- db-wg - mailman.ripe.net

Re: [db-wg] Defined roles
by Wilfried Woeber, UniVie/ACOnet 13 Jan '04

13 Jan '04

>> I don't have any problem with the concept of an abuse-c:, in whatever >> colour, shape or texture. the real problem that I (still) have after so >> many years is that we still lack a definition of "abuse", and which part >> of an organisation is supposed to deal with the "abuse". >> >> Also note that usually there is an aspect of "incoming" and >> "originated" abuse. > >In that case, db-wg will only supply the tools and not make any decision >on the contents or the usage and we should get other working groups >involved in this (anti-spam ?). Indeed. >However in some sort of way, the information in the database is 'abused' >by users in the way that they don't use the correct attributes. This in >some form can be explained as the current tools lacking some functionality >or being to complex to use for the larger public. I agree. >So what we need to decide on is whether there is a problem and users will >gain something if we add some functionallity to the system. > >I think that the usability of the system is on-topic for this working >group definitely > and as far as my personal opinion goes, we need to do something >extra to stop people from 'abusing' certain information before the >majority decides that it's a lost game and start removing information >which is usefull for other parts of the work like troubleshooting 'the >internet'. Private opinion: I am one of those who think it is a lost case already. How long has the info in changed: been abused to spam the folks for the address distribution, who simply update a record in the DB, with spam and port scan and xyz complaints? >We don't have to go further then to specify you can include only 1 valid >email address and advice people to insert the address where they want to >recieve the complaints and if you query the database for this information >use this field as a default. > >MarcoH Wilfried.

1 0

Re: [db-wg] abuse-c
by Wilfried Woeber, UniVie/ACOnet 13 Jan '04

13 Jan '04

> >> Not if the relevant IRT object is automatically returned for every > >> inetnum query. This is what ARIN does, BTW. > > Could I see an example of ARIN doing that, please? >$ whois 4.0.0.1 > >OrgName: Genuity >[...] > >NetRange: 4.0.0.0 - 4.255.255.255 >[...] > >OrgAbuseHandle: ABUSE23-ARIN >OrgAbuseName: Abuse >OrgAbusePhone: +1-800-436-8489 >OrgAbuseEmail: abuse(a)genuity.com Thanks, Marco! 2 observations: - the XyzOrg-Type objects seem to be optional (as our university's address block info comes back without them) ? - where can I find documentation about the schema for those XyzOrg... entries? Wilfried.

