Post on 17-Jan-2016
APNIC Security Update
APSIRCC 2002Tokyo, 25 March 2002
Contents
• What is APNIC?
• RIR security issues
• APNIC developments
• Routing system security
• Questions
What is APNIC?
• Regional Internet Registry (RIR)for the Asia Pacific Region– Regional authority for Internet Resource
distribution– IP addresses (IPv4 and IPv6), AS numbers, in-
addr.arpa delegation
• Industry self-regulatory body– In the “Internet Tradition”…– Non-profit, neutral and independent– Consensus-based, open and transparent– Open membership-based structure
What does APNIC do?
1. Internet resource management– IP address allocation and assignment– AS number assignments
2. Resource registration– Authoritative registration server: whois– Internet Routing Registry: apirr
3. DNS management– Delegate reverse DNS zones/domains– Authoritative DNS servers
• in-addr.arpa, ip6.arpa (ip6.int)
Where is APNIC?
Where is APNIC?
A S O(an d A d d ress C ou n c il)
IA N AM arin a d e l R ey, C A , U S
L IR
L IR
L IR
L IR L IR
N IR
A P N ICB risb an e , A u s tra lia
IS P IS P
IS P IS P
IS P
A R INR es ton , V A , U S
L IR L IR L IR L IR L IR
R IP E -N C CA m sterd am , Th e N eth erlan d s
IC A N N
What else does APNIC do?
• Training and Seminars– 2 training courses per month in 2002– Seminars with other AP* organisations
• Publication– Newsletter, web site, mailing lists etc– Regional and global statistics
• Policy development and coordination– Major Open Policy Meetings: 2/year
• SIGs, WGs, BOFs, training sessions
– ASO and ICANN processes
APNIC Status Summary
• Location: Brisbane, Australia– Tokyo, Japan from 1993 to 1998
• Staff: 33 full time• Membership: over 700
– ISPs, multinationals, national NICs– Total ISPs served: over 1200
• Allocations: 1.7 /8 in 2001 (28 million addresses)– More than allocated in EU (first time)
• Budget: USD 3.75m in 2002– Maintain 1 year capital reserve
• Contact details:http://www.apnic.netinfo@apnic.net, abuse@apnic.net, etc
Total APNIC Membership
0
100
200
300
400
500
600
700
800
Jun-96 Dec-96 Jun-97 Dec-97 Jun-98 Dec-98 Jun-99 Dec-99 Jun-00 Dec-00 Jun-01 Dec-01
Very Large
Large
Medium
Small
Very Small
Associate
IPv4 Addresses Allocated in Total
0
10
20
30
40
50
60
70
80
90
100
Jan-96 Jul-96 Jan-97 Jul-97 Jan-98 Jul-98 Jan-99 Jul-99 Jan-00 Jul-00 Jan-01 Jul-01 Jan-02
Mill
ion
s
219
218
211
210
203
202
061
Whois Queries per Month
0
5
10
15
20
25
Jan-96 Jul-96 Jan-97 Jul-97 Jan-98 Jul-98 Jan-99 Jul-99 Jan-00 Jul-00 Jan-01 Jul-01 Jan-02
Mill
ion
s
APNIC Security Update
Issues and Developments
RIR security issues
• Online server security– Whois, APIRR, in-addr.arpa, ip6.arpa (ip6.int)– Standard security measures: 24x7– Redundant distribution model under dev.
• “Internal” information security– Common membership concern– Member agreement, NDA, etc
• Registration issues– Database development, distribution etc– Handling abuse reports (security, spam etc)
• Routing system security– More later
APNIC certificate authority (CA)
• Trial service established– Public key certificates (PKI/X.509)– Started in 2000
• APNIC-specific applications– Email security to/from APNIC– “MyAPNIC” access– Database access (whois/IRR)– Future: Resource certification
• Supporting routing system security
– Future: Other general purposes • As determined by community
Registration issues
• APNIC database whois.apnic.net– Primary APNIC responsibility as RIR– Covers only APNIC address space
• 61/8, 202/7, 210/7, 218/7
• Increasing abuse report load– Often misdirected at APNIC
• Resulting from query of whois.arin.net
– Often relate to outdated information or unresponsive ISPs
– Need improved database mirror/distribution– Need improved policies/agreements
Routing system security
• Currently vulnerable– Routing system attacks yet to come– Currently ISPs rely on registry data, but
without common auth* framework– ISP priority is to serve customers,
respond quickly to route requests– Better system will be needed
Routing system security
• Proposed PKI-based scheme– Address space holders reliably identified– Resource allocations certified– Clear chain of trust
• Incomplete system– Does not eliminate need for secure
routing protocols
• Details and procedures need to be defined…
– Work in progress
Finally – you’re invited…
• 14th APNIC Open Policy Meeting– 3-6 Sep 2002, Kita-Kyushu, Japan– Hosted by JPNIC
• http://www.apnic.net/meetings
• 15th APNIC Open Policy Meeting– In conjunction within APRICOT 2003– March 2003, Taipei, Taiwan
• http://www.apricot.net
APNIC Security Update
Thank you
pwilson@apnic.net