Transitioning to a single RPKI trust anchor...How does RPKI validation work? As far as resource...
Transcript of Transitioning to a single RPKI trust anchor...How does RPKI validation work? As far as resource...
![Page 1: Transitioning to a single RPKI trust anchor...How does RPKI validation work? As far as resource holdings are concerned, the issuer must cover all of the resources C1 issues /25 to](https://reader036.fdocuments.in/reader036/viewer/2022071000/5fbcbbea2d98441ccb1bb39f/html5/thumbnails/1.jpg)
Transitioning to a single RPKI trust anchor
![Page 2: Transitioning to a single RPKI trust anchor...How does RPKI validation work? As far as resource holdings are concerned, the issuer must cover all of the resources C1 issues /25 to](https://reader036.fdocuments.in/reader036/viewer/2022071000/5fbcbbea2d98441ccb1bb39f/html5/thumbnails/2.jpg)
What is the current state?
2
APNIC fromIANA TA
APNIC fromRIPE TA
APNIC fromARIN TA
APNIC fromAFRINIC TA
APNIC fromLACNIC TA
APNIC fromIANA CA
APNIC fromAFRINIC CA
APNIC fromARIN CA
APNIC fromRIPE CA
APNIC fromLACNIC CA
Member CAs Member CAs Member CAs Member CAs Member CAs
APNIC fromIANA CA
APNIC fromAFRINIC CA
APNIC fromARIN CA
APNIC fromRIPE CA
APNIC fromLACNIC CA
APNIC fromIANA CA
APNIC fromRIPE CA
APNIC fromARIN CA
APNIC fromAFRINIC CA
APNIC fromLACNIC CA
![Page 3: Transitioning to a single RPKI trust anchor...How does RPKI validation work? As far as resource holdings are concerned, the issuer must cover all of the resources C1 issues /25 to](https://reader036.fdocuments.in/reader036/viewer/2022071000/5fbcbbea2d98441ccb1bb39f/html5/thumbnails/3.jpg)
How does the transition happen? (1)
3
APNIC TA
APNIC fromRIPE TA
APNIC fromARIN TA
APNIC fromAFRINIC TA
APNIC fromLACNIC TA
APNIC fromIANA CA
APNIC fromAFRINIC CA
APNIC fromARIN CA
APNIC fromRIPE CA
APNIC fromLACNIC CAMember CAs Member CAs Member CAs Member CAs Member CAs
APNIC fromIANA CA
APNIC fromAFRINIC CA
APNIC fromARIN CA
APNIC fromRIPE CA
APNIC fromLACNIC CA
APNIC fromIANA CA
APNIC fromRIPE CA
APNIC fromARIN CA
APNIC fromAFRINIC CA
APNIC fromLACNIC CA
● APNIC TA expanded to cover 0/0, ::/0, AS1-4294967295
![Page 4: Transitioning to a single RPKI trust anchor...How does RPKI validation work? As far as resource holdings are concerned, the issuer must cover all of the resources C1 issues /25 to](https://reader036.fdocuments.in/reader036/viewer/2022071000/5fbcbbea2d98441ccb1bb39f/html5/thumbnails/4.jpg)
How does the transition happen? (2)
4
APNIC TA
APNIC fromRIPE TA
APNIC fromARIN TA
APNIC fromAFRINIC TA
APNIC fromLACNIC TA
APNIC fromIANA CA
APNIC fromAFRINIC CA
APNIC fromARIN CA
APNIC fromRIPE CA
APNIC fromLACNIC CAMember CAs Member CAs Member CAs Member CAs Member CAs
APNIC fromIANA CA
APNIC fromAFRINIC CA
APNIC fromARIN CA
APNIC fromRIPE CA
APNIC fromLACNIC CA
APNIC fromIANA CA
APNIC fromRIPE CA
APNIC fromARIN CA
APNIC fromAFRINIC CA
APNIC fromLACNIC CA
APNICIntermed. CA
