nanog mailing list archives
Re: ARIN IRR Authentication (was: Re: AltDB?)
From: Jeff Wheeler <jsw () inconcepts biz>
Date: Sat, 29 Jan 2011 22:50:05 -0500
On Thu, Jan 27, 2011 at 10:00 PM, John Curran <jcurran () arin net> wrote:
> Based on the ARIN's IRR authentication thread a couple of weeks ago, there were suggestions placed into ARIN's ACSP process for changes to ARIN's IRR system. ARIN has looked at the integration issues involved and has scheduled an upgrade to the IRR system that will accept PGP and CRYPT-PW authentication as well as implementing notification support for both the mnt-nfy and notify fields by the end of August 2011.
I'm glad to see that a decision was made to improve the ARIN IRR, rather than stick to status-quo or abandon it. However, this response is essentially what most folks I spoke with off-list imagined: You have an immediate operational security problem which could cause service impact to ARIN members and others relying on the ARIN IRR database, and fixing it by allowing passwords or PGP to be used is not very hard.

As I have stated on this list, I believe ARIN is not organizationally capable of handling operational issues. This should make everyone very worried about any ARIN involvement in RPKI, or anything else that could possibly have short-term operational impact on networks. Your plan to fix the very simple IRR problem within eight months is a very clear demonstration that I am correct.

How did you arrive at the eight month time-frame to complete this project?

Can you provide more detail on what CRYPT-PW hash algorithm(s) will be supported? Specifically, the traditional DES crypt(3) is functionally obsolete, and its entire key-space can be brute-forced within a few days on one modern desktop PC.

Will you follow the practice established by several other IRR databases (including MERIT RADB) and avoid exposing the hashes by way of whois output and IRR database dumps?

If PGP is causing your delay, why don't you address the urgent problem of supporting no authentication mechanism at all first, and allow CRYPT-PW (perhaps with a useful hash algorithm) and then spend the remaining 7.9 months on PGP?

The plan and schedule you have announced is indefensible for an operational security issue.

--
Jeff S Wheeler <jsw () inconcepts biz>
Sr Network Operator / Innovative Network Concepts
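Added example, not part of the original message or of any IRR operator's code: a small audit that reads `mntner` objects from an IRR dump and reports which maintainers publish a traditional DES crypt(3) hash, which have it filtered out, and which have no cryptographic authentication. The maintainer names and the hash are constructed, and treating `HIDDENCRYPTPW` as the filter placeholder is an assumption about how a database masks hashes.

```python
import re

# Constructed sample in RPSL mntner form; names and hash value are made up.
SAMPLE_DUMP = """\
mntner:  MAINT-EXAMPLE-A
auth:    CRYPT-PW abJnggxhB/yJk
auth:    PGPKEY-0123ABCD

mntner:  MAINT-EXAMPLE-B
auth:    MAIL-FROM noc@example.net

mntner:  MAINT-EXAMPLE-C
auth:    CRYPT-PW HIDDENCRYPTPW
"""

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")  # 2 salt chars + 11 hash chars
PLACEHOLDERS = {"HIDDENCRYPTPW"}  # assumed mask; itself 13 chars, so test it first

def classify_auth(value):
    """Map the value of one RPSL auth: attribute to a finding label."""
    scheme, _, arg = value.strip().partition(" ")
    scheme, arg = scheme.upper(), arg.strip()
    if scheme in ("NONE", "MAIL-FROM"):
        return "no-cryptographic-auth"
    if scheme.startswith("PGPKEY-"):
        return "pgp"
    if scheme == "CRYPT-PW":
        if arg in PLACEHOLDERS:
            return "crypt-pw-hash-filtered"
        # Anything that is not a 13-char traditional hash is left for manual review.
        return "des-crypt-hash-exposed" if DES_CRYPT.match(arg) else "crypt-pw-unrecognised"
    return "unknown-scheme"

def audit(dump):
    """Return {mntner name: [finding, ...]} for each mntner object in the dump."""
    report = {}
    for obj in re.split(r"\n\s*\n", dump.strip()):  # objects are blank-line separated
        attrs = [line.partition(":") for line in obj.splitlines() if ":" in line]
        attrs = [(k.strip().lower(), v.split("#")[0]) for k, _, v in attrs]
        if attrs and attrs[0][0] == "mntner":
            report[attrs[0][1].strip()] = [classify_auth(v) for k, v in attrs if k == "auth"]
    return report

def exposed(report):
    """Maintainers whose published hash can be guessed against offline."""
    return sorted(m for m, f in report.items() if "des-crypt-hash-exposed" in f)
```

A maintainer with both an exposed DES hash and a PGP key is still reported as exposed, because any one listed `auth:` method is enough to authorize a change.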