SSL for IRR queries?

Andrei Robachevsky andrei at ripe.net
Mon Jan 14 16:35:00 UTC 2002


Jake Khuon wrote:

> ### On Fri, 11 Jan 2002 14:45:35 -0500 (EST), Tony Tauber
> ### <ttauber at genuity.net> casually decided to expound upon nanog at merit.edu
> ### the following thoughts about "SSL for IRR queries?":
> 
> TT> If there's a desire to trust information garnered
> TT> from the Internet Routing Registry (e.g. RADB, RIPE),
> TT> it would seem that one would like a way to verify
> TT> the server responding to queries.
> 
> There is implementation work being done for rps-auth (RFC2725) by RIPE,
> Merit and others I believe.  This should ensure authenticated integrity of
> the data.  If it's query-time man-in-the-middle type attacks one is worried
> about then an implementation of rps-dist (RFC2769) addresses that issue
> which I believe is being done by RIPE, Merit and others as well.  I had
> heard it was moved to a lower priority than implementing rps-auth however.
> Perhaps someone from the RIPE db-wg could comment.
>


The RIPE Database server implements RPSL-auth (RFC2725) and not 
rpsl-dist. The specification is quite complex and requires a lot of 
coordination efforts between the registries; so that near real-time 
mirroring of several major RRs was considered more feasible at the moment.

Our further development prospects are still aimed at making the update path 
more secure, and perhaps implementing SSL for updates in the first 
place. Anyway, discussion of this feature may be appropriate within the 
RIPE Database WG (db-wg at ripe.net mailing list).

Regards, 

Andrei Robachevsky
RIPE NCC