-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I am new to this mailing list, so forgive me if this has been covered before. It seems there is a pretty clear need for an extra field in inetnum and inet6num records, specifically something like an abuse-c field referencing a person record. A lot of inetnum records I have seen have a remarks field identifying the abuse ocntact, but this is in an inconsistent format making it difficult to automate in any way. It also seems that a lot of network administrators (admin-c) do not feel they should administer their network to remove viruses, etc, and get quite annoyed when contacted regarding abuse. What would be the procedure for proposing such a new field? - -- Rev Adrian Kennard uk.aa -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE//o/MHBb4e52L0Y0RAoPzAJ9Vp94eC6DMAPvAK7Lx5HiiVBPQSgCfTfFZ HfzTEAB6TwmsFBbivTe4KaU= =mlgj -----END PGP SIGNATURE-----
Hi, On Fri, 9 Jan 2004, Rev Adrian Kennard wrote:
I am new to this mailing list, so forgive me if this has been covered before.
It seems there is a pretty clear need for an extra field in inetnum and inet6num records, specifically something like an abuse-c field referencing a person record.
A lot of inetnum records I have seen have a remarks field identifying the abuse ocntact, but this is in an inconsistent format making it difficult to automate in any way. It also seems that a lot of network administrators (admin-c) do not feel they should administer their network to remove viruses, etc, and get quite annoyed when contacted regarding abuse.
What would be the procedure for proposing such a new field?
It's already there :). Please check http://www.ripe.net/ripe/docs/irt-object.html and the TF-CSIRT effort to make it easier to use this: http://www.dfn-cert.de/team/matho/irt-object/ It's not perfect but it's there. Jan -- /~\ The ASCII / Jan Meijer \ / Ribbon Campaign -- -- SURFnet bv X Against HTML / http://www.surfnet.nl/organisatie/jm/ / \ Email http://cert-nl.surfnet.nl/
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jan Meijer wrote: | Hi, | | On Fri, 9 Jan 2004, Rev Adrian Kennard wrote: | | |>I am new to this mailing list, so forgive me if this has been covered |>before. |> |>It seems there is a pretty clear need for an extra field in inetnum and |>inet6num records, specifically something like an abuse-c field |>referencing a person record. |> |>A lot of inetnum records I have seen have a remarks field identifying |>the abuse ocntact, but this is in an inconsistent format making it |>difficult to automate in any way. It also seems that a lot of network |>administrators (admin-c) do not feel they should administer their |>network to remove viruses, etc, and get quite annoyed when contacted |>regarding abuse. |> |>What would be the procedure for proposing such a new field? | | | It's already there :). | | Please check | http://www.ripe.net/ripe/docs/irt-object.html | | and the TF-CSIRT effort to make it easier to use this: | http://www.dfn-cert.de/team/matho/irt-object/ | | It's not perfect but it's there. I did look at the IRT object, but it looked far far more complex than the simple requirement of "who do I email abuse to for an IP address", which is what the "remarks" fields in a lot of inetnum objects are providing. Indeed, I am somewhat concerned by the "Creation procedure" which looks overly complex and a manual process. I will however read up on irt objects in more detail and get one created. Thanks for the feedback. - -- Rev Adrian Kennard -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE//rWCHBb4e52L0Y0RAu+rAKCMUG2qBtxZvZTIxmomdaWzrprB2QCaAuwI zLr4T5mCGF6stm/KbpgFgtY= =Rc3P -----END PGP SIGNATURE-----
On Fri, 9 Jan 2004, Rev Adrian Kennard wrote:
|>A lot of inetnum records I have seen have a remarks field identifying |>the abuse ocntact, but this is in an inconsistent format making it |>difficult to automate in any way. It also seems that a lot of network |>administrators (admin-c) do not feel they should administer their |>network to remove viruses, etc, and get quite annoyed when contacted |>regarding abuse. |> |>What would be the procedure for proposing such a new field? | | | It's already there :). | | Please check | http://www.ripe.net/ripe/docs/irt-object.html | | and the TF-CSIRT effort to make it easier to use this: | http://www.dfn-cert.de/team/matho/irt-object/ | | It's not perfect but it's there.
I did look at the IRT object, but it looked far far more complex than the simple requirement of "who do I email abuse to for an IP address", which is what the "remarks" fields ina lot of inetnum objects are providing.
Ditto. I haven't bothered with an irt object either. That is also why there are only 40 irt objects in the RIPE DB. -Hank
Indeed, I am somewhat concerned by the "Creation procedure" which looks overly complex and a manual process.
Hi, I wasn't aware this object type existed, but I can see ripe-254 is from July 2002, so its not exactly new.. The current situation in my opinion is that people (or applications) simply send their abuse complaint to all possible email addresses showing up when doing a whois on an IP address. In many cases such mails are never replied, which is the reason why all addresses are used instead of just trying one, people believe there is a greater chance for a reply this way.. This behaviour will probably not change until people feel confident that a mail to an abuse address found on a whois is read by the actual technicians who takes care of this. Realistically I think the majority of inetnum objects needs to have such a record before anything will change. Therefore I believe it has to be mandatory for all new inetnum objects to reference an abuse address. This irt object seems a bit complex with encryption and so on if the intention should be for all inetnums to reference such an object. It has to be the responsibility of the LIR maintaining the address block to ensure endusers are not abusing the addresses. Only the LIR can create inetnum objects for their address block (else something is very wrong!) and this way have the ability to ensure the correct abuse address is used, so I don't see how it can be absolutely necessary to use encryption..?! The procedure for implementing the irt object (modify every single inetnum object) does not exactly motivate LIRs, what about referencing an abuse object from the maintainer object? MNT-BY is mandatory on inetnum objects, so it should be possible for a LIR to reference all inetnum objects this way by just adding an attribute to their maintainer object. I imagine it would be possible for the whois to show a part of a maintainer object? I would suggest to use something simpler than the irt object, what about a role object or simply a person object as suggested by Adrian Kennard? The most important has to be to have all inetnum objects referencing some kind of abuse object, until then it will not have much effect. Once this goal is reached it can be extended with encryption and so on if the LIRs wants it. Med venlig hilsen/Best regards Christian Rasmussen Hosting manager, jay.net a/s Smedeland 32, 2600 Glostrup, Denmark Email: noc@jay.net Personal email: chr@corp.jay.net Tlf./Phone: +45 3336 6300, Fax: +45 3336 6301 Produkter / Products: http://hosting.jay.net
-----Original Message----- From: db-wg-admin@ripe.net [mailto:db-wg-admin@ripe.net]On Behalf Of Jan Meijer Sent: 9. januar 2004 13:33 To: Rev Adrian Kennard Cc: db-wg@ripe.net Subject: Re: [db-wg] abuse-c
Hi,
On Fri, 9 Jan 2004, Rev Adrian Kennard wrote:
I am new to this mailing list, so forgive me if this has been covered before.
