APNIC Product Manager, Registry Services George Michaelson presented on why RPKI really matters at the 2nd ICANN APAC-TWNIC Engagement Forum, held from 15 to 16 April 2021.
What's RPKI?
• RPKI is the R(esource) PKI
– OK. So what's PKI…
• PKI is Public Key Infrastructure
– Public/private keypairs, X.509 certificates (sometimes)
• Use of cryptography for identity, privacy and trust
– RPKI is a PKI for Internet Number Resources (INR)
• Trust that the delegate of the INR has said how they want them used (BGP)
• Trust that the delegate has control of the specific INR being discussed
• Here are two PKIs you're using all the time:
Some PKI you know
• Web server names
– Secured by a PKI which confirms the holder of the domain is the entity you can trust on the DNS name
– Trust embedded in the browser
• But you can manage it independently
– Governance by (semi) closed committee
• Exposes as certificates
– Websites run with private keys
Some PKI you know
• DNSSEC
– Secured by a PKI which confirms the DNS delegation is trusted
– Trust configured into the DNS software of your platform and provider(s)
– Governance in ICANN/ccTLD
• Exposes as public keys and signatures
– DNS authorities run with private keys signing DNS records
The 3 legged stool
[Figure: a three legged stool with legs labelled DNS, BGP and Addresses]
• The Internet is often described as a “three legged stool”
– Names to find the addresses (DNS)
– Unique Addresses (RIR)
– A routing model (BGP)
The 3 legged stool grew a leg (web)
[Figure: a four legged stool with legs DNS, BGP, Web and Addresses, labelled DNSSEC, RPKI and Web PKI]
• DNSSEC and web are secured by PKI certificates themselves.
• RPKI adds a PKI to both address management and routing.
• Addresses in PKI certificates
• Routing is secured by a signed “object” called a ROA
The 3 legged stool grew a leg (web)
[Figure: a four legged stool with legs DNS, BGP, Web and Addresses, every leg now covered by DNSSEC, RPKI or Web PKI]
• All the legs of the stool now have PKI
• A four legged stool is more stable than a three legged stool…
• RPKI secures two legs in a common governance structure
Securing the stool
• DNSSEC and Web Certificates widely deployed
• Trust in higher layer services, names and websites is now high
• Web protocol has moved to “secure by default”
• Semi-automatic certificate issuance now normal (letsencrypt)
• Routing and Addressing needed attention
• RIR and Operations community and IETF process led to RPKI
– SIDR and subsequently SIDROPS WG in IETF
– Governance process aligns to address policy governance in the RIR system
– Deployment is a work in progress
RPKI: The Internet’s PKI for routing
• Routing is secured by RPKI, which is managed by the RIR
– Delegation of addresses ties ownership of the PKI private key to the listed resources in the certificate
– Use of the certificate to sign Routing origination secures BGP
• origin-AS only at this time (BGP Path is work-in-progress)
• How are we doing?
RIR        IPv4   IPv6
LACNIC     28%    36%
RIPE NCC   47%    30%
AFRINIC    11%     5%
APNIC      20%    14%
ARIN       19%    10%

           IPv4   IPv6
TW         98%    93%
RPKI services delegated through TWNIC
https://www.nro.net/about/rirs/statistics/
https://stats.labs.apnic.net/
RPKI in APNIC Region
• CNNIC, IDNIC, JPNIC, TWNIC operate delegated RPKI
– VNNIC planned for 2021/2022
– IRINN/KRNIC provide service in MyAPNIC portal to their members
• APNIC Routing Security SIG has oversight/engagement
– We present RPKI statistics, uptake reports, operations reports
– APNIC Policy guidance on operation of RPKI
• use of AS0 (undelegated) RPKI ROA for unallocated/reserved APNIC INR
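As an added illustration of the origin-AS validation that ROAs enable (slide 20's "use of the certificate to sign Routing origination secures BGP") and of the AS0 ROAs for unallocated/reserved INR mentioned above, here is a small Route Origin Validation routine written for this page; it is not APNIC's, TWNIC's or any RPKI validator's own code, and the ROAs, prefixes and ASNs are constructed sample values (documentation prefixes, private ASNs).

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable

@dataclass(frozen=True)
class Roa:
    """One Route Origin Authorisation: prefix, maxLength and the authorised origin AS."""
    prefix: str
    max_length: int
    asn: int          # 0 = AS0 ROA: "this prefix must not be originated by anyone"

def rov_state(announced_prefix: str, origin_asn: int, roas: Iterable[Roa]) -> str:
    """Classify one BGP announcement against the ROA set (RFC 6811 semantics).

    Valid    - a ROA covers the prefix, the prefix is no longer than maxLength,
               and the ROA's origin AS matches the announcement.
    Invalid  - at least one ROA covers the prefix but none matches.
    NotFound - no ROA covers the prefix at all (the RPKI says nothing about it).
    """
    ann = ipaddress.ip_network(announced_prefix, strict=False)
    covered = False
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix, strict=False)
        if net.version != ann.version or not ann.subnet_of(net):
            continue                      # this ROA does not cover the announcement
        covered = True
        # An AS0 ROA covers the prefix but can never match, so every origin is Invalid.
        if roa.asn != 0 and roa.asn == origin_asn and ann.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid" if covered else "NotFound"

# Constructed sample ROAs (documentation prefixes and private ASNs, not real data).
SAMPLE_ROAS = (
    Roa("203.0.113.0/24", 24, 64496),   # holder authorises AS64496, exact /24 only
    Roa("2001:db8::/32", 48, 64496),    # IPv6 block, more-specifics down to /48 allowed
    Roa("198.51.100.0/24", 24, 0),      # AS0 ROA, as for unallocated/reserved space
)

def summarise(announcements, roas=SAMPLE_ROAS) -> dict:
    """Count Valid/Invalid/NotFound over (prefix, origin_asn) pairs, e.g. from a RIB dump."""
    counts = {"Valid": 0, "Invalid": 0, "NotFound": 0}
    for prefix, asn in announcements:
        counts[rov_state(prefix, asn, roas)] += 1
    return counts

if __name__ == "__main__":
    sample = [("203.0.113.0/24", 64496), ("203.0.113.0/25", 64496),   # ok, too specific
              ("203.0.113.0/24", 64500), ("198.51.100.0/24", 64496),  # wrong AS, AS0 ROA
              ("192.0.2.0/24", 64496), ("2001:db8:1::/48", 64496)]    # no ROA, ok
    for p, a in sample:
        print(f"{p:20} AS{a:<6} {rov_state(p, a, SAMPLE_ROAS)}")
    print(summarise(sample))
```

A real router or validator (RTR client) applies the same three-way result as policy; an operator typically rejects Invalid and accepts NotFound, which is why a ROA that is too specific (wrong maxLength) silently blackholes the holder's own more-specific announcements.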