IP Block 99/8

Hi,

I am Shai from Rogers Cable Inc., an ISP in Canada. We have the IP block
99.x.x.x assigned to our customers, which happened to be a bogon block in
the past and was given to ARIN in Oct 2006. As we have recently started
using this block, we are getting complaints from our customers who are
unable to surf some web sites. After investigation we found that there
are still some prefix lists/ACLs blocking this IP block.

We own the following blocks:

99.224.0.0/12
99.240.0.0/13
99.248.0.0/14
99.252.0.0/16
99.253.128.0/19

Please update your bogons list.

Shai.

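A defender-side check for the situation Shai describes, as an added example that is not part of the thread: it flags entries in a bogon ACL that would now drop allocated space, and carves the listed allocations out of a stale 99/8 entry so the rest of the block can stay filtered. The ACL lines are constructed; the allocated blocks are the five Shai lists.

```python
import ipaddress

# Constructed sample ACL: a pre-Oct-2006 bogon list that still denies all of 99/8.
STALE_BOGON_ACL = [
    "deny 0.0.0.0/8",
    "deny 10.0.0.0/8",
    "deny 99.0.0.0/8",
    "deny 127.0.0.0/8",
]

# Blocks the ISP says it holds, as listed in the post.
ROGERS_BLOCKS = ["99.224.0.0/12", "99.240.0.0/13", "99.248.0.0/14",
                 "99.252.0.0/16", "99.253.128.0/19"]


def stale_entries(acl_lines, allocated):
    """Return the ACL lines whose prefix overlaps any allocated block."""
    allocs = [ipaddress.ip_network(a) for a in allocated]
    hits = []
    for line in acl_lines:
        net = ipaddress.ip_network(line.split()[-1], strict=False)
        if any(net.overlaps(a) for a in allocs):
            hits.append(line)
    return hits


def carve_out(bogon_cidr, allocated):
    """Split one bogon prefix into the CIDRs that do not overlap any allocation.

    Two CIDR prefixes are either nested or disjoint, so each allocation is
    removed with address_exclude() from whichever remaining piece contains it.
    """
    remaining = [ipaddress.ip_network(bogon_cidr)]
    for alloc in (ipaddress.ip_network(a) for a in allocated):
        kept = []
        for piece in remaining:
            if alloc.subnet_of(piece):
                kept.extend(piece.address_exclude(alloc))   # yields nothing if equal
            elif not piece.subnet_of(alloc):
                kept.append(piece)                           # disjoint: keep whole
            # else: the piece lies entirely inside the allocation, drop it
        remaining = kept
    return [str(n) for n in sorted(remaining)]


def rewrite_acl(acl_lines, allocated):
    """Rebuild the ACL with every stale entry replaced by its carved-out pieces."""
    out = []
    for line in acl_lines:
        if stale_entries([line], allocated):
            action, cidr = line.split()
            out.extend(f"{action} {p}" for p in carve_out(cidr, allocated))
        else:
            out.append(line)
    return out


if __name__ == "__main__":
    for entry in rewrite_acl(STALE_BOGON_ACL, ROGERS_BLOCKS):
        print(entry)
```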

Own? ARIN gave you title?

--bill

If we had "clean" registries and signed/verifiable advertisements this would
not be an issue. Most of you know that DHS was pushing the Secure Protocols
for the Routing Infrastructure initiative
(http://www.cyber.st.dhs.gov/spri.html). Due to budget cuts this program is
on the shelf for now. However, we are still interested in making it happen.

I think that the discussion about 7.0.0.0/24 several days ago could also
have been avoided if we had already implemented some of the SPRI ideas.

Marc

Marcus H. Sachs, P.E.
SRI International
1100 Wilson Blvd Suite 2800, Arlington VA 22209
tel +1 703 247 8717 fax +1 703 247 8569
mob +1 703 932 3984 marcus.sachs@sri.com

I wouldn't count on that. If such a mechanism would become available (which isn't completely unthinkable, see http://www.bgpexpert.com/article.php?id=113 ), then obviously it will be a long time before everything that's in the routing tables has a corresponding certificate. It would be possible to give routes that check out a higher preference than ones that don't, but there's always that pesky longest match first rule that seems to cause so much trouble these days.

The grass is always greener, which is closely related to don't watch sausage being made.

Telephone numbers are over 50 years old, but routing of telephone numbers isn't actually verifiable either especially with some international destinations.

Almost all multi-organizational identity systems have this problem. If you can't trust the organizations involved, more math isn't going to help.

Marcus H. Sachs wrote:

If we had "clean" registries and signed/verifiable advertisements this would
not be an issue. Most of you know that DHS was pushing the Secure Protocols
for the Routing Infrastructure initiative
(http://www.cyber.st.dhs.gov/spri.html). Due to budget cuts this program is
on the shelf for now. However, we are still interested in making it happen.

I think that the discussion about 7.0.0.0/24 several days ago could also
have been avoided if we had already implemented some of the SPRI ideas.

Marc

Out of utter curiosity (not arrogance)... Why in the world should the
DHS be given control of the routing infrastructure when they can't even
secure their own networks?

//QUOTE//

“They will exploit anything and everything,” an official with the Naval
Network Warfare Command told Federal Computer Week (FCW) on condition of
anonymity.

More recently, Major General William Lord told Government Computer News
in August 2006 that China has downloaded 10 to 20 terabytes of data from
DoD’s main network, NIPRNet.
//END QUOTE//

http://www.scmagazine.com/uk/news/article/634401/chinese-hackers-waging-cyberwar-us/

I could instantly slap together about 10 links within the past 2 weeks
of these same things occurring over and over within the government...

I fail to see how/why DHS being in the middle of this would have helped.
I can't count how many times I've attempted to contact someone in the
DoD in reference to compromised hosts and it seems one hand didn't
know what the other hand was doing and in almost 80% of my contact
attempts, no response was ever given...

So as a network operator who needs something done now, you expect
someone to go through the bureaucracy of the US government to get
something resolved? I think one could watch 5 coats of paint
dry faster.

Not only that, all you need is just that ONE instance where "hackers
owned our infrastructure" and we'll be in a much worse place than we
are in now. That is of course someone is fibbing in attempts to get
more money... "Hackers owned NIPR we need a new strategic plan to
get back at them. Send us $30 million"... No thanks keep these keys
away from ANY government body.

Hello, Chinanet? Some guys over in 99/8 want to know how to get that much
data past filters....

Marcus H. Sachs wrote:
> If we had "clean" registries and signed/verifiable advertisements this
> would not be an issue. Most of you know that DHS was pushing the Secure
> Protocols for the Routing Infrastructure initiative
> (http://www.cyber.st.dhs.gov/spri.html). Due to budget cuts this program
> is on the shelf for now. However, we are still interested in making it
> happen.
>
> I think that the discussion about 7.0.0.0/24 several days ago could also
> have been avoided if we had already implemented some of the SPRI ideas.
>
> Marc

Out of utter curiosity (not arrogance)... Why in the world should the
DHS be given control of the routing infrastructure when they can't even
secure their own networks?

That is ridiculous... The DHS should have no jurisdictional power over an
international and collective entity (the Internet). Why? Because the USA does
not own the Internet; no country does. It's just as I posted in the former:
an international and collective entity.

All of this "let's monitor traffic for terrorists" is a case where the USA
clearly has overstepped their bounds.

The USA government wants to remove the "collective" factor of the internet and
place an absolute authority (themselves) in charge of the internet.

//QUOTE//

“They will exploit anything and everything,” an official with the Naval
Network Warfare Command told Federal Computer Week (FCW) on condition of
anonymity.

More recently, Major General William Lord told Government Computer News
in August 2006 that China has downloaded 10 to 20 terabytes of data from
DoD’s main network, NIPRNet.
//END QUOTE//

http://www.scmagazine.com/uk/news/article/634401/chinese-hackers-waging-cyberwar-us/

I could instantly slap together about 10 links within the past 2 weeks
of these same things occurring over and over within the government...

I fail to see how/why DHS being in the middle of this would have helped.
I can't count how many times I've attempted to contact someone in the
DoD in reference to compromised hosts and it seems one hand didn't
know what the other hand was doing and in almost 80% of my contact
attempts, no response was ever given...

The DHS is a single point of failure; as they fail to ensure their own
security, how can they ensure the security of Internet communications?

So as a network operator who needs something done now, you expect
someone to go through the bureaucracy of the US government to get
something resolved? I think one could watch 5 coats of paint
dry faster.

If you want stuff done like yesterday, any government will never satisfy your
requirement; it's amazing they don't make you fill out paperwork to file a
report and then mail it in. :P

Not only that, all you need is just that ONE instance where "hackers
owned our infrastructure" and we'll be in a much worse place than we
are in now. That is of course someone is fibbing in attempts to get
more money... "Hackers owned NIPR we need a new strategic plan to
get back at them. Send us $30 million"... No thanks keep these keys
away from ANY government body.

Once again, having someone parked in the middle results in a single point of
failure, and in this case, a rather volatile one.

I do not want any particular gov't (US or otherwise) to be "in charge" of the Internet any more than the next person. And good thing too, because it simply cannot happen, political pipe-dreams notwithstanding.

But what has that got to do with the DHS promoting an idea to sign IP space allocations and/or announcements? The idea in and of itself doesn't sound wholly unreasonable. (I am not advocating this, just saying the idea shouldn't be rejected without consideration simply because the DHS said it.)

Why not take the idea and see if it is useful, then implement it properly if there is any use? All this vitriol over the US gov't trying to take over the Internet is silly - sillier than the USG thinking it can actually do so. They're politicians, they're ignorant of reality and therefore can be excused for not understanding how stupid they sound. All of you should know better.

Exactly! This whole thread has been people arguing against a straw-man.
DHS never asked for any KSKs or anything. They're not even mentioned in
the report. HSARPA just put up some of the money to fund the drafting of
the report, as ARPA/DARPA/HSARPA have been funding miscellaneous Internet
stuff forever.

                                -Bill

The question is who would do the signing and revocations. Whoever does that would indeed have a great amount of control over the internet. A single government agency should not have that sort of power to make a (for lack of better term), "no surf list" of IP space...

         ---Mike

Bill Woodcock wrote:

Which is fine.

Besides, no gov't _can_ have the single authority. You can always ignore what other people sign or do not sign.

That said, I completely agree the DHS shouldn't have even the modicum of power holding the keys would give it.

I think the strawman proposals so far were something like:

1) iana has 'root' ca-cert
2) iana signs down certs for RIR's
3) RIR's sign down certs for LIR's
4) LIR's sign down certs for 'users' (where 'users' is probably
address-space users, like corporations or end-sites)

This seemed not-too-insane, and would give ISP/operator type folks that
ability to easily and quickly verify that:

157.242.0.0/16 is in point of fact permitted to originate by the org-id: LMU-1

with some level of authority... It's nothing really more than that.

-Chris
(who did spend some conference-room time with patrick/woody/doug/others
talking about this very problem)

The question is who would do the signing and revocations. Whoever
does that would indeed have a great amount of control over the
internet. A single government agency should not have that sort of
power to make a (for lack of better term), "no surf list" of IP
space...

You might try taking a look at the various presentations at NANOG/RIPE/ARIN/
APNIC/APRICOT about the whole idea. Central point: the entity that gives
you a suballocation of its own address space signs something that says you
now hold it.

No governments involved.

Here are a few URLs to start you off:

NANOG 36 Feb 2006: What I Want for Eid ul-Fitr, An Operational ISP & RIR PKI http://www.nanog.org/mtg-0602/pdf/bush.pdf
NANOG 38 Oct 2006: Serious Progress on X.509 Certification of RIR Resource Allocations http://www.nanog.org/mtg-0610/presenter-pdfs/bush.pdf
ARIN XVII April 2006: X.509 Resource and Routing Certificate Panel http://www.arin.net/meetings/minutes/ARIN_XVII/PDF/monday/x509-huston.pdf http://www.arin.net/meetings/minutes/ARIN_XVII/PDF/monday/x509-kent.pdf
RIPE 52 Apr 2006: A PKI for IP Address Space and AS Numbers http://www.ripe.net/ripe/meetings/ripe-52/presentations/ripe52-plenary-pki.pdf
RIPE 53 Oct 2006: Using Resource Certificates - A Progress Report on the Trial of Resource Certification http://www.ripe.net/ripe/meetings/ripe-53/presentations/using_res_certs.pdf
RIPE 51 Oct 2005: APNIC Trial of Certification of IP Addresses and ASes http://www.ripe.net/ripe/meetings/ripe-51/presentations/pdf/ripe51-address-certificate.pdf
APNIC Mar 2006 APNIC resource certification update http://www.apnic.net/meetings/21/docs/sigs/routing/sig-routing-pres-ggm-resource-cert-update.pdf
APRICOT Mar 2006: A PKI to Support Improved Internet Routing Security http://www.apricot2006.net/slides/conf/wednesday/Address%20Space%20PKI%20(APRICOT).pdf

Work ongoing in the IETF SIDR working group:

http://www.ietf.org/html.charters/sidr-charter.html

--Sandy Murphy

Which report did you read...

http://www.schneier.com/blog/archives/2007/04/dept_of_homelan.html
http://www.upi.com/Security_Terrorism/Analysis/2007/04/12/analysis_owning_the_keys_to_the_internet/
http://www.tiawood.com/2007/homeland-security-grabs-for-nets-master-keys/

All of which were about reports that DHS was planning to hold keys to sign
the DNS space. Nothing to do with addresses (domain names, IP addresses, different
things).

And I hear the reports are, well...

--Sandy

DHS focuses on facilitating how to make things more secure or reliable via research, discussions with subject matter experts, and understanding of various scenarios that could impact our economy, critical services, and national security concerns. From that plans get developed, what type of expertise do we need to reach out to from an operational perspective, how can we facilitate getting those that provide critical services into areas to restore them, etc. (incident coordination/management)

This idea that folks keep promulgating that DHS wants to control the Internet is ridiculous. Just as every one of you wants to make sure core Internet services are available to meet your service level agreements with customers, a reduction in electronic crimes and concern about the health of the Internet are concerns for those in government (pick one) and outside of government.

My .02....

Jerry

no problemo... when i hand out a block of space, i'll expect
my clients to hand me a DS record ... then I sign the DS.
and I'll hand a DS to my parent, which they sign.
That works a treat.... today (if you run current code)
and gives you exactly what you describe above.

Oh, you want the prefix attestation to be used for something
other than attestation as to who holds a given prefix?

you want to attest to the "routability" of said prefix?
that's a bit more than a simple attestation of responsibility,
IMHO of course.

--bill

Thus spake <bmanning@karoshi.com>

You might try taking a look at the various presentations at
NANOG/RIPE/ARIN/APNIC/APRICOT about the whole idea.
Central point: the entity that gives you a suballocation of its
own address space signs something that says you now hold it.

No governments involved.

no problemo... when i hand out a block of space, i'll expect
my clients to hand me a DS record ... then I sign the DS.
and I'll hand a DS to my parent, which they sign.
That works a treat.... today (if you run current code)
and gives you exactly what you describe above.

That roughly matches what I expect, but the process seems backwards. If IANA hands, say, 99/8 to ARIN, I'd expect that to come with a certificate saying so. Then, if ARIN hands 99.1/16 to an ISP, they'd hand a certificate saying so to the ISP, which could be linked somehow to ARIN's authority to issue certificates under 99/8. And so on down the line. Then, when the final holder advertises their 99.1.1/24 route via BGP, receivers would check that it was signed by a certificate that had a verifiable path all the way back to IANA.

Of course, one must be prepared to accept unsigned routes since they'll be the majority for a long time, which means you still run afoul of the longest-match rule. If someone has a signed route for 99.1/16, and someone else has unsigned routes for one or more (or all) of 99.1.0/24 through 99.1.255/24, what do you do? Do you block an unsigned route from entering the FIB if there's a signed aggregate present? Doesn't that break common forms of TE and multihoming? If you don't, doesn't that defeat signing in general since hijackers would merely need to use longer routes than the real holders of the space?

To paraphrase Barbie, "security is hard; let's go shopping!"

S

Stephen Sprunk, CCIE #3723, K5SSS
"Those people who think they know everything are a great annoyance to those of us who do." --Isaac Asimov
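The hierarchy Chris sketches (IANA signs down to RIRs, RIRs to LIRs, LIRs to users) and the 99/8 to 99.1/16 chain with the longest-match dilemma Stephen describes, as an added example that is not code from the thread or from any project linked in it. It uses HMAC with per-holder secret keys as a stand-in for X.509 resource certificates (an assumption made to keep it self-contained; a real deployment uses public-key signatures), and the holder names and keys are constructed.

```python
import hashlib
import hmac
import ipaddress

# Toy stand-in for resource certificates: each holder has a secret key and
# "signs" a handout as HMAC(key, "subject|prefix"). Constructed keys only.
KEYS = {"IANA": b"constructed-iana-key",
        "ARIN": b"constructed-arin-key",
        "ISP-1": b"constructed-isp-key"}

def attest(issuer, subject, prefix):
    """issuer hands `prefix` to `subject` and signs that fact."""
    tag = hmac.new(KEYS[issuer], f"{subject}|{prefix}".encode(), hashlib.sha256).hexdigest()
    return {"issuer": issuer, "subject": subject, "prefix": prefix, "tag": tag}

# Chain from the post: IANA gives ARIN 99/8, ARIN gives ISP-1 99.1/16.
CHAIN = [attest("IANA", "ARIN", "99.0.0.0/8"),
         attest("ARIN", "ISP-1", "99.1.0.0/16")]

def chain_valid(chain, root="IANA"):
    """Each link must be signed by the previous holder and sit inside its space."""
    holder, space = root, ipaddress.ip_network("0.0.0.0/0")
    for link in chain:
        net = ipaddress.ip_network(link["prefix"])
        if link["issuer"] != holder or holder not in KEYS or not net.subnet_of(space):
            return False
        good = attest(holder, link["subject"], link["prefix"])["tag"]
        if not hmac.compare_digest(good, link["tag"]):
            return False
        holder, space = link["subject"], net
    return True

def classify_route(prefix, origin, chains):
    """'valid': a valid chain ends exactly at (prefix, origin).
    'invalid-origin': a chain ends exactly at prefix but names another holder.
    'unsigned-covered': only a signed aggregate covers it; a legitimate
    more-specific and a hijack look identical here (the longest-match problem).
    'unsigned': nothing signed covers it."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for chain in chains:
        if not chain_valid(chain):
            continue
        last = chain[-1]
        signed = ipaddress.ip_network(last["prefix"])
        if signed == net:
            return "valid" if last["subject"] == origin else "invalid-origin"
        if net.subnet_of(signed):
            covered = True
    return "unsigned-covered" if covered else "unsigned"

def local_pref(status, strict):
    """Policy knob from the post: strict drops unsigned routes under a signed
    aggregate (protects the holder, breaks TE/multihoming); lenient installs
    them at lower preference, which longest-match can still override."""
    if status == "valid":
        return 200
    if status == "invalid-origin" or (status == "unsigned-covered" and strict):
        return None          # not installed
    return 100
```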

(email string deleted...)

I'm deeply saddened that the very folks who work so hard to run the Internet
are publicly speculating that DHS wants to take over the 'net. If that's
the message that DHS is sending, then we need to go back to the drawing
boards and re-write the message. Can somebody point to DHS quotes that lend
support to this idea? Or are the ideas coming from a bunch of pseudo-news
hacked together by non-technical reporters that have absolutely no idea what
they are talking about?

Unless I'm totally out to lunch, the DHS is not trying to take over the
Internet (nor DoD, nor Commerce, nor DoJ, not even George W. Bush himself.)
The DHS Science and Technology Directorate is funding several programs aimed
at increasing the security of Internet mechanisms, primarily the DNS and the
routing infrastructure. Funding RDTE&T is not the same as running a global
infrastructure.

Folks, please do some research on this and stop bashing a group that is
working hard to make your jobs easier to perform (unless you think that
bashing is needed, and if so, please cite the sources of your concerns.) We
need a lot of leadership, both public and private, and I think that DHS is
offering us something that we should be reinforcing, not tearing down.

Thanks.

Marc

Marcus H. Sachs, P.E.
SRI International
1100 Wilson Blvd Suite 2800, Arlington VA 22209
tel +1 703 247 8717 fax +1 703 247 8569
mob +1 703 932 3984 marcus.sachs@sri.com