Resource Pubic Key Infrastructure · Public Key Concept •Private key: This key must be known only...

RPKIResourcePubicKeyInfrastructure

PurposeofRPKI

• RPKIreplacesIRRorlivessidebyside?• Sidebyside:differentadvantages• Security,almostrealtime,simpleinterface:RPKI

• PurposeofRPKI• IsthatASNauthorizedtooriginatethataddressrange?

ASPath

2001:DB8::/32 655516555065549i

Ihave2001:DB8::/32

Sendapacketto2001:DB8::1

65553 65549

65536Ihave2001:DB8::/32

2001:DB8::/32 6555265536i

INVALID

RPKIDeployment

Phase1OriginValidation

Phase2PathValidation

Ihave2001:DB8::/32

Sendapacketto2001:DB8::1

65552 65549

65551 65550

InternetRegistry(IR)/RIR

• MaintainsInternetResourcessuchasIPaddressesandASNs,andpublishtheregistrationinformation• AllocationsforLocalInternetRegistries• Assignmentsforend-users

• APNICistheRegionalInternetRegistry(RIR)intheAsiaPacificregion• NationalInternetRegistry(NIR)existsinseveraleconomies

TheEco-System

GoalsofRPKI

• AbletoauthoritativelyprovewhoownsanIPPrefixandwhatAS(s)mayAnnounceIt• Reducingroutingleaks• Attachingdigitalcertificatestonetworkresources(ASNumber&IPAddress)

• PrefixOwnershipFollowstheAllocationHierarchyIANA,RIRs,ISPs,…

AdvantageofRPKI

• Useabletoolset• Noinstallationrequired• Easytoconfiguremanualoverrides

• Tightintegrationwithrouters• SupportedroutershaveawarenessofRPKIvaliditystates

• SteppingstoneforAS-PathValidation• PreventAttacksonBGP

RPKIImplementation

• TwoRPKIimplementationtype• Delegated:EachparticipatingnodebecomesaCAandrunstheirownRPKIrepository,delegatedbytheparentCA.• Hosted:TheRIRrunstheCAfunctionalityforinterestedparticipants.

TwoComponents

• CertificateAuthority(CA)• InternetRegistries(RIR,NIR,LargeLIR)• Issuecertificatesforcustomers• AllowcustomerstousetheCA’sGUItoissueROAsfortheirprefixes

• RelyingParty(RP)• SoftwarewhichgathersdatafromCAs

IssuingParty

• InternetRegistries(RIR,NIR,LargeLIRs)• ActsasaCertificateAuthorityandissuescertificatesforcustomers• ProvidesawebinterfacetoissueROAsforcustomerprefixes• PublishestheROArecords

APNICRPKIEngine

publication

MyAPNIC GUI

rpki.apnic.net

Repository

RelyingParty(RP)

IANARepo

APNICRepo RIPERepo

LIRRepo LIRRepo

RPCache(gather) Validated

RPKI-Rtr Protocol

rpki.ripe.net

SoftwarewhichgathersdatafromCAsAlsocalledRPcacheorvalidator

rpki.apnic.net

RPKIBuildingBlocks

1. TrustAnchors(RIR’s)2. RouteOriginationAuthorizations(ROA)3. Validators

1.PKI&TrustAnchors

PublicKeyConcept

• Privatekey:Thiskeymustbeknownonlybyitsowner.• Publickey:Thiskeyisknowntoeveryone(itispublic)• Relationbetweenbothkeys:Whatonekeyencrypts,theotheronedecrypts,andviceversa.Thatmeansthatifyouencryptsomethingwithmypublickey(whichyouwouldknow,becauseit'spublic:-),Iwouldneedmyprivatekeytodecryptthemessage.• SamealikehttpwithSSLakahttps

RPKIProfile

CertificatesareX.509certificatesthatconformtothePKIXprofile[PKIX].Theyalsocontainan

extensionfieldthatlistsacollectionofIPresources(IPv4addresses,IPv6

addressesandASNumbers)[RFC3779]

X.509Cert

RFC3779Extension

Describes IPResources(Addr &ASN)

