February 2000 - lir-wg - mailman.ripe.net

Re: Modifying references to contact info in the RIPE DB
by Wilfried Woeber, UniVie/ACOnet 24 Jun '01

24 Jun '01

Hi Joao! >If the reference is by name then when I query the DB I will get the list of >persons with that name, right? Right. >Whether the object belongs to the person or not is not going to save this >person from being contacted. From the point of view of the database and the >user querying it, the object belongs to that person. Right >The link is via a name. > >Now we substitute the reference by name with a reference by nic handle >pointing to the same person. >What is the difference? > >ALMOST NONE except that: True, for the case where there is a strict one-to-one mapping, e.g the recursion using the name returns *one* object. What do you suggets to do with the case where the recursion, based on the names, returns a *set* of objects? I can see 2 approaches (at least): - do not perform the handle substitution for that referring object and put it on the list of those requiring human intervention - expand the xxxx-c: list (which? the tech-c:?) to refer to *all* objects, but by ref'ing their handles While human beings are quite clever in selecting the "proper" instance of a person: object (by looking at country, address, email,...) a script might be quite clueless with that respect :-) Wilfried. -------------------------------------------------------------------------- Wilfried Woeber : e-mail: Woeber(a)CC.UniVie.ac.at Computer Center - ACOnet : Tel: +43 1 4277 - 140 33 Vienna University : Fax: +43 1 4277 - 9 140 Universitaetsstrasse 7 : RIPE-DB (&NIC) Handle: WW144 A-1010 Vienna, Austria, Europe : PGP public key ID 0xF0ACB369 --------------------------------------------------------------------------

3 3

Draft Agenda for lir-wg at RIPE 24 - second draft
by Hans Petter Holen 09 Mar '00

09 Mar '00

Dear working Group, as the first draft was made for the plenary presentation at RIPE 34 it has been out for a while at http://www.ripe.net/ripe/wg/lir/r35-draftagenda.html Here is an updated second draft. Please approach me with additional items to the agenda. 1. Admin scribe, participant list, charter, mailinglists 2. Agenda 3. Meet the RIPE NCC hostmasters 4. RIPE 34 minutes actions 5. Reports from the Registries RIPE NCC APNIC ARIN ICANN Status of the Latin and AFRI NiCs 6. Report from the address council 7. The policy making process 8. Establish final selection procedure for the address council 9. Domain objects in the database 10. PGP authentication 11. WG management 12.. AOB Joint Lir-wg / IPv6 WG: B. Comments on the Provisional Assignment on Allocation of IPv6 addresses document (ipv6-wg & lir-wg) - Why is a dial-up link treated differently - should such users get a /48 or a /64 ?!? - Public or private addresses recommendation for point-to-point links - What constitutes 80% utilization ?!? (I am looking for a volunteer from the RIPE NCC for an introduction on the issues - other speakers are also welcome to volunteer)

3 2

RE: DB consistancy checking tools
by Matthew Robinson 07 Mar '00

07 Mar '00

I won't be at RIPE-35 as my first child is due at the same time but I'll definitely knock something together as a draft. If other people are interested then things should go ahead at RIPE-35 otherwise I do have permission from my wife to attend RIPE-36 ;-) Kind regards Matthew -----Original Message----- From: Wilfried Woeber, UniVie/ACOnet [mailto:woeber@cc.univie.ac.at] Sent: 20 January 2000 14:55 To: matthew(a)planet.net.uk Cc: lir-wg(a)ripe.net; db-wg(a)ripe.net; woeber(a)cc.univie.ac.at Subject: RE: DB consistancy checking tools Matthew, I think this is an interesting proposal: >I have been wondering recently whether a separate group should be set up for >the sole purpose of creating tools/advise/methods/hints 'n' tips for LIR's >to keep on top of their entries and make management easier. A sort of RIPE >users working group not concerned with designing objects for the database >but how to put existing objects in it, remove them, manage them, etc. > >My 2c > >Matthew To start things moving, could you come up with a coarse draft of ideas and short-term goals to take up? On the more formal side, one of the possible solutions to accomodate that activity might be to create a TaskForce to work on well-defined items during RIPE35 (do you intend to particpate?). This TF might be supported by both LIR and DB, or sponsored by whichever group is seen to be appropriate... Wilfried.

