From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc2725.txt | 2299 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 2299 insertions(+) create mode 100644 doc/rfc/rfc2725.txt (limited to 'doc/rfc/rfc2725.txt') diff --git a/doc/rfc/rfc2725.txt b/doc/rfc/rfc2725.txt new file mode 100644 index 0000000..fe952f2 --- /dev/null +++ b/doc/rfc/rfc2725.txt @@ -0,0 +1,2299 @@ + + + + + + +Network Working Group C. Villamizar +Request for Comments: 2725 Avici +Category: Standards Track C. Alaettinoglu + ISI + D. Meyer + Cisco + S. Murphy + TIS + December 1999 + + + Routing Policy System Security + +Status of this Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (1999). All Rights Reserved. + +Abstract + + The RIPE database specifications and RPSL language define languages + used as the basis for representing information in a routing policy + system. A repository for routing policy system information is known + as a routing registry. A routing registry provides a means of + exchanging information needed to address many issues of importance to + the operation of the Internet. The implementation and deployment of + a routing policy system must maintain some degree of integrity to be + of any operational use. This document addresses the need to assure + integrity of the data by providing an authentication and + authorization model. + + + + + + + + + + + + + + +Villamizar, et al. Standards Track [Page 1] + +RFC 2725 Routing Policy System Security December 1999 + + +Table of Contents + + 1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2 Background . . . . . . . . . . . . . . . . . . . . . . . . 3 + 3 Implicit Policy Assumptions . . . . . . . . . . . . . . . . 5 + 4 Scope of Security Coverage . . . . . . . . . . . . . . . . 5 + 5 Organization of this Document . . . . . . . . . . . . . . 6 + 6 Goals and Requirements . . . . . . . . . . . . . . . . . . 6 + 7 Data Representation . . . . . . . . . . . . . . . . . . . . 10 + 8 Authentication Model . . . . . . . . . . . . . . . . . . . 10 + 9 Authorization Model . . . . . . . . . . . . . . . . . . . . 12 + 9.1 Maintainer Objects . . . . . . . . . . . . . . . . . . 12 + 9.2 as-block and aut-num objects . . . . . . . . . . . . . 13 + 9.3 inetnum objects . . . . . . . . . . . . . . . . . . . 13 + 9.4 route objects . . . . . . . . . . . . . . . . . . . . 14 + 9.5 reclaim and no-reclaim attributes . . . . . . . . . . 14 + 9.6 Other Objects . . . . . . . . . . . . . . . . . . . . 15 + 9.7 Objects with AS Hierarchical Names . . . . . . . . . . 16 + 9.8 Query Processing . . . . . . . . . . . . . . . . . . . 16 + 9.9 Adding to the Database . . . . . . . . . . . . . . . . 17 + 9.10 Modifying or Deleting Database Objects . . . . . . . . 19 + 10 Data Format Summaries . . . . . . . . . . . . . . . . . . 20 + 10.1 Changes to the RIPE/RPSL Schema . . . . . . . . . . . 20 + Appendicies + A Core and Non-Core Functionality . . . . . . . . . . . . . . 23 + B Examples . . . . . . . . . . . . . . . . . . . . . . . . . 23 + C Technical Discussion . . . . . . . . . . . . . . . . . . . 26 + C.1 Relaxing requirements for ease of registry . . . . . 27 + C.2 The address lending issue . . . . . . . . . . . . . . 28 + C.3 Dealing with non-conformant or questionable older + data . . . . . . . . . . . . . . . . . . . . . . . . . 29 + D Common Operational Cases . . . . . . . . . . . . . . . . . 30 + D.1 simple hierarchical address allocation and route + allocation . . . . . . . . . . . . . . . . . . . . . . 31 + D.2 aggregation and multihomed more specific routes . . . 32 + D.3 provider independent addresses and multiple origin + AS . . . . . . . . . . . . . . . . . . . . . . . . . . 32 + D.4 change in Internet service provider . . . . . . . . . 32 + D.5 renumbering grace periods . . . . . . . . . . . . . . 32 + E Deployment Considerations . . . . . . . . . . . . . . . . . 33 + F Route Object Authorization Pseudocode . . . . . . . . . . . 35 + Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 37 + Intellectual Property Notice . . . . . . . . . . . . . . . . . 38 + References . . . . . . . . . . . . . . . . . . . . . . . . . . 38 + Security Considerations . . . . . . . . . . . . . . . . . . . 40 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 40 + Full Copyright Statement . . . . . . . . . . . . . . . . . . 41 + + + + +Villamizar, et al. Standards Track [Page 2] + +RFC 2725 Routing Policy System Security December 1999 + + +1 Overview + + The Internet Routing Registry (IRR) has evolved to meet a need for + Internet-wide coordination. This need was described in RFC-1787, an + informational RFC prepared on behalf of the IAB [14]. The following + summary appears in Section 7 of RFC-1787. + + While ensuring Internet-wide coordination may be more and more + difficult, as the Internet continues to grow, stability and + consistency of the Internet-wide routing could significantly + benefit if the information about routing requirements of various + organizations could be shared across organizational boundaries. + Such information could be used in a wide variety of situations + ranging from troubleshooting to detecting and eliminating + conflicting routing requirements. The scale of the Internet + implies that the information should be distributed. Work is + currently underway to establish depositories of this information + (Routing Registries), as well as to develop tools that analyze, as + well as utilize this information. + + A routing registry must maintain some degree of integrity to be of + any use. The degree of integrity required depends on the usage of + the routing policy system. + + An initial intended usage of routing policy systems such as the RIPE + database had been in an advisory capacity, documenting the intended + routing policies for the purpose of debugging. In this role a very + weak form of authentication was deemed sufficient. + + The IRR is increasingly used for purposes that have a stronger + requirement for data integrity and security. This document addresses + issues of data integrity and security that is consistent with the + usage of the IRR and which avoids compromising data integrity and + security even if the IRR is distributed among less trusted + repositories. + +2 Background + + An early routing policy system used in the NSFNET, the policy routing + database (PRDB), provided a means of determining who was authorized + to announce specific prefixes to the NSFNET backbone. The need for a + policy database was recognized as far back as 1989 [6, 4]. By 1991 + the database was in place [5]. Authentication was accomplished by + requiring confirmation and was a manually intensive process. This + solved the problem for the NSFNET, but was oriented toward holding + the routing policy of a single organization. + + + + + +Villamizar, et al. Standards Track [Page 3] + +RFC 2725 Routing Policy System Security December 1999 + + + The problem since has become more difficult. New requirements have + emerged. + + 1. There is a need to represent the routing policies of many + organizations. + + 2. CIDR and overlapping prefixes and the increasing complexity of + routing policies and the needs of aggregation have introduced new + requirements. + + 3. There is a need to assure integrity of the data and delegate + authority for the data representing specifically allocated + resources to multiple persons or organizations. + + 4. There is a need to assure integrity of the data and distribute the + storage of data subsets to multiple repositories. + + The RIPE effort specificly focused on the first issue and needs of + the European community. Its predecessor, the PRDB, addressed the + needs of a single organization, the NSF. The RIPE database formats as + described in [2] were the basis of the original IRR. + + Routing protocols themselves provide no assurance that the + origination of a route is legitimate and can actually reach the + stated destination. The nature of CIDR allows more specific prefixes + to override less specific prefixes [9, 15, 8]. Even with signed + route origination, there is no way to determine if a more specific + prefix is legitimate and should override a less specific route + announcement without a means of determining who is authorized to + announce specific prefixes. Failing to do so places no assurance of + integrity of global routing information and leaves an opportunity for + a very effective form of denial of service attack. + + The Routing Policy System Language (RPSL) [1, 13] was a fairly + substantial evolutionary step in the data representation which was + largely targeted at addressing the second group of needs. The PRDB + accommodated CIDR in 1993 [12] and the RIPE database accommodated the + entry of CIDR prefixes from inception, but RPSL provides many needed + improvements including explicit support for aggregation. + + This document addresses the third group of needs identified above. + + While the current implementation supporting weak authentication + doesn't guarantee integrity of the data, it does provide extensive + mechanisms to make sure that all involved parties get notified when a + change is made to the database, whether the change was malicious or + intended. This provides inadequate protection against additions. + Since the software is increasingly used to configure the major parts + + + +Villamizar, et al. Standards Track [Page 4] + +RFC 2725 Routing Policy System Security December 1999 + + + of the Internet infrastructure, it is not considered to be adequate + anymore to know about and have the ability roll back unintended + changes. Therefore, more active security mechanisms need to be + developed to prevent such problems before they happen. + + A separate document will be needed to address the fourth group of + needs. + +3 Implicit Policy Assumptions + + The authorization model encodes certain policies for allocation of + address numbers, AS numbers, and for the announcement of routes. + Implicit to the authorization model is a very limited number of + policy assumptions. + + 1. Address numbers are allocated hierarchically. The IANA delegates + portions of the address space to the regional registries + (currently ARIN, APNIC and RIPE), which in turn delegate address + space to their members, who can assign addresses to their + customers. + + 2. AS numbers are allocated either singly or in small blocks by + registries. Registries are allocated blocks of AS numbers, + thereby making the allocation hierarchical. + + 3. Routes should only be announced with the consent of the holder of + the origin AS number of the announcement and with the consent of + the holder of the address space. + + 4. AS numbers and IP address registries may be different entities + from routing registries. + + For subsets of any of these three allocation spaces, network + addresses, AS numbers, and routes, these restrictions may be loosened + or disabled by specifying a very weak authorization method or an + authentication method of "none". However, even when no + authentication mechanism is used, all involved parties can be + notified about the changes that occurred through use of the existing + "notify" attribute. + +4 Scope of Security Coverage + + This document is intended only to provide an authentication and + authorization model to insure the integrity of the policy data in a + registry. Only authetication and authorization of additions, + deletions, and changes to the database are within the scope of this + document. Authentication and authorization of database queries is + + + + +Villamizar, et al. Standards Track [Page 5] + +RFC 2725 Routing Policy System Security December 1999 + + + explicitly out of scope. Mutual authentication of queries, that is + authenticating both the origin of the query and the repository from + which query results are