SIA– URIforwherethisPublishes

Owner’sPublicKey

Signed

byParent’sPrivateKey

X.509Certificates3779EXT

TrustAnchor

AFRINIC RIPE NCC ARIN APNIC LACNIC

NIR NIR

ISP ISP ISP ISP ISP

Trust Anchor CertificateResourceAllocationHierarchy

Issued Certificates

matchallocation actions

Source:http://isoc.org/wp/ietfjournal/?p=2438

RPKIChainofTrust

• TheRIRsholdaself-signedrootcertificateforalltheresourcesthattheyhaveintheregistry• Theyarethetrustanchorforthesystem

• Thatrootcertificateisusedtosignacertificatethatlistsyourresources• Youcanissuechildcertificatesforthoseresourcestoyourcustomers• Whenmakingassignmentsorsuballocations

2.ROARouteOriginAuthorizations

RouteOriginationAuthorizations(ROA)

• AROAisadigitallysignedobject thatprovidesameansofverifyingthatanIPaddressblockholder hasauthorized anAutonomousSystem(AS) tooriginateroutestooneormoreprefixes withintheaddressblock.• WithaROA,theresourceholderisattesting thattheoriginASnumberisauthorized toannounce theprefix(es).TheattestationcanbeverifiedcryptographicallyusingRPKI.

RouteOriginationAuthorizations(ROA)

• NexttotheprefixandtheASNwhichisallowedtoannounceit,theROAcontains:• Aminimumprefixlength• Amaximumprefixlength• Anexpirydate• OriginASN

• MultipleROAscanexistforthesameprefix• ROAscanoverlap

3.Validators

OriginValidation• RoutergetsROAinformationfromtheRPKICache• RPKIverificationisdonebytheRPKICache

• TheBGPprocesswillcheckeachannouncementwiththeROAinformationandlabeltheprefix

ValidatedRPKICache

RPKItoRTRprotocol

ResultofCheck

• Valid – IndicatesthattheprefixandASpairarefoundinthedatabase.• Invalid – Indicatesthattheprefixisfound,buteitherthecorrespondingASreceivedfromtheEBGPpeerisnottheASthatappearsinthedatabase,ortheprefixlengthintheBGPupdatemessageislongerthanthemaximumlengthpermittedinthedatabase.• NotFound /Unknown– Indicatesthattheprefixisnotamongtheprefixesorprefixrangesinthedatabase.

Valid>Unknown>Invalid

ROAExample

Prefix:10.0.0.0/16ASN:65420

ROA 65420 10.0.0.0/16 /18

OriginAS Prefix MaxLength

VALID AS65420 10.0.0.0/16

VALID AS65420 10.0.128.0/17

INVALID AS65421 10.0.0.0/16

INVALID AS65420 10.0.10.0/24

UNKNOWN AS65430 10.0.0.0/8

LocalPolicy

• Youcandefineyourpolicybasedontheoutcomes• Donothing• Justlogging• LabelBGPcommunities• Modifypreferencevalues• Rejectingtheannouncement

Insummary

• Asanannouncer/LIR• Youchooseifyouwantcertification• YouchooseifyouwanttocreateROAs• YouchooseAS,maxlength

• AsaRelyingParty• Youcanchooseifyouusethevalidator• YoucanoverridethelistsofvalidROAsinthecache,addingorremovingvalidROAslocally• YoucanchoosetomakeanyroutingdecisionsbasedontheresultsoftheBGPVerification(valid/invalid/unknown)

RPKICaveats

• WhenRTRsessiongoesdown,theRPKIstatuswillbenotfoundforallthebgp routeafterawhile• Invalid=>notfound• weneedseveralRTRsessionsorcareyourfilteringpolicy

• Incaseoftherouterreload,whichoneisfaster,receivingROAsorreceivingBGProutes?• IfreceivingBGPismatchfasterthanROA,therouterpropagatetheinvalidroutetoothers• WeneedtoputourCachevalidatorwithinourIGPscope

RPKIFurtherReading

• RFC5280:X.509PKICertificates• RFC3779:ExtensionsforIPAddressesandASNs• RFC6481-6493:ResourcePublicKeyInfrastructure

RPKIConfiguration

• Resources:• AS:131107[APNICTRAINING-DC]• IPv4:202.125.96.0/24• IPv6:2001:df2:ee00::/48

