IRT Object FAQ
Contents
- Why use an IRT object?
- Where do I find more information on this object?
- How do I obtain an IRT object?
- How do the tools work?
- What webtools query for the IRT object?
- How to handle more than one level of incident handling
(SPAM complaints for example)?
- Are links to different IRT objects possible?
- Why can I not link my IRT object to AS objects?
- How do I implement a hierarchy of CSIRTs?
- What if I am not a member of the Trusted Introducer
but I have a lot of IRT objects to register?
- How do I mass-link my INETNUM objects to my IRT object?
- How do I let my regular RIPE object-maintainer link
INETNUM objects to my IRT object without my involvement?

Q: Why use an IRT object?
A: It enables complaints about Internet security issues to be
routed to the appropriate person.

Q: Where do I find more information on this object?
A: More information can be found in the "RIPE Database Reference Manual":
http://www.ripe.net/ripe/docs/databaseref-manual.html
You can also refer to ripe-254, "IRT Object in the RIPE Database":
http://www.ripe.net/ripe/docs/irt-object.html

Q: How do I obtain an IRT object?
A: Either through the RIPE NCC directly or through a trustbroker.
- A trustbroker is registered with the Database Administration to act
as a single point of contact for creation of irt objects.
There is currently only one registered trustbroker, the European Trusted Introducer (TI).
- To register through the RIPE NCC directly, read the creation procedure
as explained in ripe-254, "IRT Object in the RIPE Database".
http://www.ripe.net/ripe/docs/irt-object.html#creation_procedure

Q: How do the tools work?
A: There is currently just one tool to look specifically for irt
objects in the RIPE Database, the RIPE Whois-client.
Using the '-c' flag you will get the smallest specific inet(6)num
object containing an "mnt-irt:" attribute. A second query is
needed to obtain the irt object itself. Use the '-r'
flag of the RIPE Whois tool to disable recursion and avoid unwanted information
as a result of your query.
meijer@kruimel:~$ whois -h whois.ripe.net -c 192.87.108.3
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 192.87.108.0 - 192.87.111.255
netname: SIPLAN
descr: SURFnet bv
descr: Utrecht
country: NL
admin-c: SENS1-RIPE
tech-c: SENS1-RIPE
status: ASSIGNED PA
notify: sens@surfnet.nl
notify: info@SURFnet.nl
mnt-by: SN-LIR-MNT
mnt-irt: irt-CERT-NL
changed: Erik-Jan.Bos@surfnet.nl 19961219
changed: ripe-dbm@ripe.net 19990706
changed: jan.meijer@surfnet.nl 20000417
changed: jan.meijer@surfnet.nl 20010315
changed: Derk.Reinders@SURFnet.nl 20010326
changed: Rogier.Spoor@SURFnet.nl 20020607
source: RIPE
role: SURFnet Services and Support
address: Radboudkwartier 273
address: 3511 CK Utrecht
address: The Netherlands
phone: +31 30 2305305
fax-no: +31 30 2305329
e-mail: SenS@surfnet.nl
admin-c: JS489-RIPE
tech-c: JS489-RIPE
nic-hdl: SENS1-RIPE
notify: info@SURFnet.nl
notify: SenS@surfnet.nl
mnt-by: SN-LIR-MNT
mnt-by: SN-LIR-MNT
changed: Jan.Meijer@surfnet.nl 19980107
changed: Derk.Reinders@SURFnet.nl 20010326
source: RIPE
meijer@kruimel:~$ whois -h whois.ripe.net -r irt-CERT-NL
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
irt: irt-CERT-NL
address: p/a SURFnet bv
address: Postbus 19035
address: 3501 DA Utrecht
phone: +31 30 2305305
fax-no: +31 30 2305329
e-mail: cert-nl@surfnet.nl
signature: PGPKEY-A6D57ECE
encryption: PGPKEY-A6D57ECE
admin-c: SAM36-RIPE
tech-c: SAM36-RIPE
auth: PGPKEY-834125A1
auth: PGPKEY-3D10C493
remarks: CERT-NL is the Computer Emergency Response Team of SURFnet
remarks: This is a level 2 IRT (http://www.ti.terena.nl/teams/level2.html)
irt-nfy: cert-nl@SURFnet.nl
notify: info@SURFnet.nl
notify: tiirt@stelvio.nl
mnt-by: TRUSTED-INTRODUCER-MNT
changed: menno.pieters@stelvio.nl 20020305
source: RIPE
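
The two-step lookup described in this answer, as an added shell example that is not part of the original FAQ. The function names and the abridged sample replies are constructed for illustration, and the irt name returned by the first query is treated as untrusted before it is passed to the second query.

```shell
#!/bin/sh
# Added example (names and sample replies are constructed): IRT contact lookup.

# Step 1 parser: print each distinct "mnt-irt:" value found in a "-c" reply.
# The reply is untrusted input, so only names shaped like "irt-..." pass;
# a value starting with "-" never reaches the second whois command line.
extract_mnt_irt() {
    awk 'tolower($1) == "mnt-irt:" &&
         tolower($2) ~ /^irt-[a-z0-9_-]+$/ &&
         !seen[tolower($2)]++ { print $2 }'
}

# Step 2 parser: print "irt-name e-mail" for each irt object in a reply.
# "irt-nfy:" and "notify:" are update notifications, not the contact address.
extract_irt_contacts() {
    awk 'NF == 0 { name = ""; next }           # blank line ends an object
         /^%/    { next }                      # server comment line
         { key = tolower($1) }
         key == "irt:" { name = $2; next }
         key == "e-mail:" && name != "" { print name, $2 }'
}

# Both steps against the live server (needs network access; not run here).
irt_contacts_for_ip() {
    case $1 in ''|*[!0-9A-Fa-f.:]*) echo "not an IP address: $1" >&2; return 2 ;; esac
    whois -h whois.ripe.net -r -c "$1" | extract_mnt_irt |
    while read -r irt; do
        whois -h whois.ripe.net -r "$irt" </dev/null | extract_irt_contacts
    done
}

# Constructed replies, abridged from the output shown in this FAQ.
sample_inetnum_reply() { cat <<'EOF'
% This is the RIPE Whois server.

inetnum:  192.87.108.0 - 192.87.111.255
mnt-by:   SN-LIR-MNT
mnt-irt:  irt-CERT-NL
source:   RIPE
EOF
}
sample_irt_reply() { cat <<'EOF'
irt:      irt-CERT-NL
e-mail:   cert-nl@surfnet.nl
irt-nfy:  cert-nl@SURFnet.nl
EOF
}
sample_inetnum_reply | extract_mnt_irt        # irt-CERT-NL
sample_irt_reply | extract_irt_contacts       # irt-CERT-NL cert-nl@surfnet.nl
```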

Q: What webtools query for the IRT object?
A: A webtool that can be used to query for irt
objects is the CERT-Polska webquery-tool. This can be found at:
- http://www.cert.pl/cgi-bin/ipdig.pl

Q: How to handle more than one level of incident handling
(SPAM complaints for example)?
A: There are two ways to implement multi-level incident handling. The
first method involves using multiple "e-mail:" attributes and
accompanying "remarks:" attributes inside an irt
object. The second method is to link to multiple irt
objects in your inetnum objects and indicate the purpose
of each, again by using "remarks:" attributes.

Q: Are links to different IRT objects possible?
A: Yes. The inetnum specification defines this:
mnt-irt: [optional] [multiple] [inverse key]

Q: Why can I not link my IRT object to AS objects?
A: When the irt object was introduced, it was
decided to implement it only in the inetnum object. Implementation
into the AS object is being considered. This will depend
on how widely it is used in inetnum objects.

Q: How do I implement a hierarchy of CSIRTs?
A: There are two ways. The first is to reference different irt objects
in the inetnum hierarchy. In the following example the inetnum
object UK-V4 references IRT-UK, and the larger inetnum
object UNIVIE references IRT-ACOnet-CERT:
meijer@gebbetje:~$ whois -h whois.ripe.net -r -c 131.130.0.0
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 131.130.0.0 - 131.130.255.255
netname: UNIVIE
descr: LAN University of Vienna
country: AT
admin-c: HS118
tech-c: UVNA1-RIPE
mnt-by: AS760-MNT
mnt-irt: IRT-ACOnet-CERT
status: ASSIGNED PI
changed: porten@mvs.gmd.de 19900816
changed: dfk@cwi.nl 19900917
changed: Ewald.Jenisch@cc.univie.ac.at 19930315
changed: ripe-dbm@ripe.net 20000225
changed: woeber@cc.univie.ac.at 20010626
changed: panigl@cc.univie.ac.at 20010629
source: RIPE
meijer@gebbetje:~$ whois -h whois.ripe.net -r -c 131.130.7.33
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 131.130.7.32 - 131.130.7.47
netname: UK-V4
mnt-irt: IRT-UK
descr: LAN Ulrich Kiermayr
country: AT
admin-c: UK6107-RIPE
tech-c: UK3
mnt-by: AS760-MNT
mnt-by: UK-MNT
status: ASSIGNED PA
changed: ulrich.kiermayr@univie.ac.at 20020822
source: RIPE
The other way is to reference multiple irt objects
in the most specific inetnum object, but that does not
convey how the hierarchy is made up. It is the only way if there is
no IP hierarchy that is usable for this purpose. This might occur with
legacy class B/C addresses, where a constituent wants to add its
own irt object as well as that of the NREN/LIR, and
the LIR does not control the less specific inetnum object. In that
case the only way is to use both irt objects.

Q: What if I am not a member of the Trusted Introducer
but I have a lot of IRT objects to register?
A: There are four possibilities:
- Have them all become Trusted Introducer accredited teams.
- Have all of them go through ripe-dbm@ripe.net.
- Approach some other organisation to become an irt object
registrar.
- Set up your own irt object registrar.

Q: How do I mass-link my INETNUM objects to my IRT object?
A: Normally you do not have to do this. It is sufficient to link
the inetnum that is less specific than your other inetnums
(usually an allocation inetnum), because a query with the '-c' flag
returns the smallest specific inet(6)num object with an "mnt-irt:"
attribute.
If you really need to do this, it can be done as follows. If your
inetnum objects have an "mnt-by:" attribute,
it is straightforward. Retrieve all your inetnum objects
by querying for that "mnt-by:" attribute, modify them to include
the irt object reference and add a "changed:"
attribute line to every object.
Query for all your inetnum objects:
meijer@gebbetje:~$ whois -h whois.ripe.net -Tinetnum -i mnt-by SN-LIR-MNT -r > snlirmnt.txt
See the RIPE Database Reference Manual, section 2.8, on access controls.
The '-r' flag prevents you from coming up against these access controls.
Update your inetnum objects using, for example, a variant
on this script:
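# Select each inetnum object whose range starts in 194.171.x.x, up to the
# blank line that ends the object. The dots are escaped so that they match
# a literal "." and the prefix is anchored to the start of the range.
/^inetnum:[[:space:]]*194\.171\./,/^$/{
# After the SN-LIR-MNT "mnt-by:" line, append the irt reference.
/^mnt-by:.*SN-LIR-MNT/{
a\
mnt-irt: irt-CERT-NL
}
# Before the "source:" line, insert the new "changed:" line.
/^source:.*RIPE/{
i\
changed: Rogier.Spoor@SURFnet.nl
}
# sed runs with -n, so only the lines of selected objects are printed.
p
}
# Call this script like this (<script-file> is a placeholder for the file
# holding this script; snlirmnt.txt is the query output saved above):
# sed -n -f <script-file> snlirmnt.txt
# This script searches for inetnums in the range 194.171.0.0/16
# and adds a MNT-IRT and "changed" to them.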
Send your updated inetnum objects to the RIPE Database
using your usual method(s).
The update itself can be one large e-mail containing all the updated
inetnum objects. This e-mail, assuming you are using PGP
as your authentication method, can be signed as a whole; it is not necessary
to sign all the individual inetnum entries. Although
the message size limit is fairly generous, you should try to keep the
overall size of the e-mail to less than three megabytes.

Q: How do I let my regular RIPE object-maintainer link
INETNUM objects to my IRT object without my involvement?
A: Include the PGP authentication key of your RIPE object-maintainer
in your IRT object. Looking at the irt-CERT-NL object
you can see that two "auth:" attributes are defined. They contain
the authorisation keys used by the SN-LIR-MNT, which is the SURFnet maintainer
object responsible for updating SURFnet inetnum objects.
There is no security risk involved: only the maintainer of your IRT object
can modify your IRT object. What you do by adding the "auth:"
attribute is to give another maintainer the right to link its inetnum
objects to your irt object. Please read chapter 5,
"Authorisation checks", of ripe-254, "IRT Object in the RIPE Database",
for a precise definition of the authorisation
checks in the IRT object.
irt: irt-CERT-NL
address: p/a SURFnet bv
address: Postbus 19035
address: 3501 DA Utrecht
phone: +31 30 2305305
fax-no: +31 30 2305329
e-mail: cert-nl@surfnet.nl
signature: PGPKEY-A6D57ECE
encryption: PGPKEY-A6D57ECE
admin-c: SAM36-RIPE
tech-c: SAM36-RIPE
auth: PGPKEY-834125A1 <--------!first SN-LIR-MNT authorisation key
auth: PGPKEY-3D10C493 <--------!second SN-LIR-MNT authorisation key
remarks: CERT-NL is the Computer Emergency Response Team of SURFnet
remarks: This is a level 2 IRT (http://www.ti.terena.nl/teams/level2.html)
irt-nfy: cert-nl@SURFnet.nl
notify: info@SURFnet.nl
notify: tiirt@stelvio.nl
mnt-by: TRUSTED-INTRODUCER-MNT
changed: menno.pieters@stelvio.nl 20020305
source: RIPE
mntner: SN-LIR-MNT
descr: SURFnet LIR Maintainer
admin-c: SAM36-RIPE
tech-c: SNS1-RIPE
upd-to: info@surfnet.nl
auth: PGPKEY-3D10C493 <--------!first SN-LIR-MNT authorisation key
auth: PGPKEY-834125A1 <--------!second SN-LIR-MNT authorisation key
notify: info@surfnet.nl
mnt-by: AS1103-MNT
referral-by: RIPE-DBM-MNT
changed: Peter.Hinrich@SURFnet.nl 20000128
changed: Peter.Hinrich@SURFnet.nl 20000725
changed: Wim.Biemolt@SURFnet.nl 20020211
source: RIPE
mntner: TRUSTED-INTRODUCER-MNT
descr: Maintainer for Trusted Introducer Accredited CSIRT teams
admin-c: DS660-RIPE
tech-c: MP2890-RIPE
tech-c: GHB1-RIPE
upd-to: tiirt@s-cure.nl
mnt-nfy: tiirt@s-cure.nl
auth: PGPKEY-7F74D279
auth: PGPKEY-CD60C417
auth: PGPKEY-7111E05E
notify: ti@s-cure.nl
mnt-by: TRUSTED-INTRODUCER-MNT
referral-by: RIPE-DBM-MNT
changed: Menno.Pieters@Stelvio.nl 20020219
changed: Menno.Pieters@Stelvio.nl 20020305
changed: Menno.Pieters@Stelvio.nl 20021030
changed: Menno.Pieters@Stelvio.nl 20030122
changed: Menno.Pieters@Stelvio.nl 20030720
changed: Menno.Pieters@Stelvio.nl 20030909
source: RIPE
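
A quick check of the setup shown above, as an added shell example that is not part of the original FAQ: it lists which "auth:" keys of a maintainer also appear in the irt object. The function name and the abridged objects are constructed, and the comparison covers key identifiers only; the actual authorisation checks are those defined in ripe-254.

```shell
#!/bin/sh
# Added example (function name and sample input are constructed): list the
# maintainer's PGP keys that also appear as "auth:" in the irt object.

# usage: shared_auth_keys IRT-NAME MNTNER-NAME < objects
# Prints the shared key identifiers in the maintainer's order; the exit
# status is 1 when the two objects have no "auth:" value in common.
shared_auth_keys() {
    awk -v irt="$1" -v mnt="$2" '
        NF == 0 { cur = ""; next }                 # blank line ends an object
        { key = tolower($1); val = toupper($2) }
        key == "irt:"    { cur = (val == toupper(irt)) ? "irt" : ""; next }
        key == "mntner:" { cur = (val == toupper(mnt)) ? "mnt" : ""; next }
        key == "auth:" && cur == "irt" { in_irt[val] = 1 }
        key == "auth:" && cur == "mnt" { keys[++n] = val }
        END {
            for (i = 1; i <= n; i++)
                if (keys[i] in in_irt) { print keys[i]; found = 1 }
            exit !found
        }'
}

# Constructed input: the three objects from this FAQ, abridged.
sample_objects() { cat <<'EOF'
irt:     irt-CERT-NL
auth:    PGPKEY-834125A1
auth:    PGPKEY-3D10C493
mnt-by:  TRUSTED-INTRODUCER-MNT

mntner:  SN-LIR-MNT
auth:    PGPKEY-3D10C493
auth:    PGPKEY-834125A1
mnt-by:  AS1103-MNT

mntner:  TRUSTED-INTRODUCER-MNT
auth:    PGPKEY-7F74D279
auth:    PGPKEY-CD60C417
auth:    PGPKEY-7111E05E
mnt-by:  TRUSTED-INTRODUCER-MNT
EOF
}

sample_objects | shared_auth_keys irt-CERT-NL SN-LIR-MNT
sample_objects | shared_auth_keys irt-CERT-NL TRUSTED-INTRODUCER-MNT ||
    echo "TRUSTED-INTRODUCER-MNT: no key in common with irt-CERT-NL"
```

In the sample, both SN-LIR-MNT keys are found in the irt object, while the keys of TRUSTED-INTRODUCER-MNT, the irt object's own "mnt-by:" maintainer, are not among its "auth:" attributes.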
This document was first created by jan.meijer@surfnet.nl
and is used with permission.