Hijacked IP space.

william at elan.net william at elan.net
Tue Nov 4 17:35:23 UTC 2003

On Tue, 4 Nov 2003, Bill Woodcock wrote:

>     > Should we, as a community, register with RIR's with PGP.
> Each of the RIRs has either already established, or is in the process of
> establishing, a CA for that purpose.  Please use them.

I'm very much for what RIRs are doing in this area (though ARIN could do 
PGP together with x.509 as I mentioned back in Memphis) as it will provide
good security for communication to ARIN and making changes to RIR whois 
and other data and thus in the far future should seriously decrease 
possibility of hijacking even blocks when company is gone and blocks are 
no longer in use. 

But lets be clear about it, what RIRs are doing as far as pgp or x.509 
are for communication between RIR and the admin of the ip space. RIRs 
specifically do not want to "certify" by digital means that particular 
entity has the right to that netblock. What it means is that if you have 
a customer that has this x.509 certificate from ARIN and they ask you to 
announce it, you really can not see their certificate and will have to 
just do regular whois like you usually do (in fact you will not even 
know if the ip block whois is protected by this security feature). 

You can not actually ask the for some digital certificate signed by ARIN 
showing its their block. At these RIR signed certificates for use by 
3rd parties are really what is needed for at least automated checking 
when peer or customer is asking to let their new announced block in and 
adjust the filters (we are not even talking about S-BGP here, just way to 
improve the security of the  process of adjusting filter to announce new 
routes through your network).  S-BGP would be next and will also require 
to use these kind of certificates as well, but as others will be quick to 
mention, S-BGP proposal still needs some work before we could begin 
beta-testing it.

William Leibzon
Elan Networks
william at elan.net

More information about the NANOG mailing list