A safer Internet route

03.12.2008
The Asia Pacific Network Information Centre (APNIC) is looking to promote its resource certification project, which establishes a common infrastructure that routes information between trusted Internet resources, to service providers and telcos in the region.

APNIC contends that the majority of network relationships, based on a system of mutual trust, are not secure. They can be susceptible to a variety of attacks such as injection of false information into the routing system.

These networks can also be affected by non-malicious events such as routing leaks. The global disruption of YouTube in February this year would have been averted if there was a secure route between trusted Internet resources, according to APNIC.

The system is based on digital (X.509) certificates with an extended format that incorporates Internet resources such as IPv4 and IPv6 address blocks and autonomous system (AS) numbers.

Using public key certificates issued through a public key infrastructure (PKI), resource holders sign routing instructions with a private key; the resulting signature can be verified only with the corresponding public key.

"APNIC sees resource certification as an important development to assist the Asia Pacific Internet industry to maintain the integrity of network transactions," said Geoff Huston, chief scientist of APNIC.

Safe and Secure Keys

The private key is kept private, but the public key is openly published for others to access. APNIC, acting as the certificate authority, publishes the public key in a certificate and attests that the key belongs to the resource holder identified in the certificate. APNIC signs this attestation with its own private key and makes the APNIC public key available.

In this way, resource certificates extend the public key certification model and affirm that the resource holder is the 'right-of-use' holder or controller of a specific set of IP address and AS number resources.

Included in this system of routing security is a mechanism that allows entities to verify that an AS has permission from an IP address block holder to advertise routes to one or more prefixes within that address block. The address block holder would sign a route origin attestation (ROA). Where an AS exchanges routes with one or more other autonomous systems (ASes), it would sign an adjacency attestation (AAO). This attests that there is an inter-domain adjacency, that is, that the local AS is a routing peer of the ASes adjacent to it.
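As an added illustration of the check described above (example code written for this article, not APNIC's or MyAPNIC's own software), the following shows how a relying party could decide whether an announced prefix and origin AS are covered by a ROA. It assumes the ROAs have already been fetched from the repository and their signatures and certificate chain verified, and it uses the maxLength field that real ROAs carry even though the article does not mention it; all sample prefixes and AS numbers are constructed documentation values.

```python
from ipaddress import ip_network
from typing import List, NamedTuple


class ROA(NamedTuple):
    """A route origin attestation: the holder of `prefix` authorises `asn` to
    originate it and any more-specific prefix no longer than `max_length` bits
    (maxLength is assumed here; the article does not describe it)."""
    prefix: str
    max_length: int
    asn: int


def validate_origin(announced_prefix: str, origin_asn: int, roas: List[ROA]) -> str:
    """Return 'valid', 'invalid' or 'not_found' for one BGP announcement.

    Assumes each ROA's signature and certificate chain were verified earlier
    against the resource certificate hierarchy; only the authorisation logic
    is evaluated here.
    """
    announced = ip_network(announced_prefix, strict=True)
    # ROAs whose address block contains the announced prefix (same IP version only;
    # subnet_of() raises TypeError when versions are mixed).
    covering = [
        r for r in roas
        if ip_network(r.prefix).version == announced.version
        and announced.subnet_of(ip_network(r.prefix))
    ]
    if not covering:
        return "not_found"  # no holder has attested anything for this block
    for r in covering:
        if r.asn == origin_asn and announced.prefixlen <= r.max_length:
            return "valid"
    # A ROA covers the block, but not for this origin AS or this prefix length.
    return "invalid"


# Constructed sample ROAs (documentation address space and private AS numbers).
SAMPLE_ROAS = [
    ROA("203.0.113.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
]

if __name__ == "__main__":
    for prefix, asn in [("203.0.113.0/24", 64496), ("203.0.113.0/25", 64496),
                        ("203.0.113.0/24", 64500), ("198.51.100.0/24", 64496)]:
        print(prefix, asn, validate_origin(prefix, asn, SAMPLE_ROAS))
```

An 'invalid' result is what a hijacked or leaked route looks like from the relying party's side; 'not_found' simply means the holder has not yet published a ROA for that block.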

APNIC members, the majority of ISPs, telecommunication operators and large network managers across the Asia Pacific, can access resource certification via the secure online portal, MyAPNIC. This is a one-stop shop that allows members to manage resource certificates, route origin attestations, and other signed objects all within the resource management GUI. Users are able to create, manage, apply, and destroy certificates over all their resources and see them published in the worldwide resource certificate repository hierarchy at APNIC.

Having built the framework for resource certification, APNIC will be working with the technical community to implement its technology. "The next step for this project will be further work with the Internet Engineering Task Force (IETF), to assist with the creation of client-side code which can be integrated into network security applications," said Huston.