AltDB? (IRR support & direction at ARIN)

Jeff Wheeler jsw at inconcepts.biz
Mon Jan 10 06:52:22 UTC 2011


On Sun, Jan 9, 2011 at 11:00 PM, Charles N Wyble
<charles at knownelement.com> wrote:
> So why hasn't this happened already? If it's so easy, then all the
> normal actors that like to cause us late nights would have struck already.

As most of us in the net ops community know, there are many
vulnerabilities that are very much non-obvious to a black hat guy used
to DDoSing with botnets or exploiting the latest common daemon
vulnerability.  That is no assurance that this vulnerability will
never be exploited.  The very fact that we are talking about it on
this mailing list (unfortunately) raises the chances that it will
happen.  If there was an article on Slashdot, I bet significant
corruption pranks or deliberate, malicious erasure would happen inside
of a week.  If I spent 15 minutes making a "HOWTO anonymously delete
an ISP from the ARIN IRR with a telnet client and an open proxy" and
spread it around to some IRC bad-guys, you can be assured we would be
talking about damage control, not prevention, by tomorrow.  Finally,
anyone who has ever 1) learned how email works; and 2) learned how to
update their own IRR objects via email; can do it without reading
anything, and has probably realized this vulnerability on their own
years ago.

> So I don't think ARIN should spend its limited resources on anything to
> do with its copy of the IRR. In fact I'm not sure why they even operate
> one. It seems to be the realm of service providers to do so.

It is desirable to publish your IRR records in a neutral database, as
opposed to a service provider database.  Let's say I am a Level3
customer and I use their IRR.  A year goes by, and I don't renew my
contract with Level3, I instead start buying transit from AT&T.  Well,
AT&T does not operate an IRR database.  Now I have to find a new place
to publish my IRR data, *and* my new transit provider doesn't offer it
as a service.  If I have a need for IRR, I had better hope one of my
other transit providers offers me a database, or use RADB, ALTDB, or
another third-party database.

This is why MERIT has a bunch of customers paying annual fees for
RADB, a valuable service; and why some great folks volunteer their
time to maintain the ALTDB.  It is also no doubt the reason ARIN has
an IRR database, but unfortunately, the ARIN IRR is a liability, not
an asset, to the net ops community.

-- 
Jeff S Wheeler <jsw at inconcepts.biz>
Sr Network Operator  /  Innovative Network Concepts



