[ARIN-consult] Community Consultation on IRR Route Validation

Gert Doering gert at space.net
Sun Mar 22 08:31:19 EDT 2015


Hello ARIN,

On Tue, Mar 17, 2015 at 01:30:50PM -0400, ARIN wrote:
> The following suggestions submitted via the ARIN Consultation and
> Suggestion Process (ACSP) are related to the topic of validation between
> an Internet Routing Registry (IRR) and the ARIN registry database.
> 
> * 2015.3: Tie Route Objects in IRR to Netblocks of RIR Database
[..]
> ARIN is opening this community consultation to obtain feedback on the
> following questions:
> 
> * Should ARIN begin a new project to enable IRR route object validation
> to the ARIN registry database?

Yes, please.

Some of you might know that I'm not from the ARIN region, but I think that
this is an important necessity for the Global Internet to be sustainable in 
the future, so I'm speaking up here.

We see an increased number of cases where Spammers find network blocks that
are not actively used (for whatever reason), register "route"-Objects for
them in a database that does not protect against unauthorized creation
of objects (like, in our most recent case, the RA DB), and then announce
this address space as "theirs".  The fake route: objects will circumvent
BGP prefix filters if built from an IRR DB that does not properly check
authorization for route object creation, thus enabling the spammer to 
have wide reach with their announcement.

(In case one wants to check: 185.54.188.0/22 is one of our prefixes that
was abused that way - announced for just under one hour, but sufficiently
long to send enough spam so the complaints hit our abuse desk and made me
investigate.  The bogus entry is still in RA DB, as they do not consider
it their duty to remove it.  *sigh*)


Cross-Registry authorization will still remain a not easily solved problem,
but at least every region should have an IRR DB that has strongly authorized
data in it concerning their own members' resources - and the RIR in question
is the only entity that can state with certainty whether or not a resource
holder is authorized to put in routing information for a given network, or not.

[..]
> * If yes, should this effort be coordinated with other RIRs to help
> facilitate cross-registry authentication?
> * If yes, should this effort also support third party IRR route object
> authentication?

Yes, and yes.  And I understand that this is much harder, but is also
of crucial importance if we want to give users of the database(s) a chance
to build proper prefix filters for customers that happen to be authorized
to announce networks coming from different regions.  Which happens often
enough to be relevant :-)

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279
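
The validation discussed in the message above, as an added example that is not part of the original post and not ARIN's or any IRR's actual implementation: each route object in an IRR dump is checked against registry allocation data before it is allowed into a prefix filter. Authorization is modelled here as a maintainer match, which is an assumption; the registry table, the IRR dump, the maintainer names and the function names are all constructed, using documentation prefixes and ASNs.

```python
import ipaddress

# Constructed registry data: allocated block -> maintainers the RIR knows belong to the holder.
REGISTRY = {
    "198.51.100.0/24": {"MAINT-HOLDER-A"},
    "203.0.113.0/24": {"MAINT-HOLDER-B"},
}

# Constructed IRR dump in RPSL form (documentation prefixes and ASNs only).
IRR_DUMP = """\
route:   198.51.100.0/24
origin:  AS64496
mnt-by:  MAINT-HOLDER-A

route:   203.0.113.0/25
origin:  AS64511
mnt-by:  MAINT-SOMEONE-ELSE

route:   192.0.2.0/24
origin:  AS64500
mnt-by:  MAINT-OTHER-REGION
"""

def parse_rpsl(text):
    """Split a blank-line separated RPSL dump into dicts of attribute -> list of values."""
    objects = []
    for block in text.strip().split("\n\n"):
        obj = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            obj.setdefault(key.strip().lower(), []).append(value.strip())
        objects.append(obj)
    return objects

def validate(obj, registry=REGISTRY):
    """Classify one route object: 'authorized', 'unauthorized' or 'not-in-registry'."""
    prefix = ipaddress.ip_network(obj["route"][0])
    covering = [ipaddress.ip_network(b) for b in registry
                if prefix.subnet_of(ipaddress.ip_network(b))]
    if not covering:
        return "not-in-registry"  # resource from another region: the cross-registry case
    block = max(covering, key=lambda n: n.prefixlen)  # most specific allocation wins
    allowed = registry[str(block)]
    return "authorized" if allowed & set(obj["mnt-by"]) else "unauthorized"

def build_prefix_filter(text):
    """Return (prefix, origin) pairs only for route objects that pass validation."""
    return [(o["route"][0], o["origin"][0])
            for o in parse_rpsl(text) if validate(o) == "authorized"]
```

A filter built without the `validate` step would accept all three objects, including the more-specific 203.0.113.0/25 registered by a maintainer the holder never authorized.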