It seems there is a pretty clear need for an extra field in inetnum and inet6num records, specifically something like an abuse-c field referencing a person record.
A lot of inetnum records I have seen have a remarks field identifying the abuse ocntact, but this is in an inconsistent format making it difficult to automate in any way. It also seems that a lot of network administrators (admin-c) do not feel they should administer their network to remove viruses, etc, and get quite annoyed when contacted regarding abuse.
What would be the procedure for proposing such a new field?
It's already there :).
Please check http://www.ripe.net/ripe/docs/irt-object.html
and the TF-CSIRT effort to make it easier to use this: http://www.dfn-cert.de/team/matho/irt-object/
It's not perfect but it's there.
Jan
-- /~\ The ASCII / Jan Meijer \ / Ribbon Campaign -- -- SURFnet bv X Against HTML / http://www.surfnet.nl/organisatie/jm/ / \ Email http://cert-nl.surfnet.nl/
On Fri, 9 Jan 2004, Rev Adrian Kennard wrote:
It seems there is a pretty clear need for an extra field in inetnum and inet6num records, specifically something like an abuse-c field referencing a person record.
A lot of inetnum records I have seen have a remarks field identifying the abuse ocntact, but this is in an inconsistent format making it difficult to automate in any way. It also seems that a lot of network administrators (admin-c) do not feel they should administer their network to remove viruses, etc, and get quite annoyed when contacted regarding abuse.
What would be the procedure for proposing such a new field?
On Fri, Jan 09, 2004 at 03:47:36PM +0100, Christian Rasmussen wrote:
Realistically I think the majority of inetnum objects needs to have such a record before anything will change. Therefore I believe it has to be mandatory for all new inetnum objects to reference an abuse address.
I suggest to make this mandatory for _all_ (new and existing) that have a tech-c entry, by copying the tech-c entries. Afterwards everyone can change his abuse-c, and I think most tools will stop spamming all other email addresses shortly if enough people ignore those reports that are sent multiple times.
On Fri, Jan 09, 2004 at 01:32:39PM +0100, Jan Meijer wrote:
It seems there is a pretty clear need for an extra field in inetnum and inet6num records, specifically something like an abuse-c field referencing a person record.
It's already there :).
Please check http://www.ripe.net/ripe/docs/irt-object.html
and the TF-CSIRT effort to make it easier to use this: http://www.dfn-cert.de/team/matho/irt-object/
It's not perfect but it's there.
That's exactly the point, IRT is there but far for perfect for the purpose the original poster is refering to. The problem is that there are a lot of 'tools' out there who have a mechansim to query ripe or another db for the inetnum and all person and role objects asociated with it to find line which contains an '@' to be a valid address to complain to. Refering to an abuse address in remarks is possible, but then even you have to be carefull to not enclose the address in <> as some webbased tools strip them out. Not to judge on all, but I get the feeling that there are a lot of people who don't know what the fields mean, let alone they will know on how to use the irt object. So we can start advertising the irt mechanism to both the LIR's and the people who migth come searching for an address to send a complaint to. I don't think it is very likely to hit a large public in a reasonable time. Introducing an extra (mandatory) field in inetnum objects to hold the abuse address for that specific netblock and nothing more makes it much more easier for all those people who write automated process to get the information requested and not have to fallback to listing addresses in changed: fields as a possible way to complain. Introducing it and making some noise about it on certain mailinglists and fora, will probably be picked much faster. As such can this subject be put an the wg-agenda for ripe-47 ? To formalize it a little bit I wan't to put forward the proposal to add an 'abuse' field to inetnum and inet6num objects. This field will be limited to one line containing a syntactically correct email address which can be used to send abuse complaints on ip-addresses in that block. Reasons to do so are to give people an easy way to automate finding a place to complain and giving LIR's an easy and generic way to publish the abuse address, without having to resort to the unknown and for the average database user complex method of the irt-object. As a side effect this might result in more spammers hitting the abuse box directly as they harvest the database :) I'm not stating that this is the best way, but a have a feeling this can improve things a lot. Grtx, Marco Hogewoning
At 06:27 PM 09-01-04 +0100, MarcoH wrote:
On Fri, Jan 09, 2004 at 01:32:39PM +0100, Jan Meijer wrote:
It seems there is a pretty clear need for an extra field in inetnum and inet6num records, specifically something like an abuse-c field referencing a person record.
It's already there :).
Please check http://www.ripe.net/ripe/docs/irt-object.html
and the TF-CSIRT effort to make it easier to use this: http://www.dfn-cert.de/team/matho/irt-object/
It's not perfect but it's there.
That's exactly the point, IRT is there but far for perfect for the purpose the original poster is refering to.
The problem is that there are a lot of 'tools' out there who have a mechansim to query ripe or another db for the inetnum and all person and role objects asociated with it to find line which contains an '@' to be a valid address to complain to.
And I don't know of any automated tool that processes the irt object.
Refering to an abuse address in remarks is possible, but then even you have to be carefull to not enclose the address in <> as some webbased tools strip them out.
Not to judge on all, but I get the feeling that there are a lot of people who don't know what the fields mean, let alone they will know on how to use the irt object.
