RFC2725: Routing Policy System Security

Download in PDF format Download in text format






Network Working Group                                      C. Villamizar
Request for Comments: 2725                                         Avici
Category: Standards Track                                C. Alaettinoglu
                                                                     ISI
                                                                D. Meyer
                                                                   Cisco
                                                               S. Murphy
                                                                     TIS
                                                           December 1999


                     Routing Policy System Security

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

Abstract

   The RIPE database specifications and RPSL language define languages
   used as the basis for representing information in a routing policy
   system.  A repository for routing policy system information is known
   as a routing registry.  A routing registry provides a means of
   exchanging information needed to address many issues of importance to
   the operation of the Internet.  The implementation and deployment of
   a routing policy system must maintain some degree of integrity to be
   of any operational use.  This document addresses the need to assure
   integrity of the data by providing an authentication and
   authorization model.














Villamizar, et al.          Standards Track                     [Page 1]

RFC 2725             Routing Policy System Security        December 1999


Table of Contents

   1  Overview  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2  Background  . . . . . . . . . . . . . . . . . . . . . . . .  3
   3  Implicit Policy Assumptions . . . . . . . . . . . . . . . .  5
   4  Scope of Security Coverage  . . . . . . . . . . . . . . . .  5
   5  Organization of this Document   . . . . . . . . . . . . . .  6
   6  Goals and Requirements  . . . . . . . . . . . . . . . . . .  6
   7  Data Representation . . . . . . . . . . . . . . . . . . . . 10
   8  Authentication Model  . . . . . . . . . . . . . . . . . . . 10
   9  Authorization Model . . . . . . . . . . . . . . . . . . . . 12
     9.1   Maintainer Objects . . . . . . . . . . . . . . . . . . 12
     9.2   as-block and aut-num objects . . . . . . . . . . . . . 13
     9.3   inetnum objects  . . . . . . . . . . . . . . . . . . . 13
     9.4   route objects  . . . . . . . . . . . . . . . . . . . . 14
     9.5   reclaim and no-reclaim attributes  . . . . . . . . . . 14
     9.6   Other Objects  . . . . . . . . . . . . . . . . . . . . 15
     9.7   Objects with AS Hierarchical Names . . . . . . . . . . 16
     9.8   Query Processing . . . . . . . . . . . . . . . . . . . 16
     9.9   Adding to the Database . . . . . . . . . . . . . . . . 17
     9.10  Modifying or Deleting Database Objects . . . . . . . . 19
   10  Data Format Summaries  . . . . . . . . . . . . . . . . . . 20
     10.1  Changes to the RIPE/RPSL Schema  . . . . . . . . . . . 20
   Appendicies
   A  Core and Non-Core Functionality . . . . . . . . . . . . . . 23
   B  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . 23
   C  Technical Discussion  . . . . . . . . . . . . . . . . . . . 26
     C.1   Relaxing requirements for ease of registry   . . . . . 27
     C.2   The address lending issue  . . . . . . . . . . . . . . 28
     C.3   Dealing with non-conformant or questionable older
           data . . . . . . . . . . . . . . . . . . . . . . . . . 29
   D  Common Operational Cases  . . . . . . . . . . . . . . . . . 30
     D.1   simple hierarchical address allocation and route
           allocation . . . . . . . . . . . . . . . . . . . . . . 31
     D.2   aggregation and multihomed more specific routes  . . . 32
     D.3   provider independent addresses and multiple origin
           AS . . . . . . . . . . . . . . . . . . . . . . . . . . 32
     D.4   change in Internet service provider  . . . . . . . . . 32
     D.5   renumbering grace periods  . . . . . . . . . . . . . . 32
   E  Deployment Considerations . . . . . . . . . . . . . . . . . 33
   F  Route Object Authorization Pseudocode . . . . . . . . . . . 35
   Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 37
   Intellectual Property Notice . . . . . . . . . . . . . . . . . 38
   References . . . . . . . . . . . . . . . . . . . . . . . . . . 38
   Security Considerations  . . . . . . . . . . . . . . . . . . . 40
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 40
   Full Copyright Statement   . . . . . . . . . . . . . . . . . . 41




Villamizar, et al.          Standards Track                     [Page 2]

RFC 2725             Routing Policy System Security        December 1999


1  Overview

   The Internet Routing Registry (IRR) has evolved to meet a need for
   Internet-wide coordination.  This need was described in RFC-1787, an
   informational RFC prepared on behalf of the IAB [14].  The following
   summary appears in Section 7 of RFC-1787.

      While ensuring Internet-wide coordination may be more and more
      difficult, as the Internet continues to grow, stability and
      consistency of the Internet-wide routing could significantly
      benefit if the information about routing requirements of various
      organizations could be shared across organizational boundaries.
      Such information could be used in a wide variety of situations
      ranging from troubleshooting to detecting and eliminating
      conflicting routing requirements.  The scale of the Internet
      implies that the information should be distributed.  Work is
      currently underway to establish depositories of this information
      (Routing Registries), as well as to develop tools that analyze, as
      well as utilize this information.

   A routing registry must maintain some degree of integrity to be of
   any use.  The degree of integrity required depends on the usage of
   the routing policy system.

   An initial intended usage of routing policy systems such as the RIPE
   database had been in an advisory capacity, documenting the intended
   routing policies for the purpose of debugging.  In this role a very
   weak form of authentication was deemed sufficient.

   The IRR is increasingly used for purposes that have a stronger
   requirement for data integrity and security.  This document addresses
   issues of data integrity and security that is consistent with the
   usage of the IRR and which avoids compromising data integrity and
   security even if the IRR is distributed among less trusted
   repositories.

2  Background

   An early routing policy system used in the NSFNET, the policy routing
   database (PRDB), provided a means of determining who was authorized
   to announce specific prefixes to the NSFNET backbone.  The need for a
   policy database was recognized as far back as 1989 [6, 4].  By 1991
   the database was in place [5].  Authentication was accomplished by
   requiring confirmation and was a manually intensive process.  This
   solved the problem for the NSFNET, but was oriented toward holding
   the routing policy of a single organization.





Villamizar, et al.          Standards Track                     [Page 3]

RFC 2725             Routing Policy System Security        December 1999


   The problem since has become more difficult.  New requirements have
   emerged.

   1. There is a need to represent the routing policies of many
      organizations.

   2. CIDR and overlapping prefixes and the increasing complexity of
      routing policies and the needs of aggregation have introduced new
      requirements.

   3. There is a need to assure integrity of the data and delegate
      authority for the data representing specifically allocated
      resources to multiple persons or organizations.

   4. There is a need to assure integrity of the data and distribute the
      storage of data subsets to multiple repositories.

   The RIPE effort specificly focused on the first issue and needs of
   the European community.  Its predecessor, the PRDB, addressed the
   needs of a single organization, the NSF. The RIPE database formats as
   described in [2] were the basis of the original IRR.

   Routing protocols themselves provide no assurance that the
   origination of a route is legitimate and can actually reach the
   stated destination.  The nature of CIDR allows more specific prefixes
   to override less specific prefixes [9, 15, 8].  Even with signed
   route origination, there is no way to determine if a more specific
   prefix is legitimate and should override a less specific route
   announcement without a means of determining who is authorized to
   announce specific prefixes.  Failing to do so places no assurance of
   integrity of global routing information and leaves an opportunity for
   a very effective form of denial of service attack.

   The Routing Policy System Language (RPSL) [1, 13] was a fairly
   substantial evolutionary step in the data representation which was
   largely targeted at addressing the second group of needs.  The PRDB
   accommodated CIDR in 1993 [12] and the RIPE database accommodated the
   entry of CIDR prefixes from inception, but RPSL provides many needed
   improvements including explicit support for aggregation.

   This document addresses the third group of needs identified above.

   While the current implementation supporting weak authentication
   doesn't guarantee integrity of the data, it does provide extensive
   mechanisms to make sure that all involved parties get notified when a
   change is made to the database, whether the change was malicious or
   intended.  This provides inadequate protection against additions.
   Since the software is increasingly used to configure the major parts



Villamizar, et al.          Standards Track                     [Page 4]

RFC 2725             Routing Policy System Security        December 1999


   of the Internet infrastructure, it is not considered to be adequate
   anymore to know about and have the ability roll back unintended
   changes.  Therefore, more active security mechanisms need to be
   developed to prevent such problems before they happen.

   A separate document will be needed to address the fourth group of
   needs.

3  Implicit Policy Assumptions

   The authorization model encodes certain policies for allocation of
   address numbers, AS numbers, and for the announcement of routes.
   Implicit to the authorization model is a very limited number of
   policy assumptions.

   1. Address numbers are allocated hierarchically.  The IANA delegates
      portions of the address space to the regional registries
      (currently ARIN, APNIC and RIPE), which in turn delegate address
      space to their members, who can assign addresses to their
      customers.

   2. AS numbers are allocated either singly or in small blocks by
      registries.  Registries are allocated blocks of AS numbers,
      thereby making the allocation hierarchical.

   3. Routes should only be announced with the consent of the holder of
      the origin AS number of the announcement and with the consent of
      the holder of the address space.

   4. AS numbers and IP address registries may be different entities
      from routing registries.

   For subsets of any of these three allocation spaces, network
   addresses, AS numbers, and routes, these restrictions may be loosened
   or disabled by specifying a very weak authorization method or an
   authentication method of "none".  However, even when no
   authentication mechanism is used, all involved parties can be
   notified about the changes that occurred through use of the existing
   "notify" attribute.

