+ All Categories
Home > Documents > A Profile for Trust Anchor Material for the Resource ...– who should be putave TA for the RPKI...

A Profile for Trust Anchor Material for the Resource ...– who should be putave TA for the RPKI...

Date post: 16-Aug-2020
Category:

Documents
Upload: others
View: 0 times
Download: 0 times
Download Report this document
Share this document with a friend
10
A Profile for Trust Anchor Material for the Resource Cer6ficate PKI Geoff Huston SIDR WG IETF 74
Transcript
Page 1: A Profile for Trust Anchor Material for the Resource ...– who should be putave TA for the RPKI – how should TA material be published • Focus the discussion by creang a document

AProfileforTrustAnchorMaterialfortheResourceCer6ficatePKI

GeoffHustonSIDRWG

IETF74

Page 2: A Profile for Trust Anchor Material for the Resource ...– who should be putave TA for the RPKI – how should TA material be published • Focus the discussion by creang a document

Background

•  ThishasbeenthetopicofWGdiscussion– whoshouldbeputa6veTAfortheRPKI– howshouldTAmaterialbepublished

•  Focusthediscussionbycrea6ngadocumenttoaddressTrustAnchorsfortheRPKI– Removedsec6on6.3fromResCertprofiledraP– CreatedanewdraPwiththismaterial– draP‐ieR‐sidr‐ta‐00.txt

Page 3: A Profile for Trust Anchor Material for the Resource ...– who should be putave TA for the RPKI – how should TA material be published • Focus the discussion by creang a document

Who?

•  DraPissilentonprescribingrolesforbodies: “This document does not nominate any organizations as default trust anchors for the RPKI.”

•  Reasonsforthisposi6on:–  ThistaskfallsoutsideofIETFWGdirec6onrela6ngtoconven6onalprotocolparameterregistryfunc6ons

–  Thestandardtechnologyspecifica6onshouldencompassuseinabroadspectrumofcontextsincludingvariousformsofprivateuseaswellaspublic

•  However,thedocumentdoesobservethat: “for most RPs, the IANA is in a unique role as the default TA for representing public address space and public AS numbers.”

Page 4: A Profile for Trust Anchor Material for the Resource ...– who should be putave TA for the RPKI – how should TA material be published • Focus the discussion by creang a document

How?

•  NochangefrompreviousTAspecifica6onindraP‐ieR‐sidr‐res‐certs–  (asidefromsometerminologyclarifica6ons)

•  Two‐TierModelofTrustAnchor– Allowsforvaria6oninresourcesheldatthe“root”whilekeepingthetrustanchormaterialconstant

– Canbeusedinavarietyofcontexts,bothpublicandprivate

– AlignswiththeTAworkinPKIXWG(draP‐ieR‐pkix‐ta‐format‐01)

Page 5: A Profile for Trust Anchor Material for the Resource ...– who should be putave TA for the RPKI – how should TA material be published • Focus the discussion by creang a document

Signed:ETA

1.ExternalTrustAnchorCer6ficate‐ETA

Page 6: A Profile for Trust Anchor Material for the Resource ...– who should be putave TA for the RPKI – how should TA material be published • Focus the discussion by creang a document

Signed:ETA

Signed:ETA

2.Cer6ficateRevoca6onListforETA

Page 7: A Profile for Trust Anchor Material for the Resource ...– who should be putave TA for the RPKI – how should TA material be published • Focus the discussion by creang a document

Signed:ETA

Signed:ETA

Signed:ETA

3.ETAEECer6ficate(forCMSObjectVerifica6on)

Page 8: A Profile for Trust Anchor Material for the Resource ...– who should be putave TA for the RPKI – how should TA material be published • Focus the discussion by creang a document

Signed:ETA

Signed:ETA

Signed:ETA

Signed:RPKITA

4.RPKITACer6ficate

Page 9: A Profile for Trust Anchor Material for the Resource ...– who should be putave TA for the RPKI – how should TA material be published • Focus the discussion by creang a document

