The easy to use solution is to require external data to be signed by RPKI certificates from another RIR's system.

1) it's time limited: all signed objects have a lifetime
2) it's secure (as secure as PKI)
3) it doesn't require massive effort to implement: a well formed object can be specified by anyone, and then signed by the prime resource holder using a certificate covering the resources. The receiving side can validate it directly.

That's pretty much what I said to the microphone of the routing wg meeting.

On 9 November 2014 08:42, Sander Steffann <sander@steffann.nl> wrote:
Hi Ronald,
Having IP addresses is not a requirement for getting an ASN. There are many legitimate cases where an ASN may be used to announce address space belonging to someone else. For example an ISP announcing address space belonging to its customer. Or a transit provider.
OK, that's a good point. But I'm not sure that it fully negates the possible value of my question.
Everybody is _supposed_ to have working e-mail address contacts in their IP allocation records within the WHOIS databases of the various RIRs, yes? So suppose that there had been a protocol in place that required an affirmative e-mail response from at least one legitimate IP address block registrant (in some/any region) before the allocation of an AS number would proceed. Such a protocol would have forestalled the situation that we now see with AS201640, would it not?
It is a possible implementation but one that only has a one-time check. It wouldn't keep track of changes to resources in other regions. The working group asked the RIPE NCC to look into the possibilities and report back to the working group. Let's see if there is an easy to use solution that makes sure we don't import data into our database that then end up being invalid or outdated.
Cheers, Sander
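
The receiving-side check described in the reply at the top of this thread (object lifetime, plus a certificate that covers the resources), as an added example that is not part of the original messages. The `SignedObject` class and its fields are hypothetical, the sample data is constructed, and the cryptographic signature check is assumed to be done by a real RPKI validator and passed in as `signature_ok`.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_network


@dataclass
class SignedObject:
    """Hypothetical, simplified view of a signed object after parsing."""
    prefixes: list        # resources the statement is about
    not_before: datetime  # start of the object's lifetime
    not_after: datetime   # end of the object's lifetime
    cert_prefixes: list   # resources listed in the signing certificate
    signature_ok: bool    # assumption: result from a real RPKI validator


def covered(prefix, cert_prefixes):
    """True if prefix lies inside one of the certificate's resources."""
    net = ip_network(prefix)
    return any(
        net.version == c.version and net.subnet_of(c)
        for c in map(ip_network, cert_prefixes)
    )


def validate(obj, now):
    """Return (accepted, reason) for using the object's data at time now."""
    if not obj.signature_ok:
        return False, "bad signature"
    if not (obj.not_before <= now <= obj.not_after):
        return False, "outside validity period"
    for p in obj.prefixes:
        if not covered(p, obj.cert_prefixes):
            return False, f"{p} not covered by certificate"
    return True, "ok"


# Constructed sample using documentation prefixes (RFC 5737 / RFC 3849).
UTC = timezone.utc
SAMPLE = SignedObject(
    prefixes=["192.0.2.0/25", "2001:db8:10::/48"],
    not_before=datetime(2014, 11, 1, tzinfo=UTC),
    not_after=datetime(2015, 11, 1, tzinfo=UTC),
    cert_prefixes=["192.0.2.0/24", "2001:db8::/32"],
    signature_ok=True,
)

if __name__ == "__main__":
    print(validate(SAMPLE, datetime(2014, 11, 9, tzinfo=UTC)))  # at import
    print(validate(SAMPLE, datetime(2016, 1, 1, tzinfo=UTC)))   # re-check
```

Running the same check again after the object's lifetime has passed rejects the data, so an import that is re-validated periodically does not stay a one-time check.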