Software Engineering Institute | Carnegie Mellon University

Presentation

Preparing RIR Allocation Data for Network Security Analysis Tasks

  • May 2004
  • By Brian Trammell
  • In this presentation, Brian Trammell describes techniques used by NetSA tools designed to automate the preparation of RIR data to analyze incident data.
  • Network Situational Awareness
  • Publisher: Software Engineering Institute
  • Abstract

    CERT's Network Situational Awareness group uses data from the regional registries' allocation databases to supplement the analysis of network security incident data. The aim of this effort is to build a single allocation tree view of the IPv4 address space so that events may be aggregated by source and destination network. We are building a tool chain to automate the preparation of RIR data for this purpose. This presentation addresses the techniques used by these tools, including

    • Detection and resolution of conflicting information between registries.
    • Detection and correction of "eroded" ranges in reassignment records (e.g., a reassigned /24 appearing as the range x.y.z.(0,1) - x.y.z.(254,255), which causes problems with our CIDR block-centric view of the world).
    • Detection (and, if possible, correction) of errors in the allocation data, including:
      • corrupted record metadata (modification dates, etc.)
      • corrupted ranges (clear errors in allocations, e.g., a reassigned /29 appearing as x.y.z.0 - x.y.z+1.7)
      • range hierarchy "inversions" (a range that overlaps another such that a.start < b.start < a.end < b.end; indicative of a stale record or a corrupted range)
    Work to date suggests that automated tools will be able to correct all but a handful of irregularities in the source data. A process for reporting these irregularities back to the regional registries for correction or clarification may also be of some use to the Internet community at large.
  • Slides
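
The range checks listed in the abstract can be sketched as follows. This is an added example, not code from the presentation or the NetSA tool chain: the function names, the one-address `slack` tolerance for eroded edges, and the sample records (built from documentation prefixes) are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample records (start, end), inclusive; not real registry data.
RECORDS = [
    ("192.0.2.1", "192.0.2.254"),         # eroded /24
    ("198.51.100.0", "198.51.100.255"),   # clean /24
    ("203.0.113.0", "203.0.114.7"),       # corrupted: /29 ending in the next /24
    ("198.51.100.64", "198.51.101.63"),   # straddles the end of the clean /24
]

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def as_cidr(start, end):
    """Return the network exactly covering [start, end], or None."""
    size = end - start + 1
    if start < 0 or end >= 2**32 or size <= 0 or size & (size - 1) or start % size:
        return None
    return ipaddress.IPv4Network((start, 33 - size.bit_length()))

def repair_eroded(start, end, slack=1):
    """Widen each edge by up to `slack` addresses (assumed tolerance) to reach
    one CIDR block. Returns (network, was_eroded), or (None, False)."""
    for ds in range(slack + 1):
        for de in range(slack + 1):
            net = as_cidr(start - ds, end + de)
            if net is not None:
                return net, bool(ds or de)
    return None, False

def find_inversions(ranges):
    """Pairs with a.start < b.start < a.end < b.end (O(n^2), fine for a demo)."""
    return [(a, b) for a, b in combinations(sorted(ranges), 2)
            if a[0] < b[0] < a[1] < b[1]]

def classify(records):
    ints = [(to_int(s), to_int(e)) for s, e in records]
    report = {"clean": [], "repaired": [], "unrepairable": []}
    for (s, e), rec in zip(ints, records):
        net, eroded = repair_eroded(s, e)
        key = "unrepairable" if net is None else "repaired" if eroded else "clean"
        report[key].append(rec if net is None else str(net))
    report["inversions"] = find_inversions(ints)
    return report

if __name__ == "__main__":
    for key, value in classify(RECORDS).items():
        print(key, value)
```

Records that land in `unrepairable` or `inversions` are the ones that cannot be snapped to a CIDR block automatically and would need manual review.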