[58169] in North American Network Operators' Group
Re: Guardian for ARIN
daemon@ATHENA.MIT.EDU (Lee Howard)
Fri May 2 09:53:12 2003
Date: Fri, 2 May 2003 09:50:37 -0400 (EDT)
From: Lee Howard <lee.howard@mci.com>
To: Sean Donelan <sean@donelan.com>
Cc: nanog@merit.edu
In-Reply-To: <Pine.GSO.4.44.0305020053030.6059-100000@clifden.donelan.com>
Errors-To: owner-nanog-outgoing@merit.edu
ARIN presented plans toward authentication at the recent Public Policy
Meeting:
http://www.arin.net/library/minutes/ARIN_XI/PDF/Tuesday/9_Authentication_Christensen.pdf
or
http://www.arin.net/library/minutes/ARIN_XI/PPT/Tuesday/9_Authentication_Christensen.ppt
Isn't it nice when they're responsive?
Lee
On Fri, 2 May 2003, Sean Donelan wrote:
> Date: Fri, 02 May 2003 01:09:01 -0400 (EDT)
> From: Sean Donelan <sean@donelan.com>
> To: nanog@merit.edu
> Subject: Guardian for ARIN
>
>
> Once upon a time, NSI handled both domain names and network addresses.
>
> NSI originally only checked the sender of the e-mail address matched its
> database. Spoofing the sender of an e-mail address is/was trivial, and
> eventually several domain names were hijacked by other unauthorized
> individuals.
>
> NSI added "Guardian" to their template process. Guardian permitted the
> points of contact (NIC-Handle) for objects in the NSI database to add a
> password (and allegedly a PGP key) to their records. Only templates using
> the correct password would be processed. Since NSI handled both names and
> numbers, a password on NIC-Handle protected both names and networks.
>
> ARIN was formed, and the duties associated with IP numbers (AS and IP
> addresses) were transferred to the new ARIN. However, Guardian or some
> alternative didn't seem to get transferred. So we're back to anyone
> who can spoof the point of contact's e-mail address can make changes
> to the ARIN records.
>
> Is it time for ARIN to re-add security to their database update
> procedures?
>
>