nanog mailing list archives

Re: IP Block 99/8 (DHS insanity - offtopic)


From: "Chris L. Morrow" <christopher.morrow () verizonbusiness com>
Date: Tue, 24 Apr 2007 15:02:37 +0000 (GMT)



On Tue, 24 Apr 2007, Sean Donelan wrote:

> On Mon, 23 Apr 2007, Chris L. Morrow wrote:
> > I think the strawman proposals so far were something like:
> >
> > 1) iana has 'root' ca-cert
> > 2) iana signs down certs for RIRs
> > 3) RIRs sign down certs for LIRs
> > 4) LIRs sign down certs for 'users' (where 'users' is probably
> > address-space users, like corporations or end-sites)
> >
> > This seemed not-too-insane, and would give ISP/operator type folks the
> > ability to easily and quickly verify that:
> >
> > 157.242.0.0/16 is in point of fact permitted to be originated by the org-id: LMU-1
> >
> > with some level of authority... It's nothing really more than that.
>
> You can do online or offline verification of a trust chain.  RSA, certs,
> etc. are just the math.  But the math doesn't change the trust.  If the
> LIR/RIR directories are poorly maintained, their signatures aren't going
> to be any better.

yes, but:
1) there is no discussion of certs+bgp
2) they need to clean up/tighten up anyway, adding some helpful (to
operators) bits is a nice thing, yes?

> The problem in your trust chain above is the LIRs don't actually verify
> much about the 'users'; and it's very easy to spoof the LIRs (i.e. I
> forgot my password) to change their directory information.  And the same
> thing will probably be true when you ask LIRs to sign things.  I lost my
> RSA cert, please sign a new one for "me".

Is it really that easy? I recall a few people having LOTS of trouble
getting their address block information changed so it was once again
usable... I know we had some headaches getting our information switched
around to reflect corporate changes.

> An online chain of RWHOIS delegations or an offline chain of RSA
> certificates (for which you will still need an online CRL check) doesn't
> change the problems in the LIRs (or even RIRs or IANA).  A lot of math
> won't make the answer more authoritative.

yes, but the math makes, hopefully, the checking simpler... and it's a
better system than exists today at many places where 'if you put yer
object in the IRR we'll accept it!' (see ConEd incident of 2 years back
for one example). Without any programmatic checking of this data the only
thing accomplished with use of an IRR is to increase the speed with which
you can change prefix-list data :( there is no check for accuracy or
authority.

-Chris
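The four-step "sign down" chain in the quoted strawman, and Sean's objection to it, as an added worked example (this is not code from the thread, from NANOG, or from any RIR): a toy Go program that signs from a trust-anchor key through an RIR and an LIR to an end-site, then answers the operator's question "is 157.242.0.0/16 permitted to be originated by LMU-1?" by checking every signature and that no level claims space its issuer did not itself hold. Assumptions: Ed25519 stands in for the RSA of the thread, the JSON certificate shape is made up, "ARIN", "LIR-1" and the 157.240.0.0/14 allocation to the LIR are sample data, and no CRL or revocation check is modelled. The last scenario is the "I lost my cert, please sign a new one" case: the LIR certifies an impostor's key as LMU-1 and the chain validates, because the math checks signatures and containment, not whom the LIR handed the key to.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"net/netip"
)

// Cert is a toy resource certificate: the issuer's signature vouches that Subject
// holds PubKey and may use Prefixes. The JSON shape is an assumption of this example.
type Cert struct {
	Subject  string   `json:"subject"`
	Prefixes []string `json:"prefixes"`
	PubKey   []byte   `json:"pubkey"`
	Sig      []byte   `json:"sig,omitempty"` // issuer's signature over tbs()
}

// tbs returns the to-be-signed bytes: the JSON body with the signature blanked.
func (c Cert) tbs() []byte { c.Sig = nil; b, _ := json.Marshal(c); return b }

// keypair generates a fresh Ed25519 key pair (standing in for the thread's RSA).
func keypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Issue is one "sign down" step. It does no checking; that is the verifier's job.
func Issue(issuer ed25519.PrivateKey, subject string, subPub ed25519.PublicKey, prefixes ...string) Cert {
	c := Cert{Subject: subject, Prefixes: prefixes, PubKey: subPub}
	c.Sig = ed25519.Sign(issuer, c.tbs())
	return c
}

// coveredBy reports whether prefix lies inside (or equals) some prefix in set.
func coveredBy(prefix string, set []string) bool {
	c, err := netip.ParsePrefix(prefix)
	for _, s := range set {
		p, err2 := netip.ParsePrefix(s)
		if err == nil && err2 == nil && p.Bits() <= c.Bits() && p.Contains(c.Addr()) {
			return true
		}
	}
	return false
}

// Permitted answers "may prefix be originated by orgID?" by walking the chain from
// the cert signed by the trust anchor (IANA's key) down to the end-site: each cert
// must verify under its issuer's key and claim only space the issuer itself holds.
func Permitted(anchor ed25519.PublicKey, chain []Cert, prefix, orgID string) error {
	key, space := anchor, []string{"0.0.0.0/0", "::/0"}
	for i, c := range chain {
		if len(key) != ed25519.PublicKeySize || !ed25519.Verify(key, c.tbs(), c.Sig) {
			return fmt.Errorf("cert %d (%s): bad signature", i, c.Subject)
		}
		for _, p := range c.Prefixes {
			if !coveredBy(p, space) {
				return fmt.Errorf("cert %d (%s): %s exceeds issuer's delegation", i, c.Subject, p)
			}
		}
		key, space = c.PubKey, c.Prefixes
	}
	if n := len(chain); n == 0 || chain[n-1].Subject != orgID || !coveredBy(prefix, chain[n-1].Prefixes) {
		return fmt.Errorf("no valid leaf cert authorizes %s for %s", prefix, orgID)
	}
	return nil
}

// Scenarios builds IANA -> RIR -> LIR -> end-site and exercises it. Keys are fresh;
// "ARIN", "LIR-1" and the 157.240.0.0/14 LIR allocation are made-up sample data.
func Scenarios() map[string]error {
	ianaPub, iana := keypair()
	rirPub, rir := keypair()
	lirPub, lir := keypair()
	lmuPub, _ := keypair()
	evilPub, evil := keypair()
	upper := []Cert{Issue(iana, "ARIN", rirPub, "157.0.0.0/8"), Issue(rir, "LIR-1", lirPub, "157.240.0.0/14")}
	chain := func(leaf Cert) []Cert { return append(upper[:2:2], leaf) } // cap-limited: append copies
	return map[string]error{
		"valid": Permitted(ianaPub, chain(Issue(lir, "LMU-1", lmuPub, "157.242.0.0/16")), "157.242.0.0/16", "LMU-1"),
		// An outsider signs a leaf for the same space with a key nobody above certified.
		"forged": Permitted(ianaPub, chain(Issue(evil, "EVIL-1", evilPub, "157.242.0.0/16")), "157.242.0.0/16", "EVIL-1"),
		// The LIR signs for space its RIR never delegated to it.
		"overreach": Permitted(ianaPub, chain(Issue(lir, "LMU-1", lmuPub, "10.0.0.0/8")), "10.0.0.0/8", "LMU-1"),
		// "I lost my cert, please sign a new one": the LIR is talked into certifying an
		// impostor's key as LMU-1. Every signature and containment check passes.
		"misissued": Permitted(ianaPub, chain(Issue(lir, "LMU-1", evilPub, "157.242.0.0/16")), "157.242.0.0/16", "LMU-1"),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-9s -> %v\n", name, err)
	}
}
```

Run it with go run; each scenario prints its rejection reason, or <nil> when the chain checks out. "valid" and "misissued" both print <nil>, which is exactly Sean's point: the signatures make the containment and authority checks mechanical (the "forged" and "overreach" cases are caught with no human in the loop), but they cannot see a bad issuance decision at the LIR. The full slice expression upper[:2:2] forces append to copy, so the scenarios do not overwrite each other's leaf in the shared backing array.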

