[AusNOG] APNIC WHOIS

Terry Manderson terry at terrym.net
Tue Jul 20 18:42:00 EST 2010


Speaking strictly as an individual and certainly not for any organisation I might be involved with.

Darren, 

Take a flip through the IETF SIDR charter and if you are game read over some of the current workgroup drafts:
Charter: http://datatracker.ietf.org/wg/sidr/charter/
Drafts: http://tools.ietf.org/wg/sidr/

To paraphrase, the SIDR working group is defining an X.509 hierarchy that can be used to validate the usage rights of IP addresses and ASNs. It's called the RPKI (Resource Public Key Infrastructure).

The RIRs are gearing up for this and have made statements that they will commence issuing these certificates for resources in 2011 [1]. They have even gone so far as to say they are launching a 'fully operational' system by that time [2]. This is somewhat confusing to me as none of the RIRs' RPKI updates yet seen also addresses the single Trust Anchor as described by the IETF's IAB [3]. Maybe I've been sleeping and missed it ;-) Or maybe the RIRs have no plans to support such a thing. What I do know is that technically an X.509 hierarchy works best with a single trust anchor. (and as I type I'm sure someone is queuing up the 'It is a political issue' response ;) If you are keen to play with this I believe Randy Bush has made a pretty good effort at demonstrating the ideal hierarchy with a substantial amount of working code. Although not sure if he is still looking for players. Could ask..

So will you at some stage in the not too distant future, irrespective of the completeness of the implementation, be able to validate if a party has the rights to use some prefix? Yes. (modulo the sanity of any database behind the issuance of the certificates, as you would normally expect)

Will you be able to make hard and fast routing decisions based on that - well yes and no. Yes, it's possible as a local policy decision. But perhaps at the detriment of stability. Might you be able to make routing _preference_ statements? I think so - but I'd say I would be waiting on release 2 or 3 of any vendor code for sanity reasons.

That being the case I would think the remaining most interesting use of RPKI X.509 certificates will be to facilitate the mooted IPv4 address trading model. Just like a deed of title, only digital! But I'm sure we will all be on IPv6 by then and we won't need to do address trading.

[1] http://www.nro.net/news/nro-declaration-rpki.html
[2] http://www.nro.net/documents/pdf/ICANN-rpki.pdf
[3] http://www.ietf.org/mail-archive/web/ietf-announce/current/msg07028.html

Cheers
Terry

On 20/07/2010, at 5:09 PM, Darren Moss wrote:

> Cheers Karl.
>  
> Now that's a great idea :)
>  
> Imagine if we could create a validation register where parties who used IP ranges must be authenticated or their traffic stops routing.
>  
> If only we could.
>  
> Regards, 
>  
>  
> Darren Moss
> General Manager
> Australia and New Zealand
> [p] 1300 131 083 [f] 03 9017 2287
> [e] Darren.Moss at em3.com.au [w] www.em3.com.au
> 
>  
> em3 People and Technology | Managed Technology Experts
> postal: PO Box 2333, Moorabbin VIC 3189
> 
> New Zealand Airedale Street, Auckland City
> postal: PO Box 39573, Howick 2045
> [p] 09 887 0550 [f] 09 887 0273
> 
>  
> 
> From: Karl Kloppenborg [mailto:karl at karltec.net] 
> Sent: Tuesday, 20 July 2010 5:00 PM
> To: Darren Moss
> Cc: p8x; ausnog at lists.ausnog.net
> Subject: Re: [AusNOG] APNIC WHOIS
> 
> I would be honoured to write a DB and portable C application for this :D
> 
> Cheers!
> Karl Kloppenborg
> 
> 
> 
> 
> On 20/07/2010, at 16:46, Darren Moss wrote:
> 
>> 
>> If only the database was actually properly maintained and you *could* find contacts for troublesome hosts.
>> 
>> I have lost count of the number of networks we've blocked because the contact information is stale or wrong.
>> 
>> I suggested many times to APNIC that they have some method of ensuring contact information was up to date - ie: as part of IP Allocation to members - but they were not interested. 
>> 
>> If not APNIC, who should / could do this ?
>> 
>> 
>> Regards, 
>> 
>> 
>> Darren Moss
>> General Manager
>> Australia and New Zealand
>> [p] 1300 131 083 [f] 03 9017 2287
>> [e] Darren.Moss at em3.com.au [w] www.em3.com.au
>> 
>> em3 People and Technology | Managed Technology Experts
>> postal: PO Box 2333, Moorabbin VIC 3189
>> 
>> New Zealand Airedale Street, Auckland City
>> postal: PO Box 39573, Howick 2045
>> [p] 09 887 0550 [f] 09 887 0273
>> 
>> 
>> -----Original Message-----
>> From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of p8x
>> Sent: Tuesday, 20 July 2010 4:12 PM
>> To: ausnog at lists.ausnog.net
>> Subject: Re: [AusNOG] APNIC WHOIS
>> 
>> I would say you are fine.
>> 
>> On the APNIC whois page:
>> 
>> "The APNIC Whois Database is a publicly searchable database detailing address usage within the Asia Pacific region. The results of any search are provided purely for operational purposes (such as finding the authoritative contact for a troublesome machine) and are not to be used for commercial or marketing purposes." [1]
>> 
>> On the privacy page:
>> 
>> "Some of the personal information you provide may be publicly registered in the APNIC Whois Database. This is limited to contact details relating to the allocation of specific public Internet resources.
>> 
>> Please note that in relation to these network contact details, the APNIC Whois Database allows organizations to register "role objects" in place of personal details." [2]
>> 
>> It sounds a little odd that they would think the whois data is private. 
>> I wonder if they have fake whois data on their domains.
>> 
>> [1]: http://www.apnic.net/apnic-info/whois_search2/using-whois
>> [2]: http://www.apnic.net/apnic-info/privacy [Section 2.1]
>> 
>> 
>> On 20/07/2010 1:58 PM, Karl Kloppenborg wrote:
>>> Hey Noggers,
>>> 
>>> this is probably just another silly question, but I am having a 
>>> dispute with someone over them claiming that whois information is 
>>> private information about their company and thus I can't post it anywhere I want.
>>> Ie, post the whois with a comment on a public domain / forum.
>>> 
>>> I claim that this is indeed public information and can be used by anyone?
>>> 
>>> However I thought before I make a total idiot out of myself I would 
>>> ask you just in case I am wrong and the details are in fact "Confidential"
>>> 
>>> *
>>> Cheers!
>>> Karl Kloppenborg*
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> AusNOG mailing list
>>> AusNOG at lists.ausnog.net
>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>> 
> 



