IP Block 99/8 (DHS insanity - offtopic)

Chris L. Morrow christopher.morrow at verizonbusiness.com
Tue Apr 24 15:02:37 UTC 2007



On Tue, 24 Apr 2007, Sean Donelan wrote:

> On Mon, 23 Apr 2007, Chris L. Morrow wrote:
> > I think the strawman proposals so far were something like:
> >
> > 1) iana has 'root' ca-cert
> > 2) iana signs down certs for RIR's
> > 3) RIR's sign down certs for LIR's
> > 4) LIR's sign down certs for 'users' (where 'users' is probably
> > address-space users, like corporations or end-sites)
> >
> > This seemed not-too-insane, and would give ISP/operator type folks that
> > ability to easily and quickly verify that:
> >
> > 157.242.0.0/16 is in point of fact permitted to originate by the org-id: LMU-1
> >
> > with some level of authority... It's nothing really more than that.
>
> You can do online or offline verification of a trust chain.  RSA, certs,
> etc are just the math.  But the math doesn't change the trust.  If the
> LIR/RIR directories are poorly maintained, their signatures aren't going
> to be any better.

yes, but:
1) there is no discussion of certs+bgp
2) they need to cleanup/tightenup anyway, adding some helpful (to
operators) bits is a nice thing, yes?

> The problem in your trust chain above is the LIR's don't actually verify
> much about the 'users'; and it's very easy to spoof the LIRs (i.e. I
> forgot my password) to change their directory information.  And the same
> thing will probably be true when you ask LIRs to sign things.  I lost my
> RSA cert, please sign a new one for "me".

Is it really that easy? I recall a few people having LOTS of trouble
getting their address block information changed so it was once again
usable... I know we had some headaches getting our information switched
around to reflect corporate changes.

> An online chain of RWHOIS delegations or an offline chain of RSA
> certificates (which you will still need an online CRL check), doesn't
> change the problems in the LIRs (or even RIRs or IANA).  A lot of math
> won't make the answer more authoritative.

yes, but the math makes, hopefully, the checking simpler... and it's a
better system than exists today at many places where 'if you put yer
object in the IRR we'll accept it!' (see ConEd incident of 2 years back
for one example). Without any programmatic checking of this data the only
thing accomplished with use of an IRR is to increase the speed with which
you can change prefix-list data :( there is no check for accuracy nor
authority.

-Chris
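The IANA -> RIR -> LIR -> user chain from the strawman above, as an added illustration that is not part of the thread: each link must be signed by its parent and must stay inside the parent's address space, and the final question is whether an org-id may originate a prefix. A keyed MAC stands in for the RSA signatures (an assumption so it runs with the standard library only); the names, keys and allocations are constructed, not real registry data.

```python
import hashlib, hmac, ipaddress
from dataclasses import dataclass

# Hypothetical stand-in: a keyed MAC plays the role of the RSA signature the
# thread discusses, so the chain logic runs with the standard library only.
@dataclass
class Cert:
    subject: str      # holder: IANA, an RIR, an LIR, or an org-id such as LMU-1
    issuer: str       # signer; the root is self-issued
    prefixes: tuple   # address space the holder may use or delegate further
    sig: bytes = b""
def _sign(key, cert):
    msg = f"{cert.subject}|{cert.issuer}|{','.join(cert.prefixes)}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()
def issue(issuer_key, issuer, subject, prefixes):
    cert = Cert(subject, issuer, tuple(prefixes))
    cert.sig = _sign(issuer_key, cert)
    return cert
def _covered(prefix, holder):
    return any(ipaddress.ip_network(prefix).subnet_of(ipaddress.ip_network(p)) for p in holder.prefixes)

def verify_chain(chain, keys, root="iana"):
    """chain runs root -> RIR -> LIR -> user; keys maps issuer name to key.
    Each link must be signed by its parent and lie inside the parent's space;
    whether the LIR *should* have signed ('I forgot my password') is not checked."""
    parent = None
    for cert in chain:
        want_issuer = root if parent is None else parent.subject
        if cert.issuer != want_issuer or (parent is None and cert.subject != root):
            return False
        if not hmac.compare_digest(cert.sig, _sign(keys[cert.issuer], cert)):
            return False
        if parent is not None and not all(_covered(p, parent) for p in cert.prefixes):
            return False
        parent = cert
    return True

def may_originate(prefix, org, chain, keys):
    # The operator's question in the thread: is org permitted to originate prefix?
    leaf = chain[-1]
    return verify_chain(chain, keys) and leaf.subject == org and _covered(prefix, leaf)

# Constructed keys and allocations, not real registry data.
KEYS = {"iana": b"k-iana", "rir": b"k-rir", "lir": b"k-lir"}
ROOT = issue(KEYS["iana"], "iana", "iana", ["0.0.0.0/0"])
RIR = issue(KEYS["iana"], "iana", "rir", ["157.0.0.0/8"])
LIR = issue(KEYS["rir"], "rir", "lir", ["157.242.0.0/15"])
USER = issue(KEYS["lir"], "lir", "LMU-1", ["157.242.0.0/16"])
GOOD_CHAIN = [ROOT, RIR, LIR, USER]
# An LIR signing space it never held is caught by the containment check.
BAD_CHAIN = [ROOT, RIR, LIR, issue(KEYS["lir"], "lir", "MALLORY-1", ["157.250.0.0/16"])]
```

The containment and signature checks are the "math" Sean refers to: they reject a forged or out-of-scope cert, but a cert an LIR was talked into signing for the wrong party passes them unchanged.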


