/lurkingmode disabled

Should we, as a community, register with RIRs with PGP, and use special keys for resources? The only people to have the keys would be the end user/ISP and the RIR. Forged PGP can be done, but not so easily. Basically, email is so easy to forge; should we not do what we do everywhere else and just add security? Or ACLs, or a firewall, or.......

/lurkingmode enabled

> -----Original Message-----
> From: william@elan.net [mailto:william@elan.net]
> Sent: Tuesday, November 04, 2003 7:00 AM
> To: nanog@merit.edu
> Subject: Re: Hijacked IP space.
>
> Also while we're on the ip hijacking subject, as I mentioned there is a new way it has been done where instead of reregistering domains, the actual email account is reused by somebody else and where whois at arin is for the most part left unchanged (making it difficult for arin to do anything).
>
> Because in these cases it is difficult to track the original owners and to prove hijacking or to notice that it happened, it would be nice to stop such activity in the first place. So it would really be good if somebody from earthlink contacts me and I can then tell them privately what names they need to "lock" as far as what their customers can request for additional emails. Same applies for other ISPs - if you work for a company that has in the past bought other large ISPs AND where you still allow new or existing customers to get new email accounts at the domains of those old companies (i.e. like earthlink is presumably doing with netcom.com), then let me know the domains and I can tell you what not to allow your customers for emails.
>
> --
> William Leibzon
> Elan Networks
> william@elan.net
> Should we, as a community, register with RIR's with PGP.

Each of the RIRs has either already established, or is in the process of establishing, a CA for that purpose. Please use them.

-Bill
>> Should we, as a community, register with RIR's with PGP.
>
> Each of the RIRs has either already established, or is in the process of establishing, a CA for that purpose. Please use them.

thanks, but i choose to have my peers certify my identity, not the rirs

randy
On 4 Nov 2003, at 10:08, Randy Bush wrote:
>> Should we, as a community, register with RIR's with PGP. Each of the RIRs has either already established, or is in the process of establishing, a CA for that purpose. Please use them.
>
> thanks, but i choose to have my peers certify my identity, not the rirs
How should your peers certify that the routes you announce are reasonable for them to receive?
----- Original Message ----- From: "Joe Abley" <jabley@isc.org> To: "Randy Bush" <randy@psg.com> Cc: "Bill Woodcock" <woody@pch.net>; <nanog@merit.edu> Sent: Tuesday, November 04, 2003 10:17 AM Subject: Re: Hijacked IP space.
> How should your peers certify that the routes you announce are reasonable for them to receive?

Still doesn't solve the problem of ISPs announcing out hijacked blocks. It is stupidly simple to announce out blocks you don't own.

A few years ago, when I was a netadmin, we on several occasions announced out blocks we had no permission to announce out (/24s). This happened on the days after 9/11 as well, when we acquired customers whose ISPs didn't survive the collapse of the NYC telco network. All it took was using the BGP request form at a large unnamed Tier 1 backbone provider, and our filters were adjusted to allow us to announce out any network we wanted to. No questions asked, no authorization forms, nothing.

I've confirmed this behavior with several of the backbones. Why are these backbones allowing their T1 customers to make these kinds of announcements without any kind of authorization forms or simple checking to see if it's a valid announcement for that customer?

--------------------------
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
The AHBL - http://www.ahbl.org
On Tue, 4 Nov 2003, Brian Bruns wrote: [snip]
> I've confirmed this behavior with several of the backbones. Why are these backbones allowing their T1 customers to make these kind of announcements without any kind of authorization forms or simple checking to see if its a valid announcement for that customer?
Because confirming this isn't always trivial, and is easy to fake. Most importantly because it hasn't been a major problem, unless you consider william's ranting to be of operational impact.
>>> Should we, as a community, register with RIR's with PGP. Each of the RIRs has either already established, or is in the process of establishing, a CA for that purpose. Please use them.
>> thanks, but i choose to have my peers certify my identity, not the rirs
> How should your peers certify that the routes you announce are reasonable for them to receive?

completely orthogonal issue. but, if you have interest in the topic, you might look into sbgp.

randy
On Tuesday, November 04, 2003 4:48 PM, Randy Bush <randy@psg.com> wrote:
>> How should your peers certify that the routes you announce are reasonable for them to receive?
>
> completely orthogonal issue.
>
> but, if you have interest in the topic, you might look into sbgp.

sBGP doesn't protect you from picking up garbage ...

Arnold
Randy,

Those options are not mutually exclusive, and, while I agree that it would be better if the RIR's accepted generic GPG keys along the lines of what RADB does, the X.509 certificate is not a bad first step. At least it's better than Mail-From or Crypt-PW.

Owen

--On Tuesday, November 4, 2003 7:08 AM -0800 Randy Bush <randy@psg.com> wrote:

>> Should we, as a community, register with RIR's with PGP. Each of the RIRs has either already established, or is in the process of establishing, a CA for that purpose. Please use them.
>
> thanks, but i choose to have my peers certify my identity, not the rirs
>
> randy
-- If it wasn't signed, it probably didn't come from me.
> Those options are not mutually exclusive, and, while I agree that it would be better if the RIR's accepted generic GPG keys along the lines of what RADB does, the X.509 certificate is not a bad first step. At least it's better than Mail-From or Crypt-PW.
>
>> Should we, as a community, register with RIR's with PGP. Each of the RIRs has either already established, or is in the process of establishing, a CA for that purpose. Please use them.
>> thanks, but i choose to have my peers certify my identity, not the rirs

the rirs already accept pgp certs. and i use them, as do all security-conscious registrants. i was disagreeing with woody's pushing x.509 certs to the exclusion of pgp certs.

randy

---
Q: Because it reverses the logical flow of conversation.
A: Why is top posting frowned upon?
On Tue, 4 Nov 2003, Randy Bush wrote:
> i was disagreeing with woody's pushing x.509 certs to the exclusion of pgp certs.

Nah, you were just being disagreeable.

-Bill
Your statement is contrary to what we were told at the ARIN meeting by ARIN.

Owen

Q: Why is top posting appreciated?
A: Because it allows people who've been part of the thread to identify the newest information more quickly and ignore the previous stuff they don't need for reference. However, at your request, I have avoided top posting in this message.

--
If it wasn't signed, it probably didn't come from me.
At 08:16 AM 11/4/2003, Owen DeLong wrote:
> ignore the previous stuff they don't need for reference.

If the previous stuff is ignorable, it doesn't need to be quoted. Top posting while quoting material that is ignorable is lazy and not appreciated by most participants on *this* forum. Please snip ignorable material, and then post your reply *below* what you are commenting on, so that ALL can easily participate in this forum using this standard format.

jc

P.S. OWEN, PLEASE STOP CC'ING ME ON REPLIES. EITHER REPLY TO ME ONLY, OR TO THE LIST (WHICHEVER YOU PREFER), BUT NOT TO BOTH.

pps: Lazily clicking "reply to all" and sending off a message (with an unwanted *attachment* no less) cc'd to a bunch of people who don't need duplicate replies typically goes hand in hand with top posting. These are clear signs of someone who is too lazy to bother with following standard conventions, and who thinks that it's OK to do the lazy "easy" thing even when it inconveniences others.
> P.S. OWEN, PLEASE STOP CC'ING ME ON REPLIES. EITHER REPLY TO ME ONLY, OR TO THE LIST (WHICHEVER YOU PREFER), BUT NOT TO BOTH.

JC,

With all due respect, you already have one list that you are policing. Let's move the arguments of merits of top and bottom posting to inet-access, where it belongs.

Oh yeah: If dupes bother you, 'man procmailex' and implement dupe filtering. For one, with nanog-l delays from one to 12 hours, I like to see responses quickly.

ktnx.

Alex Pilosov     | DSL, Colocation, Hosting Services
President        | alex@pilosoft.com    (800) 710-7031
Pilosoft, Inc.   | http://www.pilosoft.com
On Tue, Nov 04, 2003 at 03:31:28PM -0500, alex@pilosoft.com wrote:
> Oh yeah: If dupes bother you, 'man procmailex' and implement dupe filtering. For one, with nanog-l delays from one to 12 hours, I like to see responses quickly.

# from the procmailex man page, this is supposed to weed out duplicate
# messages.
:0 Wh: msgid.lock
| formail -D 16384 msgid.cache

--
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
On Tue, 04 Nov 2003 15:42:11 EST, Jared Mauch <jared@puck.nether.net> said:
> # from the procmailex man page, this is supposed to weed out duplicate
> # messages.
> :0 Wh: msgid.lock
> | formail -D 16384 msgid.cache
Might want to go for 32K or 64K there, if you get a lot of mail. I just checked a folder of 6K or so messages, and the average message-id was 48 chars long. So only about 334 of them will fit in 16K (less if you allow for database overhead) - so if you're likely to get more than 250-300 messages between the two you care about dup suppression, it won't catch it.
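Valdis' sizing point, modelled as an added example that is not from the thread: a byte-bounded FIFO of Message-IDs stands in for what `formail -D maxlen idcache` keeps (an approximation of its behaviour, not formail's code), and shows a repeat that arrives more than about 340 messages later slipping past a 16K cache when ids average 48 characters.

```python
from __future__ import annotations

from collections import deque


class MessageIdCache:
    """Byte-bounded FIFO of Message-IDs, approximating 'formail -D maxlen idcache'.

    Assumption (not formail's actual code): ids are kept in arrival order and
    the oldest are dropped as soon as the total exceeds maxlen bytes.
    """

    def __init__(self, maxlen: int) -> None:
        self.maxlen = maxlen
        self._ids: deque[str] = deque()
        self._bytes = 0

    def seen_before(self, msgid: str) -> bool:
        """Return True if msgid is already cached (a duplicate); else record it."""
        if msgid in self._ids:
            return True
        self._ids.append(msgid)
        self._bytes += len(msgid)
        while self._bytes > self.maxlen:  # evict oldest entries
            self._bytes -= len(self._ids.popleft())
        return False


def duplicate_caught(maxlen: int, gap: int, id_len: int = 48) -> bool:
    """Deliver a message, then `gap` distinct messages, then the first one again.

    Returns whether the second copy is recognised as a duplicate. Message-IDs
    are constructed to be id_len characters long (the average Valdis measured).
    """
    cache = MessageIdCache(maxlen)
    first = "<" + "a" * (id_len - 2) + ">"
    cache.seen_before(first)
    for i in range(gap):
        cache.seen_before(f"<{i:0{id_len - 2}d}>")
    return cache.seen_before(first)


if __name__ == "__main__":
    for size in (16384, 32768, 65536):
        print(size, [duplicate_caught(size, gap) for gap in (300, 400, 700)])
```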
JC Dill wrote:
> pps: Lazily clicking "reply to all" and sending off a message (with an unwanted *attachment* no less) cc'd to a bunch of people who don't need duplicate replies typically goes hand in hand with top posting. These are clear signs of someone who is too lazy to bother with following standard conventions, and who thinks that it's OK to do the lazy "easy" thing even when it inconveniences others.
Most mail servers worth using discard duplicates as long as they contain the same message-id. Unfortunately this does not help discarding duplicate subjects like the monthly spam discussion. Pete
> P.S. OWEN, PLEASE STOP CC'ING ME ON REPLIES. EITHER REPLY TO ME ONLY, OR TO THE LIST (WHICHEVER YOU PREFER), BUT NOT TO BOTH.
>
> pps: Lazily clicking "reply to all" and sending off a message (with an unwanted *attachment* no less) cc'd to a bunch of people who don't need duplicate replies typically goes hand in hand with top posting. These are clear signs of someone who is too lazy to bother with following standard conventions, and who thinks that it's OK to do the lazy "easy" thing even when it inconveniences others.
I've seen lots of requests in both directions, over the years. On a slow list like this, people often like to be cc'd directly. It's hard to know what to do in all situations, other than mind one's own mailbox. There are ways to filter out duplicates, and that seems (to me) to be the best. Yours, mm
On Tue, 2003-11-04 at 10:51, Randy Bush wrote:
>> Those options are not mutually exclusive, and, while I agree that it would be better if the RIR's accepted generic GPG keys along the lines of what RADB does, the X.509 certificate is not a bad first step. At least it's better than Mail-From or Crypt-PW.
>
>>> Should we, as a community, register with RIR's with PGP. Each of the RIRs has either already established, or is in the process of establishing, a CA for that purpose. Please use them.
>>> thanks, but i choose to have my peers certify my identity, not the rirs
>
> the rirs already accept pgp certs. and i use them, as do all security-conscious registrants. i was disagreeing with woody's pushing x.509 certs to the exclusion of pgp certs.
>
> randy
> ---
I would note that the RIPE NCC, while implementing X.509 support, is moving away from the concept of running their own CA. Their X.509 support will be very "PGP-like". See the following for details - http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-db-x509.pdf
Larry J. Blunk wrote:
> On Tue, 2003-11-04 at 10:51, Randy Bush wrote:
>
>>> Those options are not mutually exclusive, and, while I agree that it would be better if the RIR's accepted generic GPG keys along the lines of what RADB does, the X.509 certificate is not a bad first step. At least it's better than Mail-From or Crypt-PW.
>>
>>>> Should we, as a community, register with RIR's with PGP.
>>>> Each of the RIRs has either already established, or is in the process of establishing, a CA for that purpose. Please use them.
>>>> thanks, but i choose to have my peers certify my identity, not the rirs
>>
>> the rirs already accept pgp certs. and i use them, as do all security-conscious registrants. i was disagreeing with woody's pushing x.509 certs to the exclusion of pgp certs.
>>
>> randy
>> ---
>
> I would note that the RIPE NCC, while implementing X.509 support, is moving away from the concept of running their own CA. Their X.509 support will be very "PGP-like". See the following for details - http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-db-x509.pdf

Yes and no. For the RIPE Database authentication pgp and x.509 will be equally accepted with no CA involved as such. This is different from x.509 certificates the RIPE NCC issues for the members, only to authenticate themselves while accessing RIPE NCC services.

Thanks,

Andrei Robachevsky
RIPE NCC
> I would note that the RIPE NCC, while implementing X.509 support, is moving away from the concept of running their own CA. Their X.509 support will be very "PGP-like". See the following for details - http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-db-x509.pdf

smart. the careful reader might have noted that i did not say i did not like x.509 certs, especially given future sbgp etc. use. there is an rfc out on use of x.509 certs in the web of trust model.

randy
On Tue, 4 Nov 2003, Bill Woodcock wrote:
>> Should we, as a community, register with RIR's with PGP.
>
> Each of the RIRs has either already established, or is in the process of establishing, a CA for that purpose. Please use them.

I'm very much for what RIRs are doing in this area (though ARIN could do PGP together with x.509 as I mentioned back in Memphis) as it will provide good security for communication to ARIN and making changes to RIR whois and other data and thus in the far future should seriously decrease the possibility of hijacking even blocks when the company is gone and the blocks are no longer in use.

But let's be clear about it: what RIRs are doing as far as pgp or x.509 is for communication between the RIR and the admin of the ip space. RIRs specifically do not want to "certify" by digital means that a particular entity has the right to that netblock. What it means is that if you have a customer that has this x.509 certificate from ARIN and they ask you to announce it, you really can not see their certificate and will have to just do regular whois like you usually do (in fact you will not even know if the ip block whois is protected by this security feature).

You can not actually ask them for some digital certificate signed by ARIN showing it's their block. And these RIR-signed certificates for use by 3rd parties are really what is needed for at least automated checking when a peer or customer is asking to let their new announced block in and adjust the filters (we are not even talking about S-BGP here, just a way to improve the security of the process of adjusting filters to announce new routes through your network). S-BGP would be next and will also require these kinds of certificates as well, but as others will be quick to mention, the S-BGP proposal still needs some work before we could begin beta-testing it.

---
William Leibzon
Elan Networks
william@elan.net
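William's point above, that a third-party-verifiable RIR statement of who holds a block would let an upstream check a filter-change request automatically instead of trusting a web form, as an added example that is not part of the original thread. The attestation format, holder name, AS number and prefixes are constructed for illustration, and an HMAC over a canonical encoding stands in for the RIR's X.509 signature so the example runs offline.

```python
from __future__ import annotations

import hashlib
import hmac
import ipaddress
import json

# Stand-in for the RIR's signing key (constructed); a real deployment would
# verify an X.509 signature against the RIR's published public key instead.
RIR_KEY = b"constructed-rir-signing-key"


def _payload(body: dict) -> bytes:
    """Canonical encoding of the attestation, excluding any signature field."""
    return json.dumps({k: v for k, v in body.items() if k != "sig"},
                      sort_keys=True).encode()


def rir_sign(body: dict) -> dict:
    """Model the RIR issuing a signed holder/AS/prefix attestation."""
    sig = hmac.new(RIR_KEY, _payload(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}


def rir_verify(att: dict) -> bool:
    """Check the attestation's signature with a constant-time comparison."""
    expected = hmac.new(RIR_KEY, _payload(att), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(att.get("sig", "")))


def may_accept(att: dict, origin_asn: int, prefix: str,
               max_len: int = 24) -> tuple[bool, str]:
    """Decide whether to open the customer filter for `prefix` from `origin_asn`.

    Rejects an unverifiable or tampered attestation, an AS mismatch, a
    malformed or overly specific prefix (max_len is per request, so pass a
    suitable value for IPv6), and any prefix not inside an attested block.
    """
    if not rir_verify(att):
        return False, "attestation signature invalid"
    if att.get("asn") != origin_asn:
        return False, "attestation is for a different AS"
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return False, f"malformed prefix: {exc}"
    if net.prefixlen > max_len:
        return False, f"more specific than /{max_len}"
    for block in att.get("blocks", []):
        blk = ipaddress.ip_network(block)
        if blk.version == net.version and net.subnet_of(blk):
            return True, f"covered by attested block {block}"
    return False, "prefix not covered by any attested block"


# Constructed sample: documentation AS number and prefixes, not a real holder.
CUSTOMER_ATT = rir_sign({
    "holder": "Example Customer (constructed)",
    "asn": 64496,
    "blocks": ["192.0.2.0/24", "2001:db8::/32"],
})

if __name__ == "__main__":
    for asn, pfx in [(64496, "192.0.2.0/24"), (64496, "192.0.2.0/25"),
                     (64496, "203.0.113.0/24"), (64497, "192.0.2.0/24")]:
        print(asn, pfx, may_accept(CUSTOMER_ATT, asn, pfx))
```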
Certification of internet resource allocations is being actively considered by most if not all RIRs. In the case of APNIC, this has been regarded as a likely development since our CA project started several years ago (always subject to community agreement on appropriate standards).

As it happens, the IETF PKIX working group has almost completed the certificate extension specification for this very purpose, within the S-BGP framework:

http://www.ietf.org/internet-drafts/draft-ietf-pkix-x509-ipaddr-as-extn-03.t...

Regardless of the deployment of S-BGP, RIRs could start issuing certificates any time after specification is completed. APNIC is currently investigating this possibility.

cheers
-George

--
George Michaelson      | APNIC
Email: ggm@apnic.net   | PO Box 2131 Milton QLD 4064
Phone: +61 7 3367 0490 | Australia
Fax: +61 7 3367 0482   | http://www.apnic.net

---
On Tue, 4 Nov 2003 09:35:23 -0800 (PST) william@elan.net wrote:

> On Tue, 4 Nov 2003, Bill Woodcock wrote:
>>> Should we, as a community, register with RIR's with PGP.
>> Each of the RIRs has either already established, or is in the process of establishing, a CA for that purpose. Please use them.
>
> I'm very much for what RIRs are doing in this area (though ARIN could do PGP together with x.509 as I mentioned back in Memphis) as it will provide good security for communication to ARIN and making changes to RIR whois and other data and thus in the far future should seriously decrease possibility of hijacking even blocks when company is gone and blocks are no longer in use.
>
> But lets be clear about it, what RIRs are doing as far as pgp or x.509 are for communication between RIR and the admin of the ip space. RIRs specifically do not want to "certify" by digital means that particular entity has the right to that netblock. What it means is that if you have a customer that has this x.509 certificate from ARIN and they ask you to announce it, you really can not see their certificate and will have to just do regular whois like you usually do (in fact you will not even know if the ip block whois is protected by this security feature).
>
> You can not actually ask the for some digital certificate signed by ARIN showing its their block. At these RIR signed certificates for use by 3rd parties are really what is needed for at least automated checking when peer or customer is asking to let their new announced block in and adjust the filters (we are not even talking about S-BGP here, just way to improve the security of the process of adjusting filter to announce new routes through your network). S-BGP would be next and will also require to use these kind of certificates as well, but as others will be quick to mention, S-BGP proposal still needs some work before we could begin beta-testing it.
>
> ---
> William Leibzon
> Elan Networks
> william@elan.net
participants (18): alex@pilosoft.com; Andrei Robachevsky; Bill Woodcock; Brian Bruns; George Michaelson; Greg Maxwell; Jared Mauch; JC Dill; Joe Abley; Larry J. Blunk; Mark E. Mallett; McBurnett, Jim; Nipper, Arnold; Owen DeLong; Petri Helenius; Randy Bush; Valdis.Kletnieks@vt.edu; william@elan.net