North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Guardian for ARIN
ARIN presented plans toward authentication at the recent Public Policy Meeting: http://www.arin.net/library/minutes/ARIN_XI/PDF/Tuesday/9_Authentication_Christensen.pdf or http://www.arin.net/library/minutes/ARIN_XI/PPT/Tuesday/9_Authentication_Christensen.ppt Isn't it nice when they're responsive? Lee On Fri, 2 May 2003, Sean Donelan wrote: > Date: Fri, 02 May 2003 01:09:01 -0400 (EDT) > From: Sean Donelan <[email protected]> > To: [email protected] > Subject: Guardian for ARIN > > > Once upon a time, NSI handled both domain names and network addresses. > > NSI originally only checked the sender of the e-mail address matched its > database. Spoofing the sender of an e-mail address is/was trivial, and > eventually several domain names were hijacked by other unauthorized > individuals. > > NSI added "Guardian" to their template process. Guardian permitted the > points of contact (NIC-Handle) for objects in the NSI database to add a > password (and allegedly a PGP key) to their records. Only templates using > the correct password would be processed. Since NSI handled both names and > numbers, a password on NIC-Handle protected both names and networks. > > ARIN was formed, and the duties associated with IP numbers (AS and IP > addresses) were transfered to the new ARIN. However, Guardian or some > alternative didn't seem to get transferred. So we're back to anyone > who can spoof the point of contacts e-mail address can make changes > to the ARIN records. > > Is it time for ARIN to re-add security to their database update > procedures? > >
|