Brian Trammell, CERT
CERT's Network Situational Awareness group uses data from the regional
registries' allocation databases to supplement the analysis of network
security incident data. The aim of this effort is to build a single
allocation tree view of the IPv4 address space so that events may be
aggregated by source and destination network. We are building a tool
chain to automate the preparation of RIR data for this purpose. This
presentation addresses the techniques used by these tools, including:
- Detection and resolution of conflicting information between
  registries.
- Detection and correction of "eroded" ranges in reassignment records
  (e.g., a reassigned /24 appearing as the range x.y.z.(0,1) -
  x.y.z.(254,255), which causes problems with our CIDR block-centric view
  of the world).
- Detection (and, if possible, correction) of errors in the allocation
  data, including:
  - corrupted record metadata (modification dates, etc.)
  - corrupted ranges (clear errors in allocations; e.g., a reassigned
    /29 appearing as x.y.z.0 - x.y.z+1.7)
  - range hierarchy "inversions" (a range that overlaps another such
    that a.start < b.start < a.end < b.end; indicative of a stale record
    or a corrupted range)
Work to date suggests that automated tools will be able to correct all
but a handful of irregularities in the source data. A process for
reporting these irregularities back to the regional registries for
correction or clarification may also be of some use to the Internet
community at large.
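The range checks listed above can be sketched as follows. This is an added example, not code from the CERT tool chain; the function names, the one-address slack (taken from the (0,1)/(254,255) example) and the sample records are assumptions.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def covering_block(s, e):
    """Smallest CIDR block containing the inclusive integer range [s, e]."""
    prefix = 32 - (s ^ e).bit_length()
    shift = 32 - prefix
    return ipaddress.IPv4Network(((s >> shift) << shift, prefix))

def classify(start, end, slack=1):
    """Return ('cidr' | 'eroded' | 'irregular', block or None) for one record.
    slack is an assumption: how many addresses may be missing at each end."""
    s, e = to_int(start), to_int(end)
    if s > e:
        return ("irregular", None)
    block = covering_block(s, e)
    lo, hi = int(block.network_address), int(block.broadcast_address)
    if (s, e) == (lo, hi):
        return ("cidr", block)
    if s - lo <= slack and hi - e <= slack:
        return ("eroded", block)       # candidate for snapping to the block
    return ("irregular", None)         # e.g. x.y.z.0 - x.y.z+1.7

def inversions(ranges):
    """Pairs (a, b) with a.start < b.start < a.end < b.end."""
    ivs = sorted((to_int(s), to_int(e), (s, e)) for s, e in ranges)
    found = []
    for i, (a_start, a_end, a) in enumerate(ivs):
        for b_start, b_end, b in ivs[i + 1:]:
            if b_start >= a_end:       # sorted by start: nothing later overlaps a
                break
            if a_start < b_start and a_end < b_end:
                found.append((a, b))
    return found

# Constructed sample records (documentation address space), not registry data.
SAMPLE = [
    ("192.0.2.1", "192.0.2.254"),        # eroded /24
    ("192.0.2.0", "192.0.3.7"),          # corrupted /29
    ("198.51.100.0", "198.51.100.63"),   # properly nested
    ("198.51.100.0", "198.51.100.127"),
    ("198.51.100.64", "198.51.100.255"), # overlaps the previous record
]

if __name__ == "__main__":
    for start, end in SAMPLE:
        print(start, end, *classify(start, end))
    print(inversions(SAMPLE))
```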
About the Presenter
Brian Trammell is a Member of the Technical Staff on the CERT
Network Situational Awareness team in Pittsburgh, Pennsylvania. His
current work includes the design and implementation of network security
data collection and analysis tools. Brian holds a B.S. in Computer
Science from the Georgia Institute of Technology.