Access Keys:
Skip to content (Access Key - 0)
ICONS Beta

What do you think of the wiki?
Please contact us with feedback or bug reports.



Resource Certification – Question and Answer

Geoff Huston, Chief Scientist APNIC

What is Resource Certification?

Certification is a widespread security mechanism used to provide end-users with assurance relating to the authenticity and integrity of digital information. It is generally used in conjunction with the World Wide Web to provide secure websites that protect the end-user against security breaches associated with routing security (such as  eavesdropping and theft).
Resource Certification is a new solution for another class of potential problems that lay further down in the network infrastructure. These problems relate to the potential abuse and theft of Internet addresses – the identifiers used to direct traffic within the Internet.
Theft of addresses can lead to brute force attacks such as service disruption, or can support more subtle multi-spectrum attacks to undermine all forms of user protection at the application level, such as anti-virus or anti-phishing measures.
In simple terms, Resource Certification is a means of applying digital cryptography to IP addresses. It allows the legitimate holder of an IP address to apply a digital signature to address information, which cannot be forged and allows the information to be locked in such a way that it cannot be tampered with or altered in any way.
When this technology is coupled with current inter-domain routing systems, it is then possible to allow network operators to secure their own network reachability advertisements in a way that cannot be tampered with. It also offers network operators various ways to detect efforts to tamper with the legitimate reachability advertisements generated by other networks.

Why is Resource Certification so important?

The Internet has become a key business platform and now has so many transactions occurring online that these security risks have real cost implications for businesses.
With the increasing level of economic dependence on the Internet for all forms of commerce and critical communications systems, it is vital that network operators can secure their own addresses against theft and abuse and detect efforts related to the theft and abuse of other networks.

If it is so important, why has this only become an issue now?

APNIC sees Resources Certification as an important development to assist the Asia Pacific Internet industry to maintain the integrity of network transactions.
This issue is not a recent problem. Efforts to improve the security and robustness of the Internet's infrastructure have been underway for more than a decade. The common theme with these efforts is to address the problem of how to inject trusted authority into the system.
The Resource Certification system uses the IP address distribution framework operated by the five Regional Internet Registries (RIRs) as the anchor point for the generation of a parallel certificate framework. In this framework, every address allocation is described in a corresponding digital certificate.
In this way, the Regional Internet Registries can provide the essential element of a trusted, authoritative, and independent information source that can be used to validate digitally signed attestations related to IP addresses and their use.
This is not a trivial exercise, and the construction of this security framework has entailed the investment of significant resources by many organisations and individuals, including Regional Internet Registries like APNIC.
The broader effort includes the standardization of secure inter-domain routing protocols and mechanisms, being undertaken in the IETF (Internet Engineering Task Force) by the Secure Inter-Domain Routing Working Group, the development of open source software systems by the ISC (Internet Software Consortium) and BBN, support from the US Department of Homeland Security, and the efforts of many other interested parties.

What attacks could a network experience because of a breakdown in 'trust'?

Perhaps the most prominent recent example of a breakdown in the integrity of the address space occurred early in 2008 when an incorrect use of YouTube's IP address block by Pakistan Telecom caused a worldwide outage of [YouTube] for over an hour.
While the cause, in this case, was attributed to a human error in the configuration of a firewall system, the incident is a graphic illustration that much of the operational integrity of the Internet still relies on mutual trust. If that trust is abused, even inadvertently, the consequences can be catastrophic.
The unauthorized use of addresses can subvert all other network functions, including traffic inspection as well as masquerading, Denial of Service and selective corruption of services. It can cause corruption of security services, subvert the operation of other secure services, disrupt Virtual Private Networks and support a wide set of consequent attacks on the integrity of the network itself.

What other opportunities do you think Resource Certification brings for the industry?

Resource Certification brings a level of certainty to address management. With a certification hierarchy, you can create business rules to act in a number of situations. For instance, if you use a network management system to manage IP address resources, you can rely on resource certificates to help answer questions such as whether or not to route an address block, or whether others will trust a request to route your own addresses.
Certification can help you control what addresses are routed via your infrastructure, or an ISP could prevent the use of their addresses once they no longer have a financial relationship with their customer
Another major use of certification is in the area of resource transfers. If the Internet community ever decides to permit the transfer or resources, then Resource Certification will bring a level of certainty over who controls particular Internet resources.

How do Internet resource holders obtain Resource Certificates?

All APNIC registered resource holders are able to get access to the [MyAPNIC] online portal to manage their resources and other aspects of their relationship with APNIC. Registered [MyAPNIC] users can apply for and get certificates for their resources via the secure online portal. Users can manage resource certificates, route origin attestations, and other signed objects all within the resource management GUI. Users are able to create, manage, apply, and destroy certificates over all their resources and see them published in the worldwide resource certificate repository hierarchy at APNIC.
What technology did APNIC use to develop Resource Certification?
The APNIC Resource Certification framework is constructed using Industry Standards and Open Source Software. At its heart, the system relies on X.509 Pubic Key Certificates and the [OpenSSL] open source library.
The project integrates specifications developed at the global level in conjunction with the other RIRs and with contributions from global organizations such as the IETF and the ISC.
What is the next stage in implementing this technology?
Now that we have built the framework for Resource Certification, we are continuing our work with the technical community to assist in the implementation of this technology.
The next step for this project will be further work with the IETF to assist in the creation of client-side code that developers can integrate into network security applications.
In the future, we expect to be working on a wider collection of tools and services to allow resource certificates to be integrated into a range of network operator toolsets. We will also continue our efforts to integrate this PKI into the ongoing work to bring better security to the area of inter-Domain routing.


Security News

Blog Posts

  • Blog post: Cisco DNS Patch created by
    Editor
    Jul 18, 2008
    Security



    • Security Bookmarks

    Internet experts are siding overwhelmingly with ICANN, arguing that the crucial responsibility of making sure users can trust the technical equivalent of the internet's phone book belongs in the hands of the net's main oversight body.

    Posted 1308 days ago | View Bookmark Page
    0 Comments

    A proposal [PDF, 276K] to sign the root zone file with Domain Name System Security Extensions, or DNSSEC, technology was released by ICANN today.

    Posted 1310 days ago | View Bookmark Page
    0 Comments

    Starting Thursday morning, the U.S. government is seeking comment on who should create and vouch for the internet's most crucial document – the root zone file – that serves as the cornerstone of the system that lets users get to websites and emails find their way to inboxes.

    Posted 1314 days ago | View Bookmark Page
    0 Comments

    THE quick and ferocious nature of cyber attacks on government must be recognised in the next generation of security, a previously unreleased report from the Attorney-General's Department urges.

    Posted 1324 days ago | View Bookmark Page
    0 Comments

    Philippine websites remain at risk of being redirected even if their Internet service providers (ISPs) have patched their DNS servers.

    Posted 1345 days ago | View Bookmark Page
    0 Comments
    View More 
      Add Bookmark
    Click to add...     		 



    Adaptavist Theme Builder (4.2.3) Powered by Atlassian Confluence 3.5.13, the Enterprise Wiki