Re: ALTDB - Getting records removed
Are you referring to auto-dbm@ email, or the db-admin@ one? I emailed db-admin@ about 15 hours ago, and haven't heard back (although it didn't bounce this time!) Not sure what sort of response time to expect from a free service though.

On 5/16/2018 12:17 PM, mike.l...@gmail.com wrote:
> As stated yesterday, email was fixed on AltDB yesterday. Please try again.
>
> Thanks,
> Mike
>
>> On May 16, 2018, at 08:55, Delacruz, Anthony B wrote:
>>
>> Ditto, also interested; have dozens of old entries from previous delegations would like to see cleaned up, but my google-foo tells me it's been a nonresponsive black hole several years now that probably should just go away if it's not going to be maintained properly. I think my favorite is the "Is anyone still maintaining altdb.net?" thread from April 2011.
>>
>> -----Original Message-----
>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of John Hurley
>> Sent: Saturday, May 12, 2018 11:16 AM
>> To: nanog@nanog.org
>> Subject: ALTDB - Getting records removed
>>
>> Hi All,
>>
>> Recently acquired a new 2-byte AS number from ARIN. It had a previous owner who had records setup at ALTDB.
>>
>> I've sent emails to request removal but haven't heard anything back.
>>
>> Any tips or a different venue I can use to get in touch with the altdb folks?
>>
>> This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
Re: ALTDB - Getting records removed
As stated yesterday, email was fixed on AltDB yesterday. Please try again.

Thanks,
Mike

> On May 16, 2018, at 08:55, Delacruz, Anthony B wrote:
>
> Ditto, also interested; have dozens of old entries from previous delegations would like to see cleaned up, but my google-foo tells me it's been a nonresponsive black hole several years now that probably should just go away if it's not going to be maintained properly. I think my favorite is the "Is anyone still maintaining altdb.net?" thread from April 2011.
>
> -----Original Message-----
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of John Hurley
> Sent: Saturday, May 12, 2018 11:16 AM
> To: nanog@nanog.org
> Subject: ALTDB - Getting records removed
>
> Hi All,
>
> Recently acquired a new 2-byte AS number from ARIN. It had a previous owner who had records setup at ALTDB.
>
> I've sent emails to request removal but haven't heard anything back.
>
> Any tips or a different venue I can use to get in touch with the altdb folks?
RE: ALTDB - Getting records removed
Ditto, also interested; have dozens of old entries from previous delegations would like to see cleaned up, but my google-foo tells me it's been a nonresponsive black hole several years now that probably should just go away if it's not going to be maintained properly. I think my favorite is the "Is anyone still maintaining altdb.net?" thread from April 2011.

-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of John Hurley
Sent: Saturday, May 12, 2018 11:16 AM
To: nanog@nanog.org
Subject: ALTDB - Getting records removed

Hi All,

Recently acquired a new 2-byte AS number from ARIN. It had a previous owner who had records setup at ALTDB.

I've sent emails to request removal but haven't heard anything back.

Any tips or a different venue I can use to get in touch with the altdb folks?
Re: ALTDB - Getting records removed
The altdb email system should have been fixed earlier today. You may want to try to reach out to them again.

Thanks,
Mike

> On May 12, 2018, at 09:15, John Hurley wrote:
>
> Hi All,
>
> Recently acquired a new 2-byte AS number from ARIN. It had a previous owner who had records setup at ALTDB.
>
> I've sent emails to request removal but haven't heard anything back.
>
> Any tips or a different venue I can use to get in touch with the altdb folks?
Re: ALTDB question.
On Mon, 1 Jul 2013, Faisal Imtiaz wrote:

> Hello,
>
> A quick question for all.
>
> It's my understanding that the Maintainer object needs to be created first. This is accomplished by sending the template to db-ad...@altdb.net
>
> This is not an automated process, but gets done manually. If there is any discrepancy then one gets a reply back with the error.
>
> a) Am I correct in my understanding of above?
> b) Is there any auto reply to confirm email receipt? Or are the only replies after the request is either complete or sent back for missing / incorrect info?
> c) What would be the appropriate amount of time to wait for such a reply?
> d) Is there a way to check to see if the Maintainer object has been created?

Once created, your maintainer object will be visible in the whois served by whois.altdb.net.

If you're just getting started with IRR, no offense intended towards ALTDB, but I'd suggest using any of the other free ones. ARIN and RIPE are both, AFAIK, free for anyone to use and support better authentication than ALTDB. Also, AFAIK, ALTDB has been a one (or few?) person volunteer effort, and from time to time, there have been service outages, reliant on one or a few people for resolution. ARIN and RIPE are staffed and better financially backed.

--
 Jon Lewis, MCP :)           |  I route
                             |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Re: altdb?
On Apr 13, 2012, at 4:59 PM, Justin Zipkin wrote:

> Anybody know what the scoop is with ALTDB? It's been down since yesterday.

I just fixed it.

-jav
Re: ARIN IRR Authentication (was: Re: AltDB?)
On Jan 29, 2011, at 10:50 PM, Jeff Wheeler wrote:

> On Thu, Jan 27, 2011 at 10:00 PM, John Curran jcur...@arin.net wrote:
>> Based on the ARIN's IRR authentication thread a couple of weeks ago, there were suggestions placed into ARIN's ACSP process for changes to ARIN's IRR system. ARIN has looked at the integration issues involved and has scheduled an upgrade to the IRR system that will accept PGP and CRYPT-PW authentication as well as implementing notification support for both the mnt-nfy and notify fields by the end of August 2011.
>
> I'm glad to see that a decision was made to improve the ARIN IRR, rather than stick to status-quo or abandon it.

Good to hear.

> However, this response is essentially what most folks I spoke with off-list imagined: You have an immediate operational security problem which could cause service impact to ARIN members and others relying on the ARIN IRR database, and fixing it by allowing passwords or PGP to be used is not very hard.

I appreciate your estimate of the effort required to address this problem, but we're not doing this as a completely separate system but with the intention of having some level of integration with our existing ARIN Online system in the future. While this may take more effort, and was not in our original 2011 budget, we have been able to add it to plan with development to begin later in the year.

> As I have stated on this list, I believe ARIN is not organizationally capable of handling operational issues.

You've asserted this belief in prior messages (as well as noting that "No one is forced to use ARIN IRR"). If the IRR does not meet your needs during this period, I would recommend using one of the many alternative routing registries available.

In any case, I'd like to thank you again for raising the concern about lack of IRR authentication, as it was instrumental in bringing this matter to resolution.

Thanks!
/John

John Curran
President and CEO
ARIN
Re: ARIN IRR Authentication (was: Re: AltDB?)
On Thu, Jan 27, 2011 at 10:00 PM, John Curran jcur...@arin.net wrote:
> Based on the ARIN's IRR authentication thread a couple of weeks ago, there were suggestions placed into ARIN's ACSP process for changes to ARIN's IRR system. ARIN has looked at the integration issues involved and has scheduled an upgrade to the IRR system that will accept PGP and CRYPT-PW authentication as well as implementing notification support for both the mnt-nfy and notify fields by the end of August 2011.

I'm glad to see that a decision was made to improve the ARIN IRR, rather than stick to status-quo or abandon it.

However, this response is essentially what most folks I spoke with off-list imagined: You have an immediate operational security problem which could cause service impact to ARIN members and others relying on the ARIN IRR database, and fixing it by allowing passwords or PGP to be used is not very hard.

As I have stated on this list, I believe ARIN is not organizationally capable of handling operational issues. This should make everyone very worried about any ARIN involvement in RPKI, or anything else that could possibly have short-term operational impact on networks. Your plan to fix the very simple IRR problem within eight months is a very clear demonstration that I am correct.

How did you arrive at the eight month time-frame to complete this project?

Can you provide more detail on what CRYPT-PW hash algorithm(s) will be supported? Specifically, the traditional DES crypt(3) is functionally obsolete, and its entire key-space can be brute-forced within a few days on one modern desktop PC. Will you follow the practice established by several other IRR databases (including MERIT RADB) and avoid exposing the hashes by way of whois output and IRR database dumps?

If PGP is causing your delay, why don't you address the urgent problem of supporting no authentication mechanism at all first, and allow CRYPT-PW (perhaps with a useful hash algorithm) and then spend the remaining 7.9 months on PGP? The plan and schedule you have announced is indefensible for an operational security issue.

--
Jeff S Wheeler j...@inconcepts.biz
Sr Network Operator / Innovative Network Concepts
Re: ARIN IRR Authentication (was: Re: AltDB?)
> Based on the ARIN's IRR authentication thread a couple of weeks ago, there were suggestions placed into ARIN's ACSP process for changes to ARIN's IRR system. ARIN has looked at the integration issues involved and has scheduled an upgrade to the IRR system that will accept PGP and CRYPT-PW authentication as well as implementing notification support for both the mnt-nfy and notify fields by the end of August 2011.

way cool! thank you.

randy
Re: ARIN IRR Authentication (was: Re: AltDB?)
On Jan 28, 2011, at 4:09 AM, Randy Bush wrote:
>> Based on the ARIN's IRR authentication thread a couple of weeks ago, there were suggestions placed into ARIN's ACSP process for changes to ARIN's IRR system. ARIN has looked at the integration issues involved and has scheduled an upgrade to the IRR system that will accept PGP and CRYPT-PW authentication as well as implementing notification support for both the mnt-nfy and notify fields by the end of August 2011.
>
> way cool! thank you.

No problem at all (and my apologies for not noticing this state of affairs sooner)

/John
ARIN IRR Authentication (was: Re: AltDB?)
On Jan 11, 2011, at 9:14 AM, John Curran wrote:
> As noted, we're now looking into how to fix the IRR authentication situation and will report back asap.

Based on the ARIN's IRR authentication thread a couple of weeks ago, there were suggestions placed into ARIN's ACSP process for changes to ARIN's IRR system. ARIN has looked at the integration issues involved and has scheduled an upgrade to the IRR system that will accept PGP and CRYPT-PW authentication as well as implementing notification support for both the mnt-nfy and notify fields by the end of August 2011.

For further details, please look at:
https://www.arin.net/participate/acsp/suggestions/2011-1.html
https://www.arin.net/participate/acsp/suggestions/2011-2.html

I'd like to thank everyone for bringing this situation to our attention, and will report back once this functionality is in place.

Thanks!
/John

John Curran
President and CEO
ARIN
Re: AltDB?
On Jan 11, 2011, at 1:45 AM, Doug Barton wrote:
> On (admittedly) cursory exam I didn't see a form to submit anything, so I gravitated to the rather large login widget under the assumption that it must be important because it's so big. :)
> ...

Doug -

It's perfectly understandable, and doesn't distract from your main point that the circumstances (ARIN effectively mandating MAIL-FROM for authentication) is patently unacceptable and shouldn't require any more effort than pointing such out in email. I did not perceive the situation initially, and hence sent Jeff Wheeler off to said suggestion form.

As noted, we're now looking into how to fix the IRR authentication situation and will report back asap.

/John

John Curran
President and CEO
ARIN
Re: arin and ops fora (was Re: AltDB?)
On 1/11/2011 12:57 AM, David Conrad wrote:
> Or not. It may be that network operators (not just the ones that show up at ARIN meetings and are on PPML) are happy with the existing communication channels and that additional structures to encourage participation and input in the ARIN region regarding services ARIN provides to the public are unnecessary.

Public easily reachable people. Public information on operations and what they do on their website with tons of pointers (even if it's not laid out the best). Public participation mailing lists. Presence of key people on other lists such as nanog. What more is an org supposed to do to communicate with people? Even the CEO lurks on nanog and responds when necessary. What community were you wanting them to interface with?

I could be wrong, but I suspect any genius ideas which the CEO hears via the various communication mediums may quickly find its way to be implemented. Sure, it may get restricted to some degree depending on how people in PPML feel about it. I'm sure the membership has some say on how their money is spent. Neither of these things limit the ability to suggest an idea.

Jack
RE: AltDB?
On Jan 11, 2011 at 8:14AM, John Curran wrote:
> It's perfectly understandable, and doesn't distract from your main point that the circumstances (ARIN effectively mandating MAIL-FROM for authentication) is patently unacceptable and shouldn't require any more effort than pointing such out in email. I did not perceive the situation initially, and hence sent Jeff Wheeler off to said suggestion form.
>
> As noted, we're now looking into how to fix the IRR authentication situation and will report back asap.

As you are checking out authentication, can you also check out the notify fields as well? I was informed in July 2010 that neither mnt-nfy nor notify fields were operational. I submitted suggestion 2011.2 requesting these be activated.

Regards,
Andrew Koch
TDS Telecom - IP Network Operations
andrew.k...@tdstelecom.com
Re: AltDB?
On Jan 11, 2011, at 10:18 AM, Koch, Andrew wrote:
> As you are checking out authentication, can you also check out the notify fields as well? I was informed in July 2010 that neither mnt-nfy nor notify fields were operational. I submitted suggestion 2011.2 requesting these be activated.

Will do - Thanks for the note.

/John

John Curran
President and CEO
ARIN
Re: arin and ops fora (was Re: AltDB?)
On Jan 11, 2011, at 6:15 AM, Jack Bates wrote:
> On 1/11/2011 12:57 AM, David Conrad wrote:
>> Or not. It may be that network operators (not just the ones that show up at ARIN meetings and are on PPML) are happy with the existing communication channels and that additional structures to encourage participation and input in the ARIN region regarding services ARIN provides to the public are unnecessary.
>
> Public easily reachable people. Public information on operations and what they do on their website with tons of pointers (even if it's not laid out the best). Public participation mailing lists. Presence of key people on other lists such as nanog. What more is an org supposed to do to communicate with people? Even the CEO lurks on nanog and responds when necessary. What community were you wanting them to interface with?
>
> I could be wrong, but I suspect any genius ideas which the CEO hears via the various communication mediums may quickly find its way to be implemented. Sure, it may get restricted to some degree depending on how people in PPML feel about it. I'm sure the membership has some say on how their money is spent. Neither of these things limit the ability to suggest an idea.
>
> Jack

Just to be clear... Participation in PPML is open to ANYONE, not just ARIN members. There are a lot of non-members on PPML and their voices count just as much as members on that list.

Owen
Re: arin and ops fora (was Re: AltDB?)
On 1/9/2011 5:27 PM, John Curran wrote:
> Excellent question. To the extent that it is best practices on these types of services, then that's relatively easy for ARIN to interface with... if it is specific direction to ARIN to do xyz, then ultimately the decision rests with the ARIN Board regarding that input, since that involves how we spend the service fees of the members.

Which ARIN membership does have some resources on, though I do believe they could be improved, as most membership input deals more with the NRPM and not with auxiliary services.

> The role is served by the ARIN Board, which is member-elected and composed of volunteers (and myself as CEO). If folks think that a more formal structure for operational input (either within ARIN or via liaison to another body) is called for, I'd suggest continued discussion on the various mailing lists.

It's always a stickler, too. PPML works well for NRPM, but ARIN doesn't have enough auxiliary services to warrant a mailing list dealing with them. It becomes more of a suggestion, proposal, feedback, implementation, more feedback process. ARIN is generally good at notification of implementation concerning new services, though it would be nice if they had better channels for feedback through the entire process of new services so that they could be closer in sync with the membership. I don't believe services should reach the PDP level, but better communication wouldn't hurt, especially with members who generally don't know how or realize they can participate.

It's just my personal opinion as a member. ARIN always has communication with other organizations and even nanog. They've always been polite in accepting input from others (even if they don't implement every suggestion, they'll be much nicer than some IETF people). :)

Jack
Re: AltDB? (IRR support direction at ARIN)
On Sun, 9 Jan 2011, Charles N Wyble wrote:
> I am simply suggesting it is dangerous and irresponsible to run an IRR with only MAIL-FROM authentication, and quite easy to also support CRYPT-PW. ARIN should either support passwords or immediately make

The trouble is, since the DES crypt passwords are publicly accessible, even CRYPT-PW is not much security. I suspect with a copy of the db, a password cracking program, and some modest computing capacity, you could crack all the passwords in ALTDB before this thread dies.

I've been trying to convert from CRYPT-PW to PGPKEY auth, but I don't seem to be having much luck getting that working. I've put a key-cert (PGPKEY-7ABEC6A3) into altdb, and changed our mntner to permit either CRYPT-PW or PGPKEY-7ABEC6A3 for auth. But PGP signed update requests result in "#ERROR: Authorization failure." I'm not sure why I'm getting this auth failure. i.e. Something wrong with the formatting of my submissions? Something wrong with my key-cert? The certif: from my key-cert wasn't automatically imported into the auto-dbm keyring? I'm assuming I can take a RPSL format submission, save it to a file, use GPG to clearsign it, and put the result in the body of an email to auto-dbm.

It's also possible altdb doesn't actually have working PGP support. Looking at the database dump I downloaded the other day, only one mntner uses PGP as their sole auth method...and that mntner hasn't made changes to any objects since the last change to their mntner...so it could be they changed to PGP auth, never got it working, and abandoned altdb. I was afraid of losing control of my mntner if there were issues with PGP, so I figured I'd add PGP as an auth method, test it, and then after seeing it work, remove CRYPT-PW.

--
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Re: AltDB? (IRR support direction at ARIN)
On Mon, Jan 10, 2011 at 12:37 PM, Jon Lewis jle...@lewis.org wrote:
> On Sun, 9 Jan 2011, Charles N Wyble wrote:
>> I am simply suggesting it is dangerous and irresponsible to run an IRR with only MAIL-FROM authentication, and quite easy to also support CRYPT-PW. ARIN should either support passwords or immediately make
>
> The trouble is, since the DES crypt passwords are publicly accessible, even CRYPT-PW is not much security. I suspect with a copy of the db, a password cracking program, and some modest computing capacity, you could crack all

DES crypt() is not completely trivial yet, but I agree, it is far from state-of-the-art. It is substantially superior to MAIL-FROM. In addition, MERIT reduced this problem by simply filtering out the hashes from the RADB.db file and whois output (and presumably also, the www.radb.net tools.)

--
Jeff S Wheeler j...@inconcepts.biz
Sr Network Operator / Innovative Network Concepts
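Two defender-side points run through this exchange and Jeff's later reply to John Curran: a mntner that lists CRYPT-PW next to PGPKEY (Jon's migration strategy) is still only as strong as its weakest accepted auth: line, because any one matching line authorizes an update; and a registry that publishes CRYPT-PW hashes in dumps or whois hands out offline-crackable DES crypt(3) material, which is why RADB filters them. The script below is an added example, not code from ALTDB, RADB or ARIN: it parses a small constructed RPSL dump (maintainer names, addresses and 13-character hashes are made up), reports each mntner's weakest accepted scheme, and writes a redacted copy; the "# Filtered" marker is this example's own choice, not RADB's exact wording.

```python
"""Audit auth: methods in an IRR dump and redact CRYPT-PW hashes before
publishing it. Added example, not code from ALTDB, RADB or ARIN."""
import re

# Constructed sample dump: three RPSL mntner objects, blank-line separated,
# as an IRR database file presents them. Names, addresses and the 13-char
# DES crypt(3) hashes are made up for this example.
SAMPLE_DUMP = """\
mntner:      MAINT-EXAMPLE-A
descr:       constructed example, MAIL-FROM only
upd-to:      noc@example-a.test
auth:        MAIL-FROM .*@example-a\\.test
mnt-by:      MAINT-EXAMPLE-A
source:      ALTDB

mntner:      MAINT-EXAMPLE-B
descr:       constructed example, CRYPT-PW only
upd-to:      noc@example-b.test
auth:        CRYPT-PW ab3Xy7Zq9LmNo
mnt-by:      MAINT-EXAMPLE-B
source:      ALTDB

mntner:      MAINT-EXAMPLE-C
descr:       constructed example, PGP added but CRYPT-PW kept as fallback
upd-to:      noc@example-c.test
auth:        CRYPT-PW cD4eF5gH6iJkL
auth:        PGPKEY-0123ABCD
mnt-by:      MAINT-EXAMPLE-C
source:      ALTDB
"""

# Weakest to strongest, as argued in the thread: MAIL-FROM trusts a forgeable
# header, CRYPT-PW is DES crypt(3) with a published hash, PGPKEY needs a
# signature from a key registered in a key-cert object.
AUTH_RANK = {"MAIL-FROM": 0, "CRYPT-PW": 1, "PGPKEY": 2}


def parse_objects(dump):
    """Split an RPSL dump into objects: attribute name -> list of values.

    Objects are separated by blank lines; repeated attributes (several auth:
    lines) are kept in order. RPSL continuation lines are not handled here.
    """
    objects, current = [], {}
    for raw in dump.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                objects.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def auth_scheme(value):
    """Scheme name of one auth: value; PGPKEY-<keyid> collapses to PGPKEY."""
    first = value.split()[0]
    return "PGPKEY" if first.startswith("PGPKEY-") else first


def weakest_auth(mntner):
    """Effective strength of a mntner.

    An update is accepted if ANY auth: line is satisfied, so adding PGPKEY
    beside CRYPT-PW does not raise the bar until the CRYPT-PW line is removed.
    Unknown schemes rank lowest so they surface for review.
    """
    schemes = [auth_scheme(v) for v in mntner.get("auth", [])]
    if not schemes:
        return "NONE"
    return min(schemes, key=lambda s: AUTH_RANK.get(s, -1))


def audit(dump):
    """Map each mntner name to its weakest accepted auth scheme."""
    return {obj["mntner"][0]: weakest_auth(obj)
            for obj in parse_objects(dump) if "mntner" in obj}


# An auth: line carrying a CRYPT-PW hash; group 1 keeps attribute and scheme.
_CRYPT_LINE = re.compile(r"^(auth:\s+CRYPT-PW)\s+\S+.*$", re.MULTILINE)


def redact_hashes(dump):
    """Return a copy of the dump fit for whois output or public download.

    The hash is replaced by a marker so the auth method stays visible but
    nothing is left to crack offline. Marker text is this example's choice.
    """
    return _CRYPT_LINE.sub(r"\1 # Filtered", dump)


if __name__ == "__main__":
    for name, scheme in audit(SAMPLE_DUMP).items():
        print(f"{name}: weakest accepted auth = {scheme}")
    print(redact_hashes(SAMPLE_DUMP))
```

Run against a real dump, the audit output is the list of maintainers to chase for migration, and the redacted copy is what should reach whois and the public mirror.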
Re: arin and ops fora (was Re: AltDB?)
On Jan 10, 2011, at 7:25 AM, Jack Bates wrote:
> On 1/9/2011 5:27 PM, John Curran wrote:
>> Excellent question. To the extent that it is best practices on these types of services, then that's relatively easy for ARIN to interface with... if it is specific direction to ARIN to do xyz, then ultimately the decision rests with the ARIN Board regarding that input, since that involves how we spend the service fees of the members.
>
> Which ARIN membership does have some resources on, though I do believe they could be improved, as most membership input deals more with the NRPM and not with auxiliary services.

Members may bring any topic of interest to arin-discuss. The fact that there is more traffic on ppml dealing with the NRPM than there is on arin-discuss dealing with other issues is a matter of where the members choose to focus their attention more than anything else.

>> The role is served by the ARIN Board, which is member-elected and composed of volunteers (and myself as CEO). If folks think that a more formal structure for operational input (either within ARIN or via liaison to another body) is called for, I'd suggest continued discussion on the various mailing lists.
>
> It's always a stickler, too. PPML works well for NRPM, but ARIN doesn't have enough auxiliary services to warrant a mailing list dealing with them. It becomes more of a suggestion, proposal, feedback, implementation, more feedback process. ARIN is generally good at notification of implementation concerning new services, though it would be nice if they had better channels for feedback through the entire process of new services so that they could be closer in sync with the membership. I don't believe services should reach the PDP level, but better communication wouldn't hurt, especially with members who generally don't know how or realize they can participate.

PPML is a forum for the community (not just ARIN members, the entire community). There is a separate mailing list... arin-discuss which is for members of ARIN to discuss any ARIN-related topic of interest to the membership. They can and sometimes do discuss operational matters there.

Additionally, there is the ACSP which allows members or the community to send comments and suggestions to ARIN regarding anything, including operations, etc. The ACSP provides a process for community review of the suggestions and semi-formal comment processes as well.

Everything you are asking for in your last paragraph is available. Perhaps what is needed is better education of the membership and community on what tools are available and how to use them.

Were you familiar with arin-discuss prior to this message? If so, in what way does it not meet the need you are describing?

I'm not trying to pick on you Jack. I'm really trying to identify if what we have here is an issue of needing better tools, or, if all we need is better education and utilization of the tools that are already in place, or, some combination of both.

Thanks,
Owen
Re: arin and ops fora (was Re: AltDB?)
On 1/10/2011 5:13 PM, Owen DeLong wrote:
> Members may bring any topic of interest to arin-discuss. The fact that there is more traffic on ppml dealing with the NRPM than there is on arin-discuss dealing with other issues is a matter of where the members choose to focus their attention more than anything else.

Would that be the list I've tried to subscribe to multiple times, get an autoresponder that it has to be approved, and then never hear a word?

> PPML is a forum for the community (not just ARIN members, the entire community).

Good to know. I was under the impression that it was member only.

> There is a separate mailing list... arin-discuss which is for members of ARIN to discuss any ARIN-related topic of interest to the membership. They can and sometimes do discuss operational matters there.

Except it's listed as no input from ARIN itself?

> Everything you are asking for in your last paragraph is available. Perhaps what is needed is better education of the membership and community on what tools are available and how to use them.
>
> Were you familiar with arin-discuss prior to this message? If so, in what way does it not meet the need you are describing?

I can't get subscribed, so, :P

I also haven't seen on the website pointers for where different tools and resources fall into for community review, comment, suggestion, etc. Perhaps it's just my website navigation skills. However, as I said previously, I have no serious complaints. It's not like the AC and CEO aren't publicly visible and vocal.

Jack
Re: arin and ops fora (was Re: AltDB?)
>> PPML is a forum for the community (not just ARIN members, the entire community).
>
> Good to know. I was under the impression that it was member only.

Nope... Anyone interested can subscribe to PPML.

>> There is a separate mailing list... arin-discuss which is for members of ARIN to discuss any ARIN-related topic of interest to the membership. They can and sometimes do discuss operational matters there.
>
> Except it's listed as no input from ARIN itself?

ARIN does occasionally send informational postings to arin-discuss, but, you are correct that ARIN staff does not engage in the discussions on that list. Perhaps a mechanism for ARIN participation would be a good improvement in this area.

>> Everything you are asking for in your last paragraph is available. Perhaps what is needed is better education of the membership and community on what tools are available and how to use them.
>>
>> Were you familiar with arin-discuss prior to this message? If so, in what way does it not meet the need you are describing?
>
> I can't get subscribed, so, :P

I'll try to address this issue with you off-list.

> I also haven't seen on the website pointers for where different tools and resources fall into for community review, comment, suggestion, etc. Perhaps it's just my website navigation skills. However, as I said previously, I have no serious complaints. It's not like the AC and CEO aren't publicly visible and vocal.

Thanks... We try to be accessible to the community for just this reason.

I think the website doesn't particularly point to those things, but, there pretty much are only three directions to go and the web site does provide a description of each one...

PPML for discussion of number resource policies and related matters.

ACSP for suggestions and consultations of the community on non-policy matters.

arin-discuss mailing list for discussion with other members about any topic of interest to the ARIN membership, potentially including demand/desire for tools, operational practices of ARIN, fees, etc.

Does that help?

Owen
Re: AltDB?
On 01/09/2011 10:09, John Curran wrote:
> On Jan 9, 2011, at 2:09 AM, Jeff Wheeler wrote:
>> In terms of database size, excluding RIPE, the ARIN IRR is the 8th largest, ahead of ALTDB and about 10% as large as Level3, the second largest IRR database (except RIPE.) A mass-corruption of the ARIN IRR overnight might be a serious incident causing service impact to a large number of users and businesses, and cause probably thousands of people to be got out of bed in the middle of the night, but clearly it would not be a total disaster.
>
> Jeff -
>
> Please suggest your preferred means of IRR authentication to the ARIN suggestion process: https://www.arin.net/participate/acsp/index.html
>
> Alternatively, point to a best practice document from the operator community for what should be done here. ARIN's work plan is very much driven by community input, so that's what is needed here.

John,

I get what motivates this response, and am even guilty of having provided similar responses. So I'm not going to glom onto the criticism of this as a response _per se_. However, there is a line beyond which some things cross which takes them out of the realm of, "Show me you care about this issue by reporting it in triplicate" and into the category of "This is bad on its face and I need to use my internal channels to get people an answer ASAP." To me (speaking as someone with absolutely no dog in this hunt) the issue of "The only authentication method available for the ARIN IRR is mail-from" clearly falls into the latter category. My reading of the reaction here is incredulity that this was not your immediate response, and (once again without trying to glom on) this is a reaction that I share.

Now it seems that you acknowledged that further on in this thread, but just for fun I decided to try your suggestions-suggestion. I went to the site, it requires a login. Well, ok, I think having a method for "I don't want to track this I just want to throw it over the wall in case someone cares" might be valuable, but everyone wants a login nowadays, so fine. I attempt to click the "new user?" link, and at some point I realize that the site requires cookies for login stuff. Ok, another necessary evil. So I enter my desired information, and click continue, and get bounced right back to the original page. I figure my registration was successful and attempt to log in. That fails. I click the assistance link and enter the e-mail address I used to register, it's not registered. So I go back to the registration form, enter my information again, and hit Continue. This time I got an error message, user names must be at least 6 characters. Um ok. So I think of another username, click Continue, and get a new error:

  The e-mail address you entered appears to be a role account. Please enter an e-mail address that contains your name or initials. Note that ARIN Web account information will not be published in ARIN's Whois. If the e-mail address you entered is not a role account, please contact the Registration Services Department at hostmas...@arin.net or +1.703.227.0660.

I create e-mail addresses of the form blah@dougbarton.us for all the sites that I register on to track whether or not they use my e-mail address for nefarious purposes. So yes, a...@dougbarton.us looks like a role account, but it's not. So I'll bite, I'll call the number and talk to them. Ooops! I called at 4:01 pm PST, and y'all had closed up shop 1 minute earlier. (Yes, I realize that the ARIN office is on the East Coast, don't care. My working day is still going on for hours more. Must really suck for ops in HI.)

Now admittedly my method of working on line is different from the average Internet user, although arguably not _that_ different from a lot of the people in your custo^Wmember demographic. So one could make the argument that in its current form the suggestions page actually serves as a barrier to entry, rather than an effective communications channel.

But soldiering on, I put in my regular e-mail address, and hit Continue again. It once again bounced me back to the main page, but once again, I was not actually registered. So, I started the whole registration process all over again, and this time it succeeded. So now... "You must accept the Terms of Service Agreement in order to proceed." Hmm.. well, 79 very long lines of text, no way to download the document for my lawyers to review, and most of it applies to people managing information related to services. But what the heck, I'll give it a go.

So now I have to create a web profile. First/Last, Company, and full postal address are all mandatory fields. Ok, all done with that, now I actually have a web account. *phew* Wait, what was I going to do with it again? Oh yes, I was going to submit a suggestion... um, where is the link for suggestions? At the top of the page I have Number Resources, Participate, Policies, Fees & Invoices, Knowledge, About Us.
Re: AltDB?
On Jan 10, 2011, at 7:57 PM, Doug Barton wrote:
> On 01/09/2011 10:09, John Curran wrote:
>> Please suggest your preferred means of IRR authentication to the ARIN suggestion process: https://www.arin.net/participate/acsp/index.html
> ...
> Now it seems that you acknowledged that further on in this thread, but just for fun I decided to try your suggestions-suggestion. I went to the site, it requires a login.

Doug -

Perhaps you saw the ARIN Online login on the left side and decided to create an account for registration services? The Suggestion Process page should have displayed for you without any login; it describes the suggestion process as follows:

"Any person in the ARIN community is welcome to make a suggestion regarding an existing or potential ARIN service or practice. Such a suggestion will be sent to ARIN as described at Suggestion Submission https://www.arin.net/app/suggestion/ page."

That Suggestion Submission form seems operational without any login as well (or at least works best I can recreate at this time using various browsers.)

> Well, ok, I think having a method for I don't want to track this I just want to throw it over the wall in case someone cares might be valuable

That's the intent, and if it's not working that way, then it will be fixed. Can you double check that the suggestion process page displayed including the link to the simple suggestion form?

Thanks!
/John

John Curran
President and CEO
ARIN
Re: AltDB?
On Tue, 11 Jan 2011, John Curran wrote:
> Any person in the ARIN community is welcome to make a suggestion regarding an existing or potential ARIN service or practice. Such a suggestion will be sent to ARIN as described at Suggestion Submission https://www.arin.net/app/suggestion/ page.

I just used that to put in the suggestion that rr.arin.net be updated to support CRYPT-PW (DES and MD5) and PGP, along with reasoning for the suggestion. The page had a captcha on it. Immediately after submitting it, I got an email saying I had to hit a link to confirm the suggestion. Does ARIN get that much form submission spam on the suggestion form (with the captcha)? My suggestion ID is 2011.1...so I'm guessing this isn't a heavily used form :)

--
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Re: AltDB?
On 01/10/2011 19:18, John Curran wrote:
> On Jan 10, 2011, at 7:57 PM, Doug Barton wrote:
>> On 01/09/2011 10:09, John Curran wrote:
>>> Please suggest your preferred means of IRR authentication to the ARIN suggestion process: https://www.arin.net/participate/acsp/index.html
>> ...
>> Now it seems that you acknowledged that further on in this thread, but just for fun I decided to try your suggestions-suggestion. I went to the site, it requires a login.
>
> Doug - Perhaps you saw the ARIN Online login on the left side and decided to create an account for registration services?

Wasn't a conscious decision, no. :) The page at the URL above looks like this for me: http://dougbarton.us/ARIN-Participation.png

That's using firefox 3.6.13 on FreeBSD with a few addons, but nothing that should be affecting how the page renders. OTOH I do have the minimum font size cranked up globally.

On (admittedly) cursory exam I didn't see a form to submit anything, so I gravitated to the rather large login widget under the assumption that it must be important because it's so big. :) Of course I wish now that I had spent a little more time searching for a suggestion link, but with the only prominently displayed suggestion-related item being the "ARIN Consultation and Suggestion Process" header, and no form below it, my eye went to the next biggest thing.

> The Suggestion Process page should have displayed for you without any login; it describes the suggestion process as follows:
>
> Any person in the ARIN community is welcome to make a suggestion regarding an existing or potential ARIN service or practice. Such a suggestion will be sent to ARIN as described at Suggestion Submission https://www.arin.net/app/suggestion/ page.

Yes, when going to that page it's a lot more clear. I'm glad that it's my own incompetence that prevented me from effectively making a submission. Perhaps we're all better off as a result. :)

Doug

--
    Nothin' ever doesn't change, but nothin' changes much.
            -- OK Go

    Breadth of IT experience, and depth of knowledge in the DNS.
    Yours for the right price.  :)  http://SupersetSolutions.com/
Re: arin and ops fora (was Re: AltDB?)
Owen,

On Jan 8, 2011, at 8:56 PM, Owen DeLong wrote:
>> I suspect part of the issue is that ARIN is a monopoly provider of a variety of public services that folks unrelated (directly) to ARIN must make use of. In other areas of public service provision, there are things like public utilities commissions that (in theory) ensure the monopoly service provider acts in the public benefit when services are added/changed/deleted. My impression is that the various WGs and SIGs in the other RIRs perform something similar to that function. There doesn't appear to be anything similar in the ARIN region.
>
> In ARIN, there are things like BoT elections and the BoT very much fulfills the role of the PUC as you describe above.

Well, ARIN BoT members are fiduciarily responsible for ARIN. PUC members, to my understanding, are responsible to the public. In my experience on ARIN's board, the key role of the board was to ensure the public policy process was followed, not oversight of how public services are provided. However, things might have changed -- that was some time ago.

> People can submit requests for operational changes to ARIN through the ACSP and in my experience they get a good review and comment period by the community

Which community? ARIN or NANOG?

> and the board listens to these things and responds appropriately.

Somewhat as an aside, I'm a bit surprised the board would get involved at the level of detail this implies. I would've thought how public services are to be provided would be an operational decision made by the ARIN CEO/staff and that the board would only get involved to ensure sufficient resources were available.

> Especially if a suggestion receives significant support, it tends to get implemented.

My impression of the concern is that the definition of support and decisions regarding what gets implemented are made within a subset of the network operations community.

Regards,
-drc
Re: arin and ops fora (was Re: AltDB?)
Owen,

On Jan 10, 2011, at 3:13 PM, Owen DeLong wrote:
> Members may bring any topic of interest to arin-discuss.

Just to be clear, arin-discuss is limited to ARIN members?

> They can and sometimes do discuss operational matters there.

Operational matters that impact more than members?

> The ACSP provides a process for community review of the suggestions and semi-formal comment processes as well.

Which community?

Regards,
-drc
Re: arin and ops fora (was Re: AltDB?)
Lee,

On Jan 9, 2011, at 8:40 AM, Lee Howard wrote:
> Are you saying ARIN needs an ombudsman function to make sure the Board doesn't delay implementation of things the community wants while it figures out whether doing such things will prevent it from doing other things the community wants?

No (or at least I don't think so -- I have difficulty parsing that sentence). I'm suggesting that the informal input mechanisms historically and currently used by ARIN to determine what should be done (and to some extent how) may be insufficient, inefficient, and/or imply certain risks given that many of the services provided by ARIN are done on a monopoly basis and failure of those services could have global effect.

Or not. It may be that network operators (not just the ones that show up at ARIN meetings and are on PPML) are happy with the existing communication channels and that additional structures to encourage participation and input in the ARIN region regarding services ARIN provides to the public are unnecessary.

> I don't understand how this bee-watcher-watcher thing works.

Sorry, which?

Regards,
-drc
Re: arin and ops fora (was Re: AltDB?)
On Jan 10, 2011, at 8:52 PM, David Conrad wrote:
> Owen,
>
> On Jan 10, 2011, at 3:13 PM, Owen DeLong wrote:
>> Members may bring any topic of interest to arin-discuss.
>
> Just to be clear, arin-discuss is limited to ARIN members?

To the best of my knowledge, yes.

>> They can and sometimes do discuss operational matters there.
>
> Operational matters that impact more than members?

Operational matters as in ARIN operations. While operations ARIN does such as rDNS, whois, etc. may impact those outside of ARIN membership, ARIN members are (generally) the ones paying for those operations. If you want a say in changing those operations (and thus changing what it costs to perform them), you can become a member of ARIN for a mere $500/year, or, you can use the ACSP which is the process for submitting non-policy matters to ARIN which are then brought before the community on PPML in a non-policy context.

>> The ACSP provides a process for community review of the suggestions and semi-formal comment processes as well.
>
> Which community?

The community on PPML.

Owen
Re: arin and ops fora (was Re: AltDB?)
On Jan 10, 2011, at 8:23 PM, David Conrad wrote:
> Owen,
>
> On Jan 8, 2011, at 8:56 PM, Owen DeLong wrote:
>>> I suspect part of the issue is that ARIN is a monopoly provider of a variety of public services that folks unrelated (directly) to ARIN must make use of. In other areas of public service provision, there are things like public utilities commissions that (in theory) ensure the monopoly service provider acts in the public benefit when services are added/changed/deleted. My impression is that the various WGs and SIGs in the other RIRs perform something similar to that function. There doesn't appear to be anything similar in the ARIN region.
>>
>> In ARIN, there are things like BoT elections and the BoT very much fulfills the role of the PUC as you describe above.
>
> Well, ARIN BoT members are fiduciarily responsible for ARIN. PUC members, to my understanding, are responsible to the public. In my experience on ARIN's board, the key role of the board was to ensure the public policy process was followed, not oversight of how public services are provided. However, things might have changed -- that was some time ago.

Yes, ARIN BoT members have fiduciary responsibility for ARIN. However, the ARIN charter is not the same as most corporations. Indeed, as I understand it, the ARIN charter requires that ARIN disband itself if that is determined to be what is in the best interests of the community. The board is accountable to the ARIN membership, which includes all subscriber ISPs and others who pay their annual membership dues.

I believe the board both ensures that the public policy process is followed and performs other executive management and leadership functions governing the operations of ARIN at a high level. Obviously most of the day-to-day decision making for that is vested in the CEO who also sits on the board.

>> People can submit requests for operational changes to ARIN through the ACSP and in my experience they get a good review and comment period by the community
>
> Which community? ARIN or NANOG?

Those who subscribe to PPML. If you are interested in having a voice in ARIN policies or how ARIN operates, it's essential to be on that list.

>> and the board listens to these things and responds appropriately.
>
> Somewhat as an aside, I'm a bit surprised the board would get involved at the level of detail this implies. I would've thought how public services are to be provided would be an operational decision made by the ARIN CEO/staff and that the board would only get involved to ensure sufficient resources were available.

For the most part, it is. However, if the community is asking for something ARIN isn't doing or pushing for ARIN to change how it does something, the board tends to at least review the matter.

>> Especially if a suggestion receives significant support, it tends to get implemented.
>
> My impression of the concern is that the definition of support and decisions regarding what gets implemented are made within a subset of the network operations community.

Anyone who wants to participate can join the mailing list and do so. I'm not sure how you would extend it to a wider group without seriously diminishing returns.

Owen
RE: arin and ops fora (was Re: AltDB?)
> On Jan 8, 2011, at 4:40 AM, Lee Howard wrote:
>> I think that's a bit of what we've been trying to do with the Best Current Operational Practices BoFs. We need a place where operators can discuss and document BCOPs.
>
> While I think BCOPs (and BCOP BoFs) are a great idea, I guess the question is how can folks be assured that ARIN would follow a NANOG community-defined BCOP relating directly to ARIN operations. For example, if the NANOG community were to (reasonably) say BCOP is to use IETF-defined standards for publishing and accessing resource registration data, I'd imagine ARIN might (reasonably) disagree and continue down the RWS path.

I don't think of BCOP as a subset of NANOG, but as an overlap of several communities, including NANOG and ARIN. Certainly ARIN is not bound by BCOP's findings (no one would be), but the AC and Board would take seriously a community-consensus best practice. I doubt ARIN would be surprised by any BCOP finding, given the involvement of several ARIN AC members in it.

> provision, there are things like public utilities commissions that (in theory) ensure the monopoly service provider acts in the public benefit when services are added/changed/deleted. My impression is that the various WGs and SIGs in the other RIRs perform something similar to that function. There doesn't appear to be anything similar in the ARIN region.

Are you saying ARIN needs an ombudsman function to make sure the Board doesn't delay implementation of things the community wants while it figures out whether doing such things will prevent it from doing other things the community wants? I don't understand how this bee-watcher-watcher thing works.

Lee
Re: AltDB?
On Jan 9, 2011, at 2:09 AM, Jeff Wheeler wrote:
> In terms of database size, excluding RIPE, the ARIN IRR is the 8th largest, ahead of ALTDB and about 10% as large as Level3, the second largest IRR database (except RIPE.) A mass-corruption of the ARIN IRR overnight might be a serious incident causing service impact to a large number of users and businesses, and cause probably thousands of people to be got out of bed in the middle of the night, but clearly it would not be a total disaster.

Jeff -

Please suggest your preferred means of IRR authentication to the ARIN suggestion process: https://www.arin.net/participate/acsp/index.html

Alternatively, point to a best practice document from the operator community for what should be done here. ARIN's work plan is very much driven by community input, so that's what is needed here.

Thanks!
/John

John Curran
President and CEO
ARIN
Re: AltDB? (IRR support direction at ARIN)
On Jan 5, 2011, at 12:07 PM, Jeff Wheeler wrote:
> I would like to note that RADB had route6: support in about 2004 or so, if my memory serves me; while the ARIN database did not accept route6 objects until about a year ago. So it is not exactly a high priority for ARIN.

The priority of IRR at ARIN is based on community feedback and direction. There is no particular reason for ARIN to focus on ongoing IRR enhancements, if the community isn't asking for such. ARIN needs to stay focused on its mission, and prioritize all work accordingly.

There has not been a clear consensus from the community one way or the other about enhancing the IRR services as part of that mission, nor on deeming it to be outside of the mission and phasing out the services. This makes it somewhat challenging for the Board and staff to discern the right approach, and leaves us simply maintaining the status quo for these services.

Should IRR services be part of the ARIN mission? ARIN-discuss would be a great mailing list on which to discuss this topic, or (along the lines of Randy's earlier comments) on this NANOG list, if the mailing list folks consider it to be on topic.

/John

John Curran
President and CEO
ARIN
Re: AltDB? (IRR support direction at ARIN)
On Sun, 9 Jan 2011, John Curran wrote:
> Should IRR services be part of the ARIN mission?

If that's a serious question, why does rr.arin.net exist at all?

--
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Re: AltDB? (IRR support direction at ARIN)
On Jan 9, 2011, at 3:02 PM, Jon Lewis wrote:
>> Should IRR services be part of the ARIN mission?
>
> If that's a serious question, why does rr.arin.net exist at all?

Jon -

Existence is not in and of itself proof that the services are presently desired by the community, nor that there are benefits in having them provided by ARIN. For example, one can argue that it is desirable for ARIN to provide IRR services in the case where allocation policy had dependencies into the state of the IRR; this is not the case in the ARIN region. Another reason for ARIN to offer services is if it can do so in a manner that would significantly improve their quality (one might argue such about resource certification via RPKI, but that's not as obvious for a routing registry)

At the end of the day, we want ARIN to be providing quality services around the registration of Internet number resources; these services need to be valued by the community and provided cost-effectively. Do you:

1) want IRR services, and if so, with what features?
2) believe IRR services should be provided by ARIN?

Getting input from the community on this will significantly help the ARIN staff make informed recommendations to the ARIN Board regarding how to best proceed. I'd also welcome private email with these thoughts if that's your preference.

Thanks!
/John

John Curran
President and CEO
ARIN
Re: AltDB? (IRR support direction at ARIN)
> Do you:
> 1) want IRR services, and if so, with what features?
> 2) believe IRR services should be provided by ARIN?

the irr is slightly useful today. so, iff it is cheap and easy, arin providing an open and free instance is a public good. again, iff it is easy and cheap.

and please do not waste time trying to 'fix' the irr, sad to say it's trying to make a silk purse out of a sow's ear.

and thanks for asking.

randy
arin and ops fora (was Re: AltDB?)
On Jan 8, 2011, at 4:11 AM, David Conrad wrote:
> Another view is that ARIN's whole and sole reason for being is to provide services to the network operators in the ARIN region. As such, it would be ill-advised for ARIN to change those services without consulting the community that ARIN serves and getting their buy-in. Hopefully, there's a middle ground.

Agreed. Presently, we rely upon the ARIN consultation and suggestion process for getting tactical input on operational changes. We also recognize guidance from the IETF both via IAB communications and in the form of the BCP RFC series. Obviously, if there were a convenient way for the operator community to provide consensus guidance on Internet number resource operational matters, such input would be highly valued.

> On Jan 7, 2011, at 10:24 PM, Paul Vixie wrote:
>> i hear in what you're saying a desire to have a way to impact ARIN's behaviour outside of NRPM edits and perhaps ARIN does need to address this with some new online forum for things which aren't allocation policy but which should still be decided using community input.
>
> Yep. Not sure it should be an ARIN-operated thing (nor am I sure that it shouldn't be), but something a bit more focused on the operation of services ARIN provides than ppml might be helpful.

Excellent question. To the extent that it is best practices on these types of services, then that's relatively easy for ARIN to interface with... if it is specific direction to ARIN to do xyz, then ultimately the decision rests with the ARIN Board regarding that input, since that involves how we spend the service fees of the members.

On Jan 8, 2011, at 4:15 PM, David Conrad wrote:
> While I think BCOPs (and BCOP BoFs) are a great idea, I guess the question is how can folks be assured that ARIN would follow a NANOG community-defined BCOP relating directly to ARIN operations. For example, if the NANOG community were to (reasonably) say BCOP is to use IETF-defined standards for publishing and accessing resource registration data, I'd imagine ARIN might (reasonably) disagree and continue down the RWS path.

If the process for forming such recommendations were fair open to the same community, the resulting documents would be quite compelling. While that does not assure ARIN would follow them, this community has never been shy about providing feedback when the right things aren't happening... (and I'd note that a community which is capable of reaching consensus on such documents is equally capable of seating a Board amenable to such documents, if there ever were to be a problem in this area)

> My impression is that the various WGs and SIGs in the other RIRs perform something similar to that function. There doesn't appear to be anything similar in the ARIN region.

The role is served by the ARIN Board, which is member-elected and composed of volunteers (and myself as CEO). If folks think that a more formal structure for operational input (either within ARIN or via liaison to another body) is called for, I'd suggest continued discussion on the various mailing lists.

Interesting discussion... thanks for raising it.

/John

John Curran
President and CEO
ARIN
Re: AltDB?
On Sun, Jan 9, 2011 at 1:09 PM, John Curran jcur...@arin.net wrote:
> Please suggest your preferred means of IRR authentication to the ARIN suggestion process: https://www.arin.net/participate/acsp/index.html Alternatively, point to a best practice document from the operator community for what should be done here. ARIN's work plan is very much driven by community input, so that's what is needed here.

John,

I appreciate you taking time to respond to this while on vacation. However, I think we all know that your response is not a "here is how you tell us what to do", it's a "here is our cop-out response to make an incredibly simple fix either never happen, or take six months to make it through the ARIN process."

If you truly do not understand the posts regarding this matter, I will summarize them for you very simply:

1) ARIN IRR is a tool that has operational impact; service providers use it to build prefix-lists automatically, and if the data that underlies those prefix-lists is corrupted, networks that use the ARIN IRR will see their transit providers stop accepting their BGP announcements overnight. This is not a "some database might be inaccurate but it's okay" problem; it is an operational problem. Some people's networks depend on that data not becoming corrupted. Specifically, every network that uses ARIN IRR.

2) ARIN IRR has effectively no security for record updates or deletes. Anyone who knows how to forge an email From: header can corrupt or delete part or all of the ARIN IRR database at any time. ARIN IRR is the only database that I am aware of without support for at least password authentication. The standard toolset supports passwords trivially.

3) If not supporting passwords was a business-driven decision, it was a bad one, but perhaps a mistake born out of ignorance. If it was a technically-driven decision by the staff members responsible for implementing and maintaining the ARIN IRR, those staff members are not qualified to handle anything of an operational nature, and you would be well-advised to find jobs for them that don't require any attentiveness to operational security.

4) The ARIN process will almost certainly not be the route taken when a change eventually arises. Some black hat will eventually decide it would be a clever prank to erase or corrupt the entire database, and you will then be faced with three choices; a) implement passwords immediately and not allow any updates from users who haven't selected one; b) make the ARIN IRR read-only and effectively make it useless; c) ignore the problem, at which point no ISPs will be willing to mirror the ARIN IRR anymore, because its data is a liability, not an asset.

I appreciate that there is a process to go through for proposing ARIN policy changes, etc. Your suggestion that this be used when addressing an operational security matter is foolish and provides plenty of ammo for people who say ARIN is ineffective (or worse.)

I suggest you take a moment to think about what the news coverage might be if this eventually blows up in a big enough way to interest news people. If a bunch of ISPs go down overnight due to an ARIN oversight, will some savvy reporter ask himself who at ARIN knew they were running an operationally-important service with no security mechanism at all? Will he have much trouble finding out about a mailing list discussion in which the CEO of ARIN glazed over the issue and referred a whistle-blowing person to the ARIN policy process? Will he then ask if ARIN is an effective steward of RPKI? Will his article assign blame to you personally? Will he draw some link to Chinese interception of 15% of the Internet? Who knows how mainstream press would interpret such an event, if it was big enough to attract attention.

If I were you, though, I would not want my signature at the bottom of an email essentially telling someone to go post on the correct mailing list. I suggest you don't be the ARIN CEO that gets mud in his eye because he didn't understand the value of a password over mail-from.

--
Jeff S Wheeler j...@inconcepts.biz
Sr Network Operator / Innovative Network Concepts
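An added example, not part of this thread and not ARIN's or any IRR operator's code: a small Python audit that parses RPSL mntner objects from a constructed dump and reports every maintainer that a spoofed From: header could update, including those that list MAIL-FROM beside a stronger method, together with the objects each maintainer protects. The maintainer names, prefix, AS number and hash value are constructed placeholders.

```python
"""Audit RPSL maintainer objects for MAIL-FROM-only authentication."""
from collections import defaultdict

# Constructed sample RPSL dump (not real ARIN data). Objects are separated by
# blank lines and the first attribute of each object names its class.
SAMPLE_DUMP = """\
mntner:      MAINT-EXAMPLE-WEAK
auth:        MAIL-FROM .*@example\\.net
mnt-by:      MAINT-EXAMPLE-WEAK
source:      ARIN

mntner:      MAINT-EXAMPLE-MIXED
auth:        MAIL-FROM noc@example\\.org
auth:        MD5-PW $1$PLACEHOLDER$PLACEHOLDERHASHVALUE
mnt-by:      MAINT-EXAMPLE-MIXED
source:      ARIN

mntner:      MAINT-EXAMPLE-STRONG
auth:        PGPKEY-00000000
mnt-by:      MAINT-EXAMPLE-STRONG
source:      ARIN

route:       192.0.2.0/24
origin:      AS64496
mnt-by:      MAINT-EXAMPLE-WEAK
source:      ARIN
"""


def parse_rpsl(text):
    """Split an RPSL dump into objects: dicts of lower-cased attribute name
    to list of values (auth: may repeat). Lines starting with whitespace or
    '+' continue the previous attribute's value."""
    objects, current, last_key = [], None, None
    for raw in text.splitlines():
        if not raw.strip():                 # blank line ends the object
            if current:
                objects.append(dict(current))
            current, last_key = None, None
            continue
        if raw[0] in " \t+" and last_key is not None:
            current[last_key][-1] += " " + raw[1:].strip()
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue                        # not an attribute line; skip
        if current is None:
            current = defaultdict(list)
        key = key.strip().lower()
        current[key].append(value.strip())
        last_key = key
    if current:
        objects.append(dict(current))
    return objects


def classify_auth(auth_value):
    """Map one auth: value to a coarse strength label."""
    scheme = auth_value.split(None, 1)[0].upper()
    if scheme == "MAIL-FROM":
        return "forgeable"        # regex on From:, met by a spoofed header
    if scheme == "CRYPT-PW":
        return "legacy-password"  # DES crypt(3): short, brute-forceable hash
    if scheme == "MD5-PW":
        return "password"
    if scheme.startswith("PGPKEY-"):
        return "signature"
    return "unknown"


def audit_maintainers(objects):
    """Return {mntner: {"methods", "forgeable", "protects"}} for a parsed dump.
    RPSL accepts an update if ANY listed auth: method passes, so one MAIL-FROM
    line leaves the maintainer forgeable whatever else is listed. 'protects'
    is every object whose mnt-by names it: the blast radius of a forged update."""
    report, protected = {}, defaultdict(list)
    for obj in objects:
        cls = next(iter(obj))               # first attribute = object class
        label = f"{cls} {obj[cls][0]}"
        for maintainer in obj.get("mnt-by", []):
            protected[maintainer].append(label)
        if cls == "mntner":
            methods = [classify_auth(a) for a in obj.get("auth", [])]
            report[obj[cls][0]] = {"methods": methods,
                                   "forgeable": "forgeable" in methods or not methods}
    for name, entry in report.items():
        entry["protects"] = protected.get(name, [])
    return report


def forgeable_maintainers(report):
    """Names of maintainers that a spoofed From: header could update."""
    return sorted(n for n, e in report.items() if e["forgeable"])


if __name__ == "__main__":
    result = audit_maintainers(parse_rpsl(SAMPLE_DUMP))
    for name in forgeable_maintainers(result):
        print(f"{name}: auth={result[name]['methods']} protects={result[name]['protects']}")
```

Run against a real dump, the same report shows which route objects a forged update could erase, which is the exposure Jeff describes above.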
Re: AltDB?
Subject: Re: AltDB?
Date: Sun, Jan 09, 2011 at 06:09:13PM +
Quoting John Curran (jcur...@arin.net):
> On Jan 9, 2011, at 2:09 AM, Jeff Wheeler wrote:
>
> Please suggest your preferred means of IRR authentication to the ARIN suggestion process: https://www.arin.net/participate/acsp/index.html Alternatively, point to a best practice document from the operator community for what should be done here. ARIN's work plan is very much driven by community input, so that's what is needed here.

Just do as the other RIRen, for starters. The database sw is available, and ARIN coming up to the standards of the others would be a real improvement.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
My mind is a potato field ...
Re: AltDB? (IRR support direction at ARIN)
On Sun, Jan 9, 2011 at 6:27 PM, Randy Bush ra...@psg.com wrote:
>> Do you:
>> 1) want IRR services, and if so, with what features?
>> 2) believe IRR services should be provided by ARIN?
>
> the irr is slightly useful today. so, iff it is cheap and easy, arin providing an open and free instance is a public good. again, iff it is easy and cheap.
>
> and please do not waste time trying to 'fix' the irr, sad to say it's trying to make a silk purse out of a sow's ear.

I'm not suggesting that ARIN undertake a large and complex effort to solve a bunch of issues with IRR. All I am suggesting is that they prevent anonymous bad guys with no inside information, special access, or knowledge of passwords, from corrupting the data which some networks choose to publish in ARIN IRR.

I am simply suggesting it is dangerous and irresponsible to run an IRR with only MAIL-FROM authentication, and quite easy to also support CRYPT-PW. ARIN should either support passwords or immediately make their IRR read-only and stop offering it as a service.

Imagine if there was a Slashdot article or something about this, how long would it take for some 14-year-old to erase the whole database, and how that would pretty much force ARIN to make a choice anyway, but also, create a lot of negative fall-out that might jeopardize trust in ARIN with regard to other operational matters, like RPKI.

--
Jeff S Wheeler j...@inconcepts.biz
Sr Network Operator / Innovative Network Concepts
Re: AltDB? (IRR support direction at ARIN)
>>> Do you:
>>> 1) want IRR services, and if so, with what features?
>>> 2) believe IRR services should be provided by ARIN?
>>
>> the irr is slightly useful today. so, iff it is cheap and easy, arin providing an open and free instance is a public good. again, iff it is easy and cheap.
>>
>> and please do not waste time trying to 'fix' the irr, sad to say it's trying to make a silk purse out of a sow's ear.
>
> I'm not suggesting that ARIN undertake a large and complex effort to solve a bunch of issues with IRR.

jeff,

i do not disagree that running an irr instance with only mail-from is s 1980s. and, as mans points out, there is free software out there to do it (i recommend irrd). but i do not see good cause for arin to spend anything non-trivial to fix a problem in an irr instance which is not used very much. i.e. better to drop it than to spend non-trivial money to modernize it.

but more to the point, by 'fix' it, i did not mean modernizing the auth method set. i meant the content, syntax and semantics.

randy
Re: AltDB? (IRR support direction at ARIN)
On Sun, Jan 9, 2011 at 6:48 PM, Randy Bush ra...@psg.com wrote:
> jeff, i do not disagree that running an irr instance with only mail-from is s 1980s. and, as mans points out, there is free software out there to do it (i recommend irrd). but i do not see good cause for arin to spend anything non-trivial to fix a problem in an irr instance which is not used very much. i.e. better to drop it than to spend non-trivial money to modernize it.

I agree that if ARIN thinks it would be too costly to support password authentication, they should make the database read-only so users will migrate away from it and no damage can be done by bad guys.

> but more to the point, by 'fix' it, i did not mean modernizing the auth method set. i meant the content, syntax and semantics.

I understood what you meant, and again, I agree with you; there is no reason to invest a lot of time and resources in something that should be made obsolete by other work already in progress. The fix I want is simply eliminating the large liability by continuing to allow updates with MAIL-FROM authentication.

I believe ARIN IRR actually does support MD5 authentication, but if you email the ARIN IRR person, or go to ARIN's web site, you are told that only MAIL-FROM is allowed. So they probably already have the appropriate technical mechanism in place AND JUST AREN'T USING IT, and are actively discouraging users from utilizing it. This would be an example of ARIN's ineffectiveness when it comes to operational matters, and is why I have real fear that RPKI may one-day be a disaster because ARIN is an ineffective steward.

--
Jeff S Wheeler j...@inconcepts.biz
Sr Network Operator / Innovative Network Concepts
Re: AltDB?
On Jan 9, 2011, at 6:30 PM, Jeff Wheeler wrote:
> John, I appreciate you taking time to respond to this while on vacation. However, I think we all know that your response is not a here is how you tell us what to do, it's a here is our cop-out response to make an incredibly simple fix either never happen, or take six months to make it through the ARIN process.

Jeff -

As it turned out, I'm back from vacation but thanks for the thought. My reason for responding is simply to make sure that ARIN is doing what the community wants. I won't deny that this may take some time depending on exactly what is involved, but in my mind that is far better than not fixing the situation.

> If you truly do not understand the posts regarding this matter, I will summarize them for you very simply:
>
> 1) ARIN IRR is a tool that has operational impact; service providers use it to build prefix-lists automatically, and if the data that underlies those prefix-lists is corrupted, networks that use the ARIN IRR will see their transit providers stop accepting their BGP announcements overnight. This is not a some database might be inaccurate but it's okay, problem; it is an operational problem. Some peoples' networks depend on that data not becoming corrupted. Specifically, every network that uses ARIN IRR.

Thanks; I'm aware of the ARIN IRR and how operators in the community make use of it, and have run ISPs which have made use of the data for route filtering.

...

> I appreciate that there is a process to go through for proposing ARIN policy changes, etc. Your suggestion that this be used when addressing an operational security matter is foolish and provides plenty of ammo for people who say ARIN is ineffective (or worse.)

Agreed; dropping me an email is a fine process for operational security matters. Consider this one so reported.

/John

John Curran
President and CEO
ARIN
Re: AltDB?
On Sun, Jan 9, 2011 at 7:33 PM, John Curran jcur...@arin.net wrote:
> My reason for responding is simply to make sure that ARIN is doing what the community wants. I won't deny that this may take some time depending on exactly what is involved, but in my mind that is far better than not fixing the situation.

How will ARIN respond to operational security matters with regard to RPKI infrastructure in the future? What experience does ARIN have with operational security in the past? When faced with DNS server vulnerabilities, did ARIN solicit community feedback before patching the servers responsible for IN-ADDR.ARPA zones administered by ARIN? Or did ARIN treat this matter as a legitimate, operational security concern, and apply whatever technical solution was available and generally accepted by other organizations administering DNS servers?

Why should an operational security issue with the ARIN IRR be handled as a policy issue? Do you know that I have emailed ARIN about this both recently and in years past? Am I the only person who has ever tried to bring this to ARIN's attention? I doubt that. Are the personnel managing the ARIN IRR oblivious to the fact that every other IRR database except ARIN supports at least some form of password authentication? Are these personnel qualified to handle services with operational impact?

Do you, or they, know that ARIN's IRR technical infrastructure actually does support password security, and that records exist in the ARIN IRR database with MD5 authentication, but that emails to ARIN about this are answered with replies that only MAIL-FROM is possible? Why does the ARIN web site make no mention of anything besides MAIL-FROM?

> Thanks; I'm aware of the ARIN IRR and how operators in the community make use of it, and have run ISPs which have made use of the data for route filtering.

When you ran ISPs that made use of IRR data for route filtering, did you use any kind of authentication when publishing and maintaining your own records, or advise customers to use such? Did the possibility of malicious data corruption or erasure ever enter your mind?

> Agreed; dropping me an email is a fine process for operational security matters. Consider this one so reported.

What will the process be for handling operational security issues regarding future RPKI infrastructure? It is conceivable that there may be no alternative to ARIN, in the ARIN region, for trusted routing information data in the future. Today, we can choose not to use ARIN IRR, and the huge majority of networks who publish IRR data use their ISP databases or MERIT RADB. Are we faced with the possibility that ARIN simply doesn't have personnel capable of handling operational services, yet are forcing ARIN down a road that may make them a sole source of something we all need? If so, perhaps this is a very bad idea in need of further debate.

I think the mentality at ARIN is one of paper-pushers and policy guys. That's perfectly fine for an organization whose main function is ... processing paperwork and allocating IP addresses. It is perhaps a very bad idea to ask ARIN to do operational things which they are very clearly unprepared to handle, to such an extent that they may need additional or different personnel, and really need to change their mentality.

I understand that the technical side of the RPKI implementation at ARIN is most likely entrusted to Paul Vixie and ISC, which is a good thing. I never read an email from Paul saying, "I think we need to solicit feedback before we patch this BIND issue." DNSSEC progress has taken a very long time, but that hasn't stopped ISC from continuing to provide quick technical solutions to immediate technical problems. What really worries me is ... if there is some serious issue with RPKI infrastructure in the future, will ARIN be able to solve it in an operational time-frame, or won't they?

--
Jeff S Wheeler j...@inconcepts.biz
Sr Network Operator / Innovative Network Concepts
Re: AltDB?
On Jan 9, 2011, at 9:53 PM, Jeff Wheeler wrote:
> Why should an operational security issue with the ARIN IRR be handled as a policy issue?

Operational security matters should simply be fixed; that's not a policy matter but an implementation issue.

> Do you know that I have emailed ARIN about this both recently and in years past? Am I the only person who has ever tried to bring this to ARIN's attention? I doubt that.

Good to know; I'm rather interested in knowing some particulars here, so can you forward to me one or two of those messages? (or just let me know the 'To' field used and I'll take it from there)

> What will the process be for handling operational security issues regarding future RPKI infrastructure? It is conceivable that there may be no alternative to ARIN, in the ARIN region, for trusted routing information data in the future. Today, we can choose not to use ARIN IRR, and the huge majority of networks who publish IRR data use their ISP databases or MERIT RADB. Are we faced with the possibility that ARIN simply doesn't have personnel capable of handling operational services, yet are forcing ARIN down a road that may make them a sole source of something we all need? If so, perhaps this is a very bad idea in need of further debate.

Feel free to discuss on this list (if deemed in charter) or arin-discuss as you feel appropriate.

> I think the mentality at ARIN is one of paper-pushers and policy guys. That's perfectly fine for an organization whose main function is ... processing paperwork and allocating IP addresses. It is perhaps a very bad idea to ask ARIN to do operational things which they are very clearly unprepared to handle, to such an extent that they may need additional or different personnel, and really need to change their mentality.

Jeff - ARIN does indeed have folks who worry about whether the policy development process is being followed. We also have folks who actually implement the policy and issue number resources. What you may not know is that we also have quite a few folks who have run production operational services both for the Internet and other mission-critical environments.

I'm not surprised that the IRR allows plaintext passwords, but am myself stunned if indeed we require them, since that disallows even a modicum of protection from trivial acts of sabotage. Rather than repeat what lack of information there is on the web site in regards to what forms of IRR authentication are available, I will go determine the state of reality and post back here asap. At a minimum, we need much clearer documentation, but if more is required, we'll get it fixed asap.

/John

John Curran
President and CEO
ARIN
Re: AltDB? (IRR support direction at ARIN)
On 01/09/2011 03:41 PM, Jeff Wheeler wrote:
> On Sun, Jan 9, 2011 at 6:27 PM, Randy Bush ra...@psg.com wrote:
> > Do you:
> > 1) want IRR services, and if so, with what features?
> > 2) believe IRR services should be provided by ARIN?
>
> I am simply suggesting it is dangerous and irresponsible to run an IRR with only MAIL-FROM authentication, and quite easy to also support CRYPT-PW. ARIN should either support passwords or immediately make their IRR read-only and stop offering it as a service. Imagine if there was a Slashdot article or something about this, how long would it take for some 14-year-old to erase the whole database, and how that would pretty much force ARIN to make a choice anyway, but also, create a lot of negative fall-out that might jeopardize trust in ARIN with regard to other operational matters, like RPKI.

So why hasn't this happened already? If it's so easy, then all the normal actors that like to cause us late nights would have struck already. And according to http://www.irr.net/docs/list.html there are lots of IRR databases.

I had a vague concept of IRR before this thread, and have researched them as a result of it. They seem quite useful. I didn't know anything about RPKI before this thread. I'm looking into that now.

So I don't think ARIN should spend its limited resources on anything to do with its copy of the IRR. In fact I'm not sure why they even operate one. It seems to be the realm of service providers to do so. Can anyone enlighten me as to why a RIR is operating an IRR database? It doesn't make sense to me.

--
Charles N Wyble (char...@knownelement.com)
Systems craftsman for the stars
http://www.knownelement.com
Mobile: 626 539 4344 Office: 310 929 8793
Re: AltDB? (IRR support direction at ARIN)
On 01/09/2011 03:48 PM, Randy Bush wrote:
> Do you:
> 1) want IRR services, and if so, with what features?

I think so. In theory it seems useful. In practice... http://www.renesys.com/blog/2009/05/keeping-score.shtml not so much.

> 2) believe IRR services should be provided by ARIN?

No. As I mentioned elsewhere in this thread, I don't see why an RIR is operating an IRR database. It seems to be something clearly in the realm of service providers (i.e. people who are making use of allocated resources).

John,

Can you shed some light on why this is the case? Was this requested by the community, or driven internally? Or both?

--
Charles N Wyble (char...@knownelement.com)
Systems craftsman for the stars
http://www.knownelement.com
Mobile: 626 539 4344 Office: 310 929 8793
Re: AltDB? (IRR support direction at ARIN)
> I had a vague concept of IRR before this thread, and have researched them as a result of it. They seem quite useful. I didn't know anything about RPKI before this thread. I'm looking into that now.
>
> So I don't think ARIN should spend its limited resources on anything to do with its copy of the IRR. In fact I'm not sure why they even operate one. It seems to be the realm of service providers to do so. Can anyone enlighten me as to why a RIR is operating an IRR database? It doesn't make sense to me.

Sure. I've been staying quiet on this thread, but as one person who has used (and still maintains a number of records in) ARIN's IRRd, I'll respond.

Firstly, there are many networks who want to put their IRR objects into a neutral and objective database. I know that AltDB is free, but as I've been told before, if you want support, donate to the Abha Ahuja Women in Science in Engineering scholarship fund, otherwise your maintainer objects will never be approved (know this one first hand). And RADB, which used to be free, charges a fee to have records maintained via their web GUI. Many network operators don't want to directly pay for such services, so ARIN makes sense in this regard. My original alternative was to set up my own IRRd, but was glad not to have to go to the trouble.

Secondly, ARIN's IRRd is a lot easier to use than any service provider IRRd as those are intended for customer records only and if you wish to leave them, they will delete your records or just simply deny you support. Especially when said providers mirror ARIN's database. It's much like using PA vs PI IP space. If you want to be indebted to your provider, continue to use their free services.

Thirdly, with the above in mind, ARIN provides support to all members of ARIN, so you can get a real person on the phone or by email to respond to questions.

So, all in all, I am grateful that ARIN has supplied the IRRd service, would love to see the authentication enhanced, but otherwise I don't have any complaints. I encourage others to use the service regularly and am glad to see it getting some attention; we just need to make sure to channel the attention into enhancements and not limitations.

thanks,
charles
Re: AltDB?
On Sun, Jan 9, 2011 at 10:47 PM, John Curran jcur...@arin.net wrote:
> Jeff - ARIN does indeed have folks who worry about whether the policy development process is being followed. We also have folks who actually implement the policy and issue number resources.

And we all agree that this is ARIN's primary role, and what ARIN, organizationally, has been built to be good at. This is what members consider when electing the BoT and no doubt drives ARIN's day-to-day business and technical decisions.

> is that we also have quite a few folks who have run production operational services both for the Internet and other mission-critical environments.

What does ARIN, as an organization, do that has short-term operational impact on its members? Two things that I am aware of: IN-ADDR.ARPA delegation and IRR. One of these things gives people no reason to complain. The other is demonstrably insecure in a manner that could have really serious, and embarrassing, consequences, both financial for the members, and in terms of people's confidence in ARIN.

> I'm not surprised that the IRR allows plaintext passwords, but am myself stunned if indeed we require them, since that disallows even a modicum of protection from trivial acts of sabotage. Rather than repeat what lack of information there is on the web site in regards to what forms of IRR authentication are available, I will go determine the state of reality and post back here asap. At a minimum, we need much clearer documentation, but if more is required, we'll get it fixed asap.

Thanks, I am glad you are now looking into this. To be clear, it's not just plain text passwords. There aren't any passwords for the majority of objects. The ARIN documentation indicates that only MAIL-FROM is supported. When asked about this, ARIN personnel who respond to rt...@arin.net reply that yes, MAIL-FROM is the only authentication mechanism supported, and that no, there is no support for passwords (good) or PGP (also good, but too complicated for some users.)

This isn't simply an issue of plain text passwords. Your mechanism is MAIL-FROM, which means the only check that is done on update/add/delete requests is the From: header. The ARIN database, which is publicly mirrored, contains the email addresses that must be used to add/update/delete objects maintained by a given mntner: object. All you have to do to corrupt or erase a record is look up the record you want to corrupt in the IRR, then look up that mntner, then forge an email from the auth: MAIL-FROM listed in that mntner record. It's dead simple and it is not plain text passwords, it is no passwords at all.

The reason I am still posting is I am deeply concerned about the lack of technical and management competence needed to let this happen in the first place. You shouldn't seriously believe that no ARIN staffer ever thought about this, while also believing that ARIN is currently capable of administering RPKI, by its very nature and as its primary goal, to improve operational network security. For this reason, I think your true task is not simply to address the IRR issue, but to change the mentality at ARIN. If you do have technically skilled personnel, something is preventing them from being effective. If there isn't a management or cultural problem stopping folks from speaking up, then, quite frankly, I think you may be greatly over-estimating the technical savvy of ARIN staff.

--
Jeff S Wheeler j...@inconcepts.biz
Sr Network Operator / Innovative Network Concepts
Re: AltDB?
Date: Sat, 08 Jan 2011 15:47:51 +0900
From: Randy Bush ra...@psg.com

> ... more recent rumors, and john's posting here, seem to indicate that ...

even to the extent that i know what's really happened or happening, i'd be loath to comment on rumours. i have high confidence in arin's board and staff, and i believe that the right things are happening, even with the delays. "right things" as in what's best for the community and for the internet industry in the arin service region. as a strong proponent of rpki and of all things like rpki that will strengthen infrastructure, i remain delay-tolerant if review is the cost of getting it right.

> first, it would really help if the arin bot and management were much more open about these issues and decisions. at the detailed level. we are all not fools out here, present company excepted :). for a radical example, considering that arin is managing a public resource for the community, why are bot meetings not streamed a la cspan?

can you cite some examples of nonprofit companies whose boards operate at the level of transparency you're asking me to consider in this example? the process of rolling out something like rpki involves some checks and balances, it's no longer just a simple matter of the technical people doing the right thing even though i remember older times when that was the way most things on the internet worked.

> i do not see how you are going to get rid of the liability. you have it now in whois/irr if i use it for routing (except they are so widely known to be bad data that the world knows i would be a fool to bet on them). whether the source of a roa is a user whacking on an arin web page or by other means, you still attested to the rights to that address space.

my own belief here (not speaking for ARIN or for the ARIN BoT) is that the folks who use IRR/whois data to build route filters have a confidence level much lower than those who will use RPKI to do the same will have. i know that if i still had enable on anything other than my home router, that's how i'd feel. also, liability isn't just "got rid of", it's also documented and risk-managed, and doing that may require some kind of internal review.

> but all this is based on inference and rumor. can you please be more open and direct about this? thanks.

i don't know. john (speaking for ARIN) gave an excellent and complete answer that i completely agree with. you're repeating some rumours which i won't comment on one way or the other. if you have specific questions which were not answered by john's response or which were raised by john's response you should ask them. saying "i heard a rumour, would anyone care to refute it?" is not going to move the conversational line of scrimmage at all.

paul
Re: AltDB?
> > first, it would really help if the arin bot and management were much more open about these issues and decisions. at the detailed level. we are all not fools out here, present company excepted :). for a radical example, considering that arin is managing a public resource for the community, why are bot meetings not streamed a la cspan?
>
> can you cite some examples of nonprofit companies whose boards operate at the level of transparency you're asking me to consider in this example?

fcc
Re: AltDB?
From: David Conrad d...@virtualized.org
Date: Fri, 7 Jan 2011 21:01:52 -1000

> > do you have a specific proposal? i've noted in the past that arin tries hard to stick to its knitting, which is allocation and allocation policy.
>
> Yes. This is a positive (IMHO), however it seems that occasionally, ARIN's knitting tangles up folks who don't necessarily involve themselves with ARIN's existing interaction mechanisms (at least directly).
>
> > the price of changing what ARIN does is, at a minimum: participation. it seems to me that if some in the community wanted arin to run SIGs or WGs on things like routing policy arin could do it but that a lot of folks would say that's mission creep and that it would be arin poaching on nanog lands.
>
> The issue I see is that there are non-address allocation{, policy} topics that can deeply affect network operations in which ARIN has a direct role, yet network operators (outside of the normal ARIN participants) have no obvious mechanism in which to comment/discuss/etc. Examples would include reverse DNS operations, whois database-related issues (operations, schema, access methods, etc.), (potentially?) RPKI, etc. It doesn't seem appropriate to me for these to be discussed in relation to addressing policy nor are the issues associated with those examples necessarily related to address allocation, hence I wouldn't think they'd be fodder for ppml.

they are, though. i understand the subtlety of the question, "is that a policy matter?" but discussions on ppml@ have led to determinations of "what is lameness?" and "when is a nameserver so lame that it's better to remove it from in-addr than to leave it in?" i hear in what you're saying a desire to have a way to impact ARIN's behaviour outside of NRPM edits and perhaps ARIN does need to address this with some new online forum for things which aren't allocation policy but which should still be decided using community input. (as i recall my first act as a new ARIN trustee was to sign onto a policy proposal that would have changed the way e-mail templates worked, and at the end of the process the ARIN BoT shot it down because it wasn't a policy, and i understood that decision. strange, eh?)

> ...
>
> So, in other words, no, I don't really have a specific proposal.

perhaps others will chime in. i will continue to think about it also.
Re: AltDB?
> the price of changing what ARIN does is, at a minimum: participation.

aha! there we go. the old ietf attitude. you come to the mountain. well, i'll tell you what i told the ietf. the high and mighty mountain can bite my ass.

randy
Re: AltDB?
Paul,

On Jan 7, 2011, at 10:24 PM, Paul Vixie wrote:
> the price of changing what ARIN does is, at a minimum: participation.

Another view is that ARIN's whole and sole reason for being is to provide services to the network operators in the ARIN region. As such, it would be ill-advised for ARIN to change those services without consulting the community that ARIN serves and getting their buy-in. Hopefully, there's a middle ground.

> i hear in what you're saying a desire to have a way to impact ARIN's behaviour outside of NRPM edits and perhaps ARIN does need to address this with some new online forum for things which aren't allocation policy but which should still be decided using community input.

Yep. Not sure it should be an ARIN-operated thing (nor am I sure that it shouldn't be), but something a bit more focused on the operation of services ARIN provides than ppml might be helpful.

Regards,
-drc
Re: AltDB?
> > the price of changing what ARIN does is, at a minimum: participation.
>
> aha! there we go. the old ietf attitude. you come to the mountain. well, i'll tell you what i told the ietf. the high and mighty mountain can bite my ass.

let me be a bit more clear on this

o you affect the operational community, you talk with (not to) the operational community where the operational community talks

o i have given a lot of blood to arin, far more than it deserved. so do not tell me i need to give more.

o eighteen months or so ago, a gang of big arin folk guilt-tripped me into running for the board (which i founded back in '96-'97). i did the nomcom form and all that, AND WAS SILENTLY NOT ALLOWED ON THE BALLOT. never given notice or reason. so take your high and mighty open participation crap and shove it where the sun don't shine.

but i sure was relieved, to tell the truth. my mental and physical health just don't need the arin vigilante high and mighty crap on a daily basis.

randy
RE: AltDB?
> example, considering that arin is managing a public resource for the community, why are bot meetings not streamed a la cspan?

Having watched Congress on CSPAN, and heard reports about open ICANN Board meetings, it looks to me like making deliberative meetings public means nothing substantive happens during meetings. People get afraid to say anything that might make them look ignorant, and just make prepared speeches. All decisions are made ahead of time through private negotiations, which ends up being the opposite of transparency. I think ARIN's Board's output is better than Congress.

> i do not see how you are going to get rid of the liability.

Looking at the ARIN Board minutes of https://www.arin.net/about_us/bot/bot2010_1006.html and https://www.arin.net/about_us/bot/bot2010_1122.html it looks like the Board is requesting a more detailed liability assessment. Well-informed decisions are more likely to be good than the other kind.

Lee
RE: AltDB?
> -Original Message-
> From: David Conrad [mailto:d...@virtualized.org]
>
> The definition of what comes under the public policy mailing list umbrella has always been a bit confusing to me. Too bad something like the APNIC SIGs and RIPE Working Groups don't really exist in the ARIN region.

I think that's a bit of what we've been trying to do with the Best Current Operational Practices BoFs. We need a place where operators can discuss and document BCOPs.

Lee
Re: AltDB?
From: David Conrad d...@virtualized.org
Date: Fri, 7 Jan 2011 23:11:32 -1000

> On Jan 7, 2011, at 10:24 PM, Paul Vixie wrote:
> > the price of changing what ARIN does is, at a minimum: participation.
>
> Another view is that ARIN's whole and sole reason for being is to provide services to the network operators in the ARIN region.

yes.

> As such, it would be ill-advised for ARIN to change those services without consulting the community that ARIN serves and getting their buy-in.

that's very much what i mean by participation. arin could never exist without a community to serve. if there are better ways to serve the community or better ways for the community to participate in steering arin's services, then i'm very interested in discovering them.

> Hopefully, there's a middle ground.

this *is* the middle ground. we're beyond the span of decades when a couple of smart engineers could bang out a working solution that the rest of the community would just adopt out of opportunity and inertia. and let's not just blame-the-lawyers for that. the stakeholders in the infrastructure of the information economy now number in the 'many' and their views and needs have to be represented in the decisions that get made by places like ICANN, IETF, the RIRs, and similar.

> > i hear in what you're saying a desire to have a way to impact ARIN's behaviour outside of NRPM edits and perhaps ARIN does need to address this with some new online forum for things which aren't allocation policy but which should still be decided using community input.
>
> Yep. Not sure it should be an ARIN-operated thing (nor am I sure that it shouldn't be), but something a bit more focused on the operation of services ARIN provides than ppml might be helpful.

count me as 'intrigued' and expect me to be thinking more about this.
Re: AltDB?
Date: Sat, 08 Jan 2011 18:17:55 +0900
From: Randy Bush ra...@psg.com

> let me be a bit more clear on this

thanks.

> o you affect the operational community, you talk with (not to) the operational community where the operational community talks

i think arin does this today. certainly that is the intent. on the other fork of this thread, drc has noted some ways that this engagement area can be further improved, and i have counted myself as intrigued.

also, i neglected to mention in my earlier notes on this thread that in addition to public policy meetings and the public policy mailing list, which are open to the entire community not just arin members and which allow for remote participation not just those who can travel, arin has a consultation and suggestion process (URL below). i urge all operators and interested parties of the operational community to consider sharing their perspectives and their wisdom with arin to guide it going forward.

ARIN Consultation and Suggestion Process:
https://www.arin.net/participate/acsp/index.html

ARIN Public Policy Mailing List:
http://lists.arin.net/mailman/listinfo/arin-ppml

Meetings:
https://www.arin.net/participate/meetings/index.html
https://www.arin.net/participate/meetings/reports/ARIN_XXVI/index.html
https://www.arin.net/participate/meetings/ARIN-XXVI/remote.html
https://www.arin.net/participate/meetings/ARIN-XXVII/index.html
https://www.arin.net/participate/meetings/ARIN-XXVIII/index.html

Fellowships:
https://www.arin.net/participate/meetings/fellowship.html

Scholarships:
https://www.arin.net/participate/meetings/scholarships.html
Re: AltDB?
Date: Sat, 08 Jan 2011 18:08:12 +0900
From: Randy Bush ra...@psg.com
Subject: Re: AltDB?

> aha! there we go. the old ietf attitude. you come to the mountain. well, i'll tell you what i told the ietf. the high and mighty mountain can bite my ass.

Let me see if I've got this right -- you think ARIN should change their policies, but _you_ are not willing to put in any personal effort to make it happen, right?

Can you think of any good reason why _any_ organization should care about the opinions of someone with that attitude?
Re: AltDB?
Getting back to the original topic...sort of:

Looking at the data from altdb, it's not as widely used as I'd have guessed. There are 461 mntner objects. Of these, 268 use MAIL-FROM authentication. 192 use CRYPT-PW. At least those are the split if you look at just the first auth: for each mntner object...plenty of objects have multiple auth:s and some even have multiple types like MAIL-FROM and PGP. In such a case, does a change request have to satisfy both auths or just either one?

This makes me ask two questions.

1) Why did ARIN even bother setting up rr.arin.net with no authentication other than MAIL-FROM? Even CRYPT-PW, while weak, would be far stronger and preferable to effectively no authentication.

2) Why does altdb (and presumably other RRs that support CRYPT-PW) only support DES and not MD5-crypt? It's not 1990 anymore. RFC 2622 says that CRYPT-PW uses the UNIX crypt format...but today, UNIX crypt supports a variety of formats, including MD5, which is popular at least with Linux. I don't mean to whine that altdb doesn't support MD5...it'd be nice if it did, but at the price I'm paying for service ($0), I can't complain.

AFAIK, few networks base their BGP filters on the RR data, so I don't care too much about RPKI[1]. Who cares if ARIN certifies that my entries are legit if only a fraction of the net uses that data and there will always be portions of the net where anything goes and resource certification is ignored? What I do care about is that my peers or transits that use RR data to build filters use the data I put there, and that that data isn't tampered with by anyone with the minimal level of clue required to forge the from address on an email and construct an RPSL update email. Sure, we'd get email notification of the change...but if they time it right or the email doesn't get acted on quickly enough, filters might be built improperly.

[1] "Don't care" is probably too strong. At this point in time, I don't think it makes sense to get hung up on it and refuse to do any authentication if we're not doing RPKI, but not implement RPKI, because we haven't worked out all the details on how it'll be done. As it is, rr.arin.net is pretty much worthless.

--
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_ http://www.lewis.org/~jlewis/pgp for PGP public key _
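Jeff's description of MAIL-FROM earlier in the thread and Jon's count of altdb mntner auth: types above both come down to one defensive audit: what is the weakest auth: each maintainer accepts, and which route objects depend on such a maintainer. The following is an added example, not code from the thread or from any IRR software; it parses a constructed RPSL dump (the maintainer names, addresses and hash are made up) and assumes, on the question Jon's post leaves open, that any one auth: attribute on a mntner suffices, so the weakest one is the effective strength.

```python
"""Audit RPSL mntner objects for weak authentication.
Added example, not code from the thread or any IRR software.  Assumes
a mntner with several auth: attributes accepts any one of them, so its
effective strength is the weakest auth: it lists."""
from collections import Counter

# auth: schemes from RFC 2622 plus the MD5-PW / PGPKEY-* forms used by
# RIPE-style databases, ranked weakest first.
AUTH_RANK = {
    "NONE": 0,       # RFC 2622 allows "auth: NONE": anyone may update
    "MAIL-FROM": 1,  # only the From: header of the update is checked
    "CRYPT-PW": 2,   # DES crypt(3) password hash
    "MD5-PW": 3,     # MD5-crypt password hash
    "PGPKEY": 4,     # PGP-signed update
}
WEAK_RANK = AUTH_RANK["MAIL-FROM"]  # this rank or lower needs no secret


def parse_rpsl(text):
    """Split an RPSL dump into objects: lists of (key, value) pairs."""
    objects, current = [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                         # blank line ends an object
            if current:
                objects.append(current)
            current = []
        elif line[0] in "#%":                # comment line
            pass
        elif line[0] in " \t+" and current:  # continuation line
            key, value = current[-1]
            current[-1] = (key, value + " " + line.lstrip(" \t+"))
        else:
            key, _, value = line.partition(":")
            current.append((key.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects


def auth_scheme(value):
    """'CRYPT-PW xyz' -> 'CRYPT-PW', 'PGPKEY-0123ABCD' -> 'PGPKEY'."""
    words = value.split()
    scheme = words[0].upper() if words else "NONE"
    return "PGPKEY" if scheme.startswith("PGPKEY") else scheme


def audit_mntners(text):
    """Return (split, weakest): split counts the *first* auth: scheme per
    mntner (the count in the post above); weakest maps each mntner to the
    weakest scheme it accepts.  Unknown schemes rank 0 to force review."""
    split, weakest = Counter(), {}
    for obj in parse_rpsl(text):
        name, schemes = None, []
        for key, value in obj:
            if key == "mntner":
                name = value.upper()
            elif key == "auth":
                schemes.append(auth_scheme(value))
        if name is None or not schemes:
            continue                         # not a mntner object
        split[schemes[0]] += 1
        weakest[name] = min(schemes, key=lambda s: AUTH_RANK.get(s, 0))
    return split, weakest


def weak_mntners(weakest):
    """Maintainers that can be updated without any secret."""
    return sorted(n for n, s in weakest.items()
                  if AUTH_RANK.get(s, 0) <= WEAK_RANK)


def exposed_objects(text):
    """(class, key) of each non-mntner object whose mnt-by is weak: the
    objects whose changes deserve review before reaching a prefix-list."""
    weak = set(weak_mntners(audit_mntners(text)[1]))
    return [(obj[0][0], obj[0][1]) for obj in parse_rpsl(text)
            if obj[0][0] != "mntner"
            and any(k == "mnt-by" and v.upper() in weak for k, v in obj)]


# Constructed sample in altdb/RADB object syntax; names, addresses and
# the hash are made up, not taken from any real database.
SAMPLE_DUMP = """\
mntner:      MAINT-EXAMPLE-A
auth:        MAIL-FROM noc@example.net

mntner:      MAINT-EXAMPLE-B
auth:        CRYPT-PW ab1c2D3e4F5g6

mntner:      MAINT-EXAMPLE-C
auth:        PGPKEY-0123ABCD
auth:        MAIL-FROM hostmaster@example.org

route:       192.0.2.0/24
origin:      AS64496
mnt-by:      MAINT-EXAMPLE-A
source:      ALTDB
"""
```

Run against a real dump, `weak_mntners` gives the list to chase for upgraded auth: and `exposed_objects` the routes whose filter-generation diffs merit a human look.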
Re: AltDB?
On Sat, Jan 8, 2011 at 1:10 PM, Jon Lewis jle...@lewis.org wrote: Getting back to the original topic...sort of: thanks! [1] Don't care is probably too strong. At this point in time, I don't think it makes sense to get hung up on it and refuse to do any authentication if we're not doing RPKI, but not implement RPKI, because we haven't worked out all the details on how it'll be done. As it is, rr.arin.net is pretty much worthless. I don't think rr.arin.net and RPKI have anything to do with each other. I think the direction the RPKI should/is taking is to have the RIR sign a ROA to the ORG that they allocate the address space to... Similarly the ORG (if they are an N|LIR-type) will sign a ROA to the ORG that they assign address space to. Ideally you should be able to ask the RPKI system: I have 1.2.3.0/24 in a bgp announcement, origin'd by AS1234. Is that proper? Ideally that magic doesn't happen on the router but a digested form of the data is available making much of the heavy-lifting not router-based. The parts of the puzzle here that ARIN (or really any RIR) is responsible for are the 'signing roas to allocatees' (the up/down protocol as it's referred to in the drafts - http://tools.ietf.org/html/draft-ietf-sidr-rescerts-provisioning-09 and potentially having a system which permits end-users/ORGs to enter data which generates ROA data (and sends that along to some publication point for the rest of the routing world to download/digest). I believe the 'up/down protocol' part here is critical, the web server part ... I'm not sure is so critical, maybe a third party makes that happen outside of the ARIN management chain? Using someone not yourself (ARIN or another third party) to manage your ROA data means you probably have (in the most simple case) given the ability to that third party to sign objects for you, that means they have your private key(s) and can break you by mistake/malfeasance/oversight/etc. 
For this reason some folks may be ok with using a third party, many will choose to hold their fate in their own hands. -Chris
Re: AltDB?
On Sat, Jan 8, 2011 at 2:58 PM, Abhijit Phanse abhi...@unitedlayer.com wrote: Could you please remove all @unitedlayer.com addresses from this distribution. Thanks in advance. I think you mean to ask this of nanog-admin ... though honestly @unitedlayer.com folks CAN request that themselves (with the associated mailman data in the message headers) -chris
arin and ops fora (was Re: AltDB?)
Lee, On Jan 8, 2011, at 4:40 AM, Lee Howard wrote: I think that's a bit of what we've been trying to do with the Best Current Operational Practices BoFs. We need a place where operators can discuss and document BCOPs. While I think BCOPs (and BCOP BoFs) are a great idea, I guess the question is how can folks be assured that ARIN would follow a NANOG community-defined BCOP relating directly to ARIN operations. For example, if the NANOG community were to (reasonably) say BCOP is to use IETF-defined standards for publishing and accessing resource registration data, I'd imagine ARIN might (reasonably) disagree and continue down the RWS path. I suspect part of the issue is that ARIN is a monopoly provider of a variety of public services that folks unrelated (directly) to ARIN must make use of. In other areas of public service provision, there are things like public utilities commissions that (in theory) ensure the monopoly service provider acts in the public benefit when services are added/changed/deleted. My impression is that the various WGs and SIGs in the other RIRs perform something similar to that function. There doesn't appear to be anything similar in the ARIN region. Regards, -drc
Re: AltDB?
Let me see if I've got this right -- you think ARIN should change their policies, but _you_ are not willing to put in any personal effort to make it happen, right? i not put in personal effort? you're kidding or really new here, right? one underlying problem with the RIRs, ICANN, ... is that once we form these organizations, they start thinking like organizations, protect themselves, look to budgets, look to liability, welcome to real life. but these realistic organizational things sometimes actually have conflict with the original goals. randy
Re: arin and ops fora (was Re: AltDB?)
I suspect part of the issue is that ARIN is a monopoly provider of a variety of public services that folks unrelated (directly) to ARIN must make use of. In other areas of public service provision, there are things like public utilities commissions that (in theory) ensure the monopoly service provider acts in the public benefit when services are added/changed/deleted. My impression is that the various WGs and SIGs in the other RIRs perform something similar to that function. There doesn't appear to be anything similar in the ARIN region. having worked closely with a number of other RIRs, sad to say that a lot still goes on under the table [0]. hence my cspan analogy, shed some light in the corners. the community should be transparent before wikileaks gets to us. :) randy -- [0] - an old sardonic comment of mine on ripe is that it is a bottom up organization, and daniel and rob are at the bottom. and wear thick rubber/leather gloves when entering apnic.
Re: AltDB?
On Jan 8, 2011, at 7:39 AM, Robert Bonomi wrote: Let me see if I've got this right -- you think ARIN should change their policies, Not policies. Operations. Or rather, how ARIN communicates and obtains buy-in from the operational community regarding operations that affect that community. but _you_ are not willing to put in any personal effort to make it happen, right? Not to speak for Randy, but I believe he is suggesting the onus is on ARIN to engage the community their activities impact, rather than the community engaging ARIN. Can you think of any good reason why _any_ organization should care about the opinions of someone with that attitude? Liability? Folks don't have an option regarding where they get some of the services. An (imperfect) analogy: in the SF bay area, the monopoly provider of pipeline natural gas, PGE, appears to have made the operational decision to cut costs in inspecting high risk gas lines and not upgrade those pipelines (despite receiving permission from the CA PUC to bill ratepayers for the upgrade). Pragmatically speaking, the vast majority of folks affected by the operation of those pipelines most likely had no interest in making a personal effort to ensure PGE does what they say they'll do. In Sept 2009, one of those high risk pipelines exploded. I imagine PGE now cares a great deal about the folks who were affected as you can probably already hear the class action lawsuit lawyers revving their engines. Regards, -drc
Re: AltDB?
On Sat, Jan 8, 2011 at 2:47 PM, Christopher Morrow morrowc.li...@gmail.com wrote: I don't think rr.arin.net and RPKI have anything to do with each other. I think the direction the RPKI should/is taking is to have the I at least think that whatever future and time-table is planned for RPKI, this should not stand in the way of ARIN offering an effective authentication mechanism for the ARIN IRR. FYI, the reply I received from ARIN was that there are no plans to improve its authentication capability. I didn't ask why and don't really care why it has never had anything more than MAIL-FROM in the past. Either it should be improved (IMO) or it shouldn't be. I really do wonder what ARIN's plan is if a bad guy decides to forge emails and delete or modify some or all of the objects. Would they just shut it down, improve authentication, or keep doing business as usual? I am always surprised that black hat folks do not do things like this when faced with a damaging vulnerability that can easily be exploited with no way to trace the activity back to the bad guy. -- Jeff S Wheeler j...@inconcepts.biz Sr Network Operator / Innovative Network Concepts
Re: AltDB?
Date: Sun, 09 Jan 2011 06:25:33 +0900 From: Randy Bush ra...@psg.com Cc: nanog@nanog.org Subject: Re: AltDB? Let me see if I've got this right -- you think ARIN should change their policies, but _you_ are not willing to put in any personal effort to make it happen, right? i not put in personal effort? you're kidding or really new here, right? I used future tense, not past. Taking your prior language at face value, which you elided, it appears that you have no intent of any future participation in ARIN processes. Your subsequently revealed story regarding your thwarted attempt at a _requested_ run for a BoT seat, provides some understanding for a 'why' for that attitude. I'll simply note that _if_ you do cease future participation in =their= process, you _have_ 'let the bastards win'.
Re: AltDB?
Taking your prior language at face value, which you elided, it appears that you have no intent of any future participation in ARIN processes. i am doing so right here and now. you just don't like my choice of forum and probably my message. tough patooties. randy
Re: AltDB?
I at least think that whatever future and time-table is planned for RPKI, this should not stand in the way of ARIN offering an effective authentication mechanism for the ARIN IRR. ... I really do wonder what ARIN's plan is if a bad guy decides to forge emails and delete or modify some or all of the objects. my guess is do their best to try to see who has the right data. as arin seems to be driven by fud, policy wannabes, and lawyer(s), this might be complex, slow, and expensive. so it goes. but, unlike the other regions, the arin.irr is not confuddled with the arin.whois. i.e. it is kind of irrelevant to the authority on resource ownership, arin's real responsibility. they are just providing a free irr service, as it is the popular thing for rirs to do these years. and i don't think many use it. if you don't like its weak authentication, then don't use it, there are plenty of alternatives, e.g. see $subject. i agree that running an irr instance with only mail-from is pretty lame. and there is good free software out there to do it well if you do not suffer from nih. so i would advise putting it late in your peval() string. randy, who runs an irr instance using irrd
Re: arin and ops fora (was Re: AltDB?)
On Jan 8, 2011, at 1:15 PM, David Conrad wrote: Lee, On Jan 8, 2011, at 4:40 AM, Lee Howard wrote: I think that's a bit of what we've been trying to do with the Best Current Operational Practices BoFs. We need a place where operators can discuss and document BCOPs. While I think BCOPs (and BCOP BoFs) are a great idea, I guess the question is how can folks be assured that ARIN would follow a NANOG community-defined BCOP relating directly to ARIN operations. For example, if the NANOG community were to (reasonably) say BCOP is to use IETF-defined standards for publishing and accessing resource registration data, I'd imagine ARIN might (reasonably) disagree and continue down the RWS path. I suspect part of the issue is that ARIN is a monopoly provider of a variety of public services that folks unrelated (directly) to ARIN must make use of. In other areas of public service provision, there are things like public utilities commissions that (in theory) ensure the monopoly service provider acts in the public benefit when services are added/changed/deleted. My impression is that the various WGs and SIGs in the other RIRs perform something similar to that function. There doesn't appear to be anything similar in the ARIN region. Regards, -drc In ARIN, there are things like BoT elections and the BoT very much fulfills the role of the PUC as you describe above. People can submit requests for operational changes to ARIN through the ACSP and in my experience they get a good review and comment period by the community and the board listens to these things and responds appropriately. Especially if a suggestion receives significant support, it tends to get implemented. Owen
Re: AltDB?
On Jan 8, 2011, at 7:08 PM, Randy Bush wrote: Taking your prior language at face value, which you elided, it appears that you have no intent of any future participation in ARIN processes. i am doing so right here and now. you just don't like my choice of forum and probably my message. tough patooties. randy Throwing rocks at a process in another organization's forum is not participating in the process any more than standing before the Syrian Government and criticizing the US congress would be participating in US politics. Owen
Re: AltDB?
note that while i am also an ARIN trustee, i am speaking here as what randy calls just another bozo on this bus. for further background, ISC has done some rpki work and everybody at ISC including me likes rpki just fine. when the ARIN board was first considering funding ISC to do some early rpki work, i went out into the hallway until the discussion was over (ending positively.) On Jan 5, 2011, at 12:32 PM, Randy Bush wrote: i have a rumor that arin is delaying and possibly not doing rpki that seems to have been announced on the ppml list (to which i do not subscribe). john curran has explained that arin is doing its due diligence on some concerns that were brought up during a review of the rpki rollout. there is no sense in which arin has said that it is not doing rpki although the current review does technically qualify as delaying rpki. i'm treating the above rumour as false. David Conrad d...@virtualized.org writes: I heard about the delay, but not about ARIN possibly not doing RPKI. That would be ... surprising. [...] it would be very much surprising to me as well. [bush] as it has impact on routing, not address policy, across north america and, in fact the globe, one would think it would be announced and discussed a bit more openly and widely. even if i thought that the operational impact could be felt in these early days when rpki remains an almost completely nonproduction service, and i don't think this by the way, i would still say that an internal review of a new service is not really something the whole community cares about. [conrad] The definition of what comes under the public policy mailing list umbrella has always been a bit confusing to me. Too bad something like the APNIC SIGs and RIPE Working Groups don't really exist in the ARIN region. do you have a specific proposal? i've noted in the past that arin tries hard to stick to its knitting, which is allocation and allocation policy. 
it seems to me that if some in the community wanted arin to run SIGs or WGs on things like routing policy arin could do it but that a lot of folks would say that's mission creep and that it would be arin poaching on nanog lands. -- Paul Vixie Chairman and Chief Scientist, ISC Trustee, ARIN
Re: AltDB?
[ caveat: i am *one of* the architects of all this, and am paid to work on it, currently (indirectly) by the usg dhs. ]

for background, the other four rirs have rolled rpki out in the last weeks, apnic and afrinic with the up/down protocol, ripe web only, and i am not well informed about lacnic's roll out. for the geeky, i append the trust anchor locators for all but afrinic (i'll try to get that).

even if i thought that the operational impact could be felt in these early days when rpki remains an almost completely nonproduction service, and i don't think this by the way, i would still say that an internal review of a new service is not really something the whole community cares about.

well yes and no. it was important enough that (i have been told) john announced it on major arin mailing list(s). and, as we all know, when info is not openly visible, it gets warped in transmission. hence the (i think you are saying) incorrect impression out here that the bot is questioning rpki roll-out in general. more recent rumors, and john's posting here, seem to indicate that

o arin's lawyer, who actually seems to run arin, has created massive fud about liability.

o so arin management is seriously reconsidering a web-only roll-out and seriously considering prioritizing being able to delegate the authority to the large isps by implementing the up/down protocol (draft-ietf-sidr-rescerts-provisioning-09.txt).

i am a big fan of up/down. i am not a big fan of delay.

first, it would really help if the arin bot and management were much more open about these issues and decisions. at the detailed level. we are all not fools out here, present company excepted :). for a radical example, considering that arin is managing a public resource for the community, why are bot meetings not streamed a la cspan?

i do not see how you are going to get rid of the liability. you have it now in whois/irr if i use it for routing (except they are so widely known to be bad data that the world knows i would be a fool to bet on them). whether the source of a roa is a user whacking on an arin web page or by other means, you still attested to the rights to that address space.

but all this is based on inference and rumor. can you please be more open and direct about this?

thanks.

randy

--- ripe-ncc-root.tal

rsync://rpki.afrinic.net/repository/AfriNIC.cer
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxsAqAhWIO+ON2Ef9oRDM
pKxv+AfmSLIdLWJtjrvUyDxJPBjgR+kVrOHUeTaujygFUp49tuN5H2C1rUuQavTH
vve6xNF5fU3OkTcqEzMOZy+ctkbde2SRMVdvbO22+TH9gNhKDc9l7Vu01qU4LeJH
k3X0f5uu5346YrGAOSv6AaYBXVgXxa0s9ZvgqFpim50pReQe/WI3QwFKNgpPzfQL
6Y7fDPYdYaVOXPXSKtx7P4s4KLA/ZWmRL/bobw/i2fFviAGhDrjqqqum+/9w1hEl
L/vqihVnV18saKTnLvkItA/Bf5i11Yhw2K7qv573YWxyuqCknO/iYLTR1DToBZcZ
UQIDAQAB

rsync://repository.lacnic.net/rpki/lacnic/RTA_LACNIC_RPKI.cer
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1AuR49ZoKS59Vnpq8M0X
djeV3ROqtElwx6sNmUXvWBFPQlZLs2tR5/0MwprIWRi91WnMBVWjsECcLBe7Pu+u
V/tTvPMJRXm/c+l8nR+FhAj7pn4M5A2pHFBndCPc1UrFD+BLACx9DSNiUjzKr1t7
wjHTW+F0NMnZ9g9hKdxDNCFi66BGx2f3TTW3uGns/IPfkxrRCeYtJcBpQ5mKoc8g
QOndiEG/33uXDS9EOe1dycmnaw9EQqxqHp+Bj0TIVoFyfDNuT+soJ3uwtQr2g5Ys
AIxJtmBAZrLj+acmLeQrYC0xQuK118dSAS9r6GSm476m2aGEYtb083fLodeYSEjM
/wIDAQAB

rsync://rpki.ripe.net/ta/ripe-ncc-ta.cer
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSGqUz2m
yBsOzeW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZxIgPPV
2pFBFeQAvoH/WK83HwA26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eNc
Krmit8BwBC8xImzuCGaV0jkRB0GZ0hoH6Ml03umLprRsn6v0xOP0+l6
Qc1ZHMFVFb385IQ7FQQTcVIxrdeMsoyJq9eMkE6DoclHhF/NlSllXub
ASQ9KUWqJ0+Ot3QCXr4LXECMfkpkVR2TZT+v5v658bHVs6ZxRD1b6Uk
1uQKAyHUbn/tXvP8lrjAibGzVsXDT2L0x4Edx+QdixPgOji3gBMyL2V
wIDAQAB
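To make the appended locators something you can check rather than just read, here is an added example (not from the post or from any RIR's tooling) that parses a TAL in the layout shown above, URI line(s) followed by the base64 subjectPublicKeyInfo, which may wrap across lines, as RFC 6490/7730 describe it, decodes the key, walks the DER by hand to confirm it is a SubjectPublicKeyInfo for rsaEncryption, and reports the modulus size and a SHA-256 fingerprint you can pin in your validator's configuration. The embedded TAL text is the RIPE NCC one copied from the post; the minimal DER walker is mine and handles only what a TAL key needs.

```python
"""Parse an RPKI trust anchor locator (TAL) and sanity-check its key.

Added example. Layout assumed (per RFC 6490/7730): one or more URI lines,
then the base64 DER subjectPublicKeyInfo, possibly wrapped. The TAL below
is the RIPE NCC one as posted above.
"""
import base64
import hashlib

RIPE_TAL = """\
rsync://rpki.ripe.net/ta/ripe-ncc-ta.cer
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSGqUz2m
yBsOzeW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZxIgPPV
2pFBFeQAvoH/WK83HwA26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eNc
Krmit8BwBC8xImzuCGaV0jkRB0GZ0hoH6Ml03umLprRsn6v0xOP0+l6
Qc1ZHMFVFb385IQ7FQQTcVIxrdeMsoyJq9eMkE6DoclHhF/NlSllXub
ASQ9KUWqJ0+Ot3QCXr4LXECMfkpkVR2TZT+v5v658bHVs6ZxRD1b6Uk
1uQKAyHUbn/tXvP8lrjAibGzVsXDT2L0x4Edx+QdixPgOji3gBMyL2V
wIDAQAB
"""

# DER-encoded OID 1.2.840.113549.1.1.1 (rsaEncryption), without tag/length.
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")


def parse_tal(text):
    """Return (uris, der_spki). URI-looking lines go to the URI list; every
    other non-blank, non-comment line is treated as base64 key material."""
    uris, b64 = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(("rsync://", "https://", "http://")):
            uris.append(line)
        else:
            b64.append(line)
    if not uris or not b64:
        raise ValueError("TAL needs at least one URI and a key")
    return uris, base64.b64decode("".join(b64), validate=True)


def _der_header(buf, pos):
    """Parse one DER tag and length at pos; return (tag, length, content_offset)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, first, pos + 2
    nbytes = first & 0x7F                 # long form: next nbytes hold the length
    if nbytes == 0 or nbytes > 4 or pos + 2 + nbytes > len(buf):
        raise ValueError("bad DER length")
    length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
    return tag, length, pos + 2 + nbytes


def inspect_spki(der):
    """Check der is a SubjectPublicKeyInfo for rsaEncryption; report modulus
    size and a SHA-256 fingerprint of the DER bytes, suitable for pinning."""
    tag, length, off = _der_header(der, 0)
    if tag != 0x30 or off + length != len(der):
        raise ValueError("not a single DER SEQUENCE spanning the key")
    atag, alen, aoff = _der_header(der, off)          # AlgorithmIdentifier
    if atag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    otag, olen, ooff = _der_header(der, aoff)         # algorithm OID
    if otag != 0x06 or der[ooff:ooff + olen] != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    btag, blen, boff = _der_header(der, aoff + alen)  # BIT STRING subjectPublicKey
    if btag != 0x03 or der[boff] != 0:
        raise ValueError("bad subjectPublicKey BIT STRING")
    ptag, plen, poff = _der_header(der, boff + 1)     # RSAPublicKey SEQUENCE
    ntag, nlen, noff = _der_header(der, poff)         # modulus INTEGER
    if ptag != 0x30 or ntag != 0x02:
        raise ValueError("bad RSAPublicKey")
    modulus = der[noff:noff + nlen].lstrip(b"\x00")   # drop the sign byte
    return {"algorithm": "rsaEncryption",
            "modulus_bits": len(modulus) * 8,
            "sha256": hashlib.sha256(der).hexdigest()}


def summarize_tal(text):
    """Parse and inspect a TAL; the dict is what you would record and pin."""
    uris, der = parse_tal(text)
    info = inspect_spki(der)
    info["uris"] = uris
    return info


if __name__ == "__main__":
    for k, v in summarize_tal(RIPE_TAL).items():
        print(f"{k}: {v}")
```

The point of the fingerprint is operational: a TAL is the one piece of RPKI data you take on faith, so record its key hash out of band and compare before letting a validator load a TAL you fetched or were sent.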
Re: AltDB?
Paul, On Jan 7, 2011, at 7:33 PM, Paul Vixie wrote: The definition of what comes under the public policy mailing list umbrella has always been a bit confusing to me. Too bad something like the APNIC SIGs and RIPE Working Groups don't really exist in the ARIN region. do you have a specific proposal? i've noted in the past that arin tries hard to stick to its knitting, which is allocation and allocation policy. Yes. This is a positive (IMHO), however it seems that occasionally, ARIN's knitting tangles up folks who don't necessarily involve themselves with ARIN's existing interaction mechanisms (at least directly). it seems to me that if some in the community wanted arin to run SIGs or WGs on things like routing policy arin could do it but that a lot of folks would say that's mission creep and that it would be arin poaching on nanog lands. The issue I see is that there are non-address allocation{, policy} topics that can deeply affect network operations in which ARIN has a direct role, yet network operators (outside of the normal ARIN participants) have no obvious mechanism in which to comment/discuss/etc. Examples would include reverse DNS operations, whois database-related issues (operations, schema, access methods, etc.), (potentially?) RPKI, etc. It doesn't seem appropriate to me for these to be discussed in relation to addressing policy nor are the issues associated with those examples necessarily related to address allocation, hence I wouldn't think they'd be fodder for ppml. In the other regions, the RIRs host the discussions (e.g., for reverse DNS-related discussions there is dns-wg in RIPE and dns-sig in APNIC, not sure if there are similar constructs in LACNIC or AfriNIC) and the RIR staff provides input but (as far as I know) do not direct results. Since the (non-ARIN) RIRs typically perform some action based on input from these hosted discussions (or explain to the community why they can't/won't), this works reasonably well. 
In the ARIN region, for reasons that you mention among others, I'm unclear whether there is sufficient trust (on both sides, ARIN or the ARIN-region network operations community) for ARIN to do something similar (note I'm not saying there isn't trust, just that I'm not sure that there is). One alternative (which I suggest being blissfully ignorant of either politics or establishment mechanisms in NANOG) would be for some sort of joint ARIN/NANOG interest group (or whatever) for areas that impact ARIN and network operators in which folks have interest such as routing policy/security, dns operations, registration data representation/access, etc. So, in other words, no, I don't really have a specific proposal. Regards, -drc
Re: ARIN and the RPKI (was Re: AltDB?)
Date: Thu, 06 Jan 2011 14:24:01 +0900 From: Randy Bush ra...@psg.com I think ACLs here means prefix-lists ... or I hope that's what Randy meant? sorry. yes, irr based prefix lists. and, sad to say, data which have sucked for 15+ years. i was the poster child for the irr, and it just never took off. [ irr data are pretty bad except for some islands where there is culture of maintaining them. and, as it is a global internet, islands don't help much. europe and japan are two islands with better than the average irr data quality. and they have rpki rolling to varied degrees. ] The day of reasonable accuracy of the IRR ended when UUnet bought ANI. Since ANI actually used the IRR to generate their router configs and ANI was pretty big, people were really forced to register. Curtis had a lot of excellent software that did all sorts of impressive stuff with the IRR, but I guess that all went into the bit bucket when UUnet took over. Very, very sad! -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: ober...@es.net Phone: +1 510 486-8634 Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
Re: ARIN and the RPKI (was Re: AltDB?)
On Thu, Jan 6, 2011 at 2:03 PM, Kevin Oberman ober...@es.net wrote: Date: Thu, 06 Jan 2011 14:24:01 +0900 From: Randy Bush ra...@psg.com I think ACLs here means prefix-lists ... or I hope that's what Randy meant? sorry. yes, irr based prefix lists. and, sad to say, data which have sucked for 15+ years. i was the poster child for the irr, and it just never took off. [ irr data are pretty bad except for some islands where there is culture of maintaining them. and, as it is a global internet, islands don't help much. europe and japan are two islands with better than the average irr data quality. and they have rpki rolling to varied degrees. ] The day of reasonable accuracy of the IRR ended when UUnet bought ANI. Since ANI actually used the IRR to generate their router configs s/NI/NS/g and ANI was pretty big, people were really forced to register. Curtis s/NI/NS/ had a lot of excellent software that did all sorts of impressive stuff with the IRR, but I guess that all went into the bit bucket when UUnet took over. we did require you to email nacr-list@ :) that didn't help? All sed jokes aside, would having attestations that the route you see is part of a block assigned by IANA to ARIN and from ARIN to UUNET and from UUNET to JoesCrabShuckers make sense to you? (and to your router policy provided the router policy engine and code worked) The efficacy of the IRR isn't at question, the ability to assure with some level of reasonableness that the thing you see (and eventually its path to get to you) is valid is what the RPKI system is building toward. -Chris Very, very sad! (tears were shed) -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: ober...@es.net Phone: +1 510 486-8634 Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
Re: ARIN and the RPKI (was Re: AltDB?)
had a lot of excellent software that did all sorts of impressive stuff with the IRR, but I guess that all went into the bit bucket when UUnet took over. we did require you to email nacr-list@ :) that didn't help? and he processed on wednesday, not exactly optimal for ops. if we are listing those who gave good blood for the irr, joe lawrence and roy alcala, of mci and later level(3), would be at the top of my list. randy
Re: AltDB?
[moved to nanog as it seems a far more appropriate forum than cisco-nsp]

On Wed, 5 Jan 2011, Jose Madrid wrote: Anyone here use AltDB? It seems their servers have been down for two days. I have emailed their admin alias but have gotten nothing. Anyone?

whois -h whois.altdb.net 199.48.252.0
[Querying whois.altdb.net]
[Unable to connect to remote host]

Can anyone from Level3 say how this will impact customer BGP filters. Will L3 keep working with the last data sync they got from altdb? I'm guessing if whatever the problem is with altdb isn't fixed soon, those who use it as their IRR will need to re-publish all their objects in another IRR DB and have any transit providers who build filters based on IRR data update their profiles to use object data from the IRR DB to which they moved their records. I'd been thinking about moving from altdb to ARIN's but hadn't had sufficient motivation.

www.altdb.net is reachable, but the whois server is not. Even altdb queries run from http://www.altdb.net/ fail.

-- Jon Lewis, MCP :) | I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: AltDB?
On Wed, Jan 5, 2011 at 11:26 AM, Jon Lewis jle...@lewis.org wrote: Anyone here use AltDB? It seems their servers have been down for two days. Can anyone from Level3 say how this will impact customer BGP filters. Will L3 keep working with the last data sync they got from altdb? I'm guessing Since Level3 updates their prefix-lists at least daily, and integrates new ALTDB updates at least daily, and the ALTDB has been down for over a day, obviously it will not affect your Level3 prefix-lists in the near-term. If Level3 decided to stop honoring ALTDB objects, say, because ALTDB was never fixed, I imagine you would find it necessary to re-publish your objects or Level3 would stop honoring your routes. I'd been thinking about moving from altdb to ARIN's but hadn't had sufficient motivation. I emailed ARIN yesterday to ask if their IRR database has any authentication support (other than mail-from) yet. I haven't seen any reply from ARIN yet, but my guess is they still have no useful authentication mechanism. I would rather depend on an IRR database that can't process updates for a few days per year, than use one where a malicious party could alter or erase all of my objects at any time. I would like to note that RADB had route6: support in about 2004 or so, if my memory serves me; while the ARIN database did not accept route6 objects until about a year ago. So it is not exactly a high priority for ARIN. Note also that Level3 has an IRR database, so you could use theirs if you want to. I don't prefer to use a transit provider database if I can use a neutral one, but sometimes I would rather not pay the (entirely reasonable) fee for the MERIT RADB. -- Jeff S Wheeler j...@inconcepts.biz Sr Network Operator / Innovative Network Concepts
Re: AltDB?
On Jan 5, 2011, at 9:26 AM, Jon Lewis wrote: [snip] Can anyone from Level3 say how this will impact customer BGP filters. Will L3 keep working with the last data sync they got from altdb? Yes, Level 3 will continue to use the last data mirrored and archived. New filters are not pushed daily, they are only pushed when things change. Archives are here in case people want to know what the latest was: ftp://rr.level3.net/pub/rr/archive.mirror-data/ regards
Re: AltDB?
On 05/01/2011 17:09, Craig Pierantozzi wrote: On Jan 5, 2011, at 9:26 AM, Jon Lewis wrote: [snip] Can anyone from Level3 say how this will impact customer BGP filters. Will L3 keep working with the last data sync they got from altdb? Yes, Level 3 will continue to use the last data mirrored and archived. New filters are not pushed daily, they are only pushed when things change. Archives are here in case people want to know what the latest was: ftp://rr.level3.net/pub/rr/archive.mirror-data/ regards So has anyone had any contact from ALTDB as to what's going on? Thanks! --J
RE: AltDB?
So has anyone had any contact from ALTDB as to what's going on? Thanks! --J I just got off the phone with Steve Rubin. He restarted it 45 minutes ago and it's back up. Regards, Randy
Re: AltDB?
On 2011-01-05, at 12:31, Jared Mauch wrote: 2) If you DEPEND on something for your business, it may just be worth it to: a) pay RADB who operates professionally b) use your ISP provided IRR (eg: NTT, level3, savvis, etc) I generally recommend that people use the RIPE database, regardless of location. The main reason for that used to be that they supported IPv6 policy attributes before anybody else did, but that's quite possibly no longer a useful discriminator. If you ever have ambitions to announce a route to a peer in Europe, having objects in the RIPE db can also help avoid annoyance. Joe
Re: AltDB?
1) If ARIN doesn't provide the level of authentication you desire, as an ARIN member you should send a note to ppml each day until it's available this is not address policy. this is ops. surely one does not have to dirty one's self with the ppml list to get an ops fix done in arin. it is not address policy. i have a rumor that arin is delaying and possibly not doing rpki that seems to have been announced on the ppml list (to which i do not subscribe). as it has impact on routing, not address policy, across north america and, in fact the globe, one would think it would be announced and discussed a bit more openly and widely. randy
ARIN and the RPKI (was Re: AltDB?)
Sorry for the subject change, it seems now we're talking about something perhaps more relevant to me (security and routing stuff)

On Wed, Jan 5, 2011 at 5:32 PM, Randy Bush ra...@psg.com wrote:
> i have a rumor that arin is delaying and possibly not doing rpki that
> seems to have been announced on the ppml list (to which i do not

I have heard this as well ... the message in the archive is (arin-announce actually, not ppml):
http://lists.arin.net/pipermail/arin-announce/2010-December/001107.html

Essentially the note says that Kosters' crew are delaying until Q2-2011 the deployment of RPKI services (nebulous 'other features need to be implemented due to security concerns' is the stated reason).

> subscribe). as it has impact on routing, not address policy, across
> north america and, in fact the globe, one would think it would be
> announced and discussed a bit more openly and widely.

I agree... so, what is the RPKI for and why should ops/security folks care? (and should we care enough to poke our local ARIN constabulary in the eye with a sharp stick?)

I'm of the belief that if we (ops/security folks) feel the need to have a more secure routing infrastructure so we can hope to avoid incidents like (quick examples, there are many others like these):

 o AS7007 full-table re-announce + re-originate
 o ConEdison hijack + re-originate
 o Pakistan/YT hijack + re-originate
 o Pilosov/Kapela hijacks/manipulations
 o Christmas TurkTelecom leak/hijack
 o PRC network leakages/hijacks/etc of April 2010

(Note: let's not debate if the above incidents are one/the-other hijack/mistake/etc, the simple fact is traffic was diverted and some better filtering/control would have avoided these failures in our system)

We need at least these things to exist:

 o an accurate mapping of resource (netblock/asn) to authorized-entity (RIR/NIR/LIR/Customer/...)
 o a system to manage this data for our routing equipment
 o protocol enhancements that can be used to help propagate the mapping information or at the least help a router programmatically understand if a resource is being used by the authorized entity
 o routing software that can digest the enhanced data
 o routing hardware that won't crumple under the weight of (what seems like) heavier weight routing protocol requirements

I believe the linchpin in this is the accurate mapping of resources to authorized users; I believe that is supposed to be the RPKI system. I believe that the RPKI will tell me, an end-operator, that 63.0.0.0/9 was handed from IANA to ARIN to UUNET/VerizonBusiness and that this is being properly announced with an Origin-AS of 701. Having the service run by these organizations seems reasonable to me... IANA signs down to the RIR (ARIN in my example) and ARIN signs to VZB who can choose to sign down to their customers if necessary.

Today there is a very loose, in all regions not just ARIN's, association with lots of cruft and inaccuracies. The RPKI, operated by RIRs, would provide some solid linkage and authority between resources and owners; it should help to enforce cruft management as well as provide mechanical (and relatively simple) management of the data and associated filtering/etc on devices.

There is, of course, some risk with this model and we should take the time to accept/discuss that as well. Danny has had lots of good input on this topic; I'd hope that other folks who've been through longer term ops battles with filtering (jared, shane, charles gucker, rs, ras, ...) and the like can take some time to think about this problem. I'd love it if we could have some reasoned discussion here as well.

Finally, everyone should go poke their ARIN corporate representative(s) (or email the BoT or AC folks directly even?) with their thoughts on whether or not the RPKI system and Routing Security are important items for ARIN (as one RIR) to pursue for the health of the Internet and Ops Sanity.

The BoT folks are listed at: https://www.arin.net/about_us/bot.html (with email addresses even!)
The AC folks are listed at: https://www.arin.net/about_us/ac.html

-Chris
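The check Chris describes (the RPKI says the AS701 operator holds 63.0.0.0/9, so a router can tell whether an announcement is coming from the authorized origin) as an added example; this is not code from the thread, from ARIN or from any router vendor. Only 63.0.0.0/9 with origin AS 701 comes from the message; its maxLength, the other ROA entries and every test announcement are constructed, and the valid / invalid / not-found outcomes follow the RFC 6811 rules that came out of the sidr work mentioned below.

```python
"""Route origin validation against a constructed ROA/VRP table.

Added example, not part of the original thread or of any RIR software.
It models the check Chris describes: the RPKI says the AS701 operator
holds 63.0.0.0/9, so a router can ask whether an announcement's origin AS
is the authorized one. Only 63.0.0.0/9 / AS701 comes from the thread; its
maxLength value, the other ROAs and all test announcements are constructed.
The three outcomes (valid, invalid, not-found) follow RFC 6811.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: covered prefix, maxLength, authorized origin AS."""
    prefix: "ipaddress.IPv4Network | ipaddress.IPv6Network"
    max_length: int
    asn: int


def vrp(prefix, max_length, asn):
    return VRP(ipaddress.ip_network(prefix, strict=True), max_length, asn)


# Constructed VRP table. A maxLength equal to the prefix length means only
# that exact prefix is authorized; AS 0 means no AS may originate the prefix.
SAMPLE_VRPS = [
    vrp("63.0.0.0/9", 9, 701),          # from the thread; maxLength assumed
    vrp("192.0.2.0/24", 24, 64496),     # constructed
    vrp("2001:db8::/32", 48, 64496),    # constructed: /32 .. /48 allowed
    vrp("198.51.100.0/24", 24, 0),      # constructed AS0 ROA: never valid
]


def covering_vrps(vrps, route):
    """VRPs whose prefix covers the route (same family, equal or shorter length)."""
    # A production router keeps VRPs in a trie keyed by prefix (the RAM cost
    # raised later in the thread); a linear scan is enough to show the logic.
    return [
        v for v in vrps
        if v.prefix.version == route.version
        and v.prefix.prefixlen <= route.prefixlen
        and route.subnet_of(v.prefix)
    ]


def validate_origin(vrps, prefix, origin_as):
    """Return 'valid', 'invalid' or 'not-found' for (prefix, origin AS)."""
    route = ipaddress.ip_network(prefix, strict=True)
    covering = covering_vrps(vrps, route)
    if not covering:
        return "not-found"            # no ROA says anything about this space
    for v in covering:
        # RFC 6811: valid if some covering VRP names this origin AS and the
        # announced length does not exceed its maxLength. AS 0 ROAs can never
        # match a real origin, so they only ever make announcements invalid.
        if origin_as != 0 and v.asn == origin_as and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid"                  # covered, but wrong origin or too specific


def policy_action(state):
    """A common deployment policy: drop invalids, accept valid and not-found."""
    return "reject" if state == "invalid" else "accept"


def check_announcements(vrps, announcements):
    """Validate (prefix, origin_as) pairs; return (prefix, asn, state, action) rows."""
    out = []
    for prefix, asn in announcements:
        state = validate_origin(vrps, prefix, asn)
        out.append((prefix, asn, state, policy_action(state)))
    return out


if __name__ == "__main__":
    # Constructed announcements: the legitimate one, a re-origination from
    # another AS, an over-specific announcement beyond the ROA's maxLength,
    # and a prefix with no ROA at all.
    for row in check_announcements(SAMPLE_VRPS, [
        ("63.0.0.0/9", 701),
        ("63.0.0.0/9", 64500),
        ("63.0.0.0/10", 701),
        ("203.0.113.0/24", 64496),
    ]):
        print("%-16s AS%-6d %-9s -> %s" % row)
```

The "re-originate" incidents listed above all show up as the second row: the prefix is covered by a ROA, the origin AS is not the authorized one, so the route is invalid and the policy rejects it. A more-specific leak beyond the ROA's maxLength (third row) is caught the same way, which is why maxLength should be set no looser than the holder actually announces.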
Re: ARIN and the RPKI (was Re: AltDB?)
> We need at least these things to exist:
> o an accurate mapping of resource (netblock/asn) to authorized-entity
>   (RIR/NIR/LIR/Customer/...)
> o a system to manage this data for our routing equipment

see all the sidr documents in last call to go from i-ds to rfcs. oh, you co-chair sidr :)

> o protocol enhancements that can be used to help propagate the mapping
>   information or at the least help a router programmatically understand
>   if a resource is being used by the authorized entity

see draft-ietf-sidr-rpki-rtr-07

> o routing software that can digest the enhanced data

in test. rumors of going normal release from at least one vendor in q2

> o routing hardware that won't crumple under the weight of (what seems
>   like) heavier weight routing protocol requirements

actually, the formal rpki-based origin-validation stuff is measured to take *less* cpu, a lot less, than ACLs

> There is, of course, some risk with this model and we should take the
> time to accept/discuss that as well.

some guidance toward ameliorating the risks are in draft-ietf-sidr-rpki-origin-ops-00.txt.

input from ops into all this stuff would be most welcome.

randy
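The rpki-rtr draft Randy points to is the piece that gets the mapping into the router: a cache streams prefix/maxLength/origin-AS records to the router, each flagged as an announcement or a withdrawal, and the router keeps the resulting table in memory. The following is an added example of that exchange, not code from the thread, the IETF draft or any vendor; it follows the protocol version 0 PDU layout of draft-ietf-sidr-rpki-rtr (later RFC 6810), and all prefixes, AS numbers, session ids and serial numbers in it are constructed.

```python
"""Encoding and decoding rpki-rtr prefix PDUs (protocol version 0).

Added example, not code from the thread, the IETF draft or any vendor. It
follows the PDU layout of draft-ietf-sidr-rpki-rtr (later RFC 6810): the
cache streams IPv4/IPv6 Prefix PDUs carrying prefix, maxLength and origin
AS, each flagged announce or withdraw, and the router updates its
in-memory VRP table accordingly. All values below are constructed.
"""
import ipaddress
import struct

PROTOCOL_VERSION = 0
PDU_CACHE_RESPONSE = 3
PDU_IPV4_PREFIX = 4
PDU_IPV6_PREFIX = 6
PDU_END_OF_DATA = 7
FLAG_ANNOUNCE = 0x01                     # bit 0 set: announce; clear: withdraw

HEADER = struct.Struct("!BBHI")          # version, type, zero/session id, total length
V4_BODY = struct.Struct("!BBBB4sI")      # flags, prefix len, max len, zero, prefix, ASN
V6_BODY = struct.Struct("!BBBB16sI")


def encode_prefix_pdu(prefix, max_length, asn, announce=True):
    """Build one IPv4 (20 bytes) or IPv6 (32 bytes) Prefix PDU."""
    net = ipaddress.ip_network(prefix, strict=True)
    flags = FLAG_ANNOUNCE if announce else 0
    if net.version == 4:
        ptype, body = PDU_IPV4_PREFIX, V4_BODY.pack(
            flags, net.prefixlen, max_length, 0, net.network_address.packed, asn)
    else:
        ptype, body = PDU_IPV6_PREFIX, V6_BODY.pack(
            flags, net.prefixlen, max_length, 0, net.network_address.packed, asn)
    return HEADER.pack(PROTOCOL_VERSION, ptype, 0, HEADER.size + len(body)) + body


def decode_pdus(data):
    """Parse a byte stream of PDUs into (announce, network, max_length, asn) records.

    Non-prefix PDUs (Cache Response, End Of Data, ...) are skipped using their
    length field; a truncated or malformed PDU raises ValueError rather than
    being guessed at, since the router's view of the table must stay exact.
    """
    records, off = [], 0
    while off < len(data):
        if len(data) - off < HEADER.size:
            raise ValueError("truncated PDU header")
        version, ptype, _, length = HEADER.unpack_from(data, off)
        if version != PROTOCOL_VERSION:
            raise ValueError("unsupported protocol version %d" % version)
        if length < HEADER.size or off + length > len(data):
            raise ValueError("bad PDU length %d" % length)
        body = data[off + HEADER.size:off + length]
        if ptype == PDU_IPV4_PREFIX and len(body) == V4_BODY.size:
            flags, plen, maxlen, _, raw, asn = V4_BODY.unpack(body)
            net = ipaddress.IPv4Network((raw, plen), strict=True)
        elif ptype == PDU_IPV6_PREFIX and len(body) == V6_BODY.size:
            flags, plen, maxlen, _, raw, asn = V6_BODY.unpack(body)
            net = ipaddress.IPv6Network((raw, plen), strict=True)
        else:
            off += length                # not a prefix PDU: nothing to record
            continue
        if not plen <= maxlen <= net.max_prefixlen:
            raise ValueError("inconsistent lengths in PDU: /%d max %d" % (plen, maxlen))
        records.append((bool(flags & FLAG_ANNOUNCE), net, maxlen, asn))
        off += length
    return records


def apply_records(table, records):
    """Apply announce/withdraw records to a set of (network, max_length, asn) tuples."""
    for announce, net, maxlen, asn in records:
        if announce:
            table.add((net, maxlen, asn))
        else:
            table.discard((net, maxlen, asn))
    return table


if __name__ == "__main__":
    # Constructed cache-to-router exchange: Cache Response (session id 1), two
    # prefix announcements, then End Of Data carrying serial number 1.
    stream = (HEADER.pack(PROTOCOL_VERSION, PDU_CACHE_RESPONSE, 1, HEADER.size)
              + encode_prefix_pdu("192.0.2.0/24", 24, 64496)
              + encode_prefix_pdu("2001:db8::/32", 48, 64496)
              + HEADER.pack(PROTOCOL_VERSION, PDU_END_OF_DATA, 1, 12) + struct.pack("!I", 1))
    for entry in sorted(apply_records(set(), decode_pdus(stream)), key=str):
        print(entry)
```

Each record is 20 or 32 bytes on the wire and one tuple in the router's table, which is the memory cost Chris raises next: the check itself is cheap, but every VRP the cache pushes has to be held in RAM on the router.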
Re: ARIN and the RPKI (was Re: AltDB?)
On Wed, Jan 5, 2011 at 11:16 PM, Randy Bush ra...@psg.com wrote:
>> We need at least these things to exist:
>> o an accurate mapping of resource (netblock/asn) to authorized-entity
>>   (RIR/NIR/LIR/Customer/...)
>> o a system to manage this data for our routing equipment
>
> see all the sidr documents in last call to go from i-ds to rfcs. oh, you
> co-chair sidr :)

yes, sorry I should have been more open ... i do co-chair (with sandy murphy) the sidr-wg at the IETF.

>> o protocol enhancements that can be used to help propagate the mapping
>>   information or at the least help a router programmatically understand
>>   if a resource is being used by the authorized entity
>
> see draft-ietf-sidr-rpki-rtr-07
>
>> o routing software that can digest the enhanced data
>
> in test. rumors of going normal release from at least one vendor in q2
>
>> o routing hardware that won't crumple under the weight of (what seems
>>   like) heavier weight routing protocol requirements
>
> actually, the formal rpki-based origin-validation stuff is measured to
> take *less* cpu, a lot less, than ACLs

CPU + RAM both parts of the vector matter. (but you knew this)

Some of the interesting data would, I think, be good for ops folks to see more openly, things that may actually affect their purchasing and design decisions even! Danny's had some good presentation material about changes in spec/implementations that have altered drastically the update load on devices in actual networks.

>> There is, of course, some risk with this model and we should take the
>> time to accept/discuss that as well.
>
> some guidance toward ameliorating the risks are in
> draft-ietf-sidr-rpki-origin-ops-00.txt.
>
> input from ops into all this stuff would be most welcome.

yes (as the co-chair)
yes (as the OP... more input/thought/discussion)

and looking at the: https://www.arin.net/about_us/bot/index.html it looks like the BoT is due to have a meeting either this week or next? (they seem to always have one in the first week or two of the year?)

so again speak up here AND perhaps send a note the BoT or your ARIN Rep's way now.

-Chris
Re: ARIN and the RPKI (was Re: AltDB?)
On Jan 6, 2011, at 11:16 AM, Randy Bush wrote:
> actually, the formal rpki-based origin-validation stuff is measured to
> take *less* cpu, a lot less, than ACLs

On the platforms which really matter in terms of rPKI, ACLs are handled in hardware, so this is pretty much a wash.

Concur on all the other points, however.

Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Most software today is very much like an Egyptian pyramid, with millions of bricks piled on top of each other, with no structural integrity, but just done by brute force and thousands of slaves.

-- Alan Kay
Re: ARIN and the RPKI (was Re: AltDB?)
On Wed, Jan 5, 2011 at 11:30 PM, Dobbins, Roland rdobb...@arbor.net wrote:
> On Jan 6, 2011, at 11:16 AM, Randy Bush wrote:
>> actually, the formal rpki-based origin-validation stuff is measured to
>> take *less* cpu, a lot less, than ACLs
>
> On the platforms which really matter in terms of rPKI, ACLs are handled
> in hardware, so this is pretty much a wash.

I think ACLs here means prefix-lists ... or I hope that's what Randy meant? (prefix-lists are still, I believe, handled in the router CPU, and the normal router OS not in hardware)

> Concur on all the other points, however.

cool, thanks!

-chris

> Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
>
> Most software today is very much like an Egyptian pyramid, with millions
> of bricks piled on top of each other, with no structural integrity, but
> just done by brute force and thousands of slaves.
>
> -- Alan Kay
Re: ARIN and the RPKI (was Re: AltDB?)
>> actually, the formal rpki-based origin-validation stuff is measured to
>> take *less* cpu, a lot less, than ACLs
>
> On the platforms which really matter in terms of rPKI, ACLs are handled
> in hardware, so this is pretty much a wash.

really? it was measured on a GSR. full check on a prefix, 10usec. that's microseconds.

as chris pointed out, though, one pays for having the data in the trie, i.e. in ram. but not a lot.

randy
Re: ARIN and the RPKI (was Re: AltDB?)
> I think ACLs here means prefix-lists ... or I hope that's what Randy
> meant?

sorry. yes, irr based prefix lists. and, sad to say, data which have sucked for 15+ years. i was the poster child for the irr, and it just never took off.

[ irr data are pretty bad except for some islands where there is a culture of maintaining them. and, as it is a global internet, islands don't help much. europe and japan are two islands with better than the average irr data quality. and they have rpki rolling to varied degrees. ]

randy
Re: AltDB?
On Jan 5, 2011, at 12:32 PM, Randy Bush wrote:
> i have a rumor that arin is delaying and possibly not doing rpki that
> seems to have been announced on the ppml list (to which i do not
> subscribe).

I heard about the delay, but not about ARIN possibly not doing RPKI. That would be ... surprising. While I have always had some questions regarding the political (not technical) feasibility of actually deploying secure routing based on the top-down hierarchical model assumed by RPKI, it seems obvious to me that there needs to be a better way to authenticate allocation data other than querying a whois server. RPKI will (would have?) provided this and the actual deployment of RPKI would allow the ops community to gain experience with the technology.

> as it has impact on routing, not address policy, across north america
> and, in fact the globe, one would think it would be announced and
> discussed a bit more openly and widely.

The definition of what comes under the public policy mailing list umbrella has always been a bit confusing to me. Too bad something like the APNIC SIGs and RIPE Working Groups don't really exist in the ARIN region.

Regards,
-drc
Re: AltDB?
On Thu, Jan 6, 2011 at 1:21 AM, David Conrad d...@virtualized.org wrote:
> On Jan 5, 2011, at 12:32 PM, Randy Bush wrote:
>> i have a rumor that arin is delaying and possibly not doing rpki that
>> seems to have been announced on the ppml list (to which i do not
>> subscribe).
>
> I heard about the delay, but not about ARIN possibly not doing RPKI.
> That would be ... surprising. While I have always had some questions
> regarding the political (not technical) feasibility of actually
> deploying secure routing based on the top-down hierarchical model
> assumed by RPKI, it seems obvious to me that there needs to be a better
> way to authenticate allocation data other than querying a whois server.
> RPKI will (would have?) provided this and the actual deployment of RPKI
> would allow the ops community to gain experience with the technology.

pls express this to your local BoT or AC or ARIN Rep... see the other thread.

thanks!
-Chris
Re: AltDB?
> I heard about the delay, but not about ARIN possibly not doing RPKI.

there are arin board members, one in particular i am told, that do not like the rpki. including side contracts to turn the irr pig's ear into a silk purse.

randy
Re: AltDB?
On Jan 5, 2011, at 8:43 PM, Christopher Morrow wrote:
> pls express this to your local BoT or AC or ARIN Rep... see the other
> thread.

As I am not an ARIN member nor do I have any ARIN-delegated resources, it isn't clear to me who my local BoT/AC/ARIN Rep might be. However, as I'm aware some of the folks you mention are on NANOG, I suspect they might have seen my comment (FWIW).

Regards,
-drc
Re: ALTDB Problems
On Tue, Oct 27, 2009 at 11:21 AM, Steve Rubin s...@tch.org wrote:
> ALTDB is free and you get what you pay for. However. Donations to
> http://www.nanog.org/scholarships/abha.php would probably get requests
> done a lot faster.
>
> --
> Steve Rubin/ AE6CH / http://www.altdb.net/
> Email: s...@tch.org / N6441C / http://www.tch.org/~ser/

so, each time someone wants to update they need to donate to make sure it gets processed in a timely manner? or do you track who donates and give priority to their updates?

don't get me wrong - it's a great cause, and people should donate if they can

if the project is short of volunteers - i'm sure there are people in the community who would not mind helping out

-ck
Re: ALTDB Problems
On Oct 28, 2009, at 3:53 PM, christian koch wrote:
> On Tue, Oct 27, 2009 at 11:21 AM, Steve Rubin s...@tch.org wrote:
>> ALTDB is free and you get what you pay for. However. Donations to
>> http://www.nanog.org/scholarships/abha.php would probably get requests
>> done a lot faster.
>>
>> --
>> Steve Rubin/ AE6CH / http://www.altdb.net/
>> Email: s...@tch.org / N6441C / http://www.tch.org/~ser/
>
> so, each time someone wants to update they need to donate to make sure
> it gets processed in a timely manner? or do you track who donates and
> give priority to their updates?
>
> don't get me wrong - it's a great cause, and people should donate if
> they can
>
> if the project is short of volunteers - i'm sure there are people in the
> community who would not mind helping out
>
> -ck

No, every update does not require a donation. In fact, very little of what goes on on the database requires my intervention at all. Only new maintainers and a few other bits of administrivia require that.

Right now I am very busy and do not have time to deal with things at the speed required by some people. As I have always said, if you require immediate support I recommend the very fine RADB service run by Merit.

--
Steve Rubin/ AE6CH / http://www.altdb.net/
Email: s...@tch.org / N6441C / http://www.tch.org/~ser/