Proof of ownership for IP addresses
On 3 January 2011, RIPE NCC officially ushered in a new era in internet routing. 73 of RIPE's 7,000-odd members have already certified IP address blocks. The practice is intended to prevent future internet routing 'hijacks', but should also help prevent incorrect addressing. In practice, the latter is more frequently responsible for sites temporarily disappearing from the web than hacking.
Work on the Public Key Infrastructure (PKI) for securing routing has been ongoing for several years. Digital certificates should in future make it possible to check automatically whether entities announcing routes are entitled to do so. All five organisations responsible for allocating IP addresses originally agreed to launch their resource PKIs on 1st January 2011. While AfriNIC, LACNIC and RIPE NCC did launch on this date, APNIC has offered the service since last spring. 362 members from the Asia and the Pacific region are already using the service.
In the RIPE region, German, Czech and Swiss members have been quickest to jump on the RPKI bandwagon. Alongside major network operators such as KPN, Telia Sonera, Swisscom and Claranet, smaller providers, such as Mannheim-based 'Home of the Brave' and Bempflingen-based Nepustil, have been quick to obtain certificates. Bavarian company Netzknoten BayCIX is also among the pioneers, along with Brussels-based Keytrade Bank, Swiss Post and Luxembourg's VoIPgate.
The North American registry, ARIN, is the only registry to have back-pedalled on the launch date, which it has now rescheduled for the second quarter of this year, due to the need for additional security measures. It is striking that it is the US registry which is delaying implementation, since the US is a major sponsor of this technology, standardised by the Internet Engineering Task Force (IETF). In an interview with US journalist Carolyn Duffy, Doug Maughan, director of the Cybersecurity Division within the DHS' Science and Technology Directorate, stated that there is a drive to require government agencies to use Resource Public Key Infrastructure (RPKI) for IP resources. He added that the Department of Homeland Security is planning to spend $3 million a year on developing RPKI and a more secure version of the BGP routing protocol.
The National Institute of Standards and Technology (NIST) has already taken part in test certification and will in future be able to certify its own resources. According to Alex Band of RIPE NCC, the test involved checking early validation tools.
(by Monika Ermert)
(Monika Ermert / crve)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
