North American Network Operators Group

RE: Guardian for ARIN

  • From: Christopher J. Wolff
  • Date: Fri May 02 01:27:21 2003

Sean,

Many good points here.  On a related topic, IMHO, NSI needs to take a
step back and evaluate their domain/account management system.  The
web-gui system in place now is truly the bastard child, leaving
subscribers with dozens (or hundreds) of domains, each with an
individual account number and no password (or challenge phrase).  

I wonder how many virgin goats would need to be slaughtered at the
altars of Tenochtitlan to bring back the email forms ;-)

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com


-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of
Sean Donelan
Sent: Thursday, May 01, 2003 10:09 PM
To: [email protected]
Subject: Guardian for ARIN


Once upon a time, NSI handled both domain names and network addresses.

NSI originally only checked the sender of the e-mail address matched its
database.  Spoofing the sender of an e-mail address is/was trivial, and
eventually several domain names were hijacked by other unauthorized
individuals.

NSI added "Guardian" to their template process.  Guardian permitted the
points of contact (NIC-Handle) for objects in the NSI database to add a
password (and allegedly a PGP key) to their records.  Only templates
using the correct password would be processed.  Since NSI handled both
names and numbers, a password on NIC-Handle protected both names and
networks.

ARIN was formed, and the duties associated with IP numbers (AS and IP
addresses) were transferred to the new ARIN.  However, Guardian or some
alternative didn't seem to get transferred.  So we're back to anyone
who can spoof the point of contact's e-mail address can make changes
to the ARIN records.

Is it time for ARIN to re-add security to their database update
procedures?