Index
- Introduction
- What is an IRT object?
- Importance of associating IRT objects
- RedIRIS policy on IRT objects
- Requirements and compliance
- Annex: Consultation and documentation of IRT objects
Introduction
As a National Research and Academic Network (NREN), RedIRIS plays a fundamental role in guaranteeing not only the connectivity and operability of the network, but also its security and incident response capacity. In this context, a mandatory policy is established that requires that every IP range routed through RedIRIS has an IRT (Incident Response Team) object duly defined in the RIPE database.
This measure aims to strengthen cybersecurity incident response capacity, ensure effective communication between response teams, and comply with international best practices.
What is an IRT object?
An IRT (Incident Response Team) object in the RIPE database allows you to document the security points of contact associated with an IP range. This object provides information on how to contact the security team (CSIRT, CERT or SOC) of the organization that manages that address space.
The IRT object may include:
- Abuse and security contact emails (abuse-mailbox).
- Emergency contact phones or emails
- Authentication and access methods
- Notes or remarks about the response team
- PGP key information that can be used for contact.
Importance of associating IRT objects
The presence of an IRT object linked to each IP range allows:
- Quick and effective response to security incidents
- Clear identification of the person responsible for the IP range
- Better collaboration between academic organizations and operators
- Compliance with best practices recommended by RIPE and other organizations.
RedIRIS policy on IRT objects
Every IP range announced by RedIRIS must have a valid IRT object assigned to it in the RIPE database. This IRT object can be the RedIRIS IRT object, that of the regional network it serves or that of the institution itself.
1. IP ranges managed by RedIRIS as LIRs
All IP ranges assigned directly to RedIRIS as LIR will have by default a general IRT object associated with them, which will act as the last point of contact. This object does not include a specific security contact, but guarantees an available institutional channel.
Additionally, in all those ranges not assigned to affiliated institutions, the specific RedIRIS IRT object will be assigned.
2. IP ranges managed by RedIRIS and assigned to a connected institution
By default these institutions will be linked to the specific RedIRIS IRT object, unless the institution requests and manages its own IRT object and wants to link it.
3. IP ranges owned by institutions connected to RedIRIS
For institutions with their own IP ranges (requested from RIPE but routed by RedIRIS), two options are established:
- Define their own IRT object, if they have an institutional CSIRT/CERT/SOC.
- Use the specific RedIRIS IRT object as contact CSIRT.
4. IP ranges of institutions affiliated and not routed by RedIRIS
Institutions with IP ranges that are not routed by RedIRIS and that have that range assigned in RIPE may request that the specific RedIRIS IRT object be associated with these ranges for notification management.
In all cases, the IRT object must be associated to the range by means of the mnt-irt attribute in the RIPE database.
Requirements and compliance
RedIRIS will check that all routed IP ranges have an IRT object assigned to them. Institutions will be notified so that in coordination with RedIRIS the corresponding IRT object can be defined.
Annex: Consultation and documentation of IRT objects
How to query the IRT object of an IP range?
You can use the RIPE WHOIS tool:
whois -h whois.ripe.net <IP_RANGE>
Or use the web browser:
https://apps.db.ripe.net/db-web-ui/query
Search for the mnt-irt attribute in the output:
mnt-irt: IRT-EXAMPLE
You can then query that object directly:
whois -h whois.ripe.net IRT-EXAMPLE
Typical contents of an IRT object
- irt: object name
- address, phone, e-mail: basic contact
- abuse-mailbox: email for abuse reports
- auth: authentication (PGP, MD5, etc.)
- mnt-by, mnt-irt: authorized maintainers
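The check described above (look for mnt-irt in the WHOIS output), as an added example that is not RedIRIS tooling: it parses text in the layout printed by whois -h whois.ripe.net <IP_RANGE> and lists which address ranges carry an mnt-irt attribute and which do not. The sample output is constructed (documentation prefixes, placeholder handles), and the function names parse_rpsl and audit_irt are hypothetical.

```python
SAMPLE_WHOIS = """\
% Constructed sample in RIPE WHOIS layout (documentation prefixes, not real data)

inetnum:        192.0.2.0 - 192.0.2.255
descr:          Example institution
                second description line
mnt-by:         EXAMPLE-MNT
mnt-irt:        IRT-EXAMPLE
source:         RIPE

inetnum:        198.51.100.0 - 198.51.100.255
mnt-by:         EXAMPLE-MNT
source:         RIPE

irt:            IRT-EXAMPLE
source:         RIPE
"""

def parse_rpsl(text):
    """Split WHOIS output into objects, each a list of (attribute, value)."""
    objects, current = [], []
    for line in text.splitlines() + [""]:       # trailing "" flushes last object
        if line.startswith("%"):                # server comment line
            continue
        if not line.strip():                    # blank line ends an object
            if current:
                objects.append(current)
            current = []
        elif line[0] in " \t+" and current:     # continuation of previous value
            attr, value = current[-1]
            current[-1] = (attr, f"{value} {line[1:].strip()}".strip())
        elif ":" in line:                       # split on first colon only (IPv6-safe)
            attr, value = line.split(":", 1)
            current.append((attr.strip().lower(), value.strip()))
    return objects

def audit_irt(text):
    """Map each inetnum/inet6num to its mnt-irt handles (empty list = none set)."""
    report = {}
    for obj in parse_rpsl(text):
        kind, key = obj[0]                      # first attribute names the object
        if kind in ("inetnum", "inet6num"):
            report[key] = [v.split("#")[0].strip().upper()
                           for a, v in obj if a == "mnt-irt"]
    return report

if __name__ == "__main__":
    for rng, irts in audit_irt(SAMPLE_WHOIS).items():
        print(rng, "->", ", ".join(irts) or "NO mnt-irt: not compliant")
```

A range mapped to an empty list is one that still needs an IRT object linked through mnt-irt.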
IRT objects in use in RedIRIS
- IRT-IRISCERT
- Contact information for IRISCERT service to affiliated institutions
- IRT-IRIS-CERT
- IRT object that refers to the RedIRIS backbone and RedIRIS as a hub; this object is "managed" by Trusted Introducer for now.
- IRT-IRIS
- "Old" IRT object for the management of security notifications by INTECO/INCIBE; for now it is maintained, although it will disappear when the service is completely taken over.
Official documentation
This policy reinforces the responsible management of IP resources and the ability of RedIRIS and its affiliated institutions to deal with cybersecurity incidents. RedIRIS will encourage the implementation of IRT objects, providing assistance and follow-up so that all IP ranges have a clear and accessible security point of contact.