Daniel Karrenberg Elected As Chair of ISOC's Board of Trustees

Daniel Karrenberg Elected As Chair of ISOC's Board of Trustees

www.ripe.net Information bulletin for the members of the RIPE NCC The RIPE NCC Member Update Daniel Karrenberg Elected as Chair of ISOC’s is intended for LIR Board of Trustees contacts. If you are not the right The RIPE NCC is pleased to announce that its person to receive Chief Scientist, Daniel Karrenberg, has been this update, please elected as the new Chair of the Internet Society’s forward it to the (ISOC’s) Board of Trustees. Daniel was elected appropriate colleague. on 1 July 2006 during ISOC’s Annual General Meeting (AGM) which was held in Marrakesh, Morocco. “The Internet Society has much to contribute to the continued success of the Internet,” said Daniel. “The diligent work of my predecessors, the Trustees and the staff has put the society in a very sound position. Building on this foundation, we will intensify our work in the areas of public policy and education. We will ensure that the © Merlin Daleman Internet Engineering Task Force (IETF) has the Daniel Karrenberg, Chief Scientist, RIPE NCC administrative support it needs to continue its exemplary standardisation work. We will continue was awarded the Jon Postel service award in to build a healthy network of chapters for local recognition of two decades of extraordinary activities close to the Internet users. All this will dedication to the development of networking help us to realise our motto ‘The Internet is for in Europe and around the world. A regular IETF Everyone’”. participant since 1992, Daniel has co-authored several RFCs. Daniel is a pioneer member of ISOC and has been actively involved with the development We hope you will join the RIPE NCC in of many of the society’s educational initiatives. congratulating Daniel on his election and wishing He taught tutorials at early INET conferences, him continued success with the important supported networking workshops and has contributions he makes to ISOC’s work for the written ISOC member briefings about Internet Internet community. • operations and coordination. In 2001, he This publication is available online at: Table of Contents http://www.ripe.net/ membership/newsletter/ Daniel Karrenberg Elected as RIPE “IP Anti-Spoofing” Task Force Formed 8 Chair of ISOC’s Board of Trustees 1 IP Resource Request Forms and If you have any Certification of IP Resources 2 - 3 Supporting Notes 9 feedback about this RIPE Policy Development in 2006 4 - 5 NRO Activities Related to Internet Governance 9 publication, please RIPE NCC Policy Development Officer 5 NRO Represented in Internet Governance contact: RIPE Meetings 5 Forum Advisory Group 9 [email protected] RIPE NCC General Meetings 6 The Internet Governance Forum, Athens 2006 10 RIPE NCC Regional Meetings 6 Improvements to RIPE NCC’s DNS Services 11 New ARIN Outreach Tools 7 The RIPE NCC E-Learning Centre 11 APNIC Update 7 - 8 Conference Calendar 12 Updated RIPE Database User Manual 8 RIPE NCC Training Courses 12 © RIPE NCC The mission of the RIPE NCC is to perform activities for the benefit of the membership; primarily activities All right reserved. that the members need to organise as a group, although they may compete with each other in other areas. Certification of IP Resources Geoff Huston, Internet Research Scientist, APNIC Introduction relating to address prefixes. So when a client network requests its ISP to accept a routing advertisement for a particular address prefix, The Internet has presented us with some novel how can the service provider establish whether challenges in its role as a global communications the request is valid and the addresses are, platform. These challenges include creating indeed, ones that properly can be associated applications that support new communication with the client network? When two ISPs enter paradigms, as well as tackling an entirely new Geoff Huston, APNIC into a peering arrangement at a local exchange, realm of security considerations. It is this latter how can each ISP tell whether all the route area, and in particular the aspect of network advertisements from the other ISP are valid? infrastructure security, that resource certification The task of establishing the validity of routing can play a critically important role. requests and routing advertisements is one that has serious repercussions if a mistake occurs, One of the common vulnerabilities of the Internet particularly if the ISP admits a malicious route lies in the routing subsystem. If it is possible to into the routing fabric. inject false routing information into the routing system, then a number of forms of hostile attack are enabled. In this case, there is no need Validating Routing Requests to compromise the proper operation of any particular application, nor is there any need to There are various information resources available create a drone army through the assembly of today that can assist in validating a routing captured end systems. request, including WHOIS database queries and Internet Routing Registries (IRRs). However, such By being able to