IAB statement on the RPKI.
IAB Chair <iab-chair@ietf.org> Fri, 12 February 2010 10:55 UTC
Return-Path: <wwwrun@core3.amsl.com>
X-Original-To: ietf-announce@ietf.org
Delivered-To: ietf-announce@core3.amsl.com
Received: by core3.amsl.com (Postfix, from userid 30) id A162228C161; Fri, 12 Feb 2010 02:55:43 -0800 (PST)
From: IAB Chair <iab-chair@ietf.org>
To: IETF Announcement list <ietf-announce@ietf.org>
Subject: IAB statement on the RPKI.
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0
Message-Id: <20100212105543.A162228C161@core3.amsl.com>
Date: Fri, 12 Feb 2010 02:55:43 -0800
Cc: iab@iab.org
X-BeenThere: ietf-announce@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: iab@iab.org
List-Id: "IETF announcement list. No discussions." <ietf-announce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf-announce>, <mailto:ietf-announce-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf-announce>
List-Post: <mailto:ietf-announce@ietf.org>
List-Help: <mailto:ietf-announce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-announce>, <mailto:ietf-announce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Feb 2010 10:55:43 -0000
IAB statement on the RPKI.
= RPKI as a prerequisite for improving the security of the global
routing system.
To date, the Internet has operated without a secure means to certify
the allocation of Internet number resources, particularly Autonomous
System (AS) numbers and IP addresses. The pending exhaustion of the
IPv4 address space, coupled with a pressing need to improve the
security of the global Internet routing system, has given impetus to
the development of a resource certification infrastructure for the
Internet. A consistent shared view around the world of which number
resources are allocated to whom is essential for the reliable
operation of the Internet as it continues to grow. The IETF Secure
Inter-domain Routing (SIDR) Working Group (WG) has been working with
the various stakeholders to specify a Resource Public Key
Infrastructure (RPKI) system that can be used to certify these
resource allocations in order to substantially improve the security
of the routing system.
The IAB considers a properly designed and deployed RPKI to be an
absolute prerequisite to having a secure global routing system,
which is in turn a prerequisite to having a reliable worldwide
Internet. In its absence, there is no formally verifiable
authoritative source to determine the allocation for any
Internet number resource. Consequently, before originating,
propagating, or accepting an IP address prefix, each routing domain
must individually assess the consistency of that prefix with
whatever information can be obtained about actual allocations. This
loose "routing by rumor" approach provides considerable flexibility
to each routing domain, but the negative consequences are severe.
The global routing system is vulnerable to large-scale disruptions
through both misconfiguration and malice. These vulnerabilities can
be substantially reduced through the use of an RPKI. Through proper
design and wide-scale deployment, an RPKI enables network operators
to generate their routing policies from securely verifiable
allocation data, providing much higher confidence in the
authenticity of routing information.
= Technical considerations with respect to the design of the PKI
For any PKI, a certification hierarchy must exist that allows
parties to ascertain the validity of a given certificate. The SIDR
architecture uses a certification hierarchy, and relying parties
must explicitly place trust in the top-level of the hierarchy,
commonly called a trust anchor. The SIDR architecture and protocols
have been designed to support a single trust anchor as well as
multiple trust anchors. The IAB however, is in strong agreement with
the Number Resource Organization (NRO) (made up of the five
Regional Internet Registries (RIRs)) regarding the number of trust
anchors as well as what and whom they represent:
1. the RPKI should have a single authoritative trust anchor
2. this trust anchor should be aligned with the registry of the root
of the allocation hierarchy
The reasoning is of a technological nature and is as follows. A
single root for the certification hierarchy significantly reduces
the risk of two or more parties accidentally (or maliciously)
issuing conflicting certifications for the same address block,
because a single authoritative entity at the top-level of the
allocation hierarchy is authoritative for both (a) the allocation of
the address block and (b) the cryptographic certification of the
fact that it did indeed allocate that address block.
Thus, the IAB strongly recommends a single root aligned with the
root of the address allocation hierarchy (now part of the IANA
function). Doing so will minimize unnecessary complexity in the
system, in particular virtually eliminating the possibility of
resource conflicts in the system, reducing substantially the
likelihood of errors as the allocation and certificate generation
can be done together by the same operator.
= Implementation considerations
The notion of having a certification hierarchy with multiple equally
trusted roots may be appealing from a social and political perspective
because of 'fairness' and 'equality' arguments. But that notion
allows different organizations to make inconsistent and conflicting
assertions about to whom a particular address block has been
allocated. In the case of conflicting assertions, the conflict would
need to be solved by each relying party, requiring each relying party
to have their own security policy and the associated increased
complexity. Such an approach does not provide any guarantee that the
outcome would lead to a globally coherent view of which resources
have been allocated to whom.
It should be noted that mistakes in and attacks on the allocation
process are possible, and that sensible caution and fallback plans
still remain necessary. Therefore, architecturally, the set of trust
anchors employed by a relying party application remains strictly a
local matter. In practice relying parties will likely employ local
policy files (e.g., for local address spaces such as RFC 1918 spaces
used internally) and trust anchors that reflect local security
decisions. Therefore the existence of a single root for the
certification hierarchy does not give that root unilateral control
over the Internet. Individual network operators choose to trust the
information given by that root, based on operational experience that
the information given by that root is trustworthy. If they find
it to be untrustworthy, they are free to ignore it and instead
enforce policy based on what they believe to be more appropriate
data. The fact that the relying parties choose to trust the root
only so long as it proves itself to be trustworthy gives the
organization operating the root a strong incentive to ensure that
the information they give is accurate and correct, thereby making it
rare for network operators to have any reason to distrust it.
Mechanisms to support local decisions about trust anchors, while
still maintaining compatibility with RFC 3779 certificate
processing, are currently being considered by the SIDR working
group. This statement is not to be interpreted as in conflict with
these goals; rather, it is concerned solely with the structure of
the RPKI certification hierarchy, as represented in the public
repository system and aligned with the Internet number resource
allocation hierarchy.
= Concluding remarks
The IAB commends the RIRs for their investment and leadership
in developing an RPKI system that can be used for digital
certification of Internet number resources, as well as enabling a
foundation upon which a secure Internet routing system can be
developed.
IAB, Jan 27, 2010
- IAB statement on the RPKI. IAB Chair