How to prove 192.5.5.0/24 is authorized?
Chris Kilbourn
kilbo-list at forest.net
Sat May 3 17:32:13 UTC 2003
At 1:51 PM -0500 5/2/03, John Palmer wrote:
>Good judgement should prevail. That's the problem when you start calling
>for a bureaucratic solution. Bureaucrats read from manuals and are inflexible.
Computers also read very rigid instruction sets and are completely
inflexible and brittle and will do the same thing over and over until
directed to do otherwise.
The authentication process back in 1992 when I applied for my first
netblocks from the InterNIC was twofold. Firstly, I had to figure out
where and how to get a netblock. Secondly, I had to secure an
Internet connection and pay to have my transit provider announce it.
In the first case, I had to attain a sufficient level of clue before
my forms were finally accepted. (I think that it was even one
half-time position managing that entire process by hand then.) In the
second case, it was a financial barrier since I was paying for
transit. (~$1,500/mo for a 56K as I recall.)
Untoward events tended to be technical mistakes as opposed to
outright fraudulent behavior. (Default route injection into BGP, etc.)
If you had enough clue and enough money, you were authorized to
announce a network. In 1992, this used to be a reasonable barrier as
there was little financial incentive to spend upwards of $20,000 for
hardware and $18,000 a year for bandwidth. Plus, the InterNIC would
pretty much give you what you wanted as long as you knew the proper
incantations on the forms.
Bottom line, it was about trust. Trust that you knew what you were
doing and that you were not going to take advantage of other
operators' networks.
Flash forward to 2003, and the base requirements are still the same:
clue and money. (And as with other processes in capitalistic
societies, if you have enough money, you don't even need a clue.)
Clue is easier today to obtain since everything you need to know is a
few mouse clicks away to the entire world as opposed to buried on an
ftp server that only a few hundred people know about. The hardware
and bandwidth costs are for all practical purposes close enough to
zero not to worry about.
As I've seen discussed here over and over, we're still operating
on trust even when we know that there are network operators out there
that don't give a damn if or how the technical system works as long
as they are making money.
They don't care if they screw us over in the process. They blithely
violate our trust because they _just_don't_care_.
Periodically we have our regular 'tragedy of the commons' discussions
and we build more fences (read: filters) and fret about the rabble
that keep climbing over our fences and trampling our lands and
breaking our fences.
Now we're faced with the fact that the rabble have discovered where
we were getting our fence materials from (the RIRs) and are
starting to build their own fences, and then we go out into our lands,
spot these new fences, scratch our heads and go, "Gee, did my
neighbor build that or not?"
Until we collectively get off of our butts and make something like
SBGP (I'm not advocating this method over any other, just using it
as a talking point) a requirement of network operation, we're going
to continue to get screwed by unscrupulous network operators who will
continue to cost us our time and our money to deal with them while
they make their money.
My quick spin through the ARIN web site shows one proposed policy
that basically says that there should be correct contact information
for a record. http://www.arin.net/policy/2003_2.html
It says nothing about authentication, which is the root of our
problem here. We need to re-build our web of trust somehow and then
move forward from there.
I view our situation as analogous to medieval bankers. Business is
growing like crazy, but unless we get our act together and build new
webs of trust, authentication and information exchange, it will
inhibit our ability to scale the network effectively and leave us
exposed to fraud.
I'm at a point where I have some time that I can contribute to the
effort, but before I go and re-invent the wheel here or tilt at a
windmill, I see from the archives that there was some activity going
on in 2000 with regards to this issue. Can someone point me to more
recent efforts in this area?
--
Regards,
Chris Kilbourn
Founder
_________________________________________________________________
digital.forest Int'l: +1-425-483-0483
where Internet solutions grow http://www.forest.net