
 
PDF
APNIC's Role in the Pacific Islands, presented at Pacific IGF 2205
byAPNIC
 
PDF
IPv6 Deployment and Best Practices, presented by Makito Lay
byAPNIC
 
PDF
Cleaning up your RPKI invalids, presented at PacNOG 35
byAPNIC
 
PDF
The Internet - By the numbers, presented at npNOG 11
byAPNIC
 
PDF
Transmission Control Protocol (TCP) and Starlink
byAPNIC
 
PDF
DDoS in India, presented at INNOG 8 by Dave Phelan
byAPNIC
 
PDF
Global Networking Trends, presented at the India ISP Conclave 2025
byAPNIC
 
PDF
Make DDoS expensive for the threat actors
byAPNIC
 
PDF
Fast Reroute in SR-MPLS, presented at bdNOG 19
byAPNIC
 
PDF
DDos Mitigation Strategie, presented at bdNOG 19
byAPNIC
 
PDF
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
byAPNIC
 
PDF
APNIC Update - Global Synergy among the RIRs: Connecting the Regions
byAPNIC
 
PDF
Measuring Starlink Protocol Performance, presented at LACNIC 43
byAPNIC
 
APNIC Report, presented at APAN 60 by Thy Boskovic
byAPNIC
 
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
byAPNIC
 
RPKI Status Update, presented by Makito Lay at IDNOG 10
byAPNIC
 
The Internet -By the Numbers, Sri Lanka Edition
byAPNIC
 
Triggering QUIC, presented by Geoff Huston at IETF 123
byAPNIC
 
DNSSEC Made Easy, presented at PHNOG 2025
byAPNIC
 
BGP Security Best Practices that Matter, presented at PHNOG 2025
byAPNIC
 
APNIC's Role in the Pacific Islands, presented at Pacific IGF 2205
byAPNIC
 
IPv6 Deployment and Best Practices, presented by Makito Lay
byAPNIC
 
Cleaning up your RPKI invalids, presented at PacNOG 35
byAPNIC
 
The Internet - By the numbers, presented at npNOG 11
byAPNIC
 
Transmission Control Protocol (TCP) and Starlink
byAPNIC
 
DDoS in India, presented at INNOG 8 by Dave Phelan
byAPNIC
 
Global Networking Trends, presented at the India ISP Conclave 2025
byAPNIC
 
Make DDoS expensive for the threat actors
byAPNIC
 
Fast Reroute in SR-MPLS, presented at bdNOG 19
byAPNIC
 
DDos Mitigation Strategie, presented at bdNOG 19
byAPNIC
 
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
byAPNIC
 
APNIC Update - Global Synergy among the RIRs: Connecting the Regions
byAPNIC
 
Measuring Starlink Protocol Performance, presented at LACNIC 43
byAPNIC
 

RPKI Trust Anchor

  • 1.
  • 2.
    Public Keys ? How canyou “trust” a digital signature? What if you have never met the signer and have no knowledge of them or their keys? One approach is transitive trust via a hierarchy of public key certificates (there are other approaches, based on “web of trust” models, but lets not go there)
  • 3.
    Public Key Infrastructure ? Fortransitive trust, you have to start somewhere with some initial entity (or entities) in whom you are prepared to trust This is your TRUST ANCHOR set, and you keep a local copy of their public key in your certificate store as Trusted Certificates Each Trust Anchor entry matches a unique PUBLIC KEY can can be used to certify a Certificate issued by this Certification Authority Key Store
  • 4.
    Public Key Infrastructure ? KeyStore Validation is a process of finding a chain of public key certificates that link a trust anchor to the entity being validated in this manner
  • 5.
    The Resource PublicKey Infrastructure The RPKI is a conventional PKI where the Certificate Issuer certifies BOTH the public key of the subject and the subject’s number resource holdings As it is a conventional PKI, the RPKI needs to have Trust Anchor(s) What models can be used to publish proposed Trust Anchors for the RPKI? And who can (or should) publish this Trust Anchor Material?
  • 6.
    RPKI Certificates FollowAllocations: A single IANA-issued Trust Anchor IANA 0/0 Public Key AFRINIC APNIC ARIN LACNIC RIPE NCC Number Resource contents of RIR Subordinate CAs issued by the IANA match the contents of the IANA Number Registries
  • 7.
    RPKI Certificates FollowAllocations: A single IANA-issued Trust Anchor IANA 0/0 Public Key AFRINIC APNIC ARIN LACNIC RIPE NCC The issue here is how to certify transferred resources. These resources are not separately listed in the IANA registries so will not be included in the IANA-issued CA Certificate. If we want to preserve this clear top-level certificate model then the implication is that modelling transferrred resources in this RPKI will: • require RIRs to issue certificates for each other • and because the certification validation paths will differ, a user holding transferred resources may be issued with multiple certificates
  • 8.
    IANA TA, RPKICertificates Follow Allocations IANA 0/0 Public Key AFRINIC APNIC ARIN LACNIC RIPE NCC From AFRINIC From ARIN From LACNIC From RIPE NCC From APNIC From ARIN From LACNIC From RIPE NCC From AFRINIC From APNIC From LACNIC From RIPE NCC From AFRINIC From APNIC From ARIN From RIPE NCC From AFRINIC From APNIC From ARIN From LACNIC This results in a complex inter-RIR CA structure to support transfers And ALL RIRs need to be in a position to support this model as a precondition to adoption But if one of more RIRs are not ready to do this, what can be done?
  • 9.
    Interim APNIC TAStructure APNIC From AFRINIC From ARIN From LACNIC From RIPE NCC The interim model used by APNIC promotes the 5 “top level” certificates where APNIC would be the subject into a compound trust anchor containing 5 self-signed certificates This will allow APNIC to migrate to a single IANA TA without major change (the self signed certificates are changed to certificate signing requests and the local trust structure can be removed)
  • 10.
    Other possible interimTA models APNIC All resources in APNIC’s registry This is a much simpler model, and is the one used by other RIRs as an interim per-RIR TA But this is some distance from the requirements to support a single IANA TA in the future So the amount of work and user impact to transform from this self-signed TA cert structure to a single IANA TA would be far larger
  • 11.
    Other possible interimTA models APNIC 0/0 All resources This simplifies the TA structure further, as no changes are required to the TA in the event of resource movement. The published per RIR TA is essentially static so off-line (or even one-shot use) keys can be used However it does not reflect APNIC’s current resource holdings in the TA certificate
  • 13.
  • 14.