ION San Diego - ARIN Support for DNSSEC and RPKI
-
Upload
deploy360-programme-internet-society -
Category
Documents
-
view
181 -
download
2
description
Transcript of ION San Diego - ARIN Support for DNSSEC and RPKI
![Page 1: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/1.jpg)
ARIN Support for DNSSEC and RPKI
ION San Diego 11 December 2012
Pete Toscano, ARIN
![Page 2: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/2.jpg)
DNS and BGP • They have been around for a
long time. • DNS: 1982 • BGP: 1989
• They are not very secure. • Methods for securing them exist.
2
![Page 3: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/3.jpg)
• Domain Name System Security Extensions
• Took a while to implement -- • Design work started in 1993 at IETF 28. • The root zone signed: July 15th, 2010.
3
DNSSEC
![Page 4: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/4.jpg)
• Designed to verify data integrity and authenticity.
• Does not prevent data snooping. • Generally, that first point outweighs
these others.
4
DNSSEC
![Page 5: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/5.jpg)
• DNSSEC is an overlay on top of DNS, not a replacement.
• Uses public key cryptography and a chain of trust similar to X.509 certificates.
5
DNSSEC
![Page 6: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/6.jpg)
• Adds six new RR types and extension mechanisms for DNS (EDNS).
• DNSKEY • DS • RRSIG • NSEC • NSEC3 • NSEC3PARM
6
DNSSEC
![Page 7: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/7.jpg)
• DNSKEY: The public keys. Either a Key Signing Key (KSK) or Zone Signing Key (ZSK).
• DS: Delegation Signer. Hashes and identifies the KSK of a signed, delegated child zone.
7
DNSSEC
![Page 8: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/8.jpg)
• RRSIG: Resource Record Signature. Every RRset for each name has a single RRSIG. There are two exceptions:
• NS records at delegation points. • Glue records.
• DNSKEY RRSIGs are signed by the KSK, all others by ZSK.
8
DNSSEC
![Page 9: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/9.jpg)
• NSEC/NSEC3: Next Secure Record / Next Secure Record version 3.
• Used to prove the non-existence of a resource record.
9
DNSSEC
![Page 10: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/10.jpg)
example.com. SOA [SOA STUFF] ! NS ns ! MX 10 mail !mail A 128.66.0.100 ! AAAA 2001:db8::100 !ns A 128.66.0.10 ! AAAA 2001:db8::10 !sub NS ns.sub !ns.sub A 128.66.10.10 ! AAAA 2001:db8:10::10 ! !
• A simple example of securing a zone.
10
DNSSEC
![Page 11: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/11.jpg)
• Throw in the keys... example.com. SOA [SOA STUFF] ! NS ns ! MX 10 mail ! DNSKEY 256 [DNSKEY STUFF]; ZSK ! DNSKEY 257 [DNSKEY STUFF]; KSK !mail A 128.66.0.100 ! AAAA 2001:db8::100 !ns A 128.66.0.10 ! AAAA 2001:db8::10 !sub NS ns.sub !ns.sub A 128.66.10.10 ! AAAA 2001:db8:10::10 !
11
DNSSEC
![Page 12: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/12.jpg)
• Add the NSEC records so that all gaps are accounted for...
example.com. SOA [SOA STUFF] !example.com. NS ns !example.com. MX 10 mail !example.com. DNSKEY 256 [DNSKEY STUFF]; ZSK !example.com. DNSKEY 257 [DNSKEY STUFF]; KSK!example.com. NSEC mail.example.com. SOA NS MX DNSKEY NSEC !mail.example.com. A 128.66.0.100 !mail.example.com. AAAA 2001:db8::100 !mail.example.com. NSEC ns.example.com. A AAAA NSEC !ns.example.com. A 128.66.0.10 !ns.example.com. AAAA 2001:db8::10 !ns.example.com. NSEC sub.example.com. A AAAA NSEC !sub.example.com. NS ns.sub !sub.example.com. NSEC example.com. NS NSEC !ns.sub.example.com. A 128.66.10.10 !ns.sub.example.com. AAAA 2001:db8:10::10 !
