local ta management in prior wg meetings i presented a model for local management of trust anchors...
TRANSCRIPT
![Page 1: Local TA Management In prior WG meetings I presented a model for local management of trust anchors for the RPKI In response to these presentations, a](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d0b5503460f949df054/html5/thumbnails/1.jpg)
![Page 2: Local TA Management In prior WG meetings I presented a model for local management of trust anchors for the RPKI In response to these presentations, a](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d0b5503460f949df054/html5/thumbnails/2.jpg)
Local TA Management
In prior WG meetings I presented a model for local management of trust anchors for the RPKI
In response to these presentations, a request was made to create a document that explains in detail how to implement this approach to local TA management
This presentation describes the document that is being prepared
We are soliciting feedback on the document, and seeking to make this a WG item
2
![Page 3: Local TA Management In prior WG meetings I presented a model for local management of trust anchors for the RPKI In response to these presentations, a](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d0b5503460f949df054/html5/thumbnails/3.jpg)
The Model: The RP is the TA!
The model we propose calls for each RP to recognize exactly one TA, itself!
The RP imports putative TAs (typically in the form of self-signed certificates) and re-homes them under itself
The RP can thus override the RPKI nominal hierarchy, as represented in the repository system (paralleling the allocation hierarchy)
3
![Page 4: Local TA Management In prior WG meetings I presented a model for local management of trust anchors for the RPKI In response to these presentations, a](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d0b5503460f949df054/html5/thumbnails/4.jpg)
Making this Work in the RPKI
We will need to be able to create new certificates, often with modified RFC 3779 extensions
To make this work The self-signed RP certificate must contain RFC 3779
extensions encompassing all addresses and all ASNs The RP re-issues certificates with new 3779 extensions to
override the RPKI tree Delete overlapping 3779 data as neededRe-homing targeted certificates under the RP TARe-homing ancestors of re-parented certificates under the RP
TA
The RP can also override certain fields of the re-issued certificate using a “constraints file”
4
![Page 5: Local TA Management In prior WG meetings I presented a model for local management of trust anchors for the RPKI In response to these presentations, a](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d0b5503460f949df054/html5/thumbnails/5.jpg)
An RPKI TA Example
5
APNIC
IANA
Reservedaddresses
LACNIC
Unallocated addresses
ARIN AFRINICRIPE
![Page 6: Local TA Management In prior WG meetings I presented a model for local management of trust anchors for the RPKI In response to these presentations, a](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d0b5503460f949df054/html5/thumbnails/6.jpg)
RPKI with Local Control
6
APNIC
Reservedaddresses
LACNIC
Unallocated addresses
ARIN AFRINICRIPEIANA
(RP wants to make use of 10/8 for local routing)
![Page 7: Local TA Management In prior WG meetings I presented a model for local management of trust anchors for the RPKI In response to these presentations, a](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d0b5503460f949df054/html5/thumbnails/7.jpg)
A More Detailed Example
7
ARIN
FOO
BAR
P-ARIN
P-BAR
As offered by ARIN As managed by an RP
P-FOO
(RP trusts its own knowledge of BAR’s address allocation and does not want any action by ARIN or FOO to override that knowledge)
![Page 8: Local TA Management In prior WG meetings I presented a model for local management of trust anchors for the RPKI In response to these presentations, a](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d0b5503460f949df054/html5/thumbnails/8.jpg)
Elements of the Solution
Constraints file
Resource re-writing algorithm Target processing Ancestor processing Tree processing TA re-homing
Path discovery
Revocation
Expiration
8
![Page 9: Local TA Management In prior WG meetings I presented a model for local management of trust anchors for the RPKI In response to these presentations, a](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d0b5503460f949df054/html5/thumbnails/9.jpg)
Constraints FileThe RP creates a constraints file specifying IP
address and AS# resources for target certificates Certificates are specified by SKI
The constraints file also allows the RP to control rewriting certain fields in the re-issued certificates Validity dates CRLDP AIA Policy Qualifier OID
![Page 10: Local TA Management In prior WG meetings I presented a model for local management of trust anchors for the RPKI In response to these presentations, a](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d0b5503460f949df054/html5/thumbnails/10.jpg)
Resource Rewriting AlgorithmThere are four stages to the algorithm
Target processingCertificates that match a given SKI have their resources
rewritten to those specified in the constraints file Ancestor processing
Ancestors of targets are processed to insure RFC3779 rule compliance
Tree processingThe entire tree of certificates is searched, and certificates
with resources that conflict with any target resources are modified to remove the conflict
TA re-homingAll TAs in the original hierarchy are re-issued under the
RP’s sole TA
![Page 11: Local TA Management In prior WG meetings I presented a model for local management of trust anchors for the RPKI In response to these presentations, a](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d0b5503460f949df054/html5/thumbnails/11.jpg)
Processing Order Dependencies?What happens if a certificate is processed by more
than one stage of the algorithm? Can the resulting “para-certificate” be dependant on the
order of the entries in the constraints file?
