North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: How to prove is authorized?

  • From: Chris Kilbourn
  • Date: Sat May 03 13:36:25 2003

At 1:51 PM -0500 5/2/03, John Palmer wrote:
Good judgement should prevail. Thats the problem when you start calling
for a bureaucratic solution. Bureucrats read from manuals and are inflexible.
Computers also read very rigid instruction sets and are completely inflexible and brittle and will do the same thing over and over until directed to do otherwise.

The authentication process back in 1992 when I applied for my first netblocks from the InterNIC was twofold. Firstly, I had to figure out where and how to get a netblock. Secondly, I had to secure an Internet connection and pay to have my transit provider announce it.

In the first case, I had to attain a sufficient level of clue before my forms were finally accepted. (I think that it was even one half-time position managing that entire process by hand then.) In the second case, it was a financial barrier since I was paying for transit. (~$1,500/mo for a 56K as I recall.)

Untoward events tended to be technical mistakes as opposed to outright fraudulent behavior. (Default route injection into BGP, etc.)

If you had enough clue and enough money, you were authorized to announce a network. In 1992, this used to be a reasonable barrier as there was little financial incentive to spend upwards of $20,000 for hardware and $18,000 a year for bandwidth. Plus, the InterNIC would pretty much give you what you wanted as long as you new the proper incantations on the forms.

Bottom line, it was about trust. Trust that you knew what you were doing and that you were not going to take advantage of other operators networks.

Flash forward to 2003, and the base requirements are still the same: clue and money. (And as with other processes in capitalistic societies, if you have enough money, you don't even need a clue.)

Clue is easier today to obtain since everything you need to know is a few mouse clicks away to the entire world as opposed to buried on an ftp server that only a few hundred people know about. The hardware and bandwidth costs are for all practical purposes close enough to zero not to worry about.

As as I've seen discussed here over and over, we're still operating on trust even when we know that there are network operators out there that don't give a damn if or how the technical system works as long as they are making money.

They don't care if they screw us over in the process. They blithely violate our trust because they _just_don't_care_.

Periodically we have our regular 'tragedy of the commons' discussions and we build more fences (read: filters,) and fret about the rabble that keep climbing over our fences and trampling our lands and breaking our fences.

Now we're faced with the fact that the rabble have discovered where we were getting our fence materials from (the RIR's,) and are starting to build their own fences and then we go out into our lands, spot these new fences, scratch our heads and go, "Gee, did my neighbor build that or not?"

Until we collectively get off of our butts and make something like SBGP, (I'm not advocating this method over any other, just using it as a talking point,) a requirement of network operation, we're going to continue to get screwed by unscrupulous network operators who will continue to cost us our time and our money to deal with them while they make their money.

My quick spin through the ARIN web site shows one proposed policy that basically says that there should be correct contact information for a record.

It says nothing about authentication, which is the root of our problem here. We need to re-build our web of trust somehow and then move forward from there.

I view our situation as analogous to medieval bankers. Business is growing like crazy, but unless we get our act together and build new webs of trust, authentication and information exchange, it will inhibit our ability to scale the network effectively and leave us exposed to fraud.

I'm at a point where I have some time that I can contribute to the effort, but before I go and re-invent the wheel here or tilt at a windmill, I see from the archives that there was some activity going on in 2000 with regards to this issue. Can someone point me to more recent efforts in this area?

Chris Kilbourn
digital.forest Int'l: +1-425-483-0483
where Internet solutions grow