How to prove is authorized?

Chris Kilbourn kilbo-list at
Sat May 3 17:32:13 UTC 2003

At 1:51 PM -0500 5/2/03, John Palmer wrote:
>Good judgement should prevail. That's the problem when you start calling
>for a bureaucratic solution. Bureaucrats read from manuals and are inflexible.

Computers also read very rigid instruction sets and are completely 
inflexible and brittle and will do the same thing over and over until 
directed to do otherwise.

The authentication process back in 1992 when I applied for my first 
netblocks from the InterNIC was twofold. Firstly, I had to figure out 
where and how to get a netblock. Secondly, I had to secure an 
Internet connection and pay to have my transit provider announce it.

In the first case, I had to attain a sufficient level of clue before 
my forms were finally accepted. (I think that it was even one 
half-time position managing that entire process by hand then.) In the 
second case, it was a financial barrier since I was paying for 
transit. (~$1,500/mo for a 56K as I recall.)

Untoward events tended to be technical mistakes as opposed to 
outright fraudulent behavior. (Default route injection into BGP, etc.)

If you had enough clue and enough money, you were authorized to 
announce a network. In 1992, this used to be a reasonable barrier as 
there was little financial incentive to spend upwards of $20,000 for 
hardware and $18,000 a year for bandwidth. Plus, the InterNIC would 
pretty much give you what you wanted as long as you knew the proper 
incantations on the forms.

Bottom line, it was about trust. Trust that you knew what you were 
doing and that you were not going to take advantage of other 
operators' networks.

Flash forward to 2003, and the base requirements are still the same: 
clue and money. (And as with other processes in capitalistic 
societies, if you have enough money, you don't even need a clue.)

Clue is easier today to obtain since everything you need to know is a 
few mouse clicks away to the entire world as opposed to buried on an 
ftp server that only a few hundred people know about. The hardware 
and bandwidth costs are for all practical purposes close enough to 
zero not to worry about.

As I've seen discussed here over and over, we're still operating 
on trust even when we know that there are network operators out there 
that don't give a damn if or how the technical system works as long 
as they are making money.

They don't care if they screw us over in the process. They blithely 
violate our trust because they _just_don't_care_.

Periodically we have our regular 'tragedy of the commons' discussions 
and we build more fences (read: filters) and fret about the rabble 
that keep climbing over our fences and trampling our lands and 
breaking our fences.

Now we're faced with the fact that the rabble have discovered where 
we were getting our fence materials from (the RIRs) and are 
starting to build their own fences, and then we go out into our lands, 
spot these new fences, scratch our heads and go, "Gee, did my 
neighbor build that or not?"

Until we collectively get off of our butts and make something like 
SBGP (I'm not advocating this method over any other, just using it 
as a talking point) a requirement of network operation, we're going 
to continue to get screwed by unscrupulous network operators who will 
continue to cost us our time and our money to deal with them while 
they make their money.

My quick spin through the ARIN web site shows one proposed policy 
that basically says that there should be correct contact information 
for a record.

It says nothing about authentication, which is the root of our 
problem here. We need to re-build our web of trust somehow and then 
move forward from there.

I view our situation as analogous to medieval bankers. Business is 
growing like crazy, but unless we get our act together and build new 
webs of trust, authentication and information exchange, it will 
inhibit our ability to scale the network effectively and leave us 
exposed to fraud.

I'm at a point where I have some time that I can contribute to the 
effort, but before I go and re-invent the wheel here or tilt at a 
windmill, I see from the archives that there was some activity going 
on in 2000 with regards to this issue. Can someone point me to more 
recent efforts in this area?

Chris Kilbourn
digital.forest                             Int'l: +1-425-483-0483
where Internet solutions grow