2 1

RE: [db-wg] Defined roles
by Wilfried Woeber, UniVie/ACOnet 13 Jan '04

13 Jan '04

[up-front disclaimer: apologies or this loooong reply. Maybe it's of help ] >Following on from the comment bt Shane Kerr > > > Also, what various contact information means is not clear. What > > administration does the "admin-c:" do exactly? It is (was [1]) the point of contact in the organisation holding a resource, who or which is allowed/expected to represent the organisation "administratively" > Only update the RIPE Maybe, but not necessarily. > Database? Coordinate with the RIPE NCC? > Is it the CEO of a company? The manager of the IT department? Maybe, yes, but it can also be an employee which is put in charge of that responsibility. Depends on the internal organisation. Someone or something _inside_ the organisation. >Or an independent contractor who handles > all the details of connectivity? No, that is the entity which would be listed as the tech-c: There is a good chance that an organisation holds resources (e.g. address space, an AS Number) which always remains the same, while the operational aspects may be tendered on a regular basis, out-sourced to a third party, or taken care of collectively with an/other organisation/s. Hence the concept of a role: to eg. describe a NOC >I have to agree that "what is the responsibility" or perhaps just "the >role" of the admin-c and tech-c. From what I have read on RIPE documents >the role is not at all clear. I believe it said the admin contact has to >be at the same address as the network? So what of unattended sites? You have to take into account that many parties try to use the DB these days in ways and for purposes for which it was not designed from the beginning. At that point in time there were 2 (3?) goals or objectives: 1 Provide an _authoritative_ registry for internet resources (IP address blocks and AS numbers) which were allocated or assigned (distributed) within the framework of RIPE and the RIPE NCC. There is a formal relatinship in place between the RIPE NCC and the LIRs defining the requirements of collectively maintaining these records. This is the IP- and ASN-Registry inside the RIPE DataBase 2 Provide the means to register Routing Policy for Autonomous Systems. This set of data is - from the point of view of the NCC! - NOT authoritative. In the sense that the NCC is not responsible for completeness and/or correctness of entries. This is the Rouitng Registry inside the RIPE DataBase 3 In support of the IP-Address Registry, and as a convenience for the community in the "early days" of the Internet in Europe, there is a mechanism to register DNS Domain objects in the database. The only (important!) functionality that is left here is keeping track of the ReverseDNS Tree for those address blocks which belong to the IP-Address Registry. All the other domain objects were eventually removed, after going through a lengthy migration and clean-up phase, together with many TLD administrations. At that point in time there was no "Spam", (almost) no attacks or break-ins, a limited library of malware, and so on. >There are many questions, and perhaps there should be some attempt to >define more accurately what admin-c and tech-c are meant to be used for. No problem with that. But this probably has to be taken up in other working groups, like the Addess Policy WG, the Routing WG, etc. The DataBase Gang should only provide the tools to implement their semantics. >As internet usage is becoming more of an issue (spam, child porn, etc) I >can't help feeling that there should be some formal "responsibility" >associated with an inetnum (like we have a "keeper of a vehicle" in the >UK who has some responsibilities). Yes, I fully agree. The interesting part here is that we'll open _many_ BIG cans of worms if we try to progress that. Every attempt until now has got entangled between the colliding interests of the network operators (technical trouble-shooting), law- and intellectual property-rights-enforcement (child porn, copyright violations, etc.) and the _protection of privacy_ of the users. There is at least one region which has proposed to hide name, address and email data on whois queries, in the interest of privacy protection. I didn't have the time to follow up whether it was implemented. But I agree, we may be very close to the point in time where this has to happen, somewhere... > I suspect to go this far would >request some legal framework in countries affected, You bet. I can tell from some private discussions with people from the EU commission that not even between them they have resolved those conflicting points of views. >but RIPE could at >least indicate, say, "The admin contact is intended to take >responsibility for the IP addresses" or some such, which would be a good >basis. From my point of view, that is exactly the role of the admin-c _at large_ or at least as a fall-back. However the organisation can "delegate" responsibilty for some aspects to other groups, parties, or contacts. This is done in real life! E.g. - for operational aspects we can list a differenet tech-c. - for database maint. there is the maintainer (and notification) mechanism - for routing there is the set of objects in the routing registry - for hacking, intrusion, DoS, and law/(C) stuff there is the machinery to point/link to the Incident Response Team to be contacted for those cases. [Note, that even in that camp there is'nt full consensus yet on how to document the different contacts for different incident types ;-] >Of course, if there was an abuse-c, then this could be a document >explaining the detailed role of admin-c, tech-c, and abuse-c. I don't have any problem with the concept of an abuse-c:, in whatever colour, shape or texture. the real problem that I (still) have after so many years is that we still lack a definition of "abuse", and which part of an organisation is supposed to deal with the "abuse". Also note that usually there is an aspect of "incoming" and "originated" abuse. >Also, the "trouble" field is a good thought - maybe we should add >"trouble" to inetnum, as there is already a field name defined for the >purpose essentially. Just an idea. > >-- >Rev Adrian Kennard >Andrews & Arnold Ltd / AAISP www.aaisp.net.uk Regards, Wilfried (this time wearing my hat as DB-WG Chair :-) _________________________________:_____________________________________ Wilfried Woeber : e-mail: Woeber(a)CC.UniVie.ac.at UniVie Computer Center - ACOnet : Tel: +43 1 4277 - 140 33 Universitaetsstrasse 7 : Fax: +43 1 4277 - 9 140 A-1010 Vienna, Austria, Europe : RIPE-DB: WW144, PGP keyID 0xF0ACB369 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Never attribute to malice what can adequately be explained by incompetence.

