IRT Object in the RIPE Database Andrew Cormack Don Stikvoort Wilfried Woeber Andrei Robachevsky Document ID: ripe-254 Date: 19 July 2002 -------------------------------------------------------------------------------- Abstract This document describes the irt object and related functionality in the RIPE Database. The irt object is used to provide information about a Computer Security Incident Response Team (CSIRT). This document also describes the creation procedure for the irt object. -------------------------------------------------------------------------------- Table of Contents 1. Motivation 2. Object template 3. New attributes 4. Referencing an irt object 5. Authorisation checks 6. Notifications 7. New query functionality 8. Creation procedure 8.1 Member teams 8.2 Independent teams 9. Some recommendations on using irt object 10 Usage examples 11. Future applications 12. References 13. Acknowledgement 1. Motivation When a computer/network security incident happens, such as DOS (Denial of Service) or spam attack, or other abuse of services, it is important to know whom to contact. The RIPE Database provides the facility to get administrative and technical contacts for a network where the attack came from by a simple IP lookup. In many cases such incidents are handled by CSIRTs whose contacts are different from those listed in "admin-c:" and "tech-c:" attributes. Unfortunately there is no easy way to identify which CSIRT is serving any given IP address. Also, presenting additional information, such as public certificates of a CSIRT, and query functionality that allows to search for the responsible team would facilitate prompt incident handling. 2. Object template irt: [mandatory] [single] [primary/lookup key] remarks: [optional] [multiple] [ ] address: [mandatory] [multiple] [ ] phone: [optional] [multiple] [ ] fax-no: [optional] [multiple] [ ] e-mail: [mandatory] [multiple] [lookup key] signature: [mandatory] [multiple] [ ] encryption: [mandatory] [multiple] [ ] admin-c: [mandatory] [multiple] [inverse key] tech-c: [mandatory] [multiple] [inverse key] auth: [mandatory] [multiple] [ ] irt-nfy: [optional] [multiple] [inverse key] notify: [optional] [multiple] [inverse key] mnt-by: [mandatory] [multiple] [inverse key] changed: [mandatory] [multiple] [ ] source: [mandatory] [single] [ ] 3. New attributes "irt:" Specifies the name of the irt object. The name should start with the prefix "IRT-", reserved for this type of object. An irt name is made up of letters, digits, the character underscore "_", and the character hyphen "-"; it must start with "irt-", and the last character of a name must be a letter or a digit. "signature:" References a key-cert object representing a CSIRT public key used by the team to sign their correspondence. The value of this attribute has the format: PGPKEY-, where is the PGP key ID of the public key in 8-digit hexadecimal format without "0x" prefix. "encryption:" References a key-cert object representing a CSIRT public key used to encrypt correspondence sent to the CSIRT. The value of this attribute has the format: PGPKEY-, where is the PGP key ID of the public key in 8-digit hexadecimal format without "0x" prefix. "irt-nfy:" Specifies the e-mail address to be notified when a reference to the irt object is added or removed. An e-mail address as defined in RFC 2822. "mnt-irt:" May appear in an inetnum or inet6num object. It points to an existing irt object representing CSIRT that handles security incidents for the address space specified by the inetnum or inet6num object. The value of this attribute is the name of the irt object. Please see section "Referencing an irt object" for details. Please refer to the RIPE Database Reference Manual [1] for the description of other attributes. 4. Referencing an irt object An irt object can be referenced from an inetnum or inet6num object by using the optional "mnt-irt:" attribute, which can appear multiple times in the object. The value of this attribute is the name of an irt object. Please see section "Usage Examples" for details. 5. Authorisation checks When modifying an irt object the update should pass authorisation checks specified by one of the mntners listed in "mnt-by:" attributes of the irt object. When adding a reference to an irt object the update of an inet[6]num should pass the following authorisation checks: from the irt object itself as specified in one of the "auth:" attribute from any of the mntner objects that protect the inet[6]num object (i.e. referenced using "mnt-by:" attribute). 6. Notifications Whenever a reference to an irt object is added to an inet[6]num object or removed from it, a notification about this event is sent to e-mail address specified in the "irt-nfy:" attribute of the referenced irt object. This facility may be useful for tracking purposes. All other notification rules apply too. Please see [1] for the description of the RIPE Database Notifications. 7. New query functionality As was already mentioned, in many cases administrative contacts for a network may differ from a CSIRT. Also a CSIRT may be responsible for several networks within a specific address range. For example, a large ISP may have a CSIRT that handles incidents in all clients' networks. It is desirable to put the reference to an irt object only from the inetnum (inet6num) encompassing the clients' networks. The new query functionality allows searching for an inetnum object that contains the reference to an irt object representing CSIRT responsible for a given address or address range. It is implemented with a new '-c' flag that modifies the behaviour of a normal ip lookup, so that the Database will return the smallest less specific inetnum (inet6num) object containing the reference to an irt object. The result of this lookup is an inet[6]num object and referenced contacts, if name recursion is not disabled (-r flag). It does not contain the referenced irt object, nor contact information about the team. 8. Creation procedure An irt object is created manually by the RIPE Database Administration. There are two main categories of CSIRTs: A CSIRT that is a member of a recognised and trusted body within the CSIRT community. An independent CSIRT. It may also be a CSIRT from category 1 willing to be registered as independent. The creation procedure is different for these two cases. We will consider each of them below. It is important to stress here that existence of an irt object in the Database does not prove authenticity and credibility of the team. A stand-alone irt object has little meaning, the actual meaning emerges when a reference to the object is made. The role of the above described creation process is to help maintain a high quality of information in the database in this area. However, it is up to a consumer to verify the team's authenticity and credibility. 