IRT object creation is easy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

For the sake of promotion of the IRT object and for checking out if it really is easy creating it I requested an IRT object from RIPE, who have assigned it without much problems. The main problem was me not filling the form in correctly and after that being so stupid not having added the correct PGP key *whistle* and indeed it won't authenticate if the mnt-irt authentication is not satisfied, thus that part is now also successfully tested.

Anyhow, it *is* easy getting it and if we (SixXS) can get it, then any ISP should be able to get it. Almost all the inet6nums assigned to the SixXS project now have a mnt-irt on their /40's, the other POPs will follow. Thus I can now say that:

$ lftp ftp://ftp.ripe.net/ripe/dbase/split
$ ls
- -rw-r--r-- 1 ftpuser ftpgroup 176490 Mar 16 01:42 ripe.db.inet6num.gz
$ get ripe.db.inet6num.gz
$ gunzip ripe.db.inet6num.gz
$ grep -cE inet6num ripe.db.inet6num
4206
$ grep -cE "mnt-by:.*SIXXS-MNT" ripe.db.inet6num
1872

1872/4206*100% ~= 44.50% of the inet6num's are now protected by the IRT-SIXXS object by adding about 10 mnt-irt attributes to 10 different objects.

$ grep -c "mnt-irt:" ripe.db.inet6num ripe.db.inet6num
102

Add 6 to that at the moment, as the updated objects are not in this split file yet.

For that matter, there are also other ISP's adding mnt's:

$ cat ripe.db.inet6num |grep -E mnt-irt | sort | uniq -c
     21 mnt-irt: IRT-AA
      1 mnt-irt: IRT-ACOnet-CERT
     49 mnt-irt: IRT-DFN-CERT
      5 mnt-irt: IRT-ITGATE
      2 mnt-irt: IRT-SPEEDKOM1
      1 mnt-irt: IRT-UK
     23 mnt-irt: irt-CERT-NL

It would also be quite fast to deploy more mnt-irt's by making the field mandatory for new allocations forcing ISP's to make use of the object.

Because of the above I don't see a reason for an abuse-c or similar object. If there is a need for adding things like 'spam' or 'ddos' etc then these should be added to the IRT object and not to a new one.

Now everybody go request an IRT object and get it over with. In total it will probably cost you a max of 2 hours and I think that can be really worth it as when it is being used we can then tell abuse tool writers where to look.

Handy docs:
http://www.ripe.net/ripe/meetings/ripe-47/presentations/ripe47-db-irt.pdf
http://www.ripe.net/ripe/docs/irt-object.html

Greets,
 Jeroen

-----BEGIN PGP SIGNATURE-----
Version: Unfix PGP for Outlook
Comment: Jeroen Massar / http://unfix.org/~jeroen/

iQBGBAERAgAQCRApqihSMz58IwUCQFZd8QAAxRMAn22KiziDgieySrdDQele+peb
DXCPAJ9FwYSfaZy9XeU3SPK0gqkYM2a5LA==
=ZDFN
-----END PGP SIGNATURE-----
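The message above counts objects with grep; as an added example (not part of the original post or of any RIPE tooling), the script below computes the same kind of coverage figure from the objects themselves. It assumes, as the message does, that an mnt-irt on a less-specific inet6num also covers the more specific ones beneath it; the sample data and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the layout of the RIPE split file (objects separated
# by blank lines). Prefixes and names are made up (documentation range).
SAMPLE_DB = """\
inet6num:   2001:db8:1000::/40
mnt-by:     EXAMPLE-MNT
mnt-irt:    IRT-EXAMPLE

inet6num:   2001:db8:1000:100::/56
mnt-by:     EXAMPLE-MNT

inet6num:   2001:db8:1000:200::/56
mnt-by:     EXAMPLE-MNT
mnt-irt:    irt-customer

inet6num:   2001:db8:1000:200::/64
mnt-by:     EXAMPLE-MNT

inet6num:   2001:db8:2000::/40
mnt-by:     OTHER-MNT
"""

def parse_objects(text):
    """Split a dump into objects, each a list of (attribute, value) pairs."""
    objects = []
    for block in re.split(r"\n\s*\n", text):
        attrs = []
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            # Skip comments, continuation lines and anything without a key.
            if sep and line[0] not in "#% \t+":
                attrs.append((key.strip().lower(), value.strip()))
        if attrs:
            objects.append(attrs)
    return objects

def irt_coverage(objects):
    """Return (direct, covered): per inet6num prefix, the IRT names it carries
    itself, and the ones that apply via the closest less-specific inet6num."""
    direct = {}
    for attrs in objects:
        if attrs[0][0] == "inet6num":
            net = ipaddress.ip_network(attrs[0][1], strict=False)
            # Object names are case-insensitive, so normalise them.
            direct[net] = [v.upper() for k, v in attrs if k == "mnt-irt"]
    covered = {}
    for net in direct:
        candidate = net
        while not direct.get(candidate) and candidate.prefixlen > 0:
            candidate = candidate.supernet()  # one bit less specific
        covered[net] = direct.get(candidate, [])
    return direct, covered

def summarize(direct, covered):
    """Return (objects, objects with own mnt-irt, objects covered, per-IRT)."""
    own = sum(1 for irts in direct.values() if irts)
    hit = sum(1 for irts in covered.values() if irts)
    per_irt = Counter(irt for irts in covered.values() for irt in irts)
    return len(covered), own, hit, per_irt

if __name__ == "__main__":
    print(summarize(*irt_coverage(parse_objects(SAMPLE_DB))))
```

To run it on real data, pass the contents of the unpacked ripe.db.inet6num to parse_objects instead of SAMPLE_DB.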
On Tue, 16 Mar 2004, Jeroen Massar wrote:
Anyhow, it *is* easy getting it and if we (SixXS) can get it, then any ISP should be able to get it.
Thanks :). I'm not insane after all.
Now everybody go request an IRT object and get it over with. In total it will probably cost you a max of 2 hours and I think that can be really worth it as when it is being used we can then tell abuse tool writers where to look.
Most of them are likely to use the mnt-irt object if it is slightly more populated.
Handy docs: http://www.ripe.net/ripe/meetings/ripe-47/presentations/ripe47-db-irt.pdf http://www.ripe.net/ripe/docs/irt-object.html
FAQ and HOWTO available via http://www.dfn-cert.de/team/matho/irt-object/

Jan

--
/~\ The ASCII / Jan Meijer \ / Ribbon Campaign -- -- SURFnet bv X Against HTML / http://www.surfnet.nl/organisatie/jm/ / \ Email http://cert-nl.surfnet.nl/
On Mar 16, Jan Meijer <jan.meijer@surfnet.nl> wrote:
FAQ and HOWTO available via http://www.dfn-cert.de/team/matho/irt-object/

The HOWTO still suggests to add mnt-irt to *all* inetnum records instead of only to the top level ones, this part should be clarified.
-- ciao, | Marco | [5135 in2WmO7h.GEY.]
Hi Jeroen,

I'm sure that creating an IRT object is doable for any ISP which takes the time. The reason why I do not wish to use IRT is that it is much too complex for the very simple purpose it should have. It seems to have been designed to be used for outsourcing of abuse-handling, I'm sure some ISP's do this but I haven't yet seen any numbers which justify a design which primarily favors these ISP's.

Remove the encryption-thing on the IRT object and let it be maintained by a maintainer object, then I'm sure more ISP's would be willing to implement it, but for it to become a success I still believe the designers need to pay attention to the needs of those ISP's who have no use for the current version.

I think it's very unfortunate that the Ripe DB doesn't have abuse information on all IP addresses, that should actually be the primary goal for a public IP database, at least from the Internet users' perspective.

Med venlig hilsen/Best regards
Christian Rasmussen
Hosting manager, jay.net a/s
Smedeland 32, 2600 Glostrup, Denmark
Email: noc@jay.net
Personal email: chr@corp.jay.net
Tlf./Phone: +45 3336 6300, Fax: +45 3336 6301
Produkter / Products: http://hosting.jay.net
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Christian Rasmussen [mailto:chr@jay.net] wrote:
I'm sure that creating an IRT object is doable for any ISP which takes the time. The reason why I do not wish to use IRT is that it is much too complex for the very simple purpose it should have. It seems to have been designed to be used for outsourcing of abuse-handling, I'm sure some ISP's do this but I haven't yet seen any numbers which justify a design which primarily favors these ISP's.
It is a separate object, just like what the abuse-c is supposed to be, but indeed without the encryption. If you put one pgpkey in the RIPE registry you are done, and you should already be using signed messages to update your objects anyways.
Remove the encryption-thing on the IRT object and let it be maintained by a maintainer object, then I'm sure more ISP's would be willing to implement it, but for it to become a success I still believe the designers need to pay attention to the needs of those ISP's who have no use for the current version.
I could live with changing the mnt-irt to be an or case with the mnt-by too indeed as currently when one wants to update an object protected by the mnt-irt it needs to be signed by both the mnt-by and the mnt-irt, when you are 'outsourcing' as you call it this is a problem, otherwise one will have access to both the maintainer and the irt anyhow.
I think it's very unfortunate that the Ripe DB doesn't have abuse information on all IP addresses, that should actually be the primary goal for a public IP database, at least from the Internet users' perspective.
Well currently, according to toolwriters, it has, as they will just use all the e-mail lines they can find. Now there is a good solution, not ;)

Greets,
 Jeroen

-----BEGIN PGP SIGNATURE-----
Version: Unfix PGP for Outlook
Comment: Jeroen Massar / http://unfix.org/~jeroen/

iQBGBAERAgAQCRApqihSMz58IwUCQFc7lgAA5OUAnj9D2qJO0OVwEzz+bJUXwX1A
Tbx3AKCKHU1lljo9gV+IIs/Wc8uJsavWjA==
=wszm
-----END PGP SIGNATURE-----
Hi Jeroen Jeroen Massar wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Christian Rasmussen [mailto:chr@jay.net] wrote:
I'm sure that creating an IRT object is doable for any ISP which takes the time. The reason why I do not wish to use IRT is that it is much too complex for the very simple purpose it should have. It seems to have been designed to be used for outsourcing of abuse-handling, I'm sure some ISP's do this but I haven't yet seen any numbers which justify a design which primarily favors these ISP's.
It is a separate object, just like what the abuse-c is supposed to be, but indeed without the encryption. If you put one pgpkey in the RIPE registry you are done, and you should already be using signed messages to update your objects anyways.
Remove the encryption-thing on the IRT object and let it be maintained by a maintainer object, then I'm sure more ISP's would be willing to implement it, but for it to become a success I still believe the designers need to pay attention to the needs of those ISP's who have no use for the current version.
I could live with changing the mnt-irt to be an or case with the mnt-by too indeed as currently when one wants to update an object protected by the mnt-irt it needs to be signed by both the mnt-by and the mnt-irt, when you are 'outsourcing' as you call it this is a problem, otherwise one will have access to both the maintainer and the irt anyhow.
You only need to include the authorisation for the mnt-irt: when it is first added to an object. Once the mnt-irt: is in the object you do not need to include this authorisation for subsequent modifications or deletions. Nor do you need this authorisation to remove the mnt-irt: from this object. So only the addition of an mnt-irt: attribute needs to be authorised by the mnt-irt:. (It does not matter if this attribute is included when creating the object or added later with a modification of the object, both would require the additional authorisation.)
I think it's very unfortunate that the Ripe DB doesn't have abuse information on all IP addresses, that should actually be the primary goal for a public IP database, at least from the Internet users' perspective.
Well currently, according to toolwriters, it has, as they will just use all the e-mail lines they can find. Now there is a good solution, not ;)
Greets, Jeroen
-----BEGIN PGP SIGNATURE----- Version: Unfix PGP for Outlook Comment: Jeroen Massar / http://unfix.org/~jeroen/
iQBGBAERAgAQCRApqihSMz58IwUCQFc7lgAA5OUAnj9D2qJO0OVwEzz+bJUXwX1A Tbx3AKCKHU1lljo9gV+IIs/Wc8uJsavWjA== =wszm -----END PGP SIGNATURE-----
Best Regards Denis Walker RIPE NCC Software Engineering Department
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Denis Walker [mailto:denis@ripe.net] wrote:
Hi Jeroen
Jeroen Massar wrote:
<SNIP>
I could live with changing the mnt-irt to be an or case with the mnt-by too indeed as currently when one wants to update an object protected by the mnt-irt it needs to be signed by both the mnt-by and the mnt-irt, when you are 'outsourcing' as you call it this is a problem, otherwise one will have access to both the maintainer and the irt anyhow.
You only need to include the authorisation for the mnt-irt: when it is first added to an object. Once the mnt-irt: is in the object you do not need to include this authorisation for subsequent modifications or deletions. Nor do you need this authorisation to remove the mnt-irt: from this object. So only the addition of an mnt-irt: attribute needs to be authorised by the mnt-irt:.
Then people should not have a problem at all with this concept. Thus it is only needed when there is extra 'work' for the IRT. Thanks for the clarification.

Greets,
 Jeroen

-----BEGIN PGP SIGNATURE-----
Version: Unfix PGP for Outlook
Comment: Jeroen Massar / http://unfix.org/~jeroen/

iQBGBAERAgAQCRApqihSMz58IwUCQFdXmAAAr5QAnRx+C/gqbqESOzOVnmCKlA2E
ukWwAJ9wJ7hHpq5vfPR8lTXta/ewwGhzJw==
=O7wT
-----END PGP SIGNATURE-----
Hi Jeroen,
I'm sure that creating an IRT object is doable for any ISP which takes the time. The reason why I do not wish to use IRT is that it is much too complex for the very simple purpose it should have. It seems to have been designed to be used for outsourcing of abuse-handling, I'm sure some ISP's do this but I haven't yet seen any numbers which justify a design which primarily favors these ISP's.
It is a separate object, just like what the abuse-c is supposed to be, but indeed without the encryption. If you put one pgpkey in the RIPE registry you are done, and you should already be using signed messages to update your objects anyways.
When creating a non-IRT object the encryption in the maintainer is used.. Why can't it be the same with IRT?
Remove the encryption-thing on the IRT object and let it be maintained by a maintainer object, then I'm sure more ISP's would be willing to implement it, but for it to become a success I still believe the designers need to pay attention to the needs of those ISP's who have no use for the current version.
I could live with changing the mnt-irt to be an or case with the mnt-by too indeed as currently when one wants to update an object protected by the mnt-irt it needs to be signed by both the mnt-by and the mnt-irt, when you are 'outsourcing' as you call it this is a problem, otherwise one will have access to both the maintainer and the irt anyhow.
I think it's very unfortunate that the Ripe DB doesn't have abuse information on all IP addresses, that should actually be the primary goal for a public IP database, at least from the Internet users' perspective.
Well currently, according to toolwriters, it has, as they will just use all the e-mail lines they can find. Now there is a good solution, not ;)
Well, the easy solution would have been to just put a mandatory abuse-email on the maintainer object, this would force all inet(6)num's to instantly have an abuse address - setting the notify address as default or similar will also encourage LIR's to change the abuse address to the correct one.

Of course this might be a bit too simplified, but I still believe the most important is to have an abuse address associated with each IP address in the Ripe DB as soon as possible.

Med venlig hilsen/Best regards
Christian Rasmussen
Hosting manager, jay.net a/s
Smedeland 32, 2600 Glostrup, Denmark
Email: noc@jay.net
Personal email: chr@corp.jay.net
Tlf./Phone: +45 3336 6300, Fax: +45 3336 6301
Produkter / Products: http://hosting.jay.net
On Mar 17, Christian Rasmussen <chr@jay.net> wrote:
When creating a non-IRT object the encryption in the maintainer is used.. Why can't it be the same with IRT?

If you are really so much concerned about this then you could use the same key for everything.

Of course this might be a bit too simplified, but I still believe the most important is to have an abuse address associated with each IP address in the Ripe DB as soon as possible.

"And shown by default for inetnum/inetnum6 queries."
-- ciao, | Marco | [5161 der9PRWGJ2Q.Q]
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Christian Rasmussen [mailto:chr@jay.net] wrote:
Jeroen Massar wrote:
Christian Rasmussen [mailto:chr@jay.net] wrote:
I'm sure that creating an IRT object is doable for any ISP which takes the time. The reason why I do not wish to use IRT is that it is much too complex for the very simple purpose it should have. It seems to have been designed to be used for outsourcing of abuse-handling, I'm sure some ISP's do this but I haven't yet seen any numbers which justify a design which primarily favors these ISP's.
It is a separate object, just like what the abuse-c is supposed to be, but indeed without the encryption. If you put one pgpkey in the RIPE registry you are done, and you should already be using signed messages to update your objects anyways.
When creating a non-IRT object the encryption in the maintainer is used.. Why can't it be the same with IRT?
You can stick the same keys in the IRT object as one puts into the MNT object, which is exactly what I did too. See IRT-SIXXS + SIXXS-MNT. <SNIP>
Well currently, according to toolwriters, it has, as they will just use all the e-mail lines they can find. Now there is a good solution, not ;)
Well, the easy solution would have been to just put a mandatory abuse-email on the maintainer object, this would force all inet(6)num's to instantly have an abuse address - setting the notify address as default or similar will also encourage LIR's to change the abuse address to the correct one.
Which defeats the following situation:

You are a LIR and thus have EXAMPLELIR-MNT.
You have a client without a maintainer.
You have your own abuse department.
Your clients have their own abuse department and you don't want to be bothered with it.

You make an inet6num for your client from your block: (stripping many fields ;)

inet6num: 2001:db8:1000::/40
netname: EXAMPLE-NET-FOR-BIG-CUSTOMER
admin-c: EXAMPLE-CUST-RIPE
tech-c: EXAMPLE-CUST-RIPE
status: ASSIGNED
mnt-by: EXAMPLE-MNT
mnt-irt: IRT-CUSTOMER

Et tada, the IRT is now set to your customers department and all this doesn't require a separate maintainer. The IRT object also contains more information than just the abuse contact.
Of course this might be a bit too simplified, but I still believe the most important is to have an abuse address associated with each IP address in the Ripe DB as soon as possible.
That is indeed very important and it can be accomplished _now_ using the IRT object. Try it ;)

Greets,
 Jeroen

-----BEGIN PGP SIGNATURE-----
Version: Unfix PGP for Outlook
Comment: Jeroen Massar / http://unfix.org/~jeroen/

iQBGBAERAgAQCRApqihSMz58IwUCQFiY9AAAgJ0AnRlAxa9SqodFTjvx0g+5beUn
JJNqAKCUN+WHozVgKnqVawUco09EoydzIQ==
=jbvY
-----END PGP SIGNATURE-----
On Tue, Mar 16, 2004 at 02:52:50AM +0100, Jeroen Massar wrote:
out if it really is easy creating it I requested an IRT object from RIPE, who have assigned it without much problems. The main problem was me not filling the form in correctly and after that being so stupid not having added the correct PGP key *whistle* and indeed it won't authenticate if the mnt-irt authentication is not satisfied, thus that part is now also successfully tested.
I wouldn't say this. I sent a request a day ago and until now I didn't get any response from people approving it.

--
Tomasz Paszkowski
http://www.e-wro.pl
Hi Tomasz, On 2004-03-17 12:55:49 +0100, Tomasz Paszkowski wrote:
On Tue, Mar 16, 2004 at 02:52:50AM +0100, Jeroen Massar wrote:
out if it really is easy creating it I requested an IRT object from RIPE, who have assigned it without much problems. The main problem was me not filling the form in correctly and after that being so stupid not having added the correct PGP key *whistle* and indeed it won't authenticate if the mnt-irt authentication is not satisfied, thus that part is now also successfully tested.
I wouldn't say this. I sent a request a day ago and until now I didn't get any response from people approving it.
We aim at responding mails to <ripe-dbm@ripe.net> in 24 hours. We have received your IRT request yesterday afternoon and responded today a couple of hours ago. Please do not hesitate to contact <ripe-dbm@ripe.net> with your ticket number if you have any questions. Best regards,
-- Tomasz Paszkowski http://www.e-wro.pl
-- Engin Gunduz RIPE NCC Software Engineering Department
participants (7)
- Christian Rasmussen
- Denis Walker
- Engin Gunduz
- Jan Meijer
- Jeroen Massar
- Marco d'Itri
- Tomasz Paszkowski