Hi, I am Shai from Rogers Cable Inc., an ISP in Canada. We have IP block 99.x.x.x assigned to our customers, which happened to be a bogon block in the past and was given to ARIN in Oct 2006. As we have recently started using this block, we are getting complaints from our customers who are unable to surf some web sites. After investigation we found that there are still some prefix lists/ACLs blocking this IP block. We own the following blocks:
99.224.0.0/12
99.240.0.0/13
99.248.0.0/14
99.252.0.0/16
99.253.128.0/19
Please update your bogon lists.
Shai.
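The complaint above is a stale-filter problem: a bogon ACL written before 99/8 was delegated to ARIN still denies the whole /8. The following Python audit is an added example, not anything from the original post or from Rogers; the ACL text is constructed, and the five assigned blocks are the ones Shai lists. It parses the deny entries, reports which ones overlap currently assigned space, tests a single customer address against the filter, and emits a corrected ACL with the stale entry dropped.

```python
import ipaddress

# Constructed sample of a stale bogon filter in a router-ACL-like syntax.
# It still denies 99.0.0.0/8, which the post says was a bogon until it was
# handed to ARIN in October 2006, alongside entries that remain unroutable.
STALE_BOGON_ACL = """
! constructed example, not a real router configuration
deny 0.0.0.0/8
deny 10.0.0.0/8
deny 99.0.0.0/8
deny 127.0.0.0/8
deny 192.168.0.0/16
permit 0.0.0.0/0
"""

# The blocks the post says Rogers now holds.
ASSIGNED = [
    "99.224.0.0/12", "99.240.0.0/13", "99.248.0.0/14",
    "99.252.0.0/16", "99.253.128.0/19",
]


def parse_denies(acl_text):
    """Return the denied prefixes from the ACL text, in order; '!' comments are skipped."""
    denied = []
    for line in acl_text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        action, prefix = line.split()
        if action == "deny":
            denied.append(ipaddress.ip_network(prefix, strict=True))
    return denied


def audit(acl_text, assigned_prefixes):
    """Map each deny entry that overlaps currently assigned space to the assigned
    prefixes it would cut off. An empty result means the filter is clean."""
    assigned = [ipaddress.ip_network(p) for p in assigned_prefixes]
    stale = {}
    for entry in parse_denies(acl_text):
        hits = [str(a) for a in assigned if entry.overlaps(a)]
        if hits:
            stale[str(entry)] = hits
    return stale


def would_block(acl_text, address):
    """Which deny entries match one address (e.g. a complaining customer's IP)."""
    addr = ipaddress.ip_address(address)
    return [str(entry) for entry in parse_denies(acl_text) if addr in entry]


def corrected_acl(acl_text, assigned_prefixes):
    """Rewrite the ACL with every stale deny entry removed. Dropping the whole entry
    (rather than carving out only these five blocks) is the right fix here, because
    the post says the entire /8 was delegated to ARIN and is no longer a bogon."""
    stale = audit(acl_text, assigned_prefixes)
    kept = []
    for line in acl_text.splitlines():
        parts = line.strip().split()
        if len(parts) == 2 and parts[0] == "deny" and parts[1] in stale:
            kept.append(f"! removed stale bogon entry {parts[1]} (space is now assigned)")
            continue
        kept.append(line)
    return "\n".join(kept)


if __name__ == "__main__":
    for entry, hits in audit(STALE_BOGON_ACL, ASSIGNED).items():
        print(f"stale: {entry} would block {', '.join(hits)}")
    print(corrected_acl(STALE_BOGON_ACL, ASSIGNED))
```

In practice the assigned list would come from the RIR's current delegation data rather than a hard-coded list, and the audit would be re-run whenever that data changes; the check is the same.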
If we had "clean" registries and signed/verifiable advertisements this would not be an issue. Most of you know that DHS was pushing the Secure Protocols for the Routing Infrastructure initiative (http://www.cyber.st.dhs.gov/spri.html). Due to budget cuts this program is on the shelf for now. However, we are still interested in making it happen.
I think that the discussion about 7.0.0.0/24 several days ago could also have been avoided if we had already implemented some of the SPRI ideas.
Marc
Marcus H. Sachs, P.E.
SRI International
1100 Wilson Blvd Suite 2800, Arlington VA 22209
tel +1 703 247 8717 fax +1 703 247 8569 mob +1 703 932 3984
marcus.sachs@sri.com
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Shai Balasingham
Sent: Friday, April 20, 2007 1:55 PM
To: nanog@merit.edu
Subject: IP Block 99/8
Hi, I am Shai from Rogers Cable Inc., an ISP in Canada. We have IP block 99.x.x.x assigned to our customers, which happened to be a bogon block in the past and was given to ARIN in Oct 2006. As we have recently started using this block, we are getting complaints from our customers who are unable to surf some web sites. After investigation we found that there are still some prefix lists/ACLs blocking this IP block. We own the following blocks:
99.224.0.0/12
99.240.0.0/13
99.248.0.0/14
99.252.0.0/16
99.253.128.0/19
Please update your bogon lists.
Shai.
On 20-apr-2007, at 21:32, Marcus H. Sachs wrote:
If we had "clean" registries and signed/verifiable advertisements this would not be an issue.
I wouldn't count on that. If such a mechanism would become available (which isn't completely unthinkable, see http://www.bgpexpert.com/article.php?id=113 ), then obviously it will be a long time before everything that's in the routing tables has a corresponding certificate. It would be possible to give routes that check out a higher preference than ones that don't, but there's always that pesky longest match first rule that seems to cause so much trouble these days.
On Fri, 20 Apr 2007, Marcus H. Sachs wrote:
If we had "clean" registries and signed/verifiable advertisements this would not be an issue. Most of you know that DHS was pushing the Secure Protocols for the Routing Infrastructure initiative (http://www.cyber.st.dhs.gov/spri.html). Due to budget cuts this program is on the shelf for now. However, we are still interested in making it happen.
The grass is always greener, which is closely related to don't watch sausage being made. Telephone numbers are over 50 years old, but routing of telephone numbers isn't actually verifiable either especially with some international destinations. Almost all multi-organizational identity systems have this problem. If you can't trust the organizations involved, more math isn't going to help.
Marcus H. Sachs wrote:
If we had "clean" registries and signed/verifiable advertisements this would not be an issue. Most of you know that DHS was pushing the Secure Protocols for the Routing Infrastructure initiative (http://www.cyber.st.dhs.gov/spri.html). Due to budget cuts this program is on the shelf for now. However, we are still interested in making it happen.
I think that the discussion about 7.0.0.0/24 several days ago could also have been avoided if we had already implemented some of the SPRI ideas.
Marc
Out of utter curiousness (not arrogance)... Why in the world should the DHS be given control of the routing infrastructure when they can't even secure their own networks?
//QUOTE//
"They will exploit anything and everything," an official with the Naval Network Warfare Command told Federal Computer Week (FCW) on condition of anonymity.
More recently, Major General William Lord told Government Computer News in August 2006 that China has downloaded 10 to 20 terabytes of data from DoD's main network, NIPRNet.
//END QUOTE//
http://www.scmagazine.com/uk/news/article/634401/chinese-hackers-waging-cybe...
I could instantly slap together about 10 links within the past 2 weeks of these same things occurring over and over within the government...
I fail to see how/why DHS being in the middle of this would have helped. I can't count how many times I've attempted to contact someone in the DoD in reference to compromised hosts and it seems one hand didn't know what the other hand was doing, and in almost 80% of my contact attempts, no response was ever given...
So as a network operator who needs something done now, you expect someone to go through the bureaucracy of the US government to get something resolved? I think one could watch 5 coats of paint dry faster.
Not only that, all you need is just that ONE instance where "hackers owned our infrastructure" and we'll be in a much worse place than we are in now. That is, of course, if someone is fibbing in attempts to get more money... "Hackers owned NIPR, we need a new strategic plan to get back at them. Send us $30 million"... No thanks, keep these keys away from ANY government body.
--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'
"Wise men talk because they have something to say; fools, because they have to say something." -- Plato
On Mon, 23 Apr 2007 14:40:31 EDT, "J. Oquendo" said:
More recently, Major General William Lord told Government Computer News in August 2006 that China has downloaded 10 to 20 terabytes of data from DoDs main network, NIPRNet.
Hello, Chinanet? Some guys over in 99/8 want to know how to get that much data past filters....
On Monday 23 April 2007 14:40, J. Oquendo wrote:
Marcus H. Sachs wrote:
If we had "clean" registries and signed/verifiable advertisements this would not be an issue. Most of you know that DHS was pushing the Secure Protocols for the Routing Infrastructure initiative (http://www.cyber.st.dhs.gov/spri.html). Due to budget cuts this program is on the shelf for now. However, we are still interested in making it happen.
I think that the discussion about 7.0.0.0/24 several days ago could also have been avoided if we had already implemented some of the SPRI ideas.
Marc
Out of utter curiousness (not arrogance)... Why in the world should the DHS be given control of the routing infrastructure when they can't even secure their own networks?
That is ridiculous... The DHS should have no jurisdictional power over an international and collective entity (the Internet). Why? Because the USA does not own the Internet; no country does. It's just as I posted in the former: an international and collective entity. All of this "let's monitor traffic for terrorists" is a case where the USA clearly has overstepped their bounds. The USA government wants to remove the "collective" factor of the Internet and place an absolute authority (themselves) in charge of the Internet.
//QUOTE//
“They will exploit anything and everything,” an official with the Naval Network Warfare Command told Federal Computer Week (FCW) on condition of anonymity.
More recently, Major General William Lord told Government Computer News in August 2006 that China has downloaded 10 to 20 terabytes of data from DoD’s main network, NIPRNet. //END QUOTE//
http://www.scmagazine.com/uk/news/article/634401/chinese-hackers-waging-cyberwar-us/
I could instantly slap together about 10 links within the past 2 weeks of these same things occurring over and over within the government...
I fail to see how/why DHS being in the middle of this would have helped. I can't count how many times I've attempted to contact someone in the DoD in reference to compromised hosts and it seems one hand didn't know what the other hand was doing, and in almost 80% of my contact attempts, no response was ever given...
The DHS is a single point of failure; as they fail to ensure their own security, how can they ensure the security of Internet communications?
So as a network operator who needs something done now, you expect someone to go through the bureaucracy of the US government to get something resolved? I think one could watch 5 coats of paint dry faster.
If you want stuff done like yesterday, any government will never satisfy your requirement, it's amazing they don't make you fill out paperwork to file a report then mail it in. :P
Not only that, all you need is just that ONE instance where "hackers owned our infrastructure" and we'll be in a much worse place than we are in now. That is, of course, if someone is fibbing in attempts to get more money... "Hackers owned NIPR, we need a new strategic plan to get back at them. Send us $30 million"... No thanks, keep these keys away from ANY government body.
Once again, having someone parked in the middle results in a single point of failure, and in this case, a rather volatile one.
On Apr 23, 2007, at 4:36 PM, Kradorex Xeron wrote:
On Monday 23 April 2007 14:40, J. Oquendo wrote:
Marcus H. Sachs wrote:
If we had "clean" registries and signed/verifiable advertisements this would not be an issue. Most of you know that DHS was pushing the Secure Protocols for the Routing Infrastructure initiative (http://www.cyber.st.dhs.gov/spri.html). Due to budget cuts this program is on the shelf for now. However, we are still interested in making it happen.
I think that the discussion about 7.0.0.0/24 several days ago could also have been avoided if we had already implemented some of the SPRI ideas.
Marc
Out of utter curiousness (not arrogance)... Why in the world should the DHS be given control of the routing infrastructure when they can't even secure their own networks?
That is ridiculous... The DHS should have no jurisdictional power over an international and collective entity (the Internet). Why? Because the USA does not own the Internet; no country does. It's just as I posted in the former: an international and collective entity.
I do not want any particular gov't (US or otherwise) to be "in charge" of the Internet any more than the next person. And good thing too, because it simply cannot happen, political pipe-dreams notwithstanding.
But what has that got to do with the DHS promoting an idea to sign IP space allocations and/or announcements? The idea in-and-of-itself doesn't sound wholly unreasonable. (I am not advocating this, just saying the idea shouldn't be rejected without consideration simply because the DHS said it.)
Why not take the idea and see if it is useful, then implement it properly if there is any use?
All this vitriol over the US gov't trying to take over the Internet is silly - sillier than the USG thinking it can actually do so. They're politicians, they're ignorant of reality and therefore can be excused for not understanding how stupid they sound. All of you should know better.
--
TTFN,
patrick
On Mon, 23 Apr 2007, Patrick W. Gilmore wrote:
> ...what has that got to do with the DHS promoting an idea to sign IP
> space allocations and/or announcements? The idea in-and-of-itself doesn't
> sound wholly unreasonable. (I am not advocating this, just saying the
> idea shouldn't be rejected without consideration simply because the DHS
> said it.)
Exactly! This whole thread has been people arguing against a straw-man. DHS never asked for any KSKs or anything. They're not even mentioned in the report. HSARPA just put up some of the money to fund the drafting of the report, as ARPA/DARPA/HSARPA have been funding miscellaneous Internet stuff forever.
-Bill
Bill Woodcock wrote:
On Mon, 23 Apr 2007, Patrick W. Gilmore wrote:
> ...what has that got to do with the DHS promoting an idea to sign IP
> space allocations and/or announcements? The idea in-and-of-itself doesn't
> sound wholly unreasonable. (I am not advocating this, just saying the
> idea shouldn't be rejected without consideration simply because the DHS
> said it.)
Exactly! This whole thread has been people arguing against a straw-man. DHS never asked for any KSKs or anything. They're not even mentioned in the report. HSARPA just put up some of the money to fund the drafting of the report, as ARPA/DARPA/HSARPA have been funding miscellaneous Internet stuff forever.
-Bill
Which report did you read...
http://www.schneier.com/blog/archives/2007/04/dept_of_homelan.html
http://www.upi.com/Security_Terrorism/Analysis/2007/04/12/analysis_owning_th...
http://www.tiawood.com/2007/homeland-security-grabs-for-nets-master-keys/
--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'
"Wise men talk because they have something to say; fools, because they have to say something." -- Plato
Which report did you read...
http://www.schneier.com/blog/archives/2007/04/dept_of_homelan.html http://www.upi.com/Security_Terrorism/Analysis/2007/04/12/analysis_owning_th... e_internet/ http://www.tiawood.com/2007/homeland-security-grabs-for-nets-master-keys/
All of which were about reports that DHS was planning to hold keys to sign the DNS space. Nothing to do with addresses (domain names, IP addresses, different things). And I hear the reports are, well... --Sandy
DHS focuses on facilitating how to make things more secure or reliable via research, discussions with subject matter experts, and understanding of various scenarios that could impact our economy, critical services, and national security concerns. From that, plans get developed: what type of expertise do we need to reach out to from an operational perspective, how can we facilitate getting those that provide critical services into areas to restore them, etc. (incident coordination/management).
This idea that folks keep promulgating that DHS wants to control the Internet is ridiculous. Just like every one of you wants to make sure core Internet services are available to meet your service level agreements with customers, a reduction in electronic crimes, and concern about the health of the Internet are concerns for those in government (pick one) and outside of government.
My .02....
Jerry
----- Original Message -----
From: "J. Oquendo" <sil@infiltrated.net>
To: "Bill Woodcock" <woody@pch.net>
Cc: "Patrick W. Gilmore" <patrick@ianai.net>; <nanog@merit.edu>
Sent: Monday, April 23, 2007 5:04 PM
Subject: Re: IP Block 99/8 (DHS insanity - offtopic)
Bill Woodcock wrote:
On Mon, 23 Apr 2007, Patrick W. Gilmore wrote:
> ...what has that got to do with the DHS promoting an idea to sign IP
> space allocations and/or announcements? The idea in-and-of-itself doesn't
> sound wholly unreasonable. (I am not advocating this, just saying the
> idea shouldn't be rejected without consideration simply because the DHS
> said it.)
Exactly! This whole thread has been people arguing against a straw-man. DHS never asked for any KSKs or anything. They're not even mentioned in the report. HSARPA just put up some of the money to fund the drafting of the report, as ARPA/DARPA/HSARPA have been funding miscellaneous Internet stuff forever. -Bill
Which report did you read...
http://www.schneier.com/blog/archives/2007/04/dept_of_homelan.html
http://www.upi.com/Security_Terrorism/Analysis/2007/04/12/analysis_owning_th...
http://www.tiawood.com/2007/homeland-security-grabs-for-nets-master-keys/
--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'
"Wise men talk because they have something to say; fools, because they have to say something." -- Plato
At 04:52 PM 4/23/2007, Patrick W. Gilmore wrote:
I do not want any particular gov't (US or otherwise) to be "in charge" of the Internet any more than the next person. And good thing too, because it simply cannot happen, political pipe-dreams notwithstanding.
But what has that got to do with the DHS promoting an idea to sign IP space allocations and/or announcements? The idea in-and-of-itself doesn't sound wholly unreasonable. (I am not advocating this, just saying the idea shouldn't be rejected without consideration simply because the DHS said it.)
The question is who would do the signing and revocations. Whoever does that would indeed have a great amount of control over the internet. A single government agency should not have that sort of power to make a (for lack of better term), "no surf list" of IP space... ---Mike
On Apr 23, 2007, at 5:04 PM, Mike Tancsa wrote:
At 04:52 PM 4/23/2007, Patrick W. Gilmore wrote:
I do not want any particular gov't (US or otherwise) to be "in charge" of the Internet any more than the next person. And good thing too, because it simply cannot happen, political pipe-dreams notwithstanding.
But what has that got to do with the DHS promoting an idea to sign IP space allocations and/or announcements? The idea in-and-of-itself doesn't sound wholly unreasonable. (I am not advocating this, just saying the idea shouldn't be rejected without consideration simply because the DHS said it.)
The question is who would do the signing and revocations. Whoever does that would indeed have a great amount of control over the internet. A single government agency should not have that sort of power to make a (for lack of better term), "no surf list" of IP space...
Which is fine. Besides, no gov't _can_ have the single authority. You can always ignore what other people sign or do not sign.
That said, I completely agree the DHS shouldn't have even the modicum of power holding the keys would give it.
--
TTFN,
patrick
The question is who would do the signing and revocations. Whoever does that would indeed have a great amount of control over the internet. A single government agency should not have that sort of power to make a (for lack of better term), "no surf list" of IP space...
You might try taking a look at the various presentations at NANOG/RIPE/ARIN/APNIC/APRICOT about the whole idea. Central point: the entity that gives you a suballocation of its own address space signs something that says you now hold it.
No governments involved.
Here are a few URLs to start you off:
NANOG 36 Feb 2006: What I Want for Eid ul-Fitr, An Operational ISP & RIR PKI
http://www.nanog.org/mtg-0602/pdf/bush.pdf
NANOG 38 Oct 2006: Serious Progress on X.509 Certification of RIR Resource Allocations
http://www.nanog.org/mtg-0610/presenter-pdfs/bush.pdf
ARIN XVII April 2006: X.509 Resource and Routing Certificate Panel
http://www.arin.net/meetings/minutes/ARIN_XVII/PDF/monday/x509-huston.pdf
http://www.arin.net/meetings/minutes/ARIN_XVII/PDF/monday/x509-kent.pdf
RIPE 52 Apr 2006: A PKI for IP Address Space and AS Numbers
http://www.ripe.net/ripe/meetings/ripe-52/presentations/ripe52-plenary-pki.p...
RIPE 53 Oct 2006: Using Resource Certificates - A Progress Report on the Trial of Resource Certification
http://www.ripe.net/ripe/meetings/ripe-53/presentations/using_res_certs.pdf
RIPE 51 Oct 2005: APNIC Trial of Certification of IP Addresses and ASes
http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-address-c...
APNIC Mar 2006: APNIC resource certification update
http://www.apnic.net/meetings/21/docs/sigs/routing/sig-routing-pres-ggm-reso...
APRICOT Mar 2006: A PKI to Support Improved Internet Routing Security
http://www.apricot2006.net/slides/conf/wednesday/Address%20Space%20PKI%20(AP...
Work ongoing in the IETF SIDR working group:
http://www.ietf.org/html.charters/sidr-charter.html
--Sandy Murphy
On Mon, Apr 23, 2007 at 05:23:03PM -0400, Sandy Murphy wrote:
You might try taking a look at the various presentations at NANOG/RIPE/ARIN/ APNIC/APRICOT about the whole idea. Central point: the entity that gives you a suballocation of its own address space signs something that says you now hold it.
No governments involved.
--Sandy Murphy
no problemo... when i hand out a block of space, i'll expect my clients to hand me a DS record ... then I sign the DS. and I'll hand a DS to my parent, which they sign. That works a treat.... today (if you run current code) and gives you exactly what you describe above.
Oh, you want the prefix attestation to be used for something other than attestation as to who holds a given prefix? you want to attest to the "routability" of said prefix? thats a bit more than a simple attestation of responsibility, IMHO of course.
--bill
Thus spake <bmanning@karoshi.com>
On Mon, Apr 23, 2007 at 05:23:03PM -0400, Sandy Murphy wrote:
You might try taking a look at the various presentations at NANOG/RIPE/ARIN/APNIC/APRICOT about the whole idea. Central point: the entity that gives you a suballocation of its own address space signs something that says you now hold it.
No governments involved.
no problemo... when i hand out a block of space, i'll expect my clients to hand me a DS record ... then I sign the DS. and I'll hand a DS to my parent, which they sign. That works a treat.... today (if you run current code) and gives you exactly what you describe above.
That roughly matches what I expect, but the process seems backwards. If IANA hands, say, 99/8 to ARIN, I'd expect that to come with a certificate saying so. Then, if ARIN hands 99.1/16 to an ISP, they'd hand a certificate saying so to the ISP, which could be linked somehow to ARIN's authority to issue certificates under 99/8. And so on down the line. Then, when the final holder advertises their 99.1.1/24 route via BGP, receivers would check that it was signed by a certificate that had a verifiable path all the way back to IANA.
Of course, one must be prepared to accept unsigned routes since they'll be the majority for a long time, which means you still run afoul of the longest-match rule. If someone has a signed route for 99.1/16, and someone else has unsigned routes for one or more (or all) of 99.1.0/24 through 99.1.255/24, what do you do? Do you block an unsigned route from entering the FIB if there's a signed aggregate present? Doesn't that break common forms of TE and multihoming? If you don't, doesn't that defeat signing in general since hijackers would merely need to use longer routes than the real holders of the space?
To paraphrase Barbie, "security is hard; let's go shopping!"
S
Stephen Sprunk         "Those people who think they know everything
CCIE #3723              are a great annoyance to those of us who do."
K5SSS                   --Isaac Asimov
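The chain Stephen sketches (IANA certifies ARIN for 99/8, ARIN certifies an ISP for 99.1/16, receivers walk the chain back to the trust anchor) and the longest-match dilemma he raises can be made concrete in a small model. The Python below is an added example, not code from the thread or from any RIR or IETF work; real resource certificates are X.509 with public-key signatures, and the per-issuer HMAC here is a constructed stand-in so the chain-walking logic runs with only the standard library. The issuer names, the "ISP-A", "AS-X" and "CUST-B" origins and all prefixes other than 99/8, 99.1/16 and 99.1.1/24 are constructed. It validates a delegation chain, classifies a BGP announcement against it, and then runs a longest-match lookup under the two policies the post weighs: admit everything, or refuse unsigned routes that sit under a certified aggregate. The lookups show both halves of the trade-off: the second policy stops an uncertified more-specific from winning over the certified /16, and it equally drops a not-yet-certified customer's legitimate more-specific, because the router cannot tell the two apart.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for issuer signing keys (real resource certificates are
# X.509 with public-key signatures; the HMAC only makes the example runnable).
ISSUER_KEYS = {"IANA": b"iana-key", "ARIN": b"arin-key", "ISP-A": b"isp-a-key"}


@dataclass(frozen=True)
class Cert:
    issuer: str    # who signed it; must itself be certified for a covering prefix
    subject: str   # who now holds the prefix
    prefix: str
    sig: bytes


def _payload(issuer, subject, prefix):
    return f"{issuer}|{subject}|{prefix}".encode()


def issue(issuer, subject, prefix):
    """Issuer attests that subject holds prefix."""
    sig = hmac.new(ISSUER_KEYS[issuer], _payload(issuer, subject, prefix), hashlib.sha256).digest()
    return Cert(issuer, subject, prefix, sig)


def verify_sig(cert):
    key = ISSUER_KEYS.get(cert.issuer)
    if key is None:
        return False
    expected = hmac.new(key, _payload(cert.issuer, cert.subject, cert.prefix), hashlib.sha256).digest()
    return hmac.compare_digest(cert.sig, expected)


def chain_valid(chain, trust_anchor="IANA"):
    """A chain (trust anchor downward) is valid if every link verifies, each link
    is issued by the previous link's subject, and each prefix lies inside the
    prefix its issuer was certified to hold."""
    if not chain:
        return False
    expected_issuer, parent_net = trust_anchor, None
    for cert in chain:
        if cert.issuer != expected_issuer or not verify_sig(cert):
            return False
        net = ipaddress.ip_network(cert.prefix, strict=True)
        if parent_net is not None and not net.subnet_of(parent_net):
            return False
        expected_issuer, parent_net = cert.subject, net
    return True


def classify(prefix, origin, chains):
    """'valid': a verified chain certifies origin for space covering the route
    (a holder announcing its own more-specific counts). 'covered-unsigned':
    certified space covers the route but origin is not the certified holder.
    'unsigned': no certificate covers the route at all."""
    net = ipaddress.ip_network(prefix)
    covering = [ch[-1] for ch in chains
                if chain_valid(ch) and net.subnet_of(ipaddress.ip_network(ch[-1].prefix))]
    if not covering:
        return "unsigned"
    return "valid" if any(c.subject == origin for c in covering) else "covered-unsigned"


def lookup(dst, routes, chains, drop_covered_unsigned):
    """Longest-match lookup over the routes admitted to the FIB. With
    drop_covered_unsigned=False every route is admitted and the longest prefix
    wins regardless of certification; with True, unsigned routes under a
    certified aggregate are kept out of the FIB."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, origin in routes:
        if drop_covered_unsigned and classify(prefix, origin, chains) == "covered-unsigned":
            continue
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, origin)
    return (str(best[0]), best[1]) if best else None


# Constructed data using the post's prefixes: IANA -> ARIN (99/8) -> ISP-A (99.1/16).
CHAIN_ISP_A = [issue("IANA", "ARIN", "99.0.0.0/8"), issue("ARIN", "ISP-A", "99.1.0.0/16")]
ROUTES = [
    ("99.1.0.0/16", "ISP-A"),   # certified aggregate
    ("99.1.1.0/24", "AS-X"),    # more-specific from a party holding no certificate
    ("99.1.2.0/24", "ISP-A"),   # the holder's own more-specific (traffic engineering)
    ("99.1.3.0/24", "CUST-B"),  # multihomed customer of ISP-A, not yet certified
]

if __name__ == "__main__":
    for policy in (False, True):
        print(f"drop covered-unsigned={policy}:",
              lookup("99.1.1.5", ROUTES, [CHAIN_ISP_A], policy),
              lookup("99.1.3.5", ROUTES, [CHAIN_ISP_A], policy))
```

The lookup for 99.1.1.5 goes to AS-X's /24 under the permissive policy and to ISP-A's /16 under the strict one; the lookup for 99.1.3.5 goes to CUST-B's /24 under the permissive policy and also falls back to the /16 under the strict one, which is the multihoming breakage the post describes. Issuing CUST-B its own certificate under ISP-A would move its route to "valid" and restore the more-specific without readmitting AS-X's.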
On Mon, 23 Apr 2007, Stephen Sprunk wrote:
Thus spake <bmanning@karoshi.com>
On Mon, Apr 23, 2007 at 05:23:03PM -0400, Sandy Murphy wrote:
You might try taking a look at the various presentations at NANOG/RIPE/ARIN/APNIC/APRICOT about the whole idea. Central point: the entity that gives you a suballocation of its own address space signs something that says you now hold it.
No governments involved.
no problemo... when i hand out a block of space, i'll expect my clients to hand me a DS record ... then I sign the DS. and I'll hand a DS to my parent, which they sign. That works a treat.... today (if you run current code) and gives you exactly what you describe above.
That roughly matches what I expect, but the process seems backwards. If IANA hands, say, 99/8 to ARIN, I'd expect that to come with a certificate saying so. Then, if ARIN hands 99.1/16 to an ISP, they'd hand a certificate saying so to the ISP, which could be linked somehow to ARIN's authority to issue certificates under 99/8. And so on down the line. Then, when the final holder advertises their 99.1.1/24 route via BGP, receivers would check that it was signed by a certificate that had a verifiable path all the way back to IANA.
Of course, one must be prepared to accept unsigned routes since they'll be the majority for a long time, which means you still run afoul of the longest-match rule. If someone has a signed route for 99.1/16, and someone
keep in mind that the first step didn't include any real 'routing protocol' hooks as I recall, but some automation help and OSS/ops help to look over a long list of prefixes in a better manner. With some assurance that the allocations/assignments were all proper... (and that hopefully the customer was really the person authorized to use the ip space)
else has unsigned routes for one or more (or all) of 99.1.0/24 through 99.1.255/24, what do you do? Do you block an unsigned route from entering the FIB if there's a signed aggregate present? Doesn't that break common
that sounds like sBGP/SoBGP ... of those the (last I saw) soBGP route of using the certification information as a policy knob seemed the most reasonable.
(email string deleted...)
I'm deeply saddened that the very folks who work so hard to run the Internet are publicly speculating that DHS wants to take over the 'net. If that's the message that DHS is sending, then we need to go back to the drawing boards and re-write the message.
Can somebody point to DHS quotes that lend support to this idea? Or are the ideas coming from a bunch of pseudo-news hacked together by non-technical reporters that have absolutely no idea what they are talking about?
Unless I'm totally out to lunch, the DHS is not trying to take over the Internet (nor DoD, nor Commerce, nor DoJ, not even George W. Bush himself.) The DHS Science and Technology Directorate is funding several programs aimed at increasing the security of Internet mechanisms, primarily the DNS and the routing infrastructure. Funding RDTE&T is not the same as running a global infrastructure.
Folks, please do some research on this and stop bashing a group that is working hard to make your jobs easier to perform (unless you think that bashing is needed, and if so, please cite the sources of your concerns.) We need a lot of leadership, both public and private, and I think that DHS is offering us something that we should be reinforcing, not tearing down.
Thanks.
Marc
Marcus H. Sachs, P.E.
SRI International
1100 Wilson Blvd Suite 2800, Arlington VA 22209
tel +1 703 247 8717 fax +1 703 247 8569 mob +1 703 932 3984
marcus.sachs@sri.com
(email string deleted...)
I'm deeply saddened that the very folks who work so hard to run the Internet are publicly speculating that DHS wants to take over the 'net.
Please provide some evidence of your assertion. I have seen no evidence that the very folks who work so hard to run the Internet are making any speculations at all about the DHS.
Can somebody point to DHS quotes that lend support to this idea? Or are the ideas coming from a bunch of pseudo-news hacked together by non-technical reporters that have absolutely no idea what they are talking about?
Maybe you need to take your own advice here... The fact is that *ANY* public agency attracts criticism. This is a good thing. It is a good thing that people are criticising the DHS for what it is doing and for what they imagine that it might be doing. This kind of criticism, whether warranted or not, is what keeps public agencies on their toes. Public agencies are complex beasts and one person cannot fully understand all the activities and motives of the DHS. In fact, the DHS itself changes as its personnel change, so what may be true of today's DHS will not be true of tomorrow's. Also note, that people can cooperate with and support certain DHS work, while at the same time being vocal critics of the DHS. It's not a zero-sum game. --Michael Dillon
Please provide some evidence of your assertion. I have seen no evidence that the very folks who work so hard to run the Internet are making any speculations at all about the DHS.
Scroll backwards through the emails to the first one in this modified thread (RE: IP Block 99/8 (DHS insanity - offtopic)) and read the first few comments that came in. Marc
Please provide some evidence of your assertion. I have seen no evidence that the very folks who work so hard to run the Internet are making any speculations at all about the DHS.
Scroll backwards through the emails to the first one in this modified thread (RE: IP Block 99/8 (DHS insanity - offtopic)) and read the first few comments that came in.
Did that. The first three are from J. Oquendo, Valdis Kletnieks and Kradorex Xeron. Of these three, Valdis has some sort of netops responsibility at Virginia Tech, and the other two are aliases for unknown individuals. J. Oquendo seems to be "joking" in Spanish and the other seems to be a garbled version of "dark stranger". Are you seriously asserting that these are "THE FOLKS" who work so hard to run the Internet? I know of thousands of people who would strongly disagree with you on that account. --Michael Dillon P.S. NANOG is just a mailing list and the people who are on it are just people having a chat.
NANOG is just a mailing list and the people who are on it are just people having a chat.
Whew. That's refreshing good news. And here I thought that this was a place to discuss operational issues. OK, back to the real world and thanks for the chat. Marc
On Tue, 24 Apr 2007 12:34:25 BST, michael.dillon@bt.com said:
Did that. The first three are from J. Oquendo, Valdis Kletnieks and
Hey - I stayed out of the signed-BGP and signed-DNS lunacy. The only thing *I* commented on was the reported leakage of 10 to 20 terabytes of data. And I think we can all agree that filters and firewalls that leak terabytes of data qualify as "operational" (the topic, not the filters). (I'm going to ignore the alternate interpretation, that Chinese downloaded that much *open* data from NIPRNet, along with multiple (unreported) terabytes of open data from Akamai, CNN, Apple's iTunes, and hundreds of other similar data sources. After all, conflating secure and open data like that in order to "create" an issue would be just.... wrong.. :)
Marcus H. Sachs wrote:
Please provide some evidence of your assertion. I have seen no evidence that the very folks who work so hard to run the Internet are making any speculations at all about the DHS.
Scroll backwards through the emails to the first one in this modified thread (RE: IP Block 99/8 (DHS insanity - offtopic)) and read the first few comments that came in.
Marc
Getting back to the original articles here is where my notions and the notions of many others comes from: // END QUOTE // The US Department of Homeland Security (DHS), which was created after the attacks on September 11, 2001 as a kind of overriding department, wants to have the key to sign the DNS root zone solidly in the hands of the US government. This ultimate master key would then allow authorities to track DNS Security Extensions (DNSSec) all the way back to the servers that represent the name system's root zone on the Internet. ... At the ICANN meeting, Turcotte said that the managers of country registries were concerned about this proposal. When contacted by heise online, Turcotte said that the national registries had informed their governmental representatives about the DHS's plans. http://www.heise.de/english/newsticker/news/87655 // END QUOTE // This is not something I "chopped" together for spite, this is what I've read and am reading. So when experts from ICANN, the security world (Schneier) and others take a quick step back and questioned this, I read more into it. ... // QUOTE // The issue of who holds signing keys has until recently been pretty much an academic one. ... But that might be changing, with the U.S. government leading the way, as DNSSEC becomes a requirement under the Federal Information Security Management Act. http://www.gcn.com/online/vol1_no1/43443-1.html // END QUOTE // So now I ask, on the DHS' Cyber Security Research paper, how should I infer the following comment: // COPIED // "Actively pursue strategies for facilitating technology tranfer and diffusion of Federally-funder R&D into coommercial product and services, and private sector use http://www.infragard.net/library/congress_05/cyber_security/cyber_security_r... Mission and Strategic Objectives (concluded) // END COPY // Let me play devil's advocate a bit further... 
What if Canada, Italy or some other country was asking that I abide by something I don't agree with, especially when they're trying to get ahold of something they have no control over... Should I roll over and play dead? That in itself would direct some form of control to any said country. I don't know about you, but it's fundamentally fraud. Now, logically, in accordance with the way this country has become, even less so would I give the authority to any government to direct the flow of information, lest I be in a drunken stupor for 28 days (daze).

michael.dillon@bt.com wrote:
Did that. The first three are from J. Oquendo, Valdis Kletnieks and Kradorex Xeron. Of these three, ... J. Oquendo seems to be "joking" in Spanish
You mean after all this time I never controlled my Internet :( On a serious note now...
NANOG is just a mailing list and the people who are on it are just people having a chat.
I've always enjoyed seeing other perspectives on NANOG, but I now await the gracious Mr. Bellovin's response (if he would be kind enough to provide one)... "Using Bloom Filters for Authenticated Yes/No Answers in the DNS"

// More off topic //
Who is responsible for the sorry state of Internet security?
http://isc.sans.org/poll.html?pollid=75&results=Y
21.2 % => Users
18.2 % => Vendors
12.9 % => I am responsible!
10.4 % => Programmers
8.8 % => Software Architects
5.4 % => Nobody
3.4 % => Schools/Universities (for not teaching better programming and such)
3 % => Government
16.6 % => Other (please comment)
Total Answers: 2265

--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'
"Wise men talk because they have something to say; fools, because they have to say something." -- Plato

Using Bloom Filters for Authenticated Yes/No Answers in the DNS
J. Oquendo wrote:
That is the article that started a very unfortunate chain of events. The reporter got all of the facts wrong, then people who I thought had some clue jumped into the mess and only made it worse.
DHS does not want the "keys to the Internet" any more than they want the keys to your car. The DNSSEC initiative gets funding from DHS' Science and Technology directorate as directed by the National Strategy to Secure Cyberspace, published by the White House in 2003 (disclaimer - I was part of the team at the WH that wrote that document, so feel free to toss barbs at me about it, keeping in mind that it was published over four years ago and A LOT has changed since then...).

The DNSSEC initiative is supported by many countries, not just the United States. The root key (actually, the root zone's Key Signing Key or KSK) will be held by the Root Key Operator (RKO), which is some yet-to-be designated organization or group. Details about all of this are at http://www.dnssec-deployment.org if you want to get into the weeds of the initiative.

It would be nice if reporters had bothered to contact DHS to request an interview before making statements like, "The Homeland Security Department has stirred up online controversy with its suggestion that the government should hold a master key for digitally signing the root zone of the Domain Name System under the DNS Security scheme." For a more accurate perspective, see this: http://www.upi.com/Security_Terrorism/Analysis/2007/04/12/analysis_owning_the_keys_to_the_internet.

Marc
Alrighty... Since you pointed out this article I already read.

// QUOTE // "This is the U.S. government stepping forward and showing leadership," Douglas Maughan, an official with the Department of Homeland Security's Science and Technology Directorate, told United Press International. // END //

Strong leadership? What are they implying they will lead? They can't even lead their own security issues, and I've yet to see anything on GCN or FCW implying that mil or gov servers had their DNS servers hijacked. So what is proposed that they will lead?

// MORE // The DNS Security Extensions Protocol, or DNSSec, is designed to end such abuse by allowing the instantaneous authentication of DNS information -- effectively creating a series of digital keys for the system. One lingering question -- largely academic until now -- has been who should hold the key for the so-called DNS Root Zone, the part of the system that sits above the so-called Top Level Domains, like .com and .org. ... The draft lays out a series of options for who could be the holder, or "operator," of the Root Zone Key, essentially boiling down to a governmental agency or a contractor. // END //

You mean like Verisign? Why should the US handpick a company or one of their contractors to manage this? You're implying that a PRIVATE CORPORATION would never follow the will of the one feeding it... I could, as could anyone else, point out the systemic abuse that would follow. One would have to be ignorant to ignore the potential for abuse, not solely from a government whispering sweet nothings in the ear for the sake of perhaps censorship, but what about the private abuse... No form of oversight other than the US and our Department of Terrorism and Paranoia Security is mentioned.

// QUOTED // "Nowhere in the document do we make any proposal about the identity of the Root Key Operator," said Maughan, the cyber-security research and development manager for Homeland Security. // END QUOTE //

Uh... In the same article it states "The draft lays out a series of options for who could be the holder, or "operator," of the Root Zone Key, essentially boiling down to a governmental agency or a contractor." Yet here is Maughan stating "Oh no... DHS and the US government won't pick who holds keys..."

// QUOTE // "The Root Key Operator is going to be in a highly trusted position. It's going to be a highly trusted entity. The idea that anyone in that position would abuse it to spoof addresses is just silly." // END //

The idea that it has a huge potential for abuse is not silly. I can see where some would be either too good-hearted to take heed of common logic, but the potential for abuse is right smack dab in anyone's face. You pointed out the article, Mr. Sachs, so please explain to me how you can now come back and state "But the DHS has no intention of controlling the key... Sure they intend on handpicking who does, but that doesn't mean said company will not follow what it is mandated to do by the US government, nor will said company abuse it on their own." I can point out hundreds of contractors with the government who so blatantly con the government and circumvent laws. But that would be geared towards a political mailing list, not this one. So if we're to stick to the facts, getting the gist out of the article you chose... You just re-confirmed the US government's underlying desire to somehow control the root keys...

--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'
"Wise men talk because they have something to say; fools, because they have to say something." -- Plato
Mr. Oquendo (I presume "Mr." but if it's "Ms." please accept my apologies...), it appears that there is little common ground between you and me. So, rather than stringing this out for the next several days and boring everybody else to tears, I will say thanks for the "chat" and I look forward to continuing this in person over a beer or other libation at some future gathering.

Marc

-----Original Message-----
From: J. Oquendo [mailto:sil@infiltrated.net]
Sent: Tuesday, April 24, 2007 9:58 AM
To: Marcus H. Sachs
Cc: nanog@merit.edu
Subject: Re: IP Block 99/8 (DHS insanity - offtopic)

Alrighty... Since you pointed out this article I already read.

// QUOTE // "This is the U.S. government stepping forward and showing leadership," Douglas Maughan, an official with the Department of Homeland Security's Science and Technology Directorate, told United Press International. // END //

Strong leadership? What are they implying they will lead. They can't even lead their own security issues and I've yet to see anything on GCN, FCW implying that mil or gov servers had their DNS servers hijacked. So what is proposed that they will lead?

// MORE // The DNS Security Extensions Protocol, or DNSSec, is designed to end such abuse by allowing the instantaneous authentication of DNS information -- effectively creating a series of digital keys for the system. One lingering question -- largely academic until now -- has been who should hold the key for the so-called DNS Root Zone, the part of the system that sits above the so-called Top Level Domains, like .com and .org. ... The draft lays out a series of options for who could be the holder, or "operator," of the Root Zone Key, essentially boiling down to a governmental agency or a contractor. // END //

You mean like Verisign? Why should the US handpick a company or one of their contractors to manage this. You're implying that a PRIVATE CORPORATION would never follow the will of the one feeding it... I could as could anyone else point out the systemic abuse that would follow. One would have to be ignorant to ignore the potential for abuse not solely from a government whispering sweet nothings in the ear for sake of perhaps censorship, but what about the private abuse... No form of oversight other than the US and our Department of Terrorism and Paranoia Security are mentioned.

// QUOTED // "Nowhere in the document do we make any proposal about the identity of the Root Key Operator," said Maughan, the cyber-security research and development manager for Homeland Security. // END QUOTE//

Uh... In the same article it states "The draft lays out a series of options for who could be the holder, or "operator," of the Root Zone Key, essentially boiling down to a governmental agency or a contractor." Yet here is Maughan stating "Oh no... DHS and the US government won't pick who holds keys..."

// QUOTE // "The Root Key Operator is going to be in a highly trusted position. It's going to be a highly trusted entity. The idea that anyone in that position would abuse it to spoof addresses is just silly." // END //

The idea that it has a huge potential for abuse is not silly. I can see where some would be either too good hearted to take heed to common logic, but the potential for abuse is right smack dab in anyone's face. You pointed out the article Mr. Sachs, so please explain to me how you can now come back and state "But the DHS has no intention on controlling the key... Sure they intend on handpicking who does, but that doesn't mean said company will not follow what it is mandated to do by US government, nor will said company abuse it on their own." I can point out hundreds of contractors with the government who so blatantly con the government and circumvent laws. But that would be geared towards a political mailing list, not this one. So if we're to stick to the facts, getting the gist out of the article you chose... You just re-confirmed the US government's underlying desire to somehow control the root keys...

--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'
"Wise men talk because they have something to say; fools, because they have to say something." -- Plato
Don't forget to post to the list where you will do this so I can come and watch ;-) Marcus H. Sachs wrote:
Mr. Oquendo (I presume "Mr." but if it's "Ms." please accept my apologies...), it appears that there is little common ground between you and me. So, rather than stringing this out for the next several days and boring everybody else to tears, I will say thanks for the "chat" and I look forward to continuing this in person over a beer or other libation at some future gathering.
Marc
-----Original Message----- From: J. Oquendo [mailto:sil@infiltrated.net] Sent: Tuesday, April 24, 2007 9:58 AM To: Marcus H. Sachs Cc: nanog@merit.edu Subject: Re: IP Block 99/8 (DHS insanity - offtopic)
Alrighty... Since you pointed out this article I already read.
// QUOTE // "This is the U.S. government stepping forward and showing leadership," Douglas Maughan, an official with the Department of Homeland Security's Science and Technology Directorate, told United Press International. // END //
Strong leadership? What are they implying they will lead. They can't even lead their own security issues and I've yet to see anything on GCN, FCW implying that mil or gov servers had their DNS servers hijacked. So what is proposed that they will lead?
// MORE // The DNS Security Extensions Protocol, or DNSSec, is designed to end such abuse by allowing the instantaneous authentication of DNS information -- effectively creating a series of digital keys for the system.
One lingering question -- largely academic until now -- has been who should hold the key for the so-called DNS Root Zone, the part of the system that sits above the so-called Top Level Domains, like .com and .org.
...
The draft lays out a series of options for who could be the holder, or "operator," of the Root Zone Key, essentially boiling down to a governmental agency or a contractor. // END //
You mean like Verisign? Why should the US handpick a company or one of their contractors to manage this. You're implying that a PRIVATE CORPORATION would never follow the will of the one feeding it... I could as could anyone else point out the systemic abuse that would follow. One would have to be ignorant to ignore the potential for abuse not solely from a government whispering sweet nothings in the ear for sake of perhaps censorship, but what about the private abuse... No form of oversight other than the US and our Department of Terrorism and Paranoia Security are mentioned.
// QUOTED // "Nowhere in the document do we make any proposal about the identity of the Root Key Operator," said Maughan, the cyber-security research and development manager for Homeland Security. // END QUOTE//
Uh... In the same article it states "The draft lays out a series of options for who could be the holder, or "operator," of the Root Zone Key, essentially boiling down to a governmental agency or a contractor." Yet here is Maughan stating "Oh no... DHS and the US government won't pick who holds keys..."
// QUOTE // "The Root Key Operator is going to be in a highly trusted position. It's going to be a highly trusted entity. The idea that anyone in that position would abuse it to spoof addresses is just silly." // END //
The idea that it has a huge potential for abuse is not silly. I can see where some would be either too good hearted to take heed to common logic, but the potential for abuse is right smack dab in anyone's face. You pointed out the article Mr. Sachs, so please explain to me how you can now come back and state "But the DHS has no intention on controlling the key... Sure they intend on handpicking who does, but that doesn't mean said company will not follow what it is mandated to do by US government, nor will said company abuse it on their own."
I can point out hundreds of contractors with the government who so blatantly con the government and circumvent laws. But that would be geared towards a political mailing list, not this one. So if we're to stick to the facts, getting the gist out of the article you chose... You just re-confirmed the US government's underlying desire to somehow control the root keys...
-- ==================================================== J. Oquendo http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743 echo infiltrated.net|sed 's/^/sil@/g'
"Wise men talk because they have something to say; fools, because they have to say something." -- Plato
You might try taking a look at the various presentations at NANOG/RIPE/ARIN/ APNIC/APRICOT about the whole idea. Central point: the entity that gives you a suballocation of its own address space signs something that says you now hold it.
If the whois directories actually operated under some set of guidelines defining their purpose and scope which was enforced by the directory publishers, then there would be no need for this certificate nonsense. Why force the routers to do crypto and check certificates when it is easier, less fragile, and more reliable to have some kind of operational support system checking the RIR whois directory? If the RIRs actually took whois directories seriously and RIGOROUSLY cleaned the information in those directories, then there would be no need for putting crypto in the BGP protocol or on the routers. This whole BGP-security-based-on-certificates idea is using a sledgehammer to fix an administrative problem with the whois directories. Note that RIPE is already moving to a more rigorous whois directory because of European Data Protection laws. It is no longer acceptable to just do whois like it was done 20 years ago just because that is the net tradition. Now we must have policies which define the purpose of whois directories and rigorously check the data to ensure that it meets those policies. This is an area where every ISP can get involved with a small amount of effort, much smaller than dealing with crypto on the routers and certificate systems.
No governments involved.
Fixing whois is even better. No security experts involved. There are just far too few real security experts to go around. This push for signing routes and signing DNS is just madness because it means that net operations people will not be able to determine whether a data source is trustable or not without becoming a security expert themselves. This is a wholly inappropriate application of certificates and crypto. --Michael Dillon
On 24-Apr-2007, at 10:15, <michael.dillon@bt.com> wrote:
You might try taking a look at the various presentations at NANOG/RIPE/ARIN/ APNIC/APRICOT about the whole idea. Central point: the entity that gives you a suballocation of its own address space signs something that says you now hold it.
If the whois directories actually operated under some set of guidelines defining their purpose and scope which was enforced by the directory publishers, then there would be no need for this certificate nonsense.
How can anybody be sure that the random peering tech they are talking to really works for the organisation listed in the whois record? By visual inspection of the e-mail address? A faxed LOA on company letterhead? Given a polished toolset, I'd take a signed ROA over any of those. Joe
How can anybody be sure that the random peering tech they are talking to really works for the organisation listed in the whois record? By visual inspection of the e-mail address?
Do people really talk to random peering techs? I thought that peering contacts were all set up via face-to-face meetings. In any case, if it is email authentication that you are after, putting certificates in your router will not help you. Also, normal business practices can be very useful to establish the identity of people. For instance, call the company where said peering tech works, and ask for their extension. If you can't reach them by phone, then tell them that you need to discuss the matter with their boss. Everybody has a boss and should be willing to identify the boss by name. Then phone the company and ask for the boss by name. If there is still no luck, then you know that your leg is being pulled.
A faxed LOA on company letterhead?
A lot of people do require LOAs on company letterhead to begin peering but I'm not sure faxed documents are good enough. In addition, a lot of companies define the contact points in the peering agreements so you know who is who at the other side and how to reach them (direct dial phone numbers). There is also INOC-DBA where somebody else has done some level of authentication of people at your peers. In other words, there are lots of reasonable ways to solve this problem without having to put the complexity and load of crypto on your routers. The advantage of applying reasonable processes to the problem is that any reasonably intelligent person in your business can verify that the process works. Once you go to crypto, it all becomes a mysterious black box that nobody in your company can verify. You just have to trust it all because somebody, somewhere, says that it should be trusted. There just isn't enough security expertise to go around for every company to examine the whole thing to be sure that it really is as secure as it claims to be. There is a long history of crypto technology being applied to problems and then being discovered to be faulty in some way. Trust was misplaced. People trusted untrustworthy systems just because it had the magic air of crypto about it. Quite frankly, the Internet is too important to trust critical infrastructure to magic crypto systems. There are other, better ways to solve these problems, that do not introduce single points of failure into the system. --Michael Dillon P.S. when I said "system" above, I was using the term in the sense that C.W. Churchman did when he wrote his book, "The Systems Approach".
On 24-Apr-2007, at 11:51, <michael.dillon@bt.com> wrote:
How can anybody be sure that the random peering tech they are talking to really works for the organisation listed in the whois record? By visual inspection of the e-mail address?
Do people really talk to random peering techs? I thought that peering contacts were all set up via face-to-face meetings.
Your view of the world is far from universal.
In any case, if it is email authentication that you are after, putting certificates in your router will not help you.
I never suggested putting certificates in a router.
Also, normal business practices can be very useful to establish the identity of people.
For sure, but I don't need to care about the identity of people if I am given a signed ROA which checks out back to a trust anchor I am prepared to trust. No crypto on routers involved. Joe
I think a backup and level-set is in order... The original comment that started this discussion was talking about ONLY signing allocations down from IANA->RIR->LIR->EndSite, only in the whois system and NOT for use in routing devices. The papers/preso's that Sandy pointed to all talk only about using cert-material to help figure out who really is the owner of the space and use that knowledge to update prefix-list/policy in the field. Randy's preso at: http://www.nanog.org/mtg-0602/pdf/bush.pdf has a very clear walk through of this (and nice font too... but that's beside the point). So, all FUD about 'certs on routes in bgp' aside (which is the mission of sBGP/soBGP and NOT the mission of the discussion so far) is there a real issue with giving operators a way to see, in a programmatic and simple fashion, if there's little overhead/cost on the system (whois system) as a whole? ...a little more below... On Tue, 24 Apr 2007 michael.dillon@bt.com wrote:
How can anybody be sure that the random peering tech they are talking to really works for the organisation listed in the whois record? By visual inspection of the e-mail address?
Do people really talk to random peering techs? I thought that peering contacts were all set up via face-to-face meetings. In any case, if it is email authentication that you are after, putting certificates in your router will not help you.
The scenario I worry about isn't the 'peering tech' (mostly because I don't know any aside from Sri...) it's the 'random customer' who calls in or emails in and 'needs this prefix change quickly, something got screwy and we need you to accept this post-haste!' (insert 'millions of dollars/sec lost!' conversation and escalation to senior-exec-management... yes, this is a real-life example) Those cases are painful and we have no method of knowing easily who the 'customer' is and who the 'ip owner' (user/end-site) is and if there is proper LOA in place :( Making a simple shell script to do 5 whois lookups and 3 openssl cert checks seems like a 'big win', eh?
Also, normal business practices can be very useful to establish the identity of people. For instance, call the company where said peering tech works, and ask for their extension. If you can't reach them by phone, then tell them that you need to discuss the matter with their boss. Everybody has a boss and should be willing to identify the boss by name. Then phone the company and ask for the boss by name. If there is still no luck, then you know that your leg is being pulled.
call my office I'll get our president on the phone with you.. pardon his voice though, he's got a little bit of a cold :( Is this really something you'd trust in the real world? If so, could you route: 209.173.48.0/20 for me?
A faxed LOA on company letterhead?
A lot of people do require LOAs on company letterhead to begin peering but I'm not sure faxed documents are good enough. In addition, a lot of
they are not good enough :( you wouldn't imagine the word-template-crap we get as LOA from obvious scammer/spammer/bad-peeps :( it's sad really.
companies define the contact points in the peering agreeements so you know who is who at the other side and how to reach them (direct dial phone numbers). There is also INOC-DBA where somebody else has done some level of authentication of people at your peers.
peering is a whole-nuther-land ... customer prefix attestation/adjudication is where the real rubber hits the road (for me at least).
In other words, there are lots of reasonable ways to solve this problem without having to put the complexity and load of crypto on your routers.
correct, here we agree... We may be a minority, but :) -Chris
On Mon, 23 Apr 2007, Mike Tancsa wrote:
At 04:52 PM 4/23/2007, Patrick W. Gilmore wrote:
I do not want any particular gov't (US or otherwise) to be "in charge" of the Internet any more than the next person. And good thing too, because it simply cannot happen, political pipe-dreams notwithstanding.
But what has that got to do with the DHS promoting an idea to sign IP space allocations and/or announcements? The idea in-and-of-itself doesn't sound wholly unreasonable. (I am not advocating this, just saying the idea shouldn't be rejected without consideration simply because the DHS said it.)
The question is who would do the signing and revocations. Whoever does that would indeed have a great amount of control over the internet. A single government agency should not have that sort of power to make a (for lack of better term), "no surf list" of IP space...
I think the strawman proposals so far were something like:
1) iana has 'root' ca-cert
2) iana signs down certs for RIR's
3) RIR's sign down certs for LIR's
4) LIR's sign down certs for 'users' (where 'users' is probably address-space users, like corporations or end-sites)
This seemed not-too-insane, and would give ISP/operator type folks that ability to easily and quickly verify that: 157.242.0.0/16 is in point of fact permitted to originate by the org-id: LMU-1 with some level of authority... It's nothing really more than that. -Chris (who did spend some conference-room time with patrick/woody/doug/others talking about this very problem)
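The four-level chain in the strawman above (IANA signs the RIR, the RIR the LIR, the LIR the end site) and the "simple shell script to do 5 whois lookups and 3 openssl cert checks" Chris mentions earlier in the thread, as an added example that is not code from any participant: a toy relying-party check written in Go against the standard library. The certificate format is invented (a holder name, one prefix, an ECDSA P-256 key and the issuer's signature over those), not the X.509/RFC 3779 form real resource certificates use, and the allocations other than the thread's 157.242.0.0/16 for LMU-1 (157.0.0.0/8 to an RIR, 157.240.0.0/13 to an LIR) are made up for illustration. The check enforces the two things the strawman needs: every signature verifies against the issuer's key, and every prefix lies inside what the issuer itself holds. A chain that does not end at the relying party's configured anchor, a leaf whose prefix was edited after signing, and an LIR that signs more than it was given are all rejected.

```go
package main

// Added example (not from the thread): toy of the strawman IANA -> RIR -> LIR ->
// end-site chain. The format and the allocations are invented for illustration.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"net"
)

// Cert is a simplified resource certificate; Issuer is nil for a trust anchor.
type Cert struct {
	Holder, Prefix string
	PubKey         *ecdsa.PublicKey
	Issuer         *Cert
	Sig            []byte // issuer's ECDSA signature over certDigest(c)
}

func certDigest(c *Cert) []byte {
	s := sha256.Sum256([]byte(fmt.Sprintf("%s\x00%s\x00%x\x00%x", c.Holder, c.Prefix, c.PubKey.X, c.PubKey.Y)))
	return s[:]
}

// within reports whether child is a sub-prefix of (or equal to) parent.
func within(child, parent string) bool {
	_, cn, err1 := net.ParseCIDR(child)
	_, pn, err2 := net.ParseCIDR(parent)
	if err1 != nil || err2 != nil {
		return false
	}
	cbits, _ := cn.Mask.Size()
	pbits, _ := pn.Mask.Size()
	return pn.Contains(cn.IP) && cbits >= pbits
}

// Issue makes holder's key pair and a cert for prefix signed by issuerKey (nil issuer = self-signed anchor).
func Issue(issuer *Cert, issuerKey *ecdsa.PrivateKey, holder, prefix string) (*Cert, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	c := &Cert{Holder: holder, Prefix: prefix, PubKey: &key.PublicKey, Issuer: issuer}
	if issuer == nil {
		issuerKey = key
	}
	c.Sig, err = ecdsa.SignASN1(rand.Reader, issuerKey, certDigest(c))
	return c, key, err
}

// VerifyCert walks from c up to anchor, checking each signature and that each
// prefix lies inside the issuer's own prefix (the "signs down" rule).
func VerifyCert(c, anchor *Cert) error {
	for cur := c; cur != anchor; cur = cur.Issuer {
		switch {
		case cur.Issuer == nil:
			return fmt.Errorf("%s: chain ends at %q, not at the configured anchor", c.Holder, cur.Holder)
		case !ecdsa.VerifyASN1(cur.Issuer.PubKey, certDigest(cur), cur.Sig):
			return fmt.Errorf("%s: bad signature from %s", cur.Holder, cur.Issuer.Holder)
		case !within(cur.Prefix, cur.Issuer.Prefix):
			return fmt.Errorf("%s: %s is not within %s's %s", cur.Holder, cur.Prefix, cur.Issuer.Holder, cur.Issuer.Prefix)
		}
	}
	return nil
}

// Scenarios: hypothetical IANA -> RIR -> LIR -> LMU-1 chain plus a "private" root nobody configured; true = leaf verified.
func Scenarios() (map[string]bool, error) {
	var firstErr error
	issue := func(iss *Cert, k *ecdsa.PrivateKey, holder, pfx string) (*Cert, *ecdsa.PrivateKey) {
		c, key, err := Issue(iss, k, holder, pfx)
		if err != nil && firstErr == nil {
			firstErr = err
		}
		return c, key
	}
	iana, ianaKey := issue(nil, nil, "IANA", "0.0.0.0/0")
	rir, rirKey := issue(iana, ianaKey, "RIR", "157.0.0.0/8")
	lir, lirKey := issue(rir, rirKey, "LIR", "157.240.0.0/13")
	site, _ := issue(lir, lirKey, "LMU-1", "157.242.0.0/16")
	oversized, _ := issue(lir, lirKey, "LMU-1", "157.0.0.0/8") // LIR signs more than it holds
	rogue, rogueKey := issue(nil, nil, "rogue-root", "0.0.0.0/0")
	rogueSite, _ := issue(rogue, rogueKey, "LMU-1", "157.242.0.0/16")
	if firstErr != nil {
		return nil, firstErr
	}
	tampered := &Cert{Holder: site.Holder, Prefix: "157.240.0.0/13", PubKey: site.PubKey, Issuer: site.Issuer, Sig: site.Sig} // prefix edited after signing
	return map[string]bool{
		"valid":        VerifyCert(site, iana) == nil,
		"oversized":    VerifyCert(oversized, iana) == nil,
		"tampered":     VerifyCert(tampered, iana) == nil,
		"rogue anchor": VerifyCert(rogueSite, iana) == nil,
	}, nil
}

func main() { fmt.Println(Scenarios()) }
```

Running it prints the map with only "valid" true. Note what the check does and does not establish, which is the point Sean Donelan makes in his reply: the math proves that each issuer signed what it signed and stayed inside its own allocation, not that the LIR verified who it was issuing to; a relying party also has to choose its anchor deliberately, which is why the "rogue-root" chain fails even though every signature in it is mathematically valid.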
On Mon, 23 Apr 2007, Chris L. Morrow wrote:
I think the strawman proposals so far were something like:
1) iana has 'root' ca-cert
2) iana signs down certs for RIR's
3) RIR's sign down certs for LIR's
4) LIR's sign down certs for 'users' (where 'users' is probably address-space users, like corporations or end-sites)
This seemed not-too-insane, and would give ISP/operator type folks that ability to easily and quickly verify that:
157.242.0.0/16 is in point of fact permitted to originate by the org-id: LMU-1
with some level of authority... It's nothing really more than that.
You can do online or offline verification of a trust chain. RSA, certs, etc. are just the math. But the math doesn't change the trust. If the LIR/RIR directories are poorly maintained, their signatures aren't going to be any better. The problem in your trust chain above is the LIRs don't actually verify much about the 'users'; and it's very easy to spoof the LIRs (i.e. I forgot my password) to change their directory information. And the same thing will probably be true when you ask LIRs to sign things. I lost my RSA cert, please sign a new one for "me". An online chain of RWHOIS delegations or an offline chain of RSA certificates (for which you will still need an online CRL check) doesn't change the problems in the LIRs (or even RIRs or IANA). A lot of math won't make the answer more authoritative.
Sean Donelan wrote:
On Mon, 23 Apr 2007, Chris L. Morrow wrote:
I think the strawman proposals so far were something like:
1) iana has 'root' ca-cert
2) iana signs down certs for RIR's
3) RIR's sign down certs for LIR's
4) LIR's sign down certs for 'users' (where 'users' is probably address-space users, like corporations or end-sites)
This seemed not-too-insane, and would give ISP/operator type folks that ability to easily and quickly verify that:
157.242.0.0/16 is in point of fact permitted to originate by the org-id: LMU-1
with some level of authority... It's nothing really more than that.
You can do online or offline verification of a trust chain. RSA, certs, etc are just the math. But the math doesn't change the trust. If the LIR/RIR directories are poorly maintained, their signatures aren't going to be any better.
IMHO ISPs that are not maintaining their entries correctly should not have a place on the Internet. In IPv6 one can see it quite well actually: when one has route6 entries the prefix has more of a chance of piercing through filters than when it has none. Adding a signature to this chain of checks and enforcing BGP announcements to be signed would definitely weed out a lot of bad ISPs who can't care less as they suddenly start losing connectivity. Do also note that, like DNS roots, anybody can set up their private signing authority and provide certs to their buddy ISPs in a similar manner.
The problem in your trust chain above is the LIR's don't actually verify much about the 'users'; and its very easy to spoof the LIRs (i.e. I forgot my password) to change their directory information. And the same thing will probably be true when you ask LIRs to sign things. I lost my RSA cert, please sign a new one for "me".
This is also more about who is responsible for the address. Not who actually uses the address space. With hacked computers and botnets and the likes that is an unknown anyway. But when the responsible organization crosses the line a couple of times, it is easy to see where the bad ones really are.
An online chain of RWHOIS delegations or a offline chain of RSA certificates (which you will still need an online CRL check), doesn't change the problems in the LIRs (or even RIRs or IANA). A lot of math won't make the answer more authoritative.
What is the problem here then? You simply mark the LIR as untrustworthy when they peep up a number of times, and as more and more ISPs do that they silently disappear from the Internet, at least the one where the 'trusted' ISPs are in. This is the same as de-peering ones who are not being nice to you, but now you at least know it is them being bad and not somebody just hijacking them. It's just a little step up from what already gets done. With every verification mechanism that involves trust and signing there usually is also a need for a whitelist and a blacklist; you can manage these yourself or you can let some 3rd party do it, like what is done with many of the spam cases. Greets, Jeroen
On Tue, 24 Apr 2007, Sean Donelan wrote:
On Mon, 23 Apr 2007, Chris L. Morrow wrote:
I think the strawman proposals so far were something like:
1) iana has 'root' ca-cert
2) iana signs down certs for RIR's
3) RIR's sign down certs for LIR's
4) LIR's sign down certs for 'users' (where 'users' is probably address-space users, like corporations or end-sites)
This seemed not-too-insane, and would give ISP/operator type folks that ability to easily and quickly verify that:
157.242.0.0/16 is in point of fact permitted to originate by the org-id: LMU-1
with some level of authority... It's nothing really more than that.
You can do online or offline verification of a trust chain. RSA, certs, etc are just the math. But the math doesn't change the trust. If the LIR/RIR directories are poorly maintained, their signatures aren't going to be any better.
yes, but:
1) there is no discussion of certs+bgp
2) they need to clean up/tighten up anyway; adding some helpful (to operators) bits is a nice thing, yes?
The problem in your trust chain above is the LIRs don't actually verify much about the 'users'; and it's very easy to spoof the LIRs (i.e. "I forgot my password") to change their directory information. And the same thing will probably be true when you ask LIRs to sign things. I lost my RSA cert, please sign a new one for "me".
Is it really that easy? I recall a few people having LOTS of trouble getting their address block information changed so it was once again usable... I know we had some headaches getting our information switched around to reflect corporate changes.
An online chain of RWHOIS delegations or an offline chain of RSA certificates (for which you will still need an online CRL check) doesn't change the problems in the LIRs (or even RIRs or IANA). A lot of math won't make the answer more authoritative.
yes, but the math makes, hopefully, the checking simpler... and it's a better system than exists today at many places where 'if you put yer object in the IRR we'll accept it!' (see the ConEd incident of 2 years back for one example). Without any programmatic checking of this data the only thing accomplished with use of an IRR is to increase the speed with which you can change prefix-list data :( there is no check for accuracy nor authority. -Chris
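The strawman chain (IANA signs RIRs, RIRs sign LIRs, LIRs sign address-space users) and the two objections to it (the math only proves who signed, not whether the LIR should have; and a CRL check is still needed) can be made concrete in a few dozen lines. The following is an added example written for this archive page, not code from Sean, Chris or any other participant: a toy resource-certificate validator in Go using Ed25519. Only "LMU-1" and 157.242.0.0/16 come from the thread; the names "RIR-1", "LIR-1" and "ORG-X", the intermediate holdings 157.0.0.0/8 and 157.240.0.0/13, the serial numbers and the keys are constructed placeholders, and the certificate format is a simplified stand-in for real RPKI objects.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"net/netip"
	"strings"
)

// Cert is a toy resource certificate: Issuer vouches that Subject controls
// PubKey and is entitled to Prefixes. Serial is what a CRL revokes by.
type Cert struct {
	Issuer, Subject string
	Serial          uint64
	PubKey          ed25519.PublicKey
	Prefixes        []netip.Prefix
	Sig             []byte
}

// tbs is the canonical byte string the issuer signs.
func (c *Cert) tbs() []byte {
	var sb strings.Builder
	fmt.Fprintf(&sb, "issuer=%s\nsubject=%s\nserial=%d\nkey=%x\n", c.Issuer, c.Subject, c.Serial, []byte(c.PubKey))
	for _, p := range c.Prefixes {
		fmt.Fprintf(&sb, "prefix=%s\n", p)
	}
	return []byte(sb.String())
}

// Issue signs a child certificate with the issuer's private key.
func Issue(issuer, subject string, serial uint64, issuerPriv ed25519.PrivateKey, pub ed25519.PublicKey, prefixes ...netip.Prefix) Cert {
	c := Cert{Issuer: issuer, Subject: subject, Serial: serial, PubKey: pub, Prefixes: prefixes}
	c.Sig = ed25519.Sign(issuerPriv, c.tbs())
	return c
}

// CRL holds revoked (issuer, serial) pairs: the online check the thread mentions.
type CRL map[string]bool

func crlKey(issuer string, serial uint64) string { return fmt.Sprintf("%s/%d", issuer, serial) }

// covered reports whether p lies entirely inside one of holdings.
func covered(holdings []netip.Prefix, p netip.Prefix) bool {
	for _, h := range holdings {
		if h.Bits() <= p.Bits() && h.Contains(p.Addr()) {
			return true
		}
	}
	return false
}

// VerifyOrigin walks chain[0] (trust anchor) to chain[n-1] (end entity). It
// returns nil only if every link is signed by its parent, holds a subset of
// the parent's resources and is not revoked, and the end entity is org with
// a certificate covering prefix. Note what it cannot check: whether the
// issuer was right to sign.
func VerifyOrigin(chain []Cert, anchor ed25519.PublicKey, crl CRL, org string, prefix netip.Prefix) error {
	if len(chain) == 0 || !chain[0].PubKey.Equal(anchor) {
		return fmt.Errorf("chain does not start at the trust anchor")
	}
	if !ed25519.Verify(anchor, chain[0].tbs(), chain[0].Sig) {
		return fmt.Errorf("bad self-signature on %s", chain[0].Subject)
	}
	for i := 1; i < len(chain); i++ {
		parent, child := &chain[i-1], &chain[i]
		if child.Issuer != parent.Subject {
			return fmt.Errorf("%s was issued by %s, expected %s", child.Subject, child.Issuer, parent.Subject)
		}
		if !ed25519.Verify(parent.PubKey, child.tbs(), child.Sig) {
			return fmt.Errorf("signature on %s does not verify under %s", child.Subject, parent.Subject)
		}
		if crl[crlKey(child.Issuer, child.Serial)] {
			return fmt.Errorf("%s serial %d has been revoked by %s", child.Subject, child.Serial, child.Issuer)
		}
		for _, p := range child.Prefixes {
			if !covered(parent.Prefixes, p) {
				return fmt.Errorf("%s was given %s, which %s never held", child.Subject, p, parent.Subject)
			}
		}
	}
	ee := chain[len(chain)-1]
	if ee.Subject != org || !covered(ee.Prefixes, prefix) {
		return fmt.Errorf("no valid certificate lets %s originate %s", org, prefix)
	}
	return nil
}

// Demo builds the IANA -> RIR-1 -> LIR-1 -> LMU-1 chain with constructed keys
// and returns four results: the legitimate LMU-1 check (nil), an over-claim
// the containment check rejects, a re-issue the LIR was talked into (which
// the math accepts), and the real holder failing once the LIR revokes the
// original serial.
func Demo() ([]error, error) {
	keys := map[string]ed25519.PrivateKey{}
	for _, n := range []string{"IANA", "RIR-1", "LIR-1", "LMU-1", "other"} {
		_, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[n] = priv
	}
	pub := func(n string) ed25519.PublicKey { return keys[n].Public().(ed25519.PublicKey) }
	lmu := netip.MustParsePrefix("157.242.0.0/16")
	chain := []Cert{
		Issue("IANA", "IANA", 1, keys["IANA"], pub("IANA"), netip.MustParsePrefix("0.0.0.0/0")),
		Issue("IANA", "RIR-1", 2, keys["IANA"], pub("RIR-1"), netip.MustParsePrefix("157.0.0.0/8")),
		Issue("RIR-1", "LIR-1", 3, keys["RIR-1"], pub("LIR-1"), netip.MustParsePrefix("157.240.0.0/13")),
		Issue("LIR-1", "LMU-1", 4, keys["LIR-1"], pub("LMU-1"), lmu),
	}
	crl := CRL{}
	var out []error
	out = append(out, VerifyOrigin(chain, pub("IANA"), crl, "LMU-1", lmu))
	// LIR-1 signs space it never held: caught purely by the containment check.
	over := Issue("LIR-1", "ORG-X", 5, keys["LIR-1"], pub("other"), netip.MustParsePrefix("99.224.0.0/12"))
	out = append(out, VerifyOrigin(append(chain[:3:3], over), pub("IANA"), crl, "ORG-X", over.Prefixes[0]))
	// "I lost my cert, please sign a new one": LIR-1 binds LMU-1's prefix to a new key.
	reissued := Issue("LIR-1", "LMU-1", 6, keys["LIR-1"], pub("other"), lmu)
	out = append(out, VerifyOrigin(append(chain[:3:3], reissued), pub("IANA"), crl, "LMU-1", lmu))
	// ...and revokes the original, so the legitimate holder's chain now fails.
	crl[crlKey("LIR-1", 4)] = true
	out = append(out, VerifyOrigin(chain, pub("IANA"), crl, "LMU-1", lmu))
	return out, nil
}

func main() {
	results, err := Demo()
	if err != nil {
		panic(err)
	}
	for i, r := range results {
		fmt.Printf("check %d: %v\n", i+1, r)
	}
}
```

The first two results are what Chris is after: a programmatic yes/no on "157.242.0.0/16 may be originated by LMU-1" and a hard rejection of a certificate for space the issuer never held, neither of which an unchecked IRR object gives you. The last two are Sean's point: a signature chain faithfully records that LIR-1 re-issued and revoked, so a validator passes the new holder and fails the old one, and nothing in the math can say whether LIR-1 should have believed the "I lost my cert" request. That is why Jeroen's reply lands on operator-maintained reputation of LIRs rather than on more cryptography.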