ARIN XIMemphis, TN April 2003 ARIN DBWG Tim Christensen Authentication Update

April 2003ARIN XI Memphis, TNMemphis, TN

ARIN DBWGARIN DBWGTim ChristensenTim Christensen

Authentication Authentication UpdateUpdate

April 2003ARIN XI Memphis, TNARIN XI Memphis, TN

OverviewOverview

Mandate for change

Applying authentication to processes

Choosing the first method

Make it happen

Next steps

Why Change, Why Now?Why Change, Why Now?

Community has made it clear that mail-from authentication is inadequate and want better options

Stewardship principles dictate that ARIN move away from loose security

Release of new database clears path for forward progress

Applying Better Applying Better AuthenticationAuthentication

Identify use cases for authentication mechanisms: What processes benefit from stronger authentication?

►Inbound templates and requests

►Outbound mail

►Outbound files

►Web publishing

►Web transactions

ApproachApproach

Community has asked for spectrum of authentication choices►Password (md5-pw, des, etc.)

►PGP

►X.509

Implement one at a time, evaluate, and repeat

Consider mail-from deprecation after evaluating adoption progress

Authentication Authentication Deployment PreceptsDeployment Precepts

Phased, opt-in adoption

Permit multiple authentication methods

Prohibit a POC’s use of mail-from when an “improved” authentication method is selected by a POC

Choosing the First Choosing the First Authentication MethodAuthentication Method

Investigate other RIRs’ implementations►APNIC – using userid/password, PGP, and

X.509; running Certificate Authority (CA)

►LACNIC – using userid/passphrase

►RIPE NCC – using password and PGP

Choosing the First Choosing the First Authentication MethodAuthentication Method

Community input – public policy mtgs.►Certificates “good”

►When implementing PGP don’t use public key servers

Engineering evaluation►Applicability to processes

►Strength of security

►Coordination with other ongoing eng efforts

►Other RIR implementations

The choice: X.509 FirstThe choice: X.509 FirstPermits application of secure authentication to widest array of processes:►Can protect (authenticate and encrypt) email

templates

►Can authenticate web transactions

►Can authenticate data produced by ARIN

Provides best combination of:►Control

►Security

►Utility

How X.509 Adopters Get How X.509 Adopters Get Tighter AuthenticationTighter Authentication

POC generatesCertificate Signing

Request (CSR)

POC sends CSRin a new template

to ARIN

ARIN verifiesCSR contents

ARIN generatescertificate, updates

database, and returns it to POC

POC usescertificate to

sign templates

POC maintainsauthentication

certificate(“rollover”)

ARINauthenticates

templatessubmitted by that

Getting ThereGetting ThereIdentify process touch points►Registration template processing (email)

►Non-template email communication

►Online processing (future)

Establish test bed

Propose process changes►CSR processing

►Running the ARIN Certificate Authority (CA)

►Signed template acceptance & rejection

►Response to authentication failure

TimelineTimeline

TimelineTimelineEstablish requirements and prerequisites

TimelineTimelineAccomplish prerequisites

Establish requirements and prerequisites

Explore options

Understand existing RIR implementations

Explore options

Identify use cases & touch points

Explore options

Establish test bed

Choose first deployment method

Explore options

Establish test bed

Explore options

Establish test bed

Develop process changesPOC-Auth TemplateProcedural changesSystematic changes

Explore options

Establish test bed

Develop process changes

Form beta community and testInterested? beta@arin.netPerform beta training & testingRefine/respond to beta issuesTraining (internal/external)

Explore options

Establish test bed

Form beta community and test

Deploy

Explore options

Establish test bed

Implement other methods

Deploy

Explore options

Establish test bed

Implement other methods

Deploy

Deprecate Mail-From?

Thank You!

ARIN XIMemphis, TN April 2003 ARIN DBWG Tim Christensen Authentication Update

Documents

Arin prese final

ARIN Update Aaron Hughes ARIN Board of Trustees

ARIN 34 ARIN Reports: Engineering

ARIN Elections

ARIN EXPRESS

ARIN ANNOUNCESuse. (ARIN, 2016). The ARIN BOD approved the position statement in January 2016. The Capnography Position Statement is posted on the ARIN website and scheduled for publication

ARIN Engineering

4 HEZKUNTZA LEHEN Euskara Arin-arin · 2020. 2. 27. · Lehen Hezkuntzako 4. mailarako Arin-arin liburua Zubia Editoriala, S.L.ren eta Santillana Educación, S. L.ren Hezkuntza Argitalpenetarako

Arin, Arin, Mari Arin

ARIN Update - NANOG Archive · ARIN Update NANOG 57 6 February 2013 John Curran President and CEO, ARIN

ARIN 35 Tutorial: How to certify your ARIN resources with RPKI

ARIN LBM4 TUMBANG

Industrias Arin

ARIN CPS for Resource Certification · ARIN CPS for Resource Certification Version 1.0 1 American Registry for Internet Numbers, Ltd. ... 15! 2.3. Identification and authentication

ARIN Registry Update

5 HEZKUNTZA LEHEN Euskara Arin-arin · Lehen Hezkuntzako 5. mailarako Arin-arin liburua Zubia Editoriala, S.L.ren eta Santillana Educación, S. L.ren Hezkuntza Argitalpenetarako Sailean

HEZKUNTZA Euskara LEHEN Arin-arin · 2019. 3. 15. · Lehen Hezkuntzako 3. mailarako Arin-arin irakaslearen liburua oharrekin Zubia Editoriala, S.L.ren eta Santillana Educación,

ARIN Update - Team ARINteamarin.net/.../2012/09/ARIN-Update-NANOG-571.pdf · ARIN Update NANOG 57 6 February 2013 John Curran President and CEO, ARIN

Future ARIN Meetings

ARIN Update