So we can start advertising the irt mechanism to both the LIR's and the people who migth come searching for an address to send a complaint to. I don't think it is very likely to hit a large public in a reasonable time.
Introducing an extra (mandatory) field in inetnum objects to hold the abuse address for that specific netblock and nothing more makes it much more easier for all those people who write automated process to get the information requested and not have to fallback to listing addresses in changed: fields as a possible way to complain.
Introducing it and making some noise about it on certain mailinglists and fora, will probably be picked much faster.
As such can this subject be put an the wg-agenda for ripe-47 ?
To formalize it a little bit I wan't to put forward the proposal to add an 'abuse' field to inetnum and inet6num objects.
This field will be limited to one line containing a syntactically correct email address which can be used to send abuse complaints on ip-addresses in that block.
Reasons to do so are to give people an easy way to automate finding a place to complain and giving LIR's an easy and generic way to publish the abuse address, without having to resort to the unknown and for the average database user complex method of the irt-object.
As a side effect this might result in more spammers hitting the abuse box directly as they harvest the database :)
I'm not stating that this is the best way, but a have a feeling this can improve things a lot.
I too would support a simple abuse-c object. -Hank
Grtx,
Marco Hogewoning
MarcoH wrote:
On Fri, Jan 09, 2004 at 01:32:39PM +0100, Jan Meijer wrote:
It seems there is a pretty clear need for an extra field in inetnum and inet6num records, specifically something like an abuse-c field referencing a person record.
It's already there :).
Please check http://www.ripe.net/ripe/docs/irt-object.html
and the TF-CSIRT effort to make it easier to use this: http://www.dfn-cert.de/team/matho/irt-object/
It's not perfect but it's there.
That's exactly the point, IRT is there but far for perfect for the purpose the original poster is refering to.
The problem is that there are a lot of 'tools' out there who have a mechansim to query ripe or another db for the inetnum and all person and role objects asociated with it to find line which contains an '@' to be a valid address to complain to.
Well, except that the word 'abuse' may be a bit easier to understand than 'irt' for many non-RIPE-database-gurus, I do not see much difference between a reference to an IRT object or a reference to a person/role object. The big difference is that an IRT is usually better protected (see below) and provides more information. The protection that the IRT gives over a person/role object includes: - It MUST be maintained, while a person or role object does not have to be; it can be completely unprotected. - Authorization from the IRT is required, before the IRT can be linked to the inet[6]num object. This is important so not all mail for a malicious company can go to another (or non-existent) address. Moreover, if the IRT object is maintained by TRUSTED-INTRODUCER-MNT (or possibly other organisations of Incident Response Teams), it means the object's information has been verified and is verified on a regular basis.
Refering to an abuse address in remarks is possible, but then even you have to be carefull to not enclose the address in <> as some webbased tools strip them out.
Not to judge on all, but I get the feeling that there are a lot of people who don't know what the fields mean, let alone they will know on how to use the irt object.
The encryption information in the IRT object is just for communication that needs encryption. For normal abuse reports just the e-mail/phone/fax/address fields will suffice.
So we can start advertising the irt mechanism to both the LIR's and the people who migth come searching for an address to send a complaint to. I don't think it is very likely to hit a large public in a reasonable time.
Neither would another extra attribute, because people will still be sending their mail to ALL adresses found...
Introducing an extra (mandatory) field in inetnum objects to hold the abuse address for that specific netblock and nothing more makes it much more easier for all those people who write automated process to get the information requested and not have to fallback to listing addresses in changed: fields as a possible way to complain.
If they can find the information in a person/role object, so can they in an IRT object. If the tool finds an mnt-irt attribute, just let it look for the contact information (address, phone, fax-no and e-mail) in the IRT object and display that to the user.
Introducing it and making some noise about it on certain mailinglists and fora, will probably be picked much faster.
I agree on that point...
As such can this subject be put an the wg-agenda for ripe-47 ?
To formalize it a little bit I wan't to put forward the proposal to add an 'abuse' field to inetnum and inet6num objects.
This field will be limited to one line containing a syntactically correct email address which can be used to send abuse complaints on ip-addresses in that block.
Reasons to do so are to give people an easy way to automate finding a place to complain and giving LIR's an easy and generic way to publish the abuse address, without having to resort to the unknown and for the average database user complex method of the irt-object.
I agree that making an IRT object is a bit more difficult than making an extra attribute, but reading an IRT object is not so difficult and could be easily automated.
As a side effect this might result in more spammers hitting the abuse box directly as they harvest the database :)
As if the abuse boxes aren't full enough already... ;-) Personally, I would suggest promoting the current advanced mechanism instead of inventing something new. Regards, Menno Pieters -- Menno Pieters - Stelvio Postbus 215, 3740 AE Baarn phone: +31-35-5.429.324 / fax: +31-35-5.429.327 XOIP: +31-84-8.720.349 / Web: http://www.stelvio.nl/
Well, except that the word 'abuse' may be a bit easier to understand than 'irt' for many non-RIPE-database-gurus, I do not see much difference between a reference to an IRT object or a reference to a person/role object. The big difference is that an IRT is usually better protected (see below) and provides more information.
I don't see IRTs and abuse-c as inconsistent. In particular, I'd like to see _one_ of them ASAP, whichever one it is. /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML mouse@rodents.montreal.qc.ca / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
Hi Menno,
Well, except that the word 'abuse' may be a bit easier to understand than 'irt' for many non-RIPE-database-gurus, I do not see much difference between a reference to an IRT object or a reference to a person/role object. The big difference is that an IRT is usually better protected (see below) and provides more information.
The protection that the IRT gives over a person/role object includes: - It MUST be maintained, while a person or role object does not have to be; it can be completely unprotected. - Authorization from the IRT is required, before the IRT can be linked to the inet[6]num object. This is important so not all mail for a malicious company can go to another (or non-existent) address.
Moreover, if the IRT object is maintained by TRUSTED-INTRODUCER-MNT (or possibly other organisations of Incident Response Teams), it means the object's information has been verified and is verified on a regular basis.
