You are here: Home > Manage IPs and ASNs > RIPE Database > FAQ: RIPE Database > FAQ: IRT Object

FAQ: IRT Object

An IRT enables complaints about Internet security issues to be routed to the appropriate person.
Show or Hide answer Why use an IRT object?

It enables complaints about Internet security issues to be routed to the appropriate person.

Show or Hide answer Where do I find more information on this object?

More information can be found in the RIPE Database Documentation Library

Show or Hide answer How do I obtain an IRT object?

Either through the RIPE NCC directly or through a trustbroker.

- A trustbroker is registered with the Database Administration to act as a single point of contact for creation of irt objects. There is currently only one registered trustbroker, the European Trusted Introducer (TI).

- To register through the RIPE NCC directly, read the creation procedure in RIPE IRT object - Technical HOW TO.

Show or Hide answer How do the tools work?

There is currently just one tool to look specifically for irt objects in the RIPE Database, the RIPE Whois-client. Using the '-c' flag you will get the smallest specific inet(6)num object containing an "mnt-irt:" attribute. A second query is needed to obtain the irt object itself. Use the '-r' flag of the RIPE Whois tool to disable recursion and avoid unwanted information as a result of your query.

 

meijer@kruimel:~$ whois -h whois.ripe.net -c 192.87.108.3
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

inetnum: 192.87.108.0 - 192.87.111.255
netname: SIPLAN
descr: SURFnet bv
descr: Utrecht
country: NL
admin-c: SENS1-RIPE
tech-c: SENS1-RIPE
status: ASSIGNED PA
notify: sens@surfnet.nl
notify: info@SURFnet.nl
mnt-by: SN-LIR-MNT
mnt-irt: irt-CERT-NL
changed: Erik-Jan.Bos@surfnet.nl 19961219
changed: ripe-dbm@ripe.net 19990706
changed: jan.meijer@surfnet.nl 20000417
changed: jan.meijer@surfnet.nl 20010315
changed: Derk.Reinders@SURFnet.nl 20010326
changed: Rogier.Spoor@SURFnet.nl 20020607
source: RIPE

role: SURFnet Services and Support
address: Radboudkwartier 273
address: 3511 CK Utrecht
address: The Netherlands
phone: +31 30 2305305
fax-no: +31 30 2305329
e-mail: SenS@surfnet.nl
admin-c: JS489-RIPE
tech-c: JS489-RIPE
nic-hdl: SENS1-RIPE
notify: info@SURFnet.nl
notify: SenS@surfnet.nl
mnt-by: SN-LIR-MNT
mnt-by: SN-LIR-MNT
changed: Jan.Meijer@surfnet.nl 19980107
changed: Derk.Reinders@SURFnet.nl 20010326
source: RIPE

meijer@kruimel:~$ whois -h whois.ripe.net -r irt-CERT-NL
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

irt: irt-CERT-NL
address: p/a SURFnet bv
address: Postbus 19035
address: 3501 DA Utrecht
phone: +31 30 2305305
fax-no: +31 30 2305329
e-mail: cert-nl@surfnet.nl
signature: PGPKEY-A6D57ECE
encryption: PGPKEY-A6D57ECE
admin-c: SAM36-RIPE
tech-c: SAM36-RIPE
auth: PGPKEY-834125A1
auth: PGPKEY-3D10C493
remarks: CERT-NL is the Computer Emergency Response Team of SURFnet
remarks: This is a level 2 IRT (http://www.ti.terena.nl/teams/level2.html)
irt-nfy: cert-nl@SURFnet.nl
notify: info@SURFnet.nl
notify: tiirt@stelvio.nl
mnt-by: TRUSTED-INTRODUCER-MNT
changed: menno.pieters@stelvio.nl 20020305
source: RIPE
Show or Hide answer What webtools query for the IRT object?

A Webtool that can be used to query for irt objects is the CERT-Polska webquery-tool.


Show or Hide answer How do I handle more than one level of incident handling (SPAM complaints for example)?

