North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: SSL for IRR queries?

  • From: Andrei Robachevsky
  • Date: Mon Jan 14 11:39:01 2002

Jake Khuon wrote:

### On Fri, 11 Jan 2002 14:45:35 -0500 (EST), Tony Tauber
### <[email protected]> casually decided to expound upon [email protected]
### the following thoughts about "SSL for IRR queries?":

TT> If there's a desire to trust information garnered
TT> from the Internet Routing Registry (eg. RADB, RIPE),
TT> it would seem that one would like a way to verify
TT> the server responding to queries.

There is implimentation work being done for rps-auth (RFC2725) by RIPE,
Merit and others I believe. This should ensure authenticated integrity of
the data. If it's query-time man-in-the-middle type attacks one is worried
about then an implimentation of rps-dist (RFC2769) addresses that issue
which I believe is being done by RIPE, Merit and others as well. I had
heard it was moved to a lower priority than implimenting rps-auth however. Perhaps someone from the RIPE db-wg could comment.

The RIPE Database server implements RPSL-auth (RFC2725) and not rpsl-dist. The specification is quite complex and requires a lot of coordination efforts between the registries; so that near real-time mirroring of several major RR was considered more feasible at the moment.

Our further development prospects are still aimed at making update path more secure, and perhaps implementing SSL for updates in the first place. Anyway, discussion of this feature may be appropriate within the RIPE Database WG ([email protected] mailing list).

Andrei Robachevsky