
Routing Working Group


[routing-wg] RPKI Service Criticality Questionnaire


Job Snijders

2022-06-27 17:58:20 CET

Dear all,

RIPE NCC has asked the Routing WG Chairs to facilitate a working group
conversation on framing RIPE NCC's RPKI services subcomponents in terms
of criticality. 

At the bottom of this email is a form that focusses on three components:
confidentiality, integrity and availability. Each component is split
into three questions (a, b, and c); a total of 9 questions are being put
forward to the working group. We envision this process to be a public
consultation: WG participants can submit (free-form) responses, and also
chime in by replying to each other's responses; hopefully bringing us to
a degree of consensus in the coming weeks.

I believe this is a unique opportunity to help RIPE NCC! Investing our
time - in turn - will help ourselves rely on and integrate RIPE NCC's
RPKI services in our production environments. The goal is to help
RIPE NCC develop a deeper understanding of how the moving parts fit
together, which in turn helps decide where and how to invest resources.

            >>> Your feedback is much appreciated! <<<

NOTE: if you are *NOT* a RIPE NCC member, and use the RIPE NCC Trust
Anchor (e.g. as Relying Party to make informed routing decisions, inside
and outside the RIPE region), your feedback *also* is much appreciated.

Kind regards,

Job, Ignas, Paul
Routing WG co-chairs

----------------------- FORM STARTS BELOW -----------------------

Service Criticality Questionnaire Form - RPKI
=============================================

Introduction
------------

This form is used to gather input from the community on the service
criticality of the RPKI Service from RIPE NCC. The framework is
detailed in: https://labs.ripe.net/author/razvano/service-criticality-framework/

The service criticality has three components:

* Confidentiality: What is the highest possible impact of a data
                   confidentiality-related incident (e.g. data leak)?

* Integrity:       What is the highest possible impact of a data
                   integrity-related incident (e.g. hacking)?

* Availability:    What is the highest possible impact of a service
                   availability-related incident (e.g. outage)? (All RIPE NCC
                   services are designed with at least 99% availability, so
                   please consider outages of up to 22 hours.)

Service purpose
---------------

The RIPE NCC RPKI Service is the RPKI Trust Anchor (TA) for the RIPE NCC
service region, comprised of:
    * RPKI Dashboard (in the LIR portal)
    * Repositories (rsync/RRDP)
    * Certification Authorities (CAs)
    * RPKI Management API
    * Hardware Security Modules (HSMs)
    * Datasets

Service Criticality
-------------------

Please review the following three areas.

## (1) Global Routing

Incident Severity
    * Low        (No / negligible impact)
    * Medium     (One or a few ASes are unavailable)
    * High       (Many ASes in a region are unavailable)
    * Very High  (Global Internet routing disruptions)

Please rate the incident severity (Low to Very High) in the following
three areas. Please explain why.

(a) Confidentiality (Impact level of incidents such as data leaks)

Answer 1a:

(b) Integrity (Impact level of incidents such as hack attempts)

Answer 1b:

(c) Availability (Impact level of service outage incidents, up to 22 hours per quarter)

Answer 1c:

## (2) IP addresses and AS Numbers

Incident Severity
    * Low       (No / negligible impact)
    * Medium    (Local disruptions (registration information not being
                 available for some entities))
    * High      (Regional disruptions (registration information not being
                 available for the RIPE NCC region))
    * Very High (Global disruptions (lack of registration information
                 for all AS Numbers and IP addresses))

Please rate the incident severity (Low to Very High) in the following
three areas. Please explain why.

(a) Confidentiality (Impact level of incidents such as data leaks)

Answer 2a:

(b) Integrity (Impact level of incidents such as hack attempts)

Answer 2b:

(c) Availability (Impact level of service outage incidents, up to 22 hours per quarter)

Answer 2c:

## (3) Global DNS

Incident Severity
    * Low       (No / negligible impact)
    * Medium    (Local disruptions)
    * High      (Regional disruptions)
    * Very High (Global disruptions)

Please rate the incident severity (Low to Very High) in the following
three areas. Please explain why.

(a) Confidentiality (Impact level of incidents such as data leaks)

Answer 3a:

(b) Integrity (Impact level of incidents such as hack attempts)

Answer 3b:

(c) Availability (Impact level of service outage incidents, up to 22 hours per quarter)

Answer 3c:

---------------------------- FORM ENDS ------------------------------


Randy Bush

2022-06-27 21:59:09 CET

> RIPE NCC has asked the Routing WG Chairs to facilitate a working group
> conversation on framing RIPE NCC's RPKI services subcomponents in terms
> of criticality.

micromanagement are us!

