So let's have a look and see what rpki is the resource public key infrastructure is a security framework for verifying the association between resource holder and the Internet resources and this was created to address the issues which were discussed in RFC 45 93 called generic threats the routing protocols back in October 2006 rpki helps to secure internet routing by validating rats and is proof that prefix announcements are coming from the legitimate holder of the resource our receive 6480 describes the infrastructure to support securing internet routing and that was published in February 2012 and more recently we have had RFC 71 15 origin validation operation based on the resource public key infrastructure so the benefits of rpki for routing are that it will prevent route hijacking a route hijack is where a prefix is originated by an autonomous system without authorization and the cause is usually malicious intent one entity is trying to pretend it is some other organization the second benefit is to prevent miss origination a prefix that is mistakenly originated by an AAS which does not own it and this also will prevent route leakage and usually caused by configuration mistake whether its filters or simple typing error of originated address space BGP SEC is an extension to BGP that provides improved security for BGP routing and this is being worked on by the cider working group at the IETF this is implemented via a new optional non-transitive BGP attribute that contains a digital signature the two components BGP prefix origin validation using rpki and should be pass validation we start off by having an issuing party the issuing party is the internet registry so the regional internet registries the national internet registries and large local internet registries and they act as what is known as a certificate authority and issue certificates for their customers these will provide a web interface usually to issue laws for customer prefixes and will publish the raw records the slide shows a typical example of how a peenics one functions a Pinnock has a web interface through them I a panic GUI where roars the route origin authorizations are signed these are then fed into the rpki engine and then published on a Penix rpki repository the relying party RRP is where we gather the certificate authority records in a central location so for example a network operator would build another Pete cache where it will gather the records from the various CAS the C is our intended to follow the address delegation hierarchy Iona itself doesn't actually run a repository but the five regional registries all run their own certificate authorities it's also known as an RP cache or a validate the validated cache is then used by the routers the routers will talk to the validated cache to build a local table of validated prefixes the routers will talk to this cache using something known as the RTR protocol the rpki to router protocol our PKI components therefore are the my opinion GUI which is used by the resource holder by the opinion member or the registry member to talk to the rpki engine which will then publish their data the data is fed into the rpki repository other registries will do the same thing these data will then be fed to the RP caches or are pooled by the RP caches and then pulled by the network operators router so the slide shows the various rpki components the two service models the first model is the hosted model where the regional internet registry runs the certificate authority on behalf of its members the registry will manage the keys the repository and so on and it will generate certificates for resource certifications running a CA is fairly complicated and so this is one of the services that the registries offer on behalf of the members the other model is the delegated model where the member itself becomes the certificate authority delegated from the parent CA usually the registry and in a delegated model the member operates the full rpki system Currently at least in the asia-pacific region JPNIC, TWNIC and CNIC operates CAs and these are delegated from APNIC.
© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon.
Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)
This is a human-readable summary of (and not a substitute for) the license. Disclaimer. You are free to: Share — copy and redistribute the material in any medium or format Adapt — remix, transform, and build upon the material The licensor cannot revoke these freedoms as long as you follow the license terms. Under the following terms: Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. NonCommercial — You may not use the material for commercial purposes. No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.