There are two ways to implement multi-level incident handling. The first method involves using multiple "e-mail:" attributes and accompanying "remarks:" attributes inside an irt object. The second method is to link to multiple irt objects in your inetnum objects and indicate the purpose of each, again by using "remarks:" attributes.

Show or Hide answer Are links to different IRT objects possible?

A: Yes. The inetnum specification defines this:

mnt-irt: [optional] [multiple] [inverse key] 
Show or Hide answer Why can I not link my IRT object to AS objects?

When the irt object was introduced, it was decided to implement it only in the inetnum object. Implementation into the AS object is being considered. This will depend on how widely it is used in inetnum objects.

Show or Hide answer How do I implement a hierarchy of CSIRTs?

There are two ways: By referencing different irt objects in the inetnum-hierarchy. In the following example the inetnum object UK-V4 references the IRT-UK: The larger inetnum object UNIVIE references the IRT-ACOnet-CERT:

meijer@gebbetje:~$ whois -h whois.ripe.net -r -c  131.130.0.0
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum:      131.130.0.0 - 131.130.255.255
netname:      UNIVIE
descr:        LAN University of Vienna
country:      AT
admin-c:      HS118
tech-c:       UVNA1-RIPE
mnt-by:       AS760-MNT
mnt-irt:      IRT-ACOnet-CERT
status:       ASSIGNED PI
changed:      porten@mvs.gmd.de 19900816
changed:      dfk@cwi.nl 19900917
changed:      Ewald.Jenisch@cc.univie.ac.at 19930315
changed:      ripe-dbm@ripe.net 20000225
changed:      woeber@cc.univie.ac.at 20010626
changed:      panigl@cc.univie.ac.at 20010629
source:       RIPE

meijer@gebbetje:~$ whois -h whois.ripe.net -r -c 131.130.7.33
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum:      131.130.7.32 - 131.130.7.47
netname:      UK-V4
mnt-irt:      IRT-UK
descr:        LAN Ulrich Kiermayr
country:      AT
admin-c:      UK6107-RIPE
tech-c:       UK3
mnt-by:       AS760-MNT
mnt-by:       UK-MNT
status:       ASSIGNED PA
changed:      ulrich.kiermayr@univie.ac.at 20020822
source:       RIPE


Another way would be to reference multiple irt objects in the most specific inetnum object, but that does not convey how the hierarchy is made up. This is the only way if there is no IP hierarchy that is usable for this purpose. This might occur with legacy class B/C addresses where one constituent might want to add his own irt object as well as the one of the NREN/LIR and the LIR does not also control the less-specific. Then the only way is for you to use both irt objects.

 

Show or Hide answer What if I am not a member of the Trusted Introducer but I have a lot of IRT objects to register?

There are four possibilities:

  • Have them all become Trusted Introducer accredited teams.
  • Have all of them go through ripe-dbm@ripe.net.
  • Approach some other organisation to become an irt object registrar.
  • Set up your own irt object registrar.
Show or Hide answer How do I mass-link my INETNUM objects to my IRT object?

Normally you do not have to do this. It is sufficient to link the inetnum that is less specific to other inetnums (which would usually be an allocation inetnum) would be enough, because if the query uses a '-c' flag, the smallest specific inet(6)num object with an "mnt-irt:" attribute will be returned.

If you really need to do this, this can be done as follows: If your inetnum objects have a "mnt-by:" attribute, it is straightforward. Retrieve all your inetnum objects by querying for that "mnt-by:" attribute, modify them to include the irt object reference and add a "changed:" attribute line to every object.

Query for all your inetnum objects:

meijer@gebbetje:~$ whois -h whois.ripe.net -Tinetnum -i mnt-by SN-LIR-MNT -r > snlirmnt.txt
The RIPE Database reference manual, section 2.8. The '-r' flag prevents you coming up against these access-controls.

Update your inetnum objects using, for example, a variant on this script:
/^inetnum.*194.171.*/,/^$/{
/^mnt-by.*SN-LIR-MNT/{
         a\
mnt-irt:      irt-CERT-NL
}
/^source:.*RIPE/{
	 i\
changed:      Rogier.Spoor@SURFnet.nl
}
p
}

# Call this script like this:
# sed -n -f  
# This script searches for inetnums in the range 194.171.0.0/16
# and adds a MNT-IRT and "changed" to them.

