NANOG36-NOTES 2006.02.14 talk 7 Randy IRR routing security revisited

Tue Feb 14 20:42:53 UTC 2006

Many apologies...I'm no Stan Barber, but still doing my best to keep up
with the note-taking.  ^_^;;

Matt

Slides are on Randy's site at
http://rip.psg.com/~randy/060214.nanog-pki.pdf

What I want for Eid ul-Fitr
Randy Bush
randy at psg.com

Definition of Eid ul-Fitr; end of Ramadan; breaking
of the fasting period, and of all evil habits.
Roughly October 24th this year.

10 years ago Randy plead for people to use IRR;
he gives, it didn't work, it has bad data, it
doesn't work.  Let's get rid of it.

Routing security is what we need.

Routing security gap
assume router has been captured.
routing security (not router) is a major problem.

http://rip.psg.com/~randy/060119.janog-routesec.pdf

need PKI, storing and passing and signing certificates.

Public Key Infrastructure
PKI Database
RIR Certs
ISP Certs
End Site Certs
IP Addresss Attestations
ASN Attestations

IP and AS Attestations
specifies identity == pyblic ckey of recipient
signed by allocator's private key
Follows allocation hierarchy
 IANA (or whomever) to RIR
 RIR to ISP
 ISP to downstream ISP or end user enterprise

IP allocation example
 IANA to RIR
 S.iana (192/8, rir)
 RIR allocatees to ISP
 S.rir(192.168/16)
and so on down the chain.
Each chain uses the private key to sign the certs
to hand down the chain.

ISP/End-site-certs
May be acquired anywhere.  Don't have to be chained to
a single master organization, and can use the same one
for multiple RIRs, orgs, etc.
RIRs can issue as a service for members who don't get
them anywhere.
They need no attestation because they are only used
 in business transactions where they are exchanged and
 managed by contract, or
 Bound to IP or ASN attestations by the RIRs or upstream
  ISPs.
Big ISPs may use an ARIN identity for an APNIC allocation
 or business transaction.

Since the keys are acquired separately, doesn't matter
where the certs come from, or where used.

RIR Identity similar.
it's their public key
can get it from 'above', RIR< NRO, IANA, or they can
even self cert.

No provision for revocation, however.

PKI Interfaces/Users
Nice slide showing the interrrelationships; go see
the slides for it, I won't try to render it in ASCII
in realtime.

The certificates are directly exchanged as part of
the business transaction when goods (IPs, ASNs, etc)
are exchanged.

Goal is to have formally verifiable route
attestations, so want replicas of data near routers
to be used to determine validity of route origination
and propagation.

Transacting with PKI
RFC2585 descripts FTP and HTTP transport for PKI
no need for transport security!

Tools for RIRs
Generate and receive ISP certs
Receive ASN and IP space attestations from upstairs

Tools for ISPs
generate/get certs
register role certs
generate certs for downstreams
sign allocations to downstreams

Open Issues
Coordination of updates
one central repository not feasible
LDAPv3 RFC3377 and RFC2829 for authentication
Cert/key rollover and revocatoin not covered
May require a separate and secured communication
 channel

NSF via awared ANI-0221435
Steve Bellovin & JI

>From microphone, are there TTLs on certs?  Yes, which is
why ISP certs are separated out.  Addresses from ARIN are
only "yours" as long as you keep paying ARIN.
Tie certs to contract terms.  But the ISP identity cert
is yours, nobody else should have control over rollover
and expiration.

APNIC is working to have web pges

Andrew Dole, Boeing; how to get funded--Randy will take
cash donations.  Andrew thinks it'll take 10 million to
get the ball rolling.
Randy doesn't think that's the problem.  The operator
community would prefer to see a rigorously correct and
verifiable solution with reasonable security infrastructure
rather than one more hack on the IRR.
Second question.  What is forum to discuss and nail down
the details?  He'll be at APNIC in 2 weeks; for this region
the ARIN meeting in Montreal, and this meeting is good
too.
Nobody seems to be sure where the right place to do this
is.  But Randy thinks the important part is to SEND the
message, that there is a valid path.

Vince Fuller.  Soliciting input from this group is a
good thing, but be more targetted.  Figure out why the
previous efforts failed, and target them.
Chris Morrow, Ted Seely...Randy targets some specific
people in the audience.

Chris Morrow notes that one challenge he faces is
being able to verify if filters are correct.
Randy notes the ROUTER will verify the validity itself.
Chris feels doing it in OSS system is safer.

RS--how do you deal with crufty stuff?  RIRs and
community will have to deal with that, he's just
talking about giving tools to make it possible.

Sandy Murphy, Sparta--Randy, you've said there's no
prefix lists needed for this; but this could be used
for building filter lists, or checking updates, or for
tracking customers who call in with issues, etc.
this is a first step for a whole BUNCH of things.
So no matter what else we want to build on top of
it, this really is the first level of the foundation
that needs to be built.

Beer and Gear at 5:30 directly beneath us today.

Surveys will be online this afternoon--fill it out
today or tomorrow!!
Especially give feedback on M-W vs Sun-Tue format;
next one will be M-W, then S-Tu for ARIN, after
that there will be flexibility.

Head for lunch, back by 2.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20060214/614f2e2f/attachment.html>