Dear Bernhard,
On 2/11/21 11:10 AM, Bernhard Reiter wrote:
> if you are responsible to only deal with reports for a country
The scope "for a country" is unfortunately not as clear as it may sound. Organizations in a country can have (some) resources (domains, IP addresses) in other countries, but are still part of your constituency. This becomes especially important with organizations moving to the cloud.
For example, the Austrian company OMV has the domain omv.com, and the IP address behind it is located in Canada. Still, the company is part of our[0] constituency.
> and base your decisions on the RIPE database, how do you deal with more specific CIDRs that are from a different country, but within a CIDR that belongs to yours?
In general, most specific wins. That's what the entry in RIPE is for. If there are other indications that the organization in a different country needs to be contacted, for example because the .at TLD is used, we send the reports to foreign organizations as well.
But: If in doubt, better send out more reports rather than too few.
We (as CERT.at, not IntelMQ) have also once received the feature request that an upstream provider wants to receive copies of the reports a sub-provider (who has its own RIPE entries) receives. However, we haven't implemented that yet.
best regards,
Sebastian
[0] to be more specific: the constituency of the Austrian Energy CERT
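The "most specific wins" rule plus the TLD indicator described above, written out as an added example. This is not IntelMQ or CERT.at code; the prefix table uses constructed RFC 5737 documentation ranges standing in for RIPE inetnum data, and the `constituency_domains` parameter is a hypothetical stand-in for whatever knowledge a CERT has about its own constituents (such as the OMV case), which the thread does not spell out.

```python
import ipaddress

# Constructed sample table shaped like RIPE inetnum data (prefix -> country code).
# These are RFC 5737 documentation ranges, not real allocations (assumption for the example).
SAMPLE_PREFIXES = [
    ("203.0.113.0/24", "AT"),    # parent allocation, Austrian holder
    ("203.0.113.64/26", "DE"),   # more specific sub-allocation, German holder
    ("198.51.100.0/24", "CA"),   # Canadian hosting range
]


def build_table(entries):
    """Parse (prefix, country) pairs into (ip_network, country) tuples."""
    return [(ipaddress.ip_network(prefix, strict=True), country)
            for prefix, country in entries]


TABLE = build_table(SAMPLE_PREFIXES)


def most_specific_country(ip, table=TABLE):
    """Return the country of the longest prefix containing ip, or None if no entry matches.

    Overlapping entries resolve to the most specific one, which is what
    the more specific RIPE entry exists for.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for net, country in table:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, country)
    return best[1] if best else None


def report_recipients(ip, domain=None, table=TABLE, home_country="AT",
                      home_tld=".at", constituency_domains=frozenset()):
    """Return the sorted list of country codes whose CERT should get a report.

    The prefix-derived country is always included. The home country is added
    on top when another indicator points there (the home ccTLD, or a domain
    known to belong to a constituent), so doubtful cases fan out to more
    recipients rather than fewer.
    """
    recipients = set()
    by_prefix = most_specific_country(ip, table)
    if by_prefix is not None:
        recipients.add(by_prefix)
    if domain:
        name = domain.lower().rstrip(".")
        if name.endswith(home_tld) or name in constituency_domains:
            recipients.add(home_country)
    return sorted(recipients)


if __name__ == "__main__":
    # An IP in the German /26 carved out of the Austrian /24, with an .at domain:
    # the German entry wins on the prefix, and the .at TLD adds Austria as well.
    print(report_recipients("203.0.113.70", "firma.at"))
    # A Canadian-hosted IP for a domain listed as an Austrian constituent.
    print(report_recipients("198.51.100.5", "omv.com",
                            constituency_domains={"omv.com"}))
```

Keeping the prefix lookup and the indicator logic apart makes it easy to add further indicators later (for example the upstream-provider copy mentioned above) without touching the longest-prefix resolution.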