● APNIC TA issues new intermediate online certificate● Intermediate certificate also covers 0/0, ::/0, AS1-4294967295
![Page 5: Transitioning to a single RPKI trust anchor...How does RPKI validation work? As far as resource holdings are concerned, the issuer must cover all of the resources C1 issues /25 to](https://reader036.fdocuments.in/reader036/viewer/2022071000/5fbcbbea2d98441ccb1bb39f/html5/thumbnails/5.jpg)
How does the transition happen? (3)
5
APNIC TA APNIC fromRIPE TA
APNIC fromARIN TA
APNIC fromAFRINIC TA
APNIC fromLACNIC TA
APNIC fromIANA CA
APNIC fromAFRINIC CA
APNIC fromARIN CA
APNIC fromRIPE CA
APNIC fromLACNIC CAMember CAs Member CAs Member CAs Member CAs Member CAs
APNIC fromIANA CA
APNIC fromAFRINIC CA
APNIC fromARIN CA
APNIC fromRIPE CA
APNIC fromLACNIC CA
APNIC fromIANA CA
APNIC fromRIPE CA
APNIC fromARIN CA
APNIC fromAFRINIC CA
APNIC fromLACNIC CA
APNICIntermed. CA
● One existing online certificate is re-signed by the intermediate
![Page 6: Transitioning to a single RPKI trust anchor...How does RPKI validation work? As far as resource holdings are concerned, the issuer must cover all of the resources C1 issues /25 to](https://reader036.fdocuments.in/reader036/viewer/2022071000/5fbcbbea2d98441ccb1bb39f/html5/thumbnails/6.jpg)
How does the transition happen? (4)
6
APNIC TA APNIC fromRIPE TA
APNIC fromARIN TA
APNIC fromAFRINIC TA
APNIC fromLACNIC TA
APNIC fromIANA CA
APNIC fromAFRINIC CA
APNIC fromARIN CA
APNIC fromRIPE CA
APNIC fromLACNIC CAMember CAs Member CAs Member CAs Member CAs Member CAs
APNIC fromIANA CA
APNIC fromAFRINIC CA
APNIC fromARIN CA
APNIC fromRIPE CA
APNIC fromLACNIC CA
APNIC fromIANA CA
APNIC fromRIPE CA
APNIC fromARIN CA
APNIC fromAFRINIC CA
APNIC fromLACNIC CA
APNICIntermed. CA
● Remaining online certificates are re-signed by the intermediate
![Page 7: Transitioning to a single RPKI trust anchor...How does RPKI validation work? As far as resource holdings are concerned, the issuer must cover all of the resources C1 issues /25 to](https://reader036.fdocuments.in/reader036/viewer/2022071000/5fbcbbea2d98441ccb1bb39f/html5/thumbnails/7.jpg)
How does the transition happen? (5)
7
APNIC TA APNIC fromRIPE TA
APNIC fromARIN TA
APNIC fromAFRINIC TA
APNIC fromLACNIC TA
APNIC fromIANA CA
APNIC fromAFRINIC CA
APNIC fromARIN CA
APNIC fromRIPE CA
APNIC fromLACNIC CAMember CAs Member CAs Member CAs Member CAs Member CAs
APNIC fromIANA CA
APNIC fromAFRINIC CA
APNIC fromARIN CA
APNIC fromRIPE CA
APNIC fromLACNIC CA
APNIC fromIANA CA
APNIC fromRIPE CA
APNIC fromARIN CA
APNIC fromAFRINIC CA
APNIC fromLACNIC CA
APNICIntermed. CA
● Unused TAs are withdrawn from publication
![Page 8: Transitioning to a single RPKI trust anchor...How does RPKI validation work? As far as resource holdings are concerned, the issuer must cover all of the resources C1 issues /25 to](https://reader036.fdocuments.in/reader036/viewer/2022071000/5fbcbbea2d98441ccb1bb39f/html5/thumbnails/8.jpg)
What is the state after the transition?