• NSEC doesn’t do glue. • Zone enumeration? That’s where NSEC3 comes in.
12
DNSSEC
![Page 13: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/13.jpg)
• Sign each label’s RRset and update NSECs... example.com. SOA [SOA STUFF] !example.com. RRSIG SOA [RRSIG STUFF] !example.com. NS ns !example.com. RRSIG NS [RRSIG STUFF] !example.com. MX 10 mail !example.com. RRSIG MX [RRSIG STUFF] !example.com. DNSKEY 256 [DNSKEY STUFF]; ZSK !example.com. DNSKEY 257 [DNSKEY STUFF]; KSK !example.com. RRSIG DNSKEY [RRSIG STUFF] !example.com. NSEC mail.example.com. SOA NS MX DNSKEY NSEC RRSIG !example.com. RRSIG NSEC [RRSIG STUFF] !mail.example.com. A 128.66.0.100 !mail.example.com. RRSIG A [RRSIG STUFF] !mail.example.com. AAAA 2001:db8::100 !mail.example.com. RRSIG AAAA [RRSIG STUFF] !mail.example.com. NSEC ns.example.com. A AAAA NSEC RRSIG !mail.example.com. RRSIG NSEC [RRSIG STUFF] !ns.example.com. A 128.66.0.10 !ns.example.com. RRSIG A [RRSIG STUFF] !ns.example.com. AAAA 2001:db8::10 !ns.example.com. RRSIG AAAA [RRSIGSTUFF] !ns.example.com. NSEC sub.example.com. A AAAA NSEC RRSIG !ns.example.com. RRSIG NSEC [RRSIG STUFF] !sub.example.com. NS ns.sub !sub.example.com. NSEC example.com. NS NSEC RRSIG !sub.example.com. RRSIG NSEC [RRSIG STUFF] !ns.sub.example.com. A 128.66.10.10 !ns.sub.example.com. AAAA 2001:db8:10::10 !
DNSSEC 13
![Page 14: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/14.jpg)
• Signed delegations. Add DS records and update NSEC and RRSIGs.
example.com. SOA [SOA STUFF] !example.com. RRSIG SOA [RRSIG STUFF] !example.com. NS ns !example.com. RRSIG NS [RRSIG STUFF] !example.com. MX 10 mail !example.com. RRSIG MX [RRSIG STUFF] !example.com. DNSKEY 256 [DNSKEY STUFF]; ZSK !example.com. DNSKEY 257 [DNSKEY STUFF]; KSK !example.com. RRSIG DNSKEY [RRSIG STUFF] !example.com. NSEC mail.example.com. SOA NS MX DNSKEY NSEC RRSIG !example.com. RRSIG NSEC [RRSIG STUFF] !mail.example.com. A 128.66.0.100 !mail.example.com. RRSIG A [RRSIG STUFF] !mail.example.com. AAAA 2001:db8::100 !mail.example.com. RRSIG AAAA [RRSIG STUFF] !mail.example.com. NSEC ns.example.com. A AAAA NSEC RRSIG !mail.example.com. RRSIG NSEC [RRSIG STUFF] !ns.example.com. A 128.66.0.10 !ns.example.com. RRSIG A [RRSIG STUFF] !ns.example.com. AAAA 2001:db8::10 !ns.example.com. RRSIG AAAA [RRSIG STUFF] !ns.example.com. NSEC sub.example.com. A AAAA NSEC RRSIG !ns.example.com. RRSIG NSEC [RRSIG STUFF] !sub.example.com. NS ns.sub !sub.example.com. DS [Hash of sub’s KSK] !sub.example.com. RRSIG DS [RRSIG STUFF] !sub.example.com. NSEC example.com. NS DS NSEC RRSIG !sub.example.com. RRSIG NSEC [RRSIG STUFF] !ns.sub.example.com. A 128.66.10.10 !ns.sub.example.com. AAAA 2001:db8:10::10 !