4  Scope of Security Coverage

   This document is intended only to provide an authentication and
   authorization model to insure the integrity of the policy data in a
   registry.  Only authetication and authorization of additions,
   deletions, and changes to the database are within the scope of this
   document.  Authentication and authorization of database queries is




Villamizar, et al.          Standards Track                     [Page 5]

RFC 2725             Routing Policy System Security        December 1999


   explicitly out of scope.  Mutual authentication of queries, that is
   authenticating both the origin of the query and the repository from
   which query results are obtained, is also out of scope.

5  Organization of this Document

   Familiarity with RIPE-181 [2] and RPSL [1] is assumed throughout this
   document.  Goals are described in Section 6.  Section 7 through
   Section 9 provide descriptions of the changes and discussion.
   Section 10 provides a concise summary of data formats and semantics.
   Appendix C through Appendix E provide additional technical
   discussion, examples, and deployment considerations.

      Goals and Requirements Section 6 provides a more detailed
      description of the issues and identifies specific problems that
      need to be solved, some of which require a degree of cooperation
      in the Internet community.

      Data Representation Section 7 provides some characteristics of
      RPSL and formats for external representations of information.

      Authentication Model Section 8 describes current practice,
      proposes additional authentication methods, and describes the
      extension mechanism if additional methods are needed in the
      future.

      Authorization Model Section 9 describes the means of determining
      whether a transaction contains the authorization needed to add,
      modify, or delete specific data objects, based on stated
      authentication requirements in related data objects.

      Data Format Summaries Section 10 provides a concise reference to
      the data formats and steps in transaction processing.

      Technical Discussion Section C contains some discussion of
      technical tradeoffs.

      Common Operational Cases Section D provides some examples drawn
      from past operational experience with the IRR.

      Deployment Considerations Section E describes some deployment
      issues and discusses possible means of resolution.

6  Goals and Requirements

   The Internet is an open network.  This openness and the large scale
   of the Internet can present operational problems.  Technical
   weaknesses that allow misconfiguration or errant operation in part of



Villamizar, et al.          Standards Track                     [Page 6]

RFC 2725             Routing Policy System Security        December 1999


   the network to propagate globally or which provide potentials for
   simple denial of service attacks should be eliminated to the extent
   that it is practical.  The integrity of routing information is
   critical in assuring that traffic goes where it is supposed to.

   An accidental misconfiguration can direct traffic toward routers that
   cannot reach a destination for which they are advertising
   reachability.  This is commonly caused by misconfigured static routes
   though there are numerous other potential causes.  Static routes are
   often used to provide constant apparent reachability to single homed
   destinations.  Some of the largest ISPs literally have thousands of
   static routes in their networks.  These are often entered manually by
   operators.  Mistyping can divert traffic from a completely unrelated
   destination to a router with no actual reachability to the advertised
   destination.  This can happen and does happen somewhat regularly.  In
   addition, implementation bugs or severe misconfigurations that result
   in the loss of BGP AS path information or alteration of prefix length
   can result in the advertisement of large sets of routes.  Though
   considerably more rare, on a few occasions where this has occurred
   the results were catastrophic.

   Where there is the potential for an accidental misconfiguration in a
   remote part of the Internet affecting the global Internet there is
   also the potential for malice.  For example, it has been demonstrated
   by accident that multiple hour outages at a major institution can be
   caused by a laptop and a dial account if proper precautions are not
   taken.  The dial account need not be with the same provider used by
   the major institution.

   The potential for error is increased by the CIDR preference for more
   specific routes [8].  If an institution advertises a single route of
   a given length and a distant router advertises a more specific route
   covering critical hosts, the more specific route, if accepted at all,
   is preferred regardless of administrative weighting or any routing
   protocol attributes.

   There is a need to provide some form of checks on whether a route
   advertisement is valid.  Today checks are typically made against the
   border AS advertising the route.  This prevents accepting routes from
   the set of border AS that could not legitimately advertise the route.
   Theses checks rely on the use of information registered in the IRR to
   generate lists of prefixes that could be advertised by a specific
   border AS. Checks can also be made against the origin AS. If policy
   information were sufficiently populated, checks could be made against
   the entire AS path, but this is not yet feasible.






Villamizar, et al.          Standards Track                     [Page 7]

RFC 2725             Routing Policy System Security        December 1999


   The use of a routing registry can also make it more difficult for
   prefixes to be used without authorization such as unallocated
   prefixes or prefixes allocated to another party.

   In summary, some of the problems being addressed are:

   o  Localizing the impact of accidental misconfiguration made by
      Internet Providers to that provider's networks only.

   o  Eliminating the potential for an Internet provider's customer to
      use malicious misconfiguration of routing as a denial of service
      attack if the provider route filters their customers.  Localizing
      the denial of service to that Internet provider only if the
      immediate Internet service provider does not route filter their
      customers but other providers route filter the route exchange at
      the interprovider peering.

   o  Eliminating the unauthorized use of address space.

   If the data within a routing registry is critical, then the ability
   to change the data must be controlled.  Centralized authorities can
   provide control but centralization can lead to scaling problems (and
   is politically distasteful).

   Address allocation and name allocation is already delegated.  Since
   delegation can be to outside registries it is at least somewhat
   distributed [11].  Autonomous System (AS) numbers are allocated by
   the same authorities.  It makes sense to delegate the routing number
   space in a manner similar to the address allocation and AS number
   allocation.  The need for this delegation of authority to numerous
   registries increases the difficulty of maintaining the integrity of
   the body of information as a whole.

   As a first step, the database can be somewhat centrally administered
   with authority granted to many parties to change the information.
   This is the case with the current IRR. There are a very small number
   of well trusted repositories and a very large number of parties
   authorized to make changes.  Control must be exercised over who can
   make changes and what changes they can make.  The distinction of who
   vs what separates authentication from authorization.

   o  Authentication is the means to determine who is attempting to make
      a change.

   o  Authorization is the determination of whether a transaction
      passing a specific authentication check is allowed to perform a
      given operation.




Villamizar, et al.          Standards Track                     [Page 8]

RFC 2725             Routing Policy System Security        December 1999


   Different portions of the database will require different methods of
   authentication.  Some applications will require authentication based
   on strong encryption.  In other cases software supporting strong
   encryption may not be necessary or may not be legally available.  For
   this reason multiple authentication methods must be supported,
   selected on a per object basis through the specification of
   authentication methods in the maintainer object "auth" attribute.
   The authentication methods may range from very weak data integrity
   checks to cryptographicly strong signatures.  The authorization model
   must sure that the use of weak integrity checks in parts of the
   database does not compromise the overall integrity of the database.

   Additional requirements are placed on the authorization model if the
   database is widely distributed with delegations made to parties that
   may not be trustworthy or whose security practices may be lacking.
   This problem must be addressed in the authorization model in order to
   enable later evolution to a more distributed routing registry.

   Autonomous system numbers can be delegated in blocks and subdelegated
   as needed and then individual AS numbers assigned.  Address
   allocation is a simple numeric hierarchy.  Route allocation is
   somewhat more complicated.  The key attributes in a route object (key
   with regard to making it unique) contain both an address prefix and
   an AS number, known as the origin AS. The addition of a route object
   must be validated against the authorization criteria for both the AS
   and the address prefix.  Route objects may exist for the same prefix
   with multiple origin AS values due to a common multihoming practice
   that does not require a unique origin AS. There is often no
   correlation between the origin AS of a prefix and the origin AS of
   overlapping more specific prefixes.

   There are numerous operational cases that must be accommodated.  Some
   of the more common are listed below.  These are explored in greater
   detail in Appendix D with discussion of technical tradeoffs in
   Appendix C.

   o  simple hierarchical address allocation and route allocation

   o  aggregation and multihomed more specific routes

   o  provider independent addresses and multiple origin AS

   o  changing Internet service providers

   o  renumbering grace periods






Villamizar, et al.          Standards Track                     [Page 9]

RFC 2725             Routing Policy System Security        December 1999


   The authorization model must accommodate a variety of policies
   regarding the allocation of address space and cannot mandate the use
   of any one model.  There is no standardization of address allocation
   policies though guidelines do exist [11, 16].  Whether authorization
   allows the recovery of address space must be selectable on a per
   object basis and may differ in parts of the database.  This issue is
   discussed further in Appendix C.

7  Data Representation

   RPSL provides a complete description of the contents of a routing
   repository [1].  Many RPSL data objects remain unchanged from the
   RIPE specifications and RPSL references the RIPE-181 specification as
   recorded in RFC-1786 [2].  RPSL provides external data
   representation.  Data may be stored differently internal to a routing
   registry.

   Some database object types or database attributes must be added to
   RPSL to record the delegation of authority and to improve the
   authentication and authorization mechanisms.  These additions are
   very few and are described in Section 8 and Section 9.

   Some form of encapsulation must be used to exchange data.  The
   defacto encapsulation has been the one which the RIPE tools accept, a
   plain text file or plain text in the body of an RFC-822 formatted
   mail message with information needed for authentication derived from
   the mail headers or the body of the message.  Merit has slightly
   modified this using the PGP signed portion of a plain text file or
   PGP signed portion of the body of a mail message.  These very simple
   forms of encapsulation are suitable for the initial submission of a
   database transaction.

   The encapsulation of registry transaction submissions, registry
   queries and registry responses and exchanges between registries is
   outside the scope of this document.  The encapsulation of registry
   transaction submissions and exchanges between registries is outside
   the scope of this document.

8  Authentication Model

   The maintainer objects serve as a container to hold authentication
   filters.  A reference to a maintainer within another object defines
   authorization to perform operations on the object or on a set of
   related objects.  The maintainer is typically referenced by name in
   mnt-by attributes of objects.  Further details on the use of
   maintainers are provided in Section 9.1.