obtained, is also out of scope. + +5 Organization of this Document + + Familiarity with RIPE-181 [2] and RPSL [1] is assumed throughout this + document. Goals are described in Section 6. Section 7 through + Section 9 provide descriptions of the changes and discussion. + Section 10 provides a concise summary of data formats and semantics. + Appendix C through Appendix E provide additional technical + discussion, examples, and deployment considerations. + + Goals and Requirements Section 6 provides a more detailed + description of the issues and identifies specific problems that + need to be solved, some of which require a degree of cooperation + in the Internet community. + + Data Representation Section 7 provides some characteristics of + RPSL and formats for external representations of information. + + Authentication Model Section 8 describes current practice, + proposes additional authentication methods, and describes the + extension mechanism if additional methods are needed in the + future. + + Authorization Model Section 9 describes the means of determining + whether a transaction contains the authorization needed to add, + modify, or delete specific data objects, based on stated + authentication requirements in related data objects. + + Data Format Summaries Section 10 provides a concise reference to + the data formats and steps in transaction processing. + + Technical Discussion Section C contains some discussion of + technical tradeoffs. + + Common Operational Cases Section D provides some examples drawn + from past operational experience with the IRR. + + Deployment Considerations Section E describes some deployment + issues and discusses possible means of resolution. + +6 Goals and Requirements + + The Internet is an open network. This openness and the large scale + of the Internet can present operational problems. Technical + weaknesses that allow misconfiguration or errant operation in part of + + + +Villamizar, et al. Standards Track [Page 6] + +RFC 2725 Routing Policy System Security December 1999 + + + the network to propagate globally or which provide potentials for + simple denial of service attacks should be eliminated to the extent + that it is practical. The integrity of routing information is + critical in assuring that traffic goes where it is supposed to. + + An accidental misconfiguration can direct traffic toward routers that + cannot reach a destination for which they are advertising + reachability. This is commonly caused by misconfigured static routes + though there are numerous other potential causes. Static routes are + often used to provide constant apparent reachability to single homed + destinations. Some of the largest ISPs literally have thousands of + static routes in their networks. These are often entered manually by + operators. Mistyping can divert traffic from a completely unrelated + destination to a router with no actual reachability to the advertised + destination. This can happen and does happen somewhat regularly. In + addition, implementation bugs or severe misconfigurations that result + in the loss of BGP AS path information or alteration of prefix length + can result in the advertisement of large sets of routes. Though + considerably more rare, on a few occasions where this has occurred + the results were catastrophic. + + Where there is the potential for an accidental misconfiguration in a + remote part of the Internet affecting the global Internet there is + also the potential for malice. For example, it has been demonstrated + by accident that multiple hour outages at a major institution can be + caused by a laptop and a dial account if proper precautions are not + taken. The dial account need not be with the same provider used by + the major institution. + + The potential for error is increased by the CIDR preference for more + specific routes [8]. If an institution advertises a single route of + a given length and a distant router advertises a more specific route + covering critical hosts, the more specific route, if accepted at all, + is preferred regardless of administrative weighting or any routing + protocol attributes. + + There is a need to provide some form of checks on whether a route + advertisement is valid. Today checks are typically made against the + border AS advertising the route. This prevents accepting routes from + the set of border AS that could not legitimately advertise the route. + Theses checks rely on the use of information registered in the IRR to + generate lists of prefixes that could be advertised by a specific + border AS. Checks can also be made against the origin AS. If policy + information were sufficiently populated, checks could be made against + the entire AS path, but this is not yet feasible. + + + + + + +Villamizar, et al. Standards Track [Page 7] + +RFC 2725 Routing Policy System Security December 1999 + + + The use of a routing registry can also make it more difficult for + prefixes to be used without authorization such as unallocated + prefixes or prefixes allocated to another party. + + In summary, some of the problems being addressed are: + + o Localizing the impact of accidental misconfiguration made by + Internet Providers to that provider's networks only. + + o Eliminating the potential for an Internet provider's customer to + use malicious misconfiguration of routing as a denial of service + attack if the provider route filters their customers. Localizing + the denial of service to that Internet provider only if the + immediate Internet service provider does not route filter their + customers but other providers route filter the route exchange at + the interprovider peering. + + o Eliminating the unauthorized use of address space. + + If the data within a routing registry is critical, then the ability + to change the data must be controlled. Centralized authorities can + provide control but centralization can lead to scaling problems (and + is politically distasteful). + + Address allocation and name allocation is already delegated. Since + delegation can be to outside registries it is at least somewhat + distributed [11]. Autonomous System (AS) numbers are allocated by + the same authorities. It makes sense to delegate the routing number + space in a manner similar to the address allocation and AS number + allocation. The need for this delegation of authority to numerous + registries increases the difficulty of maintaining the integrity of + the body of information as a whole. + + As a first step, the database can be somewhat centrally administered + with authority granted to many parties to change the information. + This is the case with the current IRR. There are a very small number + of well trusted repositories and a very large number of parties + authorized to make changes. Control must be exercised over who can + make changes and what changes they can make. The distinction of who + vs what separates authentication from authorization. + + o Authentication is the means to determine who is attempting to make + a change. + + o Authorization is the determination of whether a transaction + passing a specific authentication check is allowed to perform a + given operation. + + + + +Villamizar, et al. Standards Track [Page 8] + +RFC 2725 Routing Policy System Security December 1999 + + + Different portions of the database will require different methods of + authentication. Some applications will require authentication based + on strong encryption. In other cases software supporting strong + encryption may not be necessary or may not be legally available. For + this reason multiple authentication methods must be supported, + selected on a per object basis through the specification of + authentication methods in the maintainer object "auth" attribute. + The authentication methods may range from very weak data integrity + checks to cryptographicly strong signatures. The authorization model + must sure that the use of weak integrity checks in parts of the + database does not compromise the overall integrity of the database. + + Additional requirements are placed on the authorization model if the + database is widely distributed with delegations made to parties that + may not be trustworthy or whose security practices may be lacking. + This problem must be addressed in the authorization model in order to + enable later evolution to a more distributed routing registry. + + Autonomous system numbers can be delegated in blocks and subdelegated + as needed and then individual AS numbers assigned. Address + allocation is a simple numeric hierarchy. Route allocation is + somewhat more complicated. The key attributes in a route object (key + with regard to making it unique) contain both an address prefix and + an AS number, known as the origin AS. The addition of a route object + must be validated against the authorization criteria for both the AS + and the address prefix. Route objects may exist for the same prefix + with multiple origin AS values due to a common multihoming practice + that does not require a unique origin AS. There is often no + correlation between the origin AS of a prefix and the origin AS of + overlapping more specific prefixes. + + There are numerous operational cases that must be accommodated. Some + of the more common are listed below. These are explored in greater + detail in Appendix D with discussion of technical tradeoffs in + Appendix C. + + o simple hierarchical address allocation and route allocation + + o aggregation and multihomed more specific routes + + o provider independent addresses and multiple origin AS + + o changing Internet service providers + + o renumbering grace periods + + + + + + +Villamizar, et al. Standards Track [Page 9] + +RFC 2725 Routing Policy System Security December 1999 + + + The authorization model must accommodate a variety of policies + regarding the allocation of address space and cannot mandate the use + of any one model. There is no standardization of address allocation + policies though guidelines do exist [11, 16]. Whether authorization + allows the recovery of address space must be selectable on a per + object basis and may differ in parts of the database. This issue is + discussed further in Appendix C. + +7 Data Representation + + RPSL provides a complete description of the contents of a routing + repository [1]. Many RPSL data objects remain unchanged from the + RIPE specifications and RPSL references the RIPE-181 specification as + recorded in RFC-1786 [2]. RPSL provides external data + representation. Data may be stored differently internal to a routing + registry. + + Some database object types or database attributes must be added to + RPSL to record the delegation of authority and to improve the + authentication and authorization mechanisms. These additions are + very few and are described in Section 8 and Section 9. + + Some form of encapsulation must be used to exchange data. The + defacto encapsulation has been the one which the RIPE tools accept, a + plain text file or plain text in the body of an RFC-822 formatted + mail message with information needed for authentication derived from + the mail headers or the body of the message. Merit has slightly + modified this using the PGP signed portion of a plain text file or + PGP signed portion of the body of a mail message. These very simple + forms of encapsulation are suitable for the initial submission of a + database transaction. + + The encapsulation of registry transaction submissions, registry + queries and registry responses and exchanges between registries is + outside the scope of this document. The encapsulation of registry + transaction submissions and exchanges between registries is outside + the scope of this document. + +8 Authentication Model + + The maintainer objects serve as