DNSSEC 14
![Page 15: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/15.jpg)
• What to do with all this extra data? • Publishing the signed data is only half
the battle. • The authoritative DNS responses need
to be validated.
15
DNSSEC
![Page 16: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/16.jpg)
• Response validation involves following a chain of trust from the trust anchor to the answer received.
• Typically, the root zone’s KSK == Trust Anchor
16
DNSSEC
![Page 17: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/17.jpg)
• The backbone of the chain of trust is the DS, DNSKEY, RRSIG interaction.
• Trust travels from the parent zone down to the child zone. Repeat until the target zone is found.
• Start at the trust anchor’s zone.
17
DNSSEC
![Page 18: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/18.jpg)
Parent Zone KSK DNSKEY !ZSK DNSKEY !
RRSIG !
Child Zone
DS !
... !
KSK DNSKEY !ZSK DNSKEY !
RRSIG !
DS !
RRSIG ! ... !
RRSIG !
18
DNSSEC
![Page 19: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/19.jpg)
• Once the target child zone is found, the ZSK is used the verify the appropriate RRSIG.
• If the question cannot be answered, the ZSK can be used to verify the appropriate NSEC/NSEC3 RRSIG.
• If the answer can’t be verified, then NXDOMAIN status is returned.
19
DNSSEC
![Page 20: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/20.jpg)
• From a DNS publisher’s point of view, DNSSEC can greatly expand the size of zones.
• On average, responses are larger. • Management of the keys can be tricky. • Protects the data, not the headers. • Does nothing to protect the stub resolver
to recursive resolver communication.
20
DNSSEC
![Page 21: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/21.jpg)
• At ARIN, we currently sign our v4 /8s and v6 /12 and /24s.
• ARIN Online allows members to add DS records to the zones their resources are delegated from.
21
DNSSEC
![Page 22: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/22.jpg)
• DNSSEC Analyzer: http://dnssec-analyzer.verisignlabs.com
• DNSViz: http://dnsviz.net • ldns / Drill:
http://www.nlnetlabs.nl/projects/ldns/ • DNSSEC Validator:
http://www.dnssec-validator.cz/ (FF Plugin) • Other Tools:
https://www.dnssec-deployment.org/wiki/index.php/Tools_and_Resources
22
DNSSEC
![Page 23: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/23.jpg)
RPKI
23
![Page 24: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/24.jpg)
“The inter-domain routing protocol BGP was created when the Internet environment had not yet reached the present, contentious state. Consequently, the BGP design did not include protections against deliberate or accidental errors that could cause disruptions of routing behavior.” • Intro to RFC 4272 “BGP Security Vulnerabilities Analysis” January 2006
24
![Page 25: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/25.jpg)
I have 209.85.128.0/17
Send a packet to
209.85.128.100
This is the basic problem...
25
RPKI
![Page 26: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/26.jpg)
165.135.0.2 209.85.128.100
AS100 AS200 AS300
26
RPKI
![Page 27: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/27.jpg)
165.135.0.2 209.85.128.100
AS100 AS200 AS300
AS666
209.85.128.100
27
RPKI
![Page 28: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/28.jpg)
• April 1997 – AS 7007 announced paths for all of the internet to themselves.
• Feb. 24, 2008 –Pakistan Telecom announced a part of YouTube’s address blocks.
• April 2010 - China Telecom mis-originated about 15% of Internet address blocks affecting I-root.
• Nov. 2012 – Google was unavailable some places via route leak from Moratel.
28
RPKI
![Page 29: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/29.jpg)
165.135.0.2 209.85.128.100
AS100 AS200 AS300
Phase 1: Origin Validation
Phase 2: Path Validation (still in draft
phase)
(requires RPKI)
29
RPKI
![Page 30: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/30.jpg)
• Resource Public Key Infrastructure • RPKI attaches ASNs and IP address
blocks to X.509 v3 certs. • These resource certs are signed by the
resource parent.
