Certification of internet resource allocations is being actively considered by most if not all RIRs. In the case of APNIC, this has been regarded as a likely development since our CA project started several years ago (always subject to community agreement on appropriate standards).

As it happens, the IETF PKIX working group has almost completed the certificate extension specification for this very purpose, within the S-BGP framework:

http://www.ietf.org/internet-drafts/draft-ietf-pkix-x509-ipaddr-as-extn-03.t...

Regardless of the deployment of S-BGP, RIRs could start issuing certificates any time after specification is completed. APNIC is currently investigating this possibility.

cheers
-George

--
George Michaelson | APNIC
Email: ggm@apnic.net | PO Box 2131 Milton QLD 4064
Phone: +61 7 3367 0490 | Australia
Fax: +61 7 3367 0482 | http://www.apnic.net

---
On Tue, 4 Nov 2003 09:35:23 -0800 (PST) william@elan.net wrote:
On Tue, 4 Nov 2003, Bill Woodcock wrote:
> Should we, as a community, register with RIR's with PGP.
Each of the RIRs has either already established, or is in the process of establishing, a CA for that purpose. Please use them.
I'm very much for what RIRs are doing in this area (though ARIN could do PGP together with x.509 as I mentioned back in Memphis) as it will provide good security for communication to ARIN and making changes to RIR whois and other data and thus in the far future should seriously decrease possibility of hijacking even blocks when company is gone and blocks are no longer in use.
But let's be clear about it, what RIRs are doing as far as pgp or x.509 are for communication between RIR and the admin of the ip space. RIRs specifically do not want to "certify" by digital means that particular entity has the right to that netblock. What it means is that if you have a customer that has this x.509 certificate from ARIN and they ask you to announce it, you really can not see their certificate and will have to just do regular whois like you usually do (in fact you will not even know if the ip block whois is protected by this security feature).
You can not actually ask them for some digital certificate signed by ARIN showing it's their block. At these RIR signed certificates for use by 3rd parties are really what is needed for at least automated checking when peer or customer is asking to let their new announced block in and adjust the filters (we are not even talking about S-BGP here, just way to improve the security of the process of adjusting filter to announce new routes through your network). S-BGP would be next and will also require to use these kind of certificates as well, but as others will be quick to mention, S-BGP proposal still needs some work before we could begin beta-testing it.
---
William Leibzon
Elan Networks
william@elan.net