We can agree that it would be preferable to have a special abuse-object with a mandatory maintainer attribute instead of just refering a role/person object, still the most important is that the whois database is an effectiv tool to locate an abuse address. Regarding authorization of the object, it could be done kind of the same way as a route object meaning maintainer has to be the same or can authorize the other. The LIR maintaing an address block is responsible for taking care of the related abuse cases. I see no problem in some LIRs outsourcing this to a third party (which I guess is what you mean by "other organisations of Incident Response Teams"), but I don't see it to be more trustworthy if a third party is involved than if the LIR takes care of it. But I do see it as a problem if such third party needs to be verified and such procedure makes this matter so complicated that almost no LIRs bother using it (as the case is today).
So we can start advertising the irt mechanism to both the LIR's and the people who migth come searching for an address to send a complaint to. I don't think it is very likely to hit a large public in a reasonable time.
Neither would another extra attribute, because people will still be sending their mail to ALL adresses found...
The current problem is that the majority of LIRs have chosen not to use irt, probably both because it haven't been announced enough and because it is too complicated. As soon as an attribute is implemented in most inetnum objects, meaning people have a reason to trust that an abuse address actually works, then people will stop using any other address, simply because the abuse address will work and the others will not.
Introducing an extra (mandatory) field in inetnum objects to hold the abuse address for that specific netblock and nothing more makes it much more easier for all those people who write automated process to get the information requested and not have to fallback to listing addresses in changed: fields as a possible way to complain.
If they can find the information in a person/role object, so can they in an IRT object. If the tool finds an mnt-irt attribute, just let it look for the contact information (address, phone, fax-no and e-mail) in the IRT object and display that to the user.
Yes, but thats not the point. Either the current irt object or a new and simpler abuse object implemented in most inetnum objects will be easy to retrieve abuse addresses from. The point is simply that it is much more realistic to implement a simple object than a complex one in most inetnum objects.
As such can this subject be put an the wg-agenda for ripe-47 ?
To formalize it a little bit I wan't to put forward the proposal to add an 'abuse' field to inetnum and inet6num objects.
Sounds like a good idea.
Personally, I would suggest promoting the current advanced mechanism instead of inventing something new.
The question simply is if ALL LIRs are ready/willing to implement the current irt object, its much more likely that the majority will implement a simpler version. The irt features can then be introduced at a later time once all inetnum objects have been updated. I would suggest a project be initiated like when encryption was made mandatory in maintainer objects. Abuse addresses in inetnum objects will not have much effect until they are implemented in all inet[6]num objects. Once the correct attribute has been decided it must be implemented ASAP. Med venlig hilsen/Best regards Christian Rasmussen Hosting manager, jay.net a/s Smedeland 32, 2600 Glostrup, Denmark Email: noc@jay.net Personal email: chr@corp.jay.net Tlf./Phone: +45 3336 6300, Fax: +45 3336 6301 Produkter / Products: http://hosting.jay.net
Christian Rasmussen wrote: [SNIP]
We can agree that it would be preferable to have a special abuse-object with a mandatory maintainer attribute instead of just refering a role/person object, still the most important is that the whois database is an effectiv tool to locate an abuse address.
Correct.
Regarding authorization of the object, it could be done kind of the same way as a route object meaning maintainer has to be the same or can authorize the other.
No, but let me explain below.
The LIR maintaing an address block is responsible for taking care of the related abuse cases. I see no problem in some LIRs outsourcing this to a third party (which I guess is what you mean by "other organisations of Incident Response Teams"), but I don't see it to be more trustworthy if a third party is involved than if the LIR takes care of it. But I do see it as a problem if such third party needs to be verified and such procedure makes this matter so complicated that almost no LIRs bother using it (as the case is today).
In the current implementation the IRT and the LIR (maintainer) are supposes to be different groups of persons, whether they are part of the same organisation of not. The LIR cannot simply make the IRT responsible for its IP range, but the IRT has to authorise this, by counter-signing the request to add an mnt-irt attribute to the inet[6]num object. Otherwise any maintainer of an inet[6]num (which could be delegated) could simply make the inet[6]num object point to any IRT for abuse complaints. The current mechanism is to protect the IRT form being blamed for things they are not responsible for simply because "Evil Company" points a finger towards them. The "other organisations" are (future?) organisations like TI (http://www.ti.terena.nl/), in which IRTs can cooperate and establish trust relationships with eachother and with the RIPE community.
So we can start advertising the irt mechanism to both the LIR's and the people who migth come searching for an address to send a complaint to. I don't think it is very likely to hit a large public in a reasonable time.
Neither would another extra attribute, because people will still be sending their mail to ALL adresses found...
The current problem is that the majority of LIRs have chosen not to use irt, probably both because it haven't been announced enough and because it is too complicated. As soon as an attribute is implemented in most inetnum objects, meaning people have a reason to trust that an abuse address actually works, then people will stop using any other address, simply because the abuse address will work and the others will not.
That is exactly why there must be double authorization for the relationship between IRT and inet[6]num: to ensure correctness and mutual agreement.
Introducing an extra (mandatory) field in inetnum objects to hold the abuse address for that specific netblock and nothing more makes it much more easier for all those people who write automated process to get the information requested and not have to fallback to listing addresses in changed: fields as a possible way to complain.
If they can find the information in a person/role object, so can they in an IRT object. If the tool finds an mnt-irt attribute, just let it look for the contact information (address, phone, fax-no and e-mail) in the IRT object and display that to the user.
Yes, but thats not the point. Either the current irt object or a new and simpler abuse object implemented in most inetnum objects will be easy to retrieve abuse addresses from. The point is simply that it is much more realistic to implement a simple object than a complex one in most inetnum objects.
The object itself is not so complicated. The mechanism to create it is, and that has a purpose (see above). [SNIP]
Personally, I would suggest promoting the current advanced mechanism instead of inventing something new.
The question simply is if ALL LIRs are ready/willing to implement the current irt object, its much more likely that the majority will implement a simpler version. The irt features can then be introduced at a later time once all inetnum objects have been updated.
I would suggest a project be initiated like when encryption was made mandatory in maintainer objects. Abuse addresses in inetnum objects will not have much effect until they are implemented in all inet[6]num objects.
Once the correct attribute has been decided it must be implemented ASAP.
I agree that there must be a better mechanism than the comments in the inet[6]num and maintainer objects, but I'm still in favor of promoting the existing one and perhaps explaining it a little better. Regards, Menno Pieters -- Menno Pieters - Stelvio Postbus 215, 3740 AE Baarn phone: +31-35-5.429.324 / fax: +31-35-5.429.327 XOIP: +31-84-8.720.349 / Web: http://www.stelvio.nl/
Menno Pieters (Stelvio) wrote:
The object itself is not so complicated. The mechanism to create it is, and that has a purpose (see above).
I can't see anything "above" which explains why the creation purpose should be complicated. Can you elaborate? Thanks John JANET-CERT
John Green wrote:
Menno Pieters (Stelvio) wrote:
The object itself is not so complicated. The mechanism to create it is,
and that has a purpose (see above).
I can't see anything "above" which explains why the creation purpose should be complicated.
Well, "above" I wrote:
In the current implementation the IRT and the LIR (maintainer) are supposes to be different groups of persons, whether they are part of the same organisation of not. The LIR cannot simply make the IRT responsible for its IP range, but the IRT has to authorise this, by counter-signing the request to add an mnt-irt attribute to the inet[6]num object. Otherwise any maintainer of an inet[6]num (which could be delegated) could simply make the inet[6]num object point to any IRT for abuse complaints. The current mechanism is to protect the IRT form being blamed for things they are not responsible for simply because "Evil Company" points a finger towards them.
To elaborate on that, the complications for creating an IRT object are: - You need a maintainer for an IRT object (which is not required for an extra attribute or a person/role object); - Strong authentication from both the IRT and the LIR is required to link an IRT object to the inet[6]num object. The reasons to do it this way is to prevent that the IRT mentioned in the IRT object gets complaints about abuse made form IP ranges that they are not responsible for, simply because "Evil Company" put the e-mail address of the IRT in its inet[6]num object (or as Daniel Karrenberg suggested in on of the maintainer objects protecting the object). So both the IRT and the LIR (even if they are in the same room or just next door), must agree. In a small organisation it is possible that it's the same (group of) person(s), using the same PGP key and the problem is void, because the request needs to be signed only once. Regards, Menno Pieters -- Menno Pieters - Stelvio Postbus 215, 3740 AE Baarn phone: +31-35-5.429.324 / fax: +31-35-5.429.327 XOIP: +31-84-8.720.349 / Web: http://www.stelvio.nl/
Menno Pieters (Stelvio) wrote:
To elaborate on that, the complications for creating an IRT object are: - You need a maintainer for an IRT object (which is not required for an extra attribute or a person/role object); - Strong authentication from both the IRT and the LIR is required to link an IRT object to the inet[6]num object.
The reasons to do it this way is to prevent that the IRT mentioned in the IRT object gets complaints about abuse made form IP ranges that they are not responsible for, simply because "Evil Company" put the e-mail address of the IRT in its inet[6]num object (or as Daniel Karrenberg suggested in on of the maintainer objects protecting the object).
So both the IRT and the LIR (even if they are in the same room or just next door), must agree. In a small organisation it is possible that it's the same (group of) person(s), using the same PGP key and the problem is void, because the request needs to be signed only once.
I have never understood what this gives you. If "Evil Company" wants to misdirect abuse reports (why?) they can circumvent this by making a fake IRT object with IRT XYZ as the contact email address. John Green JANET-CERT
On Jan 12, John Green <j.green@ukerna.ac.uk> wrote:
I can't see anything "above" which explains why the creation purpose should be complicated. It's complicated if you want to use TI. When I wanted to create an IRT object I just asked RIPE to authorize it, and it was done quickly and with no pain. Currently I see no reason to use TI.
BTW, what about returning the IRT record by default for inetnum queries? This would let more people know about it and if decorated with big ASCII art could partially solve the problem of lusers writing to every email address they find in the answer. -- ciao, | Marco | [4044 PlaPejYGTr8eQ]
Marco d'Itri wrote:
On Jan 12, John Green <j.green@ukerna.ac.uk> wrote:
I can't see anything "above" which explains why the creation purpose should be complicated. It's complicated if you want to use TI. When I wanted to create an IRT object I just asked RIPE to authorize it, and it was done quickly and with no pain. Currently I see no reason to use TI.
TI is an organisation that verifies the information, so that it can be *trusted*. For ordinary users it may be to hard to understand this and how to make sure it all correct. For IRT among eachother it may be important.
BTW, what about returning the IRT record by default for inetnum queries? This would let more people know about it and if decorated with big ASCII art could partially solve the problem of lusers writing to every email address they find in the answer.
Well, *that* is a good idea! Regards, Menno Pieters -- Menno Pieters - Stelvio Postbus 215, 3740 AE Baarn phone: +31-35-5.429.324 / fax: +31-35-5.429.327 XOIP: +31-84-8.720.349 / Web: http://www.stelvio.nl/
Menno Pieters (Stelvio) wrote:
TI is an organisation that verifies the information, so that it can be *trusted*. For ordinary users it may be to hard to understand this and how to make sure it all correct. For IRT among eachother it may be important.
But all that going via the TI route gives you is a "mnt-by: TI" entry in your object. There are other non-RIPE ways for teams to infer how much trust they should give to another team, and overloading mnt-by seems undesirable. Some useful changes would be renaming the IRT object to something more general, like Abuse (?) object and for it to be returned by default when querying an IP (or AS). The seperation into an easily maintainable object which includes stuff in addition to email address (like postal address, pgp and phone) are useful enhancements to "trouble:". Cheers John
Hi Menno, Thank you for your comments.
The LIR maintaing an address block is responsible for taking care of the related abuse cases. I see no problem in some LIRs outsourcing this to a third party (which I guess is what you mean by "other organisations of Incident Response Teams"), but I don't see it to be more trustworthy if a third party is involved than if the LIR takes care of it. But I do see it as a problem if such third party needs to be verified and such procedure makes this matter so complicated that almost no LIRs bother using it (as the case is today).
