Ripe NCC introduces IP certification

Organisations will be able to get certificates for IP address blocks, which Ripe NCC says will cut down on incidents where internet traffic is badly routed around the world
Written by Tom Espiner, Contributor

Global internet disruption caused by traffic misrouting will be cut down by certification of IP address blocks, according to one of the organisations at the heart of the internet.

Ripe NCC, which is one of the five regional internet registries, has launched a voluntary cryptographic certificate. Organisations can use the certificate to show that a resource such as an IP address block has been officially registered with Ripe NCC.

"This allows organisations to automate [routing] checks," Ripe NCC chief operations officer Andrew de la Haye told ZDNet UK on Wednesday. "It's a natural evolution of the internet."

De la Haye said that incidents such as China Telecom rerouting traffic for 15 percent of the world's internet destinations, and Pakistan Telecom shutting down YouTube worldwide in 2008, would be lessened by certification.

Both rerouting incidents occurred because major ISPs incorrectly advertised themselves as the best route for packets. BGP (Border Gateway Protocol), one of the major internet routing protocols, finds the most efficient routes for internet traffic based on information supplied by ISPs. ISPs can announce BGP routes, which then ripple out to other ISPs. Certification of IP blocks would enable ISPs to check automatically whether advertised traffic routes were correct, said de la Haye.
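The automated check described above can be sketched as follows. This is an added example, not code from the article or from Ripe NCC. It assumes the certified blocks have already been cryptographically verified and that each is paired with the AS number its holder authorises to originate it; the function names, prefixes and AS numbers are constructed for illustration.

```python
import ipaddress

# Constructed sample data: documentation prefixes and documentation AS numbers.
# Pairing each certified block with one authorised origin AS is an assumption
# of this example; the article does not describe that mapping.
CERTIFIED = [
    ("192.0.2.0/24", 64496),
    ("198.51.100.0/24", 64497),
    ("2001:db8::/32", 64498),
]

def build_table(entries):
    """Parse (prefix, asn) pairs into (ip_network, asn) tuples."""
    return [(ipaddress.ip_network(p), asn) for p, asn in entries]

def check_announcement(table, prefix, origin_asn):
    """Classify an announced route as 'valid', 'invalid' or 'unknown'.

    valid:   the prefix lies inside a certified block whose authorised AS
             matches the announcing origin (simplification: any more-specific
             prefix from the authorised AS is accepted)
    invalid: the prefix lies inside certified space, but no covering block
             authorises this origin
    unknown: no certified block covers the prefix
    """
    announced = ipaddress.ip_network(prefix)
    covered = False
    for block, asn in table:
        # subnet_of() raises TypeError across IPv4/IPv6, so skip mismatches.
        if announced.version != block.version:
            continue
        if announced.subnet_of(block):
            covered = True
            if asn == origin_asn:
                return "valid"
    return "invalid" if covered else "unknown"

if __name__ == "__main__":
    table = build_table(CERTIFIED)
    # Constructed announcements, as a router might receive them from a peer.
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.128/25", 64511),
                        ("203.0.113.0/24", 64496)]:
        print(prefix, "AS%d" % asn, check_announcement(table, prefix, asn))
```

An operator would typically reject or deprioritise routes classified as invalid while still accepting unknown ones, since certification is voluntary and most address space will not be covered at first.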

"[Certification] is a transparent way to check who the holder of an IP resource is," said de la Haye.

The technology is based on a Public Key Infrastructure (PKI) developed by Ripe NCC using open standards and open-source components, said de la Haye. Ripe NCC used standards such as RFC 5280 to define an X.509 PKI, he added.

Malicious hands
Ripe NCC is in the process of developing a model that would allow larger ISPs to be certificate-issuing authorities.

"It needs some investment, but we can let organisations run their own [certificate-issuing] systems," said de la Haye.

Certification will not help the issue of IP address blocks being used by rogue ISPs to host criminal systems such as botnet command and control servers, said de la Haye.

"It's difficult to prevent IP resources falling into malicious hands," he said. "[Certification] is not a top-down mechanism, it will not change that."
