Hello IntelMQ-Users,
if you are responsible for dealing only with reports for a country and base your decisions on the RIPE database, how do you deal with more specific CIDRs that are from a different country, but lie within a CIDR that belongs to yours?
See more details of the problem as seen from the RIPE importer that the intelmq-cb-mailgen solution uses: https://github.com/Intevation/intelmq-certbund-contact/issues/13
(Feel free to answer here or in the issue or personally.)
Thanks in advance, Bernhard
Dear Bernhard,
On 2/11/21 11:10 AM, Bernhard Reiter wrote:
if you are responsible for dealing only with reports for a country
The scope "for a country" is unfortunately not as clear as it may sound. Organizations in a country can have (some) resources (domains, IP addresses) in other countries, but are still part of your constituency. This becomes especially important with organizations moving to the cloud.
For example, the Austrian company OMV has the domain omv.com and the IP address behind it is located in Canada. Still, the company is part of our[0] constituency.
and base your decisions on the RIPE database, how do you deal with more specific CIDRs that are from a different country, but lie within a CIDR that belongs to yours?
In general, most specific wins. That's what the entry in RIPE is for. If there are other indications that the organization in a different country needs to be contacted, for example because the .at TLD is used, we send the reports to foreign organizations as well.
But: If in doubt, better send out more reports rather than too few.
We (as CERT.at, not IntelMQ) have also received a feature request once that an upstream provider wants to receive copies of the reports that a sub-provider (which has its own RIPE entries) receives. However, we haven't implemented that yet.
Best regards, Sebastian
[0] To be more specific: the constituency of the Austrian Energy CERT
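One way to implement the "most specific wins" rule described above, together with the "rather more reports than too few" fallback, over RIPE-style country data. This is an added example, not code from the thread or from intelmq-certbund-contact; the prefix table is constructed sample data.

```python
import ipaddress

# Constructed sample of RIPE-style (prefix, country) assignments.
# The /24 inside the AT /16 is registered to DE, and a /26 inside that
# /24 is delegated back to AT: the nested-CIDR case asked about above.
SAMPLE_ENTRIES = [
    ("10.0.0.0/8", "AT"),
    ("10.1.0.0/16", "AT"),
    ("10.1.2.0/24", "DE"),
    ("10.1.2.0/26", "AT"),
]


def build_table(entries):
    """Parse prefixes and order them longest-prefix first."""
    parsed = [(ipaddress.ip_network(p), cc) for p, cc in entries]
    return sorted(parsed, key=lambda e: e[0].prefixlen, reverse=True)


def matching_entries(table, ip):
    """All blocks covering ip, most specific first (empty if unknown)."""
    addr = ipaddress.ip_address(ip)
    return [(net, cc) for net, cc in table if addr in net]


def responsible_country(table, ip):
    """Strict rule: the most specific RIPE entry decides."""
    matches = matching_entries(table, ip)
    return matches[0][1] if matches else None


def covering_countries(table, ip):
    """Every country along the chain of covering blocks, most specific
    first, de-duplicated. Used for the 'send more rather than too few'
    policy: all of these could plausibly want the report."""
    seen = []
    for _, cc in matching_entries(table, ip):
        if cc not in seen:
            seen.append(cc)
    return seen


def in_constituency(table, ip, own_cc, policy="strict"):
    """strict: only the most specific entry counts.
    inclusive: any covering block registered to own_cc counts."""
    if policy == "strict":
        return responsible_country(table, ip) == own_cc
    return own_cc in covering_countries(table, ip)
```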
Hi Bernhard,
well, this is one of the things where the national boundary definitions don't really match the definitions of the internet. I have come across this problem many times.
Ultimately you will end up with a list of net blocks (or even individual IP addresses) which are somehow assigned to a country, or, to put it more clearly, which are "your constituency" (the systems you are responsible for as a CERT).
Example: Embassies in other countries. Still relevant to a national CERT.
Hope it helped somewhat.
Best, a.
On 11.02.2021, at 11:10, Bernhard Reiter bernhard@intevation.de wrote: