January 2004 - db-wg - mailman.ripe.net

RE: [db-wg] abuse-c
by Wilfried Woeber, UniVie/ACOnet 12 Jan '04

12 Jan '04

Christian, >I have a lot of inetnum objects which I need the same abuse address for so I >would REALLY appriciate not having to change each and everyone of them!.. :) supporting that was one of the goals in the design of the IRT object. All the (resources described by a set of) objects which are handled by the same incident team or function just get linked to the same IRT object. If you want to make any changes, then you update the info in _one_ place - much like the maintainer approach. And, the IRT structure supports hierarchy (for those resources which do have a hierarchy :-) It allows quite a few other things to be nicely described and maintained, eg. - giving key info if you want to use encryption for your complaint, or verify the identity of the security contact you get an answer from - decoupling of IP-Address management from operations ("rouitng") and incident handling - registering credibility info with this contact info, like the Trusted Introducer, which was the first structure to use this machinery. We are definitely still missing some things to make it fly high... Things that come to my mind without doing a full inventory: - make additional documentation available (TF-CSIRT is actively working on this) - try to get it deployed and _used_ (I'd look into the direction of the Anti-Spam folks to help with this) - maybe modify the default answer from the server for a whois query (what would the impact be on the "other" users of the registry data?) - try to define complaint handling roles in a concise way to allow selecting the "correct" contact from an object. (this doesn't chance whether you put it into an inetnum or an IRT object ;-) (I guess there will be another attempt in Madrid next week to deal with that amongst the incident handlers, and we may come back with a proposal or at least an idea) Wilfried.

1 0

RE: [db-wg] abuse-c
by TAYON, Julien 12 Jan '04

12 Jan '04

John Green <mailto:j.green@ukerna.ac.uk> wrote: > I have never understood what this gives you. If "Evil Company" wants > to misdirect abuse reports (why?) they can circumvent this by making > a fake IRT object with IRT XYZ as the contact email address. > If people circumvent this they are either evil or incompetent which is alreday a strong hint to be suspicious. Julien Tayon LDCOM networks BU DATA- +33 1 70 18 14 45 1 square Chaptal , 92309 Levallois Cedex

4 4

Defined roles
by Rev Adrian Kennard 12 Jan '04

12 Jan '04

Following on from the comment bt Shane Kerr > Also, what various contact information means is not clear. What > administration does the "admin-c:" do exactly? Only update the RIPE > Database? Coordinate with the RIPE NCC? Is it the CEO of a company? > The manager of the IT department? Or an independent contractor who handles > all the details of connectivity? I have to agree that "what is the responsibility" or perhaps just "the role" of the admin-c and tech-c. From what I have read on RIPE documents the role is not at all clear. I believe it said the admin contact has to be at the same address as the network? So what of unattended sites? There are many questions, and perhaps there should be some attempt to define more accurately what admin-c and tech-c are meant to be used for. As internet usage is becoming more of an issue (spam, child porn, etc) I can't help feeling that there should be some formal "responsibility" associated with an inetnum (like we have a "keeper of a vehicle" in the UK who has some responsibilities). I suspect to go this far would request some legal framework in countries affected, but RIPE could at least indicate, say, "The admin contact is intended to take responsibility for the IP addresses" or some such, which would be a good basis. Of course, if there was an abuse-c, then this could be a document explaining the detailed role of admin-c, tech-c, and abuse-c. Also, the "trouble" field is a good thought - maybe we should add "trouble" to inetnum, as there is already a field name defined for the purpose essentially. Just an idea. -- Rev Adrian Kennard Andrews & Arnold Ltd / AAISP www.aaisp.net.uk

1 0

E-mail Client Testing for S/MIME Compliance
by Denis Walker 09 Jan '04

09 Jan '04

[apologies for duplicate messages] Dear Colleagues, At the RIPE 45 Meeting a proposal was presented to implement an additional form of strong authentication for protecting objects in the RIPE Database and to allow for secure communication by e-mail with the RIPE NCC. This implementation uses the X.509 certificates. A question was raised by some members about how widespread is the compliance of S/MIME within mail clients. The RIPE NCC Software Engineering Department has undertaken a study to evaluate the use of S/MIME by mail clients. The results of this study can be found on our web site at: http://www.ripe.net/ripencc/pub-services/db/mail_client_tests.html Regards, -- Denis Walker Software Engineering Department RIPE NCC

4 5

Domail Clean-up
by RIPE Database Manager 06 Jan '04

06 Jan '04

Dear Colleagues, As of 6 January, 2004, messages concerning inconsistencies between "nserver:" attributes in DOMAIN objects and delegation NS RRs in our zone files will be sent out. The messages will be mailed to various contact addresses for the relevant DOMAIN objects. In addition to the description of the inconsistencies, an indication of the 'default actions' will also be provided. We kindly request data be updated so that the inconsistencies are corrected before 1 March, 2004. About two weeks before 1 March, 2004 we will send a second set of warnings for the remaining inconsistencies. By 1 March, 2004 all remaining inconsistencies will be cleaned by the RIPE NCC, using the 'default actions'. If you receive a warning about inconsistencies we recommend that you fix the data yourself. It may be that you receive multiple mails for multiple domains with multiple inconsistencies. If you want to configure a dedicated mail filter the messages will contain the subject header "Subject: Reverse DNS inconsistencies in the RIPE Database" and originate "From: <ripe-dbm(a)ripe.net>". If you have further questions please contact <ripe-dbm(a)ripe.net>. Background The cleanup is part of the effort to streamline reverse DNS operations [1] and make it easier for network range users to manipulate related DOMAIN objects. The goal of the cleanup [2] is to streamline the contents of DOMAIN objects and zone configuration files so that we can create zone files from the Whois Database. An explanation of the various possible inconsistencies can be found at: http://www.ripe.net/reverse/rdns-project/Cleanup.html. ----- [1]: Original proposal http://www.ripe.net/reverse/proposal.html. Discussion on this proposal has taken place on the RIPE NCC Services WG mailing list and was summarized in: http://www.ripe.net/ripe/mail-archives/ncc-services-wg/2003/msg00361.html [2]: Original cleanup proposal http://www.ripe.net/ripe/mail-archives/db-wg/2003/msg00738.html. ----- Can Bican Software Engineering Department Olaf Kolkman New Projects Group RIPE NCC

1 0