8.1. Member teams There are several consortiums that provide a framework for formation and coordination of incidence response teams. Trusted Introducer [2] and FIRST [3] are examples of such consortiums. It is expected that such forums maintain their own procedures regarding CSIRTs, like authentication of teams, maintaining contact information up to date, etc, and use the RIPE Database to publish this information as irt objects. Therefore such forums register themselves with the Database Administration to become a single point of contact for creation of the irt objects in the Database. General guidelines here are (but alterations are possible): The consortium is responsible for correctness of the information presented in irt object. Therefore such objects are protected by the mntner held by the consortium. The mntner should use the strongest authorisation scheme available in the RIPE Database. Please refer to [1] for more information. The mntner name may be recognised by incident tracing tools and used to present affiliation of an IRT to the consortium. Details of such functionality are outside the scope of this document. The creation request comes from the registered contact signed by a public PGP key of the consortium. The Database Administration verifies the signature and creates the object in the database. All other irt related database transactions, such as modifying or deleting an irt, referencing an irt from inetnum or inet6num objects do not require Database Administration intervention. They are controlled by security features of the database system. Please see section "Authorisation checks" above. 8.2. Independent teams There may be cases when a CSIRT do not belong to any particular forum, or would like to register themselves independently. In such cases the following criteria must be satisfied: The creation request comes from the admin-c contact of the irt object. The request is authenticated by an existing mntner, referenced by the object. The need to create an irt object cannot be the reason for mntner creation. The keys referenced by the irt are in the database, the key owner shows affinity to the irt. The reason for creation is presented along with the timeline for deployment (i.e. referencing the object from where and when). 9. Some recommendations on using irt object The keys in the "signature" attribute(s) are used to authenticate correspondence from a CSIRT. It is recommended that the Team key comes first. It is important to maintain the security of the irt object itself. The security level is determined by the security level of the weakest mntner referenced by the irt in its "mnt-by:" attributes. It is wise to ensure that the mntner(s) are using the strongest possible authentication scheme (currently, PGPKEY). Please refer to [1] for further information. The mntner[s] should be under trusted control (e.g. TI) or full control of the CSIRT. Addition of a reference to an irt object representing a CSIRT means taking responsibility of the team over the address range specified by the inet[6]num object. This responsibility may be taken over by an irt object referenced from a more specific inet[6]num object. The "irt-nfy:" attribute may be used to specify an e-mail address that will be used for tracking additions or removals of references to the irt object. 10. Usage examples Consider the following irt object: irt: IRT-TEST remarks: This one should not be trusted address: Same address, 1234 phone: +31 20 0000000 fax-no: +31 20 0000001 e-mail: csirt@example.net signature: PGPKEY-FFFFFFFF encryption: PGPKEY-FFFFFFFF admin-c: DPO1-RIPE tech-c: DPO1-RIPE auth: PGPKEY-00000000 irt-nfy: csirt-log@example.net notify: csirt-log@example.net mnt-by: TEST-MNT changed: ripe-dbm@ripe.net 20020117 source: TEST Now consider the following address space hierarchy registered in the RIPE Database (only relevant fields are shown): inetnum: 172.16.0.0 - 172.31.255.255 source: TEST inetnum: 172.18.0.0 - 172.25.255.255 mnt-irt: IRT-TEST source: TEST inetnum: 172.18.10.0 - 172.18.10.255 source: TEST The second inetnum object references the irt object (IRT-TEST). This implies that the CSIRT team represented by that object handles security incidents related to the address space covered by that inetnum object. Please note that if a more specific inetnum object references another irt object, that team takes over responsibility. If one makes the following query: whois -c 172.18.10.12 the following inetnum will be returned in response: inetnum: 172.18.0.0 - 172.25.255.255 mnt-irt: IRT-TEST source: TEST 11. Future applications A utility could be developed that will accept IP numbers and yield the corresponding CSIRT as deduced from the RIPE Database CSIRT object space, including maintainer info. The latter offers the opportunity to visualize value added information, like e.g. the fact that CSIRT has a Trusted Introducer accreditation. 12. References [1] RIPE Database Reference Manual [2] Trusted Introducer. www.ti.terena.nl [3] FIRST www.first.org 13. Acknowledgment: The initial version of this document was produced by Andrew Cormack (JANET-CERT), Don Stikvoort (M&I/Stelvio b.v.), Wilfried Woeber (UniVie/ACOnet), and Andrei Robachevsky (RIPE NCC).