Guardian for ARIN

• Previous message (by thread): Guardian for ARIN
• Next message (by thread): The Cidr Report
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

ARIN presented plans toward authentication at the recent Public Policy
Meeting:

http://www.arin.net/library/minutes/ARIN_XI/PDF/Tuesday/9_Authentication_Christensen.pdf

or

http://www.arin.net/library/minutes/ARIN_XI/PPT/Tuesday/9_Authentication_Christensen.ppt

Isn't it nice when they're responsive?

Lee

On Fri, 2 May 2003, Sean Donelan wrote:

> Date: Fri, 02 May 2003 01:09:01 -0400 (EDT)
> From: Sean Donelan <sean at donelan.com>
> To: nanog at merit.edu
> Subject: Guardian for ARIN
> 
> 
> Once upon a time, NSI handled both domain names and network addresses.
> 
> NSI originally only checked the sender of the e-mail address matched its
> database.  Spoofing the sender of an e-mail address is/was trivial, and
> eventually several domain names were hijacked by other unauthorized
> individuals.
> 
> NSI added "Guardian" to their template process.  Guardian permitted the
> points of contact (NIC-Handle) for objects in the NSI database to add a
> password (and allegedly a PGP key) to their records.  Only templates using
> the correct password would be processed. Since NSI handled both names and
> numbers, a password on NIC-Handle protected both names and networks.
> 
> ARIN was formed, and the duties associated with IP numbers (AS and IP
> addresses) were transfered to the new ARIN.  However, Guardian or some
> alternative didn't seem to get transferred.  So we're back to anyone
> who can spoof the point of contacts e-mail address can make changes
> to the ARIN records.
> 
> Is it time for ARIN to re-add security to their database update
> procedures?
> 
> 

• Previous message (by thread): Guardian for ARIN
• Next message (by thread): The Cidr Report
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]