RE: Hijacked IP space.

/lurkingmode disabled

Should we, as a community, register with RIRs with PGP, and
use special keys for resources?

The only people to have the keys would be the end user/ISP and
the RIR.

Forged PGP can be done but not so easily.

Basically, email is so easy to forge; should we not do what
we do everywhere else and just add security? Or ACLs, or
a firewall, or.......

/lurkingmode enabled

->-----Original Message-----
->From: william@elan.net [mailto:william@elan.net]
->Sent: Tuesday, November 04, 2003 7:00 AM
->To: nanog@merit.edu
->Subject: Re: Hijacked IP space.
->
->Also, while we're on the IP hijacking subject, as I mentioned there
->is a new way it has been done: instead of reregistering domains, the
->actual email account is reused by somebody else, and the whois at ARIN
->is for the most part left unchanged (making it difficult for ARIN to
->do anything).
->
->Because in these cases it is difficult to track the original owners
->and to prove hijacking, or even to notice that it happened, it would
->be nice to stop such activity in the first place. So it would really
->be good if somebody from Earthlink contacts me, and I can then tell
->them privately what names they need to "lock" as far as what their
->customers can request for additional emails. The same applies for
->other ISPs: if you work for a company that has in the past bought
->other large ISPs AND you still allow new or existing customers to get
->new email accounts at the domains of those old companies (i.e. like
->Earthlink is presumably doing with netcom.com), then let me know the
->domains and I can tell you what not to allow your customers for
->emails.
->
->--
->William Leibzon
->Elan Networks
->william@elan.net
->
->

Should we, as a community, register with RIR's with PGP.

Each of the RIRs has either already established, or is in the process of
establishing, a CA for that purpose. Please use them.

      -Bill

Should we, as a community, register with RIR's with PGP.

Each of the RIRs has either already established, or is in the process of
establishing, a CA for that purpose. Please use them.

thanks, but i choose to have my peers certify my identity, not the
rirs

randy

How should your peers certify that the routes you announce are reasonable for them to receive?

Randy,
  Those options are not mutually exclusive, and, while I agree that
it would be better if the RIRs accepted generic GPG keys along the lines
of what RADB does, the X.509 certificate is not a bad first step. At least
it's better than Mail-From or Crypt-PW.

Owen

Still doesn't solve the problem of ISPs announcing out hijacked blocks.

It is stupidly simple to announce out blocks you don't own.

A few years ago, when I was a netadmin, we on several occasions announced
out blocks we had no permission to announce out (/24s). This happened on
the days after 9/11 as well, when we acquired customers whose ISPs didn't
survive the collapse of the NYC telco network. All it took was using the
BGP request form at a large unnamed Tier 1 backbone provider, and our
filters were adjusted to allow us to announce out any network we wanted to.
No questions asked, no authorization forms, nothing.

I've confirmed this behavior with several of the backbones. Why are these
backbones allowing their T1 customers to make these kinds of announcements
without any kind of authorization forms or simple checking to see if it's a
valid announcement for that customer?

[snip]

I've confirmed this behavior with several of the backbones. Why are these
backbones allowing their T1 customers to make these kinds of announcements
without any kind of authorization forms or simple checking to see if it's a
valid announcement for that customer?

Because confirming this isn't always trivial, and is easy to fake.
Most importantly because it hasn't been a major problem, unless you
consider william's ranting to be of operational impact.

Should we, as a community, register with RIR's with PGP.

Each of the RIRs has either already established, or is in the
process of establishing, a CA for that purpose. Please use
them.

thanks, but i choose to have my peers certify my identity, not
the rirs

How should your peers certify that the routes you announce are
reasonable for them to receive?

completely orthogonal issue.

but, if you have interest in the topic, you might look into sbgp.

randy

Those options are not mutually exclusive, and, while I agree that
it would be better if the RIR's accepted generic GPG keys along
the lines of what RADB does, the X.509 certificate is not a bad
first step. At least it's better than Mail-From or Crypt-PW.

Should we, as a community, register with RIR's with PGP.

Each of the RIRs has either already established, or is in the
process of establishing, a CA for that purpose. Please use
them.

thanks, but i choose to have my peers certify my identity, not the
rirs

the rirs already accept pgp certs. and i use them, as do all
security-conscious registrants. i was disagreeing with woody's
pushing x.509 certs to the exclusion of pgp certs.

randy

Nah, you were just being disagreeable.

                                -Bill

sBGP doesn't protect you from picking up garbage ...

Arnold

i was disagreeing with woody's pushing
x.509 certs to the exclusion of pgp certs.

Nah, you were just being disagreeable.

thanks for the sound logical argument, woody

Your statement is contrary to what we were told at the ARIN meeting
by ARIN.

Owen

Q: Why is top posting appreciated?
   the newest information more quickly and ignore the previous stuff they
   don't need for reference.

However, at your request, I have avoided top posting in this message.

I would note that the RIPE NCC, while implementing X.509 support,
is moving away from the concept of running their own CA. Their
X.509 support will be very "PGP-like". See the following for details -
http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-db-x509.pdf

Larry J. Blunk wrote:

Those options are not mutually exclusive, and, while I agree that
it would be better if the RIR's accepted generic GPG keys along
the lines of what RADB does, the X.509 certificate is not a bad
first step. At least it's better than Mail-From or Crypt-PW.

Should we, as a community, register with RIR's with PGP.

Each of the RIRs has either already established, or is in the
process of establishing, a CA for that purpose. Please use
them.

thanks, but i choose to have my peers certify my identity, not the
rirs

the rirs already accept pgp certs. and i use them, as do all
security-conscious registrants. i was disagreeing with woody's
pushing x.509 certs to the exclusion of pgp certs.

randy
---

   I would note that the RIPE NCC, while implementing X.509 support,
is moving away from the concept of running their own CA. Their
X.509 support will be very "PGP-like". See the following for details -
http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-db-x509.pdf

Yes and no. For the RIPE Database authentication pgp and x.509 will be equally accepted with no CA involved as such. This is different from x.509 certificates the RIPE NCC issues for the members, only to authenticate themselves while accessing RIPE NCC services.

Thanks,

Andrei Robachevsky
RIPE NCC

I'm very much for what RIRs are doing in this area (though ARIN could do
PGP together with X.509, as I mentioned back in Memphis), as it will provide
good security for communication with ARIN and for making changes to RIR whois
and other data, and thus in the far future should seriously decrease the
possibility of hijacking even blocks where the company is gone and the blocks are
no longer in use.

But let's be clear about it: what RIRs are doing as far as PGP or X.509
is for communication between the RIR and the admin of the IP space. RIRs
specifically do not want to "certify" by digital means that a particular
entity has the right to that netblock. What it means is that if you have
a customer that has this X.509 certificate from ARIN and they ask you to
announce it, you really cannot see their certificate and will have to
just do a regular whois like you usually do (in fact you will not even
know if the IP block whois is protected by this security feature).

You cannot actually ask them for some digital certificate signed by ARIN
showing it's their block. And these RIR-signed certificates for use by
third parties are really what is needed, for at least automated checking
when a peer or customer is asking you to let their newly announced block in and
adjust the filters (we are not even talking about S-BGP here, just a way to
improve the security of the process of adjusting filters to announce new
routes through your network). S-BGP would be next and will also require
the use of these kinds of certificates, but as others will be quick to
mention, the S-BGP proposal still needs some work before we could begin
beta-testing it.
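As an added example (not code from anyone in this thread), here is the kind of automated check William describes for a customer's "let my new block in" request, done the way it can be done today against IRR route objects in the RADB style rather than the RIR-signed third-party certificates he says are still missing: it accepts only an exact-match route object whose origin is the requesting ASN, refuses a more-specific that has no object of its own, and flags maintainers still protected by the Mail-From/Crypt-PW auth Owen mentions. The prefixes, ASNs and maintainer names are constructed sample data.

```python
import ipaddress
import re

# Constructed sample IRR output (RADB-style RPSL, not real registry data).
SAMPLE_IRR = """\
route:   192.0.2.0/24
origin:  AS64496
mnt-by:  MAINT-EXAMPLE-A

route:   198.51.100.0/24
origin:  AS64497
mnt-by:  MAINT-EXAMPLE-B

mntner:  MAINT-EXAMPLE-A
auth:    PGPKEY-DEADBEEF

mntner:  MAINT-EXAMPLE-B
auth:    MAIL-FROM .*@example.net
"""
# auth: schemes that only prove a From: header or a reusable password.
WEAK_AUTH = ("MAIL-FROM", "CRYPT-PW", "NONE")

def parse_rpsl(text):
    """Split whois output into objects, each a list of (key, value) pairs."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = [(k.strip().lower(), v.strip()) for k, _, v in
                 (line.partition(":") for line in block.splitlines())]
        objects.append(pairs)
    return objects

def check_request(irr_text, prefix, origin_asn):
    """Return (ok, reason) for a customer's request to announce prefix.
    Only an exact route object naming origin_asn passes; a more-specific
    carved from a larger object is refused until it has its own object."""
    want = ipaddress.ip_network(prefix, strict=True)
    objects = parse_rpsl(irr_text)
    mntners = {dict(o)["mntner"]: [v for k, v in o if k == "auth"]
               for o in objects if o[0][0] == "mntner"}
    for attrs in map(dict, objects):
        if "route" not in attrs or ipaddress.ip_network(attrs["route"]) != want:
            continue
        if attrs.get("origin", "").upper() != origin_asn.upper():
            return False, f"{want} is registered to {attrs.get('origin')}, not {origin_asn}"
        auths = mntners.get(attrs.get("mnt-by"), [])
        if any(a.split()[0].upper() in WEAK_AUTH for a in auths):
            return True, (f"match, but maintainer {attrs['mnt-by']} uses weak "
                          f"auth {auths}; confirm out of band before filtering")
        return True, f"exact route object for {want} with origin {origin_asn}"
    return False, f"no exact route object for {want}; refuse until one exists"
```

A weak-auth match is still a match: the point of the flag is that the route object itself could have been put there with a forged From: line, which is exactly the gap this thread is about.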

I would note that the RIPE NCC, while implementing X.509 support,
is moving away from the concept of running their own CA. Their
X.509 support will be very "PGP-like". See the following for details -
http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-db-x509.pdf

smart. the careful reader might have noted that i did not say i
did not like x.509 certs, especially given future sbgp etc. use.
there is an rfc out on use of x.509 certs in the web of trust
model.

randy

If the previous stuff is ignorable, it doesn't need to be quoted. Top posting while quoting material that is ignorable is lazy and not appreciated by most participants on *this* forum. Please snip ignorable material, and then post your reply *below* what you are commenting on, so that ALL can easily participate in this forum using this standard format.

jc

P.S. OWEN, PLEASE STOP CC'ING ME ON REPLIES. EITHER REPLY TO ME ONLY, OR TO THE LIST (WHICHEVER YOU PREFER), BUT NOT TO BOTH.

pps: Lazily clicking "reply to all" and sending off a message (with an unwanted *attachment* no less) cc'd to a bunch of people who don't need duplicate replies typically goes hand in hand with top posting. These are clear signs of someone who is too lazy to bother with following standard conventions, and who thinks that it's OK to do the lazy "easy" thing even when it inconveniences others.

P.S. OWEN, PLEASE STOP CC'ING ME ON REPLIES. EITHER REPLY TO ME ONLY,
OR TO THE LIST (WHICHEVER YOU PREFER), BUT NOT TO BOTH.

JC,

With all due respect, you already have one list that you are policing.
Let's move the arguments of merits of top and bottom posting to
inet-access, where it belongs.

Oh yeah: If dupes bother you, 'man procmailex' and implement dupe
filtering. For one, with nanog-l delays from one to 12 hours, I like to
see responses quickly.

ktnx.

Alex Pilosov | DSL, Colocation, Hosting Services
President | alex@pilosoft.com (800) 710-7031
Pilosoft, Inc. | http://www.pilosoft.com

JC Dill wrote:

pps: Lazily clicking "reply to all" and sending off a message (with an unwanted *attachment* no less) cc'd to a bunch of people who don't need duplicate replies typically goes hand in hand with top posting. These are clear signs of someone who is too lazy to bother with following standard conventions, and who thinks that it's OK to do the lazy "easy" thing even when it inconveniences others.

Most mail servers worth using discard duplicates as long as they contain the same
message-id. Unfortunately this does not help with discarding duplicate subjects like
the monthly spam discussion.

Pete