NANOG36-NOTES 2006.02.14 talk 7 Randy IRR routing security revisited
Many apologies... I'm no Stan Barber, but still doing my best to keep up with the note-taking. ^_^;; Matt

Slides are on Randy's site at http://rip.psg.com/~randy/060214.nanog-pki.pdf

What I want for Eid ul-Fitr
Randy Bush, randy at psg.com

Definition of Eid ul-Fitr: end of Ramadan; breaking of the fasting period, and of all evil habits. Roughly October 24th this year.

10 years ago Randy pleaded for people to use IRR; he gives up: it didn't work, it has bad data, it doesn't work. Let's get rid of it. Routing security is what we need.

Routing security gap: assume the router has been captured. Routing security (not router security) is a major problem. http://rip.psg.com/~randy/060119.janog-routesec.pdf

Need PKI: storing and passing and signing certificates.

Public Key Infrastructure
PKI Database: RIR Certs, ISP Certs, End Site Certs, IP Address Attestations, ASN Attestations.

IP and AS Attestations: specifies identity == public key of recipient, signed by the allocator's private key. Follows the allocation hierarchy: IANA (or whomever) to RIR; RIR to ISP; ISP to downstream ISP or end user enterprise.

IP allocation example: IANA to RIR: S.iana(192/8, rir). RIR allocates to ISP: S.rir(192.168/16), and so on down the chain. Each level uses its private key to sign the certs handed down the chain.

ISP/end-site certs may be acquired anywhere. They don't have to be chained to a single master organization, and the same one can be used for multiple RIRs, orgs, etc. RIRs can issue them as a service for members who don't get them anywhere else. They need no attestation because they are only used in business transactions where they are exchanged and managed by contract, or bound to IP or ASN attestations by the RIRs or upstream ISPs. Big ISPs may use an ARIN identity for an APNIC allocation or business transaction. Since the keys are acquired separately, it doesn't matter where the certs come from, or where they are used.

RIR identity is similar: it's their public key; they can get it from 'above' (RIR, NRO, IANA), or they can even self-cert.
No provision for revocation, however.

PKI Interfaces/Users: nice slide showing the interrelationships; go see the slides for it, I won't try to render it in ASCII in realtime. The certificates are directly exchanged as part of the business transaction when goods (IPs, ASNs, etc.) are exchanged. Goal is to have formally verifiable route attestations, so want replicas of the data near routers to be used to determine validity of route origination and propagation.

Transacting with PKI: RFC2585 describes FTP and HTTP transport for PKI. No need for transport security!

Tools for RIRs: generate and receive ISP certs; receive ASN and IP space attestations from upstairs.

Tools for ISPs: generate/get certs; register role certs; generate certs for downstreams; sign allocations to downstreams.

Open Issues: coordination of updates (one central repository not feasible); LDAPv3 (RFC3377) and RFC2829 for authentication; cert/key rollover and revocation not covered; may require a separate and secured communication channel.

NSF via award ANI-0221435, Steve Bellovin & JI.
From microphone, are there TTLs on certs? Yes, which is why ISP certs are separated out. Addresses from ARIN are only "yours" as long as you keep paying ARIN. Tie certs to contract terms. But the ISP identity cert is yours, nobody else should have control over rollover and expiration.
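The allocation chain from the slides (S.iana(192/8, rir), S.rir(192.168/16, isp), and so on) together with the TTL answer above, as an added example that is not from Randy's slides or any RIR tool: each link is an attestation "prefix held by this public key until this expiry" signed by the allocator's key, and a verifier walks the chain from IANA's key down. Assumptions: Ed25519 keys stand in for whatever certificate format is eventually chosen, the signed encoding "prefix|pubkey|expiry" is a stand-in for a real cert, and, as the talk notes, there is no revocation, only expiry.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"net/netip"
	"time"
)

// Attestation is one link of the allocation chain: "Prefix is held by the party
// whose public key is Holder, until Expiry", signed with the allocator's private key.
type Attestation struct {
	Prefix netip.Prefix
	Holder ed25519.PublicKey
	Expiry time.Time
	Sig    []byte
}

func (a Attestation) toBeSigned() []byte { // stand-in encoding, not a real cert format
	return []byte(fmt.Sprintf("%s|%x|%d", a.Prefix, []byte(a.Holder), a.Expiry.Unix()))
}

// Attest is what an allocator (IANA, an RIR, an ISP) runs to hand a prefix down.
func Attest(allocator ed25519.PrivateKey, p netip.Prefix, holder ed25519.PublicKey, exp time.Time) Attestation {
	a := Attestation{Prefix: p, Holder: holder, Expiry: exp}
	a.Sig = ed25519.Sign(allocator, a.toBeSigned())
	return a
}

// VerifyChain walks from the trust anchor down: every link must verify under the
// previous holder's key, sit inside the previous prefix, and be unexpired (the TTL).
func VerifyChain(anchor ed25519.PublicKey, chain []Attestation, now time.Time) error {
	signer := anchor
	for i, a := range chain {
		if !ed25519.Verify(signer, a.toBeSigned(), a.Sig) {
			return fmt.Errorf("link %d: signature does not verify under parent key", i)
		}
		if now.After(a.Expiry) {
			return fmt.Errorf("link %d: attestation expired", i)
		}
		if i > 0 {
			parent := chain[i-1].Prefix
			if a.Prefix.Bits() < parent.Bits() || !parent.Contains(a.Prefix.Addr()) {
				return fmt.Errorf("link %d: %s not within %s", i, a.Prefix, parent)
			}
		}
		signer = a.Holder // this holder is the allocator for the next link
	}
	return nil
}
```

A router-side replica only needs the anchor key and the chain; no transport security is needed because a tampered link fails the signature check.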
APNIC is working to have web pages.

Andrew Dole, Boeing: how to get funded? Randy will take cash donations. Andrew thinks it'll take 10 million to get the ball rolling. Randy doesn't think that's the problem. The operator community would prefer to see a rigorously correct and verifiable solution with reasonable security infrastructure rather than one more hack on the IRR.

Second question: what is the forum to discuss and nail down the details? He'll be at APNIC in 2 weeks; for this region the ARIN meeting in Montreal, and this meeting is good too. Nobody seems to be sure where the right place to do this is. But Randy thinks the important part is to SEND the message, that there is a valid path.

Vince Fuller: soliciting input from this group is a good thing, but be more targeted. Figure out why the previous efforts failed, and target them. Chris Morrow, Ted Seely... Randy targets some specific people in the audience.

Chris Morrow notes that one challenge he faces is being able to verify if filters are correct. Randy notes the ROUTER will verify the validity itself. Chris feels doing it in the OSS system is safer.

RS: how do you deal with crufty stuff? RIRs and the community will have to deal with that; he's just talking about giving tools to make it possible.

Sandy Murphy, Sparta: Randy, you've said there are no prefix lists needed for this; but this could be used for building filter lists, or checking updates, or for tracking customers who call in with issues, etc. This is a first step for a whole BUNCH of things. So no matter what else we want to build on top of it, this really is the first level of the foundation that needs to be built.

Beer and Gear at 5:30 directly beneath us today. Surveys will be online this afternoon; fill it out today or tomorrow!! Especially give feedback on M-W vs Sun-Tue format; next one will be M-W, then S-Tu for ARIN, after that there will be flexibility. Head for lunch, back by 2.
Participants (1): Matthew Petach