ARIN IRR Authentication (was: Re: AltDB?)

• Previous message (by thread): ARIN IRR Authentication (was: Re: AltDB?)
• Next message (by thread): ARIN IRR Authentication (was: Re: AltDB?)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Jan 27, 2011 at 10:00 PM, John Curran <jcurran at arin.net> wrote:
> Based on the ARIN's IRR authentication thread a couple of weeks ago, there
> were suggestions placed into ARIN's ACSP process for changes to ARIN's IRR
> system. ARIN has looked at the integration issues involved and has scheduled
> an upgrade to the IRR system that will accept PGP and CRYPT-PW authentication
> as well as implementing notification support for both the mnt-nfy and notify
> fields by the end of August 2011.

I'm glad to see that a decision was made to improve the ARIN IRR,
rather than stick to status-quo or abandon it.  However, this response
is essentially what most folks I spoke with off-list imagined: You
have an immediate operational security problem which could cause
service impact to ARIN members and others relying on the ARIN IRR
database, and fixing it by allowing passwords or PGP to be used is not
very hard.

As I have stated on this list, I believe ARIN is not organizationally
capable of handling operational issues.  This should make everyone
very worried about any ARIN involvement in RPKI, or anything else that
could possibly have short-term operational impact on networks.  Your
plan to fix the very simple IRR problem within eight months is a very
clear demonstration that I am correct.

How did you arrive at the eight month time-frame to complete this project?

Can you provide more detail on what CRYPT-PW hash algorithm(s) will be
supported?  Specifically, the traditional DES crypt(3) is functionally
obsolete, and its entire key-space can be brute-forced within a few
days on one modern desktop PC.  Will you follow the practice
established by several other IRR databases (including MERIT RADB) and
avoid exposing the hashes by way of whois output and IRR database
dumps?

If PGP is causing your delay, why don't you address the urgent problem
of supporting no authentication mechanism at all first, and allow
CRYPT-PW (perhaps with a useful hash algorithm) and then spend the
remaining 7.9 months on PGP?

The plan and schedule you have announced is indefensible for an
operational security issue.

-- 
Jeff S Wheeler <jsw at inconcepts.biz>
Sr Network Operator  /  Innovative Network Concepts

• Previous message (by thread): ARIN IRR Authentication (was: Re: AltDB?)
• Next message (by thread): ARIN IRR Authentication (was: Re: AltDB?)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]