a container to hold authentication + filters. A reference to a maintainer within another object defines + authorization to perform operations on the object or on a set of + related objects. The maintainer is typically referenced by name in + mnt-by attributes of objects. Further details on the use of + maintainers are provided in Section 9.1. + + + + + +Villamizar, et al. Standards Track [Page 10] + +RFC 2725 Routing Policy System Security December 1999 + + + The maintainer contains one or more "auth" attributes. Each "auth" + attribute begins with a keyword identifying the authentication method + followed by the authentication information needed to enforce that + method. The PGPKEY method is slightly syntactically different in + that the method PGPKEY is a substring. + + Authentication methods currently supported include the following. + Note that pgp-from is being replaced by the pgpkey (see Section 10 + and [18]). + + mail-from This is a very weak authentication check and is + discouraged. The authentication information is a regular + expression over ASCII characters. The maintainer is authenticated + if the from or reply-to fields in RFC-822 mail headers are matched + by this regular expression. Since mail forgery is quite easy, + this is a very weak form of authentication. + + crypt-pw This is another weak form of authentication. The + authentication information is a fixed encrypted password in UNIX + crypt format. The maintainer is authenticated if the transaction + contains the clear text password of the maintainer. Since the + password is in clear text in transactions, it can be captured by + snooping. Since the encrypted form of the password is exposed, it + is subject to password guessing attacks. + + pgp-from This format is being replaced by the "pgpkey" so that the + public key certificate will be available to remote repositories. + This is Merit's PGP extension. The authentication information is + a signature identity pointing to an external public key ring. The + maintainer is authenticated if the transaction (currently PGP + signed portion of a mail message) is signed by the corresponding + private key. + + pgpkey This keyword takes the form "PGPKEY-hhhhhhhh", where + "hhhhhhhh" is the hex representation of the four byte id of the + PGP public key used for authentication. The public key + certificate is stored in a separate object as described in [18]. + + Repositories may elect to disallow the addition of "auth" attributes + specifying weaker forms of authentication and/or disallow their use + in local transaction submissions. Repositories are encouraged to + disallow the addition of "auth" attributes with the deprecated "pgp- + from" method. + + Any digital signature technique can in principle be used for + authentication. Transactions should be signed using multiple digital + signature techniques to allow repositories or mirrors that only use a + + + + +Villamizar, et al. Standards Track [Page 11] + +RFC 2725 Routing Policy System Security December 1999 + + + subset of the techniques to verify at least one of the signatures. + The selection of digital signature techniques is not within the scope + of this document. + +9 Authorization Model + + The authorization model must accommodate the requirements outlined in + Section 6. A key feature of the authorization model is the + recognition that authorization for the addition of certain types of + data objects must be derived from related data objects. + + With multiple repositories, objects not found in RPSL are needed to + control AS delegations and new attributes are needed in existing + objects to control subdelegation. The definition of RPSL objects + used to implement a distrubuted routing registry system is not within + the scope of this document. + +9.1 Maintainer Objects + + The maintainer objects serve as a container to hold authentication + filters. The authentication methods are described in Section 8. The + maintainer can be referenced by name in other objects, most notably + in the mnt-by attributes of those objects. + + Maintainers themselves contain mnt-by attributes. In some cases the + mnt-by in a maintainer will reference the maintainer itself. In this + case, authorization to modify the maintainer is provided to a + (usually very limited) set of identities. A good practice is to + create a maintainer containing a long list of identities authorized + to make specific types of changes but have the maintainer's mnt-by + attribute reference a far more restrictive maintainer more tightly + controlling changes to the maintainer object itself. + + The mnt-by attribute is mandatory in all objects. Some data already + exists without mnt-by attributes. A missing mnt-by attribute is + interpreted as the absence of any control over changes. This is + highly inadvisable and most repositories will no longer allow this. + + An additional maintainer reference can occur through a new attribute, + "mnt-routes", and is used in aut-num, inetnum and route objects. The + "mnt-routes" attribute is an extension to RPSL and is described in + detail in Section 10. + + A mnt-routes attribute in an aut-num object allows addition of route + objects with that AS number as the origin to the maintainers listed. + A mnt-routes attribute in an inetnum object allows addition of route + objects with exact matching or more specific prefixes. A mnt-routes + attribute in a route object allows addition of route objects with + + + +Villamizar, et al. Standards Track [Page 12] + +RFC 2725 Routing Policy System Security December 1999 + + + exact matching or more specific prefixes. A mnt-routes attribute + does not allow changes to the aut-num, inetnum, or route object where + it appears. A mnt-routes may optionally be constrained to only apply + to a subset of more specific routes. + + Where "mnt-routes" or "mnt-lower" are applicable, any maintainer + referenced in the "mnt-by" still apply. The set of applicable + maintainers for whatever check is being made is the union of the + "mnt-routes" or "mnt-lower" and the "mnt-by". For example, when + authorizing a route object software would look at "mnt-routes", if it + does not exist, look at "mnt-lower", if that does not exist look at + "mnt-by". + +9.2 as-block and aut-num objects + + An "as-block" object is needed to delegate a range of AS numbers to a + given repository. This is needed for authorization and it is needed + to avoid having to make an exhaustive search of all repositories to + find a specific AS. This search would not be an issue now but would + be if a more distributed routing repository is used. Distributed + registry issues are not within the scope of this document. + + The "as-block" object also makes it possible to separate AS number + allocation from registration of AS routing policy. + + as-block: AS1321 - AS1335 + + The "aut-num" describes the routing policy for an AS and is critical + for router configuration of that AS and for analysis performed by + another AS. For the purpose of this document it is sufficient to + consider the aut-num solely as a place holder identifying the + existence of an AS and providing a means to associate authorization + with that AS when adding "route" objects. + + The "as-block" object is proposed here solely as a means of recording + the delegation of blocks of AS numbers to alternate registries and in + doing so providing a means to direct queries and a means to support + hierarchical authorization across multiple repositories. + +9.3 inetnum objects + + The "inetnum" exists to support address allocation. For external + number registries, such as those using "[r]whoisd[++]" the "inet-num" + can serve as a secondary record that is added when an address + allocation is made in the authoritative database. Such records could + be added by a address registry such as ARIN as a courtesy to the + corresponding routing registry. + + + + +Villamizar, et al. Standards Track [Page 13] + +RFC 2725 Routing Policy System Security December 1999 + + + inetnum: 193.0.0.0 - 193.0.0.255 + source: IANA + +9.4 route objects + + Currently there are a quite few route objects in more than one + registry. Quite a few are registered with an origin AS for which + they have never been announced. There is a legitimate reason to be + in more than one origin AS. + + The "route" object is used to record routes which may appear in the + global routing table. Explicit support for aggregation is provided. + Route objects exist both for the configuration of routing information + filters used to isolate incidents of erroneous route announcements + (Section 6) and to support network problem diagnosis. + +9.5 reclaim and no-reclaim attributes + + A reclaim attribute is needed in as-block, inetnum and route objects. + The reclaim attribute allows a control to be retained over more + specific AS, IP address or route space by allowing modify and delete + privileges regardless of the mnt-by in the object itself. + + The reclaim attribute provides the means to enforce address lending. + It allows cleanup in cases where entities cease to exist or as a last + presort means to correct errors such as parties locking themselves + out of access to their own objects. To specify all more specific + objects the reclaim attribute value should be "ALL". To allow finer + control a set of prefixes can be specified. + + A no-reclaim attribute can be used to provide explicit exceptions. A + reclaim attribute can only be added to an existing object if the + addition of the reclaim attribute does not remove autonomy of + existing more specific objects that are covered by the new reclaim + attribute. + + 1. A reclaim attribute can be added to an existing object if there + are no existing exact matches or more specific objects overlapped + by the new reclaim attribute, or + + 2. if the submitter is listed in the maintainer pointed to by the + mnt-by of the objects which are overlapped, or + + 3. if any overlapped object is listed in a no-reclaim attribute in + the object where the reclaim is being added. + + + + + + +Villamizar, et al. Standards Track [Page 14] + +RFC 2725 Routing Policy System Security December 1999 + + + Similarly, a submitter may delete a no-reclaim attribute from an + object only when that submitter is the only maintainer listed in the + mnt-by attributes of any overlapped objects. If the submitter is not + listed in any of the maintainers pointed to by the mnt-by attributes + for one or more overlapped object, then the submitter is not + permitted to delete the no-reclaim attribute. + + If neither a reclaim or no-reclaim attribute is present, then more + specific objects of a given object cannot be modified by the + maintainer of the less specified object unless the maintainer is also + listed as a maintainer in the more specific object. However, the + addition of a new route or inetnum object must pass authentication of + the largest less specific prefix as part of the authentication check + described in Section 9.9. + + See Section 10 for a full description of the reclaim and no-reclaim + attributes. + +9.6 Other Objects + + Many of the RPSL ancillary objects have no natural hierarchy the way + AS numbers, Internet addresses and routes do have a numeric + hierarchy. Some examples are "maintainers", "people" and "role" + objects. For these objects, lack of any hierarchy leads to two + problems. + + 1. There is no hierarchy that can be exploited to direct queries to + alternate registries. At some point the query strategy of + searching all known registries becomes impractical. + + 2. There is no hierarchy on which authorizations of additions can be + based. + + The first problem can be addressed by considering the name space for + each of the ancillary objects to be unique only within the local + database and to use explicit references to an external repository + where needed. To specify an external repository reference, the + object key is preceded by the name of the repository and the + delimiter "::". For example a NIC handle may take the form + "RIPE::CO19". Currently there is a desire to keep NIC handles unique + so the naming convention of appending a dash and the repository name + is used. Prepending the repository name provides the unique name + space since an object in the RIPE database referencing "CO19" would + be interpreted as "RIPE::CO19" by default, but it would still be + possible to query or reference "IANA::CO19". There is no possibility + of accidentally forgetting to adhere to the conventions when making + an addition and the existing objects are accommodated, including + cases where name conflicts have already occurred. + + + +Villamizar, et al. Standards Track [Page 15] + +RFC 2725 Routing Policy System Security December 1999 + + + The second problem can be partially addressed by using a referral + system for the addition of maintainers and requiring that any other + object be submitted by a registered maintainer or by IANA. The + referral system would allow any existing maintainer to add another + maintainer. This can be used in parallel with the addition of other + object types to support the maintenance of those objects. For + example, when adding a subdomain to the "domain" hierarchy (in the + RIPE repository where domains are also handled), even when adding a + new domain to a relatively flat domain such as "com", there is + already a maintainer for the existing domain. The existing + maintainer can add the maintainer that will be needed for the new + domain in addition to adding the new domain and giving the new + maintainer the right to modify it. + + An organization gaining a presence on the Internet for the first time + would be given a maintainer. This maintainer may list a small number + of very trusted employees that are authorized to modify the + maintainer itself. The organization itself can then add another + maintainer listing a larger set of employees but listing the more + restrictive maintainer in the mnt-by attributes of the maintainers + themselves. The organization can then add people and role objects as + needed and any other objects as needed and as authorization permits. + +9.7 Objects with AS Hierarchical Names + + Many RPSL objects do not have a natural hierarchy of their own but + allow hierarchical names. Some examples are the object types "as- + set" and "route-set". An as-set may have a name corresponding to no + naming hierarchy such as "AS-Foo" or it may have a hierarchical name + of the form "AS1:AS-Bar". + + When a hierarchical name is not used, authorization for objects such + as "as-set" and "route-set" correspond to the rules for objects with + no hierarchy described in Section 9.6. + + If hierarchical names are used, then the addition of an object must + be authorized by the aut-num whose key is named by everything to the + left of the rightmost colon in the name of the object being added. + Authorization is determined by first using the mnt-lower maintainer + reference, or if absent, using the mnt-by reference. + +9.8 Query Processing + + A query may have to span multiple repositories. All queries should + be directed toward a local repository which may mirror the root + repository and others. Currently each IRR repository mirrors all + other repositories. In this way, the query may be answered by the + local repository but draw data from others. + + + +Villamizar, et al. Standards Track [Page 16] + +RFC 2725 Routing Policy System Security December 1999 + + + The mechanism below when applied to multiple repositories assumes the + existence of an attribute for traversal of the repositories. The + definition of this attribute is considered a distributed registry + issue and is out of scope of this document. + + For object types that have a natural hierarchy, such as aut-num, + inet-num, and route, the search begins at the root database and + follows the hierarchy. For objects types that have no natural + hierarchy, such as maintainer, person, and role objects, the search + is confined to a default database unless a database is specified. + The default database is the same database as an object from which a + reference is made if the query is launched through the need to follow + a reference. Otherwise the default is generally the local database or + a default set by the repository. The default can be specified in the + query itself as described in Section 9.7. + + In the absense of attributes to traverse multiple registries a search + of all repositories is needed. With such attributes the search would + proceed as follows. In searching for an AS, the delegation attribute + in AS blocks can be consulted, moving the search to data from other + repositories. Eventually the AS is either found or the search fails. + The search for an inetnum is similar. Less specific inetnums may + refer the search to other databases. Eventually the most specific + inetnum is found and its status (assigned or not assigned) can be + determined. The definition of attributes for traversal of + repositories is considered a distrbiuted registry issue and is not + within the scope of this document. + + The search for a route in the presence of attributes for the + traversal of multiple registries is similar except the search may + branch to more than one repository. The most specific route in one + repository may be more specific than the most specific in another. + In looking for a route object it makes sense to return the most + specific route that is not more specific than the query requests + regardless of which repository that route is in rather than return + one route from each repository that contains a less specific overlap. + +9.9 Adding to the Database + + The mechanism below when applied to multiple repositories assumes the + existence of an attribute for traversal of the repositories. The + definition of this attribute is considered a distributed registry + issue and is out of scope of this document. + + The root repository must be initially populated at some epoch with a + few entries. An initial maintainer is needed to add more + maintainers. The referral-by attribute can be set to refer to itself + in this special case (Section 10 describes the referral-by). When + + + +Villamizar, et al. Standards Track [Page 17] + +RFC 2725 Routing Policy System Security December 1999 + + + adding an inetnum or a route object an existing exact match or a less + specific overlap must exist. A route object may be added based on an + exact match or a less specific inetnum. The root repository must be + initially populated with the allocation of an inetnum covering the + prefix 0/0, indicating that some address allocation authority exists. + Similarly an initial as-block is needed covering the full AS number + range. + + When adding an object with no natural hierarchy, the search for an + existing object follows the procedure outlined in Section 9.8. + + When adding an aut-num (an AS), the same procedure used in a query is + used to determine the appropriate repository for the addition and to + determine which maintainer applies. The sequence of AS-block objects + and repository delegations is followed. If the aut-num does not + exist, then the submission must match the authentication specified in + the maintainer for the most specific AS-block in order to be added. + + The procedure for adding an inetnum is similar. The sequence of + inet-num blocks is followed until the most specific is found. The + submission must match the authentication specified in the maintainer + for the most specific inetnum overlapping the addition. + + Adding a route object is somewhat more complicated. The route object + submission must satisfy two authentication criteria. It must match + the authentication specified in the aut-num and the authentication + specified in either a route object or if no applicable route object + is found, then an inetnum. + + An addition is submitted with an AS number and prefix as its key. If + the object already exists, then the submission is treated as a modify + (see Section 9.10). If the aut-num does not exist on a route add, + then the addition is rejected (see Section C for further discussion + of tradeoffs). If the aut-num exists then the submission is checked + against the applicable maintainer. A search is then done for the + prefix first looking for an exact match. If the search for an exact + match fails, a search is made for the longest prefix match that is + less specific than the prefix specified. If this search succeeds it + will return one or more route objects. The submission must match an + applicable maintainer in at least one of these route objects for the + addition to succeed. If the search for a route object fails, then a + search is performed for an inetnum that exactly matches the prefix or + for the most specific inetnum that is less specific than the route + object submission. The search for an inetnum should never fail but + it may return an unallocated or reserved range. The inetnum status + must be "allocated" and the submission must match the maintainer. + + + + + +Villamizar, et al. Standards Track [Page 18] + +RFC 2725 Routing Policy System Security December 1999 + + + Having found the AS and either a route object or inetnum, the + authorization is taken from these two objects. The applicable + maintainer object is any referenced by the mnt-routes attributes. If + one or more mnt-routes attributes are present in an object, the mnt- + by attributes are not considered. In the absence of a mnt-routes + attribute in a given object, the mnt-by attributes are used for that + object. The authentication must match one of the authorizations in + each of the two objects. + + If the addition of a route object or inetnum contains a reclaim + attribute, then any more specific objects of the same type must be + examined. The reclaim attribute can only be added if there are no + more specific overlaps or if the authentication on the addition is + present in the authorization of a less specific object that already + has a reclaim attribute covering the prefix range, or if the + authentication on the addition is authorized for the modification of + all existing more specific prefixes covered by the addition. + +9.10 Modifying or Deleting Database Objects + + When modifying or deleting any existing object a search for the + object is performed as described in Section 9.8. If the submission + matches an applicable maintainer for the object, then the operation + can proceed. An applicable maintainer for a modification is any + maintainer referenced by the mnt-by attribute in the object. For + route and inet-num objects an applicable maintainer may be listed in + a less specific object with a reclaim attribute. + + If the submission is for a route object, a search is done for all + less specific route objects and inetnums. If the submission is for + an inetnum, a search is done for all less specific inetnums. If the + submission fails the authorization in the object itself but matches + the reclaim attribute in any of the less specific objects, then the + operation can proceed. Section C contains discussion of the + rationale behind the use of the reclaim attribute. + + A modification to an inetnum object that adds a reclaim attribute or + removes a no-reclaim attribute must be checked against all existing + inetnums that are more specific. The same check of the reclaim + attribute that is made during addition must be made when a reclaim + attribute is added by a modification (see Section 9.9). + + A deletion is considered a special case of the