8
APNIC TA
APNIC fromIANA CA
APNIC fromAFRINIC CA
APNIC fromARIN CA
APNIC fromRIPE CA
APNIC fromLACNIC CAMember CAs Member CAs Member CAs Member CAs Member CAs
APNIC fromIANA CA
APNIC fromAFRINIC CA
APNIC fromARIN CA
APNIC fromRIPE CA
APNIC fromLACNIC CA
APNIC fromIANA CA
APNIC fromRIPE CA
APNIC fromARIN CA
APNIC fromAFRINIC CA
APNIC fromLACNIC CA
APNICIntermed. CA
![Page 9: Transitioning to a single RPKI trust anchor...How does RPKI validation work? As far as resource holdings are concerned, the issuer must cover all of the resources C1 issues /25 to](https://reader036.fdocuments.in/reader036/viewer/2022071000/5fbcbbea2d98441ccb1bb39f/html5/thumbnails/9.jpg)
Why is this happening?● Increase RIR consistency by aligning on TA approach
● Reduce invalidity risks associated with:
– Inter-RIR transfers and other changes in resource disposition
– TA work
9
![Page 10: Transitioning to a single RPKI trust anchor...How does RPKI validation work? As far as resource holdings are concerned, the issuer must cover all of the resources C1 issues /25 to](https://reader036.fdocuments.in/reader036/viewer/2022071000/5fbcbbea2d98441ccb1bb39f/html5/thumbnails/10.jpg)
How is RIR consistency helped?
• Each of the other RIRs has a single TA
• APNIC has five TAs, because of expectations around system development that were overtaken by events
• This lack of consistency concerns people who might otherwise be interested in using RPKI
• Having each RIR explicitly adopt the same approach deals with this problem
10
![Page 11: Transitioning to a single RPKI trust anchor...How does RPKI validation work? As far as resource holdings are concerned, the issuer must cover all of the resources C1 issues /25 to](https://reader036.fdocuments.in/reader036/viewer/2022071000/5fbcbbea2d98441ccb1bb39f/html5/thumbnails/11.jpg)
How does RPKI validation work?● As far as resource
holdings are concerned, the issuer must cover all of the resources
● C1 issues /25 to C2, and C2 issues /25 to C3: all certificates valid
11
Issuer: C1Subject: C1192.0.2.0/24
Issuer: C1Subject: C2192.0.2.0/25
Issuer: C2Subject: C3192.0.2.0/25
✔
✔
✔
![Page 12: Transitioning to a single RPKI trust anchor...How does RPKI validation work? As far as resource holdings are concerned, the issuer must cover all of the resources C1 issues /25 to](https://reader036.fdocuments.in/reader036/viewer/2022071000/5fbcbbea2d98441ccb1bb39f/html5/thumbnails/12.jpg)
How does RPKI validation work?● If any of the
resources are not covered, the certificate as a whole is invalid
● C1 reissues C2 with /26: C3 now entirely invalid
12
Issuer: C1Subject: C1192.0.2.0/24
Issuer: C1Subject: C2192.0.2.0/26
Issuer: C2Subject: C3192.0.2.0/25
✔
✔
✘
![Page 13: Transitioning to a single RPKI trust anchor...How does RPKI validation work? As far as resource holdings are concerned, the issuer must cover all of the resources C1 issues /25 to](https://reader036.fdocuments.in/reader036/viewer/2022071000/5fbcbbea2d98441ccb1bb39f/html5/thumbnails/13.jpg)
How can transfers affect validity?● Before inbound
transfer: each certificate’s resources covered by issuer, so each certificate is valid
13
APNIC TA
APNIC from RIR CA
Mem.CA
✔
✔
Mem.CA
Mem.CA
✔ ✔✔
![Page 14: Transitioning to a single RPKI trust anchor...How does RPKI validation work? As far as resource holdings are concerned, the issuer must cover all of the resources C1 issues /25 to](https://reader036.fdocuments.in/reader036/viewer/2022071000/5fbcbbea2d98441ccb1bb39f/html5/thumbnails/14.jpg)
How can transfers affect validity?● Transfer occurs, but
operator error/bug leaves TA unpublished
● Online CA overclaims: invalid
● All member CAs become invalid, not just those receiving transferred resources
14
APNIC TA
APNIC from RIR CA
Mem.CA
✔
Mem.CA
Mem.CA
✘
Mem.CA✘ ✘ ✘ ✘
![Page 15: Transitioning to a single RPKI trust anchor...How does RPKI validation work? As far as resource holdings are concerned, the issuer must cover all of the resources C1 issues /25 to](https://reader036.fdocuments.in/reader036/viewer/2022071000/5fbcbbea2d98441ccb1bb39f/html5/thumbnails/15.jpg)
How can this problem be resolved?