• Process• CreateROA• Setupcachevalidationserver• ValidatetheROA

ImplementationScenario

Trust Anchors

Trust AnchorsDNS

Trust Anchors

RPKI Cache Validator

{rsync}{bgp4}

repository

upstream

• {bgp4}RoutersvalidateupdatesfromotherBGPpeers

• {rtr}CachesfeedsroutersusingRTRprotocolwithROAinformation

• {rsync}Cachesretrievesandcryptographicallyvalidatescertificates&ROAsfromrepositories

PhaseI- PublishingROA

• LogintoyourMyAPNIC portal• Requiredvalidcertificate• GotoResources>CertificationTab

• ShowavailableprefixforwhichyoucancreateROA

PhaseI- CheckyourROA

# whois -h whois.bgpmon.net 2001:df2:ee00::/48

Prefix: 2001:df2:ee00::/48Prefix description: APNICTRAINING-DCCountry code: AUOrigin AS: 131107Origin AS Name: ASN for APNICTRAINING LAB DCRPKI status: ROA validation successfulFirst seen: 2016-06-30Last seen: 2017-01-03Seen by #peers: 160

PhaseI- CheckyourROA

# whois -h whois.bgpmon.net " --roa 131107 2001:df2:ee00::/48"

0 – Valid------------------------ROA Details------------------------Origin ASN: AS131107Not valid Before: 2016-09-07 02:10:04Not valid After: 2020-07-30 00:00:00 Expires in 3y208d1h39m28.7999999821186sTrust Anchor: rpki.apnic.netPrefixes: 2001:df2:ee00::/48 (max length /48) 202.125.96.0/24 (max length /24)

PhaseII- RPKIValidator

• Twooptions:

A.RIPENCCRPKIValidator• https://www.ripe.net/manage-ips-and-asns/resource-management/certification/tools-and-resources

B.DragonResearchLabsRPKIToolkit• https://github.com/dragonresearch/rpki.net

A.RIPENCCRPKIValidator

• DownloadRPKIValidator• http://www.ripe.net/lir-services/resource-management/certification/tools-and-resources

• Installation

# tar -zxvf rpki-validator-app-2.21-dist.tar.gz# cd rpki-validator-app-2.21# ./rpki-validator.sh start

A.RIPENCCRPKIValidator

http://rpki-validator.apnictraining.net:8080/

B.DragonResearchLabsRPKIToolkit

• InstallationprocessinUbuntuXenial 16.04• https://github.com/dragonresearch/rpki.net/blob/master/doc/quickstart/xenial-rp.md

• Installation

# wget -q -O /etc/apt/sources.list.d/rpki.listhttps://download.rpki.net/APTng/rpki.xenial.list# wget -q -O /etc/apt/trusted.gpg.d/rpki.asc https://download.rpki.net/APTng/apt-gpg-key.asc# apt update# apt install rpki-rp

• B.DragonResearchLabsRPKIToolkit

http://rpki-dragonresearch.apnictraining.net/rcynic/

PhaseIII- RouterConfiguration(JunOS)

http://pastebin.com/50bmnv9F

PhaseIII- RouterConfiguration(IOS)

http://pastebin.com/p30nWu0R

PhaseIII- RouterConfiguration(GoBGP)

http://pastebin.com/DwQbdq7A

Checkyourprefix

rpki-junos>show route protocol bgp 202.125.96.46/24

202.125.96.0/24 *[BGP/170] 3w5d 16:57:33, MED 0, localpref 110AS path: 3333 4608 131107 I, validation-state:

verified> to 193.0.19.254 via xe-1/3/0.0

• Junos

Checkyourprefix

rpki-ios>show ip bgp 202.125.96.0/24

BGP routing table entry for 202.125.96.0/24, version 70470025Paths: (2 available, best #2, table default)Not advertised to any peerRefresh Epoch 13333 1273 4637 1221 4608 131107 193.0.19.254 from 193.0.3.5 (193.0.0.56)Origin IGP, localpref 110, valid, externalCommunity: 83449328 83450313path 287058B8 RPKI State valid

• IOS

Checkyourprefix

fakrul@gobgp:~$ gobgp global rib 202.125.96.0/24

Network Next Hop AS_PATH Age Attrs

V*> 202.125.96.0/24 202.12.29.113 4608 1221 4826 131107 00:13:29 [{Origin: i} {Med: 0} {LocalPref: 110} {Communities: 4608:11101}]

• GoBGP

Commands

• Checksessionstatusofcachevalidatorservershow validation session detail

show bgp ipv4 unicast rpki servers

gobgp rpki server

show validation database

show bgp ipv4 unicast rpki table

gobgp rpki table

• Fullvalidationdatabase

!Caution!

