RPKI Validation Revisited: Challenges and Solutions

Slide Note
Embed
Share

Revisiting RPKI validation raises questions about the complexity and fragility of the current model, highlighting the risks of unintentional certificate invalidation and large-scale routing failures. The focus is on simplifying the framework while minimizing the scope of consequential damage due to INR mismatches.

gemn
gemn Follow

Uploaded on Oct 09, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. RPKI Validation - Revisited draft-huston-rpki-validation-01.txt Geoff Huston George Michaelson APNIC Slide 1/19

  2. Motivation The current model of validation, when applied to the RIR model of resource distribution, has lead us to an intricate system of multiple certificates with complex transitional states with a high degree of fragility The consequences of INR inconsistencies at points that are high in the RPKI hierarchy include the potential for catastrophically large routing failures though unintentional certificate invalidation Demanding persistent absolute perfection from our certificate management systems has its elements of risk Is it possible to think about removing some aspects of this complexity within the RPKI framework, and also reducing the scope of consequential damage of certificate INR mismatch? Slide 2/19

  3. RPKI Validation RFC3779: For a certificate to be valid : the certificate must satisfy a number of criteria, Syntax correctness, validity dates, etc and there must exist an ordered sequence of certificates (1..n) where: Certificate 1 is issued by a trust anchor Certificate x s Subject Name value matches Certificate x+1 s Issuer Name value The resources in the INR extensions of Certificate x+1 must be subsumed by the INR extensions listed in Certificate x Certificate n is the certificate to be validated Certificates 1 through n-1 are also valid according to this same criteria Slide 3/19

  4. This is Valid Local Trust Anchor Issuer: A Subject: B Resources: 192.0.2.0/24, AS64996-AS65000 Issuer: B Subject: C Resources: 192.0.2.0/25, AS64996-AS65000 Certificate being Tested for validity Issuer: C Subject: D Resources: 192.0.2.0/25 Slide 4/19

  5. This is not Valid Local Trust Anchor Issuer: A Subject: B Resources: 192.0.2.0/24, AS64996-AS65000 Issuer: B Subject: C Resources: 192.0.2.0/25, AS64996-AS65011 Certificate being Tested for validity Issuer: C Subject: D Resources: 192.0.2.0/25 Slide 5/19

  6. This is not Valid Local Trust Anchor Issuer: A Subject: B Resources: 192.0.2.0/24, AS64996-AS65000 Issuer: B Subject: C Resources: 192.0.2.0/25, AS64996-AS65011 Certificate being Tested for validity Issuer: C Subject: D Resources: 192.0.2.0/25 Slide 6/19

  7. Why is this? We looking at the entire collection of resources in a certificate as an immutable blob when we think about validation Why are we doing this? Are there alternative perspectives? Slide 7/19

  8. The Semantics of an RPKI Certificate What is the semantic difference between a single certificate and a collection of certificates with common crypto and control values? Issuer: A Subject: B Resources: AS64996-AS64998 ? Issuer: A Subject: B Resources: 192.0.2.0/24, AS64996-AS65000 Issuer: A Subject: B Resources: AS64999-AS65000 Issuer: A Subject: B Resources: 192.0.2.0/24 Slide 8/19

  9. The Semantics of an RPKI certificate What s critical in terms of the Resources contained in the RPKI cert? Is it the COLLECTION of resources that s critical? Or the ENUMERATION of the resources contained in that collection? Lets explore the implications of asserting that it s the the enumeration of the individual resources contained in the certificate that are critical here, not the particular collection of resources 9 Slide 9/19

  10. The Semantics of an RPKI Certificate These two certificate sets represent the same information Issuer: A Subject: B Resources: AS6496-AS6498 Issuer: A Subject: B Resources: 192.0.2.0/24, AS6496-AS6500 Issuer: A Subject: B Resources: AS64499-AS6500 Issuer: A Subject: B Resources: 192.0.2.0/24 Slide 10/19

  11. So what? The RFC3779 definition of certificate validation has its operational consequences Treating the collection of resources as an immutable aggregate has caused considerable complexity and fragility in the RPKI Examples: Holders of resources that have different allocation paths require multiple certificates Changes in resource holdings require careful synchronization of certificate issuance actions between distinct actors Mismatch in collections between parent and child certificates invalidates the entire child hierarchy Slide 11/19

  12. An Alternative Approach Treat each RPKI certificate as a separable set of resources with a common crypto bundle Re-phrase the RP s validation approach to validate as many of the resources contained in the certificate s INR extension as possible, with a given set of TAs For each certificate generate a set of resources which is the union of all resources that can be validated via this certificate by the RP using the set of the RP s chosen TAs Slide 12/19

  13. An Alternative Validity question Replace: Is this certificate valid for the entire collection of resources listed in the certificate? with: For which resourcesis this certificate valid? i.e. associate a computed set of resources with a certificate such that these are the resources that the RP can validate using the RP s chosen set of TAs Slide 13/19

  14. This is Valid for 192.0.2.0/25 Local Trust Anchor 192.0.2.0/24, AS64996-AS65000 Issuer: A Subject: B Resources: 192.0.2.0/24, AS64996-AS65000 Issuer: B Subject: C Resources: 192.0.2.0/25, AS64996-AS65011 192.0.2.0/25, AS64996-AS65000 Issuer: C Subject: D Resources: 192.0.0.0/16 192.0.2.0/25 Slide 14/19