6 6

inetnum conversion
by Engin Gunduz 28 Feb '00

28 Feb '00

Dear colleagues, RIPE NCC will be converting the legacy inetnum objects which are in old classful notation into classless range notation. We provide the list of inetnum objects to be converted during this process at: http://www.ripe.net/ripencc/pub-services/db/in_conversion/ There are 16404 such inetnums in the RIPE whois database, so we have divided them in four parts, but the list is available also as a big single file. The list contains the classful notation, new classless notation and the netname of the inetnums. The conversion is planned to take place on 26-27 February. You can check the list for your inetnum objects. If you detect a problem, please contact <ripe-dbm(a)ripe.net>. Also, please send your comments about the conversion to the list, Regards, Engin Gunduz RIPE NCC Database Group -----------------------

1 2

Re: RIPE DB service restored
by Janos Zsako 23 Feb '00

23 Feb '00

> From owner-lir-wg(a)ripe.net Wed Feb 23 13:47:01 2000 > From: Nils Jeppe <nils(a)work.de> Dear Nils, > Yes, one question; why haven't you announced taking down the DB? I find > this unacceptable, some of us have to work with it you know? We have > customers which need new Person objects, new Domains, etc. etc. Now, I > understand perfectly if there are emergency maintainances or whatever, but > don't just switch it off for an entire day without at least letting us > know! How much effort would it have been if you had written a seven line > email explaining that you have to take the DB down, and why? > > It's not like you're some kind of Internet Dictatorship or IP God which > can do as it pleases; the RIPE NCC takes care of this stuff on the behalf > of the LIRs and is financed by the LIRs, so this heavy-handed approach is > really not something I appreciate. I guess the RIPE community in general does not appreciate YOUR approach (at least I do not). :(( Please find below the mail the RIPE NCC sent out BEFORE they turned updates off. I guess you have not been at the RIPE meetings and did not follow the work the RIPE NCC has been doing in the last many years. Otherwise I do not think you would make a remark like the above. Best regards, Janos > > > Best wishes, > Nils Jeppe > > > On Tue, 22 Feb 2000, RIPE Database Administration wrote: > > > > > Dear Colleagues, > > > > We wish to announce that the whois and update service > > of the RIPE Database has returned to normal. Currently, the > > queue of updates is being processed. We expect this queue to > > be cleared later this evening. > > > > Thank you for being patient. You will find that the service > > level of the RIPE Database has been improved. If you > > have questions, please contact <ripe-dbm(a)ripe.net>. > > > > If you have any questions, please don't hesitate > > to contact <ripe-dbm(a)ripe.net>. > > > > Regards, > > > > Daniele Arena > > ____________________________ > > RIPE Database Administration. > > > > ----- Begin Included Message -----

4 3

RIPE DB service restored
by RIPE Database Administration 22 Feb '00

22 Feb '00

Dear Colleagues, We wish to announce that the whois and update service of the RIPE Database has returned to normal. Currently, the queue of updates is being processed. We expect this queue to be cleared later this evening. Thank you for being patient. You will find that the service level of the RIPE Database has been improved. If you have questions, please contact <ripe-dbm(a)ripe.net>. If you have any questions, please don't hesitate to contact <ripe-dbm(a)ripe.net>. Regards, Daniele Arena ____________________________ RIPE Database Administration.

2 1

RIPE DB service outage.
by RIPE Database Administration 22 Feb '00

22 Feb '00

Dear Colleagues, Due to a regretable oversight, the following message was not sent to this list last night. Due to a crash of our whois server, we had to stop the updates and re-index the data. There is no need to resend your updates. The updates are queued and they will be processed later. We are also going to upgrade the main server so that it can cope better with the ever growing load. The whois query service has been switched to our backup server, therefore the response time is slower than usual. The latest news is that the re-indexing process has finished and we are currently working on the main server itself. We anticipate that the full service will be restored sometime later today. We shall keep you informed. If you have anymore questions, please contact <ripe-dbm(a)ripe.net>. Regards, A. M. R. Magee ______________ RIPE NCC

1 0

Updates to the RIPE whois database stopped
by RIPE Database Administration 21 Feb '00

21 Feb '00

Dear All, Due to a crash of our whois server which we experienced last Saturday we are stopping the updates tonight and we are going to reindex the data. There is no need to resend your updates. The updates will be queued and they will be resumed tomorrow. We are also going to upgrade the main server so that it can cope better with the ever growing load. The whois query service will be switched to our backup server, therefore the response time will be slower than usual. If you have any questions, please don't hesitate to contact <ripe-dbm(a)ripe.net>. Regards, Marek Bukowy ____________________________ RIPE Database Administration. ----- End Included Message -----

