[134691] in North American Network Operators' Group


Re: AltDB?

daemon@ATHENA.MIT.EDU (John Curran)
Sun Jan 9 22:48:48 2011

From: John Curran <jcurran@arin.net>
To: Jeff Wheeler <jsw@inconcepts.biz>
Date: Mon, 10 Jan 2011 03:47:39 +0000
In-Reply-To: <AANLkTimMU4K1CgCRZBbrKGSR2osjwBNrJORARnUUSjVz@mail.gmail.com>
Cc: "<nanog@nanog.org>" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Jan 9, 2011, at 9:53 PM, Jeff Wheeler wrote:
>
> Why should an operational security issue with the ARIN IRR be handled
> as a policy issue?

Operational security matters should simply be fixed; that's not a policy
matter but an implementation issue.

> Do you know that I have emailed ARIN about this both recently and in
> years past?  Am I the only person who has ever tried to bring this to
> ARIN's attention?  I doubt that.

Good to know; I'm rather interested in knowing some particulars
here, so can you forward to me one or two of those messages?  (or
just let me know the 'To' field used and I'll take it from there)

> What will the process be for handling operational security issues
> regarding future RPKI infrastructure?  It is conceivable that there
> may be no alternative to ARIN, in the ARIN region, for trusted routing
> information data in the future.  Today, we can choose not to use ARIN
> IRR, and the huge majority of networks who publish IRR data use their
> ISP databases or MERIT RADB.  Are we faced with the possibility that
> ARIN simply doesn't have personnel capable of handling operational
> services, yet are forcing ARIN down a road that may make them a sole
> source of something we all need?  If so, perhaps this is a very bad
> idea in need of further debate.

Feel free to discuss on this list (if deemed in charter) or arin-discuss
as you feel appropriate.

> I think the mentality at ARIN is one of paper-pushers and policy guys.
> That's perfectly fine for an organization whose main function is ...
> processing paperwork and allocating IP addresses.  It is perhaps a
> very bad idea to ask ARIN to do operational things which they are very
> clearly unprepared to handle, to such an extent that they may need
> additional or different personnel, and really need to change their
> mentality.

Jeff - ARIN does indeed have folks who worry about whether the policy
development process is being followed.  We also have folks who actually
implement the policy and issue number resources.  What you may not know
is that we also have quite a few folks who have run production operational
services both for the Internet and other mission-critical environments.
I'm not surprised that the IRR allows plaintext passwords, but am myself
stunned if indeed we require them, since that disallows even a modicum of
protection from trivial acts of sabotage.  Rather than repeat what lack
of information there is on the web site in regards to what forms of IRR
authentication are available, I will go determine the state of reality
and post back here asap. At a minimum, we need much clearer documentation,
but if more is required, we'll get it fixed asap.

/John

John Curran
President and CEO
ARIN



