Re: AltDB? (IRR support direction at ARIN)
On Sun, 9 Jan 2011, Charles N Wyble wrote:

> I am simply suggesting it is dangerous and irresponsible to run an IRR with only MAIL-FROM authentication, and quite easy to also support CRYPT-PW. ARIN should either support passwords or immediately make

The trouble is, since the DES crypt passwords are publicly accessible, even CRYPT-PW is not much security. I suspect with a copy of the db, a password cracking program, and some modest computing capacity, you could crack all the passwords in ALTDB before this thread dies.

I've been trying to convert from CRYPT-PW to PGPKEY auth, but I don't seem to be having much luck getting that working. I've put a key-cert (PGPKEY-7ABEC6A3) into altdb, and changed our mntner to permit either CRYPT-PW or PGPKEY-7ABEC6A3 for auth. But PGP signed update requests result in

#ERROR: Authorization failure.

I'm not sure why I'm getting this auth failure, i.e.:

Something wrong with the formatting of my submissions?
Something wrong with my key-cert?
The certif: from my key-cert wasn't automatically imported into the auto-dbm keyring?

I'm assuming I can take a RPSL format submission, save it to a file, use GPG to clearsign it, and put the result in the body of an email to auto-dbm.

It's also possible altdb doesn't actually have working PGP support. Looking at the database dump I downloaded the other day, only one mntner uses PGP as their sole auth method...and that mntner hasn't made changes to any objects since the last change to their mntner...so it could be they changed to PGP auth, never got it working, and abandoned altdb.

I was afraid of losing control of my mntner if there were issues with PGP, so I figured I'd add PGP as an auth method, test it, and then after seeing it work, remove CRYPT-PW.

--
 Jon Lewis, MCP :)       | I route
 Senior Network Engineer | therefore you are
 Atlantic Net            |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: AltDB? (IRR support direction at ARIN)
On Mon, Jan 10, 2011 at 12:37 PM, Jon Lewis jle...@lewis.org wrote:

> On Sun, 9 Jan 2011, Charles N Wyble wrote:
>
>> I am simply suggesting it is dangerous and irresponsible to run an IRR with only MAIL-FROM authentication, and quite easy to also support CRYPT-PW. ARIN should either support passwords or immediately make
>
> The trouble is, since the DES crypt passwords are publicly accessible, even CRYPT-PW is not much security. I suspect with a copy of the db, a password cracking program, and some modest computing capacity, you could crack all

DES crypt() is not completely trivial yet, but I agree, it is far from state-of-the-art. It is substantially superior to MAIL-FROM.

In addition, MERIT reduced this problem by simply filtering out the hashes from the RADB.db file and whois output (and presumably also, the www.radb.net tools.)

--
Jeff S Wheeler j...@inconcepts.biz
Sr Network Operator / Innovative Network Concepts
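Added example (not code from the thread or from any IRR software): a sketch of two points made in the two messages above, that a mntner permitting several auth: methods is only as protected as the weakest one it lists, and that password hashes can be filtered out of a published dump as MERIT does for RADB. The sample dump, maintainer names, key IDs, hash placeholder and the FILTERED marker are all constructed for illustration.

```python
import re

# Constructed sample dump (not real registry data); the hash is a placeholder.
SAMPLE_DUMP = """\
mntner:  MAINT-EXAMPLE-A
auth:    MAIL-FROM noc@example.net
source:  EXAMPLEDB

mntner:  MAINT-EXAMPLE-B
auth:    CRYPT-PW xxPLACEHOLDER
auth:    PGPKEY-0123ABCD
source:  EXAMPLEDB

mntner:  MAINT-EXAMPLE-C
auth:    PGPKEY-89ABCDEF
source:  EXAMPLEDB

route:   192.0.2.0/24
origin:  AS64500
mnt-by:  MAINT-EXAMPLE-C
source:  EXAMPLEDB
"""

# Lower rank = weaker; schemes not listed here are ranked weakest (0).
STRENGTH = {"MAIL-FROM": 0, "CRYPT-PW": 1, "MD5-PW": 2, "PGPKEY": 3}
HASH_RE = re.compile(r"^(auth:[ \t]*)(CRYPT-PW|MD5-PW)[ \t]+\S+", re.I | re.M)

def scheme_of(value):
    """'PGPKEY-0123ABCD' -> 'PGPKEY'; 'CRYPT-PW <hash>' -> 'CRYPT-PW'."""
    token = value.split()[0].upper()
    return "PGPKEY" if token.startswith("PGPKEY-") else token

def audit_mntners(dump):
    """Return {mntner: (schemes, weakest)}; any one auth: line authorizes an update."""
    report = {}
    for block in re.split(r"\n[ \t]*\n", dump.strip()):
        attrs = [tuple(p.strip() for p in l.split(":", 1))
                 for l in block.splitlines() if ":" in l and not l[0].isspace()]
        if not attrs or attrs[0][0].lower() != "mntner":
            continue  # only mntner objects carry auth: attributes
        schemes = {scheme_of(v) for k, v in attrs if k.lower() == "auth" and v}
        weakest = min(schemes, key=lambda s: STRENGTH.get(s, 0), default="NONE")
        report[attrs[0][1]] = (sorted(schemes), weakest)
    return report

def redact_hashes(dump, marker="FILTERED"):
    """Replace password hashes in auth: lines before publishing a dump."""
    return HASH_RE.sub(lambda m: m.group(1) + m.group(2).upper() + " " + marker, dump)
```

In the sample, MAINT-EXAMPLE-B is rated CRYPT-PW even though it also lists a PGP key, which is the state a maintainer is in while testing PGPKEY before removing CRYPT-PW.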
Re: AltDB? (IRR support direction at ARIN)
On Jan 5, 2011, at 12:07 PM, Jeff Wheeler wrote:

> I would like to note that RADB had route6: support in about 2004 or so, if my memory serves me; while the ARIN database did not accept route6 objects until about a year ago. So it is not exactly a high priority for ARIN.

The priority of IRR at ARIN is based on community feedback and direction. There is no particular reason for ARIN to focus on ongoing IRR enhancements, if the community isn't asking for such.

ARIN needs to stay focused on its mission, and prioritize all work accordingly. There has not been a clear consensus from the community one way or the other about enhancing the IRR services as part of that mission, nor on deeming it to be outside of the mission and phasing out the services. This makes it somewhat challenging for the Board and staff to discern the right approach, and leaves us simply maintaining the status quo for these services.

Should IRR services be part of the ARIN mission? ARIN-discuss would be a great mailing list on which to discuss this topic, or (along the lines of Randy's earlier comments) on this NANOG list, if the mailing list folks consider it to be on topic.

/John

John Curran
President and CEO
ARIN
Re: AltDB? (IRR support direction at ARIN)
On Sun, 9 Jan 2011, John Curran wrote:

> Should IRR services be part of the ARIN mission?

If that's a serious question, why does rr.arin.net exist at all?

--
 Jon Lewis, MCP :)       | I route
 Senior Network Engineer | therefore you are
 Atlantic Net            |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: AltDB? (IRR support direction at ARIN)
On Jan 9, 2011, at 3:02 PM, Jon Lewis wrote:

>> Should IRR services be part of the ARIN mission?
>
> If that's a serious question, why does rr.arin.net exist at all?

Jon - Existence is not in and of itself proof that the services are presently desired by the community, nor that there are benefits in having them provided by ARIN.

For example, one can argue that it is desirable for ARIN to provide IRR services in the case where allocation policy had dependencies into the state of the IRR; this is not the case in the ARIN region. Another reason for ARIN to offer services is if it can do so in a manner that would significantly improve their quality (one might argue such about resource certification via RPKI, but that's not as obvious for a routing registry).

At the end of the day, we want ARIN to be providing quality services around the registration of Internet number resources; these services need to be valued by the community and provided cost-effectively.

Do you:
1) want IRR services, and if so, with what features?
2) believe IRR services should be provided by ARIN?

Getting input from the community on this will significantly help the ARIN staff make informed recommendations to the ARIN Board regarding how to best proceed. I'd also welcome private email with these thoughts if that's your preference.

Thanks!
/John

John Curran
President and CEO
ARIN
Re: AltDB? (IRR support direction at ARIN)
> Do you:
> 1) want IRR services, and if so, with what features?
> 2) believe IRR services should be provided by ARIN?

the irr is slightly useful today. so, iff it is cheap and easy, arin providing an open and free instance is a public good. again, iff it is easy and cheap.

and please do not waste time trying to 'fix' the irr, sad to say it's trying to make a silk purse out of a sow's ear.

and thanks for asking.

randy
Re: AltDB? (IRR support direction at ARIN)
On Sun, Jan 9, 2011 at 6:27 PM, Randy Bush ra...@psg.com wrote:

>> Do you:
>> 1) want IRR services, and if so, with what features?
>> 2) believe IRR services should be provided by ARIN?
>
> the irr is slightly useful today. so, iff it is cheap and easy, arin providing an open and free instance is a public good. again, iff it is easy and cheap.
>
> and please do not waste time trying to 'fix' the irr, sad to say it's trying to make a silk purse out of a sow's ear.

I'm not suggesting that ARIN undertake a large and complex effort to solve a bunch of issues with IRR. All I am suggesting is that they prevent anonymous bad guys with no inside information, special access, or knowledge of passwords, from corrupting the data which some networks choose to publish in ARIN IRR.

I am simply suggesting it is dangerous and irresponsible to run an IRR with only MAIL-FROM authentication, and quite easy to also support CRYPT-PW. ARIN should either support passwords or immediately make their IRR read-only and stop offering it as a service.

Imagine if there was a Slashdot article or something about this, how long would it take for some 14-year-old to erase the whole database, and how that would pretty much force ARIN to make a choice anyway, but also, create a lot of negative fall-out that might jeopardize trust in ARIN with regard to other operational matters, like RPKI.

--
Jeff S Wheeler j...@inconcepts.biz
Sr Network Operator / Innovative Network Concepts
Re: AltDB? (IRR support direction at ARIN)
>>> Do you:
>>> 1) want IRR services, and if so, with what features?
>>> 2) believe IRR services should be provided by ARIN?
>>
>> the irr is slightly useful today. so, iff it is cheap and easy, arin providing an open and free instance is a public good. again, iff it is easy and cheap.
>>
>> and please do not waste time trying to 'fix' the irr, sad to say it's trying to make a silk purse out of a sow's ear.
>
> I'm not suggesting that ARIN undertake a large and complex effort to solve a bunch of issues with IRR.

jeff,

i do not disagree that running an irr instance with only mail-from is so 1980s. and, as mans points out, there is free software out there to do it (i recommend irrd).

but i do not see good cause for arin to spend anything non-trivial to fix a problem in an irr instance which is not used very much. i.e. better to drop it than to spend non-trivial money to modernize it.

but more to the point, by 'fix' it, i did not mean modernizing the auth method set. i meant the content, syntax and semantics.

randy
Re: AltDB? (IRR support direction at ARIN)
On Sun, Jan 9, 2011 at 6:48 PM, Randy Bush ra...@psg.com wrote:

> jeff, i do not disagree that running an irr instance with only mail-from is so 1980s. and, as mans points out, there is free software out there to do it (i recommend irrd). but i do not see good cause for arin to spend anything non-trivial to fix a problem in an irr instance which is not used very much. i.e. better to drop it than to spend non-trivial money to modernize it.

I agree that if ARIN thinks it would be too costly to support password authentication, they should make the database read-only so users will migrate away from it and no damage can be done by bad guys.

> but more to the point, by 'fix' it, i did not mean modernizing the auth method set. i meant the content, syntax and semantics.

I understood what you meant, and again, I agree with you; there is no reason to invest a lot of time and resources in something that should be made obsolete by other work already in progress. The fix I want is simply eliminating the large liability by continuing to allow updates with MAIL-FROM authentication.

I believe ARIN IRR actually does support MD5 authentication, but if you email the ARIN IRR person, or go to ARIN's web site, you are told that only MAIL-FROM is allowed. So they probably already have the appropriate technical mechanism in place AND JUST AREN'T USING IT, and are actively discouraging users from utilizing it.

This would be an example of ARIN's ineffectiveness when it comes to operational matters, and is why I have real fear that RPKI may one-day be a disaster because ARIN is an ineffective steward.

--
Jeff S Wheeler j...@inconcepts.biz
Sr Network Operator / Innovative Network Concepts
Re: AltDB? (IRR support direction at ARIN)
On 01/09/2011 03:41 PM, Jeff Wheeler wrote:

> On Sun, Jan 9, 2011 at 6:27 PM, Randy Bush ra...@psg.com wrote:
>
>>> Do you:
>>> 1) want IRR services, and if so, with what features?
>>> 2) believe IRR services should be provided by ARIN?
>
> I am simply suggesting it is dangerous and irresponsible to run an IRR with only MAIL-FROM authentication, and quite easy to also support CRYPT-PW. ARIN should either support passwords or immediately make their IRR read-only and stop offering it as a service.
>
> Imagine if there was a Slashdot article or something about this, how long would it take for some 14-year-old to erase the whole database, and how that would pretty much force ARIN to make a choice anyway, but also, create a lot of negative fall-out that might jeopardize trust in ARIN with regard to other operational matters, like RPKI.

So why hasn't this happened already? If it's so easy, then all the normal actors that like to cause us late nights would have struck already. And according to http://www.irr.net/docs/list.html there are lots of IRR databases.

I had a vague concept of IRR before this thread, and have researched them as a result of it. They seem quite useful. I didn't know anything about RPKI before this thread. I'm looking into that now. So I don't think ARIN should spend its limited resources on anything to do with its copy of the IRR. In fact I'm not sure why they even operate one. It seems to be the realm of service providers to do so.

Can anyone enlighten me as to why a RIR is operating an IRR database? It doesn't make sense to me.

--
Charles N Wyble (char...@knownelement.com)
Systems craftsman for the stars
http://www.knownelement.com
Mobile: 626 539 4344
Office: 310 929 8793
Re: AltDB? (IRR support direction at ARIN)
On 01/09/2011 03:48 PM, Randy Bush wrote:

>> Do you:
>> 1) want IRR services, and if so, with what features?

I think so. In theory it seems useful. In practice... http://www.renesys.com/blog/2009/05/keeping-score.shtml not so much.

>> 2) believe IRR services should be provided by ARIN?

No. As I mentioned elsewhere in this thread, I don't see why an RIR is operating an IRR database. It seems to be something clearly in the realm of service providers (ie people who are making use of allocated resources).

John,

Can you shed some light on why this is the case? Was this requested by the community, or driven internally? Or both?

--
Charles N Wyble (char...@knownelement.com)
Systems craftsman for the stars
http://www.knownelement.com
Mobile: 626 539 4344
Office: 310 929 8793
Re: AltDB? (IRR support direction at ARIN)
> I had a vague concept of IRR before this thread, and have researched them as a result of it. They seem quite useful. I didn't know anything about RPKI before this thread. I'm looking into that now. So I don't think ARIN should spend its limited resources on anything to do with its copy of the IRR. In fact I'm not sure why they even operate one. It seems to be the realm of service providers to do so.
>
> Can anyone enlighten me as to why a RIR is operating an IRR database? It doesn't make sense to me.

Sure. I've been staying quiet on this thread, but as one person who has used (and still maintains a number of records) ARIN's IRRd, I'll respond.

Firstly, there are many networks that want to put their IRR objects into a neutral and objective database. I know that AltDB is free, but as I've been told before, if you want support, donate to Abha Ahuja Women in Science in Engineering scholarship fund, otherwise your maintainer objects will never be approved (know this one first hand). And RADB, which used to be free, charges a fee to have records maintained via their web GUI. Many network operators don't want to directly pay for such services, so ARIN makes sense in this regard. My original alternative was to set up my own IRRd, but was glad not to have to go to the trouble.

Secondly, ARIN's IRRd is a lot easier to use than any service provider IRRd as those are intended for customer records only and if you wish to leave them, they will delete your records or just simply deny you support. Especially when said providers mirror ARIN's database. It's much like using PA vs PI IP space. If you want to be indebted to your provider, continue to use their free services.

Thirdly, with the above in mind, ARIN provides support to all members of ARIN, so you can get a real person on the phone or by email to respond to questions.

So, all in all, I am grateful that ARIN has supplied the IRRd service, would love to see the authentication enhanced, but otherwise I don't have any complaints. I encourage others to use the service regularly and am glad to see it getting some attention, we just need to make sure to channel the attention into enhancements and not limitations.

thanks,
charles