In the current implementation the IRT and the LIR (maintainer) are supposes to be different groups of persons, whether they are part of the same organisation of not.
This is where I disagree with the idea behind the irt implementation, I do not see the reason for making the distinction between LIR and IRT as it do not apply to all LIRs. In many LIRs abuse is handled by the same group (and sometimes even the same persons) as the ones handling general LIR functions.
for its IP range, but the IRT has to authorise this, by counter-signing the request to add an mnt-irt attribute to the inet[6]num object. Otherwise any maintainer of an inet[6]num (which could be delegated) could simply make the inet[6]num object point to any IRT for abuse complaints. The current mechanism is to protect the IRT form being blamed for things they are not responsible for simply because "Evil Company" points a finger towards them.
I very much agree with you that a LIR shall not be able to "forward the problem" by using another organsations irt object without permission. But the question is how many LIRs choose to "outsource" abuse, even to a group within the organization? I could have hoped this had been determined before implementing the IRT object. I understand that it is necessary for LIRs who prefer to use a seperate group within the organization or a third party to use encryption for authentication, but can we agree that for the rest of the LIRs it could just as easily be done by maintainer authentication like when creating route objects? If so what would the disadvantage be? Im not opposed that some LIRs can effectively outsource abuse even if it requires special objects/attributes in the Ripe database, but Im very much opposed that these special objects/attributes are mandatory meaning it becomes an obstacle for LIRs prefering to keep abuse within the organization.
The current problem is that the majority of LIRs have chosen not to use irt, probably both because it haven't been announced enough and because it is too complicated. As soon as an attribute is implemented in most inetnum objects, meaning people have a reason to trust that an abuse address actually works, then people will stop using any other address, simply because the abuse address will work and the others will not.
That is exactly why there must be double authorization for the relationship between IRT and inet[6]num: to ensure correctness and mutual agreement.
Only in cases where LIRs choose to outsource abuse, if it is within the same organzation, one LIR cannot (hopefully) hijack another LIRs maintainer, meaning an abuse object created and used by one LIR cannot be used by another.
I agree that there must be a better mechanism than the comments in the inet[6]num and maintainer objects, but I'm still in favor of promoting the existing one and perhaps explaining it a little better.
The reason why a better explanation is needed for the current IRT object is because it has extensive authentication, if many LIRs have no use for these extra features, can you find any reason for them to spent time finding out how to use/create this object? Med venlig hilsen/Best regards Christian Rasmussen Hosting manager, jay.net a/s Smedeland 32, 2600 Glostrup, Denmark Email: noc@jay.net Personal email: chr@corp.jay.net Tlf./Phone: +45 3336 6300, Fax: +45 3336 6301 Produkter / Products: http://hosting.jay.net
Realistically speaking it is not very likely that stupid tools will change very soon. Nonetheless I like the proposal of a simple 'abuse-mailbox' attribute containing an e-mail address and nothing else. This would open the possibility to ask tool-writers not to spam all the other e-mail addresses in the inet*num objects and any object remotely related to them. In other words: we provide specific information where to send such messages, so it is a Bad Idea(TM) to send it anywhere else. I do not think we should make this attribute mandatory however, as introducing mandatory attributes is difficult in existing objects that have significant deployment. Furthermore making an attribute mandatory tends to decrease its meaningfulness somewhat as people fill in 'anything' if they do not have meaningful data to provide. Preventing general spam from stupid tools and getting abuse e-mail concentrated in one mailbox should be enough motivation for deployment. I am also in favour of adding the 'abuse-mailbox' attribute to the maintainer object in order to provide a quick way for deployment that does not involve changing a lot of inet*num objects. The referencing recommendation should be: "If the inet*num object for the address concerned has an 'abuse-mailbox', use this address *only* for sending abuse complaints. If such an attribute is not present, check the maintainer object for an 'abuse-mailbox' attribute and use this address *only* for sending abuse complaints." Daniel "When doing a simple software project, always assume others will take it furter, a lot further!"
This would certainly address my needs. Niall O'Reilly On 12 Jan 2004, at 07:45, Daniel Karrenberg wrote:
Realistically speaking it is not very likely that stupid tools will change very soon. Nonetheless I like the proposal of a simple 'abuse-mailbox' attribute containing an e-mail address and nothing else. This would open the possibility to ask tool-writers not to spam all the other e-mail addresses in the inet*num objects and any object remotely related to them. In other words: we provide specific information where to send such messages, so it is a Bad Idea(TM) to send it anywhere else.
On Mon, Jan 12, 2004 at 08:45:09AM +0100, Daniel Karrenberg wrote:
Realistically speaking it is not very likely that stupid tools will change very soon. Nonetheless I like the proposal of a simple 'abuse-mailbox' attribute containing an e-mail address and nothing else. This would open the possibility to ask tool-writers not to spam all the other e-mail addresses in the inet*num objects and any object remotely related to them. In other words: we provide specific information where to send such messages, so it is a Bad Idea(TM) to send it anywhere else.
I do not think we should make this attribute mandatory however, as introducing mandatory attributes is difficult in existing objects that have significant deployment. Furthermore making an attribute mandatory tends to decrease its meaningfulness somewhat as people fill in 'anything' if they do not have meaningful data to provide. Preventing general spam from stupid tools and getting abuse e-mail concentrated in one mailbox should be enough motivation for deployment.
I am also in favour of adding the 'abuse-mailbox' attribute to the maintainer object in order to provide a quick way for deployment that does not involve changing a lot of inet*num objects. The referencing recommendation should be: "If the inet*num object for the address concerned has an 'abuse-mailbox', use this address *only* for sending abuse complaints. If such an attribute is not present, check the maintainer object for an 'abuse-mailbox' attribute and use this address *only* for sending abuse complaints."
I totally agree on this, this will give a clear and easy to understand/implement mechanism for people writing whatever tool to find abuse handling addresses. Grtx, MarcoH
MarcoH wrote:
Not to judge on all, but I get the feeling that there are a lot of people who don't know what the fields mean, let alone they will know on how to use the irt object.
