Dear Wilfried, Dear colleagues,

Please find attached a draft proposal of the CERT object. Your comments and suggestions are appreciated.

Regards,
Andrei Robachevsky
DB Group Manager
RIPE NCC

"Wilfried Woeber, UniVie/ACOnet" wrote:
Dear Andrei!
Following up on today's discussion, could you please send the CERT Object (pre)draft, that you were showing to me a short while ago, to the DB-WG List?
Then we can start to think about any modifications (or alternate approaches), and what a presumed deployment could look like.
TIA, regards, Wilfried.
CERT object in the RIPE Database
-----------------------------------

Problem:
- direct contacts (admin-c, tech-c) or indirect contacts (admin-c, tech-c of the respective maintainer) do not necessarily point to a CERT team;
- because of this the CERT infrastructure is not reflected in the RIPE Database, which is essential for tracing/blocking attacks, etc.;
- because of this there is no consistent approach to secure/authenticate transactions between CERTs or between a CERT and a user.

Goals:
- to support coordination between different CERT teams/NOCs;
- to provide contact information for reports of attacks/abuse/spam;
- to support secure/authentic transactions between CERTs and users.

Object format
--------------
The proposed cert object is a hybrid of the role and mntner objects. It inherits contact information from the role object and authentication/authorization features from the mntner object.

cert:      [mandatory]  [single]    [primary/look-up key]
address:   [mandatory]  [multiple]  [ ]
phone:     [optional]   [multiple]  [ ]
fax-no:    [optional]   [multiple]  [ ]
e-mail:    [mandatory]  [multiple]  [look-up key]
admin-c:   [mandatory]  [multiple]  [inverse key]
tech-c:    [mandatory]  [multiple]  [inverse key]
upd-to:    [mandatory]  [multiple]  [inverse key]
mnt-nfy:   [optional]   [multiple]  [ ]
auth:      [mandatory]  [multiple]  [ ]
remarks:   [optional]   [multiple]  [ ]
notify:    [optional]   [multiple]  [inverse key]
mnt-by:    [mandatory]  [multiple]  [inverse key]
changed:   [mandatory]  [multiple]  [ ]
source:    [mandatory]  [single]    [ ]

The auth attribute points to a key-cert object.

Referencing a cert object
-------------------------
The object can be referenced from inetnum, inet6num and route (route6) objects by using the cert-c attribute. While updating an object with this attribute, the authorization checks specified in the auth attribute of the referenced cert object should be passed.

CERT related queries
--------------------
A typical use case is to find CERT contacts provided that the IP address/prefix of the abuser/source of an attack/etc. is known. A possible scenario could be:
- the database finds the smallest less specific inetnum/route which contains a cert attribute, starting from the exact match;
- the result of the query is the inetnum/route object, the cert object and the key-cert object.

A new query could be defined (-c in the example below) that will trigger such IP/CERT lookups:

$ whois -c 194.85.160.0

inetnum:      194.0.0.0 - 194.255.255.255
netname:      EU-ZZ-194
descr:        European Regional Registry
descr:        Europe
country:      EU
admin-c:      NN32-RIPE
tech-c:       CREW-RIPE
tech-c:       OPS4-RIPE
status:       ALLOCATED UNSPECIFIED
mnt-by:       RIPE-NCC-HM-MNT
mnt-lower:    RIPE-NCC-HM-MNT
cert-c:       RIPE-CERT
changed:      marten@ripe.net 19930901
changed:      GeertJan.deGroot@ripe.net 19941125
changed:      GeertJan.deGroot@ripe.net 19950118
changed:      david@ripe.net 19951019
changed:      hostmaster@ripe.net 19960118
changed:      hostmaster@ripe.net 19970204
changed:      hostmaster@ripe.net 19970428
changed:      roman@ripe.net 19980424
changed:      hostmaster@ripe.net 19980723
changed:      hostmaster@ripe.net 20000615
source:       RIPE

cert:         RIPE-CERT
address:      Singel 258
address:      1016 AB Amsterdam
address:      The Netherlands
phone:        +31 20 535 4444
fax-no:       +31 20 535 4445
e-mail:       cert@ripe.net
upd-to:       ripe-dbm@ripe.net
mnt-nfy:      ripe-dbm@ripe.net
auth:         PGPKEY-C059B6CM
notify:       ripe-dbm@ripe.net
mnt-by:       RIPE-DBM-MNT
changed:      ripe-dbm@ripe.net 19970429
changed:      riep-dbm@ripe.net 19980211
source:       RIPE

key-cert:     PGPKEY-C059B6CM
method:       PGP
owner:        cert@ripe.net
fingerpr:     7A B7 9A A5 AB 87 34 A2 89 BE 72 D6 57 D2 09 8D
certif:       (PGP public key block omitted)
notify:       cert@ripe.net
mnt-by:       RIPE-NCC-MNT
changed:      cert@ripe.net 19981126
source:       RIPE
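The lookup the draft describes for the proposed "whois -c" query (start at the most specific inetnum containing the address, walk to less specifics until one carries cert-c, then return the cert and key-cert objects), written out as an added example; this is not code from the draft or from the RIPE Database, and the sample objects, the /24 inetnum without cert-c and the parse helpers are constructed for illustration.

```python
import ipaddress
# Constructed RPSL sample modelled on the draft's whois output; the /24 is invented.
SAMPLE_DB = """\
inetnum:  194.0.0.0 - 194.255.255.255
cert-c:   RIPE-CERT
source:   RIPE

inetnum:  194.85.160.0 - 194.85.160.255
source:   RIPE

cert:     RIPE-CERT
e-mail:   cert@ripe.net
auth:     PGPKEY-C059B6CM
source:   RIPE

key-cert: PGPKEY-C059B6CM
owner:    cert@ripe.net
source:   RIPE
"""

def parse_objects(text):
    """Split RPSL text into objects; each is a list of (attribute, value)."""
    objects, current = [], []
    for line in text.splitlines() + [""]:      # a blank line ends an object
        if line.strip():
            name, _, value = line.partition(":")
            current.append((name.strip(), value.strip()))
        elif current:
            objects.append(current)
            current = []
    return objects
def attr(obj, name):
    return [v for a, v in obj if a == name]
def inetnum_range(obj):
    lo, hi = (s.strip() for s in attr(obj, "inetnum")[0].split("-"))
    return int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
def cert_lookup(db_text, ip):
    """Emulate the proposed 'whois -c <ip>': walk from the most specific inetnum
    holding ip to less specifics until one has cert-c; resolve cert and key-cert."""
    objs = parse_objects(db_text)
    addr = int(ipaddress.ip_address(ip))
    containing = [o for o in objs if o[0][0] == "inetnum"
                  and inetnum_range(o)[0] <= addr <= inetnum_range(o)[1]]
    containing.sort(key=lambda o: inetnum_range(o)[1] - inetnum_range(o)[0])
    for inum in containing:                      # smallest range first
        if attr(inum, "cert-c"):
            cert = next(o for o in objs if o[0] == ("cert", attr(inum, "cert-c")[0]))
            key = next(o for o in objs if o[0] == ("key-cert", attr(cert, "auth")[0]))
            return inum, cert, key
    return None                                  # no CERT registered above ip
```

For 194.85.160.10 the /24 matches first but has no cert-c, so the walk continues to 194.0.0.0 - 194.255.255.255 and returns RIPE-CERT with its PGPKEY-C059B6CM key-cert.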