Re: ALTDB - Getting records removed

2018-05-16 Thread Brian Rak
Are you referring to auto-dbm@ email, or the db-admin@ one?  I emailed 
db-admin@ about 15 hours ago, and haven't heard back (although it didn't 
bounce this time!)  Not sure what sort of response time to expect from a 
free service though.



On 5/16/2018 12:17 PM, mike.l...@gmail.com wrote:

> As stated yesterday, email was fixed on AltDB yesterday. Please try again.
>
> Thanks,
> Mike
>
>> On May 16, 2018, at 08:55, Delacruz, Anthony B wrote:
>>
>> Ditto also interested have dozens of old entries from previous delegations would
>> like to see cleaned up but my google-foo tells me it's been a nonresponsive black
>> hole several years now that probably should just go away if it's not going to be
>> maintained properly. I think my favorite is the "Is anyone still maintaining
>> altdb.net?" thread from April 2011.
>>
>> -Original Message-
>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of John Hurley
>> Sent: Saturday, May 12, 2018 11:16 AM
>> To: nanog@nanog.org
>> Subject: ALTDB - Getting records removed
>>
>> Hi All,
>>
>> Recently acquired a new 2-byte AS number from ARIN. It had a previous owner
>> whom had records setup at ALTDB.
>>
>> I've sent emails to request removal but haven't heard anything back.
>>
>> Any tips or a different venue I can use to get in touch with the altdb
>> folks?
>>
>>
>> This communication is the property of CenturyLink and may contain confidential
>> or privileged information. Unauthorized use of this communication is strictly
>> prohibited and may be unlawful. If you have received this communication in
>> error, please immediately notify the sender by reply e-mail and destroy all
>> copies of the communication and any attachments.




Re: ALTDB - Getting records removed

2018-05-16 Thread mike . lyon
As stated yesterday, email was fixed on AltDB yesterday. Please try again.

Thanks,
Mike

> On May 16, 2018, at 08:55, Delacruz, Anthony B 
>  wrote:
> 
> Ditto also interested have dozens of old entries from previous delegations 
> would like to see cleaned up but my google-foo tells me it's been a 
> nonresponsive black hole several years now that probably should just go away 
> if it's not going to be maintained properly. I think my favorite is the "Is 
> anyone still maintaining altdb.net?" thread from April 2011.
> 
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of John Hurley
> Sent: Saturday, May 12, 2018 11:16 AM
> To: nanog@nanog.org
> Subject: ALTDB - Getting records removed
> 
> Hi All,
> 
> Recently acquired a new 2-byte AS number from ARIN. It had a previous owner
> whom had records setup at ALTDB.
> 
> I've sent emails to request removal but haven't heard anything back.
> 
> Any tips or a different venue I can use to get in touch with the altdb
> folks?
> 
> 


RE: ALTDB - Getting records removed

2018-05-16 Thread Delacruz, Anthony B
Ditto also interested have dozens of old entries from previous delegations 
would like to see cleaned up but my google-foo tells me it's been a 
nonresponsive black hole several years now that probably should just go away if 
it's not going to be maintained properly. I think my favorite is the "Is anyone 
still maintaining altdb.net?" thread from April 2011.

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of John Hurley
Sent: Saturday, May 12, 2018 11:16 AM
To: nanog@nanog.org
Subject: ALTDB - Getting records removed

Hi All,

Recently acquired a new 2-byte AS number from ARIN. It had a previous owner
whom had records setup at ALTDB.

I've sent emails to request removal but haven't heard anything back.

Any tips or a different venue I can use to get in touch with the altdb
folks?




Re: ALTDB - Getting records removed

2018-05-15 Thread mike . lyon
The altdb email system should have been fixed earlier today. You may want to 
try to reach out to them again.

Thanks,
Mike

> On May 12, 2018, at 09:15, John Hurley  wrote:
> 
> Hi All,
> 
> Recently acquired a new 2-byte AS number from ARIN. It had a previous owner
> whom had records setup at ALTDB.
> 
> I've sent emails to request removal but haven't heard anything back.
> 
> Any tips or a different venue I can use to get in touch with the altdb
> folks?


Re: ALTDB question.

2013-07-01 Thread Jon Lewis

On Mon, 1 Jul 2013, Faisal Imtiaz wrote:


> Hello,
>
> A quick question for all.
>
> It's my understanding that the Maintainer object needs to be created first.
> This is accomplished by sending the template to db-ad...@altdb.net
>
> This is not an automated process, but gets done manually. If there is any
> discrepancy then one gets a reply back with the error .
>
> a) Am I correct in my understanding of above ?
> b) Is there any auto reply to confirm email receipt ? or only replies are after
> the request is either complete or sent back for missing / incorrect info ?
> c) What would be the appropriate amount of time to wait for such a reply ?
> d) Is there a way to check to see if the Maintainer object has been created ?


Once created, your maintainer object will be visible in the whois served 
by whois.altdb.net.


If you're just getting started with IRR, no offense intended towards 
ALTDB, but I'd suggest using any of the other free ones.  ARIN and RIPE 
are both, AFAIK, free for anyone to use and support better authentication 
than ALTDB.  Also, AFAIK, ALTDB has been a one (or few?) person volunteer 
effort, and from time to time, there have been service outages, reliant on 
one or a few people for resolution.  ARIN and RIPE are staffed and better 
financially backed.


--
 Jon Lewis, MCP :)   |  I route
 |  therefore you are
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: altdb?

2012-04-13 Thread Javier Henderson

On Apr 13, 2012, at 4:59 PM, Justin Zipkin wrote:

> Anybody know what the scoop is with ALTDB?  It's been down since yesterday.

I just fixed it.

-jav




Re: ARIN IRR Authentication (was: Re: AltDB?)

2011-01-30 Thread John Curran
On Jan 29, 2011, at 10:50 PM, Jeff Wheeler wrote:

> On Thu, Jan 27, 2011 at 10:00 PM, John Curran jcur...@arin.net wrote:
>> Based on the ARIN's IRR authentication thread a couple of weeks ago, there
>> were suggestions placed into ARIN's ACSP process for changes to ARIN's IRR
>> system. ARIN has looked at the integration issues involved and has scheduled
>> an upgrade to the IRR system that will accept PGP and CRYPT-PW authentication
>> as well as implementing notification support for both the mnt-nfy and notify
>> fields by the end of August 2011.
>
> I'm glad to see that a decision was made to improve the ARIN IRR,
> rather than stick to status-quo or abandon it.

Good to hear.

> However, this response
> is essentially what most folks I spoke with off-list imagined: You
> have an immediate operational security problem which could cause
> service impact to ARIN members and others relying on the ARIN IRR
> database, and fixing it by allowing passwords or PGP to be used is not
> very hard.

I appreciate your estimate of the effort required to address this
problem, but we're not doing this as a completely separate system
but with the intention of having some level of integration with
our existing ARIN Online system in the future.  While this may
take more effort, and was not in our original 2011 budget, we
have been able to add it to plan with development to begin later
in the year.

> As I have stated on this list, I believe ARIN is not organizationally
> capable of handling operational issues.

You've asserted this belief in prior messages (as well as noting 
that No one is forced to use ARIN IRR)  If the IRR does not meet
your needs during this period, I would recommend using one of the
many alternative routing registries available.  

In any case, I'd like to thank you again for raising the concern about 
lack of IRR authentication, as it was instrumental in bringing this 
matter to resolution.

Thanks!
/John

John Curran
President and CEO
ARIN







Re: ARIN IRR Authentication (was: Re: AltDB?)

2011-01-29 Thread Jeff Wheeler
On Thu, Jan 27, 2011 at 10:00 PM, John Curran jcur...@arin.net wrote:
> Based on the ARIN's IRR authentication thread a couple of weeks ago, there
> were suggestions placed into ARIN's ACSP process for changes to ARIN's IRR
> system. ARIN has looked at the integration issues involved and has scheduled
> an upgrade to the IRR system that will accept PGP and CRYPT-PW authentication
> as well as implementing notification support for both the mnt-nfy and notify
> fields by the end of August 2011.

I'm glad to see that a decision was made to improve the ARIN IRR,
rather than stick to status-quo or abandon it.  However, this response
is essentially what most folks I spoke with off-list imagined: You
have an immediate operational security problem which could cause
service impact to ARIN members and others relying on the ARIN IRR
database, and fixing it by allowing passwords or PGP to be used is not
very hard.

As I have stated on this list, I believe ARIN is not organizationally
capable of handling operational issues.  This should make everyone
very worried about any ARIN involvement in RPKI, or anything else that
could possibly have short-term operational impact on networks.  Your
plan to fix the very simple IRR problem within eight months is a very
clear demonstration that I am correct.

How did you arrive at the eight month time-frame to complete this project?

Can you provide more detail on what CRYPT-PW hash algorithm(s) will be
supported?  Specifically, the traditional DES crypt(3) is functionally
obsolete, and its entire key-space can be brute-forced within a few
days on one modern desktop PC.  Will you follow the practice
established by several other IRR databases (including MERIT RADB) and
avoid exposing the hashes by way of whois output and IRR database
dumps?

If PGP is causing your delay, why don't you address the urgent problem
of supporting no authentication mechanism at all first, and allow
CRYPT-PW (perhaps with a useful hash algorithm) and then spend the
remaining 7.9 months on PGP?

The plan and schedule you have announced is indefensible for an
operational security issue.

-- 
Jeff S Wheeler j...@inconcepts.biz
Sr Network Operator  /  Innovative Network Concepts



Re: ARIN IRR Authentication (was: Re: AltDB?)

2011-01-28 Thread Randy Bush
> Based on the ARIN's IRR authentication thread a couple of weeks ago, there
> were suggestions placed into ARIN's ACSP process for changes to ARIN's IRR
> system. ARIN has looked at the integration issues involved and has scheduled
> an upgrade to the IRR system that will accept PGP and CRYPT-PW authentication
> as well as implementing notification support for both the mnt-nfy and notify
> fields by the end of August 2011.

way cool!  thank you.

randy



Re: ARIN IRR Authentication (was: Re: AltDB?)

2011-01-28 Thread John Curran
On Jan 28, 2011, at 4:09 AM, Randy Bush wrote:

>> Based on the ARIN's IRR authentication thread a couple of weeks ago, there
>> were suggestions placed into ARIN's ACSP process for changes to ARIN's IRR
>> system. ARIN has looked at the integration issues involved and has scheduled
>> an upgrade to the IRR system that will accept PGP and CRYPT-PW authentication
>> as well as implementing notification support for both the mnt-nfy and notify
>> fields by the end of August 2011.
>
> way cool!  thank you.

No problem at all (and my apologies for 
not noticing this state of affairs sooner)

/John





ARIN IRR Authentication (was: Re: AltDB?)

2011-01-27 Thread John Curran
On Jan 11, 2011, at 9:14 AM, John Curran wrote:

> As noted, we're now looking into how to fix the IRR authentication
> situation and will report back asap.

Based on the ARIN's IRR authentication thread a couple of weeks ago, there
were suggestions placed into ARIN's ACSP process for changes to ARIN's IRR 
system. ARIN has looked at the integration issues involved and has scheduled 
an upgrade to the IRR system that will accept PGP and CRYPT-PW authentication 
as well as implementing notification support for both the mnt-nfy and notify 
fields by the end of August 2011.

For further details, please look at:
  https://www.arin.net/participate/acsp/suggestions/2011-1.html
  https://www.arin.net/participate/acsp/suggestions/2011-2.html

I'd like to thank everyone for bringing this situation to our attention, 
and will report back once this functionality is in place.

Thanks!
/John

John Curran
President and CEO
ARIN





Re: AltDB?

2011-01-11 Thread John Curran
On Jan 11, 2011, at 1:45 AM, Doug Barton wrote:

> On (admittedly) cursory exam I didn't see a form to submit anything, so I
> gravitated to the rather large login widget under the assumption that it must
> be important because it's so big. :)
> ...

Doug - 
 
  It's perfectly understandable, and doesn't distract from your main
  point that the circumstances (ARIN effectively mandating MAIL-FROM 
  for authentication) is patently unacceptable and shouldn't require any
  more effort than pointing such out in email.  I did not perceive the
  situation initially, and hence sent Jeff Wheeler off to said suggestion 
  form.  As noted, we're now looking into how to fix the IRR authentication
  situation and will report back asap.

/John

John Curran
President and CEO
ARIN






Re: arin and ops fora (was Re: AltDB?)

2011-01-11 Thread Jack Bates

On 1/11/2011 12:57 AM, David Conrad wrote:

> Or not.  It may be that network operators (not just the ones that show up at
> ARIN meetings and are on PPML) are happy with the existing communication
> channels and that additional structures to encourage participation and input in
> the ARIN region regarding services ARIN provides to the public are unnecessary.



Public easily reachable people. Public information on operations and 
what they do on their website with tons of pointers (even if it's not 
laid out the best). Public participation mailing lists. Presence of key 
people on other lists such as nanog.


What more is an org supposed to do to communicate with people? Even the 
CEO lurks on nanog and responds when necessary. What community were you 
wanting them to interface with? I could be wrong, but I suspect any 
genius ideas which the CEO hears via the various communication mediums 
may quickly find its way to be implemented. Sure, it may get restricted 
to some degree depending on how people in PPML feel about it. I'm sure 
the membership has some say on how their money is spent. Neither of 
these things limit the ability to suggest an idea.



Jack



RE: AltDB?

2011-01-11 Thread Koch, Andrew
On Jan 11, 2011 at 8:14AM, John Curran wrote:

> It's perfectly understandable, and doesn't distract from your main
> point that the circumstances (ARIN effectively mandating MAIL-FROM
> for authentication) is patently unacceptable and shouldn't require any
> more effort than pointing such out in email.  I did not perceive the
> situation initially, and hence sent Jeff Wheeler off to said suggestion
> form.  As noted, we're now looking into how to fix the IRR authentication
> situation and will report back asap.

As you are checking out authentication, can you also check out the notify 
fields as well.  I was informed in July 2010 that neither mnt-nfy nor notify 
fields were operational.  I submitted suggestion 2011.2 requesting these be 
activated.

Regards,

Andrew Koch
TDS Telecom - IP Network Operations
andrew.k...@tdstelecom.com



Re: AltDB?

2011-01-11 Thread John Curran
On Jan 11, 2011, at 10:18 AM, Koch, Andrew wrote:

> As you are checking out authentication, can you also check out the notify
> fields as well.  I was informed in July 2010 that neither mnt-nfy nor notify
> fields were operational.  I submitted suggestion 2011.2 requesting these be
> activated.

Will do - Thanks for the note.
/John

John Curran 
President and CEO
ARIN




Re: arin and ops fora (was Re: AltDB?)

2011-01-11 Thread Owen DeLong

On Jan 11, 2011, at 6:15 AM, Jack Bates wrote:

> On 1/11/2011 12:57 AM, David Conrad wrote:
>> Or not.  It may be that network operators (not just the ones that show up at
>> ARIN meetings and are on PPML) are happy with the existing communication
>> channels and that additional structures to encourage participation and input
>> in the ARIN region regarding services ARIN provides to the public are
>> unnecessary.
>
> Public easily reachable people. Public information on operations and what
> they do on their website with tons of pointers (even if it's not laid out the
> best). Public participation mailing lists. Presence of key people on other
> lists such as nanog.
>
> What more is an org supposed to do to communicate with people? Even the CEO
> lurks on nanog and responds when necessary. What community were you wanting
> them to interface with? I could be wrong, but I suspect any genius ideas
> which the CEO hears via the various communication mediums may quickly find
> its way to be implemented. Sure, it may get restricted to some degree
> depending on how people in PPML feel about it. I'm sure the membership has
> some say on how their money is spent. Neither of these things limit the
> ability to suggest an idea.
>
> Jack

Just to be clear... Participation in PPML is open to ANYONE, not just ARIN 
members. There are a lot of non-members on PPML
and their voices count just as much as members on that list.

Owen




Re: arin and ops fora (was Re: AltDB?)

2011-01-10 Thread Jack Bates

On 1/9/2011 5:27 PM, John Curran wrote:

> Excellent question.  To the extent that it is best practices on these types of
> services, then that's relatively easy for ARIN to interface with... if it is
> specific direction to ARIN to do xyz, then ultimately the decision rests with
> the ARIN Board regarding that input, since that involves how we spend the service
> fees of the members.



Which ARIN membership does have some resources on, though I do believe 
they could be improved, as most membership input deals more with the 
NRPM and not with auxiliary services.



> The role is served by the ARIN Board, which is member-elected and composed of
> volunteers (and myself as CEO).  If folks think that a more formal structure
> for operational input (either within ARIN or via liaison to another body) is
> called for, I'd suggest continued discussion on the various mailing lists.



It's always a stickler, too. PPML works well for NRPM, but ARIN doesn't 
have enough auxiliary services to warrant a mailing list dealing with 
them. It becomes more of a suggestion, proposal, feedback, 
implementation, more feedback process. ARIN is generally good at 
notification of implementation concerning new services, though it would 
be nice if they had better channels for feedback through the entire 
process of new services so that they could be closer in sync with the 
membership. I don't believe services should reach the PDP level, but 
better communication wouldn't hurt, especially with members who 
generally don't know how or realize they can participate.


It's just my personal opinion as a member. ARIN always has communication 
with other organizations and even nanog. They've always been polite in 
accepting input from others (even if they don't implement every 
suggestion, they'll be much nicer than some IETF people). :)



Jack



Re: AltDB? (IRR support direction at ARIN)

2011-01-10 Thread Jon Lewis

On Sun, 9 Jan 2011, Charles N Wyble wrote:


> I am simply suggesting it is dangerous and irresponsible to run an IRR
> with only MAIL-FROM authentication, and quite easy to also support
> CRYPT-PW.  ARIN should either support passwords or immediately make


The trouble is, since the DES crypt passwords are publicly accessible, 
even CRYPT-PW is not much security.  I suspect with a copy of the db, a 
password cracking program, and some modest computing capacity, you could 
crack all the passwords in ALTDB before this thread dies.


I've been trying to convert from CRYPT-PW to PGPKEY auth, but I don't seem 
to be having much luck getting that working.  I've put a key-cert 
(PGPKEY-7ABEC6A3) into altdb, and changed our mntner to permit either 
CRYPT-PW or PGPKEY-7ABEC6A3 for auth.  But PGP signed update requests 
result in #ERROR: Authorization failure.


I'm not sure why I'm getting this auth failure.  i.e. Something wrong with 
the formatting of my submissions?  Something wrong with my key-cert?  The 
certif: from my key-cert wasn't automatically imported into the auto-dbm 
keyring?  I'm assuming I can take a RPSL format submission, save it to a 
file, use GPG to clearsign it, and put the result in the body of an email 
to auto-dbm.


It's also possible altdb doesn't actually have working PGP support. 
Looking at the database dump I downloaded the other day, only one mntner 
uses PGP as their sole auth method...and that mntner hasn't made changes 
to any objects since the last change to their mntner...so it could be they 
changed to PGP auth, never got it working, and abandoned altdb.


I was afraid of losing control of my mntner if there were issues with PGP, 
so I figured I'd add PGP as an auth method, test it, and then after seeing 
it work, remove CRYPT-PW.


--
 Jon Lewis, MCP :)   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: AltDB? (IRR support direction at ARIN)

2011-01-10 Thread Jeff Wheeler
On Mon, Jan 10, 2011 at 12:37 PM, Jon Lewis jle...@lewis.org wrote:
> On Sun, 9 Jan 2011, Charles N Wyble wrote:
>
>> I am simply suggesting it is dangerous and irresponsible to run an IRR
>> with only MAIL-FROM authentication, and quite easy to also support
>> CRYPT-PW.  ARIN should either support passwords or immediately make
>
> The trouble is, since the DES crypt passwords are publicly accessible, even
> CRYPT-PW is not much security.  I suspect with a copy of the db, a password
> cracking program, and some modest computing capacity, you could crack all

DES crypt() is not completely trivial yet, but I agree, it is far from
state-of-the-art.  It is substantially superior to MAIL-FROM.  In
addition, MERIT reduced this problem by simply filtering out the
hashes from the RADB.db file and whois output (and presumably also,
the www.radb.net tools.)

-- 
Jeff S Wheeler j...@inconcepts.biz
Sr Network Operator  /  Innovative Network Concepts
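
Added example, not part of the thread and not code from ALTDB, MERIT or ARIN: a Python sketch of the two checks discussed in the messages above, classifying each mntner in an IRR dump by its `auth:` schemes and filtering CRYPT-PW hashes out of a copy meant for publication. It assumes that multiple `auth:` attributes are alternatives (any one authorizes an update), so a mntner is only as strong as its weakest scheme; the sample dump, maintainer names, key IDs and the `HASH-FILTERED` placeholder are constructed for illustration.

```python
"""Audit mntner auth schemes in an RPSL dump and filter password hashes."""
import re

# Constructed sample dump: names, addresses, key IDs and the hash are made up.
SAMPLE_DUMP = """\
mntner:     MAINT-EXAMPLE-A
descr:      Example network A
auth:       MAIL-FROM noc@example.net
mnt-by:     MAINT-EXAMPLE-A
source:     EXAMPLEDB

mntner:     MAINT-EXAMPLE-B
auth:       CRYPT-PW abXXXXXXXXXXX
auth:       PGPKEY-0A1B2C3D
mnt-by:     MAINT-EXAMPLE-B
source:     EXAMPLEDB

route:      192.0.2.0/24
origin:     AS64500
mnt-by:     MAINT-EXAMPLE-B
source:     EXAMPLEDB

mntner:     MAINT-EXAMPLE-C
auth:       PGPKEY-4E5F6071
mnt-by:     MAINT-EXAMPLE-C
source:     EXAMPLEDB
"""

# Lower rank = weaker. Only the schemes named in the thread are ranked;
# anything else is reported as UNKNOWN and ranked lowest for manual review.
STRENGTH = {"NONE": 0, "UNKNOWN": 0, "MAIL-FROM": 1, "CRYPT-PW": 2, "PGPKEY": 3}
PLACEHOLDER = "HASH-FILTERED"  # assumed placeholder text, not any registry's


def parse_objects(text):
    """Split an RPSL dump into objects, each a list of (attribute, value)."""
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():              # blank line ends the object
            if current:
                objects.append(current)
                current = []
            continue
        if line[0] in "#%":               # comment lines
            continue
        if line[0] in " \t+" and current:  # continuation of previous value
            attr, val = current[-1]
            current[-1] = (attr, (val + " " + line[1:].strip()).strip())
            continue
        attr, sep, val = line.partition(":")
        if sep:
            current.append((attr.strip().lower(), val.strip()))
    if current:
        objects.append(current)
    return objects


def auth_scheme(value):
    """Map an auth: value to its scheme name."""
    parts = value.split()
    token = parts[0].upper() if parts else ""
    if token.startswith("PGPKEY-"):
        return "PGPKEY"
    return token if token in STRENGTH else "UNKNOWN"


def audit(text):
    """Return {mntner name: (sorted schemes, weakest scheme)}."""
    report = {}
    for obj in parse_objects(text):
        if obj[0][0] != "mntner":
            continue
        schemes = sorted({auth_scheme(v) for a, v in obj if a == "auth"})
        schemes = schemes or ["NONE"]     # no auth attribute at all
        weakest = min(schemes, key=lambda s: STRENGTH[s])
        report[obj[0][1]] = (schemes, weakest)
    return report


def pgp_only(report):
    """Maintainers whose sole auth method is a PGP key."""
    return sorted(n for n, (schemes, _) in report.items() if schemes == ["PGPKEY"])


_CRYPT_LINE = re.compile(r"^(auth:[ \t]*CRYPT-PW)[ \t]+\S+",
                         re.IGNORECASE | re.MULTILINE)


def redact_hashes(text):
    """Return a copy of the dump with CRYPT-PW hashes replaced."""
    return _CRYPT_LINE.sub(lambda m: f"{m.group(1)} {PLACEHOLDER}", text)


if __name__ == "__main__":
    for name, (schemes, weakest) in audit(SAMPLE_DUMP).items():
        print(f"{name}: schemes={schemes} effective={weakest}")
    print(redact_hashes(SAMPLE_DUMP))
```

A mntner that lists both CRYPT-PW and a PGP key, as in the transition described above, is reported with CRYPT-PW as its effective strength until the password line is removed.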



Re: arin and ops fora (was Re: AltDB?)

2011-01-10 Thread Owen DeLong

On Jan 10, 2011, at 7:25 AM, Jack Bates wrote:

> On 1/9/2011 5:27 PM, John Curran wrote:
>> Excellent question.  To the extent that it is best practices on these types of
>> services, then that's relatively easy for ARIN to interface with... if it is
>> specific direction to ARIN to do xyz, then ultimately the decision rests with
>> the ARIN Board regarding that input, since that involves how we spend the service
>> fees of the members.
>
> Which ARIN membership does have some resources on, though I do believe they
> could be improved, as most membership input deals more with the NRPM and not
> with auxiliary services.
 
Members may bring any topic of interest to arin-discuss. The fact that there is more
traffic on ppml dealing with the NRPM than there is on arin-discuss dealing with other
issues is a matter of where the members choose to focus their attention more than
anything else.

>> The role is served by the ARIN Board, which is member-elected and composed of
>> volunteers (and myself as CEO).  If folks think that a more formal structure
>> for operational input (either within ARIN or via liaison to another body) is
>> called for, I'd suggest continued discussion on the various mailing lists.
>
> It's always a stickler, too. PPML works well for NRPM, but ARIN doesn't have
> enough auxiliary services to warrant a mailing list dealing with them. It
> becomes more of a suggestion, proposal, feedback, implementation, more
> feedback process. ARIN is generally good at notification of implementation
> concerning new services, though it would be nice if they had better channels
> for feedback through the entire process of new services so that they could be
> closer in sync with the membership. I don't believe services should reach the
> PDP level, but better communication wouldn't hurt, especially with members
> who generally don't know how or realize they can participate.
 
PPML is a forum for the community (not just ARIN members, the entire community).

There is a separate mailing list... arin-discuss which is for members of ARIN to discuss
any ARIN-related topic of interest to the membership. They can and sometimes do
discuss operational matters there.

Additionally, there is the ACSP which allows members or the community to send comments
and suggestions to ARIN regarding anything, including operations, etc. The ACSP provides
a process for community review of the suggestions and semi-formal comment processes as
well.

Everything you are asking for in your last paragraph is available. Perhaps what is needed
is better education of the membership and community on what tools are available and how
to use them. Were you familiar with arin-discuss prior to this message? If so, in what way
does it not meet the need you are describing?

I'm not trying to pick on you Jack. I'm really trying to identify if what we have here is an
issue of needing better tools, or, if all we need is better education and utilization of the
tools that are already in place, or, some combination of both.

Thanks,

Owen




Re: arin and ops fora (was Re: AltDB?)

2011-01-10 Thread Jack Bates

On 1/10/2011 5:13 PM, Owen DeLong wrote:


> Members may bring any topic of interest to arin-discuss. The fact that there is more
> traffic on ppml dealing with the NRPM than there is on arin-discuss dealing with other
> issues is a matter of where the members choose to focus their attention more than
> anything else.

Would that be the list I've tried to subscribe to multiple times, get an 
autoresponder that it has to be approved, and then never hear a word?


> PPML is a forum for the community (not just ARIN members, the entire community).

Good to know. I was under the impression that it was member only.


> There is a separate mailing list... arin-discuss which is for members of ARIN to discuss
> any ARIN-related topic of interest to the membership. They can and sometimes do
> discuss operational matters there.


Except it's listed as no input from ARIN itself?


> Everything you are asking for in your last paragraph is available. Perhaps what is needed
> is better education of the membership and community on what tools are available and how
> to use them. Were you familiar with arin-discuss prior to this message? If so, in what way
> does it not meet the need you are describing?


I can't get subscribed, so, :P

I also haven't seen on the website pointers for where different tools 
and resources fall into for community review, comment, suggestion, etc. 
Perhaps it's just my website navigation skills. However, as I said 
previously, I have no serious complaints. It's not like the AC and CEO 
aren't publicly visible and vocal.



Jack



Re: arin and ops fora (was Re: AltDB?)

2011-01-10 Thread Owen DeLong
>> PPML is a forum for the community (not just ARIN members, the entire community).
> Good to know. I was under the impression that it was member only.
 
Nope... Anyone interested can subscribe to PPML.

>> There is a separate mailing list... arin-discuss which is for members of ARIN to discuss
>> any ARIN-related topic of interest to the membership. They can and sometimes do
>> discuss operational matters there.
>
> Except it's listed as no input from ARIN itself?

ARIN does occasionally send informational postings to arin-discuss, but, you are correct
that ARIN staff does not engage in the discussions on that list.

Perhaps a mechanism for ARIN participation would be a good improvement in this area.

>> Everything you are asking for in your last paragraph is available. Perhaps what is needed
>> is better education of the membership and community on what tools are available and how
>> to use them. Were you familiar with arin-discuss prior to this message? If so, in what way
>> does it not meet the need you are describing?
>
> I can't get subscribed, so, :P
 
I'll try to address this issue with you off-list.

> I also haven't seen on the website pointers for where different tools and
> resources fall into for community review, comment, suggestion, etc. Perhaps
> it's just my website navigation skills. However, as I said previously, I have
> no serious complaints. It's not like the AC and CEO aren't publicly visible
> and vocal.
 
Thanks... We try to be accessible to the community for just this reason.

I think the website doesn't particularly point to those things, but, there pretty much are only
three directions to go and the web site does provide a description of each one...

PPML for discussion of number resource policies and related matters.

ACSP for suggestions and consultations of the community on non-policy matters.

arin-discuss mailing list for discussion with other members about any topic of interest
to the ARIN membership, potentially including demand/desire for tools, operational
practices of ARIN, fees, etc.

Does that help?

Owen




Re: AltDB?

2011-01-10 Thread Doug Barton

On 01/09/2011 10:09, John Curran wrote:

> On Jan 9, 2011, at 2:09 AM, Jeff Wheeler wrote:
>
>> In terms of database size, excluding RIPE, the ARIN IRR is the 8th
>> largest, ahead of ALTDB and about 10% as large as Level3, the second
>> largest IRR database (except RIPE.)  A mass-corruption of the ARIN IRR
>> overnight might be a serious incident causing service impact to a
>> large number of users and businesses, and cause probably thousands of
>> people to be got out of bed in the middle of the night, but clearly it
>> would not be a total disaster.
>
> Jeff -
>
>   Please suggest your preferred means of IRR authentication to the ARIN
>   suggestion process: https://www.arin.net/participate/acsp/index.html
>   Alternatively, point to a best practice document from the operator
>   community for what should be done here. ARIN's work plan is very much
>   driven by community input, so that's what is needed here.


John,

I get what motivates this response, and am even guilty of having 
provided similar responses. So I'm not going to glom onto the criticism 
of this as a response _per se_. However, there is a line beyond which 
some things cross which takes them out of the realm of, "Show me you 
care about this issue by reporting it in triplicate" and into the 
category of "This is bad on its face and I need to use my internal 
channels to get people an answer ASAP." To me (speaking as someone with 
absolutely no dog in this hunt) the issue of "The only authentication 
method available for the ARIN IRR is mail-from" clearly falls into the 
latter category. My reading of the reaction here is incredulity that 
this was not your immediate response, and (once again without trying to 
glom on) this is a reaction that I share.


Now it seems that you acknowledged that further on in this thread, but 
just for fun I decided to try your suggestions-suggestion. I went to the 
site, it requires a login. Well, ok, I think having a method for "I 
don't want to track this I just want to throw it over the wall in case 
someone cares" might be valuable, but everyone wants a login nowadays, 
so fine. I attempt to click the "new user?" link, and at some point I 
realize that the site requires cookies for login stuff. Ok, another 
necessary evil. So I enter my desired information, and click continue, 
and get bounced right back to the original page. I figure my 
registration was successful and attempt to log in. That fails. I click 
the "assistance" link and enter the e-mail address I used to register, 
it's not registered. So I go back to the registration form, enter my 
information again, and hit Continue. This time I got an error message, 
"user names must be at least 6 characters." Um ... ok. So I think of 
another username, click Continue, and get a new error:


The e-mail address you entered appears to be a role account. Please 
enter an e-mail address that contains your name or initials. Note that 
ARIN Web account information will not be published in ARIN's Whois. If 
the e-mail address you entered is not a role account, please contact the 
Registration Services Department at hostmas...@arin.net or +1.703.227.0660.


I create e-mail addresses of the form blah@dougbarton.us for all the 
sites that I register on to track whether or not they use my e-mail 
address for nefarious purposes. So yes, a...@dougbarton.us looks like 
a role account, but it's not. So I'll bite, I'll call the number and 
talk to them. Ooops! I called at 4:01 pm PST, and y'all had closed up 
shop 1 minute earlier. (Yes, I realize that the ARIN office is on the 
East Coast, don't care. My working day is still going on for hours more. 
Must really suck for ops in HI.)


Now admittedly my method of working on line is different from the 
average Internet user, although arguably not _that_ different from a lot 
of the people in your custo^Wmember demographic. So one could make the 
argument that in its current form the suggestions page actually serves 
as a barrier to entry, rather than an effective communications channel.


But soldiering on, I put in my regular e-mail address, and hit 
Continue again. It once again bounced me back to the main page, but once 
again, I was not actually registered. So, I started the whole 
registration process all over again, and this time it succeeded. So now...


You must accept the Terms of Service Agreement in order to proceed.

Hmm.. well, 79 very long lines of text, no way to download the document 
for my lawyers to review, and most of it applies to people managing 
information related to services. But what the heck, I'll give it a go.


So now I have to create a web profile. First/Last, Company, and full 
postal address are all mandatory fields. Ok, all done with that, now I 
actually have a web account. *phew*  Wait, what was I going to do with 
it again? Oh yes, I was going to submit a suggestion ... um ... where 
is the link for suggestions? At the top of the page I have Number 
Resources, Participate, Policies, Fees & Invoices, Knowledge, About Us. 

Re: AltDB?

2011-01-10 Thread John Curran
On Jan 10, 2011, at 7:57 PM, Doug Barton wrote:
On 01/09/2011 10:09, John Curran wrote:
 Please suggest your preferred means of IRR authentication to the ARIN
  suggestion process: https://www.arin.net/participate/acsp/index.html
 ...
 Now it seems that you acknowledged that further on in this thread, but just 
 for fun I decided to try your suggestions-suggestion. I went to the site, it 
 requires a login.

Doug - Perhaps you saw the ARIN Online login on the left side and decided 
to create an account for registration services?  The Suggestion Process page 
should have displayed for you without any login; it describes the suggestion 
process as follows:

Any person in the ARIN community is welcome to make a suggestion 
 regarding an existing or potential ARIN service or practice. 
 Such a suggestion will be sent to ARIN as described at Suggestion 
 Submission https://www.arin.net/app/suggestion/ page. 

That Suggestion Submission form seems operational without any login as well 
(or at least works best I can recreate at this time using various browsers.)

 Well, ok, I think having a method for I don't want to track this I just want 
 to throw it over the wall in case someone cares might be valuable

That's the intent, and if it's not working that way, then it will be fixed. 
Can you double check that the suggestion process page displayed including
the link to the simple suggestion form?

Thanks!
/John

John Curran
President and CEO
ARIN






Re: AltDB?

2011-01-10 Thread Jon Lewis

On Tue, 11 Jan 2011, John Curran wrote:


Any person in the ARIN community is welcome to make a suggestion
regarding an existing or potential ARIN service or practice.
Such a suggestion will be sent to ARIN as described at Suggestion
Submission https://www.arin.net/app/suggestion/ page. 


I just used that to put in the suggestion that rr.arin.net be updated to 
support CRYPT-PW (DES and MD5) and PGP, along with reasoning for the 
suggestion.  The page had a captcha on it.


Immediately after submitting it, I got an email saying I had to hit a 
link to confirm the suggestion.  Does ARIN get that much form submission 
spam on the suggestion form (with the captcha)?  My suggestion ID is 
2011.1...so I'm guessing this isn't a heavily used form :)


--
 Jon Lewis, MCP :)   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: AltDB?

2011-01-10 Thread Doug Barton

On 01/10/2011 19:18, John Curran wrote:

On Jan 10, 2011, at 7:57 PM, Doug Barton wrote:
On 01/09/2011 10:09, John Curran wrote:

Please suggest your preferred means of IRR authentication to the ARIN
  suggestion process: https://www.arin.net/participate/acsp/index.html

...
Now it seems that you acknowledged that further on in this thread, but just for 
fun I decided to try your suggestions-suggestion. I went to the site, it 
requires a login.


Doug - Perhaps you saw the ARIN Online login on the left side and decided
to create an account for registration services?


Wasn't a conscious decision, no. :)  The page at the URL above looks 
like this for me:


http://dougbarton.us/ARIN-Participation.png

That's using firefox 3.6.13 on FreeBSD with a few addons, but nothing 
that should be affecting how the page renders. OTOH I do have the 
minimum font size cranked up globally.


On (admittedly) cursory exam I didn't see a form to submit anything, so 
I gravitated to the rather large login widget under the assumption that 
it must be important because it's so big. :) Of course I wish now that I 
had spent a little more time searching for a suggestion link, but with 
the only prominently displayed suggestion-related item being the ARIN 
Consultation and Suggestion Process header, and no form below it, my 
eye went to the next biggest thing.



The Suggestion Process page
should have displayed for you without any login; it describes the suggestion
process as follows:

Any person in the ARIN community is welcome to make a suggestion
  regarding an existing or potential ARIN service or practice.
  Such a suggestion will be sent to ARIN as described at Suggestion
  Submission https://www.arin.net/app/suggestion/ page.


Yes, when going to that page it's a lot more clear. I'm glad that it's 
my own incompetence that prevented me from effectively making a 
submission. Perhaps we're all better off as a result. :)



Doug

--

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/




Re: arin and ops fora (was Re: AltDB?)

2011-01-10 Thread David Conrad
Owen,

On Jan 8, 2011, at 8:56 PM, Owen DeLong wrote:
 I suspect part of the issue is that ARIN is a monopoly provider of a variety 
 public services that folks unrelated (directly) to ARIN must make use of. In 
 other areas of public service provision, there are things like public 
 utilities commissions that  (in theory) ensure the monopoly service provider 
 acts in the public benefit when services are added/changed/deleted.  My 
 impression is that the various WGs and SIGs in the other RIRs perform 
 something similar to that function.  There doesn't appear to be anything 
 similar in the ARIN region.
 
 In ARIN, there are things like BoT elections and the BoT very much fulfills 
 the role of the PUC as you describe above.

Well, ARIN BoT members are fiduciarily responsible for ARIN. PUC members, to my 
understanding, are responsible to the public. In my experience on ARIN's board, 
the key role of the board was to ensure the public policy process was followed, 
not oversight of how public services are provided.  However, things might have 
changed -- that was some time ago.  

 People can submit requests for operational changes to ARIN through the ACSP 
 and in my experience they get a good review
 and comment period by the community

Which community? ARIN or NANOG?

 and the board listens to these things and responds appropriately.

Somewhat as an aside, I'm a bit surprised the board would get involved at the 
level of detail this implies.  I would've thought how public services are to be 
provided would be an operational decision made by the ARIN CEO/staff and that 
the board would only get involved to ensure sufficient resources were available.

 Especially if a
 suggestion receives significant support, it tends to get implemented.

My impression of the concern is that the definition of support and decisions 
regarding what gets implemented are made within a subset of the network 
operations community.

Regards,
-drc




Re: arin and ops fora (was Re: AltDB?)

2011-01-10 Thread David Conrad
Owen,

On Jan 10, 2011, at 3:13 PM, Owen DeLong wrote:
 Members may bring any topic of interest to arin-discuss.

Just to be clear, arin-discuss is limited to ARIN members?

 They can and sometimes do discuss operational matters there.

Operational matters that impact more than members?

 The ACSP provides
 a process for community review of the suggestions and semi-formal comment 
 processes as
 well.

Which community?

Regards,
-drc




Re: arin and ops fora (was Re: AltDB?)

2011-01-10 Thread David Conrad
Lee,

On Jan 9, 2011, at 8:40 AM, Lee Howard wrote:
 Are you saying ARIN needs an ombudsman function to make sure the Board 
 doesn't delay implementation of things the community wants while it figures 
 out whether doing such things will prevent it from doing other things the 
 community wants?

No (or at least I don't think so -- I have difficulty parsing that sentence). 
I'm suggesting that the informal input mechanisms historically and currently 
used by ARIN to determine what should be done (and to some extent how) may be 
insufficient, inefficient, and/or imply certain risks given that many of the 
services provided by ARIN are done on a monopoly basis and failure of those 
service could have global effect.

Or not.  It may be that network operators (not just the ones that show up at 
ARIN meetings and are on PPML) are happy with the existing communication 
channels and that additional structures to encourage participation and input in 
the ARIN region regarding services ARIN provides to the public are unnecessary. 

 I don't understand how this bee-watcher-watcher thing works.

Sorry, which?

Regards,
-drc




Re: arin and ops fora (was Re: AltDB?)

2011-01-10 Thread Owen DeLong

On Jan 10, 2011, at 8:52 PM, David Conrad wrote:

 Owen,
 
 On Jan 10, 2011, at 3:13 PM, Owen DeLong wrote:
 Members may bring any topic of interest to arin-discuss.
 
 Just to be clear, arin-discuss is limited to ARIN members?
 
To the best of my knowledge, yes.

 They can and sometimes do discuss operational matters there.
 
 Operational matters that impact more than members?
 
Operational matters as in ARIN operations.

While operations ARIN does such as rDNS, whois, etc. may impact those
outside of ARIN membership, ARIN members are (generally) the ones
paying for those operations.

If you want a say in changing those operations (and thus changing what it costs
to perform them), you can become a member of ARIN for a mere $500/year, or,
you can use the ACSP which is the process for submitting non-policy matters
to ARIN which are then brought before the community on PPML in a non-policy
context.

 The ACSP provides
 a process for community review of the suggestions and semi-formal comment 
 processes as
 well.
 
 Which community?
 
The community on PPML.

Owen




Re: arin and ops fora (was Re: AltDB?)

2011-01-10 Thread Owen DeLong

On Jan 10, 2011, at 8:23 PM, David Conrad wrote:

 Owen,
 
 On Jan 8, 2011, at 8:56 PM, Owen DeLong wrote:
 I suspect part of the issue is that ARIN is a monopoly provider of a 
 variety public services that folks unrelated (directly) to ARIN must make 
 use of. In other areas of public service provision, there are things like 
 public utilities commissions that  (in theory) ensure the monopoly service 
 provider acts in the public benefit when services are 
 added/changed/deleted.  My impression is that the various WGs and SIGs in 
 the other RIRs perform something similar to that function.  There doesn't 
 appear to be anything similar in the ARIN region.
 
 In ARIN, there are things like BoT elections and the BoT very much fulfills 
 the role of the PUC as you describe above.
 
 Well, ARIN BoT members are fiduciarily responsible for ARIN. PUC members, to 
 my understanding, are responsible to the public. In my experience on ARIN's 
 board, the key role of the board was to ensure the public policy process was 
 followed, not oversight of how public services are provided.  However, things 
 might have changed -- that was some time ago.  
 
Yes, ARIN BoT members have fiduciary responsibility for ARIN.

However, the ARIN charter is not the same as most corporations. Indeed, as I 
understand it, the ARIN charter requires that ARIN disband itself if that is 
determined to be what is in the best interests of the community. The board is 
accountable to the ARIN membership, which includes all subscriber ISPs and 
others who pay their annual membership dues.

I believe the board both ensures that the public policy process is followed and 
performs other executive management and leadership functions governing the 
operations of ARIN at a high level. Obviously most of the day-to-day decision 
making for that is vested in the CEO who also sits on the board.

 People can submit requests for operational changes to ARIN through the ACSP 
 and in my experience they get a good review
 and comment period by the community
 
 Which community? ARIN or NANOG?
 
Those who subscribe to PPML. If you are interested in having a voice in ARIN 
policies or how ARIN operates, it's essential to be on that list.

 and the board listens to these things and responds appropriately.
 
 Somewhat as an aside, I'm a bit surprised the board would get involved at the 
 level of detail this implies.  I would've thought how public services are to 
 be provided would be an operational decision made by the ARIN CEO/staff and 
 that the board would only get involved to ensure sufficient resources were 
 available.
 
For the most part, it is. However, if the community is asking for something 
ARIN isn't doing or pushing for ARIN to change how it does something, the board 
tends to at least review the matter. 

 Especially if a
 suggestion receives significant support, it tends to get implemented.
 
 My impression of the concern is that the definition of support and decisions 
 regarding what gets implemented are made within a subset of the network 
 operations community.
 
Anyone who wants to participate can join the mailing list and do so. I'm not 
sure how you would extend it to a wider group without seriously diminishing 
returns.

Owen




RE: arin and ops fora (was Re: AltDB?)

2011-01-09 Thread Lee Howard
 On Jan 8, 2011, at 4:40 AM, Lee Howard wrote:
  I think that's a bit of what we've been trying to do with the Best Current
  Operational Practices BoFs.  We need a place where operators can discuss and
  document BCOPs.
 
 While I think BCOPs (and BCOP BoFs) are a great idea, I guess the question is
 how can folks be assured that ARIN would follow a NANOG community-defined BCOP
 relating directly to ARIN operations. For example, if the NANOG community were
 to (reasonably) say BCOP is to use IETF-defined standards for publishing and
 accessing resource registration data, I'd imagine ARIN might (reasonably)
 disagree and continue down the RWS path.

I don't think of BCOP as a subset of NANOG, but as an overlap of several
communities, including NANOG and ARIN.  Certainly ARIN is not bound by BCOP's
findings (no one would be), but the AC and Board would take seriously a
community-consensus best practice.  I doubt ARIN would be surprised by any BCOP
finding, given the involvement of several ARIN AC members in it.


 provision, there are things like public utilities commissions that  (in
 theory) ensure the monopoly service provider acts in the public benefit when
 services are added/changed/deleted.  My impression is that the various WGs and
 SIGs in the other RIRs perform something similar to that function.  There
 doesn't appear to be anything similar in the ARIN region.

Are you saying ARIN needs an ombudsman function to make sure the Board doesn't
delay implementation of things the community wants while it figures out whether
doing such things will prevent it from doing other things the community wants?

I don't understand how this bee-watcher-watcher thing works.

Lee





Re: AltDB?

2011-01-09 Thread John Curran
On Jan 9, 2011, at 2:09 AM, Jeff Wheeler wrote:

 In terms of database size, excluding RIPE, the ARIN IRR is the 8th
 largest, ahead of ALTDB and about 10% as large as Level3, the second
 largest IRR database (except RIPE.)  A mass-corruption of the ARIN IRR
 overnight might be a serious incident causing service impact to a
 large number of users and businesses, and cause probably thousands of
 people to be got out of bed in the middle of the night, but clearly it
 would not be a total disaster.


Jeff - 
 
 Please suggest your preferred means of IRR authentication to the ARIN 
 suggestion process: https://www.arin.net/participate/acsp/index.html
 Alternatively, point to a best practice document from the operator 
 community for what should be done here. ARIN's work plan is very much
 driven by community input, so that's what is needed here.

Thanks!
/John

John Curran
President and CEO
ARIN





Re: AltDB? (IRR support direction at ARIN)

2011-01-09 Thread John Curran
On Jan 5, 2011, at 12:07 PM, Jeff Wheeler wrote:

 I would like to note that RADB had route6: support in about 2004 or
 so, if my memory serves me; while the ARIN database did not accept
 route6 objects until about a year ago.  So it is not exactly a high
 priority for ARIN.

The priority of IRR at ARIN is based on community feedback and 
direction.  There is no particular reason for ARIN to focus on 
ongoing IRR enhancements, if the community isn't asking for such.

ARIN needs to stay focused on its mission, and prioritize all work
accordingly. There has not been a clear consensus from the community 
one way or the other about enhancing the IRR services as part of 
that mission, nor on deeming it to be outside of the mission and 
phasing out the services.  This makes it somewhat challenging for 
the Board and staff to discern the right approach, and leaves us 
simply maintaining the status quo for these services.

Should IRR services be part of the ARIN mission?  ARIN-discuss 
would be a great mailing list on which to discuss this topic, or 
(along the lines of Randy's earlier comments) on this NANOG list,
if the mailing list folks consider it to be on topic.

/John

John Curran
President and CEO
ARIN





Re: AltDB? (IRR support direction at ARIN)

2011-01-09 Thread Jon Lewis

On Sun, 9 Jan 2011, John Curran wrote:


Should IRR services be part of the ARIN mission?


If that's a serious question, why does rr.arin.net exist at all?

--
 Jon Lewis, MCP :)   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: AltDB? (IRR support direction at ARIN)

2011-01-09 Thread John Curran
On Jan 9, 2011, at 3:02 PM, Jon Lewis wrote:
 Should IRR services be part of the ARIN mission?
 
 If that's a serious question, why does rr.arin.net exist at all?

Jon - 
 
  Existence is not in and of itself proof that the services are
  presently desired by the community, nor that there are benefits 
  in having them provided by ARIN.

  For example, one can argue that it is desirable for ARIN to 
  provide IRR services in the case where allocation policy had
  dependencies into the state of the IRR; this is not the case
  in the ARIN region. Another reason for ARIN to offer services
  is if it can do so in a manner that would significantly improve
  their quality (one might argue such about resource certification
  via RPKI, but that's not as obvious for a routing registry)

  At the end of the day, we want ARIN to be providing quality
  services around the registration of Internet number resources;
  these services need to be valued by the community and provided
  cost-effectively. 

  Do you: 1) want IRR services, and if so, with what features?
  2) believe IRR services should be provided by ARIN?
  
  Getting input from the community on this will significantly 
  help the ARIN staff make informed recommendations to the 
  ARIN Board regarding how to best proceed.  I'd also welcome 
  private email with these thoughts if that's your preference.

Thanks!
/John

John Curran
President and CEO
ARIN 



Re: AltDB? (IRR support direction at ARIN)

2011-01-09 Thread Randy Bush
   Do you: 1) want IRR services, and if so, with what features?
   2) believe IRR services should be provided by ARIN?

the irr is slightly useful today.  so, iff it is cheap and easy, arin
providing an open and free instance is a public good.  again, iff it is
easy and cheap.  and please do not waste time trying to 'fix' the irr,
sad to say it's trying to make a silk purse out of a sow's ear.

and thanks for asking.

randy



arin and ops fora (was Re: AltDB?)

2011-01-09 Thread John Curran
On Jan 8, 2011, at 4:11 AM, David Conrad wrote:

 Another view is that ARIN's whole and sole reason for being is to provide 
 services to the network operators in the ARIN region. As such, it would be 
 ill-advised for ARIN to change those services without consulting the 
 community that ARIN serves and getting their buy-in. Hopefully, there's a 
 middle ground.

Agreed.  Presently, we rely upon the ARIN consultation and suggestion process 
for getting tactical input on operational changes.  We also recognize guidance 
from the IETF both via IAB communications and in the form of the BCP RFC 
series.  Obviously, if there were a convenient way for the operator community 
to provide consensus guidance on Internet number resource operational matters, 
such input would be highly valued.

 On Jan 7, 2011, at 10:24 PM, Paul Vixie wrote:
 i hear in what you're saying
 a desire to have a way to impact ARIN's behaviour outside of NRPM edits
 and perhaps ARIN does need to address this with some new online forum for
 things which aren't allocation policy but which should still be decided
 using community input.
 
 Yep.  Not sure it should be an ARIN-operated thing (nor am I sure that it 
 shouldn't be), but something a bit more focused on the operation of services 
 ARIN provides than ppml might be helpful.

Excellent question.  To the extent that it is best practices on these types of
services, then that's relatively easy for ARIN to interface with... if it is 
specific direction to ARIN to do xyz, then ultimately the decision rests with
the ARIN Board regarding that input, since that involves how we spend the 
service fees of the members.

On Jan 8, 2011, at 4:15 PM, David Conrad wrote:
 While I think BCOPs (and BCOP BoFs) are a great idea, I guess the question is 
 how can folks be assured that ARIN would follow a NANOG community-defined  
 BCOP relating directly to ARIN operations. For example, if the NANOG 
 community were to (reasonably) say BCOP is to use IETF-defined standards for 
 publishing and accessing resource registration data, I'd imagine ARIN might 
 (reasonably) disagree and continue down the RWS path.

If the process for forming such recommendations were fair & open to the same 
community, the resulting documents would be quite compelling.  While that does 
not assure ARIN would follow them, this community has never been shy about 
providing feedback when the right things aren't happening... (and I'd note that 
a community which is capable of reaching consensus on such documents is equally 
capable of seating a Board amenable to such documents, if there ever were to be 
a problem in this area)

  My impression is that the various WGs and SIGs in the other RIRs perform 
 something similar to that function.  There doesn't appear to be anything 
 similar in the ARIN region.

The role is served by the ARIN Board, which is member-elected and composed of 
volunteers (and myself as CEO).  If folks think that a more formal structure
for operational input (either within ARIN or via liaison to another body) is 
called for, I'd suggest continued discussion on the various mailing lists.

Interesting discussion... thanks for raising it.
/John

John Curran
President and CEO
ARIN




Re: AltDB?

2011-01-09 Thread Jeff Wheeler
On Sun, Jan 9, 2011 at 1:09 PM, John Curran jcur...@arin.net wrote:
  Please suggest your preferred means of IRR authentication to the ARIN
  suggestion process: https://www.arin.net/participate/acsp/index.html
  Alternatively, point to a best practice document from the operator
  community for what should be done here. ARIN's work plan is very much
  driven by community input, so that's what is needed here.

John,

I appreciate you taking time to respond to this while on vacation.
However, I think we all know that your response is not a "here is how
you tell us what to do," it's a "here is our cop-out response to make
an incredibly simple fix either never happen, or take six months to
make it through the ARIN process."

If you truly do not understand the posts regarding this matter, I will
summarize them for you very simply:
1) ARIN IRR is a tool that has operational impact; service providers
use it to build prefix-lists automatically, and if the data that
underlies those prefix-lists is corrupted, networks that use the ARIN
IRR will see their transit providers stop accepting their BGP
announcements overnight.  This is not a "some database might be
inaccurate but it's okay," problem; it is an operational problem.
Some peoples' networks depend on that data not becoming corrupted.
Specifically, every network that uses ARIN IRR.

2) ARIN IRR has effectively no security for record updates or deletes.
 Anyone who knows how to forge an email From: header can corrupt or
delete part or all of the ARIN IRR database at any time.  ARIN IRR is
the only database that I am aware of without support for at least
password authentication.  The standard toolset supports passwords
trivially.

3) If not supporting passwords was a business-driven decision, it was
a bad one, but perhaps a mistake born out of ignorance.  If it was a
technically-driven decision by the staff members responsible for
implementing and maintaining the ARIN IRR, those staff members are not
qualified to handle anything of an operational nature, and you would
be well-advised to find jobs for them that don't require any
attentiveness to operational security.

4) The ARIN process will almost certainly not be the route taken
when a change eventually arises.  Some black hat will eventually
decide it would be a clever prank to erase or corrupt the entire
database, and you will then be faced with three choices; a) implement
passwords immediately and not allow any updates from users who haven't
selected one; b) make the ARIN IRR read-only and effectively make it
useless; c) ignore the problem, at which point no ISPs will be willing
to mirror the ARIN IRR anymore, because its data is a liability, not
an asset.

I appreciate that there is a process to go through for proposing ARIN
policy changes, etc.  Your suggestion that this be used when
addressing an operational security matter is foolish and provides
plenty of ammo for people who say ARIN is ineffective (or worse.)

I suggest you take a moment to think about what the news coverage
might be if this eventually blows up in a big enough way to interest
news people.  If a bunch of ISPs go down overnight due to an ARIN
oversight, will some savvy reporter ask himself who at ARIN knew they
were running an operationally-important service with no security
mechanism at all?  Will he have much trouble finding out about a
mailing list discussion in which the CEO of ARIN glazed over the issue
and referred a whistle-blowing person to the ARIN policy process?
Will he then ask if ARIN is an effective steward of RPKI?  Will his
article assign blame to you personally?  Will he draw some link to
Chinese interception of 15% of the Internet?

Who knows how mainstream press would interpret such an event, if it
was big enough to attract attention.  If I were you, though, I would
not want my signature at the bottom of an email essentially telling
someone to go post on the correct mailing list.

I suggest you don't be the ARIN CEO that gets mud in his eye because
he didn't understand the value of a password over mail-from.

-- 
Jeff S Wheeler j...@inconcepts.biz
Sr Network Operator  /  Innovative Network Concepts



Re: AltDB?

2011-01-09 Thread Mans Nilsson
Subject: Re: AltDB? Date: Sun, Jan 09, 2011 at 06:09:13PM + Quoting John 
Curran (jcur...@arin.net):
 On Jan 9, 2011, at 2:09 AM, Jeff Wheeler wrote:
  
  Please suggest your preferred means of IRR authentication to the ARIN 
  suggestion process: https://www.arin.net/participate/acsp/index.html
  Alternatively, point to a best practice document from the operator 
  community for what should be done here. ARIN's work plan is very much
  driven by community input, so that's what is needed here.

Just do as the other RIRen, for starters. The database sw is available,
and ARIN coming up to the standards of the others would be a real
improvement.
-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
My mind is a potato field ...




Re: AltDB? (IRR support direction at ARIN)

2011-01-09 Thread Jeff Wheeler
On Sun, Jan 9, 2011 at 6:27 PM, Randy Bush ra...@psg.com wrote:
   Do you: 1) want IRR services, and if so, with what features?
           2) believe IRR services should be provided by ARIN?

 the irr is slightly useful today.  so, iff it is cheap and easy, arin
 providing an open and free instance is a public good.  again, iff it is
 easy and cheap.  and please do not waste time trying to 'fix' the irr,
 sad to say it's trying to make a silk purse out of a sow's ear.

I'm not suggesting that ARIN undertake a large and complex effort to
solve a bunch of issues with IRR.  All I am suggesting is that they
prevent anonymous bad guys with no inside information, special access,
or knowledge of passwords, from corrupting the data which some
networks choose to publish in ARIN IRR.

I am simply suggesting it is dangerous and irresponsible to run an IRR
with only MAIL-FROM authentication, and quite easy to also support
CRYPT-PW.  ARIN should either support passwords or immediately make
their IRR read-only and stop offering it as a service.  Imagine if
there was a Slashdot article or something about this, how long would
it take for some 14-year-old to erase the whole database, and how that
would pretty much force ARIN to make a choice anyway, but also, create
a lot of negative fall-out that might jeopardize trust in ARIN with
regard to other operational matters, like RPKI.

-- 
Jeff S Wheeler j...@inconcepts.biz
Sr Network Operator  /  Innovative Network Concepts



Re: AltDB? (IRR support direction at ARIN)

2011-01-09 Thread Randy Bush
   Do you: 1) want IRR services, and if so, with what features?
           2) believe IRR services should be provided by ARIN?

 the irr is slightly useful today.  so, iff it is cheap and easy, arin
 providing an open and free instance is a public good.  again, iff it is
 easy and cheap.  and please do not waste time trying to 'fix' the irr,
 sad to say it's trying to make a silk purse out of a sow's ear.
 
 I'm not suggesting that ARIN undertake a large and complex effort to
 solve a bunch of issues with IRR.

jeff, i do not disagree that running an irr instance with only mail-from
is s 1980s.  and, as mans points out, there is free software out
there to do it (i recommend irrd).  but i do not see good cause for arin
to spend anything non-trivial to fix a problem in an irr instance which
is not used very much.  i.e. better to drop it than to spend non-trivial
money to modernize it.

but more to the point, by 'fix' it, i did not mean modernizing the auth
method set.  i meant the content, syntax and semantics.

randy



Re: AltDB? (IRR support direction at ARIN)

2011-01-09 Thread Jeff Wheeler
On Sun, Jan 9, 2011 at 6:48 PM, Randy Bush ra...@psg.com wrote:
 jeff, i do not disagree that running an irr instance with only mail-from
 is s 1980s.  and, as mans points out, there is free software out
 there to do it (i recommend irrd).  but i do not see good cause for arin
 to spend anything non-trivial to fix a problem in an irr instance which
 is not used very much.  i.e. better to drop it than to spend non-trivial
 money to modernize it.

I agree that if ARIN thinks it would be too costly to support
password authentication, they should make the database read-only so
users will migrate away from it and no damage can be done by bad
guys.

 but more to the point, by 'fix' it, i did not mean modernizing the auth
 method set.  i meant the content, syntax and semantics.

I understood what you meant, and again, I agree with you; there is no
reason to invest a lot of time and resources in something that
should be made obsolete by other work already in progress.  The fix
I want is simply eliminating the large liability by continuing to
allow updates with MAIL-FROM authentication.

I believe ARIN IRR actually does support MD5 authentication, but if
you email the ARIN IRR person, or go to ARIN's web site, you are told
that only MAIL-FROM is allowed.  So they probably already have the
appropriate technical mechanism in place AND JUST AREN'T USING IT, and
are actively discouraging users from utilizing it.  This would be an
example of ARIN's ineffectiveness when it comes to operational
matters, and is why I have real fear that RPKI may one-day be a
disaster because ARIN is an ineffective steward.

-- 
Jeff S Wheeler j...@inconcepts.biz
Sr Network Operator  /  Innovative Network Concepts



Re: AltDB?

2011-01-09 Thread John Curran
On Jan 9, 2011, at 6:30 PM, Jeff Wheeler wrote:
 
 John,
 
 I appreciate you taking time to respond to this while on vacation.
 However, I think we all know that your response is not a here is how
 you tell us what to do, it's a here is our cop-out response to make
 an incredibly simple fix either never happen, or take six months to
 make it through the ARIN process.

Jeff - 

As it turned out, I'm back from vacation but thanks for the thought.  
My reason for responding is simply to make sure that ARIN is doing 
what the community wants.  I won't deny that this may take some time
depending on exactly what is involved, but in my mind that is far 
better than not fixing the situation.

 If you truly do not understand the posts regarding this matter, I will
 summarize them for you very simply:
 1) ARIN IRR is a tool that has operational impact; service providers
 use it to build prefix-lists automatically, and if the data that
 underlies those prefix-lists is corrupted, networks that use the ARIN
 IRR will see their transit providers stop accepting their BGP
 announcements overnight.  This is not a "some database might be
 inaccurate but it's okay" problem; it is an operational problem.
 Some peoples' networks depend on that data not becoming corrupted.
 Specifically, every network that uses ARIN IRR.

Thanks; I'm aware of the ARIN IRR and how operators in the community
make use of it, and have run ISPs which have made use of the data 
for route filtering.

 ...
 I appreciate that there is a process to go through for proposing ARIN
 policy changes, etc.  Your suggestion that this be used when
 addressing an operational security matter is foolish and provides
 plenty of ammo for people who say ARIN is ineffective (or worse.)

Agreed; dropping me an email is a fine process for operational
security matters.  Consider this one so reported.

/John

John Curran
President and CEO
ARIN





Re: AltDB?

2011-01-09 Thread Jeff Wheeler
On Sun, Jan 9, 2011 at 7:33 PM, John Curran jcur...@arin.net wrote:
 My reason for responding is simply to make sure that ARIN is doing
 what the community wants.  I won't deny that this may take some time
 depending on exactly what is involved, but in my mind that is far
 better than not fixing the situation.

How will ARIN respond to operational security matters with regard to
RPKI infrastructure in the future?

What experience does ARIN have with operational security in the past?
When faced with DNS server vulnerabilities, did ARIN solicit community
feedback before patching the servers responsible for IN-ADDR.ARPA
zones administered by ARIN?  Or did ARIN treat this matter as a
legitimate, operational security concern, and apply whatever technical
solution was available and generally accepted by other organizations
administering DNS servers?

Why should an operational security issue with the ARIN IRR be handled
as a policy issue?

Do you know that I have emailed ARIN about this both recently and in
years past?  Am I the only person who has ever tried to bring this to
ARIN's attention?  I doubt that.

Are the personnel managing the ARIN IRR oblivious to the fact that
every other IRR database except ARIN supports at least some form of
password authentication?  Are these personnel qualified to handle
services with operational impact?

Do you, or they, know that ARIN's IRR technical infrastructure
actually does support password security, and that records exist in the
ARIN IRR database with MD5 authentication, but that emails to ARIN
about this are answered with replies that only MAIL-FROM is possible?
Why does the ARIN web site make no mention of anything besides
MAIL-FROM?

 Thanks; I'm aware of the ARIN IRR and how operators in the community
 make use of it, and have run ISPs which have made use of the data
 for route filtering.

When you ran ISPs that made use of IRR data for route filtering, did
you use any kind of authentication when publishing and maintaining
your own records, or advise customers to use such?  Did the
possibility of malicious data corruption or erasure ever enter your
mind?

 Agreed; dropping me an email is a fine process for operational
 security matters.  Consider this one so reported.

What will the process be for handling operational security issues
regarding future RPKI infrastructure?  It is conceivable that there
may be no alternative to ARIN, in the ARIN region, for trusted routing
information data in the future.  Today, we can choose not to use ARIN
IRR, and the huge majority of networks who publish IRR data use their
ISP databases or MERIT RADB.  Are we faced with the possibility that
ARIN simply doesn't have personnel capable of handling operational
services, yet are forcing ARIN down a road that may make them a sole
source of something we all need?  If so, perhaps this is a very bad
idea in need of further debate.

I think the mentality at ARIN is one of paper-pushers and policy guys.
 That's perfectly fine for an organization whose main function is ...
processing paperwork and allocating IP addresses.  It is perhaps a
very bad idea to ask ARIN to do operational things which they are very
clearly unprepared to handle, to such an extent that they may need
additional or different personnel, and really need to change their
mentality.

I understand that the technical side of the RPKI implementation at
ARIN is most likely entrusted to Paul Vixie and ISC, which is a good
thing.  I never read an email from Paul saying, "I think we need to
solicit feedback before we patch this BIND issue."  DNSSEC progress
has taken a very long time, but that hasn't stopped ISC from
continuing to provide quick technical solutions to immediate technical
problems.  What really worries me is ... if there is some serious
issue with RPKI infrastructure in the future, will ARIN be able to
solve it in an operational time-frame, or won't they?

-- 
Jeff S Wheeler j...@inconcepts.biz
Sr Network Operator  /  Innovative Network Concepts



Re: AltDB?

2011-01-09 Thread John Curran
On Jan 9, 2011, at 9:53 PM, Jeff Wheeler wrote:
 
 Why should an operational security issue with the ARIN IRR be handled
 as a policy issue?

Operational security matters should simply be fixed; that's not a policy
matter but an implementation issue. 

 Do you know that I have emailed ARIN about this both recently and in
 years past?  Am I the only person who has ever tried to bring this to
 ARIN's attention?  I doubt that.

Good to know; I'm rather interested in knowing some particulars 
here, so can you forward to me one or two of those messages?  (or
just let me know the 'To' field used and I'll take it from there)

 What will the process be for handling operational security issues
 regarding future RPKI infrastructure?  It is conceivable that there
 may be no alternative to ARIN, in the ARIN region, for trusted routing
 information data in the future.  Today, we can choose not to use ARIN
 IRR, and the huge majority of networks who publish IRR data use their
 ISP databases or MERIT RADB.  Are we faced with the possibility that
 ARIN simply doesn't have personnel capable of handling operational
 services, yet are forcing ARIN down a road that may make them a sole
 source of something we all need?  If so, perhaps this is a very bad
 idea in need of further debate.

Feel free to discuss on this list (if deemed in charter) or arin-discuss 
as you feel appropriate.

 I think the mentality at ARIN is one of paper-pushers and policy guys.
 That's perfectly fine for an organization whose main function is ...
 processing paperwork and allocating IP addresses.  It is perhaps a
 very bad idea to ask ARIN to do operational things which they are very
 clearly unprepared to handle, to such an extent that they may need
 additional or different personnel, and really need to change their
 mentality.

Jeff - ARIN does indeed have folks who worry about whether the policy 
development process is being followed.  We also have folks who actually
implement the policy and issue number resources.  What you may not know 
is that we also have quite a few folks who have run production operational 
services both for the Internet and other mission-critical environments.  
I'm not surprised that the IRR allows plaintext passwords, but am myself
stunned if indeed we require them, since that disallows even a modicum of 
protection from trivial acts of sabotage.  Rather than repeat what lack 
of information there is on the web site in regards to what forms of IRR 
authentication is available, I will go determine the state of reality 
and post back here asap. At a minimum, we need much clearer documentation, 
but if more is required, we'll get it fixed asap.

/John

John Curran
President and CEO
ARIN





Re: AltDB? (IRR support direction at ARIN)

2011-01-09 Thread Charles N Wyble
On 01/09/2011 03:41 PM, Jeff Wheeler wrote:
 On Sun, Jan 9, 2011 at 6:27 PM, Randy Bush ra...@psg.com wrote:
   Do you: 1) want IRR services, and if so, with what features?
   2) believe IRR services should be provided by ARIN?


 
 I am simply suggesting it is dangerous and irresponsible to run an IRR
 with only MAIL-FROM authentication, and quite easy to also support
 CRYPT-PW.  ARIN should either support passwords or immediately make
 their IRR read-only and stop offering it as a service.  Imagine if
 there was a Slashdot article or something about this, how long would
 it take for some 14-year-old to erase the whole database, and how that
 would pretty much force ARIN to make a choice anyway, but also, create
 a lot of negative fall-out that might jeopardize trust in ARIN with
 regard to other operational matters, like RPKI.

So why hasn't this happened already? If it's so easy, then all the
normal actors that like to cause us late nights would have struck already.

And according to http://www.irr.net/docs/list.html there are lots of IRR
databases.

I had a vague concept of IRR before this thread, and have researched
them as a result of it. They seem quite useful. I didn't know anything
about RPKI before this thread. I'm looking into that now.

So I don't think ARIN should spend its limited resources on anything to
do with its copy of the IRR. In fact I'm not sure why they even operate
one. It seems to be the realm of service providers to do so.

Can anyone enlighten me as to why a RIR is operating an IRR database? It
doesn't make sense to me.


-- 
Charles N Wyble (char...@knownelement.com)
Systems craftsman for the stars
http://www.knownelement.com
Mobile: 626 539 4344
Office: 310 929 8793



Re: AltDB? (IRR support direction at ARIN)

2011-01-09 Thread Charles N Wyble
On 01/09/2011 03:48 PM, Randy Bush wrote:
   Do you: 1) want IRR services, and if so, with what features?

I think so. In theory it seems useful. In practice...
http://www.renesys.com/blog/2009/05/keeping-score.shtml

not so much.

   2) believe IRR services should be provided by ARIN?

No. As I mentioned elsewhere in this thread, I don't see why an RIR is
operating an IRR database. It seems to be something clearly in the realm
of service providers (ie people who are making use of allocated resources).

John,

Can you shed some light on why this is the case? Was this requested by
the community, or driven internally? Or both?



-- 
Charles N Wyble (char...@knownelement.com)
Systems craftsman for the stars
http://www.knownelement.com
Mobile: 626 539 4344
Office: 310 929 8793



Re: AltDB? (IRR support direction at ARIN)

2011-01-09 Thread Charles Gucker
 I had a vague concept of IRR before this thread, and have researched
 them as a result of it. They seem quite useful. I didn't know anything
 about RPKI before this thread. I'm looking into that now.

 So I don't think ARIN should spend its limited resources on anything to
 do with its copy of the IRR. In fact I'm not sure why they even operate
 one. It seems to be the realm of service providers to do so.

 Can anyone enlighten me as to why a RIR is operating an IRR database? It
 doesn't make sense to me.

Sure.   I've been staying quiet on this thread, but as one person who
has used (and still maintains a number of records) ARIN's IRRd, I'll
respond.

Firstly, there are many networks who want to put their IRR
objects into a neutral and objective database.  I know that AltDB is
free, but as I've been told before, if you want support, donate to
Abha Ahuja Women in Science in Engineering scholarship fund,
otherwise your maintainer objects will never be approved (know this
one first hand).  And RADB, which used to be free, charges a fee
to have records maintained via their web GUI.  Many network
operators don't want to directly pay for such services, so ARIN makes
sense in this regard.  My original alternative was to set up my own
IRRd, but was glad not to have to go to the trouble.

Secondly, ARIN's IRRd is a lot easier to use than any service provider
IRRd as those are intended for customer records only and if you wish
to leave them, they will delete your records or just simply deny you
support.   Especially when said providers mirror ARIN's database.
It's much like using PA vs PI IP space.   If you want to be indebted
to your provider, continue to use their free services.

Thirdly, with the above in mind, ARIN provides support to all members
of ARIN, so you can get a real person on the phone or by email to
respond to questions.

So, all in all, I am grateful that ARIN has supplied the IRRd service,
would love to see the authentication enhanced, but otherwise I don't
have any complaints.  I encourage others to use the service
regularly and am glad to see it getting some attention, we just need
to make sure to channel the attention into enhancements and not
limitations.

thanks,
charles



Re: AltDB?

2011-01-09 Thread Jeff Wheeler
On Sun, Jan 9, 2011 at 10:47 PM, John Curran jcur...@arin.net wrote:
 Jeff - ARIN does indeed have folks who worry about whether the policy
 development process is being followed.  We also have folks who actually
 implement the policy and issue number resources.

And we all agree that this is ARIN's primary role, and what ARIN,
organizationally, has been built to be good at.  This is what members
consider when electing the BoT and no doubt drives ARIN's day-to-day
business and technical decisions.

 is that we also have quite a few folks who have run production operational
 services both for the Internet and other mission-critical environments.

What does ARIN, as an organization, do that has short-term operational
impact on its members?  Two things that I am aware of: IN-ADDR.ARPA
delegation and IRR.  One of these things gives people no reason to
complain.  The other is demonstrably insecure in a manner that could
have really serious, and embarrassing, consequences, both financial
for the members, and in terms of peoples' confidence in ARIN.

 I'm not surprised that the IRR allows plaintext passwords, but am myself
 stunned if indeed we require them, since that disallows even a modicum of
 protection from trivial acts of sabotage.  Rather than repeat what lack
 of information there is on the web site in regards to what forms of IRR
 authentication is available, I will go determine the state of reality
 and post back here asap. At a minimum, we need much clearer documentation,
 but if more is required, we'll get it fixed asap.

Thanks, I am glad you are now looking into this.  To be clear, it's
not just plain text passwords.  There aren't any passwords for the
majority of objects.  The ARIN documentation indicates that only
MAIL-FROM is supported.  When asked about this, ARIN personnel who
respond to rt...@arin.net reply that yes, MAIL-FROM is the only
authentication mechanism supported, and that no, there is no support
for passwords (good) or PGP (also good, but too complicated for some
users.)

This isn't simply an issue of plain text passwords.  Your mechanism
is MAIL-FROM, which means the only check that is done on
update/add/delete requests is the From: header.  The ARIN database,
which is publicly mirrored, contains the email addresses that must be
used to add/update/delete objects maintained by a given mntner:
object.  All you have to do to corrupt or erase a record is look up
the record you want to corrupt in the IRR, then look up that mntner,
then forge an email from the auth: MAIL-FROM listed in that mntner
record.  It's dead simple and it is not plain text passwords, it is
no passwords at all.

The reason I am still posting is I am deeply concerned about the lack
of technical and management competence needed to let this happen in
the first place.  You shouldn't seriously believe that no ARIN staffer
ever thought about this, while also believing that ARIN is currently
capable of administering RPKI, by its very nature and as its primary
goal, to improve operational network security.

For this reason, I think your true task is not simply to address the
IRR issue, but to change the mentality at ARIN.  If you do have
technically skilled personnel, something is preventing them from being
effective.  If there isn't a management or cultural problem stopping
folks from speaking up, then, quite frankly, I think you may be
greatly over-estimating the technical savvy of ARIN staff.

-- 
Jeff S Wheeler j...@inconcepts.biz
Sr Network Operator  /  Innovative Network Concepts
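
An added example, not part of the original post: a defender-side audit of an IRR dump for the exposure described in the message above. It assumes RPSL semantics in which several `auth:` lines on a mntner, and several `mnt-by:` references on an object, are alternatives, so one MAIL-FROM entry is enough to make an object forgeable; the dump, the mntner names and the hashes are constructed placeholders, and `MD5-PW` and `NONE` are scheme names assumed from common IRR usage.

```python
"""Flag IRR objects whose maintainer can be satisfied by a MAIL-FROM check."""
import re

# Constructed sample dump (documentation prefixes and ASNs, hypothetical
# mntner names, placeholder hashes); not taken from any real registry.
SAMPLE_DUMP = """\
mntner:   MAINT-EXAMPLE-A
auth:     MAIL-FROM noc@example.net
mnt-by:   MAINT-EXAMPLE-A
source:   EXAMPLE

mntner:   MAINT-EXAMPLE-B
auth:     CRYPT-PW PLACEHOLDERHASH
mnt-by:   MAINT-EXAMPLE-B
source:   EXAMPLE

mntner:   MAINT-EXAMPLE-C
auth:     MD5-PW PLACEHOLDERHASH
auth:     MAIL-FROM ops@example.org
mnt-by:   MAINT-EXAMPLE-C
source:   EXAMPLE

route:    192.0.2.0/24
origin:   AS64500
mnt-by:   MAINT-EXAMPLE-A
source:   EXAMPLE

route:    198.51.100.0/24
origin:   AS64501
mnt-by:   MAINT-EXAMPLE-B
source:   EXAMPLE

route:    203.0.113.0/24
origin:   AS64502
mnt-by:   MAINT-EXAMPLE-B,
          MAINT-EXAMPLE-C
source:   EXAMPLE

aut-num:  AS64503
as-name:  EXAMPLE-NET
mnt-by:   MAINT-MISSING
source:   EXAMPLE
"""

# Schemes that do not require a secret or a signature from the submitter.
WEAK_SCHEMES = {"MAIL-FROM", "NONE"}


def parse_objects(text):
    """Split an RPSL dump into objects: lists of (attribute, value) pairs."""
    objects, current = [], []
    for raw in text.splitlines():
        if not raw.strip():                      # blank line ends an object
            if current:
                objects.append(current)
                current = []
            continue
        if raw[0] in "#%":                       # comment or server remark
            continue
        if raw[0] in " \t+" and current:         # continuation of last value
            name, value = current[-1]
            current[-1] = (name, (value + " " + raw[1:].strip()).strip())
            continue
        name, sep, value = raw.partition(":")    # first colon only (IPv6 safe)
        if sep:
            current.append((name.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects


def weak_mntners(objects):
    """Map mntner name -> weak schemes it accepts (any single one suffices)."""
    weak = {}
    for obj in objects:
        if obj[0][0] != "mntner":
            continue
        schemes = {v.split()[0].upper() for n, v in obj if n == "auth" and v}
        bad = sorted(schemes & WEAK_SCHEMES)
        if bad or not schemes:
            weak[obj[0][1].upper()] = bad or ["(no auth attribute)"]
    return weak


def audit(text):
    """Return (class, key, reasons) for every object exposed to forged mail."""
    objects = parse_objects(text)
    known = {o[0][1].upper() for o in objects if o[0][0] == "mntner"}
    weak = weak_mntners(objects)
    findings = []
    for obj in objects:
        cls, key = obj[0]
        refs = [m.upper() for n, v in obj if n == "mnt-by"
                for m in re.split(r"[,\s]+", v) if m]
        reasons = [] if refs else ["no mnt-by"]
        for m in refs:
            if m not in known:
                reasons.append(f"{m}: maintainer not in dump")
            elif m in weak:
                reasons.append(f"{m}: accepts {'/'.join(weak[m])}")
        if reasons:
            findings.append((cls, key, reasons))
    return findings


if __name__ == "__main__":
    for cls, key, reasons in audit(SAMPLE_DUMP):
        print(f"{cls:8} {key:18} {'; '.join(reasons)}")
```

Note that MAINT-EXAMPLE-C is flagged even though it carries a password hash: adding a stronger scheme does not help until the MAIL-FROM line is removed.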



Re: AltDB?

2011-01-08 Thread Paul Vixie
 Date: Sat, 08 Jan 2011 15:47:51 +0900
 From: Randy Bush ra...@psg.com
 ...
 more recent rumors, and john's posting here, seem to indicate that
 ...

even to the extent that i know what's really happened or happening, i'd
be loath to comment on rumours.  i have high confidence in arin's board
and staff, and i believe that the right things are happening, even with
the delays.  right things as in what's best for the community and for
the internet industry in the arin service region.  as a strong proponent
of rpki and of all things like rpki that will strengthen infrastructure,
i remain delay-tolerant if review is the cost of getting it right.

 first, it would really help if the arin bot and management were much
 more open about these issues and decisions.  at the detailed level.  we
 are all not fools out here, present company excepted :).  for a radical
 example, considering that arin is managing a public resource for the
 community, why are bot meetings not streamed a la cspan?

can you cite some examples of nonprofit companies whose boards operate at
the level of transparency you're asking me to consider in this example?

the process of rolling out something like rpki involves some checks and
balances, it's no longer just a simple matter of the technical people doing 
the right thing even though i remember older times when that was the way
most things on the internet worked.

 i do not see how you are going to get rid of the liability.  you have it
 now in whois/irr if i use it for routing (except they are so widely known
 to be bad data that the world knows i would be a fool to bet on them).
 whether the source of a roa is a user whacking on an arin web page or by
 other means, you still attested to the rights to that address space.

my own belief here (not speaking for ARIN or for the ARIN BoT) is that the
folks who use IRR/whois data to build route filters have a confidence level
much lower than those who will use RPKI to do the same will have.  i know
that if i still had enable on anything other than my home router, that's
how i'd feel.  also, liability isn't just got rid of, it's also documented
and risk-managed, and doing that may require some kind of internal review.

 but all this is based on inference and rumor.  can you please be more
 open and direct about this?  thanks.

i don't know.  john (speaking for ARIN) gave an excellent and complete answer
that i completely agree with.  you're repeating some rumours which i won't
comment on one way or the other.  if you have specific questions which were
not answered by john's response or which were raised by john's response you
should ask them.  saying "i heard a rumour, would anyone care to refute it?"
is not going to move the conversational line of scrimmage at all.

paul



Re: AltDB?

2011-01-08 Thread Randy Bush
 first, it would really help if the arin bot and management were much
 more open about these issues and decisions.  at the detailed level.  we
 are all not fools out here, present company excepted :).  for a radical
 example, considering that arin is managing a public resource for the
 community, why are bot meetings not streamed a la cspan?
 
 can you cite some examples of nonprofit companies whose boards operate at
 the level of transparency you're asking me to consider in this
 example?

fcc



Re: AltDB?

2011-01-08 Thread Paul Vixie
 From: David Conrad d...@virtualized.org
 Date: Fri, 7 Jan 2011 21:01:52 -1000
 
  do you have a specific proposal? i've noted in the past that arin tries
  hard to stick to its knitting, which is allocation and allocation policy.
 
 Yes. This is a positive (IMHO), however it seems that occasionally,
 ARIN's knitting tangles up folks who don't necessarily involve
 themselves with ARIN's existing interaction mechanisms (at least
 directly).

the price of changing what ARIN does is, at a minimum: participation.

  it seems to me that if some in the community wanted arin to run SIGs
  or WGs on things like routing policy arin could do it but that a lot
  of folks would say that's mission creep and that it would be arin
  poaching on nanog lands.
 
 The issue I see is that there are non-address allocation{, policy}
 topics that can deeply affect network operations in which ARIN has a
 direct role, yet network operators (outside of the normal ARIN
 participants) have no obvious mechanism in which to
 comment/discuss/etc.  Examples would include reverse DNS operations,
 whois database-related issues (operations, schema, access methods,
 etc.), (potentially?) RPKI, etc.  It doesn't seem appropriate to me
 for these to be discussed in relation to addressing policy nor are the
 issues associated with those examples necessarily related to address
 allocation, hence I wouldn't think they'd be fodder for ppml.

they are, though.  i understand the subtlety of the question, "is that a
policy matter?" but discussions on ppml@ have led to determinations of
"what is lameness?" and "when is a nameserver so lame that it's better to
remove it from in-addr than to leave it in?"  i hear in what you're saying
a desire to have a way to impact ARIN's behaviour outside of NRPM edits
and perhaps ARIN does need to address this with some new online forum for
things which aren't allocation policy but which should still be decided
using community input.  (as i recall my first act as a new ARIN trustee
was to sign onto a policy proposal that would have changed the way e-mail
templates worked, and at the end of the process the ARIN BoT shot it down
because it wasn't a policy, and i understood that decision.  strange, eh?)

 ...
 
 So, in other words, no, I don't really have a specific proposal.

perhaps others will chime in.  i will continue to think about it also.



Re: AltDB?

2011-01-08 Thread Randy Bush
 the price of changing what ARIN does is, at a minimum: participation.

aha!  there we go.  the old ietf attitude.  you come to the mountain.

well, i'll tell you what i told the ietf.  the high and mighty mountain
can bite my ass.

randy



Re: AltDB?

2011-01-08 Thread David Conrad
Paul,

On Jan 7, 2011, at 10:24 PM, Paul Vixie wrote:
 the price of changing what ARIN does is, at a minimum: participation.

Another view is that ARIN's whole and sole reason for being is to provide 
services to the network operators in the ARIN region. As such, it would be 
ill-advised for ARIN to change those services without consulting the community 
that ARIN serves and getting their buy-in. Hopefully, there's a middle ground.

 i hear in what you're saying
 a desire to have a way to impact ARIN's behaviour outside of NRPM edits
 and perhaps ARIN does need to address this with some new online forum for
 things which aren't allocation policy but which should still be decided
 using community input.

Yep.  Not sure it should be an ARIN-operated thing (nor am I sure that it 
shouldn't be), but something a bit more focused on the operation of services 
ARIN provides than ppml might be helpful.

Regards,
-drc




Re: AltDB?

2011-01-08 Thread Randy Bush
 the price of changing what ARIN does is, at a minimum: participation.
 aha!  there we go.  the old ietf attitude.  you come to the mountain.
 well, i'll tell you what i told the ietf.  the high and mighty mountain
 can bite my ass.

let me be a bit more clear on this

  o you affect the operational community, you talk with (not to) the
operational community where the operational community talks

  o i have given a lot of blood to arin, far more than it deserved.  so
do not tell me i need to give more.

  o eighteen months or so ago, a gang of big arin folk guilt-tripped me
into running for the board (which i founded back in '96-'97).  i did
the nomcom form and all that, AND WAS SILENTLY NOT ALLOWED ON THE
BALLOT.  never given notice or reason.  so take your high and mighty
open participation crap and shove it where the sun don't shine.  but
i sure was relieved, to tell the truth.  my mental and physical
health just don't need the arin vigilante high and mighty crap on a
daily basis.

randy



RE: AltDB?

2011-01-08 Thread Lee Howard
 example, considering that arin is managing a public resource for the
 community, why are bot meetings not streamed a la cspan?

Having watched Congress on CSPAN, and heard reports about open
ICANN Board meetings, it looks to me like making deliberative 
meetings public means nothing substantive happens during meetings.
People get afraid to say anything that might make them look 
ignorant, and just make prepared speeches.  All decisions are made 
ahead of time through private negotiations, which ends up being the
opposite of transparency.
I think ARIN's Board's output is better than Congress.

 i do not see how you are going to get rid of the liability.  

Looking at the ARIN Board minutes of
https://www.arin.net/about_us/bot/bot2010_1006.html 
and https://www.arin.net/about_us/bot/bot2010_1122.html it looks like the
Board is requesting a more detailed liability assessment.   Well-informed
decisions are more likely to be good than the other kind.

Lee




RE: AltDB?

2011-01-08 Thread Lee Howard


 -Original Message-
 From: David Conrad [mailto:d...@virtualized.org]
 
 The definition of what comes under the public policy mailing list
umbrella has always been
 a bit confusing to me.  Too bad something like the APNIC SIGs and RIPE
Working Groups
 don't really exist in the ARIN region.

I think that's a bit of what we've been trying to do with the Best Current
Operational Practices
BoFs.  We need a place where operators can discuss and document BCOPs.

Lee




Re: AltDB?

2011-01-08 Thread Paul Vixie
 From: David Conrad d...@virtualized.org
 Date: Fri, 7 Jan 2011 23:11:32 -1000
 
 On Jan 7, 2011, at 10:24 PM, Paul Vixie wrote:
  the price of changing what ARIN does is, at a minimum: participation.
 
 Another view is that ARIN's whole and sole reason for being is to
 provide services to the network operators in the ARIN region.

yes.

 As such, it would be ill-advised for ARIN to change those services
 without consulting the community that ARIN serves and getting their
 buy-in.

that's very much what i mean by participation.  arin could never exist
without a community to serve.  if there are better ways to serve the
community or better ways for the community to participate in steering
arin's services, then i'm very interested in discovering them.

 Hopefully, there's a middle ground.

this *is* the middle ground.  we're beyond the span of decades when a
couple of smart engineers could bang out a working solution that the
rest of the community would just adopt out of opportunity and inertia.
and let's not just blame-the-lawyers for that.  the stakeholders in
the infrastructure of the information economy now number in the 'many'
and their views and needs have to be represented in the decisions that
get made by places like ICANN, IETF, the RIRs, and similar.

  i hear in what you're saying a desire to have a way to impact ARIN's
  behaviour outside of NRPM edits and perhaps ARIN does need to address
  this with some new online forum for things which aren't allocation
  policy but which should still be decided using community input.
 
 Yep.  Not sure it should be an ARIN-operated thing (nor am I sure that
 it shouldn't be), but something a bit more focused on the operation of
 services ARIN provides than ppml might be helpful.

count me as 'intrigued' and expect me to be thinking more about this.



Re: AltDB?

2011-01-08 Thread Paul Vixie
 Date: Sat, 08 Jan 2011 18:17:55 +0900
 From: Randy Bush ra...@psg.com
 
 let me be a bit more clear on this

thanks.

   o you affect the operational community, you talk with (not to) the
 operational community where the operational community talks

i think arin does this today.  certainly that is the intent.  on the other
fork of this thread, drc has noted some ways that this engagement area can
be further improved, and i have counted myself as intrigued.

also, i neglected to mention in my earlier notes on this thread that in
addition to public policy meetings and the public policy mailing list
which are open to the entire community not just arin members and which
allow for remote participation not just those who can travel, arin has a
consultation and suggestion process (URL below).  i urge all operators
and interested parties of the operational community to consider sharing
their perspectives and their wisdom with arin to guide it going forward.

ARIN Consultation and Suggestion Process:
https://www.arin.net/participate/acsp/index.html

ARIN Public Policy Mailing List:
http://lists.arin.net/mailman/listinfo/arin-ppml

Meetings:
https://www.arin.net/participate/meetings/index.html
https://www.arin.net/participate/meetings/reports/ARIN_XXVI/index.html
https://www.arin.net/participate/meetings/ARIN-XXVI/remote.html
https://www.arin.net/participate/meetings/ARIN-XXVII/index.html
https://www.arin.net/participate/meetings/ARIN-XXVIII/index.html

Fellowships:
https://www.arin.net/participate/meetings/fellowship.html

Scholarships:
https://www.arin.net/participate/meetings/scholarships.html



Re: AltDB?

2011-01-08 Thread Robert Bonomi

 Date: Sat, 08 Jan 2011 18:08:12 +0900
 From: Randy Bush ra...@psg.com
 Subject: Re: AltDB? 


 aha!  there we go.  the old ietf attitude.  you come to the mountain.

 well, i'll tell you what i told the ietf.  the high and mighty mountain
 can bite my ass.

Let me see if I've got this right -- you think ARIN should change their
policies, but _you_ are not willing to put in any personal effort to make
it happen, right?

Can you think of any good reason why _any_ organization should care about
the opinions of someone with that attitude?





Re: AltDB?

2011-01-08 Thread Jon Lewis

Getting back to the original topic...sort of:

Looking at the data from altdb, it's not as widely used as I'd have 
guessed.  There are 461 mntner objects.  Of these, 268 use MAIL-FROM 
authentication.  192 use CRYPT-PW.  At least those are the split if you 
look at just the first auth: for each mntner object...plenty of objects 
have multiple auth:'s and some even have multiple types like MAIL-FROM and 
PGP.  In such a case, does a change request have to satisfy both auth's or 
just either one?


This makes me ask two questions.

1) Why did ARIN even bother setting up rr.arin.net with no 
authentication other than MAIL-FROM?  Even CRYPT-PW, while weak 
would be far stronger and preferable to effectively no authentication.


2) Why does altdb (and presumably other RR's that support CRYPT-PW) only 
support DES and not MD5-crypt?  It's not 1990 anymore.  RFC 2622 says that 
CRYPT-PW uses the UNIX crypt format...but today, UNIX crypt supports a 
variety of formats, including MD5, which is popular at least with Linux.


I don't mean to whine that altdb doesn't support MD5...it'd be nice if it 
did, but at the price I'm paying for service ($0), I can't complain.


AFAIK, few networks base their BGP filters on the RR data, so I don't care 
too much about RPKI[1].  Who cares if ARIN certifies that my entries are 
legit if only a fraction of the net uses that data and there will always 
be portions of the net where anything goes and resource certification is 
ignored?  What I do care about is that my peers or transits that use RR 
data to build filters use the data I put there, and that that data isn't 
tampered with by anyone with the minimal level of clue required to forge 
the from address on an email and construct an RPSL update email.  Sure, 
we'd get email notification of the change...but if they time it right or 
the email doesn't get acted on quickly enough, filters might be built 
improperly.


[1] Don't care is probably too strong.  At this point in time, I don't 
think it makes sense to get hung up on it and refuse to do any 
authentication if we're not doing RPKI, but not implement RPKI, because we 
haven't worked out all the details on how it'll be done.  As it is, 
rr.arin.net is pretty much worthless.


--
 Jon Lewis, MCP :)   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
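
Added example, not part of the original thread: a small audit of an IRR dump that repeats the per-scheme count from the message above and then ranks each mntner by the weakest auth: scheme it accepts. It relies on RFC 2622 section 3.1 treating multiple auth: attributes as alternatives (satisfying any one authenticates the update); the strength ranking, the function names, the sample objects and the rule that one forgeable maintainer in mnt-by: exposes an object are assumptions of this example.

```python
"""Audit RPSL mntner objects by the weakest auth: scheme each one accepts."""
from collections import Counter

# Ranking is this example's assumption: lower = easier to forge.
RANK = {"NONE": 0, "MAIL-FROM": 1, "CRYPT-PW": 2, "PGP": 3}
FORGEABLE = {"NONE", "MAIL-FROM"}

# Constructed sample dump (documentation ASNs and prefixes, placeholder hash).
SAMPLE_DUMP = """\
mntner:   MAINT-AS64496
descr:    constructed sample
auth:     MAIL-FROM noc@example.net
mnt-by:   MAINT-AS64496

mntner:   MAINT-AS64497
auth:     CRYPT-PW XXconstructed
auth:     MAIL-FROM .*@example.org
mnt-by:   MAINT-AS64497

mntner:   MAINT-AS64498
auth:     PGPKEY-0123ABCD
auth:     CRYPT-PW XXconstructed
mnt-by:   MAINT-AS64498

route:    192.0.2.0/24
origin:   AS64496
mnt-by:   MAINT-AS64496

route:    203.0.113.0/24
origin:   AS64498
mnt-by:   MAINT-AS64498
"""


def parse_objects(dump):
    """Split a dump into objects; each object is a list of (attr, value)."""
    objects, current = [], []
    for line in dump.splitlines():
        if not line.strip():                 # blank line ends an object
            if current:
                objects.append(current)
                current = []
            continue
        if line[0] in "#%":                  # comment / server banner
            continue
        if line[0] in " \t+" and current:    # RPSL continuation line
            attr, value = current[-1]
            current[-1] = (attr, (value + " " + line[1:].strip()).strip())
            continue
        attr, sep, value = line.partition(":")
        if sep:
            current.append((attr.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects


def scheme_of(auth_value):
    """Reduce an auth: value to its scheme name."""
    parts = auth_value.split()
    token = parts[0].upper() if parts else "NONE"
    if token.startswith("PGP"):
        return "PGP"
    return token if token in RANK else "UNKNOWN"


def audit_mntners(dump):
    """Map mntner name -> schemes listed and the weakest one accepted."""
    report = {}
    for obj in parse_objects(dump):
        cls, name = obj[0]
        if cls != "mntner":
            continue
        schemes = [scheme_of(v) for a, v in obj if a == "auth"] or ["NONE"]
        known = [s for s in schemes if s in RANK]
        # Unrecognised schemes are reported but not ranked.
        effective = min(known, key=RANK.get) if known else "UNKNOWN"
        report[name.upper()] = {"schemes": schemes, "effective": effective}
    return report


def first_auth_counts(report):
    """Count by first auth: only, as in the message above."""
    return Counter(r["schemes"][0] for r in report.values())


def effective_counts(report):
    """Count by the weakest scheme, which is what a forger has to beat."""
    return Counter(r["effective"] for r in report.values())


def forgeable_mntners(report):
    return sorted(n for n, r in report.items() if r["effective"] in FORGEABLE)


def exposed_objects(dump):
    """Objects whose mnt-by: names at least one forgeable maintainer."""
    weak = set(forgeable_mntners(audit_mntners(dump)))
    exposed = []
    for obj in parse_objects(dump):
        cls, key = obj[0]
        if cls == "mntner":
            continue
        for attr, value in obj:
            names = {m.strip().upper() for m in value.split(",")}
            if attr == "mnt-by" and names & weak:
                exposed.append((cls, key))
                break
    return exposed


if __name__ == "__main__":
    rep = audit_mntners(SAMPLE_DUMP)
    print("first auth:", dict(first_auth_counts(rep)))
    print("effective :", dict(effective_counts(rep)))
    print("forgeable :", forgeable_mntners(rep))
    print("exposed   :", exposed_objects(SAMPLE_DUMP))
```
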



Re: AltDB?

2011-01-08 Thread Christopher Morrow
On Sat, Jan 8, 2011 at 1:10 PM, Jon Lewis jle...@lewis.org wrote:
 Getting back to the original topic...sort of:

thanks!

 [1] Don't care is probably too strong.  At this point in time, I don't think
 it makes sense to get hung up on it and refuse to do any authentication if
 we're not doing RPKI, but not implement RPKI, because we haven't worked out
 all the details on how it'll be done.  As it is, rr.arin.net is pretty much
 worthless.

I don't think rr.arin.net and RPKI have anything to do with each
other. I think the direction the RPKI should/is taking is to have the
RIR sign a ROA to the ORG that they allocate the address space to...
Similarly the ORG (if they are an N|LIR-type) will sign a ROA to the
ORG that they assign address space to.

Ideally you should be able to ask the RPKI system: I have 1.2.3.0/24
in a bgp announcement, origin'd by AS1234. Is that proper? Ideally
that magic doesn't happen on the router but a digested form of the
data is available making much of the heavy-lifting not router-based.

The parts of the puzzle here that ARIN (or really any RIR) is
responsible for are the 'signing roas to allocatees' (the up/down
protocol as it's referred to in the drafts -
http://tools.ietf.org/html/draft-ietf-sidr-rescerts-provisioning-09
and potentially having a system which permits end-users/ORGs to enter
data which generates ROA data (and sends that along to some
publication point for the rest of the routing world to
download/digest).

I believe the 'up/down protocol' part here is critical, the web
server part ... I'm not sure is so critical, maybe a third party
makes that happen outside of the ARIN management chain?

Using someone not yourself (ARIN or another third party) to manage
your ROA data means you probably have (in the most simple case) given
the ability to that third party to sign objects for you, that means
they have your private key(s) and can break you by
mistake/malfeasance/oversight/etc. For this reason some folks may be
ok with using a third party, many will choose to hold their fate in
their own hands.

-Chris
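
Added example, not part of the original thread: the question posed above ("I have 1.2.3.0/24 in a bgp announcement, origin'd by AS1234. Is that proper?") answered off-router against a digested list of ROA payloads, using the valid / invalid / not-found outcomes later standardized in RFC 6811. The payload list, the function names and every prefix and ASN other than the 1.2.3.0/24 and AS1234 pair quoted from the message are constructed for this example.

```python
"""Route origin validation against a digested ROA list (RFC 6811 states)."""
import ipaddress

# Constructed validated ROA payloads: (prefix, max_length, origin_asn).
# The first entry mirrors the announcement used in the message above.
VRPS = [
    ("1.2.3.0/24", 24, 1234),
    ("192.0.2.0/24", 24, 64496),
    ("2001:db8::/32", 48, 64497),
    ("2001:db8:ff00::/40", 40, 64498),
]


def validate(prefix, origin_asn, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement.

    valid     : some payload covers the prefix, permits its length and
                names the same origin AS
    invalid   : at least one payload covers the prefix, but none matches
    not-found : no payload covers the prefix at all
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_length, asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if vrp_net.version != net.version:
            continue
        if not net.subnet_of(vrp_net):
            continue
        covered = True
        # AS0 in a payload never validates a route.
        if asn != 0 and asn == origin_asn and net.prefixlen <= max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def classify(announcements, vrps=VRPS):
    """Group (prefix, origin) announcements by validation state."""
    result = {"valid": [], "invalid": [], "not-found": []}
    for prefix, origin in announcements:
        result[validate(prefix, origin, vrps)].append((prefix, origin))
    return result


# Constructed announcements covering each outcome.
ANNOUNCEMENTS = [
    ("1.2.3.0/24", 1234),            # matches its payload
    ("192.0.2.0/24", 64511),         # covered, wrong origin
    ("192.0.2.128/25", 64496),       # right origin, longer than max_length
    ("2001:db8:1::/48", 64497),      # within max_length 48
    ("2001:db8:1:100::/56", 64497),  # longer than max_length 48
    ("2001:db8:ff00::/40", 64498),   # matched by the more specific payload
    ("198.51.100.0/24", 64496),      # no covering payload
]

if __name__ == "__main__":
    for state, routes in classify(ANNOUNCEMENTS).items():
        print(state, routes)
```
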



Re: AltDB?

2011-01-08 Thread Christopher Morrow
On Sat, Jan 8, 2011 at 2:58 PM, Abhijit Phanse abhi...@unitedlayer.com wrote:
 Could you please remove all @unitedlayer.com addresses from this
 distribution.

 Thanks in advance.

I think you mean to ask this of nanog-admin ... though honestly
@unitedlayer.com folks CAN request that themselves (with the
associated mailman data in the message headers)

-chris



arin and ops fora (was Re: AltDB?)

2011-01-08 Thread David Conrad
Lee,

On Jan 8, 2011, at 4:40 AM, Lee Howard wrote:
 I think that's a bit of what we've been trying to do with the Best Current 
 Operational Practices BoFs.  We need a place where operators can discuss and 
 document BCOPs.

While I think BCOPs (and BCOP BoFs) are a great idea, I guess the question is 
how can folks be assured that ARIN would follow a NANOG community-defined  BCOP 
relating directly to ARIN operations. For example, if the NANOG community were 
to (reasonably) say BCOP is to use IETF-defined standards for publishing and 
accessing resource registration data, I'd imagine ARIN might (reasonably) 
disagree and continue down the RWS path.

I suspect part of the issue is that ARIN is a monopoly provider of a variety 
of public services that folks unrelated (directly) to ARIN must make use of. In 
other areas of public service provision, there are things like public utilities 
commissions that  (in theory) ensure the monopoly service provider acts in the 
public benefit when services are added/changed/deleted.  My impression is that 
the various WGs and SIGs in the other RIRs perform something similar to that 
function.  There doesn't appear to be anything similar in the ARIN region.

Regards,
-drc




Re: AltDB?

2011-01-08 Thread Randy Bush
 Let me see if I've got this right -- you think ARIN should change their
 policies, but _you_ are not willing to put in any personal effort to make
 it happen, right?

i not put in personal effort?  you're kidding or really new here, right?

one underlying problem with the RIRs, ICANN, ...  is that once we form
these organizations, they start thinking like organizations, protect
themselves, look to budgets, look to liability,   welcome to real
life.  but these realistic organizational things sometimes actually have
conflict with the original goals.

randy



Re: arin and ops fora (was Re: AltDB?)

2011-01-08 Thread Randy Bush
 I suspect part of the issue is that ARIN is a monopoly provider of a
 variety of public services that folks unrelated (directly) to ARIN must
 make use of. In other areas of public service provision, there are
 things like public utilities commissions that (in theory) ensure the
 monopoly service provider acts in the public benefit when services are
 added/changed/deleted.  My impression is that the various WGs and SIGs
 in the other RIRs perform something similar to that function.  There
 doesn't appear to be anything similar in the ARIN region.

having worked closely with a number of other RIRs, sad to say that a lot
still goes on under the table [0].  hence my cspan analogy, shed some
light in the corners.  the community should be transparent before
wikileaks gets to us. :)

randy

--

[0] - an old sardonic comment of mine on ripe is that it is a bottom up
  organization, and daniel and rob are at the bottom.  and wear
  thick rubber/leather gloves when entering apnic.



Re: AltDB?

2011-01-08 Thread David Conrad
On Jan 8, 2011, at 7:39 AM, Robert Bonomi wrote:
 Let me see if I've got this right -- you think ARIN should change their
 policies,

Not policies. Operations. Or rather, how ARIN communicates and obtains buy-in 
from the operational community regarding operations that affect that community.

 but _you_ are not willing to put in any personal effort to make
 it happen, right?

Not to speak for Randy, but I believe he is suggesting the onus is on ARIN to 
engage the community their activities impact, rather than the community 
engaging ARIN.

 Can you think of any good reason why _any_ organization should care about
 the opinions of someone with that attitude?

Liability? Folks don't have an option regarding where they get some of the 
services.

An (imperfect) analogy: in the SF bay area, the monopoly provider of pipeline 
natural gas, PGE, appears to have made the operational decision to cut costs 
in inspecting high risk gas lines and not upgrade those pipelines (despite 
receiving permission from the CA PUC to bill ratepayers for the upgrade).  
Pragmatically speaking, the vast majority of folks affected by the operation of 
those pipelines most likely had no interest in making a personal effort to 
ensure PGE does what they say they'll do. In Sept 2009, one of those high risk 
pipelines exploded. I imagine PGE now cares a great deal about the folks who 
were affected as you can probably already hear the class action lawsuit lawyers 
revving their engines.

Regards,
-drc




Re: AltDB?

2011-01-08 Thread Jeff Wheeler
On Sat, Jan 8, 2011 at 2:47 PM, Christopher Morrow
morrowc.li...@gmail.com wrote:
 I don't think rr.arin.net and RPKI have anything to do with each
 other. I think the direction the RPKI should/is taking is to have the

I at least think that whatever future and time-table is planned for
RPKI, this should not stand in the way of ARIN offering an effective
authentication mechanism for the ARIN IRR.  FYI, the reply I received
from ARIN was that there are no plans to improve its authentication
capability.  I didn't ask why and don't really care why it has never
had anything more than MAIL-FROM in the past.  Either it should be
improved (IMO) or it shouldn't be.

I really do wonder what ARIN's plan is if a bad guy decides to forge
emails and delete or modify some or all of the objects.  Would they
just shut it down, improve authentication, or keep doing business as
usual?  I am always surprised that black hat folks do not do things
like this when faced with a damaging vulnerability that can easily be
exploited with no way to trace the activity back to the bad guy.

-- 
Jeff S Wheeler j...@inconcepts.biz
Sr Network Operator  /  Innovative Network Concepts



Re: AltDB?

2011-01-08 Thread Robert Bonomi

 Date: Sun, 09 Jan 2011 06:25:33 +0900
 From: Randy Bush ra...@psg.com
 Cc: nanog@nanog.org
 Subject: Re: AltDB?

  Let me see if I've got this right -- you think ARIN should change their
  policies, but _you_ are not willing to put in any personal effort to make
  it happen, right?

 i not put in personal effort?  you're kidding or really new here, right?

I used future tense, not past. 

Taking your prior language at face value, which you elided, it appears that
you have no intent of any future participation in ARIN processes.

Your subsequently revealed story regarding your thwarted attempt at a
_requested_ run for a BoT seat, provides some understanding for a 'why'
for that attitude.

I'll simply note that _if_ you do cease future participation in =their=
process, you _have_ 'let the bastards win'.





Re: AltDB?

2011-01-08 Thread Randy Bush
 Taking your prior language at face value, which you elided, it appears
 that you have no intent of any future participation in ARIN processes.

i am doing so right here and now.  you just don't like my choice of
forum and probably my message.  tough patooties.

randy



Re: AltDB?

2011-01-08 Thread Randy Bush
 I at least think that whatever future and time-table is planned for
 RPKI, this should not stand in the way of ARIN offering an effective
 authentication mechanism for the ARIN IRR.
 ...
 I really do wonder what ARIN's plan is if a bad guy decides to forge
 emails and delete or modify some or all of the objects.

my guess is do their best to try to see who has the right data.  as arin
seems to be driven by fud, policy wannabes, and lawyer(s), this might be
complex, slow, and expensive.  so it goes.

but, unlike the other regions, the arin.irr is not confuddled with the
arin.whois.  i.e. it is kind of irrelevant to the authority on resource
ownership, arin's real responsibility.

they are just providing a free irr service, as it is the popular thing
for rirs to do these years.  and i don't think many use it.  if you
don't like its weak authentication, then don't use it, there are plenty
of alternatives, e.g. see $subject.

i agree that running an irr instance with only mail-from is pretty lame.
and there is good free software out there to do it well if you do not
suffer from nih.

so i would advise putting it late in your peval() string.

randy, who runs an irr instance using irrd



Re: arin and ops fora (was Re: AltDB?)

2011-01-08 Thread Owen DeLong

On Jan 8, 2011, at 1:15 PM, David Conrad wrote:

 Lee,
 
 On Jan 8, 2011, at 4:40 AM, Lee Howard wrote:
 I think that's a bit of what we've been trying to do with the Best Current 
 Operational Practices BoFs.  We need a place where operators can discuss and 
 document BCOPs.
 
 While I think BCOPs (and BCOP BoFs) are a great idea, I guess the question is 
 how can folks be assured that ARIN would follow a NANOG community-defined  
 BCOP relating directly to ARIN operations. For example, if the NANOG 
 community were to (reasonably) say BCOP is to use IETF-defined standards for 
 publishing and accessing resource registration data, I'd imagine ARIN might 
 (reasonably) disagree and continue down the RWS path.
 
 I suspect part of the issue is that ARIN is a monopoly provider of a variety 
 of public services that folks unrelated (directly) to ARIN must make use of. In 
 other areas of public service provision, there are things like public 
 utilities commissions that  (in theory) ensure the monopoly service provider 
 acts in the public benefit when services are added/changed/deleted.  My 
 impression is that the various WGs and SIGs in the other RIRs perform 
 something similar to that function.  There doesn't appear to be anything 
 similar in the ARIN region.
 
 Regards,
 -drc
 

In ARIN, there are things like BoT elections and the BoT very much fulfills the 
role of the PUC as you describe above.

People can submit requests for operational changes to ARIN through the ACSP and 
in my experience they get a good review
and comment period by the community and the board listens to these things and 
responds appropriately. Especially if a
suggestion receives significant support, it tends to get implemented.

Owen




Re: AltDB?

2011-01-08 Thread Owen DeLong

On Jan 8, 2011, at 7:08 PM, Randy Bush wrote:

 Taking your prior language at face value, which you elided, it appears
 that you have no intent of any future participation in ARIN processes.
 
 i am doing so right here and now.  you just don't like my choice of
 forum and probably my message.  tough patooties.
 
 randy

Throwing rocks at a process in another organization's forum is not participating
in the process any more than standing before the Syrian Government and
criticizing the US congress would be participating in US politics.

Owen




Re: AltDB?

2011-01-07 Thread Paul Vixie
note that while i am also an ARIN trustee, i am speaking here as what randy
calls just another bozo on this bus.  for further background, ISC has done
some rpki work and everybody at ISC including me likes rpki just fine.  when
the ARIN board was first considering funding ISC to do some early rpki work,
went out into the hallway until the discussion was over (ending positively.)

On Jan 5, 2011, at 12:32 PM, Randy Bush wrote:
 i have a rumor that arin is delaying and possibly not doing rpki that
 seems to have been announced on the ppml list (to which i do not
 subscribe).  

john curran has explained that arin is doing its due diligence on some
concerns that were brought up during a review of the rpki rollout.  there
is no sense in which arin has said that it is not doing rpki although the
current review does technically qualify as delaying rpki.  i'm treating
the above rumour as false.

David Conrad d...@virtualized.org writes:
 I heard about the delay, but not about ARIN possibly not doing RPKI. That
 would be ... surprising.  [...]

it would be very much surprising to me as well.

[bush]
 as it has impact on routing, not address policy, across north america
 and, in fact the globe, one would think it would be announced and
 discussed a bit more openly and widely.

even if i thought that the operational impact could be felt in these early
days when rpki remains an almost completely nonproduction service, and i
don't think this by the way, i would still say that an internal review of
a new service is not really something the whole community cares about.

[conrad]
 The definition of what comes under the public policy mailing list
 umbrella has always been a bit confusing to me.  Too bad something like
 the APNIC SIGs and RIPE Working Groups don't really exist in the ARIN
 region.

do you have a specific proposal?  i've noted in the past that arin tries
hard to stick to its knitting, which is allocation and allocation policy.
it seems to me that if some in the community wanted arin to run SIGs or WGs
on things like routing policy arin could do it but that a lot of folks would
say that's mission creep and that it would be arin poaching on nanog lands.
-- 
Paul Vixie
Chairman and Chief Scientist, ISC
Trustee, ARIN



Re: AltDB?

2011-01-07 Thread Randy Bush
[ caveat: i am *one of* the architects of all this, and am paid to work
  on it, currently (indirectly) by the usg dhs. ]

for background, the other four rirs have rolled rpki out in the last
weeks, apnic and afrinic with the up/down protocol, ripe web only, and i
am not well informed about lacnic's roll out.  for the geeky, i append
the trust anchor locators for all but afrinic (i'll try to get that).

 even if i thought that the operational impact could be felt in these
 early days when rpki remains an almost completely nonproduction
 service, and i don't think this by the way, i would still say that an
 internal review of a new service is not really something the whole
 community cares about.

well yes and no.  it was important enough that (i have been told) john
announced it on major arin mailing list(s).  and, as we all know, when
info is not openly visible, it gets warped in transmission.  hence the
(i think you are saying) incorrect impression out here that the bot is
questioning rpki roll-out in general.

more recent rumors, and john's posting here, seem to indicate that

  o arin's lawyer, who actually seems to run arin, has created massive
fud about liability.

  o so arin management is seriously reconsidering a web-only roll-out
and seriously considering prioritizing being able to delegate the
authority to the large isps by implementing the up/down protocol
(draft-ietf-sidr-rescerts-provisioning-09.txt).  i am a big fan of
up/down.  i am not a big fan of delay.

first, it would really help if the arin bot and management were much
more open about these issues and decisions.  at the detailed level.  we
are all not fools out here, present company excepted :).  for a radical
example, considering that arin is managing a public resource for the
community, why are bot meetings not streamed a la cspan?

i do not see how you are going to get rid of the liability.  you have it
now in whois/irr if i use it for routing (except they are so widely known
to be bad data that the world knows i would be a fool to bet on them).
whether the source of a roa is a user whacking on an arin web page or by
other means, you still attested to the rights to that address space.

but all this is based on inference and rumor.  can you please be more
open and direct about this?  thanks.

randy

---

ripe-ncc-root.tal 
rsync://rpki.afrinic.net/repository/AfriNIC.cer
rsync://repository.lacnic.net/rpki/lacnic/RTA_LACNIC_RPKI.cer
rsync://rpki.ripe.net/ta/ripe-ncc-ta.cer



Re: AltDB?

2011-01-07 Thread David Conrad
Paul,

On Jan 7, 2011, at 7:33 PM, Paul Vixie wrote:
 The definition of what comes under the public policy mailing list
 umbrella has always been a bit confusing to me.  Too bad something like
 the APNIC SIGs and RIPE Working Groups don't really exist in the ARIN
 region.
 
 do you have a specific proposal? i've noted in the past that arin tries
 hard to stick to its knitting, which is allocation and allocation policy.

Yes. This is a positive (IMHO), however it seems that occasionally, ARIN's 
knitting tangles up folks who don't necessarily involve themselves with ARIN's 
existing interaction mechanisms (at least directly).

 it seems to me that if some in the community wanted arin to run SIGs or WGs
 on things like routing policy arin could do it but that a lot of folks would
 say that's mission creep and that it would be arin poaching on nanog lands.

The issue I see is that there are non-address allocation{, policy} topics that 
can deeply affect network operations in which ARIN has a direct role, yet 
network operators (outside of the normal ARIN participants) have no obvious 
mechanism in which to comment/discuss/etc.  Examples would include reverse DNS 
operations, whois database-related issues (operations, schema, access methods, 
etc.), (potentially?) RPKI, etc.  It doesn't seem appropriate to me for these 
to be discussed in relation to addressing policy nor are the issues associated 
with those examples necessarily related to address allocation, hence I wouldn't 
think they'd be fodder for ppml.

In the other regions, the RIRs host the discussions (e.g., for reverse 
DNS-related discussions there is dns-wg in RIPE and dns-sig in APNIC, not sure 
if there are similar constructs in LACNIC or AfriNIC) and the RIR staff 
provides input but (as far as I know) do not direct results.  Since the 
(non-ARIN) RIRs typically perform some action based on input from these hosted 
discussions (or explain to the community why they can't/won't), this works 
reasonably well. In the ARIN region, for reasons that you mention among others, 
I'm unclear whether there is sufficient trust (on both sides, ARIN or the 
ARIN-region network operations community) for ARIN to do something similar 
(note I'm not saying there isn't trust, just that I'm not sure that there is).  
One alternative (which I suggest being blissfully ignorant of either politics 
or establishment mechanisms in NANOG) would be for some sort of joint 
ARIN/NANOG interest group (or whatever) for areas that impact ARIN and 
network operators in which folks have interest such as routing policy/security, 
dns operations, registration data representation/access, etc.

So, in other words, no, I don't really have a specific proposal.

Regards,
-drc




Re: ARIN and the RPKI (was Re: AltDB?)

2011-01-06 Thread Kevin Oberman
 Date: Thu, 06 Jan 2011 14:24:01 +0900
 From: Randy Bush ra...@psg.com
 
  I think ACLs here means prefix-lists ... or I hope that's what Randy
  meant?
 
 sorry.  yes, irr based prefix lists.  and, sad to say, data which have
 sucked for 15+ years.  i was the poster child for the irr, and it just
 never took off.
 
 [ irr data are pretty bad except for some islands where there is culture
   of maintaining them.  and, as it is a global internet, islands don't
   help much.  europe and japan are two islands with better than the
   average irr data quality.  and they have rpki rolling to varied
   degrees. ]

The day of reasonable accuracy of the IRR ended when UUnet bought
ANI. Since ANI actually used the IRR to generate their router configs
and ANI was pretty big, people were really forced to register. Curtis
had a lot of excellent software that did all sorts of impressive stuff
with the IRR, but I guess that all went into the bit bucket when UUnet
took over.

Very, very sad!
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net  Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751



Re: ARIN and the RPKI (was Re: AltDB?)

2011-01-06 Thread Christopher Morrow
On Thu, Jan 6, 2011 at 2:03 PM, Kevin Oberman ober...@es.net wrote:
 Date: Thu, 06 Jan 2011 14:24:01 +0900
 From: Randy Bush ra...@psg.com

  I think ACLs here means prefix-lists ... or I hope that's what Randy
  meant?

 sorry.  yes, irr based prefix lists.  and, sad to say, data which have
 sucked for 15+ years.  i was the poster child for the irr, and it just
 never took off.

 [ irr data are pretty bad except for some islands where there is culture
   of maintaining them.  and, as it is a global internet, islands don't
   help much.  europe and japan are two islands with better than the
   average irr data quality.  and they have rpki rolling to varied
   degrees. ]

 The day of reasonable accuracy of the IRR ended when UUnet bought
 ANI. Since ANI actually used the IRR to generate their router configs

s/NI/NS/g

 and ANI was pretty big, people were really forced to register. Curtis

s/NI/NS/

 had a lot of excellent software that did all sorts of impressive stuff
 with the IRR, but I guess that all went into the bit bucket when UUnet
 took over.

we did require you to email nacr-list@ :) that didn't help?

All sed jokes aside, would having attestations that the route you see
is part of a block assigned by IANA to ARIN and from ARIN to UUNET and
from UUNET to JoesCrabShuckers make sense to you? (and to your router
policy provided the router policy engine and code worked)

The efficacy of the IRR isn't at question, the ability to assure with
some level of reasonableness that the thing you see (and eventually
it's path to get to you) is valid is what the RPKI system is
building toward.

-Chris

 Very, very sad!

(tears were shed)

 --
 R. Kevin Oberman, Network Engineer
 Energy Sciences Network (ESnet)
 Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
 E-mail: ober...@es.net                  Phone: +1 510 486-8634
 Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751




Re: ARIN and the RPKI (was Re: AltDB?)

2011-01-06 Thread Randy Bush
 had a lot of excellent software that did all sorts of impressive stuff
 with the IRR, but I guess that all went into the bit bucket when UUnet
 took over.
 we did require you to email nacr-list@ :) that didn't help?

and he processed on wednesday, not exactly optimal for ops.

if we are listing those who gave good blood for the irr, joe lawrence
and roy alcala, of mci and later level(3), would be at the top of my
list.

randy



Re: AltDB?

2011-01-05 Thread Jon Lewis

[moved to nanog as it seems a far more appropriate forum than cisco-nsp]
On Wed, 5 Jan 2011, Jose Madrid wrote:


Anyone here use AltDB? It seems their servers have been down for two days.
I have emailed their admin alias but have gotten nothing.  Anyone?

whois -h whois.altdb.net 199.48.252.0
[Querying whois.altdb.net]
[Unable to connect to remote host]


Can anyone from Level3 say how this will impact customer BGP filters. 
Will L3 keep working with the last data sync they got from altdb?  I'm 
guessing if whatever the problem is with altdb isn't fixed soon, those who 
use it as their IRR will need to re-publish all their objects in another 
IRR DB and have any transit providers who build filters based on IRR data 
update their profiles to use object data from the IRR DB to which they 
moved their records.


I'd been thinking about moving from altdb to ARIN's but hadn't had 
sufficient motivation.


www.altdb.net is reachable, but the whois server is not.  Even altdb 
queries run from http://www.altdb.net/ fail.


--
 Jon Lewis, MCP :)   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: AltDB?

2011-01-05 Thread Jeff Wheeler
On Wed, Jan 5, 2011 at 11:26 AM, Jon Lewis jle...@lewis.org wrote:
>> Anyone here use AltDB? It seems their servers have been down for two days.
> Can anyone from Level3 say how this will impact customer BGP filters. Will
> L3 keep working with the last data sync they got from altdb?  I'm guessing

Since Level3 updates their prefix-lists at least daily, and integrates
new ALTDB updates at least daily, and the ALTDB has been down for over
a day, obviously it will not affect your Level3 prefix-lists in the
near-term.  If Level3 decided to stop honoring ALTDB objects, say,
because ALTDB was never fixed, I imagine you would find it necessary
to re-publish your objects or Level3 would stop honoring your routes.

> I'd been thinking about moving from altdb to ARIN's but hadn't had
> sufficient motivation.

I emailed ARIN yesterday to ask if their IRR database has any
authentication support (other than mail-from) yet.  I haven't seen any
reply from ARIN yet, but my guess is they still have no useful
authentication mechanism.  I would rather depend on an IRR database
that can't process updates for a few days per year, than use one where
a malicious party could alter or erase all of my objects at any time.
I would like to note that RADB had route6: support in about 2004 or
so, if my memory serves me; while the ARIN database did not accept
route6 objects until about a year ago.  So it is not exactly a high
priority for ARIN.

Note also that Level3 has an IRR database, so you could use theirs if
you want to.  I don't prefer to use a transit provider database if I
can use a neutral one, but sometimes I would rather not pay the
(entirely reasonable) fee for the MERIT RADB.

-- 
Jeff S Wheeler j...@inconcepts.biz
Sr Network Operator  /  Innovative Network Concepts



Re: AltDB?

2011-01-05 Thread Craig Pierantozzi
On Jan 5, 2011, at 9:26 AM, Jon Lewis wrote:

[snip]

> Can anyone from Level3 say how this will impact customer BGP filters. Will L3
> keep working with the last data sync they got from altdb?

Yes, Level 3 will continue to use the last data mirrored and archived. New 
filters are not pushed daily, they are only pushed when things change.

Archives are here in case people want to know what the latest was: 
ftp://rr.level3.net/pub/rr/archive.mirror-data/

regards





Re: AltDB?

2011-01-05 Thread Jay Coley
On 05/01/2011 17:09, Craig Pierantozzi wrote:
> On Jan 5, 2011, at 9:26 AM, Jon Lewis wrote:
>
> [snip]
>
>> Can anyone from Level3 say how this will impact customer BGP filters. Will
>> L3 keep working with the last data sync they got from altdb?
>
> Yes, Level 3 will continue to use the last data mirrored and archived. New
> filters are not pushed daily, they are only pushed when things change.
>
> Archives are here in case people want to know what the latest was:
> ftp://rr.level3.net/pub/rr/archive.mirror-data/
>
> regards

So has anyone had any contact from ALTDB as to what's going on?

Thanks!
--J




RE: AltDB?

2011-01-05 Thread Randy Epstein
> So has anyone had any contact from ALTDB as to what's going on?
>
> Thanks!
> --J

I just got off the phone with Steve Rubin.  He restarted it 45 minutes ago
and it's back up.

Regards,

Randy





Re: AltDB?

2011-01-05 Thread Joe Abley

On 2011-01-05, at 12:31, Jared Mauch wrote:

> 2) If you DEPEND on something for your business, it may just be worth it to:
>  a) pay RADB who operates professionally
>  b) use your ISP provided IRR (eg: NTT, level3, savvis, etc)

I generally recommend that people use the RIPE database, regardless of 
location. The main reason for that used to be that they supported IPv6 policy 
attributes before anybody else did, but that's quite possibly no longer a 
useful discriminator.

If you ever have ambitions to announce a route to a peer in Europe, having 
objects in the RIPE db can also help avoid annoyance.


Joe




Re: AltDB?

2011-01-05 Thread Randy Bush
> 1) If ARIN doesn't provide the level of authentication you desire, as
> an ARIN member you should send a note to ppml each day until it's
> available

this is not address policy.  this is ops.  surely one does not have to
dirty one's self with the ppml list to get an ops fix done in arin.  it
is not address policy.

i have a rumor that arin is delaying and possibly not doing rpki that
seems to have been announced on the ppml list (to which i do not
subscribe).  as it has impact on routing, not address policy, across
north america and, in fact the globe, one would think it would be
announced and discussed a bit more openly and widely.

randy



ARIN and the RPKI (was Re: AltDB?)

2011-01-05 Thread Christopher Morrow
Sorry for the subject change, it seems now we're talking about
something perhaps more relevant to me (security and routing stuff)

On Wed, Jan 5, 2011 at 5:32 PM, Randy Bush ra...@psg.com wrote:
> i have a rumor that arin is delaying and possibly not doing rpki that
> seems to have been announced on the ppml list (to which i do not

I have heard this as well ... the message in the archive is:
(arin-announce actually, not ppml)
http://lists.arin.net/pipermail/arin-announce/2010-December/001107.html

Essentially the note says that Kosters  crew are delaying until
Q2-2011 the deployment of RPKI services (nebulous 'other features need
to be implemented due to security concerns' is the stated reason)

> subscribe).  as it has impact on routing, not address policy, across
> north america and, in fact the globe, one would think it would be
> announced and discussed a bit more openly and widely.

I agree... so, what is the RPKI for and why should ops/security folks
care? (and should we care enough to poke our local ARIN constabulary
in the eye with a sharp stick?)

I'm of the belief that if we (ops/security folks) feel the need to
have a more secure routing infrastructure so we can hope to avoid
incidents like: (quick examples, there are many others like these)
  o AS7007 full-table re-announce + re-originate
  o ConEdison hijack + re-originate
  o Pakistan/YT hijack + re-originate
  o Pilosov/Kapela hijacks/manipulations
  o Christmas TurkTelecom leak/hijack
  o PRC network leakages/hijacks/etc of April 2010

(Note: let's not debate if the above incidents are one/the-other
hijack/mistake/etc, the simple fact is traffic was diverted and some
better filtering/control would have avoided these failures in our
system)

We need at least these things to exist:
  o an accurate mapping of resource (netblock/asn) to
    authorized-entity (RIR/NIR/LIR/Customer/...)
  o a system to manage this data for our routing equipment
  o protocol enhancements that can be used to help propagate the
    mapping information or at the least help a router programmatically
    understand if a resource is being used by the authorized entity
  o routing software that can digest the enhanced data
  o routing hardware that won't crumple under the weight of (what
    seems like) heavier weight routing protocol requirements

I believe the linchpin in this is the accurate mapping of resources
to authorized users, I believe that is supposed to be the RPKI system.
I believe that the RPKI will tell me, an end-operator, that 63.0.0.0/9
was handed from IANA to ARIN to UUNET/VerizonBusiness and that this is
being properly announced with an Origin-AS of 701. Having the service
run by these organizations seems reasonable to me... IANA signs down
to the RIR (ARIN in my example) and ARIN signs to VZB who can choose
to sign down to their customers if necessary.

Today there is a very loose, in all regions not just ARIN's,
association with lots of cruft and inaccuracies. The RPKI, operated by
RIR's, would provide some solid linkage and authority between
resources and owners, it should help to enforce cruft management as
well as provide mechanical (and relatively simple) management of the
data and associated filtering/etc on devices.

There is, of course, some risk with this model and we should take the
time to accept/discuss that as well.
Danny has had lots of good input on this topic, I'd hope that other
folks who've been through longer term ops battles with filtering
(jared, shane, charles gucker, rs, ras, ...) and the like can take
some time to think about this problem. I'd love it if we could have
some reasoned discussion here as well. Finally, everyone should go
poke their ARIN corporate representative(s) (or email the BoT or AC
folks directly even?) with their thoughts on whether or not the RPKI
system and Routing Security are important items for ARIN (as one RIR)
to pursue for the health of the Internet and Ops Sanity.

The BoT folks are listed at:
  https://www.arin.net/about_us/bot.html
  (with email addresses even!)
The AC folks are listed at:
  https://www.arin.net/about_us/ac.html

-Chris
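
Added example, not part of the original message or thread: a minimal Python sketch of the resource-to-origin check described above, following the origin-validation rules later standardized in RFC 6811. The 63.0.0.0/9 and AS 701 pair comes from the message; the maxLength values, the documentation prefixes and ASNs, and the reject-only-invalid policy are assumptions made for illustration.

```python
import ipaddress
from typing import List, NamedTuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class VRP(NamedTuple):
    """One validated ROA payload: prefix, longest allowed announcement, authorized origin AS."""
    prefix: Network
    max_length: int
    origin_as: int


def vrp(prefix: str, max_length: int, origin_as: int) -> VRP:
    return VRP(ipaddress.ip_network(prefix), max_length, origin_as)


# Constructed sample data. 63.0.0.0/9 and AS 701 come from the message above;
# the maxLength values and the documentation prefixes/ASNs are assumptions.
SAMPLE_VRPS = [
    vrp("63.0.0.0/9", 9, 701),
    vrp("203.0.113.0/24", 25, 64501),  # allows the /24 and its two /25s
    vrp("192.0.2.0/24", 24, 0),        # AS 0: this prefix must not be routed
    vrp("2001:db8::/32", 48, 64501),
]


def validate_origin(route_prefix: str, origin_as: int, vrps: List[VRP]) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for v in vrps:
        # A VRP covers the route when the route is equal to or more specific than it.
        if v.prefix.version != route.version or not route.subnet_of(v.prefix):
            continue
        covered = True
        # AS 0 never matches; otherwise origin and prefix length must both fit.
        if v.origin_as != 0 and v.origin_as == origin_as and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def build_filter(announcements, vrps):
    """Return (accepted, rejected); in this example only 'invalid' routes are rejected."""
    accepted, rejected = [], []
    for prefix, origin in announcements:
        state = validate_origin(prefix, origin, vrps)
        (rejected if state == "invalid" else accepted).append((prefix, origin, state))
    return accepted, rejected


# Constructed announcements as (prefix, origin AS) pairs.
SAMPLE_ROUTES = [
    ("63.0.0.0/9", 701),          # matches the VRP exactly
    ("63.64.0.0/16", 701),        # right origin, but more specific than maxLength
    ("63.0.0.0/9", 64511),        # covered prefix, wrong origin
    ("203.0.113.128/25", 64501),  # within maxLength 25
    ("192.0.2.0/24", 64500),      # covered only by an AS 0 VRP
    ("198.51.100.0/24", 64502),   # no covering VRP at all
    ("2001:db8:1::/48", 64501),   # IPv6, within maxLength 48
]

if __name__ == "__main__":
    for prefix, origin in SAMPLE_ROUTES:
        print(f"{prefix:<20} AS{origin:<6} {validate_origin(prefix, origin, SAMPLE_VRPS)}")
```

The "not-found" state is what lets partial deployment work: routes for address space with no published ROA are still accepted, while a re-originated covered prefix or an unauthorized more-specific is rejected.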



Re: ARIN and the RPKI (was Re: AltDB?)

2011-01-05 Thread Randy Bush
> We need at least these things to exist:
>   o an accurate mapping of resource (netblock/asn) to
>     authorized-entity (RIR/NIR/LIR/Customer/...)
>   o a system to manage this data for our routing equipment

see all the sidr documents in last call to go from i-ds to rfcs.  oh,
you co-chair sidr :)

>   o protocol enhancements that can be used to help propagate the
>     mapping information or at the least help a router programmatically
>     understand if a resource is being used by the authorized entity

see draft-ietf-sidr-rpki-rtr-07

>   o routing software that can digest the enhanced data

in test.  rumors of going normal release from at least one vendor in q2

>   o routing hardware that won't crumple under the weight of (what
>     seems like) heavier weight routing protocol requirements

actually, the formal rpki-based origin-validation stuff is measured to
take *less* cpu, a lot less, than ACLs

> There is, of course, some risk with this model and we should take the
> time to accept/discuss that as well.

some guidance toward ameliorating the risks are in
draft-ietf-sidr-rpki-origin-ops-00.txt.

input from ops into all this stuff would be most welcome.

randy



Re: ARIN and the RPKI (was Re: AltDB?)

2011-01-05 Thread Christopher Morrow
On Wed, Jan 5, 2011 at 11:16 PM, Randy Bush ra...@psg.com wrote:
>> We need at least these things to exist:
>>   o an accurate mapping of resource (netblock/asn) to
>>     authorized-entity (RIR/NIR/LIR/Customer/...)
>>   o a system to manage this data for our routing equipment
>
> see all the sidr documents in last call to go from i-ds to rfcs.  oh,
> you co-chair sidr :)

yes, sorry I should have been more open ... i do co-chair (with sandy
murphy) the sidr-wg at the IETF.

>>   o protocol enhancements that can be used to help propagate the
>>     mapping information or at the least help a router programmatically
>>     understand if a resource is being used by the authorized entity
>
> see draft-ietf-sidr-rpki-rtr-07
>
>>   o routing software that can digest the enhanced data
>
> in test.  rumors of going normal release from at least one vendor in q2
>
>>   o routing hardware that won't crumple under the weight of (what
>>     seems like) heavier weight routing protocol requirements
>
> actually, the formal rpki-based origin-validation stuff is measured to
> take *less* cpu, a lot less, than ACLs

CPU + RAM both parts of the vector matter. (but you knew this)
Some of the interesting data would, I think, be good for ops folks to
see more openly, things that may actually affect their purchasing and
design decisions even! Danny's had some good presentation material
about changes in spec/implementations that have altered drastically
the update load on devices in actual networks.

>> There is, of course, some risk with this model and we should take the
>> time to accept/discuss that as well.
>
> some guidance toward ameliorating the risks are in
> draft-ietf-sidr-rpki-origin-ops-00.txt.
>
> input from ops into all this stuff would be most welcome.

yes (as the co-chair)
yes (as the OP... more input/thought/discussion)

and looking at the:
  https://www.arin.net/about_us/bot/index.html
it looks like the BoT is due to have a meeting either this week or
next? (they seem to always have one in the first week or two of the
year?) so again speak up here AND perhaps send a note the BoT or your
ARIN Rep's way now.

-Chris



Re: ARIN and the RPKI (was Re: AltDB?)

2011-01-05 Thread Dobbins, Roland

On Jan 6, 2011, at 11:16 AM, Randy Bush wrote:

> actually, the formal rpki-based origin-validation stuff is measured to take
> *less* cpu, a lot less, than ACLs

On the platforms which really matter in terms of rPKI, ACLs are handled in 
hardware, so this is pretty much a wash. 

Concur on all the other points, however.


Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Most software today is very much like an Egyptian pyramid, with millions
of bricks piled on top of each other, with no structural integrity, but
just done by brute force and thousands of slaves.

  -- Alan Kay




Re: ARIN and the RPKI (was Re: AltDB?)

2011-01-05 Thread Christopher Morrow
On Wed, Jan 5, 2011 at 11:30 PM, Dobbins, Roland rdobb...@arbor.net wrote:

> On Jan 6, 2011, at 11:16 AM, Randy Bush wrote:
>
>> actually, the formal rpki-based origin-validation stuff is measured to take
>> *less* cpu, a lot less, than ACLs
>
> On the platforms which really matter in terms of rPKI, ACLs are handled in
> hardware, so this is pretty much a wash.

I think ACLs here means prefix-lists ... or I hope that's what Randy
meant? (prefix-lists are still, I believe, handled in the router CPU,
and the normal router OS not in hardware)

> Concur on all the other points, however.

cool, thanks!
-chris

> Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
>
> Most software today is very much like an Egyptian pyramid, with millions
> of bricks piled on top of each other, with no structural integrity, but
> just done by brute force and thousands of slaves.
>
>   -- Alan Kay






Re: ARIN and the RPKI (was Re: AltDB?)

2011-01-05 Thread Randy Bush
>> actually, the formal rpki-based origin-validation stuff is measured
>> to take *less* cpu, a lot less, than ACLs
> On the platforms which really matter in terms of rPKI, ACLs are
> handled in hardware, so this is pretty much a wash.

really?  it was measured on a GSR.  full check on a prefix, 10usec.
that's microseconds.

as chris pointed out, though, one pays for having the data in the trie,
i.e. in ram.  but not a lot.

randy



Re: ARIN and the RPKI (was Re: AltDB?)

2011-01-05 Thread Randy Bush
> I think ACLs here means prefix-lists ... or I hope that's what Randy
> meant?

sorry.  yes, irr based prefix lists.  and, sad to say, data which have
sucked for 15+ years.  i was the poster child for the irr, and it just
never took off.

[ irr data are pretty bad except for some islands where there is culture
  of maintaining them.  and, as it is a global internet, islands don't
  help much.  europe and japan are two islands with better than the
  average irr data quality.  and they have rpki rolling to varied
  degrees. ]

randy



Re: AltDB?

2011-01-05 Thread David Conrad
On Jan 5, 2011, at 12:32 PM, Randy Bush wrote:
> i have a rumor that arin is delaying and possibly not doing rpki that
> seems to have been announced on the ppml list (to which i do not
> subscribe).

I heard about the delay, but not about ARIN possibly not doing RPKI. That would 
be ... surprising.  While I have always had some questions regarding the 
political (not technical) feasibility of actually deploying secure routing 
based on the top-down hierarchical model assumed by RPKI, it seems obvious to 
me that there needs to be a better way to authenticate allocation data other 
than querying a whois server.  RPKI will (would have?) provided this and the 
actual deployment of RPKI would allow the ops community to gain experience with 
the technology.

> as it has impact on routing, not address policy, across
> north america and, in fact the globe, one would think it would be
> announced and discussed a bit more openly and widely.


The definition of what comes under the public policy mailing list umbrella 
has always been a bit confusing to me.  Too bad something like the APNIC SIGs 
and RIPE Working Groups don't really exist in the ARIN region.

Regards,
-drc




Re: AltDB?

2011-01-05 Thread Christopher Morrow
On Thu, Jan 6, 2011 at 1:21 AM, David Conrad d...@virtualized.org wrote:
> On Jan 5, 2011, at 12:32 PM, Randy Bush wrote:
>> i have a rumor that arin is delaying and possibly not doing rpki that
>> seems to have been announced on the ppml list (to which i do not
>> subscribe).
>
> I heard about the delay, but not about ARIN possibly not doing RPKI. That
> would be ... surprising.  While I have always had some questions regarding
> the political (not technical) feasibility of actually deploying secure
> routing based on the top-down hierarchical model assumed by RPKI, it seems
> obvious to me that there needs to be a better way to authenticate allocation
> data other than querying a whois server.  RPKI will (would have?) provided
> this and the actual deployment of RPKI would allow the ops community to gain
> experience with the technology.

pls express this to your local BoT or AC or ARIN Rep... see the other thread.

thanks!
-Chris



Re: AltDB?

2011-01-05 Thread Randy Bush
> I heard about the delay, but not about ARIN possibly not doing RPKI.

there are arin board members, one in particular i am told, that do not
like the rpki.  including side contracts to turn the irr pig's ear into
a silk purse.

randy



Re: AltDB?

2011-01-05 Thread David Conrad
On Jan 5, 2011, at 8:43 PM, Christopher Morrow wrote:
> pls express this to your local BoT or AC or ARIN Rep... see the other thread.

As I am not an ARIN member nor do I have any ARIN-delegated resources, it isn't 
clear to me who my local BoT/AC/ARIN Rep might be.  However, as I'm aware some 
of the folks you mention are on NANOG, I suspect they might have seen my 
comment (FWIW).

Regards,
-drc




Re: ALTDB Problems

2009-10-28 Thread christian koch
On Tue, Oct 27, 2009 at 11:21 AM, Steve Rubin s...@tch.org wrote:


> ALTDB is free and you get what you pay for.
>
> However.  Donations to http://www.nanog.org/scholarships/abha.php would
> probably get requests done a lot faster.
>
> --
> Steve Rubin/ AE6CH   /   http://www.altdb.net/
> Email: s...@tch.org  /  N6441C  /   http://www.tch.org/~ser/


so, each time someone wants to update they need to donate to make sure it
gets processed in a timely matter?

or do you track who donates and give priority to their updates?

don't get me wrong - it's a great cause, and people should donate if they can

if the project is short of volunteers - i'm sure there are people in the
community who would not mind helping out


-ck


Re: ALTDB Problems

2009-10-28 Thread Steve Rubin


On Oct 28, 2009, at 3:53 PM, christian koch wrote:

> On Tue, Oct 27, 2009 at 11:21 AM, Steve Rubin s...@tch.org wrote:
>
>> ALTDB is free and you get what you pay for.
>>
>> However.  Donations to http://www.nanog.org/scholarships/abha.php
>> would probably get requests done a lot faster.
>>
>> --
>> Steve Rubin/ AE6CH   /   http://www.altdb.net/
>> Email: s...@tch.org  /  N6441C  /   http://www.tch.org/~ser/
>
> so, each time someone wants to update they need to donate to make
> sure it gets processed in a timely matter?
>
> or do you track who donates and give priority to their updates?
>
> don't get me wrong - it's a great cause, and people should donate if
> they can
>
> if the project is short of volunteers - i'm sure there are people in
> the community who would not mind helping out
>
> -ck





No, every update does not require a donation.  In fact, very little of  
what goes on on the database requires my intervention at all.
Only new maintainers and a few other bits of administrivia require  
that.  Right now I am very busy and do not have time to deal with  
things at the speed required by some people.   As I have always said,  
if you require immediate support I recommend the very fine RADB  
service run by Merit.



--
Steve Rubin/ AE6CH   /   http://www.altdb.net/
Email: s...@tch.org  /  N6441C  /   http://www.tch.org/~ser/




