Have you had Internet 'problems' when your IP address space has been 'hijacked' by a spammer or accidentally by some other site? Or maybe the IP address space of a friend, a customer, or a web site suffered this kind of problem? These events are not uncommon, sad to say.
I have spent much time and energy over the last years in the
area of making the Internet routing system more reliable. One
of the sub-areas of this is secure routing, knowing that the
routing information a router receives from its neighbors is
correct. One aspect of this is the ability to *formally* verify
who has title to which network resources, namely IP address
space and AS (Autonomous System) number allocations, and which
AS is *formally* allowed to announce a particular piece of the
IP address space.
You might wonder why I care so much about the security of
the Internet routing system. Aside from surface issues such
as spammers abusing the routing system to source spam from address
space which they do not own, my real concern is attacks on electronic
commerce and other transaction systems of serious value. For
a high-level view of how the routing system can be abused to
these ends, see my presentation at UKNOF from earlier this year
http://rip.psg.com/~randy/060519.uknof-routesec.pdf,
which is essentially what I have been singing around operational
fora for the last year.
At the end of that presentation, you will note that the solution space involves cryptographically signed routing announcements based on formal certification of rights to IP address space, AS number
title, and the attestation that a particular AS may announce specific IP address space.
For the last eight months, I have been working with a team
of R&D engineers, led by Geoff Huston, from the RIRs (Regional
Internet Registries): ARIN (American Registry for Internet Numbers,
http://arin.net/),
the APNIC (Asia Pacific Network Information Centre, http://www.apnic.net/),
and the RIPE/NCC (RIPE Network Coordination Centre, http://ripe.net/)
to develop the technology infrastructure to support this. The
work is based on an X.509-based certificate infrastructure with
RFC 3779 extensions which allow the certificates to specify
IP address and AS number resources.
Rob Austein of ISC, under an ARIN contract, has written the
extensions to OpenSSL to support the RFC 3779 extensions, and
the work has been given to the OpenSSL team under an open source
OpenSSL license. I.e. the work is freely available, and is expected
to be merged into the OpenSSL code base and hence become available
on most server operating systems by default.
We are now finishing specification and development of an open source code base that will enable the RIRs and ISPs to generate and maintain a distributed PKI (Public Key Infrastructure) that RIRs,
ISPs, and end users can use to formally certify title to IP address space and AS numbers, and to formally certify which AS(s) may announce each prefix.
The result will be that, by the middle of next year, the RIRs
will have web-based portals where ISPs and end sites which have
title to IP resources can acquire formally cryptographically
verifiable rights to those resources, formally sub-divide and/or
further allocate titles to the resources they control, etc.
Large ISPs and other entities which want to run the open source
software and integrate it into their own back-end systems for
address management will be able to get the software freely and
participate using their own front-ends.
Everyone will be able to ask "Who has title to address space X?" and get a formal cryptographically verifiable answer. This certificate infrastructure can also be used to sign whois and other network infrastructure data. Geoff Huston
of APNIC and I presented this at the recent NANOG (North American Network Operators' Group, http://nanog.org/)
meeting; my presentation is at http://www.nanog.org/mtg-0610/presenter-pdfs/bush.pdf.
For example, an end site which has its own address space will
be able to prove to a new upstream provider that indeed they
have title to that space and the provider should feel comfortable
announcing it. When a router is being configured using tools
for automatically building prefix filter lists, the prefixes
can be formally verified.
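The check behind "who has title to address space X?" and behind a verified prefix filter entry can be sketched as follows. This is an added example, not code from the project described here: the `ResourceCert` model, the function names, and the sample holders are assumptions, the prefixes and AS numbers are documentation values, and cryptographic signature verification is left out so that only the RFC 3779 resource-containment logic is shown.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

net = ipaddress.ip_network

@dataclass
class ResourceCert:
    """Simplified model of a certificate carrying RFC 3779 resources."""
    holder: str
    prefixes: list                      # networks the holder has title to
    asns: set                           # AS numbers the holder has title to
    issuer: Optional["ResourceCert"] = None   # None only for the trust anchor

def covers(cert, prefix):
    return any(p.version == prefix.version and prefix.subnet_of(p)
               for p in cert.prefixes)

def chain_valid(cert, anchor):
    """Each cert's resources must be encompassed by its issuer's, up to the anchor."""
    while cert.issuer is not None:
        parent = cert.issuer
        if not (all(covers(parent, p) for p in cert.prefixes)
                and cert.asns <= parent.asns):
            return False
        cert = parent
    return cert is anchor

def title_holder(prefix, certs, anchor):
    """'Who has title to address space X?': most specific validly certified holder."""
    hits = [(p.prefixlen, c.holder) for c in certs if chain_valid(c, anchor)
            for p in c.prefixes
            if p.version == prefix.version and prefix.subnet_of(p)]
    return max(hits)[1] if hits else None

def filter_entry_ok(prefix, origin_asn, attestations, anchor):
    """Accept a prefix-filter entry only if a valid holder attests that origin AS."""
    return any(a_prefix == prefix and a_asn == origin_asn
               and covers(signer, a_prefix) and chain_valid(signer, anchor)
               for signer, a_prefix, a_asn in attestations)

# Constructed sample data: documentation prefixes and AS numbers only.
RIR = ResourceCert("RIR", [net("192.0.2.0/24"), net("198.51.100.0/24")], {64496, 64497})
ISP = ResourceCert("ISP", [net("192.0.2.0/24")], {64496}, issuer=RIR)
SITE = ResourceCert("end site", [net("192.0.2.128/25")], set(), issuer=ISP)
BOGUS = ResourceCert("bogus", [net("203.0.113.0/24")], {64511}, issuer=ISP)
ATTESTATIONS = [(SITE, net("192.0.2.128/25"), 64496),
                (BOGUS, net("203.0.113.0/24"), 64511)]

if __name__ == "__main__":
    print(title_holder(net("192.0.2.192/26"), [RIR, ISP, SITE, BOGUS], RIR))
    print(filter_entry_ok(net("192.0.2.128/25"), 64496, ATTESTATIONS, RIR))
    print(filter_entry_ok(net("203.0.113.0/24"), 64511, ATTESTATIONS, RIR))
```

The `BOGUS` certificate claims a prefix its issuer never held, so both its title and its origin attestation are rejected even though the certificate itself is well formed.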
In the longer run, routers will use modifications to the routing protocols that draw on the certificate infrastructure (Google "s-bgp"), so that the routing protocols themselves will be formally protected by these cryptographic techniques.
This shift to a formally verifiable title to a holder's resources will be a significant change for the Internet culture. While it is a very positive change, there are a number of issues such as rights of use and even title to address space that will be new for many. So, while we are confident that the technology base may be constructed by the middle of next year, the process of adoption may take more time while various operational and policy fora debate the implications. We hope that will not be a discussion that delays deployment for long. The users of the Internet today have far more faith in the integrity of the underlying routing system than is prudent. It would be wise to make incremental improvements that try to match the users' level of faith, and this is certainly one
significant improvement.