nanog mailing list archives

Re: AltDB? (IRR support & direction at ARIN)


From: Jeff Wheeler <jsw () inconcepts biz>
Date: Sun, 9 Jan 2011 18:57:43 -0500

On Sun, Jan 9, 2011 at 6:48 PM, Randy Bush <randy () psg com> wrote:
> jeff, i do not disagree that running an irr instance with only mail-from
> is soooo 1980s.  and, as mans points out, there is free software out
> there to do it (i recommend irrd).  but i do not see good cause for arin
> to spend anything non-trivial to fix a problem in an irr instance which
> is not used very much.  i.e. better to drop it than to spend non-trivial
> money to modernize it.

I agree that if ARIN thinks it would be "too costly" to support
password authentication, they should make the database read-only so
users will migrate away from it and no damage can be done by "bad
guys."

> but more to the point, by 'fix' it, i did not mean modernizing the auth
> method set.  i meant the content, syntax and semantics.

I understood what you meant, and again, I agree with you; there is no
reason to invest "a lot" of time and resources in something that
should be made obsolete by other work already in progress.  The "fix"
I want is simply eliminating the large liability by continuing to
allow updates with MAIL-FROM authentication.

I believe ARIN IRR actually does support MD5 authentication, but if
you email the ARIN IRR person, or go to ARIN's web site, you are told
that only MAIL-FROM is allowed.  So they probably already have the
appropriate technical mechanism in place AND JUST AREN'T USING IT, and
are actively discouraging users from utilizing it.  This would be an
example of ARIN's ineffectiveness when it comes to operational
matters, and is why I have real fear that RPKI may one day be a
disaster because ARIN is an ineffective steward.

-- 
Jeff S Wheeler <jsw () inconcepts biz>
Sr Network Operator  /  Innovative Network Concepts
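
An added example, not part of the original message: one way a registry operator could audit an RPSL dump for maintainers that still accept MAIL-FROM, and list the objects those maintainers protect. The sample objects, the placeholder hash and the function names are constructed for illustration; the parser covers only basic `attribute: value` lines and continuation lines.

```python
import re

# Constructed RPSL objects for illustration; not real registry data.
SAMPLE_DUMP = """\
mntner:  MAINT-EXAMPLE-A
auth:    MAIL-FROM noc@example.net

mntner:  MAINT-EXAMPLE-B
auth:    MD5-PW $1$constructed$placeholder
auth:    MAIL-FROM hostmaster@example.org

mntner:  MAINT-EXAMPLE-C
auth:    MD5-PW $1$constructed$placeholder

route:   192.0.2.0/24
origin:  AS64500
mnt-by:  MAINT-EXAMPLE-A
"""

def parse_objects(dump):
    """Split an RPSL dump into objects, each a list of (attribute, value)."""
    objects = []
    for block in re.split(r"\n\s*\n", dump.strip()):
        attrs = []
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if line[:1] in (" ", "\t", "+") and attrs:  # continuation line
                attrs[-1] = (attrs[-1][0], f"{attrs[-1][1]} {line[1:].strip()}")
            elif sep and not line.startswith(("#", "%")):
                attrs.append((name.strip().lower(), value.strip()))
        if attrs:
            objects.append(attrs)
    return objects

def audit_mail_from(dump):
    """Map each mntner accepting MAIL-FROM to its schemes and protected objects."""
    objects, weak = parse_objects(dump), {}
    for obj in objects:
        schemes = [v.split()[0].upper() for k, v in obj if k == "auth" and v]
        # auth lines are alternatives: MAIL-FROM beside MD5-PW is still exposed.
        if obj[0][0] == "mntner" and "MAIL-FROM" in schemes:
            weak[obj[0][1]] = {"schemes": schemes, "protects": []}
    for obj in objects:
        cls, key = obj[0]
        refs = [m for k, v in obj if k == "mnt-by" for m in re.split(r"[,\s]+", v)]
        for m in refs:
            if m in weak and cls != "mntner":
                weak[m]["protects"].append(f"{cls} {key}")
    return weak
```

MAINT-EXAMPLE-B is reported even though it also lists MD5-PW, because any single satisfied `auth:` attribute is enough to authorize an update.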