  15. An example using Multiple TAs Local Trust Anchor 2 Local Trust Anchor 1 Issuer: X Subject: B Resources: AS64996-AS65000 Issuer: A Subject: B Resources: 192.0.2.0/24 AS64996-AS65000 192.0.2.0/24 Issuer: B Subject: C Resources: 192.0.2.0/25, AS64996-AS65011 192.0.2.0/25, AS64996-AS65000 192.0.2.0/25, AS65000 Issuer: C Subject: D Resources: 192.0.0.0/16, AS65000-AS65011 Slide 15/19

  16. What else changes? Not much: A ROA is valid if the certificate used to sign the ROA is valid for the resources listed in the ROA Similar refinements can be used in other cases of RPKI certificate use The semantics of certificate issuance are unaltered: CAs only issue certificates based on their records of the resources held by the subordinate entity The top-down local cache validation function is consistent with the current approach to local cache management Slide 16/19

  17. A revised Local Cache Management Approach Perform top-down local cache construction Add a data object to the local cache of each certificate This object holds the intersection of the resources listed in the associated certificate and the resources in the data object associated with the parent certificate Use the resources in the associated data object instead of the resources listed in the certificate in all cases where resources certified by this certificate are used Slide 17/19

  18. This Alternate RPKI Validation Model This alternative approach: For a certificate to be valid for a given Internet Number Resource: the certificate must satisfy a number of criteria, Syntax correctness, validity dates, etc and there must exist an ordered sequence of certificates (1..n) where: Certificate 1 is issued by a trust anchor Certificate x s Subject Name value matches Certificate x+1 s Issuer Name value The resources in the INR extensions of Certificate x must subsume the given Internet Number Resource Certificate n is the certificate to be validated Certificates 1 through n-1 are also valid according to this same criteria Slide 18/19

  19. So what? This approach provides a higher degree of robustness to the RPKI system and can simplify the mapping of multiple allocation registries into equivalent certificates Examples: Holders of resources can use a single certificate to describe the entirety of their resource holdings (or not, as it would be effectively a choice available to the resource holder) Changes in resource holdings would need not be synchronized across CAs, as the only aspect of potential disruption is the resource that is being moved Local Trust Anchors could be used to refer to specific resource sets without additional support mechanisms Slide 19/19

Related


RPKI Deployment and Security Overview

RPKI Deployment and Security Overview

boehlke_j
Enhancing Interdomain Routing Security with RPKI

Enhancing Interdomain Routing Security with RPKI

yunker_b
Transitioning to BGP Security: Incentives and Challenges

Transitioning to BGP Security: Incentives and Challenges

aalca
Snow Cover Validation Workshop 2013 Overview

Snow Cover Validation Workshop 2013 Overview

mpie
ESA Validation Approach & Fiducial Reference Measurements Overview

ESA Validation Approach & Fiducial Reference Measurements Overview

newell_c
Implementing Data Validation in National Accounts with Eurostat

Implementing Data Validation in National Accounts with Eurostat

elin
Understanding Clinical Validation and DRG Validation in Healthcare

Understanding Clinical Validation and DRG Validation in Healthcare

belen
Insights from CCMC-Led Model Validation Challenges & International Coordination

Insights from CCMC-Led Model Validation Challenges & International Coordination

tfout
Machine Learning Techniques: K-Nearest Neighbour, K-fold Cross Validation, and K-Means Clustering

Machine Learning Techniques: K-Nearest Neighbour, K-fold Cross Validation, and K-Means Clustering

yetz582
Understanding Cross-Validation in Machine Learning

Understanding Cross-Validation in Machine Learning

kray
CEOS LPV Fire Disturbance Products Overview

CEOS LPV Fire Disturbance Products Overview

kem_kis
Facilities Information Management System (FIMS) Data Validation Process

Facilities Information Management System (FIMS) Data Validation Process

jeo_k
Evolution of Serials Validation Processes at OhioLINK

Evolution of Serials Validation Processes at OhioLINK

evel_571
NIMAS File Validation Using NIMAC Validation Wizard

NIMAS File Validation Using NIMAC Validation Wizard

imran
Enhancing NIMAS File Validation with New Validation Wizard

Enhancing NIMAS File Validation with New Validation Wizard

rudd_i
Evolution of vCloud Air ISV Program in 2015

Evolution of vCloud Air ISV Program in 2015

fsam
Ortho Vision Validation and Operation in RCI

Ortho Vision Validation and Operation in RCI

farah
Approval and Validation Updates for NR MIMO OTA in 3GPP TSG-RAN.WG4 Meeting

Approval and Validation Updates for NR MIMO OTA in 3GPP TSG-RAN.WG4 Meeting

abram
Staff Data Validation Training 2023-2024 Overview

Staff Data Validation Training 2023-2024 Overview

waah
SAGE III Validation Update: Mission Planning, Partnerships, and Criteria

SAGE III Validation Update: Mission Planning, Partnerships, and Criteria

osinski_z
Understanding ASP.NET Validators and Validation Controls

Understanding ASP.NET Validators and Validation Controls

arve_907
Understanding Validation in Authentic Assessment Items

Understanding Validation in Authentic Assessment Items

oli_br
Overview of Sea Ice Characterization and Validation Process

Overview of Sea Ice Characterization and Validation Process

vanc_joy
Principles of Calibration, Validation, and Warehousing in Pharmaceutical Quality Assurance

Principles of Calibration, Validation, and Warehousing in Pharmaceutical Quality Assurance

olaf

More Related Content