Re: 4 Byte AS tested
If I can answer, yes, APNIC expects to deploy a node in Japan in the near future for more persistent testing of this kind of thing. -The equipment is just being commissioned. Other experiments may be done before then of course. cheers -george
Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)
On Wed, 23 Nov 2005 17:42:21 -1000 Randy Bush <[EMAIL PROTECTED]> wrote: > > We need prefix ownership certs; these need a special field > > identifying the prefix owned. (See RFC 3779, which also describes > > AS certificates). We need the latter in CA form, for delegation. yes. the resource certs we are making, the test certs, have CA bit set, and include RFC3779 fields for ASN, IPv4 and IPv6 ranges, using the range ASN.1 notation for ASN ranges. > > sorry to complicate, but iana allocates as ranges which are then > subbed to rirs. so the ca bit could be set on these for the APNIC resource certificates in test, they are. cheers -George > > randy > -- George Michaelson | APNIC Email: [EMAIL PROTECTED]| PO Box 2131 Milton Phone: +61 7 3858 3150 | QLD 4064 Australia Fax: +61 7 3858 3199 | http://www.apnic.net
Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)
On Wed, 23 Nov 2005 16:39:11 -1000 Randy Bush <[EMAIL PROTECTED]> wrote: > >> [0] - i'll want the business cert to have the ca bit if i am > >> large enough to have internal authorization process, and > >> thus want to create and manage different certs for dns, > >> billing, ... > > > > We are discussing how we can do subsidiary certificate services like > > this in APNIC but I think this goes outside of routing policy and > > into registry business practices which are unlikely to be common > > for all RIR and NIR in the ways that resource certificates *have* > > to be. > > if it is not common across registries, and if my certs do not > work across registries, then something is very very broken, > and a major pita at the isps', aka your members', expense. > > randy If you want to see member-certificates which gate access to RIR/NIR specific services common across all registries, I think you want to get that onto an RIR meeting agenda Randy. We currently have no cross-certification activity in member identity. cheers -George
Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)
On Wed, 23 Nov 2005 16:03:35 -1000 Randy Bush <[EMAIL PROTECTED]> wrote: > > According to what I understand, there have to be two certificates > > per entity: > > > > one is the CA-bit enabled certificate, used to sign > > subsidiary certificates about resources being given to other people > > to use. > > > > the other is a self-signed NON-CA certificate, used to sign > > route assertions you are attesting to yourself: you make > > this cert using the CA cert you get from your logical parent. > > probably more. smb has convinced me that the (possibly ca[0]) cert > i get from the rir, with which i do business with the rir (dns, > ip requests, billing), should be different than that which i use > for routing info. At APNIC the cert we expect you to identify yourself with to transact with the registry is not the same as the cert which identifies resource utilization. But we (APNIC) also expect to use a different root CA for these 'identity' certs anyway. the test APNIC resource certificates are using an interim self-signed CA, and will be moving to a hardware-token secured CA shortly. The hardware is the same as our identity certificates used in MyAPNIC, but a different trust anchor and CA identity will be used for resource certificate processes. We probably need to make this explicit in our policies in this area. We've always cheers -George > > randy > > --- > > [0] - i'll want the business cert to have the ca bit if i am > large enough to have internal authorization process, and > thus want to create and manage different certs for dns, > billing, ... We are discussing how we can do subsidiary certificate services like this in APNIC but I think this goes outside of routing policy and into registry business practices which are unlikely to be common for all RIR and NIR in the ways that resource certificates *have* to be. cheers -George
Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)
On Wed, 23 Nov 2005 17:54:44 -0800 (PST) "william(at)elan.net" <[EMAIL PROTECTED]> wrote: > > > On Thu, 24 Nov 2005, George Michaelson wrote: > > > According to what I understand, there have to be two certificates > > per entity: > > > > one is the CA-bit enabled certificate, used to sign > > subsidiary certificates about resources being given to other people > > to use. > > > > the other is a self-signed NON-CA certificate, used to sign > > route assertions you are attesting to yourself: you make > > this cert using the CA cert you get from your logical parent. > > So how is the 2nd one different from the first? the important distinction is that the certificate used to sign resource assertions doesn't have the CA bit set. -George
Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)
According to what I understand, there have to be two certificates per entity: one is the CA-bit enabled certificate, used to sign subsidiary certificates about resources being given to other people to use. the other is a self-signed NON-CA certificate, used to sign route assertions you are attesting to yourself: you make this cert using the CA cert you get from your logical parent. -George
APNIC Privacy of customer assignment records - implementation update
Dear colleagues, This is an important announcement on the implementation of APNIC approved proposal prop-007-v001 regarding privacy of customer assignment records. The proposal document, presentation, minutes, and discussion are available at: http://www.apnic.net/docs/policy/proposals/prop-007-v001.html The APNIC Secretariat will be implementing this proposal on 30 September 2004. Please note that after this date, customer assignment objects will no longer be visible in the APNIC Whois Database, unless the APNIC account holder chooses to make public the customer records for their allocated address range. A set of Frequently Asked Questions about this project is now available at: http://www.apnic.net/info/faq/privacy-faq.html If you have any concerns or questions regarding this policy, please contact the APNIC helpdesk at: E-mail: [EMAIL PROTECTED] Phone: +617 3858 3188 Fax: +617 3858 3199 Regards __ APNIC Secretariat <[EMAIL PROTECTED]> Asia Pacific Network Information Centre (APNIC) Tel: +61-7-3858-3100 PO Box 2131 Milton, QLD 4064 Australia Fax: +61-7-3858-3199 __
Re: Where can I find a list of IPs and their regions.
On Mon, 9 Feb 2004 20:50:10 -0500 Matthew Crocker <[EMAIL PROTECTED]> wrote: > >> On 10.02.2004 01:43 Matthew Crocker wrote: >>> I've looked at IANA but it doesn't give enough detailed information. I >>> would like to find a list of /8 or /16s and what geographic region >>> they exist in. I know it isn't an exact science but something close >>> would be nice. I know 210/8 & 211/8 are APNIC, I'd like to know stuff >>> like 210.100/16 is Korea and 210.120/16 is China, etc. Does anyone >>> have a list I can pull from? >> >> Have a look at http://www.aso.icann.org/stats/index.html and retrieve >> up-to-date files from APNIC, ARIN, LACNIC and RIPE. >> >This is exactly what I want, thank you very much :) > >I wonder why APNIC & ARIN have delegated-*-latest files but LACNIC & >RIPE do not. grrr. This data should be accurate enough for what I'm >trying to accomplish LACNIC and RIPE-NCC do. Please see: http://www.apnic.net/mailing-lists/apnic-announce/archive/2004/01/msg2.html this has the URL for all 4 current RIR paths to the files. -George > >Thanks again > >-Matt -- George Michaelson | APNIC Email: [EMAIL PROTECTED]| PO Box 2131 Milton QLD 4064 Phone: +61 7 3858 3150 | Australia Fax: +61 7 3858 3199 | http://www.apnic.net
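The delegated-* files pointed to in the exchange above answer the "which region is this prefix in" question. The following is an added example, not APNIC's code and not part of the original thread: it parses the published delegated-file layout (registry|cc|type|start|value|date|status, where value is an IPv4 address count or an IPv6 prefix length), expands IPv4 counts that are not powers of two into CIDR blocks, and resolves an address by bisection. The file extract embedded below is constructed for illustration; the prefixes are documentation space and the country codes and dates are made up, not real allocations.

```python
"""Resolve an IP address to the country code and status recorded in the RIR
delegated-* statistics files.  Added example, not APNIC code.  The layout
registry|cc|type|start|value|date|status (value = IPv4 address count, or IPv6
prefix length) is the published exchange format; the records are constructed."""
import bisect
import ipaddress

# Constructed delegated-apnic-latest extract, with the version and summary
# lines a real file carries so the parser has to skip them.
SAMPLE = """\
2|apnic|20040209|5|19830101|20040208|+1000
apnic|*|ipv4|*|3|summary
apnic|*|ipv6|*|2|summary
apnic|KR|ipv4|203.0.113.0|256|19960101|allocated
apnic|CN|ipv4|203.0.114.0|768|19970101|allocated
apnic|AU|ipv4|203.0.120.0|2048|19980101|assigned
apnic|JP|ipv6|2001:200::|35|19990101|allocated
apnic|AU|ipv6|2001:c00::|32|20000101|allocated
"""


def parse_delegated(text):
    """Return (network, cc, status) for every ipv4/ipv6 record; other lines are skipped."""
    out = []
    for line in text.splitlines():
        f = line.split("|")
        if len(f) < 7 or f[2] not in ("ipv4", "ipv6") or f[3] == "*":
            continue                          # version header, summary, or blank line
        cc, start, value, status = f[1], f[3], int(f[4]), f[6]
        if f[2] == "ipv4":
            # 'value' is an address count and need not be a power of two, so
            # expand [start, start+value-1] into the minimal set of CIDR blocks.
            lo = ipaddress.IPv4Address(start)
            nets = ipaddress.summarize_address_range(lo, lo + value - 1)
        else:
            nets = [ipaddress.IPv6Network("%s/%d" % (start, value))]
        out.extend((net, cc, status) for net in nets)
    return out


class Lookup:
    """Address -> (cc, status, block).  Delegations never overlap, so the block that
    starts at or before the address (found by bisection) is the only candidate."""

    def __init__(self, records):
        self.blocks = {4: [], 6: []}
        for net, cc, status in records:
            self.blocks[net.version].append((int(net.network_address), net, cc, status))
        for lst in self.blocks.values():
            lst.sort(key=lambda r: r[0])
        self.starts = {v: [r[0] for r in lst] for v, lst in self.blocks.items()}

    def find(self, addr):
        addr = ipaddress.ip_address(addr)
        i = bisect.bisect_right(self.starts[addr.version], int(addr)) - 1
        if i >= 0 and addr in self.blocks[addr.version][i][1]:
            _, net, cc, status = self.blocks[addr.version][i]
            return cc, status, net
        return None                           # not delegated by this registry


if __name__ == "__main__":
    lookup = Lookup(parse_delegated(SAMPLE))
    for a in ("203.0.113.200", "203.0.116.5", "203.0.119.1", "2001:200::1", "192.0.2.1"):
        print(a, "->", lookup.find(a))
```

Concatenating all four registries' files before building the lookup gives a global map; the "value need not be a power of two" handling matters because early IPv4 records frequently carry counts such as 768 that cover more than one CIDR block.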
Re: Hijacked IP space.
Certification of internet resource allocations is being actively considered by most if not all RIRs. In the case of APNIC, this has been regarded as a likely development since our CA project started several years ago (always subject to community agreement on appropriate standards). As it happens, the IETF PKIX working group has almost completed the certificate extension specification for this very purpose, within the S-BGP framework: http://www.ietf.org/internet-drafts/draft-ietf-pkix-x509-ipaddr-as-extn-03.txt Regardless of the deployment of S-BGP, RIRs could start issuing certificates any time after specification is completed. APNIC is currently investigating this possibility. cheers -George -- George Michaelson | APNIC Email: [EMAIL PROTECTED]| PO Box 2131 Milton QLD 4064 Phone: +61 7 3367 0490 | Australia Fax: +61 7 3367 0482 | http://www.apnic.net --- On Tue, 4 Nov 2003 09:35:23 -0800 (PST) [EMAIL PROTECTED] wrote: > > On Tue, 4 Nov 2003, Bill Woodcock wrote: > > > > Should we, as a community, register with RIR's with PGP. > > > > Each of the RIRs has either already established, or is in the process of > > establishing, a CA for that purpose. Please use them. > > I'm very much for what RIRs are doing in this area (though ARIN could do > PGP together with x.509 as I mentioned back in Memphis) as it will provide > good security for communication to ARIN and making changes to RIR whois > and other data and thus in the far future should seriously decrease > possibility of hijacking even blocks when company is gone and blocks are > no longer in use. > > But let's be clear about it, what RIRs are doing as far as pgp or x.509 > are for communication between RIR and the admin of the ip space. RIRs > specifically do not want to "certify" by digital means that particular > entity has the right to that netblock. > What it means is that if you have > a customer that has this x.509 certificate from ARIN and they ask you to > announce it, you really can not see their certificate and will have to > just do regular whois like you usually do (in fact you will not even > know if the ip block whois is protected by this security feature). > > You can not actually ask them for some digital certificate signed by ARIN > showing it's their block. At these RIR signed certificates for use by > 3rd parties are really what is needed for at least automated checking > when peer or customer is asking to let their new announced block in and > adjust the filters (we are not even talking about S-BGP here, just way to > improve the security of the process of adjusting filter to announce new > routes through your network). S-BGP would be next and will also require > to use these kind of certificates as well, but as others will be quick to > mention, S-BGP proposal still needs some work before we could begin > beta-testing it. > > --- > William Leibzon > Elan Networks > [EMAIL PROTECTED]
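The PKIX extension cited in the reply above is the same mechanism the "BGP Security and PKI Hierarchies" thread earlier on this page discusses: RFC 3779 IP address block (and AS number) extensions in resource certificates, with the CA bit set on certificates used to delegate resources downward and cleared on the certificate that signs one's own route assertions. The following is an added example, not APNIC or IETF code: a minimal DER encoder and decoder for the RFC 3779 IPAddrBlocks extension (prefix and min/max range forms, both address families), plus the two checks a relying party applies when one resource certificate issues another. Everything beyond RFC 3779 itself is assumed for illustration: the dict-shaped "certificates" carry no real X.509 structure or signatures, the names RIR/LIR/EE/ROGUE are made up, and the prefixes are RFC 5737 documentation space plus a 202-203 range. The ASIdentifiers extension and the "inherit" choice are left out.

```python
"""RFC 3779 IPAddrBlocks in DER, and the two checks that matter when one resource
certificate issues another: the issuer must carry the CA bit, and the subject's
prefixes and ranges must lie inside the issuer's.  Added example, not APNIC code."""
import ipaddress

AFI = {4: b"\x00\x01", 6: b"\x00\x02"}       # addressFamily octets, no SAFI


def _tlv(tag, body):                         # DER TLV, short or long-form length
    n = len(body)
    if n >= 0x80:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(lb)]) + lb + body
    return bytes([tag, n]) + body


def _bitstr(bits):
    """BIT STRING from a '0'/'1' string; first content octet is the unused-bit count."""
    unused = (8 - len(bits) % 8) % 8
    padded = bits + "0" * unused
    return _tlv(0x03, bytes([unused]) + bytes(int(padded[i:i + 8], 2) for i in range(0, len(padded), 8)))


def _addr_bits(addr):
    return format(int(addr), "0%db" % addr.max_prefixlen)


def encode_prefix(net):
    """addressPrefix: only the leading prefix-length bits are encoded."""
    return _bitstr(_addr_bits(net.network_address)[: net.prefixlen])


def encode_range(lo, hi):
    """addressRange: min with trailing 0 bits dropped, max with trailing 1 bits dropped."""
    return _tlv(0x30, _bitstr(_addr_bits(lo).rstrip("0")) + _bitstr(_addr_bits(hi).rstrip("1")))


def encode_ip_addr_blocks(items):
    """items: ip_network objects and/or (lo, hi) address pairs -> DER IPAddrBlocks."""
    fams = b""
    for ver in (4, 6):
        mine = [x for x in items if (x[0] if isinstance(x, tuple) else x).version == ver]
        if mine:
            inner = b"".join(encode_range(*x) if isinstance(x, tuple) else encode_prefix(x) for x in mine)
            fams += _tlv(0x30, _tlv(0x04, AFI[ver]) + _tlv(0x30, inner))
    return _tlv(0x30, fams)


def blocks_from_strings(*specs):
    """'203.0.113.0/24' -> prefix form, '202.0.0.0-203.255.255.255' -> range form."""
    items = [tuple(ipaddress.ip_address(p) for p in s.split("-")) if "-" in s
             else ipaddress.ip_network(s) for s in specs]
    return encode_ip_addr_blocks(items)


def _read_tlv(buf, pos):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def _read_seq(body):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def _bits_of(val):                           # BIT STRING content -> '0'/'1' string
    s = "".join(format(b, "08b") for b in val[1:])
    return s[: len(s) - val[0]] if val[0] else s


def decode_ip_addr_blocks(der):
    """DER IPAddrBlocks -> list of inclusive (lo, hi) address pairs."""
    ranges = []
    for _, fam in _read_seq(_read_tlv(der, 0)[1]):
        (_, afi), (ctag, choice) = _read_seq(fam)
        cls, width = (ipaddress.IPv4Address, 32) if afi[:2] == AFI[4] else (ipaddress.IPv6Address, 128)
        if ctag == 0x05:                     # 'inherit' NULL: resolve via the issuer's cert
            raise ValueError("inherit not handled in this example")
        for tag, val in _read_seq(choice):
            if tag == 0x03:                  # addressPrefix
                lo_bits = hi_bits = _bits_of(val)
            else:                            # addressRange SEQUENCE { min, max }
                (_, mn), (_, mx) = _read_seq(val)
                lo_bits, hi_bits = _bits_of(mn), _bits_of(mx)
            ranges.append((cls(int(lo_bits.ljust(width, "0"), 2)), cls(int(hi_bits.ljust(width, "1"), 2))))
    return ranges


def covered(child, parent):
    """RFC 3779 path validation: every child range must sit inside some parent range."""
    return all(any(type(lo) is type(plo) and plo <= lo and hi <= phi for plo, phi in parent)
               for lo, hi in child)


def validate_issuance(issuer, subject):
    """issuer/subject: {'ca': bool, 'blocks': DER}.  Returns (ok, reason)."""
    if not issuer["ca"]:
        return False, "issuer has no CA bit: a non-CA resource cert only signs route assertions"
    if not covered(decode_ip_addr_blocks(subject["blocks"]), decode_ip_addr_blocks(issuer["blocks"])):
        return False, "subject claims resources outside the issuer's blocks"
    return True, "ok"


# Constructed chain RIR CA -> LIR CA -> end entity (no CA bit), plus a rogue claim.
CERTS = {
    "RIR": {"ca": True, "blocks": blocks_from_strings("202.0.0.0-203.255.255.255", "2001:200::/23")},
    "LIR": {"ca": True, "blocks": blocks_from_strings("203.0.113.0/24")},
    "EE": {"ca": False, "blocks": blocks_from_strings("203.0.113.0/25")},
    "ROGUE": {"ca": True, "blocks": blocks_from_strings("198.51.100.0/24")},
}

if __name__ == "__main__":
    for issuer, subject in (("RIR", "LIR"), ("LIR", "EE"), ("RIR", "ROGUE"), ("EE", "LIR")):
        print(issuer, "->", subject, validate_issuance(CERTS[issuer], CERTS[subject]))
```

The range form is what lets a registry express a block such as 202/8 plus 203/8 as one element; decoding pads min with 0 bits and max with 1 bits, which is why the encoder strips exactly those trailing bits. A real relying party would perform these checks on every certificate in the chain, and would additionally verify the signatures, which this sketch does not model.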
Re: current apnic prefixes
The APNIC web was being moved from SCO UNIX to Linux last night, and website indexing was broken until this morning, Australian time. It has now been restored, and we are looking at improving relevancy/hits/scoring methods to make searches more effective. Please accept my apologies for loss of search services. -George -- George Michaelson | APNIC Email: [EMAIL PROTECTED]| PO Box 2131 Milton QLD 4064 Phone: +61 7 3367 0490 | Australia Fax: +61 7 3367 0482 | http://www.apnic.net On Tue, 12 Nov 2002 10:59:31 -0800 Randy Bush <[EMAIL PROTECTED]> wrote: > > i find it droll that using apnic's site and searching for "prefix" > yields zero hits. > > randy
new reverse-DNS generation process at APNIC
Reverse-DNS changes for 61/8, 202/8, 203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8, 2001:0200::/23 and 2001:0C00::/23 APNIC has converted its DNS generation processes to a new system. This is in preparation for conversion to RPSL-based whois services, as APNIC generates authoritative in-addr.arpa, ip6.arpa and ip6.int reverse-DNS records directly from whois information. This conversion will also improve reverse-DNS services for the IPv4 and IPv6 ranges APNIC has responsibility for, by providing faster resolution of reverse-DNS lookup, faster termination of lookup for non-existing domains, and a more stable DNS generation process. The reverse zone of a /8 for IPv4, or a pair of /24 for IPv6, now contains all child objects directly, and intermediate zones (which we used to assert down to the edge resource records in some cases) have been withdrawn. For all IPv4 and IPv6 ranges APNIC is authoritative for, the reverse DNS zones are now generated in a more efficient manner. Updates will propagate from whois domain objects to DNS more effectively. At present APNIC re-generates the reverse DNS zones on a 2-hour cycle, every day, and only increments the zone serial on changes to resource records. This is in line with the zonefiles asserted by RIPE NCC and ARIN, and will provide a more uniform global DNS service in respect of reverse-DNS. Kind regards, George Michaelson -- George Michaelson | APNIC Email: [EMAIL PROTECTED]| PO Box 2131 Milton QLD 4064 Phone: +61 7 3858 3100 | Australia Fax: +61 7 3858 3199 | http://www.apnic.net
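The generation scheme the announcement describes (delegations written straight into the /8 or nibble-aligned /24 parent zone, no intermediate zones, serial bumped only when the resource records change) is easy to get subtly wrong, so here is an added example of the core of such a generator. It is not APNIC's code. It assumes an RPSL-style whois dump with domain: and nserver: attributes separated by blank lines, reads "a pair of /24 for IPv6" as the two nibble-aligned halves of each announced /23, and uses a digest of the sorted RRset to decide whether the serial moves. The whois extract embedded below is constructed for illustration; the name servers and delegations are not real.

```python
"""Generate the parent reverse zones (one per IPv4 /8, one per nibble-aligned
IPv6 /24) directly from RPSL-style domain objects, the flattened layout the
announcement describes.  Added example, not APNIC's generator; the object
layout (domain:/nserver: attributes) and the records below are constructed."""
import hashlib
import ipaddress

# Ranges named in the announcement; each IPv6 /23 is split into its two
# nibble-aligned /24 halves, since ip6.arpa zones cut on 4-bit boundaries.
AUTHORITATIVE = (
    "61.0.0.0/8", "202.0.0.0/8", "203.0.0.0/8", "210.0.0.0/8", "211.0.0.0/8",
    "218.0.0.0/8", "219.0.0.0/8", "220.0.0.0/8", "221.0.0.0/8",
    "2001:200::/24", "2001:300::/24", "2001:c00::/24", "2001:d00::/24",
)


def reverse_zone(net):
    """Reverse-DNS zone name for an octet-aligned IPv4 or nibble-aligned IPv6 network."""
    net = ipaddress.ip_network(net)
    if net.version == 4:
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(labels)) + ".in-addr.arpa"
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


PARENT_ZONES = [reverse_zone(n) for n in AUTHORITATIVE]


def parse_domain_objects(text):
    """Split an RPSL-style dump (blank-line separated) into (domain, [nserver]) pairs."""
    objs, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if "domain" in cur:
                objs.append((cur["domain"], cur.get("nserver", [])))
            cur = {}
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip().lower().rstrip(".")
        if key == "domain":
            cur["domain"] = val
        elif key == "nserver":
            cur.setdefault("nserver", []).append(val)
    return objs


def parent_zone(domain):
    """Authoritative parent zone a domain object delegates from, or None if outside our space."""
    for zone in PARENT_ZONES:
        if domain.endswith("." + zone):
            return zone
    return None


def build_zones(objects, previous):
    """previous: {zone: (serial, digest)} from the last run.
    Returns {zone: (serial, digest, rrs)}; the serial moves only when the RRset changed."""
    rrs = {zone: [] for zone in PARENT_ZONES}
    for domain, nservers in objects:
        zone = parent_zone(domain)
        if zone is None or not nservers:
            continue                      # not our space, or nothing to delegate
        rrs[zone].extend("%s. IN NS %s." % (domain, ns) for ns in nservers)
    out = {}
    for zone, records in rrs.items():
        records = sorted(set(records))
        digest = hashlib.sha256("\n".join(records).encode()).hexdigest()
        serial, old_digest = previous.get(zone, (0, None))
        out[zone] = (serial + (digest != old_digest), digest, records)
    return out


# Constructed whois extract: two objects inside the announced ranges, two outside,
# one with nothing to delegate.
SAMPLE = """\
domain:   113.0.203.in-addr.arpa
descr:    RFC 5737 TEST-NET-3, inside 203/8
nserver:  ns1.example.net
nserver:  ns2.example.net

domain:   2.0.192.in-addr.arpa
descr:    not in the announced ranges, must be ignored
nserver:  ns1.example.net

domain:   8.b.d.0.1.0.0.2.ip6.arpa
descr:    RFC 3849 2001:db8::/32, inside 2001:c00::/23
nserver:  ns1.example.net

domain:   0.0.4.0.1.0.0.2.ip6.arpa
descr:    not in the announced ranges, must be ignored
nserver:  ns1.example.net

domain:   5.0.203.in-addr.arpa
descr:    no nserver attribute, so no delegation
"""

if __name__ == "__main__":
    for zone, (serial, _, records) in sorted(build_zones(parse_domain_objects(SAMPLE), {}).items()):
        if records:
            print(zone, "serial", serial)
            for rr in records:
                print("   ", rr)
```

Keeping the previous (serial, digest) pair per zone, rather than diffing whole zone files, is what makes the "only on change" rule cheap on a two-hourly cycle; a real generator would also emit the SOA and the parent zone's own NS set, and would reject domain objects whose name is not at a delegation boundary it is willing to serve.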