
Preparing RIR Allocation Data for Network Security Analysis Tasks

May 2004 Presentation
Brian Trammell

In this presentation, Brian Trammell describes techniques used by NetSA tools designed to automate the preparation of RIR data to analyze incident data.


Software Engineering Institute


CERT's Network Situational Awareness group uses data from the regional registries' allocation databases to supplement the analysis of network security incident data. The aim of this effort is to build a single allocation tree view of the IPv4 address space so that events may be aggregated by source and destination network. We are building a tool chain to automate the preparation of RIR data for this purpose. This presentation addresses the techniques used by these tools, including:

  • Detection and resolution of conflicting information between registries.
  • Detection and correction of "eroded" ranges in reassignment records (e.g., a reassigned /24 appearing as the range x.y.z.(0,1) - x.y.z.(254,255), which causes problems with our CIDR block-centric view of the world).
  • Detection (and, if possible, correction) of errors in the allocation data, including:
    • corrupted record metadata (modification dates, etc.)
    • corrupted ranges (clear errors in allocations, e.g., a reassigned /29 appearing as x.y.z.0 - x.y.z+1.7)
    • range hierarchy "inversions" (a range that overlaps another such that a.start < b.start < a.end < b.end; indicative of a stale record or a corrupted range)
Work to date suggests that automated tools will be able to correct all but a handful of irregularities in the source data. A process for reporting these irregularities back to the regional registries for correction or clarification may also be of some use to the Internet community at large.
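
The eroded-range and inversion checks listed above can be sketched as follows. This is an added example, not code from the NetSA tool chain; the function names, the one-address erosion tolerance, and the sample records are assumptions made for illustration.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def classify_range(start, end):
    """Classify an inclusive range as 'exact', 'eroded' or 'irregular'.

    Returns (label, network); network is None for 'irregular'.
    """
    s, e = to_int(start), to_int(end)
    if s > e:
        return "irregular", None
    # Smallest CIDR block containing both endpoints: their common prefix.
    plen = 32 - (s ^ e).bit_length()
    size = 1 << (32 - plen)
    base = s & ~(size - 1)
    last = base + size - 1
    net = ipaddress.IPv4Network((base, plen))
    if s == base and e == last:
        return "exact", net
    # Assumed tolerance: at most one address missing at each end, as in the
    # x.y.z.(0,1) - x.y.z.(254,255) pattern. Such ranges snap back to the block.
    if s - base <= 1 and last - e <= 1:
        return "eroded", net
    return "irregular", None

def find_inversions(ranges):
    """Return (a, b) pairs with a.start < b.start < a.end < b.end."""
    spans = sorted((to_int(s), to_int(e), (s, e)) for s, e in ranges)
    found = []
    for i, (a_start, a_end, a) in enumerate(spans):
        for b_start, b_end, b in spans[i + 1:]:
            if b_start >= a_end:
                break  # sorted by start: nothing later can begin inside a
            if a_start < b_start and a_end < b_end:
                found.append((a, b))
    return found

# Constructed sample records (documentation address space, not registry data).
SAMPLE = [
    ("192.0.2.0", "192.0.2.255"),       # clean /24
    ("198.51.100.1", "198.51.100.254"), # eroded /24
    ("203.0.113.0", "203.0.114.7"),     # corrupted /29 spilling into next /24
]

if __name__ == "__main__":
    for start, end in SAMPLE:
        print(start, end, *classify_range(start, end))
```

Ranges labelled irregular are the ones an automated pass cannot safely rewrite and that would go to manual review or be reported back to the registry.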