2 1

RE: [db-wg] abuse-c
by TAYON, Julien 13 Jan '04

13 Jan '04

Christian Rasmussen <mailto:chr@jay.net> wrote: Hi Christian, >> >> I'd also like to see a mandatory/multiple abuse-c field containing a >> rfc-valid email address. > > Im not sure why it should be multiple? But I think most of us on this > list can agree with you that a valid abuse email address associated > with each inetnum in the database would be very welcome. >From what I have seen so far I would need: abuse: copyright.infringement@ourdomain // spam from some people abuse: system.attack@ourdomain // DoS, portscan .... abuse: spam@ourdomain abuse: legal@ourdomain // For cybersquatting, legal procedure But I am not sure the problem is only technic I see it partly as a matter of usage : if we where behaving the same even putting the abuse in remarks, desc or whatever the field is, people would get used to it, and they would stop writing to all address. Regards, -- Julien Tayon LDCOM networks BU DATA- +33 1 70 18 14 45 1 square Chaptal , 92309 Levallois Cedex

4 3

RE: [db-wg] abuse-c
by TAYON, Julien 13 Jan '04

13 Jan '04

MarcoH <mailto:marcoh@marcoh.net> wrote: > On Tue, Jan 13, 2004 at 04:14:13PM +0100, Christian Rasmussen wrote: >> Hi Marco, >> >> >> Okay, I think I now understand better what you mean. There are >> different levels of check of entered abuse address: >> >> 1. Nothing >> 2. Syntax check >> 3. Address validity check (as previously described) >> 4. Response time check > > level 4 would be to run random audits on the information present in > the database. > Last time I misfilled an inetnum abuse with a mnt-lower ( yes I did :( ). as my email was present in changed: they complained a lot to everybody even in the "upper block" including me that abuse email was wrong. My idea is if internet user follow the RFC and their common erratic sense (i.e. complaining to the "upper authority" if no response from the implied inetnum) and we all read our emails, everything should be fine. I think internet users are really are our best low cost efficient auditing system, and we might listen to them. If you want to pay for something that is free though ... well it is no matter to me. -- Julien Tayon LDCOM networks BU DATA- +33 1 70 18 14 45 1 square Chaptal , 92309 Levallois Cedex

