Hijacked IP space.
william at elan.net
Tue Nov 4 17:35:23 UTC 2003
On Tue, 4 Nov 2003, Bill Woodcock wrote:
> > Should we, as a community, register with RIRs with PGP?
>
> Each of the RIRs has either already established, or is in the process of
> establishing, a CA for that purpose. Please use them.

I'm very much for what RIRs are doing in this area (though ARIN could do
PGP together with x.509 as I mentioned back in Memphis) as it will provide
good security for communication to ARIN and making changes to RIR whois
and other data and thus in the far future should seriously decrease
possibility of hijacking even blocks when company is gone and blocks are
no longer in use.

But let's be clear about it, what RIRs are doing as far as PGP or X.509
is for communication between RIR and the admin of the IP space. RIRs
specifically do not want to "certify" by digital means that particular
entity has the right to that netblock. What it means is that if you have
a customer that has this x.509 certificate from ARIN and they ask you to
announce it, you really can not see their certificate and will have to
just do regular whois like you usually do (in fact you will not even
know if the ip block whois is protected by this security feature).

You cannot actually ask them for some digital certificate signed by ARIN
showing it's their block. These RIR signed certificates for use by
3rd parties are really what is needed for at least automated checking
when peer or customer is asking to let their new announced block in and
adjust the filters (we are not even talking about S-BGP here, just way to
improve the security of the process of adjusting filter to announce new
routes through your network). S-BGP would be next and will also require
to use these kind of certificates as well, but as others will be quick to
mention, S-BGP proposal still needs some work before we could begin
beta-testing it.
---
William Leibzon
Elan Networks
william at elan.net