Villamizar, et al.          Standards Track                    [Page 10]

RFC 2725             Routing Policy System Security        December 1999


   The maintainer contains one or more "auth" attributes.  Each "auth"
   attribute begins with a keyword identifying the authentication method
   followed by the authentication information needed to enforce that
   method.  The PGPKEY method is slightly syntactically different in
   that the method PGPKEY is a substring.

   Authentication methods currently supported include the following.
   Note that pgp-from is being replaced by the pgpkey (see Section 10
   and [18]).

   mail-from  This is a very weak authentication check and is
      discouraged.  The authentication information is a regular
      expression over ASCII characters.  The maintainer is authenticated
      if the from or reply-to fields in RFC-822 mail headers are matched
      by this regular expression.  Since mail forgery is quite easy,
      this is a very weak form of authentication.

   crypt-pw  This is another weak form of authentication.  The
      authentication information is a fixed encrypted password in UNIX
      crypt format.  The maintainer is authenticated if the transaction
      contains the clear text password of the maintainer.  Since the
      password is in clear text in transactions, it can be captured by
      snooping.  Since the encrypted form of the password is exposed, it
      is subject to password guessing attacks.

   pgp-from  This format is being replaced by the "pgpkey" so that the
      public key certificate will be available to remote repositories.
      This is Merit's PGP extension.  The authentication information is
      a signature identity pointing to an external public key ring.  The
      maintainer is authenticated if the transaction (currently PGP
      signed portion of a mail message) is signed by the corresponding
      private key.

   pgpkey  This keyword takes the form "PGPKEY-hhhhhhhh", where
      "hhhhhhhh" is the hex representation of the four byte id of the
      PGP public key used for authentication.  The public key
      certificate is stored in a separate object as described in [18].

   Repositories may elect to disallow the addition of "auth" attributes
   specifying weaker forms of authentication and/or disallow their use
   in local transaction submissions.  Repositories are encouraged to
   disallow the addition of "auth" attributes with the deprecated "pgp-
   from" method.

   Any digital signature technique can in principle be used for
   authentication.  Transactions should be signed using multiple digital
   signature techniques to allow repositories or mirrors that only use a




Villamizar, et al.          Standards Track                    [Page 11]

RFC 2725             Routing Policy System Security        December 1999


   subset of the techniques to verify at least one of the signatures.
   The selection of digital signature techniques is not within the scope
   of this document.

9  Authorization Model

   The authorization model must accommodate the requirements outlined in
   Section 6.  A key feature of the authorization model is the
   recognition that authorization for the addition of certain types of
   data objects must be derived from related data objects.

   With multiple repositories, objects not found in RPSL are needed to
   control AS delegations and new attributes are needed in existing
   objects to control subdelegation.  The definition of RPSL objects
   used to implement a distrubuted routing registry system is not within
   the scope of this document.

9.1  Maintainer Objects

   The maintainer objects serve as a container to hold authentication
   filters.  The authentication methods are described in Section 8.  The
   maintainer can be referenced by name in other objects, most notably
   in the mnt-by attributes of those objects.

   Maintainers themselves contain mnt-by attributes.  In some cases the
   mnt-by in a maintainer will reference the maintainer itself.  In this
   case, authorization to modify the maintainer is provided to a
   (usually very limited) set of identities.  A good practice is to
   create a maintainer containing a long list of identities authorized
   to make specific types of changes but have the maintainer's mnt-by
   attribute reference a far more restrictive maintainer more tightly
   controlling changes to the maintainer object itself.

   The mnt-by attribute is mandatory in all objects.  Some data already
   exists without mnt-by attributes.  A missing mnt-by attribute is
   interpreted as the absence of any control over changes.  This is
   highly inadvisable and most repositories will no longer allow this.

   An additional maintainer reference can occur through a new attribute,
   "mnt-routes", and is used in aut-num, inetnum and route objects.  The
   "mnt-routes" attribute is an extension to RPSL and is described in
   detail in Section 10.

   A mnt-routes attribute in an aut-num object allows addition of route
   objects with that AS number as the origin to the maintainers listed.
   A mnt-routes attribute in an inetnum object allows addition of route
   objects with exact matching or more specific prefixes.  A mnt-routes
   attribute in a route object allows addition of route objects with



Villamizar, et al.          Standards Track                    [Page 12]

RFC 2725             Routing Policy System Security        December 1999


   exact matching or more specific prefixes.  A mnt-routes attribute
   does not allow changes to the aut-num, inetnum, or route object where
   it appears.  A mnt-routes may optionally be constrained to only apply
   to a subset of more specific routes.

   Where "mnt-routes" or "mnt-lower" are applicable, any maintainer
   referenced in the "mnt-by" still apply.  The set of applicable
   maintainers for whatever check is being made is the union of the
   "mnt-routes" or "mnt-lower" and the "mnt-by".  For example, when
   authorizing a route object software would look at "mnt-routes", if it
   does not exist, look at "mnt-lower", if that does not exist look at
   "mnt-by".

9.2  as-block and aut-num objects

   An "as-block" object is needed to delegate a range of AS numbers to a
   given repository.  This is needed for authorization and it is needed
   to avoid having to make an exhaustive search of all repositories to
   find a specific AS. This search would not be an issue now but would
   be if a more distributed routing repository is used.  Distributed
   registry issues are not within the scope of this document.

   The "as-block" object also makes it possible to separate AS number
   allocation from registration of AS routing policy.

      as-block:        AS1321 - AS1335

   The "aut-num" describes the routing policy for an AS and is critical
   for router configuration of that AS and for analysis performed by
   another AS. For the purpose of this document it is sufficient to
   consider the aut-num solely as a place holder identifying the
   existence of an AS and providing a means to associate authorization
   with that AS when adding "route" objects.

   The "as-block" object is proposed here solely as a means of recording
   the delegation of blocks of AS numbers to alternate registries and in
   doing so providing a means to direct queries and a means to support
   hierarchical authorization across multiple repositories.

9.3  inetnum objects

   The "inetnum" exists to support address allocation.  For external
   number registries, such as those using "[r]whoisd[++]" the "inet-num"
   can serve as a secondary record that is added when an address
   allocation is made in the authoritative database.  Such records could
   be added by a address registry such as ARIN as a courtesy to the
   corresponding routing registry.




Villamizar, et al.          Standards Track                    [Page 13]

RFC 2725             Routing Policy System Security        December 1999


      inetnum:        193.0.0.0 - 193.0.0.255
      source:         IANA

9.4  route objects

   Currently there are a quite few route objects in more than one
   registry.  Quite a few are registered with an origin AS for which
   they have never been announced.  There is a legitimate reason to be
   in more than one origin AS.

   The "route" object is used to record routes which may appear in the
   global routing table.  Explicit support for aggregation is provided.
   Route objects exist both for the configuration of routing information
   filters used to isolate incidents of erroneous route announcements
   (Section 6) and to support network problem diagnosis.

9.5  reclaim and no-reclaim attributes

   A reclaim attribute is needed in as-block, inetnum and route objects.
   The reclaim attribute allows a control to be retained over more
   specific AS, IP address or route space by allowing modify and delete
   privileges regardless of the mnt-by in the object itself.

   The reclaim attribute provides the means to enforce address lending.
   It allows cleanup in cases where entities cease to exist or as a last
   presort means to correct errors such as parties locking themselves
   out of access to their own objects.  To specify all more specific
   objects the reclaim attribute value should be "ALL". To allow finer
   control a set of prefixes can be specified.

   A no-reclaim attribute can be used to provide explicit exceptions.  A
   reclaim attribute can only be added to an existing object if the
   addition of the reclaim attribute does not remove autonomy of
   existing more specific objects that are covered by the new reclaim
   attribute.

   1. A reclaim attribute can be added to an existing object if there
      are no existing exact matches or more specific objects overlapped
      by the new reclaim attribute, or

   2. if the submitter is listed in the maintainer pointed to by the
      mnt-by of the objects which are overlapped, or

   3. if any overlapped object is listed in a no-reclaim attribute in
      the object where the reclaim is being added.






Villamizar, et al.          Standards Track                    [Page 14]

RFC 2725             Routing Policy System Security        December 1999


   Similarly, a submitter may delete a no-reclaim attribute from an
   object only when that submitter is the only maintainer listed in the
   mnt-by attributes of any overlapped objects.  If the submitter is not
   listed in any of the maintainers pointed to by the mnt-by attributes
   for one or more overlapped object, then the submitter is not
   permitted to delete the no-reclaim attribute.

   If neither a reclaim or no-reclaim attribute is present, then more
   specific objects of a given object cannot be modified by the
   maintainer of the less specified object unless the maintainer is also
   listed as a maintainer in the more specific object.  However, the
   addition of a new route or inetnum object must pass authentication of
   the largest less specific prefix as part of the authentication check
   described in Section 9.9.

   See Section 10 for a full description of the reclaim and no-reclaim
   attributes.

9.6  Other Objects

   Many of the RPSL ancillary objects have no natural hierarchy the way
   AS numbers, Internet addresses and routes do have a numeric
   hierarchy.  Some examples are "maintainers", "people" and "role"
   objects.  For these objects, lack of any hierarchy leads to two
   problems.

   1. There is no hierarchy that can be exploited to direct queries to
      alternate registries.  At some point the query strategy of
      searching all known registries becomes impractical.

