Proof of ownership; when someone demands you remove a prefix

Sean Pedersen spedersen.lists at gmail.com
Tue Mar 13 14:23:06 UTC 2018


In this case we defaulted to trusting our customer and their LOA over a stranger on the Internet and asked our customer to review the request. Unfortunately, that doesn't necessarily mean a stranger on the Internet isn't the actual assignee. A means to definitively prove "ownership" from a technical angle would be great.

In the example provided in my original e-mail, it appears that an IP broker or related scammer gained access to the assignee's RIR account and made some object updates (e-mail, country, etc.) that they could use to "prove" they had authority to make the request. I assume their offer of proof would have been to send us an email from the dubious @yahoo.com account they had listed as the admin contact. 

I agree with a private response that I received that at some point lawyers probably need to take over if a technical solution to verification is not reached. 

I'm not terribly current on resource certification, but would RPKI play a role here? It looks like its application is limited to authenticating the announcement of resources to prevent route hijacking. If you've authorized a 3rd party to announce your routes, could you assign a certificate to that 3rd party for a specific resource and then revoke it if they are no longer authorized? Would it matter if someone gains access to your RIR/LIR account and revokes the certificate? This would assume protocol compatibility, that everyone is using it, etc. 

-----Original Message-----
From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Jason Hellenthal
Sent: Monday, March 12, 2018 6:40 PM
To: George William Herbert <george.herbert at gmail.com>
Cc: nanog at nanog.org
Subject: Re: Proof of ownership; when someone demands you remove a prefix

How about signed ownership ? (https://keybase.io) if you are able to update the record … and it is able to be signed then shouldn’t that be proof enough of ownership of the ASN ?

If you can update a forward DNS record then you can have the reverse record updated in the same sort of fashion and signed by a third party to provide first party of authoritative ownership… Assuming you have an assigned ASN and the admin has taken the time to let alone understand the concept and properly prove the identity in the first place… (EV cert ?)


Just a light opinion from … https://jhackenthal.keybase.pub

Trust is a big issue these days and validation even worse given SSL trust.

-- 

The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.





> On Mar 12, 2018, at 21:20, George William Herbert <george.herbert at gmail.com> wrote:
> 
> Ownership?...
> 
> (Duck)
> 
> -george 
> 
> Sent from my iPhone
> 
>> On Mar 12, 2018, at 4:11 PM, Randy Bush <randy at psg.com> wrote:
>> 
>> it's a real shame there is no authorative cryptographically verifyable
>> attestation of address ownership.





More information about the NANOG mailing list