An iterative sorting algorithm is applied to the constraint file entries to remove such dependencies
There is an upper bound on the iteration count to ensure that the algorithm converges
So long as the maximum path length is less than or equal to this upper bound, no order dependency can occur
![Page 12: Local TA Management In prior WG meetings I presented a model for local management of trust anchors for the RPKI In response to these presentations, a](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d0b5503460f949df054/html5/thumbnails/12.jpg)
ImplicationsThis algorithm creates two parallel hierarchies: the
original certificate hierarchy and the para-certificate hierarchy
There are implications for path discovery, since a certificate can now have an original parent and a para-parent
There are implications for revocation
There are also implications for expiration, since the constraints file allows rewriting the validity interval of para-certificates
![Page 13: Local TA Management In prior WG meetings I presented a model for local management of trust anchors for the RPKI In response to these presentations, a](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d0b5503460f949df054/html5/thumbnails/13.jpg)
Path Discovery Path discovery prefers the para-certificate hierarchy
If a certificate has a para-parent, that para-parent will be used to form the certificate path
If the certificate has only an original parent, but that parent was a target specified in the constraints file, or an ancestor of such a target, then path discovery fails This can occur if the RP has revoked the para-certificate, the
original certificate is still present, and the Local TA tool has not yet been run to regenerate the para-certificate
If the certificate has only an original parent, and the parent is not a target, or the ancestor of a target, path discovery can proceed up the original chain
![Page 14: Local TA Management In prior WG meetings I presented a model for local management of trust anchors for the RPKI In response to these presentations, a](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d0b5503460f949df054/html5/thumbnails/14.jpg)
RevocationThe original hierarchy and the para-hierarchy are
disjoint; revocation of a certificate in one does not affect the other
Para-certificates are all issued by the RP, so only the RP can revoke them
Original certificates can still be revoked by their issuers
Because of the modified path discovery rule, revocation of any para-certificate will cause path discovery to fail until the para-certificate has been replaced or regenerated
![Page 15: Local TA Management In prior WG meetings I presented a model for local management of trust anchors for the RPKI In response to these presentations, a](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d0b5503460f949df054/html5/thumbnails/15.jpg)
ExpirationThe constraints file allows the RP to specify notBefore
and notAfter for all para-certificates This is a global rewrite rule, not a per-certificate rewrite
rule
As a result, expiration of the original certificate does not necessarily imply that the corresponding para-certificate expires at the same time
Expiration of a para-certificate affects path discovery in the same way as revocation of a para-certificate If an original certificate was encompassed by the
constraint file rules, and the para-certificate is not present, the original certificate cannot be used to form a path
![Page 16: Local TA Management In prior WG meetings I presented a model for local management of trust anchors for the RPKI In response to these presentations, a](https://reader030.vdocument.in/reader030/viewer/2022032723/56649d0b5503460f949df054/html5/thumbnails/16.jpg)
Questions?
16