   2. There is no hierarchy on which authorizations of additions can be
      based.

   The first problem can be addressed by considering the name space for
   each of the ancillary objects to be unique only within the local
   database and to use explicit references to an external repository
   where needed.  To specify an external repository reference, the
   object key is preceded by the name of the repository and the
   delimiter "::".  For example a NIC handle may take the form
   "RIPE::CO19".  Currently there is a desire to keep NIC handles unique
   so the naming convention of appending a dash and the repository name
   is used.  Prepending the repository name provides the unique name
   space since an object in the RIPE database referencing "CO19" would
   be interpreted as "RIPE::CO19" by default, but it would still be
   possible to query or reference "IANA::CO19".  There is no possibility
   of accidentally forgetting to adhere to the conventions when making
   an addition and the existing objects are accommodated, including
   cases where name conflicts have already occurred.



Villamizar, et al.          Standards Track                    [Page 15]

RFC 2725             Routing Policy System Security        December 1999


   The second problem can be partially addressed by using a referral
   system for the addition of maintainers and requiring that any other
   object be submitted by a registered maintainer or by IANA.  The
   referral system would allow any existing maintainer to add another
   maintainer.  This can be used in parallel with the addition of other
   object types to support the maintenance of those objects.  For
   example, when adding a subdomain to the "domain" hierarchy (in the
   RIPE repository where domains are also handled), even when adding a
   new domain to a relatively flat domain such as "com", there is
   already a maintainer for the existing domain.  The existing
   maintainer can add the maintainer that will be needed for the new
   domain in addition to adding the new domain and giving the new
   maintainer the right to modify it.

   An organization gaining a presence on the Internet for the first time
   would be given a maintainer.  This maintainer may list a small number
   of very trusted employees that are authorized to modify the
   maintainer itself.  The organization itself can then add another
   maintainer listing a larger set of employees but listing the more
   restrictive maintainer in the mnt-by attributes of the maintainers
   themselves.  The organization can then add people and role objects as
   needed and any other objects as needed and as authorization permits.

9.7  Objects with AS Hierarchical Names

   Many RPSL objects do not have a natural hierarchy of their own but
   allow hierarchical names.  Some examples are the object types "as-
   set" and "route-set".  An as-set may have a name corresponding to no
   naming hierarchy such as "AS-Foo" or it may have a hierarchical name
   of the form "AS1:AS-Bar".

   When a hierarchical name is not used, authorization for objects such
   as "as-set" and "route-set" correspond to the rules for objects with
   no hierarchy described in Section 9.6.

   If hierarchical names are used, then the addition of an object must
   be authorized by the aut-num whose key is named by everything to the
   left of the rightmost colon in the name of the object being added.
   Authorization is determined by first using the mnt-lower maintainer
   reference, or if absent, using the mnt-by reference.

9.8  Query Processing

   A query may have to span multiple repositories.  All queries should
   be directed toward a local repository which may mirror the root
   repository and others.  Currently each IRR repository mirrors all
   other repositories.  In this way, the query may be answered by the
   local repository but draw data from others.



Villamizar, et al.          Standards Track                    [Page 16]

RFC 2725             Routing Policy System Security        December 1999


   The mechanism below when applied to multiple repositories assumes the
   existence of an attribute for traversal of the repositories.  The
   definition of this attribute is considered a distributed registry
   issue and is out of scope of this document.

   For object types that have a natural hierarchy, such as aut-num,
   inet-num, and route, the search begins at the root database and
   follows the hierarchy.  For objects types that have no natural
   hierarchy, such as maintainer, person, and role objects, the search
   is confined to a default database unless a database is specified.
   The default database is the same database as an object from which a
   reference is made if the query is launched through the need to follow
   a reference. Otherwise the default is generally the local database or
   a default set by the repository.  The default can be specified in the
   query itself as described in Section 9.7.

   In the absense of attributes to traverse multiple registries a search
   of all repositories is needed.  With such attributes the search would
   proceed as follows.  In searching for an AS, the delegation attribute
   in AS blocks can be consulted, moving the search to data from other
   repositories.  Eventually the AS is either found or the search fails.
   The search for an inetnum is similar.  Less specific inetnums may
   refer the search to other databases.  Eventually the most specific
   inetnum is found and its status (assigned or not assigned) can be
   determined.  The definition of attributes for traversal of
   repositories is considered a distrbiuted registry issue and is not
   within the scope of this document.

   The search for a route in the presence of attributes for the
   traversal of multiple registries is similar except the search may
   branch to more than one repository.  The most specific route in one
   repository may be more specific than the most specific in another.
   In looking for a route object it makes sense to return the most
   specific route that is not more specific than the query requests
   regardless of which repository that route is in rather than return
   one route from each repository that contains a less specific overlap.

9.9  Adding to the Database

   The mechanism below when applied to multiple repositories assumes the
   existence of an attribute for traversal of the repositories.  The
   definition of this attribute is considered a distributed registry
   issue and is out of scope of this document.

   The root repository must be initially populated at some epoch with a
   few entries.  An initial maintainer is needed to add more
   maintainers.  The referral-by attribute can be set to refer to itself
   in this special case (Section 10 describes the referral-by).  When



Villamizar, et al.          Standards Track                    [Page 17]

RFC 2725             Routing Policy System Security        December 1999


   adding an inetnum or a route object an existing exact match or a less
   specific overlap must exist.  A route object may be added based on an
   exact match or a less specific inetnum.  The root repository must be
   initially populated with the allocation of an inetnum covering the
   prefix 0/0, indicating that some address allocation authority exists.
   Similarly an initial as-block is needed covering the full AS number
   range.

   When adding an object with no natural hierarchy, the search for an
   existing object follows the procedure outlined in Section 9.8.

   When adding an aut-num (an AS), the same procedure used in a query is
   used to determine the appropriate repository for the addition and to
   determine which maintainer applies.  The sequence of AS-block objects
   and repository delegations is followed.  If the aut-num does not
   exist, then the submission must match the authentication specified in
   the maintainer for the most specific AS-block in order to be added.

   The procedure for adding an inetnum is similar.  The sequence of
   inet-num blocks is followed until the most specific is found.  The
   submission must match the authentication specified in the maintainer
   for the most specific inetnum overlapping the addition.

   Adding a route object is somewhat more complicated.  The route object
   submission must satisfy two authentication criteria.  It must match
   the authentication specified in the aut-num and the authentication
   specified in either a route object or if no applicable route object
   is found, then an inetnum.

   An addition is submitted with an AS number and prefix as its key.  If
   the object already exists, then the submission is treated as a modify
   (see Section 9.10).  If the aut-num does not exist on a route add,
   then the addition is rejected (see Section C for further discussion
   of tradeoffs).  If the aut-num exists then the submission is checked
   against the applicable maintainer.  A search is then done for the
   prefix first looking for an exact match.  If the search for an exact
   match fails, a search is made for the longest prefix match that is
   less specific than the prefix specified.  If this search succeeds it
   will return one or more route objects.  The submission must match an
   applicable maintainer in at least one of these route objects for the
   addition to succeed.  If the search for a route object fails, then a
   search is performed for an inetnum that exactly matches the prefix or
   for the most specific inetnum that is less specific than the route
   object submission.  The search for an inetnum should never fail but
   it may return an unallocated or reserved range.  The inetnum status
   must be "allocated" and the submission must match the maintainer.





Villamizar, et al.          Standards Track                    [Page 18]

RFC 2725             Routing Policy System Security        December 1999


   Having found the AS and either a route object or inetnum, the
   authorization is taken from these two objects.  The applicable
   maintainer object is any referenced by the mnt-routes attributes.  If
   one or more mnt-routes attributes are present in an object, the mnt-
   by attributes are not considered.  In the absence of a mnt-routes
   attribute in a given object, the mnt-by attributes are used for that
   object.  The authentication must match one of the authorizations in
   each of the two objects.

   If the addition of a route object or inetnum contains a reclaim
   attribute, then any more specific objects of the same type must be
   examined.  The reclaim attribute can only be added if there are no
   more specific overlaps or if the authentication on the addition is
   present in the authorization of a less specific object that already
   has a reclaim attribute covering the prefix range, or if the
   authentication on the addition is authorized for the modification of
   all existing more specific prefixes covered by the addition.

9.10  Modifying or Deleting Database Objects

   When modifying or deleting any existing object a search for the
   object is performed as described in Section 9.8.  If the submission
   matches an applicable maintainer for the object, then the operation
   can proceed.  An applicable maintainer for a modification is any
   maintainer referenced by the mnt-by attribute in the object.  For
   route and inet-num objects an applicable maintainer may be listed in
   a less specific object with a reclaim attribute.

   If the submission is for a route object, a search is done for all
   less specific route objects and inetnums.  If the submission is for
   an inetnum, a search is done for all less specific inetnums.  If the
   submission fails the authorization in the object itself but matches
   the reclaim attribute in any of the less specific objects, then the
   operation can proceed.  Section C contains discussion of the
   rationale behind the use of the reclaim attribute.

   A modification to an inetnum object that adds a reclaim attribute or
   removes a no-reclaim attribute must be checked against all existing
   inetnums that are more specific.  The same check of the reclaim
   attribute that is made during addition must be made when a reclaim
   attribute is added by a modification (see Section 9.9).

   A deletion is considered a special case of the modify operation.  The
   deleted object may remain in the database with a "deleted" attribute
   in which case the mnt-by can still be consulted to remove the
   "deleted" attribute.





Villamizar, et al.          Standards Track                    [Page 19]

RFC 2725             Routing Policy System Security        December 1999


10  Data Format Summaries

   RIPE-181 [2] and RPSL [1] data is represented externally as ASCII
   text.  Objects consist of a set of attributes.  Attributes are name
   value pairs.  A single attribute is represented as a single line with
   the name followed by a colon followed by whitespace characters
   (space, tab, or line continuation) and followed by the value.  Within
   a value all whitespace is equivalent to a single space.  Line
   continuation is supported by a backslash at the end of a line or the
   following line beginning with whitespace.  When transferred,
   externally attributes are generally broken into shorter lines using
   line continuation though this is not a requirement.  An object is
   externally represented as a series of attributes.  Objects are
   separated by blank lines.

