The easy to use solution is to require external data to be signed by RPKI
certificates from another RIR's system.

1) it's time limited: all signed objects have a lifetime
2) it's secure (as secure as PKI)
3) it doesn't require massive effort to implement: a well formed object can
be specified by anyone, and then signed by the prime resource holder using
a certificate covering the resources. The receiving side can validate it
directly.

That's pretty much what I said to the microphone of the routing wg meeting.

On 9 November 2014 08:42, Sander Steffann <[email protected]> wrote:

> Hi Ronald,
>
> >> Having IP addresses is not a requirement for getting an ASN. There are
> >> many legitimate cases where an ASN may be used to announce address space
> >> belonging to someone else. For example an ISP announcing address space
> >> belonging to its customer. Or a transit provider.
> >
> > OK, that's a good point.  But I'm not sure that it fully negates the
> > possible value of my question.
> >
> > Everybody is _supposed_ to have working e-mail address contacts in their
> > IP allocation records within the WHOIS data bases of the various RIRs,
> > yes?  So suppose that there had been a protocol in place that required
> > an affirmative e-mail response from at least one legitimate IP address
> > block registrant (in some/any region) before the allocation of an AS
> > number would proceed.  Such a protocol would have forestalled the
> > situation that we now see with AS201640, would it not?
>
> It is a possible implementation but one that only has a one-time check. It
> wouldn't keep track of changes to resources in other regions. The working
> group asked the RIPE NCC to look into the possibilities and report back to
> the working group. Let's see if there is an easy to use solution that makes
> sure we don't import data into our database that then end up being invalid
> or outdated.
>
> Cheers,
> Sander
>
>
>
