On Wed, Dec 3, 2025 at 14:51 Randy Bush <[email protected]> wrote:

> hi paul,
>
> > > To minimize the load on RIRs' WHOIS [RFC3912] services, the
> > > RIR's FTP [RFC0959] services SHOULD be used for large-scale
> > > access to gather
> >
> > I can't really ignore the fact that unsigned data is urged to be
> > transferred in the clear possibly (likely?) without authentication.
>
> yup. but, as was discussed in LC, that is traditionally how the RIRs
> provided bulk access. as you say, they are heading for rdap, which is
> over https.

ARIN announced early this year that it has retired the use of the FTP protocol. https://www.arin.net/announcements/20250331/

> > Does this contradict this earlier statement?
> >
> > > This document provides a guideline for how interested parties
> > > should fetch and read prefixlen files. To minimize the load on
> > > RIRs' WHOIS [RFC3912] services, the RIR's FTP [RFC0959]
> > > services SHOULD be used for large-scale access to gather
> > > inetnum: instances with prefixlen references.
> >
> > Either this contradicts, or if the FTP fetch is to fetch data points
> > that point to where to fetch prefixlen files, then an attacker can
> > still fetch the prefixlen files over HTTPS, filter the signature(s),
> > modify what it wants, then serve this over their own HTTPS server by
> > updating the FTP fetch stream as MITM to point to its own HTTPS
> > server?
>
> yes. but today, FTP is the service which works for all RIRs. until
> that changes, the consequences of a weak protocol are inevitable.
>
> otoh, your attack, though possible, is a bit complex. i have no
> objection if you think it should be added to sec cons.
>
> randy

===============================================
David Farmer               Email: [email protected]
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE     Phone: 612-626-0815
Minneapolis, MN 55414-3029 Cell: 612-812-9952
===============================================
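The threat discussed in the thread is that the pointer to a prefixlen file arrives over an unauthenticated channel (bulk FTP), so an attacker in the path can redirect the consumer to a host it controls and serve a modified, signature-stripped file over HTTPS. The consumer-side policy that makes this fail is independent of the transport: treat the pointer as untrusted (require https, no userinfo, host on a pinned allowlist) and refuse any file whose detached signature does not verify against a key configured out of band. The following Go program is an added illustration of that policy; it is not code from the thread, from the draft, or from any RIR. The hostnames, the sample file body and the use of Ed25519 with a detached signature are all assumptions made for the example (the draft under discussion does not specify the signature scheme).

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Hosts from which prefixlen files may be fetched. Constructed placeholder
// names for this example; a deployment would pin the real RIR hostnames.
var allowedHosts = map[string]bool{
	"ftp.example-rir.test":  true,
	"data.example-rir.test": true,
}

// CheckPointer validates a prefixlen URL obtained over an unauthenticated
// channel. Because the pointer itself cannot be trusted, the policy is:
// scheme must be https, no userinfo, host must be on the allowlist.
func CheckPointer(raw string) (*url.URL, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return nil, fmt.Errorf("unparseable pointer: %w", err)
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("pointer %q: scheme %q not allowed, want https", raw, u.Scheme)
	}
	if u.User != nil {
		return nil, fmt.Errorf("pointer %q: userinfo not allowed", raw)
	}
	host := strings.ToLower(u.Hostname())
	if !allowedHosts[host] {
		return nil, fmt.Errorf("pointer %q: host %q not on allowlist", raw, host)
	}
	return u, nil
}

// VerifyPrefixlenFile checks a detached Ed25519 signature over the file body.
// Ed25519 with a detached signature is an ASSUMPTION for this example. The
// public key comes from out-of-band configuration, never from the fetch
// channel, so a MITM that strips or replaces the signature cannot make a
// modified file verify; a missing signature is a hard failure, not a warning.
func VerifyPrefixlenFile(pub ed25519.PublicKey, body, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("bad public key length")
	}
	if len(sig) == 0 {
		return errors.New("signature missing: refusing unsigned prefixlen file")
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, body, sig) {
		return errors.New("signature does not verify: file rejected")
	}
	return nil
}

// AcceptPrefixlenFile ties the two checks together: the pointer must pass
// policy and the fetched body must verify, otherwise the file is discarded.
func AcceptPrefixlenFile(pointer string, pub ed25519.PublicKey, body, sig []byte) error {
	if _, err := CheckPointer(pointer); err != nil {
		return err
	}
	return VerifyPrefixlenFile(pub, body, sig)
}

func main() {
	// Constructed demo: throwaway key, a sample body, then one honest fetch
	// and three variants of the redirect/tamper scenario from the thread.
	pub, priv, _ := ed25519.GenerateKey(nil)
	body := []byte("constructed prefixlen file body\n")
	sig := ed25519.Sign(priv, body)
	good := "https://data.example-rir.test/prefixlen/sample"

	fmt.Println("honest fetch:   ", AcceptPrefixlenFile(good, pub, body, sig))
	tampered := append([]byte{}, body...)
	tampered[0] ^= 1
	fmt.Println("tampered body:  ", AcceptPrefixlenFile(good, pub, tampered, sig))
	fmt.Println("attacker host:  ", AcceptPrefixlenFile("https://attacker.example/prefixlen", pub, body, sig))
	fmt.Println("signature gone: ", AcceptPrefixlenFile(good, pub, body, nil))
}
```

The ordering matters: the pointer check runs before any network fetch would, so a redirect to a non-allowlisted or plain-http host is rejected without contacting it, and the signature check is unconditional, so "filtering the signature" leaves the attacker with a file the consumer will not load.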
_______________________________________________
OPSAWG mailing list -- [email protected]
