Re: CERT Object and friends
- Date: Fri, 15 Sep 2000 12:19:00 +0200
- Organization: RIPE NCC
Dear Wilfried, Dear colleagues,
Please find attached a draft proposal of the CERT object.
Your comments and suggestions are appreciated.
Regards,
Andrei Robachevsky
DB Group Manager
RIPE NCC
"Wilfried Woeber, UniVie/ACOnet" wrote:
>
> Dear Andrei!
>
> Following up on today's discussion, could you please send the CERT Object
> (pre)draft, that you were showing to me a short while ago, to the DB-WG List?
>
> Then we can start to think about any modifications (or alternate
> approaches), and what a presumed deployment could look like.
>
> TIA,
> regards,
> Wilfried.
CERT object in the RIPE Database
-----------------------------------
Problem:
- direct contacts (admin-c, tech-c) or indirect contacts (admin-c,
tech-c of the respective maintainer) do not necessarily point to a CERT
team;
- because of this, CERT infrastructure is not reflected in the RIPE
Database, which is essential for tracing/blocking attacks, etc.;
- because of this, there is no consistent approach to securing/authenticating
transactions between CERTs or between a CERT and a user.
Goals:
- to support coordination between different CERT teams/NOCs;
- to provide contact information for reports of attacks/abuse/spam;
- to support secure/authentic transactions between CERTs and users.
Object format
--------------
The proposed cert object is a hybrid of the role and mntner objects. It
inherits contact information from the role object and
authentication/authorization features from the mntner object.
cert: [mandatory] [single] [primary/look-up key]
address: [mandatory] [multiple] [ ]
phone: [optional] [multiple] [ ]
fax-no: [optional] [multiple] [ ]
e-mail: [mandatory] [multiple] [look-up key]
admin-c: [mandatory] [multiple] [inverse key]
tech-c: [mandatory] [multiple] [inverse key]
upd-to: [mandatory] [multiple] [inverse key]
mnt-nfy: [optional] [multiple] [ ]
auth: [mandatory] [multiple] [ ]
remarks: [optional] [multiple] [ ]
notify: [optional] [multiple] [inverse key]
mnt-by: [mandatory] [multiple] [inverse key]
changed: [mandatory] [multiple] [ ]
source: [mandatory] [single] [ ]
The auth attribute points to a key-cert object.
Referencing a cert object
-------------------------
The object can be referenced from inetnum, inet6num, route (route6)
objects by using the cert-c attribute.
When updating an object with this attribute, the authorization checks
specified in the auth attribute of the referenced cert object should be
passed.
CERT related queries
--------------------
The typical use case is to find CERT contacts when the IP
address/prefix of the abuser/source of an attack/etc. is known.
A possible scenario could be:
- starting from the exact match, the database finds the smallest less
specific inetnum/route that carries a cert-c attribute;
- the result of the query is the inetnum/route object, the cert object and
the key-cert object.
A new query flag could be defined (-c in the example below) that triggers
such IP/CERT lookups:
$ whois -c 194.85.160.0
inetnum: 194.0.0.0 - 194.255.255.255
netname: EU-ZZ-194
descr: European Regional Registry
descr: Europe
country: EU
admin-c: NN32-RIPE
tech-c: CREW-RIPE
tech-c: OPS4-RIPE
status: ALLOCATED UNSPECIFIED
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: RIPE-NCC-HM-MNT
cert-c: RIPE-CERT
changed: marten@localhost 19930901
changed: GeertJan.deGroot@localhost 19941125
changed: GeertJan.deGroot@localhost 19950118
changed: david@localhost 19951019
changed: hostmaster@localhost 19960118
changed: hostmaster@localhost 19970204
changed: hostmaster@localhost 19970428
changed: roman@localhost 19980424
changed: hostmaster@localhost 19980723
changed: hostmaster@localhost 20000615
source: RIPE
cert: RIPE-CERT
address: Singel 258
address: 1016 AB Amsterdam
address: The Netherlands
phone: +31 20 535 4444
fax-no: +31 20 535 4445
e-mail: cert@localhost
upd-to: ripe-dbm@localhost
mnt-nfy: ripe-dbm@localhost
auth: PGPKEY-C059B6CM
notify: ripe-dbm@localhost
mnt-by: RIPE-DBM-MNT
changed: ripe-dbm@localhost 19970429
changed: riep-dbm@localhost 19980211
source: RIPE
key-cert: PGPKEY-C059B6CM
method: PGP
owner: cert@localhost
fingerpr: 7A B7 9A A5 AB 87 34 A2 89 BE 72 D6 57 D2 09 8D
certif: -----BEGIN PGP PUBLIC KEY BLOCK-----
certif: Version: PGP for Personal Privacy 5.0
certif:
certif: mQCNAzTpYXMAAAEEAMXSsVmnIRlAN/TOK445wLoCIL0R3d8CbuCVMMV6c3wFYr3J
certif: G0EnHtjzSH/v4U+1BEqAN1ac20DpT8yKoz4Kq3PRZPY2QdOTllDhtovQxfJeH0E7
certif: UotmT6e88sexDXV+r4lXbEF1wlwtlTr6aAvgyMNX/qvBwkfumIE1ZsPAWbbLAAUR
certif: tBVob3N0bWFzdGVyQGFsbGNvbi5uZXSJAJUDBRA06WFzgTVmw8BZtssBAVilA/0W
certif: 74jmkUDpOFcs4DufX5D9XmP0P6616xx4uO0Hop2QAv2TqloAVg5OvR3/w5caswNT
certif: +54QjeYcebwxA/Itl/XNlzTswTOZBJ8F0qIZlwQomy0nVJAzQRgIbqiVvDliRJkC
certif: ZSVBUsvHdecM6jnD6E/UKl3iHsAb9IM/yr+YiRZvIIkAlQMFEDZcmtCEBm5d7AWM
certif: dQEBOKAD/RaS124qsJuOOeM3U50IrmoCoSyoMDIfAn0GglyxXtUJNtujTdtGCJ0w
certif: cFZvlzVJnvXXF5YCIN19K2XI5ZWX1AVvtEecTH0Ulp/zdBIqqGU1E3nV9Kx5frmb
certif: CRr3Qi5HXPnDHG/L2vVWLaCeQpw3Nx+9EqH4c4MWZCuqqwM0hWIn
certif: =OyNk
certif: -----END PGP PUBLIC KEY BLOCK-----
notify: cert@localhost
mnt-by: RIPE-NCC-MNT
changed: cert@localhost 19981126
source: RIPE
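The object template, the cert-c referencing rule and the -c lookup described in the draft, as an added Python example that is not part of the RIPE NCC proposal. It models the database as blank-line-separated RPSL text. The sample objects are constructed from those printed in the draft; the 194.85.160.0 - 194.85.191.255 assignment, the EXAMPLE-NET and EXAMPLE-MNT names, the shortened key-cert object and the presented_keys notion (the key-cert ids an update was verified as signed with) are assumptions made for this example.

```python
# Added example, not part of the RIPE NCC draft: an in-memory model of the
# proposed cert object template, the cert-c reference and the "whois -c" lookup.
# SAMPLE_DB is constructed; the /19 assignment and the shortened key-cert are assumed.
import ipaddress
from collections import Counter

# Proposed cert object template: attribute -> (mandatory, single-valued)
CERT_TEMPLATE = {
    "cert": (True, True), "address": (True, False), "phone": (False, False),
    "fax-no": (False, False), "e-mail": (True, False), "admin-c": (True, False),
    "tech-c": (True, False), "upd-to": (True, False), "mnt-nfy": (False, False),
    "auth": (True, False), "remarks": (False, False), "notify": (False, False),
    "mnt-by": (True, False), "changed": (True, False), "source": (True, True),
}

SAMPLE_DB = """\
inetnum: 194.0.0.0 - 194.255.255.255
netname: EU-ZZ-194
cert-c: RIPE-CERT
source: RIPE

inetnum: 194.85.160.0 - 194.85.191.255
netname: EXAMPLE-NET
mnt-by: EXAMPLE-MNT
source: RIPE

cert: RIPE-CERT
address: Singel 258
e-mail: cert@localhost
upd-to: ripe-dbm@localhost
auth: PGPKEY-C059B6CM
mnt-by: RIPE-DBM-MNT
changed: ripe-dbm@localhost 19970429
source: RIPE

key-cert: PGPKEY-C059B6CM
method: PGP
owner: cert@localhost
fingerpr: 7A B7 9A A5 AB 87 34 A2 89 BE 72 D6 57 D2 09 8D
certif: [PGP key block omitted in this constructed sample]
source: RIPE
"""

def parse_rpsl(text):
    """Split RPSL text into blank-line separated objects; each object is an
    ordered list of (attribute, value) pairs so repeated attributes survive."""
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        attr, _, value = line.partition(":")
        current.append((attr.strip(), value.strip()))
    if current:
        objects.append(current)
    return objects

def values(obj, attr):
    return [v for a, v in obj if a == attr]

def check_cert_object(obj):
    """Template violations for a cert object; an empty list means it conforms."""
    counts = Counter(a for a, _ in obj)
    errors = []
    for attr, (mandatory, single) in CERT_TEMPLATE.items():
        if mandatory and counts[attr] == 0:
            errors.append(f"missing mandatory attribute {attr}")
        if single and counts[attr] > 1:
            errors.append(f"attribute {attr} must be single")
    errors += [f"unknown attribute {a}" for a in counts if a not in CERT_TEMPLATE]
    return errors

def inetnum_range(obj):
    start, _, end = values(obj, "inetnum")[0].partition("-")
    return (int(ipaddress.IPv4Address(start.strip())),
            int(ipaddress.IPv4Address(end.strip())))

def cert_lookup(db, ip):
    """The proposed 'whois -c' query: from the most specific inetnum containing
    ip, walk outwards to less specific ones until one carries cert-c.  Returns
    (inetnum, cert object, key-certs named in its auth), or None."""
    addr = int(ipaddress.IPv4Address(ip))
    nets = [o for o in db if values(o, "inetnum")]
    containing = [o for o in nets if inetnum_range(o)[0] <= addr <= inetnum_range(o)[1]]
    containing.sort(key=lambda o: inetnum_range(o)[1] - inetnum_range(o)[0])
    for inet in containing:
        for ref in values(inet, "cert-c"):
            cert = next(o for o in db if values(o, "cert") == [ref])
            keys = [o for o in db if values(o, "key-cert")[:1] and
                    values(o, "key-cert")[0] in values(cert, "auth")]
            return inet, cert, keys
    return None

def update_authorised(db, obj, presented_keys):
    """Rule from the draft: an update to an object carrying cert-c must pass the
    auth of the referenced cert object.  presented_keys is the (assumed) set of
    key-cert ids the update was verified as signed with; mnt-by is not modelled."""
    for ref in values(obj, "cert-c"):
        cert = next(o for o in db if values(o, "cert") == [ref])
        if not set(values(cert, "auth")) & set(presented_keys):
            return False
    return True

if __name__ == "__main__":
    db = parse_rpsl(SAMPLE_DB)
    inet, cert, keys = cert_lookup(db, "194.85.160.0")
    print(values(inet, "netname"), values(cert, "e-mail"), values(keys[0], "fingerpr"))
    print(check_cert_object(cert))
```

Running check_cert_object over the RIPE-CERT object as printed in the draft reports admin-c and tech-c as missing, because the template lists both as mandatory while the sample object omits them; that is worth reconciling before deployment. The lookup walks from the most specific containing inetnum outwards, so an assignment without its own cert-c falls through to the CERT of the enclosing allocation.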