AltDB? (IRR support & direction at ARIN)

Jon Lewis jlewis at lewis.org
Mon Jan 10 11:37:32 CST 2011


On Sun, 9 Jan 2011, Charles N Wyble wrote:

>> I am simply suggesting it is dangerous and irresponsible to run an IRR
>> with only MAIL-FROM authentication, and quite easy to also support
>> CRYPT-PW.  ARIN should either support passwords or immediately make

The trouble is, since the DES crypt passwords are publicly accessible, 
even CRYPT-PW is not much security.  I suspect with a copy of the db, a 
password cracking program, and some modest computing capacity, you could 
crack all the passwords in ALTDB before this thread dies.

I've been trying to convert from CRYPT-PW to PGPKEY auth, but I don't seem 
to be having much luck getting that working.  I've put a key-cert 
(PGPKEY-7ABEC6A3) into altdb, and changed our mntner to permit either 
CRYPT-PW or PGPKEY-7ABEC6A3 for auth.  But PGP signed update requests 
result in #ERROR: Authorization failure.

I'm not sure why I'm getting this auth failure.  i.e. Something wrong with 
the formatting of my submissions?  Something wrong with my key-cert?  The 
certif: from my key-cert wasn't automatically imported into the auto-dbm 
keyring?  I'm assuming I can take a RPSL format submission, save it to a 
file, use GPG to clearsign it, and put the result in the body of an email 
to auto-dbm.

It's also possible altdb doesn't actually have working PGP support. 
Looking at the database dump I downloaded the other day, only one mntner 
uses PGP as their sole auth method...and that mntner hasn't made changes 
to any objects since the last change to their mntner...so it could be they 
changed to PGP auth, never got it working, and abandoned altdb.

I was afraid of losing control of my mntner if there were issues with PGP, 
so I figured I'd add PGP as an auth method, test it, and then after seeing 
it work, remove CRYPT-PW.

----------------------------------------------------------------------
  Jon Lewis, MCP :)           |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
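
The message above notes that, in a database dump, only one mntner used PGP as its sole auth method. One way to run that kind of audit over an RPSL dump, as an added example that is not part of the original message: it assumes objects are separated by blank lines, and the sample dump, maintainer names, hash and key IDs are all constructed placeholders.

```python
import re
from collections import Counter

# Constructed RPSL sample; maintainer names, hash and key IDs are placeholders.
SAMPLE_DUMP = """\
mntner:  MAINT-EXAMPLE-A
auth:    MAIL-FROM .*@example\\.net

mntner:  MAINT-EXAMPLE-B
auth:    CRYPT-PW xxPLACEHOLDERx
auth:    PGPKEY-0123ABCD

route:   192.0.2.0/24
origin:  AS64500
mnt-by:  MAINT-EXAMPLE-B

mntner:  MAINT-EXAMPLE-C
auth:    PGPKEY-89ABCDEF
"""

def auth_schemes(dump):
    """Return {mntner name: set of auth schemes} for every mntner object."""
    result = {}
    for block in re.split(r"\n\s*\n", dump.strip()):
        attrs = []
        for line in block.splitlines():
            # Skip comments and continuation lines (leading space, tab or '+').
            if not line or line[0] in " \t+#%" or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs.append((key.strip().lower(), value.strip()))
        if not attrs or attrs[0][0] != "mntner":
            continue  # route, aut-num, key-cert ... are not maintainers
        schemes = set()
        for key, value in attrs:
            if key == "auth" and value:
                token = value.split()[0].upper()
                schemes.add("PGPKEY" if token.startswith("PGPKEY-") else token)
        result[attrs[0][1]] = schemes
    return result

def classify(schemes):
    """Any listed auth method suffices, so a mntner is as weak as its weakest one."""
    if schemes == {"PGPKEY"}:
        return "pgp-only"
    return "pgp-plus-weaker" if "PGPKEY" in schemes else "no-pgp"

def summarize(dump):
    """Count maintainers per class across the whole dump."""
    return Counter(classify(s) for s in auth_schemes(dump).values())
```

A maintainer in the "pgp-plus-weaker" class is in the transitional state described in the message: PGP is listed, but the CRYPT-PW or MAIL-FROM entry still authorizes updates until it is removed.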