1 0

Strengthening the management of the lir-wg
by Hans Petter Holen 19 Feb '00

19 Feb '00

Dear Working Group, I have found myslef spending the better part of the nights doing ICANN Address Council work rather than RIPE local ir work or even sleeping :-) I was thinking that maybe it would be a good idea to form a small group to support the chair and the work that needs to be donebbbbbbbbb. Tasks for thw group would for instance be - follow discussions on the mailinglist - summarize and try to conclude when possible - keep track on our actionlists, follow up on other people - prepare issues for the lir-wg meeting from my own experience this kind of work is invaluable training in a proffesional career :-) We could discuss this further in Amsterdam next week. -hph

1 0

PGP for mails to and from RIPE NCC hostmaster
by Maldwyn Morris 18 Feb '00

18 Feb '00

Hi, We will be presenting the proposal below at the LIR-WG at RIPE 35. Comments are most welcome. Cheers, Olaf and Maldwyn -- The use of PGP for the encryption and authentication of e-mails to and from the RIPE NCC hostmaster mailbox. Olaf M. Kolkman Maldwyn G.T. Morris February 2000. -------------------- A. Introduction The RIPE NCC has received requests to enable customer Local Internet Registries ( LIRs ) to use PGP for authentication and encryption of e-mails to hostmaster(a)ripe.net. We have tried to identify the possible uses for PGP in communication between the LIRs and the RIPE NCC hostmaster mailbox and tried to determine what risks and operational difficulties there are in using PGP for both the LIRs and the RIPE NCC. In this document we will present our ideas and a possible implementation. We assume that the reader is familiar with PGP and the related protocols and terminology. Note that: - we are not security protocol experts; we welcome all comments and will, in a later stage of the design, involve security experts. - the use of the proposed technology would be optional for our customer LIRs. -------------------- B. Uses of PGP. For e-mail exchange between the RIPE NCC and the LIRs we identify four possible uses. 1. Encryption of e-mails to the RIPE NCC. Means LIRs can send company confidential information to the RIPE NCC without the risk of it being read when traversing the Internet. 2. Authentication of e-mails from the RIPE NCC. Means LIRs can be sure the mail came from the RIPE NCC. Non-repudiation of signed mails is also a benefit for the LIR in case of conflicts. 3. Encryption of e-mails to the LIR. Means LIRs can send company confidential information to the RIPE NCC without the risk it being read when traversing the Internet when included in RIPE NCC replies. 4. Authentication of e-mails from the LIR. Means it is much harder for a 3rd party to impersonate a LIR. Items 1 and 2 are relatively easy to implement. The RIPE NCC needs to publish the public RIPE NCC key and needs to design an internal infrastructure that prevents unauthorised persons from using the private RIPE NCC key. LIRs will be able to make use of these methods without contacting the RIPE NCC to arrange it in advance. More on the design of the RIPE NCC internal infrastructure in section C.1. and C.2. below. Items 3 and 4 are more difficult to implement. Here the RIPE NCC has to be sure that a certain key did indeed originate from the LIR the mail purports to be from. To use these methods, LIRs will have to give RIPE NCC their public keys in advance and in section D below we describe a protocol for key exchange that makes it difficult to impersonate a LIR. The RIPE NCC will not sign any of the public keys of the LIRs i.e. it will not become a Certification Authority. -------------------- C Protocols and implementation for items 1 and 2: Encryption of e-mails to the RIPE NCC and authentication of e-mails from the RIPE NCC. C.1. The LIR's side. not need to have it own key-pair it only needs to obtain suitable software and RIPE NCC's public key to encrypt messages to RIPE NCC or authenticate messages from RIPE NCC. C.2. The RIPE NCC side. The RIPE NCC will publish its public key on its ( secure ) webserver. We will allow further authentication of our public key by reading its fingerprint at the RIPE meeting, printing the fingerprint on the invoices we send or by other broadcast methods. The RIPE NCC does not want to share its private key among multiple employees, but on the other hand the RIPE NCC does not want to revoke individual keys whenever employees take on other functions. We have chosen to use one RIPE NCC key for company-wide authentication and decryption. The RIPE NCC will keep its private key on a dedicated internal signing server. Using strong authentication methods ( probably SSH ), RIPE NCC employees will be able to open an authenticated connection to the box that will perform a decryption or a signing operation. The request will be logged to leave an audit trail. The signing server will need to be highly secured. To prevent possible long-term damage if the machine ever gets compromised, the RIPE NCC key will expire every n-years. A key revoking procedure, which will include a public message, will be in place. Using this setup we can ensure individual RIPE NCC employees ( except for the limited set of people having system level access to the server ) will not be able to read the private RIPE NCC key. We also have the flexibility to control who can sign and decrypt RIPE NCC mail. -------------------- D. Protocols and implementation for items 3 and 4: Encryption of e-mails from the RIPE NCC and authentication of e-mails to the RIPE NCC. Before describing the protocol and implementation details in section