modify operation. The + deleted object may remain in the database with a "deleted" attribute + in which case the mnt-by can still be consulted to remove the + "deleted" attribute. + + + + + +Villamizar, et al. Standards Track [Page 19] + +RFC 2725 Routing Policy System Security December 1999 + + +10 Data Format Summaries + + RIPE-181 [2] and RPSL [1] data is represented externally as ASCII + text. Objects consist of a set of attributes. Attributes are name + value pairs. A single attribute is represented as a single line with + the name followed by a colon followed by whitespace characters + (space, tab, or line continuation) and followed by the value. Within + a value all whitespace is equivalent to a single space. Line + continuation is supported by a backslash at the end of a line or the + following line beginning with whitespace. When transferred, + externally attributes are generally broken into shorter lines using + line continuation though this is not a requirement. An object is + externally represented as a series of attributes. Objects are + separated by blank lines. + + There are about 80 attribute types in the current RIPE schema and + about 15 object types. Some of the attributes are mandatory in + certain objects. Some attributes may appear multiple times. One or + more attributes may form a key. Some attributes or sets of + attributes may be required to be unique across all repositories. + Some of the attributes may reference a key field in an object type + and may be required to be a valid reference. Some attributes may be + used in inverse lookups. + + A review of the entire RIPE or RPSL schema would be too lengthy to + include here. Only the differences in the schema are described. + +10.1 Changes to the RIPE/RPSL Schema + + One new object type and several attributes are added to the RIPE/RPSL + schema. There are significant changes to the rules which determine + if the addition of an object is authorized. + + The new object type is listed below. The first attribute listed is + the key attribute and also serves as the name of the object type. + + as-block key mandatory single unique + descr optional multiple + remarks optional multiple + admin-c mandatory multiple + tech-c mandatory multiple + notify optional multiple + mnt-by mandatory multiple + changed mandatory multiple + source mandatory single + + + + + + +Villamizar, et al. Standards Track [Page 20] + +RFC 2725 Routing Policy System Security December 1999 + + + In the above object type only the key attribute "as-block" is new: + + as-block This attribute provides the AS number range for an "as- + block" object. The format is two AS numbers including the sub- + string "AS" separated by a "-" delimiter and optional whitespace + before and after the delimiter. + + In order to support stronger authentication, the following keywords + are added to the "auth" attribute: + + pgp-from The remainder of the attribute gives the string identifying + a PGP identity whose public key is held in an external keyring. + The use of this method is deprecated in favor of the "pgpkey" + method. + + pgpkey See [18]. + + In order to disable authentication and give permission to anyone, the + authentication method "none" is added. It has no arguments. + + An additional change is the "auth" attribute is allowed to exist in a + "person" or "role" object. The "auth" method "role" or "person" can + be used to refer to a role or person object and take the "auth" + fields from those objects. Care must be taken in implementations to + detect circular references and terminate expansion or the references + already visited. + + A few attributes are added to the schema. These are: + + mnt-routes The mnt-routes attribute may appear in an aut-num, inet- + num, or route object. This attribute references a maintainer + object which is used in determining authorization for the addition + of route objects. After the reference to the maintainer, an + optional list of prefix ranges (as defined in RPSL) inside of + curly braces or the keyword "ANY" may follow. The default, when + no additional set items are specified is "ANY" or all more + specifics. The mnt-routes attribute is optional and multiple. + See usage details in Section 9.1. + + mnt-lower The mnt-lower attribute may appear in an inetnum, route, + as-block or aut-num object. This attribute references a + maintainer object. When used in an inetnum or route object the + effect is the same as a "mnt-routes" but applies only to prefixes + more specific than the prefix of the object in which it is + contained. In an as block object, mnt-lower allows addition of + more specific as-block objects or aut-num objects. In an aut-num + + + + + +Villamizar, et al. Standards Track [Page 21] + +RFC 2725 Routing Policy System Security December 1999 + + + object the mnt-lower attribute specifies a maintainer that can be + used to add objects with hierarchical names as described in + Section 9.7. + + reclaim The reclaim attribute may appear in as-block, aut-num, + inet-num, or route objects. Any object of the same type below in + the hierarchy may be modified or deleted by the maintainer of the + object containing a reclaim attribute. The value of the attribute + is a set or range of objects of the same type where the syntax of + the set or range is as defined in RPSL. See Section 9.5 for + restrictions on adding reclaim attributes. + + no-reclaim The no-reclaim attribute is used with the reclaim + attribute. The no-reclaim attribute negates any reclaim attribute + it overlaps. See Section 9.5 for restrictions on deleting no- + reclaim attributes. + + referral-by This attribute is required in the maintainer object. It + may never be altered after the addition of the maintainer. This + attribute refers to the maintainer that created this maintainer. + It may be multiple if more than one signature appeared on the + transaction creating the object. + + auth-override An auth-override attribute can be added, deleted, or + changed by a transaction submitted by maintainer listed in the + referral-by. An auth-override can only be added to a maintainer + if that maintainer has been inactive for the prior 60 days. The + auth-override attribute itself contains only the date when the + attribute will go into effect which must be at least 60 days from + the current date unless there is already authorization to modify + the maintainer. After the date in the auth-override is reached, + those identified by the maintainer in the referral-by have + authorization to modify the maintainer. This attribute exists as + a means to clean up should the holder of a maintainer become + unresponsive and can only take effect if that maintainer does not + remove the auth-override in response to the automatic notification + that occurs on changes. + + The existing "mnt-by" attribute references the "maintainer" object + type. The "mnt-by" attribute is now mandatory in all object types. + A new maintainer may be added by any existing maintainer. The + "referral-by" attribute is now mandatory in the "maintainer" object + to keep a record of which maintainer made the addition and can never + be changed. Maintainers cannot be deleted as long as they are + referenced by a "referral-by" attribute elsewhere. + + + + + + +Villamizar, et al. Standards Track [Page 22] + +RFC 2725 Routing Policy System Security December 1999 + + +A Core and Non-Core Functionality + + Most of the objects and attributes described in this document are + essential to the authorization framework. These are referred to as + being part of the "core" functionality. A few attributes listed here + are considered "non-core". + + The "reclaim" and "no-reclaim" attributes are a convenience to + support flexibility in the implementation of address lending. + + The "auth-override" attribute is a convenience to facilitate recovery + in an environment where repository data is redistributed in any way. + + The "referal-by" attribute is a "core" feature. An individual + registry may express its sutonomy by creating a self-referencing + maintainer, one whose "referal-by" points to itslef. Other + registries can decide on a case by case basis whether to consider + such an entry valid. A registry may only allow the "referal-by" to + refer to a specific maintainer under the control of the registry. + This further restriction is an issue that is purely local to the + registry. + +B Examples + + The examples below leave out some required attributes that are not + needed to illustrate the use of the objects and attributes described + in this document. Missing are admin-c, tech-c, changed, source. + Also missing are attributes such as mnt-nfy, whose use are a good + practice but are not strictly required. + + To do anything at all a maintainer is needed. At some epoch a a + single maintainer is populated in one repository and that maintianer + has a referal-by pointing to itself. All others referal-by + references can be traced back to that maintainer. At the epoch the + as-block AS0- AS65535 and the inetnum 0.0.0.0-255.255.255.255 are + also allocated. Other ancilliary object may also be needed to + bootstrap. + + mntner: ROOT-MAINTAINER + auth: pgpkey-12345678 + + mnt-by: ROOT-MAINTAINER + referal-by: ROOT-MAINTAINER + + This root maintainer might add a top level maintainer for some + organization. + + + + + +Villamizar, et al. Standards Track [Page 23] + +RFC 2725 Routing Policy System Security December 1999 + + + mntner: WIZARDS + descr: High level Technical Folks + auth: pgpkey-23456789 + auth: pgpkey-3456789a + mnt-by: WIZARDS + referal-by: ROOT-MAINTAINER + + That maintainer might add another who have more limited capabilities. + + mntner: MORTALS + descr: Maintain day to day operations + auth: pgpkey-456789ab + auth: pgpkey-56789abc + auth: pgpkey-6789abcd + mnt-by: WIZARDS + referal-by: WIZARDS + + Note that the WIZARDS can change their own maintainer object and the + MORTALS maintainer object but MORTALS cannot. + + At some point an as-block is allocated and broken down. In the + example below, private number space is used. + + as-block: AS65500-AS65510 + mnt-by: SOME-REGISTRY + mnt-lower: WIZARDS + + Note that a registry has control over the object that they have + created representing the allocation, but have given the party to + which the allocation was made the ability to create more specific + objects. Below this as-block, an aut-num is added. Note that + import and export are normally required for a aut-num but are not + shown here. + + aut-num: AS65501 + mnt-by: WIZARDS + mnt-lower: MORTALS + + In aut-num above the WIZARDS maintainer can modify the aut-num + itself. The MORTALS maintainer can add route objects using this AS + as the origin if they also have authorization for the IP number space + in a less specific route or inetnum. + + + + + + + + + +Villamizar, et al. Standards Track [Page 24] + +RFC 2725 Routing Policy System Security December 1999 + + + We also need an inetnum allocation. In this example the inetnum is + allocated to a completely different organization. Again attributes + are omited which would normally be needed in an inetnum. + + inetnum: 192.168.144.0-192.168.151.255 + mnt-by: SOME-REGISTRY + mnt-lower: ISP + reclaim: ALL + + The maintainer ISP can add more specific inetnums or routes with this + address space. Note that the registry has declared their ability to + reclaim the address space. + + If ISP wished to reclaim all allocations but some suballocation of + theirs resisted, we might get something like the following in which + they will reclaim only the top half of an allocation (possibly if it + remains unused). + + inetnum: 192.168.144.0-192.168.147.255 + mnt-by: ISP + mnt-lower: EBG-COM + reclaim: 192.168.146/23+ + + If we assume that the maintainer EBG-COM and the