1 0

Database Modifications for X.509 Support
by Shane Kerr 13 Jan '04

13 Jan '04

All, Attached please find a description of the database modifications necessary to implement X.509 authentication in the RIPE Database. This is the outcome of previous discussions on the mailing list, presentations and discussions at RIPE meetings, and a review of the implementation details. The only new feature added is making "fingerpr:" an inverse key, which helps dbupdate lookup the appropriate X.509 key. -- Shane Kerr Software Engineering Group Manager RIPE NCC Database Modifications for X.509 Support 1. Proposal ------------- To add X.509 authentication to the RIPE Database. 2. Changes to the key-cert class -------------------------------- The key-cert class will be altered to allow both PGP and X.509 certificates to be represented. PGP certificates will remain the same. X.509 certificates will have the following attributes: - "key-cert:" will be of the form X509-nnn, where nnn is a unique number assigned by the database. (See "Primary key for X.509 KEY-CERT objects" below.) - "method:" will be X509. - "owner:" will be the Distinguished Name (DN) of the certificate. Sometimes this is called the certificate subject. - "fingerpr:" will be the MD5 fingerprint of the certificate. - "certif:" will contain the ASCII representation of the X.509 certificate. The "fingerpr:" attribute will become an inverse key. The format and meaning of all other attributes remain unchanged. Example of an X.509 KEY-CERT object: key-cert: X509-42 method: X509 owner: /C=NL/O=RIPE NCC/OU=Members/CN=eu.ripe-ncc.shane/Email=shane(a)ripe.net fingerpr: D5:92:29:08:F8:AB:75:5F:42:F5:A8:5F:A3:8D:08:2E certif: -----BEGIN CERTIFICATE----- certif: MIID/DCCA2WgAwIBAgICAIQwDQYJKoZIhvcNAQEEBQAwcTELMAkGA1UEBhMCRVUx certif: EDAOBgNVBAgTB0hvbGxhbmQxEDAOBgNVBAoTB25jY0RFTU8xHTAbBgNVBAMTFFNv . . . certif: hZNmF5c/d0gauqvL+egb+3V+Zg+sJTzHMVKQLF1ybWgJjU75Pi+mO7BG0zsQ13pT certif: YxuZCR2W15nwt7zLiHtmfw== certif: -----END CERTIFICATE----- remarks: Sample Key Certificate notify: ripe-dbm(a)ripe.net mnt-by: RIPE-DBM-MNT changed: ripe-dbm(a)ripe.net 20040101 source: RIPE 3. Primary key for X.509 KEY-CERT objects ----------------------------------------- The "key-cert:" attribute is the primary key of KEY-CERT objects. This will be given a generated value that is the object ID. X.509 object IDs are auto-generated similar to the way person/role "nic-hdl:" attributes are auto-generated. For new KEY-CERT objects, the user must use AUTO-<digit> during creation of the object, it will then it will be assigned an appropriate ID. The key-cert ID cannot be reused. If a key-cert ID was used in the past by a KEY-CERT object and then deleted, this ID cannot be used in new KEY-CERT objects. Using a unique identifier is different from the PGP object IDs. In PGP, the key ID is used as part of the object ID (specified in RFC 2726). This is a 32-bit value, expressed in hexadecimal. There are several problems with this. Collisions occur (*), and keys can be spoofed (**). This is less of a problem with X.509 because it uses much longer fingerprints; however, in any system where the source of the fingerprint is passed to other users the possibility exists of a third party adding the certificate to the database. 4. Change to the "auth:" attribute ---------------------------------- The "auth:" attribute is present in MNTNER and IRT objects, and specifies the authentication scheme of the maintainer. The following additional value will be added: X509-<id> Strong scheme of authentication. This string is the same one that is used in the corresponding KEY-CERT object's "key-cert:" attribute. 5. Change to authentication --------------------------- When a maintainer specifies an X.509 KEY-CERT object the signature, using the private key associated with the certificate contained in the KEY-CERT object, will authenticate that maintainer. 6. Changes to e-mail processing ---------------------------- S/MIME messages will be accepted. S/MIME messages must not be encrypted; an encrypted message will be rejected as invalid input. Either the whole message may be an S/MIME signed message or one MIME part may contain an S/MIME signed message. S/MIME may be used fully, partially, or not at all with other authentication mechanisms. Therefore, it is acceptable to receive a message that is an S/MIME signed message which has been further signed by PGP, or an S/MIME message may be forwarded with the addition of a password at the outer level. 7. Changes to synchronous updates --------------------------------- The server will accept SSL connections with any client side certificate, this certificate will be used to authenticate any updates. (*) http://www.imc.org/ietf-openpgp/mail-archive/msg00484.html (**) http://archives.neohapsis.com/archives/vuln-dev/2001-q4/0147.html

2 1

abuse-c
by Rev Adrian Kennard 13 Jan '04

13 Jan '04

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I am new to this mailing list, so forgive me if this has been covered before. It seems there is a pretty clear need for an extra field in inetnum and inet6num records, specifically something like an abuse-c field referencing a person record. A lot of inetnum records I have seen have a remarks field identifying the abuse ocntact, but this is in an inconsistent format making it difficult to automate in any way. It also seems that a lot of network administrators (admin-c) do not feel they should administer their network to remove viruses, etc, and get quite annoyed when contacted regarding abuse. What would be the procedure for proposing such a new field? - -- Rev Adrian Kennard uk.aa -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE//o/MHBb4e52L0Y0RAoPzAJ9Vp94eC6DMAPvAK7Lx5HiiVBPQSgCfTfFZ HfzTEAB6TwmsFBbivTe4KaU= =mlgj -----END PGP SIGNATURE-----

