Re: ARIN IRR Authentication (was: Re: AltDB?)

2011-01-30 Thread John Curran
On Jan 29, 2011, at 10:50 PM, Jeff Wheeler wrote:

> On Thu, Jan 27, 2011 at 10:00 PM, John Curran jcur...@arin.net wrote:
>> Based on the ARIN's IRR authentication thread a couple of weeks ago, there
>> were suggestions placed into ARIN's ACSP process for changes to ARIN's IRR
>> system. ARIN has looked at the integration issues involved and has scheduled
>> an upgrade to the IRR system that will accept PGP and CRYPT-PW authentication
>> as well as implementing notification support for both the mnt-nfy and notify
>> fields by the end of August 2011.
>
> I'm glad to see that a decision was made to improve the ARIN IRR,
> rather than stick to status-quo or abandon it.

Good to hear.

> However, this response
> is essentially what most folks I spoke with off-list imagined: You
> have an immediate operational security problem which could cause
> service impact to ARIN members and others relying on the ARIN IRR
> database, and fixing it by allowing passwords or PGP to be used is not
> very hard.

I appreciate your estimate of the effort required to address this 
problem, but we're not doing this as a completely separate system
but with the intention of having some level of integration with 
our existing ARIN Online system in the future.  While this may 
take more effort, and was not in our original 2011 budget, we 
have been able to add it to plan with development to begin later
in the year.

> As I have stated on this list, I believe ARIN is not organizationally
> capable of handling operational issues.

You've asserted this belief in prior messages (as well as noting 
that "No one is forced to use ARIN IRR"). If the IRR does not meet
your needs during this period, I would recommend using one of the
many alternative routing registries available.  

In any case, I'd like to thank you again for raising the concern about 
lack of IRR authentication, as it was instrumental in bringing this 
matter to resolution.

Thanks!
/John

John Curran
President and CEO
ARIN







Re: ARIN IRR Authentication (was: Re: AltDB?)

2011-01-29 Thread Jeff Wheeler
On Thu, Jan 27, 2011 at 10:00 PM, John Curran jcur...@arin.net wrote:
> Based on the ARIN's IRR authentication thread a couple of weeks ago, there
> were suggestions placed into ARIN's ACSP process for changes to ARIN's IRR
> system. ARIN has looked at the integration issues involved and has scheduled
> an upgrade to the IRR system that will accept PGP and CRYPT-PW authentication
> as well as implementing notification support for both the mnt-nfy and notify
> fields by the end of August 2011.

I'm glad to see that a decision was made to improve the ARIN IRR,
rather than stick to status-quo or abandon it.  However, this response
is essentially what most folks I spoke with off-list imagined: You
have an immediate operational security problem which could cause
service impact to ARIN members and others relying on the ARIN IRR
database, and fixing it by allowing passwords or PGP to be used is not
very hard.

As I have stated on this list, I believe ARIN is not organizationally
capable of handling operational issues.  This should make everyone
very worried about any ARIN involvement in RPKI, or anything else that
could possibly have short-term operational impact on networks.  Your
plan to fix the very simple IRR problem within eight months is a very
clear demonstration that I am correct.

How did you arrive at the eight month time-frame to complete this project?

Can you provide more detail on what CRYPT-PW hash algorithm(s) will be
supported?  Specifically, the traditional DES crypt(3) is functionally
obsolete, and its entire key-space can be brute-forced within a few
days on one modern desktop PC.  Will you follow the practice
established by several other IRR databases (including MERIT RADB) and
avoid exposing the hashes by way of whois output and IRR database
dumps?

If PGP is causing your delay, why don't you address the urgent problem
of supporting no authentication mechanism at all first, and allow
CRYPT-PW (perhaps with a useful hash algorithm) and then spend the
remaining 7.9 months on PGP?

The plan and schedule you have announced is indefensible for an
operational security issue.

-- 
Jeff S Wheeler j...@inconcepts.biz
Sr Network Operator  /  Innovative Network Concepts
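
Added example, not part of the thread or any registry's code: a Python audit of an IRR dump that reports, for each mntner object, which auth methods it accepts and whether a traditional DES crypt(3) hash is visible in the output, which is the exposure the message above asks about. The dump contents, maintainer names and the redaction placeholder strings are constructed or assumed.

```python
import re

# Constructed IRR dump: RPSL objects separated by blank lines. Maintainer
# names and the 13-character string are made up; it is not a real hash.
SAMPLE_DUMP = """\
mntner:  MAINT-EXAMPLE-A
auth:    CRYPT-PW ab0123456789A
auth:    PGPKEY-0123ABCD

mntner:  MAINT-EXAMPLE-B
auth:    CRYPT-PW HIDDENCRYPTPW

mntner:  MAINT-EXAMPLE-C
auth:    NONE

route:   192.0.2.0/24
"""

# Traditional DES crypt(3) output: 2 salt characters + 11 hash characters.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")
# Assumed redaction placeholders; adjust to what the registry actually emits.
REDACTED = {"HIDDENCRYPTPW", "DummyValue"}
RISKY = {"no-auth", "des-crypt-exposed"}

def classify(auth_value):
    scheme, _, rest = auth_value.partition(" ")
    scheme, rest = scheme.upper(), rest.strip()
    if scheme == "NONE":
        return "no-auth"
    if scheme.startswith("PGPKEY-"):
        return "pgp"
    if scheme != "CRYPT-PW":
        return "unknown"
    if rest in REDACTED:  # checked first: a placeholder can also be 13 chars
        return "crypt-pw-hidden"
    return "des-crypt-exposed" if DES_CRYPT.fullmatch(rest) else "crypt-pw-other"

def audit(dump):
    findings = {}
    for block in re.split(r"\n\s*\n", dump.strip()):
        attrs = [(k.strip().lower(), v.strip()) for k, v in
                 (ln.split(":", 1) for ln in block.splitlines() if ":" in ln)]
        if attrs and attrs[0][0] == "mntner":  # skip route and other objects
            findings[attrs[0][1]] = sorted({classify(v) for k, v in attrs if k == "auth"})
    return findings

def risky_maintainers(findings):
    # Any single auth line is sufficient, so one weak method exposes the object.
    return sorted(m for m, kinds in findings.items() if RISKY & set(kinds))
```

MAINT-EXAMPLE-A is flagged even though it also lists a PGP key, because the exposed DES hash is an equally valid way to authenticate an update.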



Re: ARIN IRR Authentication (was: Re: AltDB?)

2011-01-28 Thread Randy Bush
> Based on the ARIN's IRR authentication thread a couple of weeks ago, there
> were suggestions placed into ARIN's ACSP process for changes to ARIN's IRR
> system. ARIN has looked at the integration issues involved and has scheduled
> an upgrade to the IRR system that will accept PGP and CRYPT-PW authentication
> as well as implementing notification support for both the mnt-nfy and notify
> fields by the end of August 2011.

way cool!  thank you.

randy



Re: ARIN IRR Authentication (was: Re: AltDB?)

2011-01-28 Thread John Curran
On Jan 28, 2011, at 4:09 AM, Randy Bush wrote:

>> Based on the ARIN's IRR authentication thread a couple of weeks ago, there
>> were suggestions placed into ARIN's ACSP process for changes to ARIN's IRR
>> system. ARIN has looked at the integration issues involved and has scheduled
>> an upgrade to the IRR system that will accept PGP and CRYPT-PW authentication
>> as well as implementing notification support for both the mnt-nfy and notify
>> fields by the end of August 2011.
>
> way cool!  thank you.

No problem at all (and my apologies for 
not noticing this state of affairs sooner).

/John





ARIN IRR Authentication (was: Re: AltDB?)

2011-01-27 Thread John Curran
On Jan 11, 2011, at 9:14 AM, John Curran wrote:

> As noted, we're now looking into how to fix the IRR authentication
> situation and will report back asap.

Based on the ARIN's IRR authentication thread a couple of weeks ago, there
were suggestions placed into ARIN's ACSP process for changes to ARIN's IRR 
system. ARIN has looked at the integration issues involved and has scheduled 
an upgrade to the IRR system that will accept PGP and CRYPT-PW authentication 
as well as implementing notification support for both the mnt-nfy and notify 
fields by the end of August 2011.

For further details, please look at:
  https://www.arin.net/participate/acsp/suggestions/2011-1.html
  https://www.arin.net/participate/acsp/suggestions/2011-2.html

I'd like to thank everyone for bringing this situation to our attention, 
and will report back once this functionality is in place.

Thanks!
/John

John Curran
President and CEO
ARIN