Deprecation of the NONE Authentication Scheme

As announced at RIPE 47 and on the Database Working Group Mailing List the "NONE authentication scheme" has been deprecated as of 26 April 2004.

• mntner objects which only had the NONE authentication scheme have been updated to use the MD5-PW scheme and the passwords e-mailed to the mntner contacts (admin-c, tech-c). Request for your password to be re-sent.

• mntner objects which had the NONE and at least one other authentication scheme have been updated to remove the NONE authentication scheme.

• Objects protected with RIPE-NCC-NONE-MNT have been updated with RIPE-NCC-LOCKED-MNT. If you are listed as a contact in an object with RIPE-NCC-LOCKED-MNT you can assign a new or existing mntner .

Please contact <ripe-dbm@ripe.net> for any questions.

History and details

1. Motivation

The RIPE Database protects data from unauthorised modification through the use of references to maintainer (mntner) objects. The maintainer objects contain an "auth:" attribute which specify how a user is authenticated during updates to the database.

One of the allowed authentication schemes is "NONE", which is actually not an authentication at all, but rather specifies that no authentication is necessary. NONE is intended to be used consciously, as a notification facility or as a means to tag objects.

In April 2003, a proposal was sent to the Database Working Group by Hank Nussbacher:

    It has come lately to the attention in the Internet security
    realm that spammers as well as crackers are hijacking IP address
    space.  One easy way to "steal" IP address space is via those that
    have auth=NONE on their objects.

2. Plan

Normally with a database cleanup effort, an announcement is sent to the appropriate mailing lists, posted to the RIPE web page, and also sent to the specific users affected. A period of time for cleanup is given. Finally, if the users have not fixed the data then it is modified.

However, for the NONE deprecation, it is inadvisable to do this as it means announcing what is in effect a security vulnerability. Also, our operational experience with past cleanups shows that most users do not really participate through the phases of the effort.

Therefore, the plan for mntner objects with the NONE authentication scheme is as follows:

• Announcement only to db-wg mailing list.

• Remove "auth: NONE" attributes from all mntner objects, by changing them to a "remarks:" attribute with a URL explaining the change.

• If that is the only authentication scheme, update the mntner objects, adding MD5-PW with a generated password.

• E-mail the "admin-c:" and "tech-c:" of the objects, and the e-mail addresses listed in the "upd-to:" and "mnt-nfy:" attributes of the objects, explaining the change and including the new password if one is added.

• Passwords can be requested via an e-mail to <ripe-dbm@ripe.net>.

The reply with the password will be sent to the same contacts. After a certain period of time the service will be discontinued. Users wishing to use these maintainers may contact <ripe-dbm@ripe.net> for assistance.

3. RIPE-NCC-NONE-MNT

A maintainer with NONE authentication, RIPE-NCC-NONE-MNT, was added to objects without any maintainer when the database was converted from RIPE-181 format to RPSL format in April 2001. There is a remark in these objects which includes the following:

remarks:      The RIPE NCC will never use this maintainer object to 
remarks:      enforce any sort of control over user's objects. 

One use of the RIPE-NCC-NONE-MNT has been to allow the creation of objects representing routing policy for resources not allocated or assigned by the RIPE NCC. This is done by using "mnt-routes: RIPE-NCC-NONE-MNT" or "mnt-lower: RIPE-NCC-NONE-MNT" as appropriate.

A new maintainer object will be created for these cases, with a well- known password, published in the object:

mntner:       RIPE-NCC-RPSL-MNT
descr:        This maintainer may be used to create objects to represent
descr:        routing policy in the RIPE Database for number resources not
descr:        allocated or assigned from the RIPE NCC.
admin-c:      RD132-RIPE
upd-to:       ripe-dbm-notify@ripe.net
auth:         MD5-PW $1$GUExyzzy$XQtbZHGVqy9GW8BiAckBV1
remarks:      *******************************************************
remarks:      * The password for this object is 'RPSL', without the *
remarks:      * quotes.                                             *
remarks:      *******************************************************
mnt-by:       RIPE-DBM-MNT
referral-by:  RIPE-DBM-MNT
changed:      ripe-dbm@ripe.net 20040301
source:       RIPE

For objects using RIPE-NCC-NONE-MNT:

• If there are other "mnt-by:" attributes it will be changed to a "remarks:" attribute.

• Otherwise, the "mnt-by:" will be changed to RIPE-NCC-LOCKED-MNT, which has a locked password (or PGP key).

• A "remarks:" attribute will be added explaining how to generate a maintainer.

• An e-mail will be sent to the "admin-c:" and "tech-c:" of the objects, and the e-mail addresses listed in the "notify:" attributes of the objects, explaining the change and giving a URL which will help to generate a new maintainer or assign another existing maintainer.

• At the URL, the object will be automatically updated to have a new maintainer.

• After a certain period of time the service will be discontinued. Users wishing to use these maintainers may contact ripe-dbm@ripe.net for assistance.

4. Other maintainers with "auth: NONE"

The RIPE-NCC-PN-NONE-MNT was used to mark PERSON objects not to be deleted in the 2001 person cleanup. It can be removed and the maintainer deleted.

The LIM-MNT is used for limericks. It will have a well-known password similar to the RPSL maintainer. It will also be maintained by another maintainer (not itself, as currently).