
netsec-sig - [Security-WG] TechX Security WG meeting and RPKI BoF notes

Subject: Internet2 Network Security SIG

  • From: Karl Newell
  • Subject: [Security-WG] TechX Security WG meeting and RPKI BoF notes
  • Date: Thu, 29 Sep 2016 22:02:10 +0000

I did not write down the names of attendees.

-Vice chair – we need to nominate and elect a vice chair.  We’ll do that on the next call
-Should we develop a best practice on how we allow access to the control plane (e.g., out-of-band management network)?
-We decided that the Security WG would focus on RPKI
                -Develop a reference implementation
                -Launch a pilot.  I will send out an email early next week with more detail
-Internet2 could validate routes and advertise status via BGP communities
-The strategy needs to be developed with various entities in mind – campus vs regional vs Internet2

There was a follow-up RPKI BoF where we outlined the pilot and success factors (meeting notes below).

 

Documentation

Pilot
                Education
                Operational effort
                Use of signed objects outside BGP validation
                Signal validation via community
                Focus on v6 space (no legacy)
                Workshop
                Architecture levels - backbone, regional, campus
                Interop tests - validators and routers

Success factors - what are they?
                Percentage routes signed
                Percentage with valid ROA
                Availability/accessibility of caches and validators
                Cookbook for arch levels
                Are we making things more stable?
                What’s the effective validation model (campus, regional, backbone)?
                Interop tests

How many caches do you need?  Redundancy?

Signing I2 objects

Proxy signing?

 

--

Karl Newell

Cyberinfrastructure Security Engineer

Internet2

520-344-0459