30
RPKI
![Page 31: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/31.jpg)
ARIN !APNIC !AFRINIC ! LACNIC ! RIPE NCC !
IANA !
ISP 1 !
ISP 3 ! ISP !
ISP 2 !
ISP ! ISP !
ISP 4 !
31
RPKI Resource Allocation Hierarchy
![Page 32: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/32.jpg)
ARIN !APNIC !AFRINIC ! LACNIC ! RIPE NCC !
IANA !
ISP 1 !
ISP 3 ! ISP !
ISP 2 !
ISP ! ISP !
Issuer: ARIN !Subject: ARIN !Resources: 192.0.0.0/8 !Key Info: <arin-key-pub> !Signed: <arin-key-priv> !
Certificates issued to match
allocations.
ISP 4 !
32
RPKI
![Page 33: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/33.jpg)
ARIN !APNIC !AFRINIC ! LACNIC ! RIPE NCC !
IANA !
ISP 1 !
ISP 3 ! ISP !
ISP 2 !
ISP ! ISP !
Issuer: ARIN !Subject: ISP1 !Resources: 192.2.0.0/16 !Key Info: <isp1-key-pub> !Signed: <arin-key-priv> !
Issuer: ARIN !Subject: ARIN !Resources: 192.0.0.0/8 !Key Info: <arin-key-pub> !Signed: <arin-key-priv> !
Certificates issued to match
allocations.
ISP 4 !
33
RPKI
![Page 34: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/34.jpg)
ARIN !APNIC !AFRINIC ! LACNIC ! RIPE NCC !
IANA !
ISP 1 !
ISP 3 ! ISP !
ISP 2 !
ISP ! ISP !
Issuer: ARIN !Subject: ISP1 !Resources: 192.2.0.0/16 !Key Info: <isp1-key-pub> !Signed: <arin-key-priv> !
Issuer: ISP1 !Subject: ISP3 !Resources: 192.2.200.0/24 !Key Info: <isp3-key-pub> !Signed: <isp1-key-priv> !
Issuer: ARIN !Subject: ARIN !Resources: 192.0.0.0/8 !Key Info: <arin-key-pub> !Signed: <arin-key-priv> !
Certificates issued to match
allocations.
ISP 4 !
34
RPKI
![Page 35: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/35.jpg)
• Address holders issue Route Origin Authorizations (ROAs).
35
RPKI
![Page 36: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/36.jpg)
ARIN !APNIC !AFRINIC ! LACNIC ! RIPE NCC !
IANA !
ISP 1 !
ISP 3 ! ISP !
ISP 2 !
ISP ! ISP !
Issuer: ARIN !Subject: ISP1 !Resources: 192.2.0.0/16 !Key Info: <isp1-key-pub> !Signed: <arin-key-priv> !
Issuer: ISP1 !Subject: ISP3 !Resources: 192.2.200.0/24 !Key Info: <isp3-key-pub> !Signed: <isp1-key-priv> !
Issuer: ARIN !Subject: ARIN !Resources: 192.0.0.0/8 !Key Info: <arin-key-pub> !Signed: <arin-key-priv> !
Certificates issued to match
allocations.
ISP 4 !
36
RPKI
![Page 37: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/37.jpg)
ARIN !APNIC !AFRINIC ! LACNIC ! RIPE NCC !
IANA !
ISP 1 !
ISP 3 ! ISP !
ISP 2 !
ISP ! ISP !
Issuer: ARIN !Subject: ISP1 !Resources: 192.2.0.0/16 !Key Info: <isp1-key-pub> !Signed: <arin-key-priv> !
Issuer: ISP1 !Subject: ISP3 !Resources: 192.2.200.0/24 !Key Info: <isp3-key-pub> !Signed: <isp1-key-priv> !
