Thursday, April 28, 2011

Introduction to RPKI

What is RPKI

Resource Public Key Infrastructure (RPKI) is the name of the game.
For the Internet to work, we need BGP1 which in turn requires IP prefixes and AS numbers.  When an LIR or any multi homed organization wants to be reachable on the Internet, they have to peer using these number resources.

No security framework exists that authenticates whether a peer does indeed own the resource set that they are advertising. Consequently, rogue announcements2 may appear on the internet that will impact on the reachability of legitimate sites. RPKI allows one to take these resources, add them into a certificate and then use these resource aware certificates to sign Route Origin Authorizations (ROA) and a set of other objects that may be defined in the future (The underlying specification documents are still in draft status For the latest and up to date specifications, please see the sidr ietf page).

Number resources are issued by IANA to the 5 RIRs. These RIRs then issue resources to LIRs/NIRs which issue their resources to their customers. Their customers may issue their resources... PKIs do follow a similar tree structure where there's a root (self signed CA certificate) issues other certificates (Which may be CA certificates that subissue ...). Consequently, every resource owner can and should have a resource certificate.


These two hierarchical structures are similar and this allows them to be tightly integrated.

An example allocation structure:


Table 1: Resource Allocation table
ORG IPV4 IPV6 ASN Function
IANA 0/0 0/0 1-2**32 Issues resources to RIRS
AFRINIC 196/8 2001:4200/23 327680-328703 Issues resources to LIRS
LIR C 196.1/16 2001:4200/32 327680-327690 Large ISP.
ISP X 196.1.0/23 2001:4200/48 327685 Small ISP.

An example PKI structure:

What is RPKI...Really?

Well:
  • It allows a resource holder to prove that they do actually owns a set of resources (Binds number resources to the subject of the certificate).
  • A resource holder can provide a PKI based authorisation attesting that a peer is allowed to originate a set of prefixes on their behalf (In simple terms, I am a small company X who buys bandwidth with A & C. A ROA can be created to attest that only A & C can advertise X's prefixes)
  • CRLs are also published and their distribution points listed in certificates.
  • Certificates, CRLs and products such as ROAs for each authority publication point are listed along with their hashes in a signed structure that is published. This structure is called a manifest(mft).
  • CA certs, CRLs, MFTs, ROAs are published in a repository to the world over rsync and optionally https.
  • Validation tools exist that can validate an entire repository tree
Next, A quick peek at sample RPKI certificates.

No comments:

Post a Comment