[58156] in North American Network Operators' Group
Guardian for ARIN
daemon@ATHENA.MIT.EDU (Sean Donelan)
Fri May 2 01:09:35 2003
Date: Fri, 2 May 2003 01:09:01 -0400 (EDT)
From: Sean Donelan <sean@donelan.com>
To: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu
Once upon a time, NSI handled both domain names and network addresses.
NSI originally only checked the sender of the e-mail address matched its
database. Spoofing the sender of an e-mail address is/was trivial, and
eventually several domain names were hijacked by other unauthorized
individuals.
NSI added "Guardian" to their template process. Guardian permitted the
points of contact (NIC-Handle) for objects in the NSI database to add a
password (and allegedly a PGP key) to their records. Only templates using
the correct password would be processed. Since NSI handled both names and
numbers, a password on NIC-Handle protected both names and networks.
ARIN was formed, and the duties associated with IP numbers (AS and IP
addresses) were transfered to the new ARIN. However, Guardian or some
alternative didn't seem to get transferred. So we're back to anyone
who can spoof the point of contacts e-mail address can make changes
to the ARIN records.
Is it time for ARIN to re-add security to their database update
procedures?
