APNIC Security Update APSIRCC 2002 Tokyo, 25 March 2002.


Contents

• What is APNIC?

• RIR security issues

• APNIC developments

• Routing system security

• Questions

What is APNIC?

• Regional Internet Registry (RIR) for the Asia Pacific Region
  – Regional authority for Internet Resource distribution
  – IP addresses (IPv4 and IPv6), AS numbers, in-addr.arpa delegation

• Industry self-regulatory body
  – In the “Internet Tradition”…
  – Non-profit, neutral and independent
  – Consensus-based, open and transparent
  – Open membership-based structure

What does APNIC do?

1. Internet resource management
  – IP address allocation and assignment
  – AS number assignments

2. Resource registration
  – Authoritative registration server: whois
  – Internet Routing Registry: apirr

3. DNS management
  – Delegate reverse DNS zones/domains
  – Authoritative DNS servers
    • in-addr.arpa, ip6.arpa (ip6.int)

Where is APNIC?

[Diagram: ICANN; ASO (and Address Council); IANA (Marina del Rey, CA, US); APNIC (Brisbane, Australia); ARIN (Reston, VA, US); RIPE-NCC (Amsterdam, The Netherlands); NIR, LIRs and ISPs]

What else does APNIC do?

• Training and Seminars
  – 2 training courses per month in 2002
  – Seminars with other AP* organisations

• Publication
  – Newsletter, web site, mailing lists etc
  – Regional and global statistics

• Policy development and coordination
  – Major Open Policy Meetings: 2/year
    • SIGs, WGs, BOFs, training sessions
  – ASO and ICANN processes

APNIC Status Summary

• Location: Brisbane, Australia
  – Tokyo, Japan from 1993 to 1998

• Staff: 33 full time

• Membership: over 700
  – ISPs, multinationals, national NICs
  – Total ISPs served: over 1200

• Allocations: 1.7 /8 in 2001 (28 million addresses)
  – More than allocated in EU (first time)

• Budget: USD 3.75m in 2002
  – Maintain 1 year capital reserve

• Contact details: http://[email protected], [email protected], etc

Total APNIC Membership

[Chart: number of members (0 to 800), Jun-96 to Dec-01, by category: Very Large, Large, Medium, Small, Very Small, Associate]

IPv4 Addresses Allocated in Total

[Chart: addresses allocated in millions (0 to 100), Jan-96 to Jan-02, by block: 219, 218, 211, 210, 203, 202, 061]

Whois Queries per Month

[Chart: queries per month in millions (0 to 25), Jan-96 to Jan-02]

APNIC Security Update

Issues and Developments

RIR security issues

• Online server security
  – Whois, APIRR, in-addr.arpa, ip6.arpa (ip6.int)
  – Standard security measures: 24x7
  – Redundant distribution model under dev.

• “Internal” information security
  – Common membership concern
  – Member agreement, NDA, etc

• Registration issues
  – Database development, distribution etc
  – Handling abuse reports (security, spam etc)

• Routing system security
  – More later

APNIC certificate authority (CA)

• Trial service established
  – Public key certificates (PKI/X.509)
  – Started in 2000

• APNIC-specific applications
  – Email security to/from APNIC
  – “MyAPNIC” access
  – Database access (whois/IRR)
  – Future: Resource certification
    • Supporting routing system security
  – Future: Other general purposes
    • As determined by community

Registration issues

• APNIC database whois.apnic.net
  – Primary APNIC responsibility as RIR
  – Covers only APNIC address space
    • 61/8, 202/7, 210/7, 218/7

• Increasing abuse report load
  – Often misdirected at APNIC
    • Resulting from query of whois.arin.net
  – Often relate to outdated information or unresponsive ISPs
  – Need improved database mirror/distribution
  – Need improved policies/agreements
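An added example, not part of the original slides: a Python triage helper that checks whether the source address of an abuse report falls inside the four blocks this slide lists as APNIC address space (a 2002 snapshot), so reports outside that space can be recognised as misdirected. The function names and the sample reports are constructed for illustration.

```python
import ipaddress

# IPv4 blocks exactly as written on the slide (2002 snapshot, shorthand form).
SLIDE_BLOCKS = ["61/8", "202/7", "210/7", "218/7"]


def expand_shorthand(block):
    """Turn slide shorthand such as '202/7' into IPv4Network('202.0.0.0/7')."""
    first_octet, prefix_len = block.split("/")
    return ipaddress.ip_network(f"{int(first_octet)}.0.0.0/{int(prefix_len)}")


APNIC_NETS = [expand_shorthand(b) for b in SLIDE_BLOCKS]


def registry_scope(address):
    """Return 'apnic', 'not-apnic', 'unknown' (not IPv4) or 'invalid'."""
    try:
        ip = ipaddress.ip_address(address.strip())
    except ValueError:
        return "invalid"
    if ip.version != 4:
        return "unknown"  # the slide lists IPv4 blocks only
    return "apnic" if any(ip in net for net in APNIC_NETS) else "not-apnic"


def triage(reports):
    """Group (report_id, source_ip) pairs by registry scope."""
    groups = {}
    for report_id, source_ip in reports:
        groups.setdefault(registry_scope(source_ip), []).append(report_id)
    return groups


# Constructed sample reports (hypothetical ids and addresses, not real incidents).
SAMPLE_REPORTS = [
    ("R1", "61.12.0.5"),
    ("R2", "203.0.113.9"),       # inside 202/7, which spans 202.x and 203.x
    ("R3", "198.51.100.7"),
    ("R4", "211.255.255.255"),   # last address of 210/7
    ("R5", "212.0.0.0"),         # first address past 210/7
    ("R6", "2001:db8::1"),
    ("R7", "not-an-ip"),
]

if __name__ == "__main__":
    for scope, ids in triage(SAMPLE_REPORTS).items():
        print(f"{scope}: {', '.join(ids)}")
```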

Routing system security

• Currently vulnerable
  – Routing system attacks yet to come
  – Currently ISPs rely on registry data, but without common auth* framework
  – ISP priority is to serve customers, respond quickly to route requests
  – Better system will be needed

Routing system security

• Proposed PKI-based scheme
  – Address space holders reliably identified
  – Resource allocations certified
  – Clear chain of trust

• Incomplete system
  – Does not eliminate need for secure routing protocols

• Details and procedures need to be defined…
  – Work in progress

Finally – you’re invited…

• 14th APNIC Open Policy Meeting
  – 3-6 Sep 2002, Kita-Kyushu, Japan
  – Hosted by JPNIC
    • http://www.apnic.net/meetings

• 15th APNIC Open Policy Meeting
  – In conjunction with APRICOT 2003
  – March 2003, Taipei, Taiwan
    • http://www.apricot.net

APNIC Security Update

Thank you

[email protected]