Proof of ownership; when someone demands you remove a prefix
In this case we defaulted to trusting our customer and their LOA over a stranger on the Internet and asked our customer to review the request. Unfortunately, that doesn't necessarily mean a stranger on the Internet isn't the actual assignee. A means to definitively prove "ownership" from a technical angle would be great.
In the example provided in my original e-mail, it appears that an IP broker or related scammer gained access to the assignee's RIR account and made some object updates (e-mail, country, etc.) that they could use to "prove" they had authority to make the request. I assume their offer of proof would have been to send us an email from the dubious @yahoo.com account they had listed as the admin contact.
I agree with a private response that I received that at some point lawyers probably need to take over if a technical solution to verification is not reached.
I'm not terribly current on resource certification, but would RPKI play a role here? It looks like its application is limited to authenticating the announcement of resources to prevent route hijacking. If you've authorized a 3rd party to announce your routes, could you assign a certificate to that 3rd party for a specific resource and then revoke it if they are no longer authorized? Would it matter if someone gains access to your RIR/LIR account and revokes the certificate? This would assume protocol compatibility, that everyone is using it, etc.
From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Jason Hellenthal
Sent: Monday, March 12, 2018 6:40 PM
To: George William Herbert <george.herbert at gmail.com>
Cc: nanog at nanog.org
Subject: Re: Proof of ownership; when someone demands you remove a prefix
How about signed ownership? (https://keybase.io) If you are able to update the record … and it is able to be signed then shouldn't that be proof enough of ownership of the ASN?
If you can update a forward DNS record then you can have the reverse record updated in the same sort of fashion and signed by a third party to provide first party of authoritative ownership… Assuming you have an assigned ASN and the admin has taken the time to let alone understand the concept and properly prove the identity in the first place… (EV cert?)
Just a light opinion from … https://jhackenthal.keybase.pub
Trust is a big issue these days and validation even worse given SSL trust.
The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.
> On Mar 12, 2018, at 21:20, George William Herbert <george.herbert at gmail.com> wrote:
> Sent from my iPhone
>> On Mar 12, 2018, at 4:11 PM, Randy Bush <randy at psg.com> wrote:
>> it's a real shame there is no authoritative cryptographically verifiable
>> attestation of address ownership.
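As an added illustration of the RPKI question raised in the message above (not part of the original thread), this Python example implements RFC 6811 route origin validation over a constructed set of ROAs and shows what changes when a third party's authorization is withdrawn. The prefixes and ASNs are documentation values, and the `revoke` helper is hypothetical.

```python
import ipaddress

# Constructed sample ROAs (documentation prefixes and ASNs, not real data).
# Each entry: (prefix, maxLength, authorized origin ASN)
ROAS = [
    ("192.0.2.0/24", 24, 64500),   # resource holder's own AS
    ("192.0.2.0/24", 24, 64511),   # third party the holder authorized
    ("2001:db8::/32", 48, 64500),
]


def validate(prefix, origin_asn, roas):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA covers the route if the route lies inside the ROA prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # A covering ROA matches if the origin AS agrees and the
        # announcement is no more specific than maxLength allows.
        if asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered by some ROA but matched by none: invalid.
    # Covered by no ROA at all: not-found.
    return "invalid" if covered else "not-found"


def revoke(roas, prefix, asn):
    """Hypothetical helper: model withdrawing one ROA from the published set."""
    return [r for r in roas if not (r[0] == prefix and r[2] == asn)]


if __name__ == "__main__":
    print(validate("192.0.2.0/24", 64511, ROAS))        # third party, authorized
    after = revoke(ROAS, "192.0.2.0/24", 64511)
    print(validate("192.0.2.0/24", 64511, after))       # authorization withdrawn
    none_left = revoke(after, "192.0.2.0/24", 64500)
    print(validate("192.0.2.0/24", 64511, none_left))   # no covering ROA remains
```

The result reflects only what is currently published under the RIR account: the validator checks origin authorization for an announcement and has no way to tell which party made the change to the ROA set.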