> Service Criticality Questionnaire Form - RPKI
> =============================================
> 
> * Confidentiality: What is the highest possible impact of a data
>                    confidentiality-related incident (e.g. data leak)?

rpki data are not confidential.  only private keys are.  and the ncc
uses hsms, which is as good as you are gonna get

> * Integrity:       What is the highest possible impact of a data
>                    integrity-related incident (e.g. hacking)?

rpki data and protocols are pretty seriously designed against attacks on
data integrity

> * Availability:    What is the highest possible impact of a service
>                    availability-related incident (e.g. outage)? (All RIPE NCC
>                    services are designed with at least 99% availability, so
>                    please consider outages of up to 22 hours.)

well designed and written relying party software should be pretty
resilient to such.  of course, updates during the outage will not be
visible.  poorly designed and written rp software is a consumer's
choice; it's available. :)

randy


Mike Booth

2022-06-28 09:40:37 CET

I presume Global Routing is a wider scope than just RIPE.

----------------------- FORM STARTS BELOW -----------------------

Service Criticality Questionnaire Form - RPKI
=============================================

Introduction
------------

This form is used to gather input from the community on the service
criticality of the RPKI Service from RIPE NCC. The framework is
detailed in: https://labs.ripe.net/author/razvano/service-criticality-framework/

The service criticality has three components:

* Confidentiality: What is the highest possible impact of a data
                   confidentiality-related incident (e.g. data leak)?

* Integrity:       What is the highest possible impact of a data
                   integrity-related incident (e.g. hacking)?

* Availability:    What is the highest possible impact of a service
                   availability-related incident (e.g. outage)? (All RIPE NCC
                   services are designed with at least 99% availability, so
                   please consider outages of up to 22 hours.)

Service purpose
---------------

The RIPE NCC RPKI Service is the RPKI Trust Anchor (TA) for the RIPE NCC
service region, comprised of:
    * RPKI Dashboard (in the LIR portal)
    * Repositories (rsync/RRDP)
    * Certification Authorities (CAs)
    * RPKI Management API
    * Hardware Security Modules (HSMs)
    * Datasets

Service Criticality
-------------------

Please review the following three areas.

## (1) Global Routing

Incident Severity
    * Low        (No / negligible impact)
    * Medium     (One or a few ASes are unavailable)
    * High       (Many ASes in a region are unavailable)
    * Very High  (Global Internet routing disruptions)

Please rate the incident severity (Low to Very High) in the following
three areas. Please explain why.

(a) Confidentiality (Impact level of incidents such as data leaks)

Answer 1a: Low – The Routing table is public.

(b) Integrity (Impact level of incidents such as hack attempts)

Answer 1b: Very High – If incorrect data is in the GRT we will incorrectly route traffic.

(c) Availability (Impact level of service outage incidents, up to 22 hours per quarter)

Answer 1c: Very High – the GRT is key for our operation.

## (2) IP addresses and AS Numbers

Incident Severity
    * Low       (No / negligible impact)
    * Medium    (Local disruptions (registration information not being
                 available for some entities))
    * High      (Regional disruptions (registration information not being
                 available for the RIPE NCC region))
    * Very High (Global disruptions (lack of registration information
                 for all AS Numbers and IP addresses))

Please rate the incident severity (Low to Very High) in the following
three areas. Please explain why.

(a) Confidentiality (Impact level of incidents such as data leaks)

Answer 2a: Low – This is public information

(b) Integrity (Impact level of incidents such as hack attempts)

Answer 2b: Very High – If incorrect data is in the IRR or RPKI repositories we will incorrectly route traffic.

(c) Availability (Impact level of service outage incidents, up to 22 hours per quarter)

Answer 2c: High – while most will not notice a short down time, over a prolonged period this would lead to automated prefix list failures etc.

## (3) Global DNS

Incident Severity
    * Low       (No / negligible impact)
    * Medium    (Local disruptions)
    * High      (Regional disruptions)
    * Very High (Global disruptions)

Please rate the incident severity (Low to Very High) in the following
three areas. Please explain why.

(a) Confidentiality (Impact level of incidents such as data leaks)

Answer 3a: Low – DNS is public information.

(b) Integrity (Impact level of incidents such as hack attempts)

Answer 3b: Very High - RIPE operate a trusted anchor, this would be propagated.

(c) Availability (Impact level of service outage incidents, up to 22 hours per quarter)

Answer 3c: Low – There are other roots.

---------------------------- FORM ENDS ------------------------------


Nathalie Trenaman

2022-08-10 09:45:17 CET

RIPE NCC staff member

Dear all,

I want to thank Mike and Randy for their input so far. It is important for us at the RIPE NCC to learn what the Routing Working Group thinks about the nine questions in relation to the service criticality. So if you haven’t yet, please provide us with your thoughts.

This will help us decide on many things in relation to RPKI, including service level objectives, security controls, as well as how we use cloud services in relation to RPKI. More information on the overall project is at:
https://labs.ripe.net/author/razvano/service-criticality-framework/ 

As Job said, you can provide your input free form or you can follow the template. The most important thing is that we do get your input :)

Many thanks,

Nathalie Trenaman
Routing Security Programme Manager
RIPE NCC
