Discussion of cybersecurity opportunities and challenges and how APNIC can assist with RPKI, DNSSEC, and BCP 38 implementation to help secure the Internet's infrastructure.
2. Agenda
• Overview of APNIC
• Opportunities and challenges
– Source address validation (Best Current Practice (BCP) 38)
– Securing the Internet with Resource Certification
– Effective incident response and handling (APNIC Whois Database)
– Awareness and education
• The way forward
3. Overview
APNIC’s Vision: “A global, open, stable, and secure Internet that serves the entire Asia Pacific community”
• Serving APNIC Members
• Supporting Internet development in the Asia Pacific region
• Collaborating with the Internet community
5. APNIC’s Mission
• Function as the RIR for the Asia Pacific, in the service of the community of Members and others
• Provide Internet registry services to the highest possible standards of trust, neutrality, and accuracy
• Provide information, training, and supporting services to assist the community in building and managing the Internet
• Support critical Internet infrastructure to assist in creating and maintaining a robust Internet environment
• Provide leadership and advocacy in support of its vision and the community
• Facilitate regional Internet development as needed throughout the APNIC community
6. Strategic Engagement
• Technical community
– NOGs, NIR OPMs, I*, CERTs, ISOC Chapters, PACINET, PICISOC, PTC
• Governmental
– APEC-TEL 47 and 48, ITU WTPF, APT, WSIS+10, ITU Connect Asia Pacific Summit, ITU Telecom World 2013, APEC TEL 49, NETmundial
• IGF
– National IGFs (Nethui, auIGF), APrIGF
– Bali IGF - significant support given for fundraising and logistics
8. Opportunities and Challenges
• Government institutions, CERTs, Law Enforcement Agencies (LEAs) and stakeholders have been collaborating all along
• What else needs to be done?
• What are the opportunities and challenges?
10. Source Address Validation (BCP 38)
• Problem
– Network providers allow traffic from IP addresses that they do not hold
– As a result it is trivial to spoof IP addresses
– This enables attacks such as DDoS reflection/amplification
• Recipe for Amplification attacks
– Network that allows source IP spoofing
– Network services that respond to non-customer requests
• This is not new
– BCP 38 has been around since 2000 (RFC 2827)
– Also known as Network Ingress Filtering
• Is your provider allowing source address spoofing?
– Source Address Validation Everywhere! (SAVE)
11. BCP 38 Ingress Packet Filtering
[Diagram: customer networks 96.0.20.0/24, 96.0.21.0/24 and 96.0.22.0/24 connect to the ISP, which connects to the Internet. A label, “BCP 38 Applied Here”, marks where the filter is applied.]
ISP’s Customer Allocation Block: 96.0.0.0/19
BCP 38 Filter = Allow only source addresses from the customer’s 96.0.X.X/24
Credit: http://confluence.senki.org/pages/viewpage.action?pageId=1474569
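The filter decision on the slide above, written out as an added example (not part of the original slides). The interface names and the sample packets are constructed for illustration; the prefixes are the ones shown in the diagram.

```python
import ipaddress

# Each customer-facing interface is tied to the /24 delegated to that
# customer out of the ISP block. Interface names are hypothetical.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("96.0.20.0/24")],
    "cust-b": [ipaddress.ip_network("96.0.21.0/24")],
    "cust-c": [ipaddress.ip_network("96.0.22.0/24")],
}
ISP_BLOCK = ipaddress.ip_network("96.0.0.0/19")


def check_config(table, block):
    """Return interfaces whose filter reaches outside the ISP's own block."""
    return sorted(
        ifname for ifname, nets in table.items()
        if any(not net.subnet_of(block) for net in nets)
    )


def ingress_permit(ifname, src, table=CUSTOMER_PREFIXES):
    """BCP 38 decision: permit only if src lies inside a prefix assigned
    to the interface the packet arrived on. Unknown interfaces are denied."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in table.get(ifname, []))


def audit(packets, table=CUSTOMER_PREFIXES):
    """Split observed (interface, source) pairs into permitted and dropped."""
    permitted, dropped = [], []
    for ifname, src in packets:
        target = permitted if ingress_permit(ifname, src, table) else dropped
        target.append((ifname, src))
    return permitted, dropped


# Constructed sample traffic, not a real capture.
SAMPLE = [
    ("cust-a", "96.0.20.17"),   # customer's own address
    ("cust-a", "96.0.21.5"),    # another customer's address: dropped
    ("cust-b", "203.0.113.9"),  # address outside the ISP block: dropped
    ("cust-c", "96.0.22.254"),  # customer's own address
]

if __name__ == "__main__":
    ok, bad = audit(SAMPLE)
    print("permitted:", ok)
    print("dropped:  ", bad)
```

Filtering per customer /24 rather than on the whole 96.0.0.0/19 is what stops one customer from using a neighbouring customer's addresses as a source.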
12. Resource Certification with RPKI
• Resource Public Key Infrastructure
– Security framework to verify the association between specific IP address blocks or Autonomous System (AS) numbers and the holders of the resources
– Uses digital certificates and public key cryptography
• Essential because:
– Improves security of inter-domain routing. Currently, it’s based on mutual trust
– Can prove authoritatively who uses an IP address block and what AS has announced it
• Prevents mis-origination or “Route Hijacking”
– When an entity participating in Internet routing announces a prefix without authorization (either by mistake or with malicious intent)
13.
[Diagram: ISP A, ISP B and ISP E. Two parties each announce: “My AS number is 1001. My prefix is 198.58.1.0/24”.]
14. Resource Certification Benefits
• Routing information corresponds to properly delegated address resources
• Resource certification gives resource holders proof that they hold certain resources
• Resource holders can attest to those resources when distributing them
• Resource certification is a highly robust means of preventing the injection of false information into the Internet’s routing system
15. Resource Certification with RPKI
• Role of APNIC
– Acts as Certificate Authority, attests that the certificate belongs to the identified party
– Issues RPKI certificates to APNIC Members
16. Whois Database – Improving Incident Response and Handling
• Security incidents happen and timely response is critical
• The Incident Response Team (IRT) object requires resource holders to provide contact information
• There are opportunities to:
– Enhance incident response and handling capabilities
– Provide additional information for escalation (i.e. National CSIRT/CERT or relevant agency)
– Report invalid contact information
17.
inetnum: 202.55.176.0 - 202.55.191.255
netname: SKYCC
descr: SKYCC, VoIP and ISP, Ulaanbaatar, Mongolia
country: MN
admin-c: SD635-AP
tech-c: TB231-AP
status: ALLOCATED PORTABLE
remarks: *************************************************************
remarks: This object can only modify by APNIC hostmaster
remarks: If you wish to modify this object details please
remarks: send email to hostmaster@apnic.net with your organisation
remarks: account in the subject line.
remarks: *************************************************************
changed: hm-changed@apnic.net 20030708
mnt-by: APNIC-HM
mnt-lower: MAINT-MN-SKYCC
mnt-routes: MAINT-MN-SKYCC
mnt-irt: IRT-SKYCC-MN
changed: hm-changed@apnic.net 20081114
changed: hm-changed@apnic.net 20130611
source: APNIC

irt: IRT-SKYCC-MN
address: Sukhbaatar District-1,
address: Chinggis Khan Avenue-9,
address: Skytel Plaza building,
address: Ulaanbaatar-13,
e-mail: soyoloo@skycc.mn
abuse-mailbox: soyoloo@skycc.mn
admin-c: SD635-AP
tech-c: TB231-AP
auth: # Filtered
mnt-by: MAINT-MN-SKYCC
changed: soyoloo@skycc.mn 20101210
source: APNIC
[Callout on the irt object: IRT contact]
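Following the mnt-irt reference from an inetnum object to its irt object is how a responder finds the abuse contact for an address range. The sketch below is an added example, not part of the original slides; it parses a constructed whois response in the same layout as the record above and flags ranges with no usable IRT contact. All names and addresses in the sample are placeholders.

```python
# Constructed whois response; objects are separated by blank lines.
SAMPLE = """\
inetnum:        192.0.2.0 - 192.0.2.255
mnt-irt:        IRT-EXAMPLE-AP
source:         APNIC

irt:            IRT-EXAMPLE-AP
e-mail:         noc@example.net
abuse-mailbox:  abuse@example.net
source:         APNIC

inetnum:        198.51.100.0 - 198.51.100.255
mnt-by:         MAINT-EXAMPLE
source:         APNIC
"""


def parse_objects(text):
    """Split whois output into objects, each a list of (attribute, value)."""
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():                      # blank line ends an object
            if current:
                objects.append(current)
                current = []
        elif line[0] in " \t+" and current:       # continuation of last value
            key, value = current[-1]
            current[-1] = (key, (value + " " + line[1:].strip()).strip())
        elif line[0] not in "%#" and ":" in line:  # skip server comments
            key, value = line.split(":", 1)
            current.append((key.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects


def abuse_contacts(text):
    """Map each inetnum range to the abuse-mailbox of its IRT object,
    or None when the range has no resolvable IRT contact."""
    objs = parse_objects(text)
    irts = {o[0][1]: dict(o).get("abuse-mailbox")
            for o in objs if o[0][0] == "irt"}
    return {o[0][1]: irts.get(dict(o).get("mnt-irt"))
            for o in objs if o[0][0] == "inetnum"}


if __name__ == "__main__":
    for rng, mailbox in abuse_contacts(SAMPLE).items():
        print(rng, "->", mailbox or "NO IRT CONTACT")
```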
18. Awareness and Education
• Reaching out to operators (resource holders) and relevant stakeholders is important to build awareness of, and the ability to apply, best current practices
• Challenges:
– Cost and availability of subject matter experts
• APNIC provides training at events across the region as well as online
– training.apnic.net
• Topics include
– BGP, IPv6, DNSSEC, Network Security and much more
19. Recent and Upcoming Events
• Bangladesh Network Operators Group 1 Workshop and Conference
– 19 – 24 May 2014 in Dhaka, Bangladesh
– 3-day Workshops, 1-day tutorial and 2-day conference
– 90 participants for 3 workshops
• Network Security
• Routing/BGP
• Virtualization
• Internet Investigation Training Day
– 9 July 2014, New Zealand
– 1-day tutorial on how the Internet works
– Focused on LEA engagement
– Collaboration with ICANN, APTLD, .nz DNC, New Zealand police
20. The Way Forward
• Infrastructure security issues are part of the bigger picture and must be addressed
• The full impact of security controls may only be realized if everyone implements them
– Relevant stakeholders and operators must make things happen
• Awareness and education activities are at the core of all of the above
• Let’s work together!