   There are about 80 attribute types in the current RIPE schema and
   about 15 object types.  Some of the attributes are mandatory in
   certain objects.  Some attributes may appear multiple times.  One or
   more attributes may form a key.  Some attributes or sets of
   attributes may be required to be unique across all repositories.
   Some of the attributes may reference a key field in an object type
   and may be required to be a valid reference.  Some attributes may be
   used in inverse lookups.

   A review of the entire RIPE or RPSL schema would be too lengthy to
   include here.  Only the differences in the schema are described.

10.1  Changes to the RIPE/RPSL Schema

   One new object type and several attributes are added to the RIPE/RPSL
   schema.  There are significant changes to the rules which determine
   if the addition of an object is authorized.

   The new object type is listed below.  The first attribute listed is
   the key attribute and also serves as the name of the object type.

   as-block        key  mandatory  single    unique
   descr                optional   multiple
   remarks              optional   multiple
   admin-c              mandatory  multiple
   tech-c               mandatory  multiple
   notify               optional   multiple
   mnt-by               mandatory  multiple
   changed              mandatory  multiple
   source               mandatory  single






Villamizar, et al.          Standards Track                    [Page 20]

RFC 2725             Routing Policy System Security        December 1999


   In the above object type only the key attribute "as-block" is new:

   as-block  This attribute provides the AS number range for an "as-
      block" object.  The format is two AS numbers including the sub-
      string "AS" separated by a "-" delimiter and optional whitespace
      before and after the delimiter.

   In order to support stronger authentication, the following keywords
   are added to the "auth" attribute:

   pgp-from  The remainder of the attribute gives the string identifying
      a PGP identity whose public key is held in an external keyring.
      The use of this method is deprecated in favor of the "pgpkey"
      method.

   pgpkey  See [18].

   In order to disable authentication and give permission to anyone, the
   authentication method "none" is added.  It has no arguments.

   An additional change is the "auth" attribute is allowed to exist in a
   "person" or "role" object.  The "auth" method "role" or "person" can
   be used to refer to a role or person object and take the "auth"
   fields from those objects.  Care must be taken in implementations to
   detect circular references and terminate expansion or the references
   already visited.

   A few attributes are added to the schema.  These are:

   mnt-routes  The mnt-routes attribute may appear in an aut-num, inet-
      num, or route object.  This attribute references a maintainer
      object which is used in determining authorization for the addition
      of route objects.  After the reference to the maintainer, an
      optional list of prefix ranges (as defined in RPSL) inside of
      curly braces or the keyword "ANY" may follow.  The default, when
      no additional set items are specified is "ANY" or all more
      specifics.  The mnt-routes attribute is optional and multiple.
      See usage details in Section 9.1.

   mnt-lower  The mnt-lower attribute may appear in an inetnum, route,
      as-block or aut-num object.  This attribute references a
      maintainer object.  When used in an inetnum or route object the
      effect is the same as a "mnt-routes" but applies only to prefixes
      more specific than the prefix of the object in which it is
      contained.  In an as block object, mnt-lower allows addition of
      more specific as-block objects or aut-num objects.  In an aut-num





Villamizar, et al.          Standards Track                    [Page 21]

RFC 2725             Routing Policy System Security        December 1999


      object the mnt-lower attribute specifies a maintainer that can be
      used to add objects with hierarchical names as described in
      Section 9.7.

   reclaim  The reclaim attribute may appear in as-block, aut-num,
      inet-num, or route objects.  Any object of the same type below in
      the hierarchy may be modified or deleted by the maintainer of the
      object containing a reclaim attribute.  The value of the attribute
      is a set or range of objects of the same type where the syntax of
      the set or range is as defined in RPSL. See Section 9.5 for
      restrictions on adding reclaim attributes.

   no-reclaim  The no-reclaim attribute is used with the reclaim
      attribute.  The no-reclaim attribute negates any reclaim attribute
      it overlaps.  See Section 9.5 for restrictions on deleting no-
      reclaim attributes.

   referral-by  This attribute is required in the maintainer object.  It
      may never be altered after the addition of the maintainer.  This
      attribute refers to the maintainer that created this maintainer.
      It may be multiple if more than one signature appeared on the
      transaction creating the object.

   auth-override  An auth-override attribute can be added, deleted, or
      changed by a transaction submitted by maintainer listed in the
      referral-by.  An auth-override can only be added to a maintainer
      if that maintainer has been inactive for the prior 60 days.  The
      auth-override attribute itself contains only the date when the
      attribute will go into effect which must be at least 60 days from
      the current date unless there is already authorization to modify
      the maintainer.  After the date in the auth-override is reached,
      those identified by the maintainer in the referral-by have
      authorization to modify the maintainer.  This attribute exists as
      a means to clean up should the holder of a maintainer become
      unresponsive and can only take effect if that maintainer does not
      remove the auth-override in response to the automatic notification
      that occurs on changes.

   The existing "mnt-by" attribute references the "maintainer" object
   type.  The "mnt-by" attribute is now mandatory in all object types.
   A new maintainer may be added by any existing maintainer.  The
   "referral-by" attribute is now mandatory in the "maintainer" object
   to keep a record of which maintainer made the addition and can never
   be changed.  Maintainers cannot be deleted as long as they are
   referenced by a "referral-by" attribute elsewhere.






Villamizar, et al.          Standards Track                    [Page 22]

RFC 2725             Routing Policy System Security        December 1999


A  Core and Non-Core Functionality

   Most of the objects and attributes described in this document are
   essential to the authorization framework.  These are referred to as
   being part of the "core" functionality.  A few attributes listed here
   are considered "non-core".

   The "reclaim" and "no-reclaim" attributes are a convenience to
   support flexibility in the implementation of address lending.

   The "auth-override" attribute is a convenience to facilitate recovery
   in an environment where repository data is redistributed in any way.

   The "referal-by" attribute is a "core" feature.  An individual
   registry may express its sutonomy by creating a self-referencing
   maintainer, one whose "referal-by" points to itslef.  Other
   registries can decide on a case by case basis whether to consider
   such an entry valid.  A registry may only allow the "referal-by" to
   refer to a specific maintainer under the control of the registry.
   This further restriction is an issue that is purely local to the
   registry.

B  Examples

   The examples below leave out some required attributes that are not
   needed to illustrate the use of the objects and attributes described
   in this document.  Missing are admin-c, tech-c, changed, source.
   Also missing are attributes such as mnt-nfy, whose use are a good
   practice but are not strictly required.

   To do anything at all a maintainer is needed.  At some epoch a a
   single maintainer is populated in one repository and that maintianer
   has a referal-by pointing to itself.  All others referal-by
   references can be traced back to that maintainer.  At the epoch the
   as-block AS0- AS65535 and the inetnum 0.0.0.0-255.255.255.255 are
   also allocated.  Other ancilliary object may also be needed to
   bootstrap.

      mntner:        ROOT-MAINTAINER
      auth:          pgpkey-12345678

      mnt-by:        ROOT-MAINTAINER
      referal-by:    ROOT-MAINTAINER

   This root maintainer might add a top level maintainer for some
   organization.





Villamizar, et al.          Standards Track                    [Page 23]

RFC 2725             Routing Policy System Security        December 1999


      mntner:        WIZARDS
      descr:         High level Technical Folks
      auth:          pgpkey-23456789
      auth:          pgpkey-3456789a
      mnt-by:        WIZARDS
      referal-by:    ROOT-MAINTAINER

   That maintainer might add another who have more limited capabilities.

      mntner:        MORTALS
      descr:         Maintain day to day operations
      auth:          pgpkey-456789ab
      auth:          pgpkey-56789abc
      auth:          pgpkey-6789abcd
      mnt-by:        WIZARDS
      referal-by:    WIZARDS

   Note that the WIZARDS can change their own maintainer object and the
   MORTALS maintainer object but MORTALS cannot.

   At some point an as-block is allocated and broken down.  In the
   example below, private number space is used.

      as-block:      AS65500-AS65510
      mnt-by:        SOME-REGISTRY
      mnt-lower:     WIZARDS

      Note that a registry has control over the object that they have
      created representing the allocation, but have given the party to
      which the allocation was made the ability to create more specific
      objects. Below this as-block, an aut-num is added.  Note that
      import and export are normally required for a aut-num but are not
      shown here.

      aut-num:       AS65501
      mnt-by:        WIZARDS
      mnt-lower:     MORTALS

   In aut-num above the WIZARDS maintainer can modify the aut-num
   itself.  The MORTALS maintainer can add route objects using this AS
   as the origin if they also have authorization for the IP number space
   in a less specific route or inetnum.









Villamizar, et al.          Standards Track                    [Page 24]

RFC 2725             Routing Policy System Security        December 1999


   We also need an inetnum allocation.  In this example the inetnum is
   allocated to a completely different organization.  Again attributes
   are omited which would normally be needed in an inetnum.

      inetnum:       192.168.144.0-192.168.151.255
      mnt-by:        SOME-REGISTRY
      mnt-lower:     ISP
      reclaim:       ALL

   The maintainer ISP can add more specific inetnums or routes with this
   address space.  Note that the registry has declared their ability to
   reclaim the address space.