For the record, there is one other way you might use to indicate an abuse contact, via the "trouble:" attribute in the role object: Contains information on who to contact when there are problems. Also, what various contact information means is not clear. What administration does the "admin-c:" do exactly? Only update the RIPE Database? Coordinate with the RIPE NCC? Is it the CEO of a company? The manager of the IT department? Or an independent contractor who handles all the details of connectivity? I know that all of these interpretations do appear in the database. A similar range of meanings are attached to the "tech-c:" attribute. On of the problems that was identified when the irt object type was defined is that there are a lot of meanings of "incident" that the "irt" could be responding to. The same applies to an "abuse-c:" attribute. Does abuse mean spam? DoS? Illegally trading movies? E-mailed viruses? Pornography? Gambling? Hijacking address space? Do you have different desks for these different types of abuses? If so, does it make sense to have different contacts for them? (History shows this doesn't matter too much - as users tend to send to every e-mail they can find. But in the future, it would make modifying output of tools to only display relevant information easier.) -- Shane Kerr RIPE NCC
Hi Shane,
On of the problems that was identified when the irt object type was defined is that there are a lot of meanings of "incident" that the "irt" could be responding to. The same applies to an "abuse-c:" attribute. Does abuse mean spam? DoS? Illegally trading movies? E-mailed viruses? Pornography? Gambling? Hijacking address space?
I believe "abuse-address" in regards to IP addresses simply means the entity to contact if you feel the user of a specific IP addresses has acted inappropriately, this is of course relative and also has to do with the law in the country where the IP address is used. The point is that any Internet user can access a public available database and find the entity in charge of the IP address - if communication between the entity in charge and the Internet user reporting the abuse concludes no law has been broken in the country where the IP address is operated then this doesn't have much to do with the database telling which entity is in charge of the IP address.
Do you have different desks for these different types of abuses? If so, does it make sense to have different contacts for them? (History shows this doesn't matter too much - as users tend to send to every e-mail they can find. But in the future, it would make modifying output of tools to only display relevant information easier.)
If you have to create categories for abuse, both all LIRs and all Internet users has to agree on the definitions and I don't think that's very realistic. Med venlig hilsen/Best regards Christian Rasmussen Hosting manager, jay.net a/s Smedeland 32, 2600 Glostrup, Denmark Email: noc@jay.net Personal email: chr@corp.jay.net Tlf./Phone: +45 3336 6300, Fax: +45 3336 6301 Produkter / Products: http://hosting.jay.net
On Mon, Jan 12, 2004 at 09:55:06AM +0100, Shane Kerr wrote:
On of the problems that was identified when the irt object type was defined is that there are a lot of meanings of "incident" that the "irt" could be responding to. The same applies to an "abuse-c:" attribute. Does abuse mean spam? DoS? Illegally trading movies? E-mailed viruses? Pornography? Gambling? Hijacking address space?
Do you have different desks for these different types of abuses? If so, does it make sense to have different contacts for them? (History shows this doesn't matter too much - as users tend to send to every e-mail they can find. But in the future, it would make modifying output of tools to only display relevant information easier.)
That's why I proposed a simple attribute only containing 1 single email address where people can send their complaints. It will mostly end-up being abuse@isp for every single inetnum. It's harder to maintain, but easier to delegate abuse handling for a specific inetnum to a certain part of the company or even to the enduser. If you define a abuse-c: as a person/role object, you still have the problem that people need to resolve it and then possibly get multiple addresses. So the problem doesn't get solved and we can just stick with the irt-object. I think for this we can better stick to the most simple solution available. Grtx, MarcoH
On Jan 12, MarcoH <marcoh@marcoh.net> wrote:
If you define a abuse-c: as a person/role object, you still have the problem that people need to resolve it and then possibly get multiple addresses. So the problem doesn't get solved and we can just stick with the irt-object. Not if the relevant IRT object is automatically returned for every inetnum query. This is what ARIN does, BTW.
I think for this we can better stick to the most simple solution available. I think you should define better you requirements of simplicity...
-- ciao, | Marco | [4046 bascZNOGgkZo2]
On Mon, Jan 12, 2004 at 03:39:32PM +0100, Marco d'Itri wrote:
If you define a abuse-c: as a person/role object, you still have the problem that people need to resolve it and then possibly get multiple addresses. So the problem doesn't get solved and we can just stick with the irt-object. Not if the relevant IRT object is automatically returned for every inetnum query. This is what ARIN does, BTW.
Ok, but in that case we need to launch a campaign to get people aware of the irt object and how they should use it.
I think for this we can better stick to the most simple solution available. I think you should define better you requirements of simplicity...
IMHO you can define two groups of database users: - the relatively small group of techies who are updating the database and/or know how to use it and how to find specific information like incident response teams. - The large group of users who hardly know what the database is and why it is there and only want to get one piece of information: Where can I complain about this spam I got. For the first group everything is in place and working. As from my personal experience the second group doesn't understand how things work and how to read the information returned on a query and to be more specific admin-c, tech-c and especially changed attributes are not by default the best address to send complaints to as we already mentioned in the remarks section which got returned on the same query. Reading the remarks section which is used by most people to list abuse information is easy for the human reader, although I have came accross webinterfaces who didn't like the <address> notation most people use. But it's hard for a programmer to 'read' as it is not fixed format. Introducing the abuse: attribute as a single syntactically valid[1] email address on inetnum objects or the first level of objects it refers to makes it simple in the way that: whois ip-address | grep abuse: Will always result in a valid email address to send the complaint, without the need to walk to a tree of objects referring to each other and search for remarks fields pointing to the abuse desk or just collecting everything which includes an '@' and not even using uniq on them. Take it from the point of the non-professional "I'm sure this is easy to write in perl/php/shell/cobol/whatever" programmer who needs to query and parse the ripe database. MarcoH
Hi Marco,
IMHO you can define two groups of database users:
- the relatively small group of techies who are updating the database and/or know how to use it and how to find specific information like incident response teams. - The large group of users who hardly know what the database is and why it is there and only want to get one piece of information: Where can I complain about this spam I got.
