Home page logo

nanog logo nanog mailing list archives

Re: Thanks & Let's Prevent this in the Future.
From: Mark Tinka <mtinka () globaltransit net>
Date: Mon, 6 Feb 2012 13:01:20 +0800

On Thursday, February 02, 2012 01:00:43 AM George Bonser 

One problem is the number of routing registries and the
requirements differ for them.  The nefarious operator
can enter routes in an IRR just as easily as a
legitimate operator.  There was a time when some
significant networks used the IRRs for their filtration
policy.  I'm not sure how many still do.

I've dealt with AfriNIC and APNIC WHOIS databases, and they 
normally control the 'inetnum' and inet6num' entries that go 
into the WHOIS databases. So there is some degree of 
certainty that what is in there is generally true.

You're right, anyone can create an IRR record, and it's 
quite terrible how easy it is to create false information 
that could break another person's network. This is why we 
don't generally trust IRR or PeeringDB data when verifying 
downstream prefixes which we should permit through our 
filters. We rely on the RIR 'inetnum' and 'inet6num' records 
for that.

My memory fails me on what ARIN do, but before AfriNIC was 
established and the majority of Africa's prefixes were 
allocated by RIPE and ARIN, I recall the ARIN policy (SWIP 
templates, et al) being a hassle-rich experience that 
anything else is long forgotten :-).


Attachment: signature.asc
Description: This is a digitally signed message part.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]