maintainer MORTALS + want to add a route object, one way to do it is for both parties to + sign. If EBG-COM for some reason couldn't aggregate an allocate a + single top level route (which is inexcusable these days) or there was + a preference for some reason to avoid the joint signature approach on + a submission either party could give the other permission to make the + addition. A mnt-routes could be added to the aut-num or a mnt-lower + could be added to an inetnum. + + aut-num: AS65501 + mnt-by: WIZARDS + mnt-lower: MORTALS + mnt-routes: EBG-COM {192.168.144/23} + + With this change to the aut-num the maintainer EBG-COM could add a + route with origin AS65501, but only with a limited address range. + + route: 192.168.144/24 + origin: AS65501 + descr: These boneheads don't aggregate + mnt-by: EBG-COM + mnt-by: FICTION::MORTALS + + Note that while the maintainer EBG-COM added the object they allowed + the maintainer MORTALS the ability to modify it. + + + +Villamizar, et al. Standards Track [Page 25] + +RFC 2725 Routing Policy System Security December 1999 + + + If an object ended up in another repository, a single maintainer + could still be used. In the example above the notation + FICTION::MORTALS indicates that the route object is in a different + repository and rather than duplicate the maintainer, a reference is + made to the repository in which the MORTALS object resides. + + In the example below, a pair of route-sets are added and hierarchical + names are used. + + route-set: AS65501:Customers + mnt-by: WIZARDS + mnt-lower: MORTALS + + route-set: AS65501:Customers:EBG-COM + mnt-by: MORTALS + mnt-lower: EBG-COM + + Suppose in the 192.168.144/24 object above, only the EBG-COM + maintainer is listed. If EBG-COM goes bankrupt, no longer needs + address space, and stops responding, it could be difficult to delete + this object. The maintainer listed in the EBG-COM referral-by + attribute could be contacted. They could add a auth-override + attribute to the EBG-COM object. Later they could modify the EBG-COM + object and then any objects with EBG-COM in the mnt-by. + + mntner: EBG-COM + mnt-by: EBG-COM + auth-override: 19990401 + + The examples above stray significantly from realism. They do provide + simple illustrations of the usage of the objects type and attributes + described in this document and hopefully in doing some are of some + value. + +C Technical Discussion + + A few design tradeoffs exist. Some of these tradeoffs, the selected + solution, and the alternatives are discussed here. Some of the + issues are listed below. + + 1. Whether to err on the side of permissiveness and weaken + authorization controls or risk the possibility of erecting + barriers to registering information. + + 2. Whether to support enforcible address lending or provide the + smaller or end user with ultimate control over the registration of + the prefixes they are using. + + + + +Villamizar, et al. Standards Track [Page 26] + +RFC 2725 Routing Policy System Security December 1999 + + + 3. What to do with older objects that either don't conform to newer + requirements regarding minimum authorization, authentication, and + accountability, or are of questionable validity. + +C.1 Relaxing requirements for ease of registry + + If the requirement that an aut-num exists is relaxed, then it is + possible for anyone to make use of an unassigned AS number or make + use of an assigned AS number for which the aut-num has not been + entered. Placing requirements on the entry of aut-num presumes + cooperation of the Internet address allocation authority (if separate + from the routing registry). The address allocation authority must be + willing to field requests to populate skeleton aut-nums from the + party for which the allocation has been made. These aut-num must + include a reference to a maintainer. A request to the address + allocation authority must therefore include a reference to an + existing maintainer. + + The ability to add route objects is also tied to the existence of + less specific route objects or inetnums. The Internet address + allocation authority (if separate from the routing registry) must + also be willing to field requests to add inetnum records for the + party already allocated the address space. + + The Internet address allocation authority should also add inetnums + and aut-nums for new allocations. In order to do so, a maintainer + must exist. If a party is going to connect to the Internet, they can + get a maintainer by making a request to the Internet service provider + they will be connecting to. Once they have a maintainer they can + make a request for address space or an AS number. The maintainer can + contain a public key for a cryptographicly strong authorization + method or could contain a "crypt-key" or "mail-to" authorization + check if that is considered adequate by the registering party. + Furthermore an address allocation authority should verify that the + request for an AS number or for address space matches the + authorization criteria in the maintainer. + + Currently only the registries themselves may add maintainers. This + becomes a problem for the registry, particularly in verifying public + keys. This requirement is relaxed by allowing existing maintainers + to add maintainers. Unfortunately the accountability trail does not + exist for existing maintainers. The requirement then should be + relaxed such that existing maintainers may remain but only existing + maintainers that have a "referral-by" attribute can add maintainers. + The "referral-by" cannot be modified. This requirement can be + relaxed slightly so that a "referral-by" can be added to a maintainer + + + + + +Villamizar, et al. Standards Track [Page 27] + +RFC 2725 Routing Policy System Security December 1999 + + + by an existing maintainer with a "referral-by". This will allow the + accountability trail to be added to existing maintainers and these + maintainers can then add new maintainers. + + Verifying that a party is who they claim to be on initial addition, + is one of the problems that currently falls upon the AS number and + address registry. This problem is reduced by allowing existing + maintainers to add maintainers. This may actually make it easier to + get maintainers and therefore easier to register. The number + authority still must verify that the AS or address space is actually + needed by the party making a request. + + Authorization checks made during the addition of route objects that + refer to AS objects and inetnums strongly rely on the cooperation of + the Internet address allocation authorities. The number authorities + must register as-blocks, aut-nums, or inetnums as AS numbers or + address space is allocated. If only a subset of the number + authorities cooperate, then either an inetnum or as-block can be + created covering the space that registry allocates and essentially + requiring null allocation (for example a "crypt-pw" authentication + where the password is given in the remarks in the object or its + maintainer) or those obtaining addresses from that number authority + will have trouble registering in the routing registry. The + authorization model supports either option, though it would be + preferable if the number authorities cooperated and the issue never + surfaced in practice. + + The maintainer requirements can be relaxed slightly for existing + maintainers making it easier to register. Relaxing requirements on + other objects may defeat the authorization model, hence is not an + option. + +C.2 The address lending issue + + The issue of whether lending contracts should be enforcible is an + issue of who should ultimately be able to exercise control over + allocations of address space. The routing registry would be wise to + stay as neutral as possible with regard to disputes between third + parties. The "reclaim" and "no-reclaim" are designed to allow either + outcome to the decision as to whether the holder of a less specific + inetnum or route object can exercise control over suballocations in + the registry. The routing registry itself must decide whether to + retain control themselves and if so, should very clearly state under + what conditions the registry would intervene. A registry could even + go to the extreme of stating that they will intervene in such a + dispute only after the dispute has been resolved in court and a court + order has been issued. + + + + +Villamizar, et al. Standards Track [Page 28] + +RFC 2725 Routing Policy System Security December 1999 + + + When an allocation is made by a registry, the registry should keep a + "reclaim" attribute in the less specific object and make a strong + policy statement that the reclaim privilege will not be used except + under very clearly defined special circumstances (which at the very + minimum would include a court order). If the allocation is further + subdivided the party subdividing the allocation and the party + accepting the suballocation must decide whether a "reclaim" can be + kept by the holder of the less specific allocation or whether a "no- + reclaim" must be added transferring control to the holder of the more + specific. The registry is not involved in that decision. Different + pairs of third parties may reach different decisions regarding the + "reclaim" and any contractual restrictions on its use that may be + expressed outside of the registry in the form of a legal contract and + ultimately resolved by the courts in the event of a bitter dispute. + + By retaining "reclaim" rights the registry retains the ability to + abide by a court order. This may only truly become an issue in a + distributed registry environment where registries will be rechecking + the authorization of transactions made elsewhere and may fail to + process the attempt of another registry to abide by a court order by + overriding normal authorization to change the registry contents if a + reclaim is not present. + +C.3 Dealing with non-conformant or questionable older data + + Some of the newer requirements include requiring that all objects + reference a maintainer object responsible for the integrity of the + object and requiring accountability for the creation of maintainers + to be recorded in the maintainer objects so that accountability can + be traced back from an unresponsive maintainer. In the event that + contact information is absent or incorrect from objects and there is + any question regarding the validity of the objects, the maintainer + can be contacted. If the maintainer is unresponsive, the maintainer + that authorized the addition of that maintainer can be contacted to + either update the contact information on the maintainer or confirm + that the entity no longer exists or is no longer actively using the + Internet or the registry. + + Many route objects exist for which there are no maintainers and for + which inetnum and AS objects do not exist. Some contain the now + obsoleted guardian attribute rather than a mnt-by. + + It is not practical to unconditionally purge old data that does not + have maintainers or does not conform to the authorization hierarchy. + New additions must be required to conform to the new requirements + (otherwise the requirements are meaningless). New requirements can + be phased in by requiring modifications to conform to the new + requirements. + + + +Villamizar, et al. Standards Track [Page 29] + +RFC 2725 Routing Policy System Security December 1999 + + + A great deal of questionable data exists in the current registry. + The requirement that all objects have maintainers and the + requirements for improved accountability in the maintainers + themselves may make it easier to determine contact information even + where the objects are not updated to reflect contact information + changes. + + It is not unreasonable to require valid contact information on + existing data. A great deal of data appears to be unused, such as + route objects for which no announcement has been seen in many months + or years. An attempt should be made to contact the listed contacts + in the object, in the maintainer if there is one, then up the + maintainer referral-by chain if there is one, and using the number + registry or origin AS contact information if there is no maintainer + accountability trail to follow. Experience so far indicates that the + vast majority of deletions identified by comparing registered + prefixes against route dumps will be positively confirmed (allowing + the deletion) or there will be no response due to invalid contact + information (in many cases the IRR contact information points to + nsfnet-admin@merit.edu). + + By allowing the registry to modify (or delete) any objects which are + disconnected from the maintainer accountability trail, cleanup can be + made possible (though mail header forging could in many cases have + the same effect it is preferable to record the fact that the registry + itself made the cleanup). Similarly, a mechanism may be needed in + the future to allow the maintainer in the referral-by to override + maintainer privileges in a referred maintainer if all contacts have + become unresponsive for a maintainer. The referral-by maintainer is + allowed to add an "auth-override" attribute which becomes usable as + an "auth" within 60 days from the time of addition. The maintainer + themselves would be notified of the change and could remove the + "auth-override" attribute before it becomes effective and inquire as + to why it was added and correct whatever problem existed. This can + be supported immediately or added later if needed. + +D Common Operational Cases + + In principle, address allocation and route allocation should be + hierarchical with the hierarchy corresponding to the physical + topology. In practice, this is often not the case for numerous + reasons. The primary reasons are the topology is not strictly tree + structured and the topology can change. More specificly: + + + + + + + + +Villamizar, et al. Standards Track [Page 30] + +RFC 2725 Routing Policy System Security December 1999 + + + 1. The Internet topology is not strictly tree structured. + + o At the top level the network more closely resembles a + moderately dense mesh. + + o Near the bottom level many attachments to the Internet are + multi-homed to more than one Internet provider. + + 2. The Internet topology can and does change. + + o Many attachments switch providers to obtain better service or + terms. + + o Service providers may modify adjacencies to obtain better + transit service or terms. + + o Service providers may disappear completely scattering + attachments or they may merge. + + Renumbering is viewed as a practical means to maintain a strict + numeric hierarchy [16]. It is also acknowledged that renumbering + IPv4 networks can be difficult [16, 3, 17]. We examine first the + simple case where hierarchy still exists. We then examine the + operational cases where either initial topology is not tree + structured or cases where topology changes. + +D.1 simple hierarchical address allocation and route allocation + + This is the simplest case. Large ranges of inetnums are assigned to + address registries. These registries in turn assign smaller ranges + for direct use or to topologically large entities where allocations + according to topology can reduce the amount of routing information + needed (promote better route aggregation). + + AS objects are allocated as topology dictates the need for additional + AS [10]. Route objects can be registered by those with authorization + given by the AS and by the address owner. This is never an issue + where the maintainer of the AS and the inetnum are the same. Where + they differ, either the provider can give permission to add route + objects for their AS, or the party allocated the address space can + give the provider permission to add route objects for their address + space, or both parties can sign the transaction. Permission is + provided by adding to maintainer attributes. + + + + + + + + +Villamizar, et al. Standards Track [Page 31] + +RFC 2725 Routing Policy System Security December 1999 + + +D.2 aggregation and multihomed more specific routes + + Aggregation is normally not a problem if a provider is aggregating + address space allocated to the provider and then suballocated + internally and/or to customers. In fact, the provider would be + expected to do so. This is not a problem even if the route object + for the aggregation is added after the more specific route objects + since only less specific objects are considered. + + Aggregation is potentially a problem if a provider or a set of + providers plan to aggregate address space that was never explicitly + allocated as a block to those providers but rather remains the + allocation of a address registry. These large aggregations can be + expected to be uncommon, but relatively easily dealt with. + Superaggregates of this type will generally be formed by + topologically close entities who have also managed to draw adjacent + address allocations. In effect, the registry must give permission to + form such a superaggregate by either giving permission to do so in + the mnt-routes of an inetnum or by signing the submission along with + the other parties. + +D.3 provider independent addresses and multiple origin AS + + Provider independent addresses and multihoming arrangement using + multiple origin AS present a similar problem to multihoming. The + maintainer of the address space and the maintainer of the AS is not + the same. Permission can be granted using mnt-routes or multiple + signatures can appear on the submission. + +D.4 change in Internet service provider + + A change in Internet service providers is similar to multihoming. A + minor difference is that the AS for the more specific route will be + the AS of the new provider rather than the AS of the multihomed + customer. Permission can be granted using mnt-routes or multiple + signatures can appear on the submission. + +D.5 renumbering grace periods + + Renumbering grace periods allow a provider who wants to keep an + address allocation intact to allow a customer who has chosen to go to + another provider to renumber their network gradually and then return + the address space after renumbering is completed. The issue of + whether to require immediate renumbering or offer renumbering grace + periods and how long they should be or whether they should be + indefinite has been topic of bitter disputes. The authorization + model can support no renumbering grace period, a finite renumbering + + + + +Villamizar, et al. Standards Track [Page 32] + +RFC 2725 Routing Policy System Security December 1999 + + + grace period, or an indefinite renumbering grace period. The + "reclaim" attribute described in Section 9.1 provides a means to end + the grace period. + +E Deployment Considerations + + This section describes deployment considerations. The intention is + to raise issues and discuss approaches rather than to provide a + deployment plan. + + The use of routing registries is not yet universally accepted. There + still remain Internet providers who see no reason to provide the + added assurance of accurate routing information described in Section + 6. More accurately, these benefits are viewed as being insufficient + to justify the cost. This has been largely caused an inability of a + very major router vendor up until recently to handle prefix lists of + the size needed to specify routing policy on a per prefix basis. + + Another reason cited is that filtering on a prefix basis in an + environment where routing registry information is incomplete or + inaccurate can interfere with connectivity. + + There clearly is a critical mass issue with regard to the use of + routing registries. A minority of providers use the existing IRR to + filter on a per prefix basis. Another minority of providers do not + support the IRR and generally fail to register prefixes until + connectivity problems are reported. The majority of providers + register prefixes but do not implement strict prefix filtering. + + Deploying new authentication mechanisms has no adverse consequences. + This has been proven with Merit's deployment of PGP. + + In deploying new authorization mechanisms, a major issue is dealing + with existing data of very questionable origin. A very large number + of route objects refer to prefixes that have not been announced for + many years. Other route objects refer to prefixes that are no longer + announced with the origin AS that they are registered with (some were + incorrectly registered to start with). There are many causes for + this. + + 1. During the transition from the NSFNET PRDB to the RADB a large + number of prefixes were registered with an origin AS corresponding + to the border AS at which the NSFNET had once heard the route + announcements. The PRDB did not support origin AS, so border AS + was used. Many of these routes were no longer in use at the time + and are now routed with a submitter listed as "nsfnet- + admin@merit.edu". + + + + +Villamizar, et al. Standards Track [Page 33] + +RFC 2725 Routing Policy System Security December 1999 + + + 2. As CIDR was deployed, aggregates replaced previously separately + announced more specific prefixes. The route objects for the more + specific prefixes were never withdrawn from the routing + registries. + + 3. Some prefixes are simply no longer in use. Some networks have + been renumbered. Some network no longer exist. Often the routing + registry information is not withdrawn. + + 4. As provider AS adjacencies changed and as end customers switched + providers often the actual origin AS changed. This was often not + reflected by a change in the routing registry. + + Inaccuracies will continue to occur due to the reasons above, except + the first. The hierarchical authorization provides greater + accountability. In the event that the contacts for specific objects + become unresponsive traversal up the authorization hierarchy should + help identify the parties having previous provided authorization. + These contacts may still have sufficient authorization to perform the + necessary cleanup. This issue is discussed in Section C. + + A great deal of information is currently missing in the IRR. Quite a + few AS have no aut-num. Quite a lot of data has no maintainer and + the vast majority of maintainers use only the weakest of + authentication methods. Very little can be done by the registries to + correct this. The defaults in the cases of missing objects needed + for authorization has to be to make no authentication checks at all. + + The transition can be staged as follows: + + 1. Add and make use of stronger authorization models. + + 2. Make schema modifications necessary to support delegations. + + 3. Add delegation attributes needed for query traversal. + 4. Base query traversal on delegations rather than a search of all + known registries. + + 5. Obtain the cooperation of the address registries for the purpose + of populating the "inetnum" entries on an ongoing basis. + + 6. Add hierarchical authorization support for critical object types, + "aut-num", "inetnum" and "route". + + 7. Add the requirement that database object either be in use or have + valid contact information and if queries are made by the registry + a response from a contact indicating that the object serves a + purpose if it is not clear what its use is. + + + +Villamizar, et al. Standards Track [Page 34] + +RFC 2725 Routing Policy System Security December 1999 + + + 8. Begin to purge data which is