jlewis at lewis.org
Sat Jan 8 12:10:47 CST 2011
Getting back to the original topic...sort of:
Looking at the data from altdb, it's not as widely used as I'd have
guessed. There are 461 mntner objects. Of these, 268 use MAIL-FROM
authentication. 192 use CRYPT-PW. At least those are the split if you
look at just the first auth: for each mntner object...plenty of objects
have multiple auth:'s and some even have multiple types like MAIL-FROM and
PGP. In such a case, does a change request have to satisfy both auth's or
just either one?
This makes me ask two questions.
1) Why did ARIN even bother setting up rr.arin.net with no
authentication other than MAIL-FROM? Even CRYPT-PW, while weak
would be far stronger and preferable to effectively no authentication.
2) Why does altdb (and presumably other RR's that support CRYPT-PW) only
support DES and not MD5-crypt? It's not 1990 anymore. RFC 2622 says that
CRYPT-PW uses the UNIX crypt format...but today, UNIX crypt supports a
variety of formats, including MD5, which is popular at least with Linux.
I don't mean to whine that altdb doesn't support MD5...it'd be nice if it
did, but at the price I'm paying for service ($0), I can't complain.
AFAIK, few networks base their BGP filters on the RR data, so I don't care
too much about RPKI. Who cares if ARIN certifies that my entries are
legit if only a fraction of the net uses that data and there will always
be portions of the net where anything goes and resource certification is
ignored? What I do care about is that my peers or transits that use RR
data to build filters use the data I put there, and that that data isn't
tampered with by anyone with the minimal level of clue required to forge
the from address on an email and construct an RPSL update email. Sure,
we'd get email notification of the change...but if they time it right or
the email doesn't get acted on quickly enough, filters might be built
 Don't care is probably too strong. At this point in time, I don't
think it makes sense to get hung up on it and refuse to do any
authentication if we're not doing RPKI, but not implement RPKI, because we
haven't worked out all the details on how it'll be done. As it is,
rr.arin.net is pretty much worthless.
Jon Lewis, MCP :) | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
More information about the NANOG