AltDB?

Jon Lewis jlewis at lewis.org
Sat Jan 8 12:10:47 CST 2011


Getting back to the original topic...sort of:

Looking at the data from altdb, it's not as widely used as I'd have 
guessed.  There are 461 mntner objects.  Of these, 268 use MAIL-FROM 
authentication.  192 use CRYPT-PW.  At least those are the split if you 
look at just the first auth: for each mntner object...plenty of objects 
have multiple auth:'s and some even have multiple types like MAIL-FROM and 
PGP.  In such a case, does a change request have to satisfy both auth's or 
just either one?

This makes me ask two questions.

1) Why did ARIN even bother setting up rr.arin.net with no 
authentication other than MAIL-FROM?  Even CRYPT-PW, while weak 
would be far stronger and preferable to effectively no authentication.

2) Why does altdb (and presumably other RR's that support CRYPT-PW) only 
support DES and not MD5-crypt?  It's not 1990 anymore.  RFC 2622 says that 
CRYPT-PW uses the UNIX crypt format...but today, UNIX crypt supports a 
variety of formats, including MD5, which is popular at least with Linux.

I don't mean to whine that altdb doesn't support MD5...it'd be nice if it 
did, but at the price I'm paying for service ($0), I can't complain.

AFAIK, few networks base their BGP filters on the RR data, so I don't care 
too much about RPKI[1].  Who cares if ARIN certifies that my entries are 
legit if only a fraction of the net uses that data and there will always 
be portions of the net where anything goes and resource certification is 
ignored?  What I do care about is that my peers or transits that use RR 
data to build filters use the data I put there, and that that data isn't 
tampered with by anyone with the minimal level of clue required to forge 
the from address on an email and construct an RPSL update email.  Sure, 
we'd get email notification of the change...but if they time it right or 
the email doesn't get acted on quickly enough, filters might be built 
improperly.

[1] Don't care is probably too strong.  At this point in time, I don't 
think it makes sense to get hung up on it and refuse to do any 
authentication if we're not doing RPKI, but not implement RPKI, because we 
haven't worked out all the details on how it'll be done.  As it is, 
rr.arin.net is pretty much worthless.

----------------------------------------------------------------------
  Jon Lewis, MCP :)           |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________




More information about the NANOG mailing list