For the first group everything is in place and working. As from my personal experience the second group doesn't understand how things work and how to read the information returned on a query and to be more specific admin-c, tech-c and especially changed attributes are not by default the best address to send complaints to as we already mentioned in the remarks section which got returned on the same query.
Reading the remarks section which is used by most people to list abuse information is easy for the human reader, although I have came accross webinterfaces who didn't like the <address> notation most people use. But it's hard for a programmer to 'read' as it is not fixed format.
Introducing the abuse: attribute as a single syntactically valid[1] email address on inetnum objects or the first level of objects it refers to makes it simple in the way that:
whois ip-address | grep abuse:
Will always result in a valid email address to send the complaint, without the need to walk to a tree of objects referring to each other and search for remarks fields pointing to the abuse desk or just collecting everything which includes an '@' and not even using uniq on them.
Take it from the point of the non-professional "I'm sure this is easy to write in perl/php/shell/cobol/whatever" programmer who needs to query and parse the ripe database.
MarcoH
I very much agree with your description of the 2 groups using the whois database. It is very interesting that we got this big database running and lots of tech people taking the time to update it, but it actually misses the primary reason for its existence! As I have always understood the whois database, its a system where everybody can find the person responsible for a specific IP address in case they have a complaint about this IP address. I also think that in order for abuse addresses to work successfully in the system it has to be as easy as you described, with a grep command. If that only works sometimes, some IP addresses are registered another way, then its not worth much.. To make sure something which is implemented also works its very important that its simple, eventhough most LIRs have technical people who can figure out how to use Ripe systems it does not make sense if a very sofisticated system is implemented which has advanced features which is fully used by only about half the LIRs, then why should the rest bother with it? Med venlig hilsen/Best regards Christian Rasmussen Hosting manager, jay.net a/s Smedeland 32, 2600 Glostrup, Denmark Email: noc@jay.net Personal email: chr@corp.jay.net Tlf./Phone: +45 3336 6300, Fax: +45 3336 6301 Produkter / Products: http://hosting.jay.net
On Jan 12, MarcoH <marcoh@marcoh.net> wrote:
If you define a abuse-c: as a person/role object, you still have the problem that people need to resolve it and then possibly get multiple addresses. So the problem doesn't get solved and we can just stick with the irt-object. Not if the relevant IRT object is automatically returned for every inetnum query. This is what ARIN does, BTW. Ok, but in that case we need to launch a campaign to get people aware of the irt object and how they should use it. The same would apply to abuse-c as well. I think IRT has the advantage that it already exists. If the server could be changed to return by default the relevant IRT object for inetnum queries I think it would be at least as useful as the half-proposed abuse-c attribute.
Introducing the abuse: attribute as a single syntactically valid[1] email address on inetnum objects or the first level of objects it refers to makes it simple in the way that:
whois ip-address | grep abuse: IRT would be about as easy to use if returned by default. Some ASCII banner would help pointing lusers at the right address where to send complaints. Do not forget that abuse-c would have to refer to a role or person address (just using a mailbox as the attribute content would be really too much ugly IMO, and not consistent with the general style of the DB), so a little indirection would still be present.
Will always result in a valid email address to send the complaint, without the need to walk to a tree of objects referring to each other and search for remarks fields pointing to the abuse desk or just collecting everything which includes an '@' and not even using uniq on them. You will always find a better idiot... But procmail can help you.
-- ciao, | Marco | [4069 coxDCUA1EuKYs]
MarcoH wrote:
On Mon, Jan 12, 2004 at 09:55:06AM +0100, Shane Kerr wrote:
On of the problems that was identified when the irt object type was defined is that there are a lot of meanings of "incident" that the "irt" could be responding to. The same applies to an "abuse-c:" attribute. Does abuse mean spam? DoS? Illegally trading movies? E-mailed viruses? Pornography? Gambling? Hijacking address space?
Do you have different desks for these different types of abuses? If so, does it make sense to have different contacts for them? (History shows this doesn't matter too much - as users tend to send to every e-mail they can find. But in the future, it would make modifying output of tools to only display relevant information easier.)
That's why I proposed a simple attribute only containing 1 single email address where people can send their complaints. It will mostly end-up being abuse@isp for every single inetnum.
Apart from that and in general, the I think relying on RFC 2142 (which is a standard) is at least an equally good approximation as introducing any new email-containing attributes: RFC2142, Sect. 2: For example, if an Internet service provider's domain name is COMPANY.COM, then the <ABUSE@COMPANY.COM> address must be valid and supported, even though the customers whose activity generates complaints use hosts with more specific domain names like SHELL1.COMPANY.COM. Note, however, that it is valid and encouraged to support mailbox names for sub-domains, as appropriate. and Sect4: states there should be ABUSE Customer Relations Inappropriate public behaviour NOC Network Operations Network infrastructure SECURITY Network Security Security bulletins or queries Ok, it is not always trivial to fiure out a domain to an ip-range, but for the well behaved ones that would use the abuse-c it is usually easy to make out the right abuse@.... and the bad-guys would either not use it at all, or put something like abuse_box_for_me@hotmail.com in (or an approbriate role holding that data. so it would be worthless anyway. Am I missing something here? lG uk -- Ulrich Kiermayr Zentraler Informatikdienst der Universitaet Wien Network - Security - ACOnet-CERT Universitaetsstrasse 7, 1010 Wien, AT eMail: ulrich.kiermayr@univie.ac.at Tel: (+43 1) 4277 / 14104 PGP Key-ID: 0xA8D764D8 Fax: (+43 1) 4277 / 9140
participants (14)
-
Christian Rasmussen -
Daniel Karrenberg -
der Mouse -
Hank Nussbacher -
Jan Meijer -
John Green -
Marco d'Itri -
MarcoH -
Menno Pieters (Stelvio) -
Niall O'Reilly -
Patrick Rother -
Rev Adrian Kennard -
Shane Kerr -
Ulrich Kiermayr