Guardian for ARIN
Christopher J. Wolff
chris at bblabs.com
Fri May 2 05:25:07 UTC 2003
Many good points here. On a related topic, IMHO, NSI needs to take a
step back and evaluate their domain/account management system. The
web-gui system in place now is truly the bastard child, leaving
subscribers with dozens (or hundreds) of domains, each with an
individual account number and no password (or challenge phrase).
I wonder how many virgin goats would need to be slaughtered at the
altars of Tenochtitlan to bring back the email forms ;-)
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
Sent: Thursday, May 01, 2003 10:09 PM
To: nanog at merit.edu
Subject: Guardian for ARIN
Once upon a time, NSI handled both domain names and network addresses.
NSI originally only checked the sender of the e-mail address matched its
database. Spoofing the sender of an e-mail address is/was trivial, and
eventually several domain names were hijacked by other unauthorized
NSI added "Guardian" to their template process. Guardian permitted the
points of contact (NIC-Handle) for objects in the NSI database to add a
password (and allegedly a PGP key) to their records. Only templates
the correct password would be processed. Since NSI handled both names
numbers, a password on NIC-Handle protected both names and networks.
ARIN was formed, and the duties associated with IP numbers (AS and IP
addresses) were transfered to the new ARIN. However, Guardian or some
alternative didn't seem to get transferred. So we're back to anyone
who can spoof the point of contacts e-mail address can make changes
to the ARIN records.
Is it time for ARIN to re-add security to their database update
More information about the NANOG