On 12/3/25 10:03 PM, David Farmer wrote:
On Wed, Dec 3, 2025 at 14:51 Randy Bush <[email protected]> wrote:
hi paul,
> To minimize the load on RIRs' WHOIS [RFC3912] services, the
> RIR's FTP [RFC0959] services SHOULD be used for large-scale
> access to gather
>
> I can't really ignore the fact that unsigned data is urged to be
> transferred in the clear possibly (likely?) without authentication.
yup. but, as was discussed in LC, that is traditionally how the RIRs
provided bulk access. as you say, they are heading for rdap, which is
over https.
ARIN announced early this year that it has retired the use of the FTP
protocol.
https://www.arin.net/announcements/20250331/
We will clarify that this refers to Bulk WHOIS access which used to be
FTP only, but now Bulk WHOIS access via HTTPS is supported by all RIRs.
Note that Bulk WHOIS over HTTPS is different than RDAP.
> Does this contradict this earlier statement?
>
> This document provides a guideline for how interested parties
> should fetch and read prefixlen files. To minimize the load on
> RIRs' WHOIS [RFC3912] services, the RIR's FTP [RFC0959]
> services SHOULD be used for large-scale access to gather
> inetnum: instances with prefixlen references.
>
> Either this contradicts, or if the FTP fetch is to fetch data points
> that point to where to fetch prefixlen files, then an attacker can
> still fetch the prefixlen files over HTTPS, filter the signature(s),
> modify what it wants, then serve this over their own HTTPS server by
> updating the FTP fetch stream as MITM to point to its own HTTPS
> server?
yes. but today, FTP is the service which works for all RIRs. until
that changes, the consequences of a weak protocol are inevitable.
otoh, your attack, though possible, is a bit complex. i have no
objection if you think it should be added to sec cons.
randy
===============================================
David Farmer Email: [email protected]
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE Phone: 612-626-0815
Minneapolis, MN 55414-3029 Cell: 612-812-9952
===============================================
_______________________________________________
OPSAWG mailing list -- [email protected]
To unsubscribe send an email to [email protected]