[db-wg] Deprecating auth=NONE
- Date: Tue, 15 Apr 2003 19:15:59 +0200

Back in March 2002 we started to deprecate auth=MAIL-FROM. In August we
finished it:
http://www.ripe.net/ripencc/pub-services/db/mailfrom.html

We did not do the same for auth=NONE and the RIPE announcement stated:
"Though NONE "auth" scheme is even weaker it is not supposed to be
consciously used for object protection, but rather as notification
facility. Therefore NONE "auth" scheme is outside the scope of this proposal."

It has come lately to the attention in the Internet security realm that
spammers as well as crackers are hijacking IP address space. One easy way
to "steal" IP address space is via those that have auth=NONE on their objects.
Go to:
http://www.ripe.net/db/whois-free.html
select ALL and type in the search bar "auth: none".

The results of those that can have their IPs easily hijacked is, how shall
I say this, enormous. Luckily the RIPE search form is limited to 100 hits.
Just as an example and not to pick on C&W but:

aut-num:      AS13186
as-name:      UNSPECIFIED
descr:        C&W SA Autonomous System
descr:        Alcalde Barnils 64-68
descr:        Parque Empresarial Sant Joan
descr:        08190 Sant Cugat del Valles
descr:        BARCELONA
import:       from AS3352
              action pref=100;
              accept ANY
import:       from AS12541
              action pref=100;
              accept ANY
import:       from AS3561
              action pref=100;
              accept ANY
import:       from AS16091
              action pref=100;
              accept AS16091
export:       to AS3352
              announce AS13186 AS16091
export:       to AS12541
              announce AS13186 AS16091
export:       to AS3561
              announce AS13186 AS16091
export:       to AS16091
              announce ANY
default:      to AS12541
              action pref=100;
              networks ANY
admin-c:      RV4415-RIPE
tech-c:       XL5-RIPE
remarks:      AS3352 -> anvazque@localhost
remarks:      AS12541 ->graham.cole@localhost
mnt-by:       AS13186-MNT

mntner:       AS13186-MNT
descr:        Cable and Wireless SA
admin-c:      RV4415-RIPE
tech-c:       XL5-RIPE
upd-to:       d12@localhost
auth:         NONE
mnt-by:       AS13186-MNT
referral-by:  RIPE-DBM-MNT

route:        212.66.160.0/19
descr:        Intercom Servicios Telematicos Avanzados, S.A.
origin:       AS13186
notify:       xlario@localhost
mnt-by:       AS13186-MNT

I could right now remove the route entry for 212.66.160.0/19 or change it
to some other origin and thereby hijack the entry. All those that use
auto-build tools based on the info in RIPE would allow me to announce the
/19 and not C&W in Spain. Just an example. There are thousands.

RIPE NCC won't deprecate auth=NONE without us telling them to do it. Why
would we not want this?

-Hank
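
Added example, not part of the original message: a small audit that reads whois-format objects such as the ones quoted above and reports which of them a maintainer with "auth: NONE" can authorise, so an operator can check their own objects. The sample data is constructed (documentation ASNs and prefixes, hypothetical maintainer names), and the code assumes that one passing auth: line on any one listed mnt-by maintainer is enough to authorise an update.

```python
# Constructed sample in RPSL whois format (documentation ASNs and prefixes).
SAMPLE = """\
mntner:  WEAK-MNT
auth:    NONE

aut-num: AS64500
import:  from AS64501
         action pref=100;
         accept ANY
mnt-by:  WEAK-MNT

route:   198.51.100.0/24
origin:  AS64500
mnt-by:  WEAK-MNT, STRONG-MNT

route:   203.0.113.0/24
origin:  AS64501
mnt-by:  STRONG-MNT
"""

def parse_objects(text):
    """Split whois output into objects, each a list of (attribute, value)."""
    objects, current = [], []
    for line in text.splitlines() + [""]:         # trailing "" flushes last object
        if not line.strip():                      # blank line ends an object
            if current:
                objects.append(current)
            current = []
        elif line[0] in " \t+" and current:       # continuation of previous value
            attr, value = current[-1]
            current[-1] = (attr, value + " " + line[1:].strip())
        elif ":" in line and line[0] not in "%#": # skip server comment lines
            attr, value = line.split(":", 1)
            current.append((attr.strip().lower(), value.strip()))
    return objects

def audit(text):
    """Return (weak maintainers, objects a weak maintainer can authorise)."""
    # Assumption: one passing auth: line on any one listed mnt-by suffices.
    objects = parse_objects(text)
    weak = {o[0][1].upper() for o in objects if o[0][0] == "mntner"
            and any(a == "auth" and v.upper().split()[:1] == ["NONE"] for a, v in o)}
    exposed = []
    for o in objects:
        mnts = {m.upper() for a, v in o if a == "mnt-by"
                for m in v.replace(",", " ").split()}
        if o[0][0] != "mntner" and mnts & weak:
            exposed.append((o[0][0], o[0][1], sorted(mnts & weak)))
    return weak, exposed
```

On the sample, the second route is reported even though it also lists a stronger maintainer, because the weaker one alone is sufficient under the stated assumption.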