Testbed

• Cisco(hostedbytheRIPENCC)• PublicCiscorouter:rpki-rtr.ripe.net• Telnetusername:ripe/Nopassword

• Juniper(hostedbyKaia GlobalNetworks)• PublicJuniperrouters:193.34.50.25,193.34.50.26• Telnetusername:rpki /Password:testbed

Configuration- ReferenceLink

• Cisco• http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/command/irg-cr-book/bgp-m1.html#wp3677719851

• Juniper• http://www.juniper.net/techpubs/en_US/junos12.2/topics/topic-map/bgp-origin-as-validation.html

www.apnic.net/roa

Thanks

Resource Pubic Key Infrastructure · Public Key Concept •Private key: This key must be known only...

Documents

Transcript of Resource Pubic Key Infrastructure · Public Key Concept •Private key: This key must be known only...

Public Key Infrastructures - Eindhoven University of ... · Public Key Infrastructures … a public key infrastructure (PKI) is designed to facilitate the use of public key cryptography.

Public Messaging - US EPA€¦ · Web viewPUBLIC MESSAGING PUBLIC MESSAGING SUMMARY—KEY MESSAGES Cyanobacteria, formerly known as blue-green algae, naturally occur in surface waters.

Steganography with Public-Key Cryptography for Videoconferencelncc.br/~borges/doc/Steganography with Public-Key... · Steganography with Public-Key Cryptography for Videoconference

Public Key Infrastructure Fundamentals - SecAppDevsecappdev.org/handouts/2010/Bart Preneel/public key infrastructure... · Public Key Infrastructure Fundamentals Bart Preneel Katholieke

Public key cryptography principles, public key cryptography … · 2019-03-24 · and verify signatures a private-key, known only to the recipient, used to decrypt messages, and sign

Public key cryptography - Computer - Simson Garfinkel · true public key cryptography system known today as RSA. With RSA, users can create both a public key and a secret key. Anything

Public key algorithm

Public key

key word 60ptclose-brothers-emerging-leaders.com/wp-content/uploads/...o Known to Self Open/ Public Self Hidden Self o Not Known to Self Blind Spot Unknown Area/ Potential Source:The

Homomorphic Encryption: from Private-Key to Public-Key · between public-key and private-key homomorphic encryption. The easy direction is showing that a public-key homomorphic encryption

KEY MANAGEMENT; OTHER PUBLIC-KEY CRYPTOSYSTEMS - Chapter 10 KEY MANAGEMENT; OTHER PUBLIC-KEY CRYPTOSYSTEMS - Chapter 10 KEY MANAGEMENT DIFFIE-HELLMAN KEY.

Blockchain Fundamentals - INFOSECURITY VIP · Blockchain Internals - Transactions • Each user posses N numbers of Private Key and a Public Key. • Public Keys are known as Address.

Key findingsofLCA studyon Tetra Recart · 2018-06-15 · Key findingsofLCA studyon Tetra Recart ... known companies, business associations, NGOs, public utilities, transport and logistics

Breaking and fixing public-key Kerberos - CORE and fixing public-key Kerberos ... known as PKINIT, ... (the first message) sent by a client different from the one the reply is generated

Public Key Cryptography

Public-Key Encryption - Computer Science and Engineeringweb.cse.ohio-state.edu/~lai.1/5351/7.public-key.pdf · p2. Public-Key Encryption • Also known as asymmetric-key encryption.

Applied Cryptography (Public Key) RSA. Public Key Cryptography Every Egyptian received two names, which were known respectively as the true name and the.

KEY FACTORS LANGUAGES KNOWN EDUCATIONAL TECHNICAL ...

Naor-Reingold Goes Public: The Complexity of … Goes Public: The Complexity of Known-key Security? ... Our psPRP result instantiates the round functions in the Naor-Reingold (NR)

Computer Security: Public Key Crypto€¦ · Public key crypto RSA Essentials Public Key Crypto in Java Public key protocols Di e-Hellman and El Gamal Radboud University Nijmegen