If there's a desire to trust information garnered from the Internet Routing Registry (eg. RADB, RIPE), it would seem that one would like a way to verify the server responding to queries. Is there a way to query the database using SSL or something else which can use digital certificates or other manner of keys which can be verified somewhat out-of-band? It would seem that it wouldn't be such a big deal to offer this capability not in lieu of, but just in addition to, the current "whois" protocol. No changes ought to be needed to the database language or back-end. Speaking of back-end, though, is there any verification that goes on in the mirroring process? Any comments or information are appreciated. Thanks, Tony
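One way the capability asked for above could look in practice, as an added example that is not part of the thread or of any registry's software: a whois client that wraps the unchanged query in TLS and checks the server certificate against a SHA-256 fingerprint obtained out-of-band before sending anything. The TLS port (IRR_TLS_PORT) and the existence of such an endpoint are assumptions; the response parsing and pin check are the reusable parts.

```python
# Added example (not from the thread): whois-over-TLS IRR client with an
# out-of-band pinned server certificate. IRR_TLS_PORT is hypothetical.
import hashlib
import socket
import ssl

IRR_TLS_PORT = 4443  # assumption: a TLS-wrapped whois port, not a real service


def frame_query(query: str) -> bytes:
    """Whois (RFC 3912) framing: one query line terminated by CRLF."""
    return query.encode("ascii") + b"\r\n"


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate: the value published out-of-band."""
    return hashlib.sha256(der).hexdigest()


def parse_rpsl(text: str) -> list:
    """Split a whois response into RPSL objects (blank-line separated), each an
    ordered list of (attribute, value); space/tab/'+' lines continue a value."""
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        if line[0] in " \t+" and current:
            attr, val = current[-1]
            current[-1] = (attr, val + " " + line[1:].strip())
            continue
        attr, _, val = line.partition(":")
        current.append((attr.strip(), val.strip()))
    if current:
        objects.append(current)
    return objects


def query_irr(host: str, query: str, pinned_sha256: str) -> list:
    """TLS connect, validate chain and hostname, then the pin, then query."""
    ctx = ssl.create_default_context()  # CA validation plus hostname check
    with socket.create_connection((host, IRR_TLS_PORT)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            if cert_fingerprint(tls.getpeercert(True)) != pinned_sha256.lower():
                raise ssl.SSLError("peer certificate does not match pin")
            tls.sendall(frame_query(query))
            chunks = []
            while chunk := tls.recv(4096):
                chunks.append(chunk)
    return parse_rpsl(b"".join(chunks).decode("utf-8", "replace"))
```

The pin is an addition to, not a replacement for, ordinary CA validation, so a compromised or mis-issued certificate for the registry's name is still rejected.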
In the referenced message, Tony Tauber said:
If there's a desire to trust information garnered from the Internet Routing Registry (eg. RADB, RIPE), it would seem that one would like a way to verify the server responding to queries.
At this time, I think verification and sanity-checking of the data that goes into the IRR is more important than that which comes out of it. There is a plethora of stale registrations, entities who don't register (*cough*701*cough*), and at least one entity which is robo-proxy-registering routes "in the wild" (due to the folks who don't register.) I'd love to see the first cleaned up (including others who have registered chunks of your address space with their own maintainer, making it tough to delete (much like the old problem of others creating/referencing DNS servers making it impossible to have them deleted.)) The second group annoy me to no end, both in the customer and in the peer variety. The third is somewhat annoying since it can mask leaks from the folks who _do_ register, and doesn't really solve #2.
On Fri, 11 Jan 2002, Stephen Griffin wrote:
In the referenced message, Tony Tauber said:
If there's a desire to trust information garnered from the Internet Routing Registry (eg. RADB, RIPE), it would seem that one would like a way to verify the server responding to queries.
At this time, I think verification and sanity-checking of the data that goes into the IRR is more important than that which comes out of it.
There is a plethora of stale registrations, entities who don't register (*cough*701*cough*), and at least one entity which is robo-proxy-registering routes "in the wild" (due to the folks who don't register.)
I understand your gripe but am not interested in boiling the ocean today. If there were a *subset* of information that one was prepared to trust somewhat, the modest enhancement of more verifiable queries would be nice and, I think, fairly cheap to add. Tony
### On Fri, 11 Jan 2002 14:45:35 -0500 (EST), Tony Tauber
### <ttauber@genuity.net> casually decided to expound upon nanog@merit.edu
### the following thoughts about "SSL for IRR queries?":

TT> If there's a desire to trust information garnered
TT> from the Internet Routing Registry (eg. RADB, RIPE),
TT> it would seem that one would like a way to verify
TT> the server responding to queries.

There is implementation work being done for rps-auth (RFC2725) by RIPE, Merit and others I believe. This should ensure authenticated integrity of the data. If it's query-time man-in-the-middle type attacks one is worried about then an implementation of rps-dist (RFC2769) addresses that issue which I believe is being done by RIPE, Merit and others as well. I had heard it was moved to a lower priority than implementing rps-auth however. Perhaps someone from the RIPE db-wg could comment.

--
/*===================[ Jake Khuon <khuon@NEEBU.Net> ]======================+
| Packet Plumber, Network Engineers     /| / [~ [~ |) | | --------------- |
| for Effective Bandwidth Utilisation  / |/ [_ [_ |) |_| N E T W O R K S |
+=========================================================================*/
Jake Khuon wrote:
### On Fri, 11 Jan 2002 14:45:35 -0500 (EST), Tony Tauber
### <ttauber@genuity.net> casually decided to expound upon nanog@merit.edu
### the following thoughts about "SSL for IRR queries?":

TT> If there's a desire to trust information garnered
TT> from the Internet Routing Registry (eg. RADB, RIPE),
TT> it would seem that one would like a way to verify
TT> the server responding to queries.

There is implementation work being done for rps-auth (RFC2725) by RIPE, Merit and others I believe. This should ensure authenticated integrity of the data. If it's query-time man-in-the-middle type attacks one is worried about then an implementation of rps-dist (RFC2769) addresses that issue which I believe is being done by RIPE, Merit and others as well. I had heard it was moved to a lower priority than implementing rps-auth however. Perhaps someone from the RIPE db-wg could comment.
The RIPE Database server implements RPSL-auth (RFC2725) and not rpsl-dist. The specification is quite complex and requires a lot of coordination effort between the registries, so near real-time mirroring of several major RRs was considered more feasible at the moment. Our further development prospects are still aimed at making the update path more secure, and perhaps implementing SSL for updates in the first place. Anyway, discussion of this feature may be appropriate within the RIPE Database WG (db-wg@ripe.net mailing list).

Regards,

Andrei Robachevsky
RIPE NCC