manipulate the network’s routing resources have some issues with the currency, state, it is possible to redirect user traffic as well accuracy, completeness and the validity of the as to perform traffic inspection, alteration or information they present. Validating a routing subversion, all without the user even being aware request or a routing advertisement can quickly of the attack. Through deliberate subversion of become an exercise in data mining across routing, services can be hijacked or blocked and a rather diverse set of potentially conflicting entire networks can be black-holed. Why is the information sources. Such a validation task can Internet’s routing system, the integrity of which be complex, expensive to undertake and can appears to be so critical to the proper functioning lead to outcomes that are not totally trustworthy. of all forms of Internet services, such a point of vulnerability? In an industry of low margins and cost constraint, it is not surprising that route validation, Routing and “Trust” particularly in complex cases, is often performed in a haphazard fashion. This leads to a continual series of attack incidents via deliberate The answer lies in the nature of the Internet. A subversion of the route admission process more historical model of network service and, consequently, deliberate subversion of the provision was that of a small number of qualified routing system. network service providers and an associated set of network clients. The trust model within Can we improve this situation? Is it possible to such a framework spans across the network improve the level of accuracy of validation while service providers and explicitly excludes the at the same time making validation fast, efficient, client base. Examples of such a framework accurate and cheap? include the international postal system or the public switched telephone system. The Internet model has a broader model of a network service Resource Certification provider that includes various forms of networks that would normally be considered as clients One possible approach to this is through the use rather than peer network service providers. This of public key cryptography, coupled with a public results in a trust domain that is both very broad key certificate infrastructure. In such a framework, and very diverse. Indeed so diverse as to make IP resource holders (of IP addresses and AS the term “trust” inapplicable. Numbers) hold a private key that is associated with their resource holdings. The corresponding In such an environment, networks interconnect public key is certified by the resource issuer, by means of exchange of routing information where the public certificate lists both the matching public key and the resource holdings. This the resource sub-allocations that it performs, certificate is signed by the issuer’s private key. and so on. Validation of a resource certificate Any document signed with the resource holder’s is, within the terms of this framework, directly private key can be readily validated against the analogous to unravelling and validating a issued certificate, and if the document contains a sequence of WHOIS resource allocation records reference to an IP resource, this resource can be from the RIR to the target entity. However, in this compared to that listed in the certificate. In effect, case the path is deterministic and the information this certificate represents a form of “right-of- model being used is consistent along the use” of an IP resource, granted by the resource entire certificate path. How can such resource issuer. For example, if an entity has been certificates be used to improve the situation with assigned the IP address block 192.0.2.0/24 respect to routing security? and wishes an ISP to route that address prefix on its behalf, it would sign a route request with Improving Routing Security its private signature and attach the associated resource certificate. The recipient of the route This resource certificate framework can also request could validate the signature against the be used as the supporting infrastructure for certificate, and check that the address block in security-related refinements in inter-domain the certificate encompasses the address block routing protocols. One approach, sBGP, 192.0.2.0/24. Why is the proposes adding digital signatures to BGP update messages, allowing a BGP peer to Internet’s This certificate is then validated in the context of validate the authenticity of the address prefix routing system, a Resource Certificate Public Key Infrastructure being advertised. This also allows a BGP peer (PKI). If the certificate is valid, then there is a high the integrity of to validate that the update message itself degree of confidence that the routing request is has traversed the same network path as that which appears legitimate, that it came from the current holder of asserted in the AS PATH attribute of the update to be so critical the resource and that the resource itself is validly message.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    12 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us