[ppml] Staff Comments Regarding Policy Proposal 2006-3
On Fri, 6 Oct 2006, Larry Blunk wrote:
> RIPE supports a "mnt-routes:" attribute in their "inetnum" objects which refers
> to a maintainer in the routing registry who is allowed to create routes
> which are covered by the given address space. Note that
> RIPE does not put AS information in the inetnum objects themselves.
> One could envision an attribute similar to mnt-routes in the ARIN address
> registry which would refer to a maintainer in the ARIN IRR who is allowed to create
> routes in the IRR covered by that address space. This avoids duplicate
> information in both the address and routing registries and would support
> existing RPSL based configuration tools.
The issue is trust in a distributed system like this. You may put an email
address for the maintainer in ARIN whois (which would be a new contact most
likely) and can check if this email address is listed in the RR, but you're
completely at the mercy of the RR maintainer to make sure the person who
updated their registry was properly authenticated based on that
email address at the time that routing registry data was entered.
To provide proper verification security for whoever checks the RR you
need something like a PGP fingerprint (or just the public key directly)
corresponding to the maintainer's PGP key as part of the maintainer contact
data in ARIN whois, and then need a PGP signature with the RR data. But as
I'm sure some would quickly notice, this all looks rather like SIDR....
[oh, and did I mention those fun pk roll-over issues that all
come into play for a distributed PKI like that ...]
william at elan.net
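The mnt-routes authorisation check described in the quoted text, together with the fingerprint-binding cross-check proposed in the reply, as an added Python example that is not part of this thread or of any registry's software. The registry objects are constructed samples, the `fingerpr:` attribute on the address-registry maintainer object is an assumed extension (ARIN whois has no such attribute today), and `key_fingerprint` is a SHA-1 stand-in for the PGP fingerprint a real checker would take from gpg; the signature verification step itself is left to PGP tooling and not modelled here.

```python
"""Cross-check an IRR route object against the address registry.

Two checks are shown:
  1. mnt-routes authorisation: the route's maintainer must be named in the
     covering inetnum's "mnt-routes:" and the prefix must lie inside the range.
  2. key binding: the key published in the RR key-cert must match the
     fingerprint the address registry records for that maintainer.
All sample objects below are constructed, not real registry data.
"""
import hashlib
import ipaddress


def parse_rpsl(text):
    """Parse one RPSL object into {attribute: [values]}.
    Continuation lines (leading whitespace or '+') extend the previous value."""
    obj, last = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t+" and last is not None:
            obj[last][-1] += " " + raw.lstrip(" \t+").strip()
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        obj.setdefault(attr, []).append(value.strip())
        last = attr
    return obj


def inetnum_range(inetnum):
    """Return (first, last) addresses of an 'inetnum: A - B' object."""
    start, _, end = inetnum["inetnum"][0].partition("-")
    return ipaddress.ip_address(start.strip()), ipaddress.ip_address(end.strip())


def prefix_covered(inetnum, prefix):
    """True if the route prefix lies entirely inside the inetnum range."""
    start, end = inetnum_range(inetnum)
    net = ipaddress.ip_network(prefix, strict=True)
    return start <= net.network_address and net.broadcast_address <= end


def route_authorised(inetnum, route):
    """mnt-routes check as in the RIPE model: prefix covered, and the route's
    mnt-by appears in the inetnum's mnt-routes (ignoring any {prefix-list})."""
    if not prefix_covered(inetnum, route["route"][0]):
        return False
    allowed = {m.split()[0] for m in inetnum.get("mnt-routes", [])}
    return any(m in allowed for m in route.get("mnt-by", []))


def key_fingerprint(key_material):
    """Stand-in for a PGP fingerprint: SHA-1 over the key material.
    A real v4 fingerprint is SHA-1 over the public-key packet, which gpg
    computes for you; the shape of the comparison is the same."""
    return hashlib.sha1(key_material.encode()).hexdigest().upper()


def key_bound_to_maintainer(whois_mntner, rr_keycert):
    """Does the key-cert in the RR carry the fingerprint that the address
    registry's maintainer record (assumed 'fingerpr:' attribute) publishes?"""
    recorded = {f.replace(" ", "").upper() for f in whois_mntner.get("fingerpr", [])}
    presented = key_fingerprint(" ".join(rr_keycert.get("certif", [])))
    return presented in recorded


# --- constructed sample objects -------------------------------------------
KEY_MATERIAL = "PLACEHOLDER-PGP-PUBLIC-KEY-BLOCK"      # stands in for armoured key
ROGUE_KEY = "PLACEHOLDER-SOMEONE-ELSES-KEY-BLOCK"

ARIN_INETNUM = parse_rpsl("""\
inetnum:    192.0.2.0 - 192.0.2.255
netname:    EXAMPLE-NET
mnt-by:     MAINT-EXAMPLE
mnt-routes: MAINT-EXAMPLE-RR
""")
ARIN_MNTNER = parse_rpsl(f"""\
mntner:     MAINT-EXAMPLE-RR
fingerpr:   {key_fingerprint(KEY_MATERIAL)}
""")
GOOD_ROUTE = parse_rpsl("route: 192.0.2.0/24\norigin: AS64496\nmnt-by: MAINT-EXAMPLE-RR\n")
WRONG_MNT_ROUTE = parse_rpsl("route: 192.0.2.0/24\norigin: AS64496\nmnt-by: MAINT-INTRUDER\n")
OUTSIDE_ROUTE = parse_rpsl("route: 198.51.100.0/24\norigin: AS64496\nmnt-by: MAINT-EXAMPLE-RR\n")
RR_KEYCERT = parse_rpsl(f"key-cert: PGPKEY-EXAMPLE\ncertif: {KEY_MATERIAL}\n")
ROGUE_KEYCERT = parse_rpsl(f"key-cert: PGPKEY-EXAMPLE\ncertif: {ROGUE_KEY}\n")

if __name__ == "__main__":
    print("good route authorised:", route_authorised(ARIN_INETNUM, GOOD_ROUTE))
    print("wrong maintainer:     ", route_authorised(ARIN_INETNUM, WRONG_MNT_ROUTE))
    print("prefix outside range: ", route_authorised(ARIN_INETNUM, OUTSIDE_ROUTE))
    print("key bound:            ", key_bound_to_maintainer(ARIN_MNTNER, RR_KEYCERT))
    print("rogue key bound:      ", key_bound_to_maintainer(ARIN_MNTNER, ROGUE_KEYCERT))
```

The second check is what turns an email-address reference into something a third party can verify: whoever queries the RR compares the key it presents against the fingerprint the address registry publishes, instead of trusting that the RR operator authenticated the submitter. What the example does not cover is the roll-over problem raised at the end of the reply, since a new key means updating the fingerprint in the address registry before the RR will accept signatures made with it.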