14 29

Re: abuse-c
by Thor Kottelin 13 Jan '04

13 Jan '04

So, we already have the irt object and the trouble attribute. Additionally, abuse is often reported based on admin-c, tech-c, changed, remarks and $DEITY knows what. Please let's not add to the confusion by creating even more attribute or object types. As for the irt object requiring a maintainer, that requirement exists for security, the need for which should be obvious in the context of abuse reports as well. The obvious hardliner approach would be to require future inetnum updates to carry valid mnt-irt attributes. Thor -- http://thorweb.anta.net/

3 3

Re: db-wg digest, Vol 1 #152 - 13 msgs
by Rev Adrian Kennard 12 Jan '04

12 Jan '04

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 | From: Thor Kottelin <thor(a)anta.net> | So, we already have the irt object and the trouble attribute. | Additionally, | abuse is often reported based on admin-c, tech-c, changed, remarks and | $DEITY knows what. Please let's not add to the confusion by creating | even more attribute or object types. There is a clear problem with what we have now, whether techncially or simply awareness, as it is clear that lots and lots of inet[6]num objects have remarks identifying abuse contacts in a variety of formats. There is a need for people to identify abuse contacts associated with an IP[6]. "trouble" does not help as it is also free format and so not much better than remarks. "irt" may be the answer, and I am creating one for our use at present (still not had a reply - why is it a manual process?). It may be over complex. It is not well publicised to those that need to know. Even those that know of it (and I had seen it) do not realise it is the way to put an abuse contact on an inetnum (hence my original question). FYI, our abuse report scripts now look for a mnt-irt field and if not found go for the admin-c field. They used to just go for the admin field. However, I do think something has to be done as it is a nonsense the way it is now. - -- Rev Adrian Kennard -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFAAufMHBb4e52L0Y0RAoHlAJ0ZLrp5QiftL7iWEqpcUxVUxZjLSgCcC8Vo j86xkD4uQ0dcTkzcWOOjtaU= =ykiB -----END PGP SIGNATURE-----

1 0

Re: [db-wg] abuse-c
by Wilfried Woeber, UniVie/ACOnet 12 Jan '04

12 Jan '04

Hi John! >Menno Pieters (Stelvio) wrote: >> TI is an organisation that verifies the information, so that it can be >> *trusted*. For ordinary users it may be to hard to understand this and >> how to make sure it all correct. For IRT among eachother it may be >> important. > >But all that going via the TI route gives you is a "mnt-by: TI" entry in >your object. Yes - what is wrong with that? > There are other non-RIPE ways for teams to infer how much >trust they should give to another team, Correct. >and overloading mnt-by seems undesirable. Maybe, but I don't see what the downside is in using a mechanism which is there, instead of inventing something new. Actually it was - maybe - blue-eyed to invent a new object type. Inventing a new attribute _without a proper syntax and semantic to go with it_ is probably not too much better... >Some useful changes would be renaming the IRT object to something more >general, like Abuse (?) object If we can reach consensus that this should be the name I expect the NCC to make the necessary modifications to the implementation. The problem (which was discussed in various environments more than once!) is that different entities have a different interpretation of the word "abuse". >and for it to be returned by default when querying an IP (or AS). I keep hearing that again and again (and from the incident/abuse point of view I agree!), so I'll put it onto the DB-WG. Maybe others can try to put it onto other WGs' agendas, as this is a pretty big change to the behaviour of the whois server. >The seperation into an easily maintainable object which includes stuff >in addition to email address (like postal address, pgp and phone) are >useful enhancements to "trouble:". > >Cheers >John Wilfried.

2 1