OAuth for RIRs - Is there already any idea like that?

Douglas Fischer fischerdouglas at gmail.com
Tue Mar 23 11:59:41 UTC 2021


For me, the need to validate information managed by the RIRs / NIRs / LIRs
on separate information platforms becomes more evident every day.

A very simple example is PeeringDB itself, which requires confirmation of
correlation between the ASN whois contact and the account that is
registering the organization.

P.S.1: At least for me, this is more evident when it comes to numerical
resources, but without going much deeper into the analysis, I believe that
this is also applicable to name resources.

I was wondering how complex it would be for RIRs / NIRs to implement some
mechanism similar to the OAuth of NIC-Handler accounts to, through a
delimitation protocol, allow accounts between information platforms to be
correlated, information to be confirmed and maybe even inserted and updated.

Still dreaming a little bit about the possibilities, I imagined that in a
federation context, IANA or NRO could correlate NIC-Handlers from the same
organization in different RIRs.

In addition to the PeeringDB example, other uses (non-exhaustive list) of
this solution could be:
 - Linking between Maintainers of IRR bases and owners of resources in RIRs.
 - Linking between accounts on the basis of IXPs, and ASN owners.
 - Authentication and integration of RPKI CA Delegate services.

I believe that we are already at a point where we can go beyond just using
email confirmation.

OAuth and similar protocols include benefits such as:
 - Simplified use of cryptographic protections
 - Specific definition of the duration of the authorization.
 - Forced expiration of authorization.
 - Granular definition of which attributes will have read-only or read and
write access.

I know that for a person with little experience everything seems possible,
and for more hardened people things do not seem that simple.
I also know that not everything in this world depends only on technological
feasibility. For although there may be protocols and techniques to solve a
problem, many questions depend on the layer 9 definitions of the OSI model.

P.S.2: To be honest, I don't know if there are already initiatives in this
direction from the point of view of making this a standard resource. But
unless I am mistaken, https://www.denic.de/ already has something similar
in place.
-- 
Douglas Fernando Fischer
Control and Automation Engineer
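
Added example, not part of the original message: the properties listed in the message (bounded duration, forced expiration, per-attribute read-only or read-write access) as a third-party platform could check them before trusting a registry-issued grant for an ASN. The token format, function names, attribute names and the shared HMAC key standing in for the registry's signature are assumptions for illustration, not any RIR's or OAuth library's API.

```python
import base64, hashlib, hmac, json

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(key: bytes, body: str) -> str:
    return _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def issue_token(key, grant_id, handle, asn, scopes, now, ttl):
    """Registry side (hypothetical): bind a handle to an ASN with scopes and an expiry."""
    claims = {"jti": grant_id, "sub": handle, "asn": asn,
              "scope": scopes, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(key, body)}"

def check_access(key, token, asn, attribute, write, now, revoked=frozenset()):
    """Platform side: return (allowed, reason) for one attribute of one ASN."""
    try:
        body, sig = token.split(".")
        # Verify the signature before parsing anything the token claims.
        if not hmac.compare_digest(sig, _sign(key, body)):
            return False, "bad signature"
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return False, "malformed token"
    if claims["jti"] in revoked:      # forced expiration before "exp"
        return False, "revoked"
    if now >= claims["exp"]:          # bounded duration of the authorization
        return False, "expired"
    if claims["asn"] != asn:          # grant covers exactly one resource
        return False, "wrong ASN"
    mode = claims["scope"].get(attribute)   # "r", "rw", or absent
    if mode is None or (write and mode != "rw"):
        return False, "scope does not allow this"
    return True, "ok"

# Constructed sample values: demo key, documentation ASN, fixed clock.
KEY = b"constructed-demo-key"
NOW = 1_700_000_000
TOKEN = issue_token(KEY, "grant-1", "EXAMPLE-HANDLE", 64500,
                    {"contact": "r", "as-set": "rw"}, NOW, ttl=3600)

if __name__ == "__main__":
    print(check_access(KEY, TOKEN, 64500, "contact", write=True, now=NOW + 10))
```

A production deployment would normally replace the shared key with the registry's asymmetric signature or a token introspection call, so the platform holds nothing that lets it mint grants itself.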