Hijacked IP space.

George Michaelson ggm at apnic.net
Wed Nov 5 02:40:56 UTC 2003



Certification of internet resource allocations is being actively considered by
most if not all RIRs.  In the case of APNIC, this has been regarded as a likely
development since our CA project started several years ago (always subject to
community agreement on appropriate standards).

As it happens, the IETF PKIX working group has almost completed the certificate
extension specification for this very purpose, within the S-BGP framework:

 http://www.ietf.org/internet-drafts/draft-ietf-pkix-x509-ipaddr-as-extn-03.txt

Regardless of the deployment of S-BGP, RIRs could start issuing certificates any
time after the specification is completed.  APNIC is currently investigating this
possibility.

cheers
	-George

-- 
George Michaelson       |  APNIC
Email: ggm at apnic.net    |  PO Box 2131 Milton QLD 4064
Phone: +61 7 3367 0490  |  Australia
  Fax: +61 7 3367 0482  |  http://www.apnic.net

---

On Tue, 4 Nov 2003 09:35:23 -0800 (PST) william at elan.net wrote:

> 
> On Tue, 4 Nov 2003, Bill Woodcock wrote:
> 
> >     > Should we, as a community, register with RIR's with PGP.
> > 
> > Each of the RIRs has either already established, or is in the process of
> > establishing, a CA for that purpose.  Please use them.
> 
> I'm very much for what RIRs are doing in this area (though ARIN could do 
> PGP together with x.509 as I mentioned back in Memphis) as it will provide
> good security for communication to ARIN and for making changes to RIR whois 
> and other data, and thus in the far future should seriously decrease the 
> possibility of hijacking even blocks when a company is gone and the blocks are 
> no longer in use. 
> 
> But let's be clear about it: what RIRs are doing as far as PGP or x.509 
> is for communication between the RIR and the admin of the IP space. RIRs 
> specifically do not want to "certify" by digital means that a particular 
> entity has the right to that netblock. What it means is that if you have 
> a customer that has this x.509 certificate from ARIN and they ask you to 
> announce it, you really can not see their certificate and will have to 
> just do regular whois like you usually do (in fact you will not even 
> know if the IP block whois is protected by this security feature). 
> 
> You can not actually ask them for some digital certificate signed by ARIN 
> showing it's their block. At these RIR-signed certificates for use by 
> 3rd parties are really what is needed for at least automated checking 
> when a peer or customer is asking to let their newly announced block in and 
> adjust the filters (we are not even talking about S-BGP here, just a way to 
> improve the security of the process of adjusting filters to announce new 
> routes through your network).  S-BGP would be next and will also require 
> the use of these kinds of certificates as well, but as others will be quick to 
> mention, the S-BGP proposal still needs some work before we could begin 
> beta-testing it.
> 
> ---
> William Leibzon
> Elan Networks
> william at elan.net
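The two threads above meet in one place: George's note that the PKIX draft defines an X.509 extension carrying IP address blocks, and William's wish for a certificate a provider could check automatically before adjusting filters for a customer's new announcement. The following is an added illustration (not code from APNIC, ARIN, the IETF, or either poster) of that provider-side check. It implements the draft's BIT STRING encoding of an address prefix (bits beyond the prefix length omitted) and of an address range (min with trailing zero bits dropped, max with trailing one bits dropped), then tests whether a requested prefix lies inside the certificate's blocks. DER framing and signature verification are assumed to be done by an X.509 library and are not modelled; the sample certificate contents are constructed, and the helper names are this example's own.

```python
"""
Added illustration of the IP-address-block certificate extension, reduced
to what a filter-adjustment script needs.  Not RIR or IETF code; the
certificate contents below are constructed from documentation ranges.
"""
import ipaddress
from typing import List, Tuple

AFI_IPV4, AFI_IPV6 = 1, 2   # IANA address family numbers, as used by the draft


def _encode_bits(value: int, total: int, nbits: int) -> bytes:
    """BIT STRING contents holding the top `nbits` bits of a `total`-bit
    address: one 'unused bits' byte, then the bits left-aligned in bytes."""
    nbytes = (nbits + 7) // 8
    unused = nbytes * 8 - nbits
    kept = (value >> (total - nbits)) << unused
    return bytes([unused]) + kept.to_bytes(nbytes, "big")


def _decode_bits(contents: bytes, total: int, pad_with_ones: bool) -> Tuple[int, int]:
    """Inverse of _encode_bits: (address as int, bit count).  Omitted low-order
    bits become zeros (prefix / range min) or ones (prefix end / range max)."""
    unused, body = contents[0], contents[1:]
    nbits = len(body) * 8 - unused
    value = (int.from_bytes(body, "big") >> unused) << (total - nbits)
    if pad_with_ones:
        value |= (1 << (total - nbits)) - 1
    return value, nbits


def encode_prefix(net) -> bytes:
    """addressPrefix: only the prefix-length bits of the network address."""
    net = ipaddress.ip_network(net)
    return _encode_bits(int(net.network_address), net.max_prefixlen, net.prefixlen)


def encode_range(lo, hi) -> Tuple[bytes, bytes]:
    """addressRange: min drops trailing zero bits, max drops trailing one bits."""
    lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    total = lo.max_prefixlen

    def kept_bits(value: int, drop_ones: bool) -> int:
        # Invert for max so that trailing ones can be stripped like zeros.
        probe = value ^ ((1 << total) - 1) if drop_ones else value
        n = total
        while n > 0 and probe & 1 == 0:
            probe >>= 1
            n -= 1
        return n

    return (_encode_bits(int(lo), total, kept_bits(int(lo), False)),
            _encode_bits(int(hi), total, kept_bits(int(hi), True)))


def decode_family(afi: int, items: List[tuple]) -> List[Tuple[int, int]]:
    """One address family's entries -> (low, high) integer intervals.
    Entries are ("prefix", bits) or ("range", min_bits, max_bits)."""
    total = 32 if afi == AFI_IPV4 else 128
    intervals = []
    for item in items:
        lo, _ = _decode_bits(item[1], total, pad_with_ones=False)
        hi, _ = _decode_bits(item[-1], total, pad_with_ones=True)
        intervals.append((lo, hi))
    return intervals


def certificate_covers(cert_blocks: dict, requested) -> bool:
    """Provider-side check: accept the announcement request only if the
    requested prefix lies wholly inside one interval of the matching family."""
    requested = ipaddress.ip_network(requested)
    afi = AFI_IPV4 if requested.version == 4 else AFI_IPV6
    lo, hi = int(requested.network_address), int(requested.broadcast_address)
    return any(a <= lo and hi <= b
               for a, b in decode_family(afi, cert_blocks.get(afi, [])))


# Constructed sample certificate: 203.0.113.0/24 as a prefix, 198.51.100.16
# through 198.51.100.47 as a range, and 2001:db8::/32 as a prefix.
SAMPLE_CERT_BLOCKS = {
    AFI_IPV4: [
        ("prefix", encode_prefix("203.0.113.0/24")),
        ("range", *encode_range("198.51.100.16", "198.51.100.47")),
    ],
    AFI_IPV6: [("prefix", encode_prefix("2001:db8::/32"))],
}


def check_request(prefix: str) -> bool:
    """Would we let this customer announcement through the filters?"""
    return certificate_covers(SAMPLE_CERT_BLOCKS, prefix)


if __name__ == "__main__":
    for p in ("203.0.113.128/25", "203.0.112.0/23", "198.51.100.32/28",
              "198.51.100.0/24", "2001:db8:1::/48", "2001:db9::/32"):
        print(p, "accept" if check_request(p) else "reject")
```

Note that the range encoding is what makes a containment check cheap: a request like 198.51.100.0/24 is rejected even though the certificate holds part of that /24, because the filter script compares the whole requested interval, not just its first address.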
