This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/db-wg@ripe.net/
CERT Object and friends
Andrei Robachevsky
andrei at ripe.net
Fri Sep 15 12:19:00 CEST 2000
Dear Wilfried,
Dear colleagues,

Please find attached a draft proposal of the CERT object.
Your comments and suggestions are appreciated.

Regards,

Andrei Robachevsky
DB Group Manager
RIPE NCC

"Wilfried Woeber, UniVie/ACOnet" wrote:
>
> Dear Andrei!
>
> Following up on today's discussion, could you please send the CERT Object
> (pre)draft, that you were showing to me a short while ago, to the DB-WG List?
>
> Then we can start to think about any modifications (or alternate
> approaches), and what a presumed deployment could look like.
>
> TIA,
> regards,
> Wilfried.

CERT object in the RIPE Database
-----------------------------------

Problem:
- direct contacts (admin-c, tech-c) or indirect contacts (admin-c, tech-c of
  the respective maintainer) do not necessarily point to a CERT team;
- because of this CERT infrastructure is not reflected in the RIPE Database,
  which is essential for tracing/blocking attacks, etc.;
- because of this there is no consistent approach to secure/authenticate
  transactions between CERTs or a CERT and a user.

Goals:
- to support coordination between different CERT teams/NOCs;
- to provide contact information for reports of attacks/abuse/spam;
- to support secure/authentic transactions between CERTs and users.

Object format
--------------

The proposed cert object is a hybrid of role and mntner objects. It inherits
contact information from a role object and authentication/authorization
features from a mntner object.

cert:      [mandatory]  [single]    [primary/look-up key]
address:   [mandatory]  [multiple]  [ ]
phone:     [optional]   [multiple]  [ ]
fax-no:    [optional]   [multiple]  [ ]
e-mail:    [mandatory]  [multiple]  [look-up key]
admin-c:   [mandatory]  [multiple]  [inverse key]
tech-c:    [mandatory]  [multiple]  [inverse key]
upd-to:    [mandatory]  [multiple]  [inverse key]
mnt-nfy:   [optional]   [multiple]  [ ]
auth:      [mandatory]  [multiple]  [ ]
remarks:   [optional]   [multiple]  [ ]
notify:    [optional]   [multiple]  [inverse key]
mnt-by:    [mandatory]  [multiple]  [inverse key]
changed:   [mandatory]  [multiple]  [ ]
source:    [mandatory]  [single]    [ ]

The auth attribute points to a key-cert object.

Referencing a cert object
-------------------------

The object can be referenced from inetnum, inet6num, route (route6) objects
by using the cert-c attribute. While updating an object with this attribute,
the authorization checks specified in the auth attribute of a referenced cert
object should be passed.

CERT related queries
--------------------

A typical use case is to find CERT contacts provided that the IP
address/prefix of the abuser/source of an attack/etc. is known.

A possible scenario could be:
- the database finds the smallest less specific inetnum/route which contains
  cert attribute starting from the exact match.
- result of the query is inetnum/route object, cert object and key-cert
  object.

A new query could be defined (-c in the example below) that will trigger
such IP/CERT lookups:

$ whois -c 194.85.160.0

inetnum:      194.0.0.0 - 194.255.255.255
netname:      EU-ZZ-194
descr:        European Regional Registry
descr:        Europe
country:      EU
admin-c:      NN32-RIPE
tech-c:       CREW-RIPE
tech-c:       OPS4-RIPE
status:       ALLOCATED UNSPECIFIED
mnt-by:       RIPE-NCC-HM-MNT
mnt-lower:    RIPE-NCC-HM-MNT
cert-c:       RIPE-CERT
changed:      marten at ripe.net 19930901
changed:      GeertJan.deGroot at ripe.net 19941125
changed:      GeertJan.deGroot at ripe.net 19950118
changed:      david at ripe.net 19951019
changed:      hostmaster at ripe.net 19960118
changed:      hostmaster at ripe.net 19970204
changed:      hostmaster at ripe.net 19970428
changed:      roman at ripe.net 19980424
changed:      hostmaster at ripe.net 19980723
changed:      hostmaster at ripe.net 20000615
source:       RIPE

cert:         RIPE-CERT
address:      Singel 258
address:      1016 AB Amsterdam
address:      The Netherlands
phone:        +31 20 535 4444
fax-no:       +31 20 535 4445
e-mail:       cert at ripe.net
upd-to:       ripe-dbm at ripe.net
mnt-nfy:      ripe-dbm at ripe.net
auth:         PGPKEY-C059B6CM
notify:       ripe-dbm at ripe.net
mnt-by:       RIPE-DBM-MNT
changed:      ripe-dbm at ripe.net 19970429
changed:      riep-dbm at ripe.net 19980211
source:       RIPE

key-cert:     PGPKEY-C059B6CM
method:       PGP
owner:        cert at ripe.net
fingerpr:     7A B7 9A A5 AB 87 34 A2 89 BE 72 D6 57 D2 09 8D
certif:       -----BEGIN PGP PUBLIC KEY BLOCK-----
certif:       Version: PGP for Personal Privacy 5.0
certif:
certif:       mQCNAzTpYXMAAAEEAMXSsVmnIRlAN/TOK445wLoCIL0R3d8CbuCVMMV6c3wFYr3J
certif:       G0EnHtjzSH/v4U+1BEqAN1ac20DpT8yKoz4Kq3PRZPY2QdOTllDhtovQxfJeH0E7
certif:       UotmT6e88sexDXV+r4lXbEF1wlwtlTr6aAvgyMNX/qvBwkfumIE1ZsPAWbbLAAUR
certif:       tBVob3N0bWFzdGVyQGFsbGNvbi5uZXSJAJUDBRA06WFzgTVmw8BZtssBAVilA/0W
certif:       74jmkUDpOFcs4DufX5D9XmP0P6616xx4uO0Hop2QAv2TqloAVg5OvR3/w5caswNT
certif:       +54QjeYcebwxA/Itl/XNlzTswTOZBJ8F0qIZlwQomy0nVJAzQRgIbqiVvDliRJkC
certif:       ZSVBUsvHdecM6jnD6E/UKl3iHsAb9IM/yr+YiRZvIIkAlQMFEDZcmtCEBm5d7AWM
certif:       dQEBOKAD/RaS124qsJuOOeM3U50IrmoCoSyoMDIfAn0GglyxXtUJNtujTdtGCJ0w
certif:       cFZvlzVJnvXXF5YCIN19K2XI5ZWX1AVvtEecTH0Ulp/zdBIqqGU1E3nV9Kx5frmb
certif:       CRr3Qi5HXPnDHG/L2vVWLaCeQpw3Nx+9EqH4c4MWZCuqqwM0hWIn
certif:       =OyNk
certif:       -----END PGP PUBLIC KEY BLOCK-----
notify:       cert at ripe.net
mnt-by:       RIPE-NCC-MNT
changed:      cert at ripe.net 19981126
source:       RIPE
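
The lookup sketched under "CERT related queries" above, as an added example that is not part of the original message or of the RIPE Database software: it walks from the exact match to less specific inetnums until one carries cert-c, then returns the inetnum, cert and key-cert objects, and it accepts a prefix as well as a single address. The function names, the two more specific sample inetnums, and the choice to keep walking upward on a dangling cert-c handle are assumptions.

```python
import ipaddress

# Constructed sample objects, reduced to the attributes the lookup needs.
# RIPE-CERT and PGPKEY-C059B6CM are the handles used in the draft's example;
# the two more specific inetnums and their netnames are invented.
INETNUMS = [
    {"inetnum": "194.0.0.0 - 194.255.255.255", "netname": "EU-ZZ-194",
     "cert-c": "RIPE-CERT"},
    {"inetnum": "194.85.160.0 - 194.85.175.255", "netname": "EXAMPLE-ISP"},
    {"inetnum": "194.85.160.0 - 194.85.160.255", "netname": "EXAMPLE-LAN"},
]
CERTS = {"RIPE-CERT": {"cert": "RIPE-CERT", "auth": ["PGPKEY-C059B6CM"]}}
KEY_CERTS = {"PGPKEY-C059B6CM": {"key-cert": "PGPKEY-C059B6CM", "method": "PGP"}}


def _bounds(inetnum):
    """Parse 'a.b.c.d - e.f.g.h' into (first, last) address objects."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return first, last


def cert_lookup(query, inetnums=INETNUMS, certs=CERTS, key_certs=KEY_CERTS):
    """Return (inetnum, cert, [key-cert, ...]) for an address or prefix,
    or None when no covering inetnum carries cert-c."""
    net = ipaddress.ip_network(query, strict=False)
    q_first, q_last = net.network_address, net.broadcast_address
    covering = []
    for obj in inetnums:
        first, last = _bounds(obj["inetnum"])
        if first.version != net.version:
            continue  # never compare IPv4 ranges with IPv6 queries
        if first <= q_first and q_last <= last:
            covering.append((int(last) - int(first), obj))
    # Smallest covering range first: the exact match, then less specifics.
    covering.sort(key=lambda pair: pair[0])
    for _, obj in covering:
        cert = certs.get(obj.get("cert-c"))
        if cert is None:
            continue  # no cert-c here (or a dangling handle): go one level up
        # auth is [multiple] in the draft, so a cert may name several keys.
        keys = [key_certs[h] for h in cert["auth"] if h in key_certs]
        return obj, cert, keys
    return None
```

With the sample data, a query for 194.85.160.0 skips the two more specific ranges that lack cert-c and resolves to EU-ZZ-194, which matches the query result shown in the draft.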