CMSPayload

CMSHeader

Signed:ETA

Signed:ETA

Signed:ETA

Signed:RPKITA

Signed:ETAEE

5.CMSpackagingoftheRPKITACer6ficate

Page 10: A Profile for Trust Anchor Material for the Resource ...– who should be putave TA for the RPKI – how should TA material be published • Focus the discussion by creang a document

CMSPayload

CMSHeader

Signed:ETA

Signed:ETA

Signed:ETA

Signed:RPKITA

Signed:ETAEE


Recommended
APNIC RPKI Report

APNIC RPKI Report

Documents

Delegated RPKI / ARIN Command Line

Delegated RPKI / ARIN Command Line

Documents

BGP Resource Public Key Infrastructure (RPKI) … Resource Public Key Infrastructure (RPKI) Origin Validation . ... Overview of RPKI ... Figure 5 shows the high-level network diagram

BGP Resource Public Key Infrastructure (RPKI) … Resource Public Key Infrastructure (RPKI) Origin Validation . ... Overview of RPKI ... Figure 5 shows the high-level network diagram

Documents

Introduction to RPKI

Introduction to RPKI

Internet

IP Address Certification (RPKI)

IP Address Certification (RPKI)

Technology

Resource Certification (RPKI)

Resource Certification (RPKI)

Documents

Resource Certification (RPKI) · Resource Certification (RPKI), MENOG 10 The RIPE NCC involvement in RPKI • The authority on who is the registered holder of an Internet Number

Resource Certification (RPKI) · Resource Certification (RPKI), MENOG 10 The RIPE NCC involvement in RPKI • The authority on who is the registered holder of an Internet Number

Documents

High Level Overview of RPKI & DNSSEC

High Level Overview of RPKI & DNSSEC

Technology

Resource(PublicKeyInfrastructure((RPKI) · set routing-options validation group RPKI session 202.4.96.221 hold-time 180 set routing-options validation group RPKI session 202.4.96.221

Resource(PublicKeyInfrastructure((RPKI) · set routing-options validation group RPKI session 202.4.96.221 hold-time 180 set routing-options validation group RPKI session 202.4.96.221

Documents

Adventures in RPKI (non) deployment

Adventures in RPKI (non) deployment

Documents

LIFE Elia – Creang green corridors · LIFE Elia – Creang green corridors 24/10/2014, Hannover Gérard JADOUL and Simon de VOGHEL

LIFE Elia – Creang green corridors · LIFE Elia – Creang green corridors 24/10/2014, Hannover Gérard JADOUL and Simon de VOGHEL

Documents

RPKI Tutorial and hands-on - APNIC · 2018. 1. 23. · –BGPSEC –security mechanism for BGP routing is being implemented ... What’s up in Japan •JANOG RPKI routing WG –RPKI

RPKI Tutorial and hands-on - APNIC · 2018. 1. 23. · –BGPSEC –security mechanism for BGP routing is being implemented ... What’s up in Japan •JANOG RPKI routing WG –RPKI

Documents

Intro to RPKI - APNIC Training...RFCs on RPKI • RFC 6810 – The Resource Public Key Infrastructure (RPKI) to Router Protocol (January 2013) - Standard • RFC 6480 – An Infrastructure

Intro to RPKI - APNIC Training...RFCs on RPKI • RFC 6810 – The Resource Public Key Infrastructure (RPKI) to Router Protocol (January 2013) - Standard • RFC 6480 – An Infrastructure

Documents

RPKI: An Operator’s Implementation

RPKI: An Operator’s Implementation

Internet

RPKI - UKNOF

RPKI - UKNOF

Documents

RPKI for Peering - Peering Asia 2.02.peeringasia.com/wp-content/uploads/2018/11/RPKI-for-Peering.pdf · RPKI for Peering Che-Hoo Cheng APNIC @Peering Asia 2.0 in HK 2018-10-24

RPKI for Peering - Peering Asia 2.02.peeringasia.com/wp-content/uploads/2018/11/RPKI-for-Peering.pdf · RPKI for Peering Che-Hoo Cheng APNIC @Peering Asia 2.0 in HK 2018-10-24

Documents

Updates to the RPKI Certificate Policy

Updates to the RPKI Certificate Policy

Documents

RPKI Deployment Status in Bangladesh

RPKI Deployment Status in Bangladesh

Internet