• There is a document currently working through the IETF, draft-ietf-sidr-rpki-validation-reconsidered, that allows an overclaiming certificate to be considered valid for those resources that are covered by its issuer
• However, it will be some time before the document is finalised, and longer still until relying party software is upgraded and deployed
15
![Page 16: Transitioning to a single RPKI trust anchor...How does RPKI validation work? As far as resource holdings are concerned, the issuer must cover all of the resources C1 issues /25 to](https://reader036.fdocuments.in/reader036/viewer/2022071000/5fbcbbea2d98441ccb1bb39f/html5/thumbnails/16.jpg)
How does the transition help this?● If the TA claims all
resources
● Then it’s impossible for the online CA to overclaim
● And mass invalidity due to overclaiming can’t occur
16
APNIC TA(0/0, ::/0, AS1-4294967295)
APNIC from RIR CA
Mem.CA
✔
✔
Mem.CA
Mem.CA
✔ ✔✔
always
![Page 17: Transitioning to a single RPKI trust anchor...How does RPKI validation work? As far as resource holdings are concerned, the issuer must cover all of the resources C1 issues /25 to](https://reader036.fdocuments.in/reader036/viewer/2022071000/5fbcbbea2d98441ccb1bb39f/html5/thumbnails/17.jpg)
How can TA work affect validity?
• APNIC’s TAs are backed by a Hardware Security Module (HSM), as are those of the other RIRs
• A great deal of care must be exercised when using an HSM
– For example, devices may have policies such that a certain number of failed authentication attempts leads to irreversible key destruction
• The more TA work that is happening, the greater the risk
17
![Page 18: Transitioning to a single RPKI trust anchor...How does RPKI validation work? As far as resource holdings are concerned, the issuer must cover all of the resources C1 issues /25 to](https://reader036.fdocuments.in/reader036/viewer/2022071000/5fbcbbea2d98441ccb1bb39f/html5/thumbnails/18.jpg)
How does the transition help this?
• By having the TA be responsible for all resources, the need to do TA work is limited to scheduled and well-understood events:
– Manifest/CRL reissuance
– TA reissuance
18
![Page 19: Transitioning to a single RPKI trust anchor...How does RPKI validation work? As far as resource holdings are concerned, the issuer must cover all of the resources C1 issues /25 to](https://reader036.fdocuments.in/reader036/viewer/2022071000/5fbcbbea2d98441ccb1bb39f/html5/thumbnails/19.jpg)
What do I need to do?
• If you only issue ROAs:
– No change required
• If you run relying party software:
– Once APNIC has announced the successful transition, remove the unused TAs from configuration and cache
– However, leaving them in place will not affect validity outcomes
19
![Page 20: Transitioning to a single RPKI trust anchor...How does RPKI validation work? As far as resource holdings are concerned, the issuer must cover all of the resources C1 issues /25 to](https://reader036.fdocuments.in/reader036/viewer/2022071000/5fbcbbea2d98441ccb1bb39f/html5/thumbnails/20.jpg)
When will this happen?
• Previously planned for September
• Some problems that were found during the testbed transition mean that deployment has been delayed so that further testing can occur
• An announcement will be made as to a new timeline once that has been confirmed
20
![Page 21: Transitioning to a single RPKI trust anchor...How does RPKI validation work? As far as resource holdings are concerned, the issuer must cover all of the resources C1 issues /25 to](https://reader036.fdocuments.in/reader036/viewer/2022071000/5fbcbbea2d98441ccb1bb39f/html5/thumbnails/21.jpg)
21