   If ISP wished to reclaim all allocations but some suballocation of
   theirs resisted, we might get something like the following in which
   they will reclaim only the top half of an allocation (possibly if it
   remains unused).

      inetnum:       192.168.144.0-192.168.147.255
      mnt-by:        ISP
      mnt-lower:     EBG-COM
      reclaim:       192.168.146/23+

   If we assume that the maintainer EBG-COM and the maintainer MORTALS
   want to add a route object, one way to do it is for both parties to
   sign.  If EBG-COM for some reason couldn't aggregate an allocate a
   single top level route (which is inexcusable these days) or there was
   a preference for some reason to avoid the joint signature approach on
   a submission either party could give the other permission to make the
   addition.  A mnt-routes could be added to the aut-num or a mnt-lower
   could be added to an inetnum.

      aut-num:       AS65501
      mnt-by:        WIZARDS
      mnt-lower:     MORTALS
      mnt-routes:    EBG-COM {192.168.144/23}

   With this change to the aut-num the maintainer EBG-COM could add a
   route with origin AS65501, but only with a limited address range.

      route:         192.168.144/24
      origin:        AS65501
      descr:         These boneheads don't aggregate
      mnt-by:        EBG-COM
      mnt-by:        FICTION::MORTALS

   Note that while the maintainer EBG-COM added the object they allowed
   the maintainer MORTALS the ability to modify it.



Villamizar, et al.          Standards Track                    [Page 25]

RFC 2725             Routing Policy System Security        December 1999


   If an object ended up in another repository, a single maintainer
   could still be used.  In the example above the notation
   FICTION::MORTALS indicates that the route object is in a different
   repository and rather than duplicate the maintainer, a reference is
   made to the repository in which the MORTALS object resides.

   In the example below, a pair of route-sets are added and hierarchical
   names are used.

      route-set:     AS65501:Customers
      mnt-by:        WIZARDS
      mnt-lower:     MORTALS

      route-set:     AS65501:Customers:EBG-COM
      mnt-by:        MORTALS
      mnt-lower:     EBG-COM

   Suppose in the 192.168.144/24 object above, only the EBG-COM
   maintainer is listed.  If EBG-COM goes bankrupt, no longer needs
   address space, and stops responding, it could be difficult to delete
   this object.  The maintainer listed in the EBG-COM referral-by
   attribute could be contacted.  They could add a auth-override
   attribute to the EBG-COM object.  Later they could modify the EBG-COM
   object and then any objects with EBG-COM in the mnt-by.

      mntner:        EBG-COM
      mnt-by:        EBG-COM
      auth-override: 19990401

   The examples above stray significantly from realism.  They do provide
   simple illustrations of the usage of the objects type and attributes
   described in this document and hopefully in doing some are of some
   value.

C  Technical Discussion

   A few design tradeoffs exist.  Some of these tradeoffs, the selected
   solution, and the alternatives are discussed here.  Some of the
   issues are listed below.

   1. Whether to err on the side of permissiveness and weaken
      authorization controls or risk the possibility of erecting
      barriers to registering information.

   2. Whether to support enforcible address lending or provide the
      smaller or end user with ultimate control over the registration of
      the prefixes they are using.




Villamizar, et al.          Standards Track                    [Page 26]

RFC 2725             Routing Policy System Security        December 1999


   3. What to do with older objects that either don't conform to newer
      requirements regarding minimum authorization, authentication, and
      accountability, or are of questionable validity.

C.1  Relaxing requirements for ease of registry

   If the requirement that an aut-num exists is relaxed, then it is
   possible for anyone to make use of an unassigned AS number or make
   use of an assigned AS number for which the aut-num has not been
   entered.  Placing requirements on the entry of aut-num presumes
   cooperation of the Internet address allocation authority (if separate
   from the routing registry).  The address allocation authority must be
   willing to field requests to populate skeleton aut-nums from the
   party for which the allocation has been made.  These aut-num must
   include a reference to a maintainer.  A request to the address
   allocation authority must therefore include a reference to an
   existing maintainer.

   The ability to add route objects is also tied to the existence of
   less specific route objects or inetnums.  The Internet address
   allocation authority (if separate from the routing registry) must
   also be willing to field requests to add inetnum records for the
   party already allocated the address space.

   The Internet address allocation authority should also add inetnums
   and aut-nums for new allocations.  In order to do so, a maintainer
   must exist.  If a party is going to connect to the Internet, they can
   get a maintainer by making a request to the Internet service provider
   they will be connecting to.  Once they have a maintainer they can
   make a request for address space or an AS number.  The maintainer can
   contain a public key for a cryptographicly strong authorization
   method or could contain a "crypt-key" or "mail-to" authorization
   check if that is considered adequate by the registering party.
   Furthermore an address allocation authority should verify that the
   request for an AS number or for address space matches the
   authorization criteria in the maintainer.

   Currently only the registries themselves may add maintainers.  This
   becomes a problem for the registry, particularly in verifying public
   keys.  This requirement is relaxed by allowing existing maintainers
   to add maintainers.  Unfortunately the accountability trail does not
   exist for existing maintainers.  The requirement then should be
   relaxed such that existing maintainers may remain but only existing
   maintainers that have a "referral-by" attribute can add maintainers.
   The "referral-by" cannot be modified.  This requirement can be
   relaxed slightly so that a "referral-by" can be added to a maintainer





Villamizar, et al.          Standards Track                    [Page 27]

RFC 2725             Routing Policy System Security        December 1999


   by an existing maintainer with a "referral-by".  This will allow the
   accountability trail to be added to existing maintainers and these
   maintainers can then add new maintainers.

   Verifying that a party is who they claim to be on initial addition,
   is one of the problems that currently falls upon the AS number and
   address registry.  This problem is reduced by allowing existing
   maintainers to add maintainers.  This may actually make it easier to
   get maintainers and therefore easier to register.  The number
   authority still must verify that the AS or address space is actually
   needed by the party making a request.

   Authorization checks made during the addition of route objects that
   refer to AS objects and inetnums strongly rely on the cooperation of
   the Internet address allocation authorities.  The number authorities
   must register as-blocks, aut-nums, or inetnums as AS numbers or
   address space is allocated.  If only a subset of the number
   authorities cooperate, then either an inetnum or as-block can be
   created covering the space that registry allocates and essentially
   requiring null allocation (for example a "crypt-pw" authentication
   where the password is given in the remarks in the object or its
   maintainer) or those obtaining addresses from that number authority
   will have trouble registering in the routing registry.  The
   authorization model supports either option, though it would be
   preferable if the number authorities cooperated and the issue never
   surfaced in practice.

   The maintainer requirements can be relaxed slightly for existing
   maintainers making it easier to register.  Relaxing requirements on
   other objects may defeat the authorization model, hence is not an
   option.

C.2  The address lending issue

   The issue of whether lending contracts should be enforcible is an
   issue of who should ultimately be able to exercise control over
   allocations of address space.  The routing registry would be wise to
   stay as neutral as possible with regard to disputes between third
   parties.  The "reclaim" and "no-reclaim" are designed to allow either
   outcome to the decision as to whether the holder of a less specific
   inetnum or route object can exercise control over suballocations in
   the registry.  The routing registry itself must decide whether to
   retain control themselves and if so, should very clearly state under
   what conditions the registry would intervene.  A registry could even
   go to the extreme of stating that they will intervene in such a
   dispute only after the dispute has been resolved in court and a court
   order has been issued.




Villamizar, et al.          Standards Track                    [Page 28]

RFC 2725             Routing Policy System Security        December 1999


   When an allocation is made by a registry, the registry should keep a
   "reclaim" attribute in the less specific object and make a strong
   policy statement that the reclaim privilege will not be used except
   under very clearly defined special circumstances (which at the very
   minimum would include a court order).  If the allocation is further
   subdivided the party subdividing the allocation and the party
   accepting the suballocation must decide whether a "reclaim" can be
   kept by the holder of the less specific allocation or whether a "no-
   reclaim" must be added transferring control to the holder of the more
   specific.  The registry is not involved in that decision.  Different
   pairs of third parties may reach different decisions regarding the
   "reclaim" and any contractual restrictions on its use that may be
   expressed outside of the registry in the form of a legal contract and
   ultimately resolved by the courts in the event of a bitter dispute.

   By retaining "reclaim" rights the registry retains the ability to
   abide by a court order.  This may only truly become an issue in a
   distributed registry environment where registries will be rechecking
   the authorization of transactions made elsewhere and may fail to
   process the attempt of another registry to abide by a court order by
   overriding normal authorization to change the registry contents if a
   reclaim is not present.

C.3  Dealing with non-conformant or questionable older data

   Some of the newer requirements include requiring that all objects
   reference a maintainer object responsible for the integrity of the
   object and requiring accountability for the creation of maintainers
   to be recorded in the maintainer objects so that accountability can
   be traced back from an unresponsive maintainer.  In the event that
   contact information is absent or incorrect from objects and there is
   any question regarding the validity of the objects, the maintainer
   can be contacted.  If the maintainer is unresponsive, the maintainer
   that authorized the addition of that maintainer can be contacted to
   either update the contact information on the maintainer or confirm
   that the entity no longer exists or is no longer actively using the
   Internet or the registry.

   Many route objects exist for which there are no maintainers and for
   which inetnum and AS objects do not exist.  Some contain the now
   obsoleted guardian attribute rather than a mnt-by.

   It is not practical to unconditionally purge old data that does not
   have maintainers or does not conform to the authorization hierarchy.
   New additions must be required to conform to the new requirements
   (otherwise the requirements are meaningless).  New requirements can
   be phased in by requiring modifications to conform to the new
   requirements.



Villamizar, et al.          Standards Track                    [Page 29]

RFC 2725             Routing Policy System Security        December 1999


   A great deal of questionable data exists in the current registry.
   The requirement that all objects have maintainers and the
   requirements for improved accountability in the maintainers
   themselves may make it easier to determine contact information even
   where the objects are not updated to reflect contact information
   changes.

