nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: AltDB?

From: Jon Lewis <jlewis () lewis org>
Date: Sat, 8 Jan 2011 13:10:47 -0500 (EST)
Getting back to the original topic...sort of:
Looking at the data from altdb, it's not as widely used as I'd have guessed. There are 461 mntner objects. Of these, 268 use MAIL-FROM authentication. 192 use CRYPT-PW. At least those are the split if you look at just the first auth: for each mntner object...plenty of objects have multiple auth:'s and some even have multiple types like MAIL-FROM and PGP. In such a case, does a change request have to satisfy both auth's or just either one? 

This makes me ask two questions.
1) Why did ARIN even bother setting up rr.arin.net with no authentication other than MAIL-FROM? Even CRYPT-PW, while weak would be far stronger and preferable to effectively no authentication.
2) Why does altdb (and presumably other RR's that support CRYPT-PW) only support DES and not MD5-crypt? It's not 1990 anymore. RFC 2622 says that CRYPT-PW uses the UNIX crypt format...but today, UNIX crypt supports a variety of formats, including MD5, which is popular at least with Linux.
I don't mean to whine that altdb doesn't support MD5...it'd be nice if it did, but at the price I'm paying for service ($0), I can't complain.
AFAIK, few networks base their BGP filters on the RR data, so I don't care too much about RPKI[1]. Who cares if ARIN certifies that my entries are legit if only a fraction of the net uses that data and there will always be portions of the net where anything goes and resource certification is ignored? What I do care about is that my peers or transits that use RR data to build filters use the data I put there, and that that data isn't tampered with by anyone with the minimal level of clue required to forge the from address on an email and construct an RPSL update email. Sure, we'd get email notification of the change...but if they time it right or the email doesn't get acted on quickly enough, filters might be built improperly.
[1] Don't care is probably too strong. At this point in time, I don't think it makes sense to get hung up on it and refuse to do any authentication if we're not doing RPKI, but not implement RPKI, because we haven't worked out all the details on how it'll be done. As it is, rr.arin.net is pretty much worthless. 

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Previous By Date Next
Previous By Thread Next

Current thread: