Author: Jon Lewis
Submitted On: 11 January 2011
rr.arin.net should be updated to support CRYPT-PW (with both DES and md5-crypt) and PGP authentication.
mail-from is too trivial to forge. Due to the fact that the registry would likely make public the encrypted passwords, DES crypt and its 8-character limit make such passwords trivial to crack using modern computing resources.
MD5-crypt is better, but still vulnerable to brute force cracking since the encrypted password would likely be publicly visible. PGP should be the preferred method of authenticating email-submitted change requests as it's the most difficult to forge.
With effectively no security on rr.arin.net data, I'm not willing to rely on it for the purpose of having my transit providers build BGP filters based on the data. Frankly, I'm surprised anyone is using it in its current state.
Updated: 29 September 2011
26 January 2011
ARIN will be updating its IRR code to support pgp and crypt-pw authentication. We hope to have these new features ready and available for community use by the end of August 2011.
20 July 2011
This issue is currently in progress and is expected to meet the planned delivery by the end of August. This suggestion will be closed out.
29 September 2011
Implemented on 29 September 2011