   It is not unreasonable to require valid contact information on
   existing data.  A great deal of data appears to be unused, such as
   route objects for which no announcement has been seen in many months
   or years.  An attempt should be made to contact the listed contacts
   in the object, in the maintainer if there is one, then up the
   maintainer referral-by chain if there is one, and using the number
   registry or origin AS contact information if there is no maintainer
   accountability trail to follow.  Experience so far indicates that the
   vast majority of deletions identified by comparing registered
   prefixes against route dumps will be positively confirmed (allowing
   the deletion) or there will be no response due to invalid contact
   information (in many cases the IRR contact information points to
   nsfnet-admin@merit.edu).

   By allowing the registry to modify (or delete) any objects which are
   disconnected from the maintainer accountability trail, cleanup can be
   made possible (though mail header forging could in many cases have
   the same effect it is preferable to record the fact that the registry
   itself made the cleanup).  Similarly, a mechanism may be needed in
   the future to allow the maintainer in the referral-by to override
   maintainer privileges in a referred maintainer if all contacts have
   become unresponsive for a maintainer.  The referral-by maintainer is
   allowed to add an "auth-override" attribute which becomes usable as
   an "auth" within 60 days from the time of addition.  The maintainer
   themselves would be notified of the change and could remove the
   "auth-override" attribute before it becomes effective and inquire as
   to why it was added and correct whatever problem existed.  This can
   be supported immediately or added later if needed.

D  Common Operational Cases

   In principle, address allocation and route allocation should be
   hierarchical with the hierarchy corresponding to the physical
   topology.  In practice, this is often not the case for numerous
   reasons.  The primary reasons are the topology is not strictly tree
   structured and the topology can change.  More specificly:








Villamizar, et al.          Standards Track                    [Page 30]

RFC 2725             Routing Policy System Security        December 1999


   1. The Internet topology is not strictly tree structured.

      o  At the top level the network more closely resembles a
         moderately dense mesh.

      o  Near the bottom level many attachments to the Internet are
         multi-homed to more than one Internet provider.

   2. The Internet topology can and does change.

      o  Many attachments switch providers to obtain better service or
         terms.

      o  Service providers may modify adjacencies to obtain better
         transit service or terms.

      o  Service providers may disappear completely scattering
         attachments or they may merge.

   Renumbering is viewed as a practical means to maintain a strict
   numeric hierarchy [16].  It is also acknowledged that renumbering
   IPv4 networks can be difficult [16, 3, 17].  We examine first the
   simple case where hierarchy still exists.  We then examine the
   operational cases where either initial topology is not tree
   structured or cases where topology changes.

D.1  simple hierarchical address allocation and route allocation

   This is the simplest case.  Large ranges of inetnums are assigned to
   address registries.  These registries in turn assign smaller ranges
   for direct use or to topologically large entities where allocations
   according to topology can reduce the amount of routing information
   needed (promote better route aggregation).

   AS objects are allocated as topology dictates the need for additional
   AS [10].  Route objects can be registered by those with authorization
   given by the AS and by the address owner.  This is never an issue
   where the maintainer of the AS and the inetnum are the same.  Where
   they differ, either the provider can give permission to add route
   objects for their AS, or the party allocated the address space can
   give the provider permission to add route objects for their address
   space, or both parties can sign the transaction.  Permission is
   provided by adding to maintainer attributes.








Villamizar, et al.          Standards Track                    [Page 31]

RFC 2725             Routing Policy System Security        December 1999


D.2  aggregation and multihomed more specific routes

   Aggregation is normally not a problem if a provider is aggregating
   address space allocated to the provider and then suballocated
   internally and/or to customers.  In fact, the provider would be
   expected to do so.  This is not a problem even if the route object
   for the aggregation is added after the more specific route objects
   since only less specific objects are considered.

   Aggregation is potentially a problem if a provider or a set of
   providers plan to aggregate address space that was never explicitly
   allocated as a block to those providers but rather remains the
   allocation of a address registry.  These large aggregations can be
   expected to be uncommon, but relatively easily dealt with.
   Superaggregates of this type will generally be formed by
   topologically close entities who have also managed to draw adjacent
   address allocations.  In effect, the registry must give permission to
   form such a superaggregate by either giving permission to do so in
   the mnt-routes of an inetnum or by signing the submission along with
   the other parties.

D.3  provider independent addresses and multiple origin AS

   Provider independent addresses and multihoming arrangement using
   multiple origin AS present a similar problem to multihoming.  The
   maintainer of the address space and the maintainer of the AS is not
   the same.  Permission can be granted using mnt-routes or multiple
   signatures can appear on the submission.

D.4  change in Internet service provider

   A change in Internet service providers is similar to multihoming.  A
   minor difference is that the AS for the more specific route will be
   the AS of the new provider rather than the AS of the multihomed
   customer.  Permission can be granted using mnt-routes or multiple
   signatures can appear on the submission.

D.5  renumbering grace periods

   Renumbering grace periods allow a provider who wants to keep an
   address allocation intact to allow a customer who has chosen to go to
   another provider to renumber their network gradually and then return
   the address space after renumbering is completed.  The issue of
   whether to require immediate renumbering or offer renumbering grace
   periods and how long they should be or whether they should be
   indefinite has been topic of bitter disputes.  The authorization
   model can support no renumbering grace period, a finite renumbering




Villamizar, et al.          Standards Track                    [Page 32]

RFC 2725             Routing Policy System Security        December 1999


   grace period, or an indefinite renumbering grace period.  The
   "reclaim" attribute described in Section 9.1 provides a means to end
   the grace period.

E  Deployment Considerations

   This section describes deployment considerations.  The intention is
   to raise issues and discuss approaches rather than to provide a
   deployment plan.

   The use of routing registries is not yet universally accepted.  There
   still remain Internet providers who see no reason to provide the
   added assurance of accurate routing information described in Section
   6.  More accurately, these benefits are viewed as being insufficient
   to justify the cost.  This has been largely caused an inability of a
   very major router vendor up until recently to handle prefix lists of
   the size needed to specify routing policy on a per prefix basis.

   Another reason cited is that filtering on a prefix basis in an
   environment where routing registry information is incomplete or
   inaccurate can interfere with connectivity.

   There clearly is a critical mass issue with regard to the use of
   routing registries.  A minority of providers use the existing IRR to
   filter on a per prefix basis.  Another minority of providers do not
   support the IRR and generally fail to register prefixes until
   connectivity problems are reported.  The majority of providers
   register prefixes but do not implement strict prefix filtering.

   Deploying new authentication mechanisms has no adverse consequences.
   This has been proven with Merit's deployment of PGP.

   In deploying new authorization mechanisms, a major issue is dealing
   with existing data of very questionable origin.  A very large number
   of route objects refer to prefixes that have not been announced for
   many years.  Other route objects refer to prefixes that are no longer
   announced with the origin AS that they are registered with (some were
   incorrectly registered to start with).  There are many causes for
   this.

   1. During the transition from the NSFNET PRDB to the RADB a large
      number of prefixes were registered with an origin AS corresponding
      to the border AS at which the NSFNET had once heard the route
      announcements.  The PRDB did not support origin AS, so border AS
      was used.  Many of these routes were no longer in use at the time
      and are now routed with a submitter listed as "nsfnet-
      admin@merit.edu".




Villamizar, et al.          Standards Track                    [Page 33]

RFC 2725             Routing Policy System Security        December 1999


   2. As CIDR was deployed, aggregates replaced previously separately
      announced more specific prefixes.  The route objects for the more
      specific prefixes were never withdrawn from the routing
      registries.

   3. Some prefixes are simply no longer in use.  Some networks have
      been renumbered.  Some network no longer exist.  Often the routing
      registry information is not withdrawn.

   4. As provider AS adjacencies changed and as end customers switched
      providers often the actual origin AS changed.  This was often not
      reflected by a change in the routing registry.

   Inaccuracies will continue to occur due to the reasons above, except
   the first.  The hierarchical authorization provides greater
   accountability.  In the event that the contacts for specific objects
   become unresponsive traversal up the authorization hierarchy should
   help identify the parties having previous provided authorization.
   These contacts may still have sufficient authorization to perform the
   necessary cleanup.  This issue is discussed in Section C.

   A great deal of information is currently missing in the IRR. Quite a
   few AS have no aut-num.  Quite a lot of data has no maintainer and
   the vast majority of maintainers use only the weakest of
   authentication methods.  Very little can be done by the registries to
   correct this.  The defaults in the cases of missing objects needed
   for authorization has to be to make no authentication checks at all.

   The transition can be staged as follows:

   1. Add and make use of stronger authorization models.

   2. Make schema modifications necessary to support delegations.

   3. Add delegation attributes needed for query traversal.
   4. Base query traversal on delegations rather than a search of all
      known registries.

   5. Obtain the cooperation of the address registries for the purpose
      of populating the "inetnum" entries on an ongoing basis.

   6. Add hierarchical authorization support for critical object types,
      "aut-num", "inetnum" and "route".

   7. Add the requirement that database object either be in use or have
      valid contact information and if queries are made by the registry
      a response from a contact indicating that the object serves a
      purpose if it is not clear what its use is.



Villamizar, et al.          Standards Track                    [Page 34]

RFC 2725             Routing Policy System Security        December 1999


   8. Begin to purge data which is clearly not in use and for which
      there is no valid contact information or no response from the
      contacts.

   Deployment of hierarchical authorization requires cooperation among
   the existing routing registries.  New code will have to be deployed.
   In some cases minimal development resources are available and
   substantial inertia exists due to the reliance on the current
   repository and the need to avoid disruption.

