Transitioning to a single RPKI trust anchor


Post on 16-Aug-2020


What is the current state?

[Diagram: five trust anchors (APNIC from IANA TA, APNIC from RIPE TA, APNIC from ARIN TA, APNIC from AFRINIC TA, APNIC from LACNIC TA); the CAs APNIC from IANA CA, APNIC from AFRINIC CA, APNIC from ARIN CA, APNIC from RIPE CA and APNIC from LACNIC CA; member CAs.]

How does the transition happen? (1)

[Diagram: APNIC TA in place of APNIC from IANA TA, alongside APNIC from RIPE TA, APNIC from ARIN TA, APNIC from AFRINIC TA and APNIC from LACNIC TA; the five "APNIC from ... CA" certificates (IANA, AFRINIC, ARIN, RIPE, LACNIC); member CAs.]

● APNIC TA expanded to cover 0/0, ::/0, AS1-4294967295


How does the transition happen? (2)

[Diagram: APNIC TA, APNIC from RIPE TA, APNIC from ARIN TA, APNIC from AFRINIC TA and APNIC from LACNIC TA; the five "APNIC from ... CA" certificates (IANA, AFRINIC, ARIN, RIPE, LACNIC); member CAs; new APNIC Intermed. CA.]

● APNIC TA issues new intermediate online certificate

● Intermediate certificate also covers 0/0, ::/0, AS1-4294967295

How does the transition happen? (3)

[Diagram: APNIC TA, APNIC from RIPE TA, APNIC from ARIN TA, APNIC from AFRINIC TA and APNIC from LACNIC TA; the five "APNIC from ... CA" certificates (IANA, AFRINIC, ARIN, RIPE, LACNIC); member CAs; APNIC Intermed. CA.]

● One existing online certificate is re-signed by the intermediate


How does the transition happen? (4)

[Diagram: APNIC TA, APNIC from RIPE TA, APNIC from ARIN TA, APNIC from AFRINIC TA and APNIC from LACNIC TA; the five "APNIC from ... CA" certificates (IANA, AFRINIC, ARIN, RIPE, LACNIC); member CAs; APNIC Intermed. CA.]

● Remaining online certificates are re-signed by the intermediate


How does the transition happen? (5)

[Diagram: APNIC TA, APNIC from RIPE TA, APNIC from ARIN TA, APNIC from AFRINIC TA and APNIC from LACNIC TA; the five "APNIC from ... CA" certificates (IANA, AFRINIC, ARIN, RIPE, LACNIC); member CAs; APNIC Intermed. CA.]

● Unused TAs are withdrawn from publication


What is the state after the transition?

[Diagram: APNIC TA only; APNIC Intermed. CA; the five "APNIC from ... CA" certificates (IANA, AFRINIC, ARIN, RIPE, LACNIC); member CAs.]

Why is this happening?

● Increase RIR consistency by aligning on TA approach

● Reduce invalidity risks associated with:

– Inter-RIR transfers and other changes in resource disposition

– TA work


How is RIR consistency helped?

• Each of the other RIRs has a single TA

• APNIC has five TAs, because of expectations around system development that were overtaken by events

• This lack of consistency concerns people who might otherwise be interested in using RPKI

• Having each RIR explicitly adopt the same approach deals with this problem


How does RPKI validation work?

● As far as resource holdings are concerned, the issuer must cover all of the resources

● C1 issues /25 to C2, and C2 issues /25 to C3: all certificates valid

Issuer: C1, Subject: C1, 192.0.2.0/24

Issuer: C1, Subject: C2, 192.0.2.0/25

Issuer: C2, Subject: C3, 192.0.2.0/25

How does RPKI validation work?

● If any of the resources are not covered, the certificate as a whole is invalid

● C1 reissues C2 with /26: C3 now entirely invalid

Issuer: C1, Subject: C1, 192.0.2.0/24

Issuer: C1, Subject: C2, 192.0.2.0/26

Issuer: C2, Subject: C3, 192.0.2.0/25

How can transfers affect validity?

● Before inbound transfer: each certificate’s resources covered by issuer, so each certificate is valid

[Diagram: APNIC TA, APNIC from RIR CA and three member CAs, marked ✔.]

How can transfers affect validity?

● Transfer occurs, but operator error/bug leaves TA unpublished

● Online CA overclaims: invalid

● All member CAs become invalid, not just those receiving transferred resources

[Diagram: APNIC TA, APNIC from RIR CA and four member CAs, marked ✘.]

How can this problem be resolved?

• There is a document currently working through the IETF, draft-ietf-sidr-rpki-validation-reconsidered, that allows an overclaiming certificate to be considered valid for those resources that are covered by its issuer

• However, it will be some time before the document is finalised, and longer still until relying party software is upgraded and deployed


How does the transition help this?

● If the TA claims all resources

● Then it’s impossible for the online CA to overclaim

● And mass invalidity due to overclaiming can’t occur

[Diagram: APNIC TA (0/0, ::/0, AS1-4294967295), APNIC from RIR CA and three member CAs, marked ✔ "always".]
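The coverage rule from the validation slides, the transfer failure, and the effect of a TA that claims 0/0, worked through as an added example (not APNIC's code and not taken from any relying party software). The 203.0.113.0/24 and 198.51.100.0/24 holdings and the names TA, Online, MemA and MemB are constructed; verified_resources sketches the idea behind draft-ietf-sidr-rpki-validation-reconsidered for IPv4/IPv6 prefixes only.

```python
import ipaddress

def nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]

def inside(a, b):  # is prefix a within prefix b (same address family)?
    return a.version == b.version and a.subnet_of(b)

def valid_strict(certs, name):
    """Rule on the slides: one uncovered resource invalidates the certificate."""
    issuer, prefixes = certs[name]
    if issuer == name:                       # self-signed trust anchor
        return True
    parent = nets(certs[issuer][1])
    covered = all(any(inside(s, p) for p in parent) for s in nets(prefixes))
    return covered and valid_strict(certs, issuer)

def verified_resources(certs, name):
    """Reconsidered idea: keep only the resources the issuer chain covers."""
    issuer, prefixes = certs[name]
    if issuer == name:
        return nets(prefixes)
    parent, kept = verified_resources(certs, issuer), []
    for s in nets(prefixes):
        for p in parent:
            if inside(s, p):
                kept.append(s)               # claim fully covered
            elif inside(p, s):
                kept.append(p)               # overclaim trimmed to issuer's part
    return kept

SLIDE_12 = {  # constructed data: subject -> (issuer, claimed prefixes)
    "C1": ("C1", ["192.0.2.0/24"]),
    "C2": ("C1", ["192.0.2.0/26"]),          # reissued with /26
    "C3": ("C2", ["192.0.2.0/25"]),
}

def transfer_case(ta_prefixes):
    """Online CA already lists a transferred-in block; the TA may lag behind."""
    return {
        "TA": ("TA", ta_prefixes),
        "Online": ("TA", ["203.0.113.0/24", "198.51.100.0/24"]),
        "MemA": ("Online", ["203.0.113.0/25"]),    # received no transfer
        "MemB": ("Online", ["198.51.100.0/24"]),   # received the transfer
    }

if __name__ == "__main__":
    for certs in (SLIDE_12, transfer_case(["203.0.113.0/24"]), transfer_case(["0.0.0.0/0"])):
        print({n: valid_strict(certs, n) for n in certs})
```

With the stale TA, MemA fails strict validation even though it received nothing in the transfer; with the TA at 0.0.0.0/0 the same online CA certificate validates unchanged.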

How can TA work affect validity?

• APNIC’s TAs are backed by a Hardware Security Module (HSM), as are those of the other RIRs

• A great deal of care must be exercised when using an HSM

– For example, devices may have policies such that a certain number of failed authentication attempts leads to irreversible key destruction

• The more TA work that is happening, the greater the risk


How does the transition help this?

• By having the TA be responsible for all resources, the need to do TA work is limited to scheduled and well-understood events:

– Manifest/CRL reissuance

– TA reissuance


What do I need to do?

• If you only issue ROAs:

– No change required

• If you run relying party software:

– Once APNIC has announced the successful transition, remove the unused TAs from configuration and cache

– However, leaving them in place will not affect validity outcomes


When will this happen?

• Previously planned for September

• Some problems that were found during the testbed transition mean that deployment has been delayed so that further testing can occur

• An announcement will be made as to a new timeline once that has been confirmed