Issuer: ARIN !Subject: ARIN !Resources: 192.0.0.0/8 !Key Info: <arin-key-pub> !Signed: <arin-key-priv> !
Certificates issued to match
allocations.
ROA: “ISP 3 permits ASN 123 to originate its 192.2.200.0/24 network space.” !!! ß Attached !Signed, <isp3EE-key-priv> !!
Issuer: ISP3 !Subject: ISP3-EE !Resources: 192.2.200.0/24 !Key Info: <isp3EE-key-pub> !Signed: <isp3-key-priv> !
ISP 4 !
37
RPKI
![Page 38: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/38.jpg)
• Two RPKI implementation types: • Delegated: Each participating node
becomes a CA and runs their own RPKI repository, delegated to by the parent CA. • Hosted: The RIR runs the CA functionality for
interested participants.
38
RPKI
![Page 39: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/39.jpg)
• For most participants, running a CA would be an insurmountable obstacle to the implementation of RPKI.
• This is why the hosted option exists.
39
RPKI
![Page 40: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/40.jpg)
• Regardless of the method used, the RPKI repositories are published.
• TAL: Trust Anchor Locator • Points to the rsync entry point of that
repo.
• Includes that repo’s public key.
40
RPKI
![Page 41: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/41.jpg)
• Reliant third parties would gather all relevant TALs.
• Get all of the RPKI repos. • Validate, validate, validate.
41
RPKI
![Page 42: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/42.jpg)
• Once we have validated ROAs and the backing resource hierarchy, what do we do?
42
RPKI
![Page 43: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/43.jpg)
• Once we have validated ROAs and the backing resource hierarchy, what do we do?
• Use ROAs to weight BGP path announcements as they’re received.
43
RPKI
![Page 44: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/44.jpg)
165.135.0.2 209.85.128.100
AS100 AS200 AS300
AS666
209.85.128.100
44
RPKI
![Page 45: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/45.jpg)
165.135.0.2
AS100 AS200 AS300
209.85.128.100
45
RPKI
![Page 46: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/46.jpg)
165.135.0.2
AS100 AS200 AS300
209.85.128.100
46
RPKI “Only AS 300 can originate 209.85.128.0/24 network space.” !
![Page 47: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/47.jpg)
165.135.0.2
AS100 AS200 AS300
209.85.128.100
AS666
209.85.128.100
47
RPKI “Only AS 300 can originate my 209.85.128.0/24 network space.” !
![Page 48: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/48.jpg)
165.135.0.2
AS100 AS200
“Only AS 300 can originate my 209.85.128.0/24 network space.” !
AS666
AS300
209.85.128.100
209.85.128.100
48
RPKI
![Page 49: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/49.jpg)
• Border routers use the RPKI with the RPKI/Router protocol.
• http://tools.ietf.org/html/draft-ietf-sidr-rpki-rtr
• Implemented on Cisco IOS and Quagga. JunOS recently added.
49
RPKI
![Page 50: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/50.jpg)
• Offload validation and origin evaluation to some other box.
• “Valid”, “Invalid”, “Unknown” • What’s done with these values is up to
the local policy.
50
RPKI
![Page 51: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/51.jpg)
RPKI
• As with DNSSEC, the more buy in, the better the security.
• Be a good netizen: certify your resources.
• Even better: publish ROAs. • Be the best happy shiny: validate
route origins as support allows.
51
![Page 52: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/52.jpg)
• Only hosted model is currently implemented.
• The delegated model will be released in the not-too-distant future.
• Non-repudiation requirement. • Third parties need to sign a RPA
before getting the TAL.
52
RPKI @ ARIN
![Page 53: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/53.jpg)
Future of RPKI
• Single TAL. • Inter-RIR transfers. • Integrated with a path validation
system.
53
![Page 54: ION San Diego - ARIN Support for DNSSEC and RPKI](https://reader033.fdocuments.in/reader033/viewer/2022060109/5555d36fd8b42a711f8b4b52/html5/thumbnails/54.jpg)
Questions
54