   If hierarchical authorization of route objects depends on the
   existence of address registration information, minimal cooperation of
   the currently separate address registries is required.  The extent of
   the cooperation amounts to sending cryptographically signed
   transactions from the address registry to the number registry as
   address allocations are made or providing equivalent access to new
   address allocations.

   Currently most registries return query results from all of the known
   repositories using their mirrored copies.  Cross registry
   authorizations are not yet implemented.  Minimal schema changes have
   to be made to support the ability to delegate objects for which there
   is an authorization hierarchy and to support queries and references
   to other repositories.  In the case of AS delegations, "as-block"
   need to be created solely for the purpose of traversal.

F  Route Object Authorization Pseudocode

   The following list provides a brief review of basic concepts.

   1. The route object submission must satisfy two authentication
      criteria.  It must match the authentication specified in the aut-
      num and the authentication specified in either a route object or
      if no applicable route object is found, then an inetnum.

   2. When checking for prefix authorization, an exact route object
      prefix match is checked for first.  If there is not an exact match
      then a longest prefix match that is less specific than the prefix
      is searched for.  If the route prefix search fails, then a search
      is performed for an inetnum that exactly matches the prefix or for
      the most specific inetnum that is less specific than the route
      object submission.

      The search for an inetnum should never fail but it may return an
      unallocated or reserved range.  The inetnum status must be
      "allocated" and the submission must pass it's maintainer





Villamizar, et al.          Standards Track                    [Page 35]

RFC 2725             Routing Policy System Security        December 1999


      authorization in order to get authorization from an inetnum.  So
      an unallocated or reserved range inetnum will cause the route
      object submission to fail.

   3. A route object must pass authorization from both the referenced
      aut-num object and the route or inetnum object.  Authorization
      shall be tested using the maintainer(s) referenced in the "mnt-
      routes" attribute(s) first.  If that check fails, the "mnt-lower"
      attributes are checked.  If that check fails the "mnt-by"
      attributes are used for the authorization check.

   4. The "reclaim" attribute can appear in inetnum, route and as-block
      objects and provides a means to support address lending. "reclaim"
      gives authorization over more specific objects, regardless of the
      "mnt-by" in the object.  The value of a "reclaim" attribute can be
      a list or set of objects to provide finer grain control.

      The "reclaim" attribute is important to this discussion since it
      affects prefix/origin authentication when a new route object is
      submitted.

      The "no-reclaim" attribute is used to provide explicit exceptions.

   The following pseudocode outlines the algorithm used to check for
   proper authorization of a route object submission.

    Case #1.  Route object add
              (ie, no exact prefix/origin match exists).

    /* first check the aut-num authorization */

    if ( the referenced aut-num object does not exist or
         the aut-num authorization fails )
      authorization fails

    /* next we check for prefix authorization */

    if ( a less specific route(s) with the longest prefix is found ) [
      if ( authorization does not pass for at least one of the less
           specific route(s) )
        authorization fails

    /* now check for a "reclaim" attr */

      if ( the object has a "reclaim" attribute ) [
        if ( no more-specifics exist
             OR a less specific exists which passes
                authorization and has a "reclaim" attribute



Villamizar, et al.          Standards Track                    [Page 36]

RFC 2725             Routing Policy System Security        December 1999


             OR all more specifics routess pass modify authorization )
          authorization passes
        else
          authorization fails
      ] else
        authorization passes
    ]

    /* there are no less specific routes to check for prefix
       authentication, so we need to try and get authorization from an
       inetnum object */

    if ( ( an inetnum is found that is an exact match
           OR is less specific and it's status is "allocated" )
         AND a maintainer referenced by the inetnum
             passes authorization )
      authorization succeeds

    /* if there is no inetnum or route object then then
       authorization fails.  This should never happen if
       the DB is initialized properly. */

    authorization fails.

    Case #2.  Route object modify/delete
              (ie, exact prefix/origin match exists).

    if ( the mnt-by passes authorization )
      authorization succeeds

    /* if the authorization did not pass from the matched object,
       we can still get authorization from a less specific route if it
       has a "reclaim" attribute and we pass authorization */

    if ( a less specific route or inetnum object passes authorization
         AND has a "reclaim" attribute applicable to
             the object to be modified )
      authorization succeeds
    else
      authorization fails

Acknowledgments

   This document draws ideas from numerous discussions and contributions
   of the IETF Routing Policy System Work Group and RIPE Routing Work
   Group.  Earlier drafts of this document listed Carol Orange as a co-
   author.  Carol Orange made contributions to this document while at
   RIPE.



Villamizar, et al.          Standards Track                    [Page 37]

RFC 2725             Routing Policy System Security        December 1999


   Gerald Winters provided the pseudocode in an email message to the
   RIPE dbsec mailing list that was the basis of the pseudocode found in
   appendix F.  Susan Harris provided comments and numerous editorial
   corrections.

Intellectual Property Notice

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights.  Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11.  Copies of
   claims of rights made available for publication and any assurances of
   licenses to be made available, or the result of an attempt made to
   obtain a general license or permission for the use of such
   proprietary rights by implementors or users of this specification can
   be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard.  Please address the information to the IETF Executive
   Director.

References

    [1]  Alaettinoglu, C., Bates, T., Gerich, E., Karrenberg, D., Meyer,
         D., Terpstra M. and C. Villamizar, "Routing Policy
         Specification Language (RPSL)", RFC 2280, January 1998.

    [2]  Bates, T., Gerich, E., Joncheray, L., Jouanigot, J-M.,
         Karrenberg, D., Terpstra, M. and J. Yu, "Representation of IP
         Routing Policies in a Routing Registry (ripe-81++)", RFC 1786,
         March 1995.

    [3]  Berkowitz, H., "Router Renumbering Guide", RFC 2072, January
         1997.

    [4]  Braun, H-W., "Models of policy based routing", RFC 1104, June
         1989.

    [5]  Braun, H-W. and Y. Rekhter, "Advancing the NSFNET routing
         architecture", RFC 1222, May 1991.





Villamizar, et al.          Standards Track                    [Page 38]

RFC 2725             Routing Policy System Security        December 1999


    [6]  Clark, D., "Policy routing in Internet protocols", RFC 1102,
         May 1989.

    [7]  Crocker, D., "Standard for the format of ARPA Internet text
         messages", STD 11, RFC 822, August 1982.

    [8]  Fuller, V., Li, T., Yu, J. and K. Varadhan, "Classless Inter-
         Domain Routing (CIDR): an Address Assignment and Aggregation
         Strategy", RFC 1519, September 1993.

    [9]  Internet Engineering Steering Group and R. Hinden,
         "Applicability Statement for the Implementation of Classless
         Inter-Domain Routing (CIDR)", RFC 1517, September 1993.

   [10]  Hawkinson, J. and T. Bates, "Guidelines for creation,
         selection, and registration of an Autonomous System (AS)", RFC
         1930, March 1996.

   [11]  Hubbard, K., Kosters, M., Conrad, D., Karrenberg, D. and J.
         Postel, "Internet Registry IP Allocation Guidelines", BCP 12,
         RFC 2050, November 1996.

   [12]  Knopper, M.  and S. Richardson, "Aggregation Support in the
         NSFNET Policy-Based Routing Database", RFC 1482, June 1993.

   [13]  Meyer, D., Prior, M., Alaettinoglu, C., Schmitz, J. and Carol
         Orange, "Using RPSL in Practice", RFC 2650, August 1999.

   [14]  Rekhter, Y., "Routing in a Multi-provider Internet", RFC 1787,
         April 1995.

   [15]  Rekhter Y. and T. Li, "An Architecture for IP Address
         Allocation with CIDR", RFC 1518, September 1993.

   [16]  Rekhter Y. and T. Li, "Implications of Various Address
         Allocation Policies for Internet Routing", RFC 2008, October
         1996.

   [17]  Rekhter, Y., Lothberg, P., Hinden, R., Deering, S. and J.
         Postel, "An IPv6 Provider-Based Unicast Address Format", RFC
         2073, January 1997.

   [18]  Zsako, J., "PGP Authentication for RIPE Database Updates", RFC
         2726, December 1999.







Villamizar, et al.          Standards Track                    [Page 39]

RFC 2725             Routing Policy System Security        December 1999


Security Considerations

   This document primarily addresses authorization rules for making
   additions, deletions, and changes to routing policy information
   repositories.  The authentication of these transactions through
   strong cryptographic means are addressed by [18], referenced
   thorughout this document.  The authorization rules are designed such
   that the integrity of any transaction can be verified independently
   by any party mirroring a repository to insure that rules are adhered
   to.  To accomplish this the mirror must contain data already known to
   be properly authorized.  In other words, the mirror must be complete
   and authentication and authorization checks must be made continuously
   as changes to the repository are recieved and processed in order.

   Authentication alone does not provide a complete security model.
   Current practice specifies authorization for deletions and changes
   only, not for additions.  The authorization rules provide here
   complete the security model for additions, deletions, and changes by
   very explicitly defining rules for addition and clarifying procedures
   for handling exception cases such as organizations which have ceased
   to exist and therefore become entirely unresponsive.

   Authentication and authorization of queries is explicitly stated to
   be out of scope of this document.

Authors' Addresses

   Curtis Villamizar
   Avici Systems
   EMail: curtis@avici.com


   Cengiz Alaettinoglu
   ISI
   EMail: cengiz@ISI.EDU


   David M. Meyer
   Cisco
   EMail: dmm@cisco.com


   Sandy Murphy
   Trusted Information Systems
   EMail: sandy@tis.com






Villamizar, et al.          Standards Track                    [Page 40]

RFC 2725             Routing Policy System Security        December 1999


Full Copyright Statement

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.



















Villamizar, et al.          Standards Track                    [Page 41]