IP Block 99/8 (DHS insanity - offtopic)

Jeroen Massar jeroen at unfix.org
Tue Apr 24 10:47:43 UTC 2007


Sean Donelan wrote:
> 
> On Mon, 23 Apr 2007, Chris L. Morrow wrote:
>> I think the strawman proposals so far were something like:
>>
>> 1) iana has 'root' ca-cert
>> 2) iana signs down certs for RIR's
>> 3) RIR's sign down certs for LIR's
>> 4) LIR's sign down certs for 'users' (where 'users' is probably
>> address-space users, like corporations or end-sites)
>>
>> This seemed not-too-insane, and would give ISP/operator type folks that
>> ability to easily and quickly verify that:
>>
>> 157.242.0.0/16 is in point of fact permitted to originate by the
>> org-id: LMU-1
>>
>> with some level of authority... It's nothing really more than that.
> 
> You can do online or offline verification of a trust chain.  RSA, certs,
> etc are just the math.  But the math doesn't change the trust.  If the
> LIR/RIR directories are poorly maintained, their signatures aren't going
> to be any better.

IMHO ISPs that are not maintaining their entries correctly should not
have a place on the Internet. In IPv6 one can see it quite well
actually, when one has route6 entries the prefix has more of a chance of
piercing through filters than when it has none. Adding a signature to
this chain of checks and enforcing BGP announcements to be signed would
definitely weed out a lot of bad ISPs who couldn't care less as they
suddenly start losing connectivity.

Do also note that, like DNS roots, anybody can set up their private
signing authority and provide certs to their buddy ISPs in a similar
manner.

> The problem in your trust chain above is the LIRs don't actually verify
> much about the 'users'; and it's very easy to spoof the LIRs (i.e. I
> forgot my password) to change their directory information.  And the same
> thing will probably be true when you ask LIRs to sign things.  I lost my
> RSA cert, please sign a new one for "me".

This is also more about who is responsible for the address, not who
actually uses the address space. With hacked computers and botnets and
the like that is an unknown anyway. But when the responsible
organization crosses the line a couple of times, it is easy to see where
the bad ones really are.

> An online chain of RWHOIS delegations or an offline chain of RSA
> certificates (for which you will still need an online CRL check) doesn't
> change the problems in the LIRs (or even RIRs or IANA).  A lot of math
> won't make the answer more authoritative.

What is the problem here then? You simply mark the LIR as untrustworthy
when they peep up a number of times, and as more and more ISPs do that
they silently disappear from the Internet, at least the one where the
'trusted' ISPs are in. This is the same as de-peering ones who are not
being nice to you, but now you at least know it is them being bad and
not somebody just hijacking them. It's just a little step up from what
already gets done.

With every verification mechanism that involves trust and signing there
usually is also a need for a whitelist and a blacklist; you can manage these
yourself or you can let some 3rd party do it, like what is done with
many of the spam cases.

Greets,
 Jeroen
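
The delegation chain from Chris's strawman (IANA -> RIR -> LIR -> user) and Sean's revocation point, worked through as an added example that is not from this thread or from any RIR's software. Textbook RSA on fixed Mersenne primes stands in for real certificates; the org names RIR-A and LIR-B and the parent blocks 157.0.0.0/8 and 157.240.0.0/14 are constructed assumptions, and only 157.242.0.0/16 and LMU-1 come from the thread.

```python
import hashlib
import ipaddress
E = 65537  # textbook RSA on fixed Mersenne primes: constructed for illustration, not secure
def toy_keypair(p, q):
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))  # (public, private)
def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
def toy_sign(priv, msg):
    return pow(_digest(msg, priv[0]), priv[1], priv[0])
def toy_verify(pub, msg, sig):
    return pow(sig, pub[1], pub[0]) == _digest(msg, pub[0])
def tbs(subject, prefix, pub):  # to-be-signed bytes: who gets which block under which key
    return f"{subject}|{prefix}|{pub[0]}|{pub[1]}".encode()
def issue(issuer, issuer_priv, subject, prefix, subject_pub):
    # a cert is the delegation claim plus the parent's signature over it
    return {"issuer": issuer, "subject": subject, "prefix": prefix, "pub": subject_pub,
            "sig": toy_sign(issuer_priv, tbs(subject, prefix, subject_pub))}

def verify_chain(chain, root_pub, crl, prefix, origin_org):
    """Offline walk IANA -> RIR -> LIR -> user: each link signed by its parent, nested in the parent's block, not revoked."""
    parent_pub, parent_net = root_pub, None
    for c in chain:
        if (c["issuer"], c["subject"]) in crl:
            return False, f"{c['subject']} revoked by {c['issuer']}"
        if not toy_verify(parent_pub, tbs(c["subject"], c["prefix"], c["pub"]), c["sig"]):
            return False, f"bad signature on {c['subject']}"
        net = ipaddress.ip_network(c["prefix"])
        if parent_net is not None and not net.subnet_of(parent_net):
            return False, f"{c['prefix']} is outside {parent_net}"
        parent_pub, parent_net = c["pub"], net
    if chain[-1]["subject"] != origin_org or not ipaddress.ip_network(prefix).subnet_of(parent_net):
        return False, f"{origin_org} not authorized for {prefix}"
    return True, "ok"

def demo():
    # constructed hierarchy; the org names and blocks above LMU-1 are not real allocations
    iana_pub, iana_priv = toy_keypair(2**127 - 1, 2**107 - 1)
    rir_pub, rir_priv = toy_keypair(2**89 - 1, 2**61 - 1)
    lir_pub, lir_priv = toy_keypair(2**31 - 1, 2**19 - 1)
    lmu_pub, _ = toy_keypair(2**17 - 1, 2**13 - 1)
    chain = [issue("IANA", iana_priv, "RIR-A", "157.0.0.0/8", rir_pub),
             issue("RIR-A", rir_priv, "LIR-B", "157.240.0.0/14", lir_pub),
             issue("LIR-B", lir_priv, "LMU-1", "157.242.0.0/16", lmu_pub)]
    ok = verify_chain(chain, iana_pub, set(), "157.242.0.0/16", "LMU-1")
    # revoking the LIR's cert ("I lost my cert, sign a new one") fails everything below it
    revoked = verify_chain(chain, iana_pub, {("RIR-A", "LIR-B")}, "157.242.0.0/16", "LMU-1")
    # a cert the LIR signs for a block it was never delegated fails the nesting check
    rogue = chain[:2] + [issue("LIR-B", lir_priv, "LMU-1", "10.0.0.0/8", lmu_pub)]
    return ok, revoked, verify_chain(rogue, iana_pub, set(), "10.0.0.0/8", "LMU-1")
```

The math only proves who signed what; the CRL and the nesting check are where the trust decisions Sean is worried about actually get enforced.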