D.1. and D.2. some general remarks and requirements. Currently, authentication is based on mail addresses and the reg id contained in the e-mails, and on the common sense of the RIPE NCC hostmasters. After RIPE NCC implements this part of the project, LIRs will have to be able to choose to use PGP to authenticate themselves to the RIPE NCC. Once they have made that choice the RIPE NCC will not accept non-PGP authenticated communication from that particular LIR. The most important application is to prevent impersonation. Therefore we need a procedure to assure ourselves that a public key belongs to the LIR which is claiming to have sent the e-mail. If a malicious third party ( Mallet ) tries to submit a public key in the name of a LIR ( zz.alice ) then a number of things can go wrong: - Once we start using Mallet's key, zz.alice's non-authenticated messages will not be accepted by the RIPE NCC. - RIPE NCC might start sending zz.alice information encrypted with Mallet's key which zz.alice will not be able to read and Mallet might also intercept this traffic and extract confidential information. To prevent the LIR having to use "group" keys we have set the requirement that a LIR should be able to add and revoke keys for their employees. D.1. LIR keys and key exchange protocol. We are studying two methods for key exchange and we will have a security expert look at this before implementation. In both methods of key exchange the LIR will need to begin by creating a public/private key pair, we refer to these as the LIR's Master keys. The key exchange method ( see below ) defines how these Master keys are authenticated. Once the Master key has been authenticated, the LIR can create keys for their employees. The employees' public keys must be signed by the LIR's Master key and sent to the RIPE NCC before they can be used for mails to RIEP NCC. The LIR's Master key can be used: - for authentication of mails to hostmaster(a)ripe.net - as a decryption key for mails from the RIPE NCC. - for adding and revoking employee's keys with the RIPE NCC - to tell the RIPE NCC that the LIR no longer wishes to use PGP authentication. The LIR's employees' keys can only be used: - for authentication of mails to hostmaster(a)ripe.net - as a decryption key for mails from the RIPE NCC. In this way the LIR has control over who is permitted to communicate with the RIPE NCC. First proposed key exchange method. We use a secret ('billing-secret'), sent with the paper invoice that the LIR receives by surface mail. The LIR will send us an e-mail signed using its private Master key and containing the 'billing-secret' and its public Master key. Once we receive the key we will send a confirmation to the LIR contact address and from then on we will only allow PGP authenticated communication with that LIR. Using this method we put trust in the billing address to be correct and the surface-mail not being intercepted. Second proposed key exchange method. The LIR will sign the public Master key with the private Master key and send this signed public Master key to the RIPE NCC. The RIPE NCC will use the LIR's public Master key to check the signature and then send a secret string to a LIR contact. The LIR contact will reply to the RIPE NCC with a mail containing the secret signed with the Master key. From the moment the RIPE NCC receives the secret back we will only allow PGP authenticated communication with that LIR. Using this method we put our trust in the fact that the contact information is correct and that the e-mail to the LIR cannot be blocked and intercepted In both methods it could happen that just before doing the key exchange our malicious friend Mallet changed the the contact details using the current weak authentication method. This could result in Mallet impersonating LIR zz.alice. We think the chance of this happening is small. Being aware of this vulnerability in the protocol we can, if in doubt, use other methods to convince ourselves that the LIR's Master key actually comes from zz.alice. We think the extra costs involved in using these methods preclude their use in every case. There is a risk that the LIR's Master key gets lost and if that happens we will have to use an off-band mechanism to revoke the LIR's key. This may involve for example, a fax with the LIR's letterhead and a phone call to the LIR contact. D.2. RIPE NCC's implementation. RIPE NCC will implement this using dedicated key rings or a keyserver. So as not to risk RIPE NCC being seen as a Certification Authority the key ring or keys server will be for internal use only. The interface to it will be a mail robot. This is to prevent people uploading unneeded keys. The hostmaster mail robot will test if PGP encryption or authentication is used and will bounce non-PGP authenticated mails from those LIRs who use PGP authentication. Once mails are processed by the robots they are believed to be authenticated as coming from the LIR whose reg id is contained in the e-mail. The robot will also decrypt encrypted incoming messages on arrival. We will think further about whether encryption of outgoing e-mails should be the default or only an option ( for LIRs who have sent us their public keys ). The local copies of all communication will be kept in plaintext, with appropriate access permissions. -------------------- E. Final remarks. We are thinking of using OpenPGP for the basis of this project. The RIPE NCC will not support LIRs in setting up and or maintaining (Open)PGP but we will produce a general guide that should clearly explain what they need to do. PGP might, because of local law, not be available to all LIRs.

1 0