 
            -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Apologies for wading into something that isn't my area, but I just noticed Friday's story on the Register: http://www.theregister.co.uk/2014/11/14/dormant_web_space_ripe_for_hijacking... On 17/11/14 08:21, Sander Steffann wrote:
Hi Ronald,
It now seems certain to me that the absence of anything even remotely approximating proper validation of RIPE route objects is not, in fact, a problem which is limited to just inter-RiR situations. Apparently, RIPE member LIRs can just as easily hijack the IP blocks of other RIPE members as they can in the case of IP blocks belonging to parties in other regions.
I don't think so...
As a routing newbie, I'd appreciate clarification on what exactly *is* different between the case where the inetnum and the ASN are both allocated by RIPE, and an "inter-RIR" route. And *should* anything be different?
To be able to create the route object
route: 188.229.1.0/24 descr: Netserv-Client origin: AS43890 mnt-by: NETSERV-MNT source: RIPE
Authorisation from both the address block
inetnum: 188.229.0.0 - 188.229.63.255 netname: LTE-4G descr: new service for data country: IR admin-c: RL7844-RIPE tech-c: RL7844-RIPE status: ASSIGNED PA mnt-by: MCCI-MNT source: RIPE
and the AS number
aut-num: AS43890 as-name: NETSERV-AS descr: Netserv Consult SRL [...] org: ORG-SNCS6-RIPE status: ASSIGNED mnt-by: NETSERV-MNT mnt-by: RIPE-NCC-END-MNT mnt-routes: NETSERV-MNT source: RIPE
is required. So the route cannot be created unless MCCI-MNT and NETSERV-MNT both authorise it.
Such has been my limited experience with administering the RIPEdb: the object isn't published until identical ones are added by the maintainer of the netblock and the maintainer of the ASN. So is not the RIPE database of prefixes itself relatively secure even without RPKI? Do we think the authorisation for MCCI-MNT has been compromised? Is the absence of a "mnt-routes" attribute in the netblock significant? And even without this object: % Information related to '188.229.16.0/24AS43890' route: 188.229.16.0/24 descr: Netserv-Client origin: AS43890 mnt-by: NETSERV-MNT source: RIPE # Filtered What is to prevent AS43890 (or something claiming to be AS43890) advertising this prefix via BGP? What action *can* RIPE take?
I understand that the route objects look a little weird, but what makes you think that it is an authorisation problem in the RIPE DB that made it possible for someone to create them?
Cheers, Sander
Thanks for everyone's work on this, and for future clarifications. Back to lurking... - -- All best wishes, Cedric Knight -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJUabeMAAoJEN5s/jLcInyImj8P/2O99AajMeIW9t8t/BSaP6lu HKV2MgnICF1iAHrizENXLNm1WxwwO8I2EJrw1PDO7KsDoUfe2QoZd1IZf5RrzLH/ qWn8fBTWNeTY/n6hpEAhbVOjKfhM+iFbqEEyWkCQr/5kZGZDiJruFWDVABoFqv8S pw646gjoUyUJgDtdP1il3b73QCZLF26tElRdce0YA2XfGmNHTc1IYYPHyRXtVXvq DfqdDeadLte3AkN2AQPPiSYoAJPnxIqer+GwW5+wP+54PoHhDISKQuZK5l1JGj7O wwiof4fxiRWNEQybrrQ8kJKjwDijfwgzy5vDcCWvg5/s2FWNYU2twGBcl8XMu8HM TBzW3A6PCFTqeLtqctNHmLDlDozGiYRp8L4Nebsw7wIu2Meo1jycBUpjzC2+ukOY cgv8T6IfqgCkge3bf48fqs54QRiE/dROtZAiH4JLg9aKnr8UbNGAtEZMOAmKmwxl lOesKf/e8cUyVKFKEJwkT/xATOjGFHYsIgMv2sLNyh9kbffkbP5s7w1LDihMnCgW UEEa6+35PRXZxd5IdUpCElScVxB0zskihzIz0tCHhVEXNza50Gb56z0aMOO0yU3l JZFM5kyFxsjTy2LY5Ce6cVos/1XyUOu4wLVQ89uXVnsfrJiEZ8Ils21fUneFfeLn THtpD4DQZsxVeegcaCP2 =DoVE -----END PGP SIGNATURE-----