ACSP Suggestion 2011.1: Update rr.arin.net to support CRYPT-PW and PGP

Suggestion

Author: Jon Lewis   
Submitted On: 11 January 2011

Description:

rr.arin.net should be updated to support CRYPT-PW (with both DES and md5-crypt) and PGP authentication.

mail-from is too trivial to forge. Due to the fact that the registry would likely make public the encrypted passwords, DES crypt and its 8-character limit make such passwords trivial to crack using modern computing resources.

MD5-crypt is better, but still vulnerable to brute force cracking since the encrypted password would likely be publicly visible. PGP should be the preferred method of authenticating email-submitted change requests as it's the most difficult to forge.

With effectively no security on rr.arin.net data, I’m not willing to rely on it for the purpose of having my transit providers build BGP filters based on the data. Frankly, I’m surprised anyone is using it in its current state.

Timeframe: Immediate

Status: Closed   Updated: 29 September 2011

Tracking Information

ARIN Comment

26 January 2011

ARIN will be updating its IRR code to support pgp and crypt-pw authentication. We hope to have these new features ready and available for community use by the end of August 2011.

ARIN Comment

20 July 2011

Jon,

This issue is currently in progress and is expected to meet the planned delivery by the end of August. This suggestion will be closed out.

ARIN Comment

29 September 2011

Implemented on 29 September 2011