clearly not in use and for which + there is no valid contact information or no response from the + contacts. + + Deployment of hierarchical authorization requires cooperation among + the existing routing registries. New code will have to be deployed. + In some cases minimal development resources are available and + substantial inertia exists due to the reliance on the current + repository and the need to avoid disruption. + + If hierarchical authorization of route objects depends on the + existence of address registration information, minimal cooperation of + the currently separate address registries is required. The extent of + the cooperation amounts to sending cryptographically signed + transactions from the address registry to the number registry as + address allocations are made or providing equivalent access to new + address allocations. + + Currently most registries return query results from all of the known + repositories using their mirrored copies. Cross registry + authorizations are not yet implemented. Minimal schema changes have + to be made to support the ability to delegate objects for which there + is an authorization hierarchy and to support queries and references + to other repositories. In the case of AS delegations, "as-block" + need to be created solely for the purpose of traversal. + +F Route Object Authorization Pseudocode + + The following list provides a brief review of basic concepts. + + 1. The route object submission must satisfy two authentication + criteria. It must match the authentication specified in the aut- + num and the authentication specified in either a route object or + if no applicable route object is found, then an inetnum. + + 2. When checking for prefix authorization, an exact route object + prefix match is checked for first. If there is not an exact match + then a longest prefix match that is less specific than the prefix + is searched for. If the route prefix search fails, then a search + is performed for an inetnum that exactly matches the prefix or for + the most specific inetnum that is less specific than the route + object submission. + + The search for an inetnum should never fail but it may return an + unallocated or reserved range. The inetnum status must be + "allocated" and the submission must pass it's maintainer + + + + + +Villamizar, et al. Standards Track [Page 35] + +RFC 2725 Routing Policy System Security December 1999 + + + authorization in order to get authorization from an inetnum. So + an unallocated or reserved range inetnum will cause the route + object submission to fail. + + 3. A route object must pass authorization from both the referenced + aut-num object and the route or inetnum object. Authorization + shall be tested using the maintainer(s) referenced in the "mnt- + routes" attribute(s) first. If that check fails, the "mnt-lower" + attributes are checked. If that check fails the "mnt-by" + attributes are used for the authorization check. + + 4. The "reclaim" attribute can appear in inetnum, route and as-block + objects and provides a means to support address lending. "reclaim" + gives authorization over more specific objects, regardless of the + "mnt-by" in the object. The value of a "reclaim" attribute can be + a list or set of objects to provide finer grain control. + + The "reclaim" attribute is important to this discussion since it + affects prefix/origin authentication when a new route object is + submitted. + + The "no-reclaim" attribute is used to provide explicit exceptions. + + The following pseudocode outlines the algorithm used to check for + proper authorization of a route object submission. + + Case #1. Route object add + (ie, no exact prefix/origin match exists). + + /* first check the aut-num authorization */ + + if ( the referenced aut-num object does not exist or + the aut-num authorization fails ) + authorization fails + + /* next we check for prefix authorization */ + + if ( a less specific route(s) with the longest prefix is found ) [ + if ( authorization does not pass for at least one of the less + specific route(s) ) + authorization fails + + /* now check for a "reclaim" attr */ + + if ( the object has a "reclaim" attribute ) [ + if ( no more-specifics exist + OR a less specific exists which passes + authorization and has a "reclaim" attribute + + + +Villamizar, et al. Standards Track [Page 36] + +RFC 2725 Routing Policy System Security December 1999 + + + OR all more specifics routess pass modify authorization ) + authorization passes + else + authorization fails + ] else + authorization passes + ] + + /* there are no less specific routes to check for prefix + authentication, so we need to try and get authorization from an + inetnum object */ + + if ( ( an inetnum is found that is an exact match + OR is less specific and it's status is "allocated" ) + AND a maintainer referenced by the inetnum + passes authorization ) + authorization succeeds + + /* if there is no inetnum or route object then then + authorization fails. This should never happen if + the DB is initialized properly. */ + + authorization fails. + + Case #2. Route object modify/delete + (ie, exact prefix/origin match exists). + + if ( the mnt-by passes authorization ) + authorization succeeds + + /* if the authorization did not pass from the matched object, + we can still get authorization from a less specific route if it + has a "reclaim" attribute and we pass authorization */ + + if ( a less specific route or inetnum object passes authorization + AND has a "reclaim" attribute applicable to + the object to be modified ) + authorization succeeds + else + authorization fails + +Acknowledgments + + This document draws ideas from numerous discussions and contributions + of the IETF Routing Policy System Work Group and RIPE Routing Work + Group. Earlier drafts of this document listed Carol Orange as a co- + author. Carol Orange made contributions to this document while at + RIPE. + + + +Villamizar, et al. Standards Track [Page 37] + +RFC 2725 Routing Policy System Security December 1999 + + + Gerald Winters provided the pseudocode in an email message to the + RIPE dbsec mailing list that was the basis of the pseudocode found in + appendix F. Susan Harris provided comments and numerous editorial + corrections. + +Intellectual Property Notice + + The IETF takes no position regarding the validity or scope of any + intellectual property or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; neither does it represent that it + has made any effort to identify any such rights. Information on the + IETF's procedures with respect to rights in standards-track and + standards-related documentation can be found in BCP-11. Copies of + claims of rights made available for publication and any assurances of + licenses to be made available, or the result of an attempt made to + obtain a general license or permission for the use of such + proprietary rights by implementors or users of this specification can + be obtained from the IETF Secretariat. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights which may cover technology that may be required to practice + this standard. Please address the information to the IETF Executive + Director. + +References + + [1] Alaettinoglu, C., Bates, T., Gerich, E., Karrenberg, D., Meyer, + D., Terpstra M. and C. Villamizar, "Routing Policy + Specification Language (RPSL)", RFC 2280, January 1998. + + [2] Bates, T., Gerich, E., Joncheray, L., Jouanigot, J-M., + Karrenberg, D., Terpstra, M. and J. Yu, "Representation of IP + Routing Policies in a Routing Registry (ripe-81++)", RFC 1786, + March 1995. + + [3] Berkowitz, H., "Router Renumbering Guide", RFC 2072, January + 1997. + + [4] Braun, H-W., "Models of policy based routing", RFC 1104, June + 1989. + + [5] Braun, H-W. and Y. Rekhter, "Advancing the NSFNET routing + architecture", RFC 1222, May 1991. + + + + + +Villamizar, et al. Standards Track [Page 38] + +RFC 2725 Routing Policy System Security December 1999 + + + [6] Clark, D., "Policy routing in Internet protocols", RFC 1102, + May 1989. + + [7] Crocker, D., "Standard for the format of ARPA Internet text + messages", STD 11, RFC 822, August 1982. + + [8] Fuller, V., Li, T., Yu, J. and K. Varadhan, "Classless Inter- + Domain Routing (CIDR): an Address Assignment and Aggregation + Strategy", RFC 1519, September 1993. + + [9] Internet Engineering Steering Group and R. Hinden, + "Applicability Statement for the Implementation of Classless + Inter-Domain Routing (CIDR)", RFC 1517, September 1993. + + [10] Hawkinson, J. and T. Bates, "Guidelines for creation, + selection, and registration of an Autonomous System (AS)", RFC + 1930, March 1996. + + [11] Hubbard, K., Kosters, M., Conrad, D., Karrenberg, D. and J. + Postel, "Internet Registry IP Allocation Guidelines", BCP 12, + RFC 2050, November 1996. + + [12] Knopper, M. and S. Richardson, "Aggregation Support in the + NSFNET Policy-Based Routing Database", RFC 1482, June 1993. + + [13] Meyer, D., Prior, M., Alaettinoglu, C., Schmitz, J. and Carol + Orange, "Using RPSL in Practice", RFC 2650, August 1999. + + [14] Rekhter, Y., "Routing in a Multi-provider Internet", RFC 1787, + April 1995. + + [15] Rekhter Y. and T. Li, "An Architecture for IP Address + Allocation with CIDR", RFC 1518, September 1993. + + [16] Rekhter Y. and T. Li, "Implications of Various Address + Allocation Policies for Internet Routing", RFC 2008, October + 1996. + + [17] Rekhter, Y., Lothberg, P., Hinden, R., Deering, S. and J. + Postel, "An IPv6 Provider-Based Unicast Address Format", RFC + 2073, January 1997. + + [18] Zsako, J., "PGP Authentication for RIPE Database Updates", RFC + 2726, December 1999. + + + + + + + +Villamizar, et al. Standards Track [Page 39] + +RFC 2725 Routing Policy System Security December 1999 + + +Security Considerations + + This document primarily addresses authorization rules for making + additions, deletions, and changes to routing policy information + repositories. The authentication of these transactions through + strong cryptographic means are addressed by [18], referenced + thorughout this document. The authorization rules are designed such + that the integrity of any transaction can be verified independently + by any party mirroring a repository to insure that rules are adhered + to. To accomplish this the mirror must contain data already known to + be properly authorized. In other words, the mirror must be complete + and authentication and authorization checks must be made continuously + as changes to the repository are recieved and processed in order. + + Authentication alone does not provide a complete security model. + Current practice specifies authorization for deletions and changes + only, not for additions. The authorization rules provide here + complete the security model for additions, deletions, and changes by + very explicitly defining rules for addition and clarifying procedures + for handling exception cases such as organizations which have ceased + to exist and therefore become entirely unresponsive. + + Authentication and authorization of queries is explicitly stated to + be out of scope of this document. + +Authors' Addresses + + Curtis Villamizar + Avici Systems + EMail: curtis@avici.com + + + Cengiz Alaettinoglu + ISI + EMail: cengiz@ISI.EDU + + + David M. Meyer + Cisco + EMail: dmm@cisco.com + + + Sandy Murphy + Trusted Information Systems + EMail: sandy@tis.com + + + + + + +Villamizar, et al. Standards Track [Page 40] + +RFC 2725 Routing Policy System Security December 1999 + + +Full Copyright Statement + + Copyright (C) The Internet Society (1999). All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assigns. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + + + + + + + + + + + + + +Villamizar, et al. Standards Track [Page 41] + -- cgit v1.2.3