Send your updated inetnum objects to the RIPE Database using your usual method(s).

The update itself can be one large e-mail containing all the updated inetnum objects. This e-mail, assumes you are using PGP as your authentication method, can be signed as a whole, it is not necessary to sign all the individual inetnum entries. Although the message size limit is fairly generous, you should try to keep the overall size of the e-mail to less than three megabytes.

Show or Hide answer How do I let my regular RIPE object-maintainer link INETNUM objects to my IRT object without my involvement?

Include the PGP authentication key of your RIPE object-maintainer in your IRT object. Looking at the irt-CERT-NL object you can see two "auth:" attributes are defined. They contain the authorisation keys used by the SN-LIR-MNT, which is the SURFnet maintainer object responsible for updating SURFnet inetnum objects. There is no security-risk involved: only the maintainer of your IRT object can modify your IRT object. What you do by adding the "auth:" attribute is giving another maintainer the right to link its inetnum objects to your irt object. Please read chapter 5. Authorisation checks of ripe-254, IRT Object in the RIPE Database for a precise definition of the authorisation checks in the IRT object.

irt:          irt-CERT-NL
address: p/a SURFnet bv
address: Postbus 19035
address: 3501 DA Utrecht
phone: +31 30 2305305
fax-no: +31 30 2305329
e-mail: cert-nl@surfnet.nl
signature: PGPKEY-A6D57ECE
encryption: PGPKEY-A6D57ECE
admin-c: SAM36-RIPE
tech-c: SAM36-RIPE
auth: PGPKEY-834125A1 <--------!first SN-LIR-MNT authorisation key
auth: PGPKEY-3D10C493 <--------!second SN-LIR-MNT authorisation key
remarks: CERT-NL is the Computer Emergency Response Team of SURFnet
remarks: This is a level 2 IRT (http://www.ti.terena.nl/teams/level2.html)
irt-nfy: cert-nl@SURFnet.nl
notify: info@SURFnet.nl
notify: tiirt@stelvio.nl
mnt-by: TRUSTED-INTRODUCER-MNT
changed: menno.pieters@stelvio.nl 20020305
source: RIPE

mntner: SN-LIR-MNT
descr: SURFnet LIR Maintainer
admin-c: SAM36-RIPE
tech-c: SNS1-RIPE
upd-to: info@surfnet.nl
auth: PGPKEY-3D10C493 <--------!first SN-LIR-MNT authorisation key
auth: PGPKEY-834125A1 <--------!second SN-LIR-MNT authorisation key
notify: info@surfnet.nl
mnt-by: AS1103-MNT
referral-by: RIPE-DBM-MNT
changed: Peter.Hinrich@SURFnet.nl 20000128
changed: Peter.Hinrich@SURFnet.nl 20000725
changed: Wim.Biemolt@SURFnet.nl 20020211
source: RIPE

mntner: TRUSTED-INTRODUCER-MNT
descr: Maintainer for Trusted Introducer Accredited CSIRT teams
admin-c: DS660-RIPE
tech-c: MP2890-RIPE
tech-c: GHB1-RIPE
upd-to: tiirt@s-cure.nl
mnt-nfy: tiirt@s-cure.nl
auth: PGPKEY-7F74D279
auth: PGPKEY-CD60C417
auth: PGPKEY-7111E05E
notify: ti@s-cure.nl
mnt-by: TRUSTED-INTRODUCER-MNT
referral-by: RIPE-DBM-MNT
changed: Menno.Pieters@Stelvio.nl 20020219
changed: Menno.Pieters@Stelvio.nl 20020305
changed: Menno.Pieters@Stelvio.nl 20021030
changed: Menno.Pieters@Stelvio.nl 20030122
changed: Menno.Pieters@Stelvio.nl 20030720
changed: Menno.Pieters@Stelvio.nl 20030909
source: RIPE

 

This document was first created by jan.meijer@surfnet.nl and is used with permission.