FAQ: RIPE Database Security
- I have objects in the RIPE Database. How can I protect them?
You must protect your objects using a mntner (maintainer) object. It can authenticate changes by using one of several authentication schemes, such as your RIPE NCC Access account or a PGP key. In order to set this up, you must first create a mntner object and then refer to it in the "mnt-by:" attribute in your object(s).
- In which database objects are maintainer references ("mnt-by") mandatory?
Every RIPE Database object should be protected by a maintainer. The kind of authentication you use for your maintainer depends on your use case. In general, we recommend using your RIPE NCC Access account or a PGP key. For detailed information, please refer to our recommendations page.
- How do I create a maintainer (mntner) object in the RIPE Database?
- One of my objects has RIPE-NCC-LOCKED-MNT as the only maintainer. Why is that?
It used to be possible to create unmaintained objects in the RIPE Database, but today that is no longer possible. Any unmaintained objects that were created before this change have had RIPE-NCC-LOCKED-MNT added to them to prevent any person from making a change and potentially using them for abuse.
The RIPE Database also contains the RIPE-NCC-RPSL-MNT maintainer, that may be used to create objects to represent routing policy in the RIPE Database for number resources not allocated or assigned from the RIPE NCC. This maintainer should not be used as "mnt-by:" on any objects as it has a well-known public password, but in the past a number of users have done this anyway. The usage of the RIPE-NCC-RPSL-MNT maintainer is also restricted now and all objects that had this maintainer have been replaced with RIPE-NCC-LOCKED-MNT.
The locked objects will remain as they are. There is no procedure for unlocking these previously unmaintained or incorrectly maintained objects. If there is an operational need, new objects should be created by the object owners. This solution puts control back into the hands of the object owners. The user can follow the existing process for creating and referencing new objects.
Unreferenced person objects will be deleted from the RIPE Database periodically. See also: Clean-up of unreferenced person objects.
- We lost the password of our mntner. Can you please reset it?
You can reset a lost MD5 password on the Forgot maintainer password page. You need to be logged in to your RIPE NCC Access account to recover access to your mntner object. You can create an account if you do not have one yet.
After the reset procedure has completed, your maintainer will be protected with your RIPE NCC Access account instead of the MD5 password, as this is more secure and password resets can be done via the email address of your account.
- My maintainer password does not work. Why not?
If you are still using MD5 passwords to authenticate against your maintainer object, you can use the Authorisation Password Generator page to verify that the MD5 hash string for your maintainer password matches your plain text password. If the string doesn't match and you cannot recover the MD5 password, you can reset it on the Forgot maintainer password page. The same applies when using PGP authentication.
Other reasons your password might not work are usually due to these common mistakes:
- Supplying the password in encrypted form instead of clear text
- Forgetting to specify "password:" before the password string when using email updates
- Sending the password in the subject line when using email updates
In case you use your RIPE NCC Access account to authenticate, please check for common mistakes such as having Caps Lock enabled. If you are certain that you lost your password you can reset it here.
- How can I encrypt a password for my mntner using MD5-PW?
We do not recommend that you use MD5 passwords for regular usage. Please see our security recommendations page for more information. If you still need to use MD5 passwords, such as for authenticating against the RIPE Database API over HTTPS, please visit the Authorisation Password Generator page and follow the instructions.
- What encryption algorithm should be used for the crypted password in the "auth:" attribute of a mntner object?
Either MD5-PW or DES. Both are "one-way" algorithms; you can _guess_ the clear text password that was used to generate this password (if you have lots of time and many powerful computers), but you cannot reverse-engineer the clear text password from the crypted one; i.e. you cannot use an algorithm on the crypted password to find the clear text password.
Note: the level of security using clear text passwords is not high; you send your clear text password in an e-mail, which could be copied ("sniffed") without you knowing it. Also, a determined, malicious cracker may eventually guess the password.
More information is available in the RIPE Database Reference Manual.
- How to use the MD5-PW auth scheme in my mntner?
We do not recommend that you use MD5 passwords for regular usage. Please see our security recommendations page for more information. If you still need to use MD5 passwords, such as for authenticating against the RIPE Database API over HTTPS, please follow these steps:
- Visit the Authorisation Password Generator page and follow the instructions to generate an MD5 hash from a clear text password of your choice. Please choose a strong password.
- In your maintainer, add an "auth:" attribute and as the value enter "MD5-PW", followed by a space and the encrypted password from step 1. For example, a maintainer would look like this:
descr: Sample maintainer
auth: MD5-PW $1$HaKpJ.7L$bMelWa6qPZJn9ZTn7dphr/
When authenticating using the MD5 password, you must supply it in clear text format. Therefore, we strongly discourage sending it via email.
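The MD5-PW value is the classic MD5-crypt string "$1$<salt>$<hash>" shown in the sample maintainer above. The following is an added example (not RIPE NCC code, and not the Authorisation Password Generator) that reimplements that algorithm with hashlib so you can generate an "auth:" value offline and check, as the previous question suggests, that the hash in your mntner really matches the clear text password you hold. The auth_line parsing, the helper names and the sample passwords are all constructed for this illustration.

```python
import hashlib
import re
import secrets

# Added example, not RIPE NCC code: MD5-PW is the "$1$<salt>$<hash>" MD5-crypt
# format. Only the "$1$" magic, the 8-character salt limit and the 1000
# stretching rounds come from that algorithm; function names are ours.

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base-64: emit `count` characters, low 6 bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str) -> str:
    """Return the MD5-crypt string "$1$<salt>$<22 chars>" for `password`."""
    pw = password.encode()
    salt = salt[:8]                     # at most 8 salt characters are used
    sb = salt.encode()

    ctx = hashlib.md5(pw + MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    pl = len(pw)
    while pl > 0:                       # mix in len(pw) bytes of the alt digest
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                            # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 stretching rounds alternating password, salt and previous digest
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    f = final                           # fixed byte-shuffle before encoding
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$1${salt}${encoded}"


def new_md5_pw(password: str) -> str:
    """Build a fresh "auth:" value ("MD5-PW $1$...") with a random 8-char salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return "MD5-PW " + md5_crypt(password, salt)


# Shape of an "auth:" line as it appears in a mntner object
AUTH_RE = re.compile(r"^auth:\s*MD5-PW\s+(\$1\$([^$]{1,8})\$[./0-9A-Za-z]{22})\s*$")


def verify_auth_line(auth_line: str, password: str) -> bool:
    """True if `password` is the clear text behind the MD5-PW hash in `auth_line`.

    Recomputes the hash with the salt taken from the stored value and compares
    in constant time, so a mismatch leaks nothing about how close the guess was.
    """
    m = AUTH_RE.match(auth_line)
    if not m:
        raise ValueError("not an MD5-PW auth line")
    stored, salt = m.group(1), m.group(2)
    return secrets.compare_digest(md5_crypt(password, salt), stored)


if __name__ == "__main__":
    # Constructed sample: a mntner line for a password chosen here, not a real one
    line = "auth: " + new_md5_pw("correct horse battery staple")
    print(line)
    print("matches:", verify_auth_line(line, "correct horse battery staple"))
```

Run it against the real "auth:" line of your maintainer and your clear text password; a False result means the hash was generated from a different password (or has been edited), which is exactly the situation in which the Forgot maintainer password page is the way forward. The clear text password itself never leaves the machine.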
- What software do I need to use PGP?
There are both commercial and free implementations of PGP available. The RIPE NCC uses GnuPG to implement its PGP operations. You can find more information on using PGP on our security recommendations page.
- How can I use PGP with my mail software?
PGP support is available for most of the popular e-mail software, with varying success. A quick search on a search engine should reveal the various tools/configurations/plugins specific to your mailer.
Although it's convenient to integrate PGP with the mailer software, it can be used separately to generate signed messages. Therefore, you can send signed messages, even if you can't find a suitable extension to your mailer software.
- Getting started with PGP in RIPE Database
After installing PGP, the next step is to run it once to create your settings. From the command line, enter gpg once. It should give a message that the directory and options file have been created.
You need a key for all operations with gpg, which you can create with the command gpg --gen-key. This command will ask you the following:
- what kind of key you want: For most purposes, (1) is suitable.
- What key size you want: 1024 is the default and reasonable choice. A lower value will decrease the security. On the other hand, a higher value will slow things down.
- how long the key should be valid: You can choose 0 here for a non-expiring key. For custom needs, a limited duration can be set.
- Real name: Your name and surname.
- E-mail address: Your e-mail address.
- Comment: Remarks that will be appended after your name in the user-ID that gpg will create.
After entering all that information and confirming that it is correct, you'll be asked for a passphrase. Choose a passphrase that:
- is long,
- has special (non-alphanumeric) characters,
- is something special (not a name),
- is very hard to guess (not names, birth dates, phone numbers, number of children, ...)
Enter it twice and gpg will start generating the key. Moving your mouse or tapping the keyboard during this operation will help gpg to generate the key faster.
Further information is available on:
- What is a key-cert object, and how can I create it?
A key-cert object holds the public part of your key in the RIPE Database. To use the key you just generated in the RIPE Database, you should create it in the form of a key-cert object.
The following steps will help you create a key-cert object:
- Export your gpg public key to a file with the command gpg --export --armor <your_email_address> > key-cert.txt
- Issue the command gpg --list-keys and find the line with your e-mail address in the output. It should be something like:
pub 1024D/75FE6D99 2002-07-10 John Smith <firstname.lastname@example.org>
Write down the eight characters after the / sign. This is the key id of your key. You'll need it while creating the key-cert.
- Open the file key-cert.txt with your favorite editor, and add "certif: " (without quotes, but a space after : sign) to the beginning of each line.
- Add a line to the beginning of the file in the form key-cert: PGPKEY-XXXXXXXX
where XXXXXXXX is the eight characters that you wrote down.
- To the end of the file, add the following:
where <mntner> is your maintainer name, <email> is your e-mail address, and <date> is the date in YYYYMMDD format.
- Finally, add the authentication of mntner, e.g. if your maintainer is protected by MD5-PW, add the authentication of mntner to the file in the form password: <cleartext password>.
- Send this update to email@example.com. You'll receive an acknowledgement. If all goes well, you'll be able to query the database and see the key-cert you just generated by the command PGPKEY-XXXXXXXX.
- How should I modify my maintainer to use PGP?
Just update your maintainer object to contain the line auth: PGPKEY-XXXXXXXX
where XXXXXXXX is your key-ID.
Be aware that if there are other auth: lines in your object, all of them remain effective and any one of them is enough to authenticate. So, if there are both auth: NONE and auth: PGPKEY-XXXXXXXX lines in the mntner object, everybody can still update it, without needing the PGP key.
- How can I sign my update with PGP and send it?
The most straightforward way is to use gpg from the command line. The following steps will help you accomplish this:
- Write your update to a file (say, update.txt).
- Sign this file with the command gpg --clearsign update.txt. You'll be required to enter the passphrase. Then gpg will create a file update.txt.asc which contains the signed version of update.txt.
- Mail update.txt.asc to firstname.lastname@example.org.
You can also use your mailer software's facilities to do this, which is usually a menu entry. Please see the documentation of the particular software for this.
- How can I put two or more signatures in a message?
Although there are a few variations for putting multiple signatures in an update, please note that there is as yet no reported way to do this consistently via mailer interfaces. So, again, the most straightforward way is to do this from the command line. For the first signature, just sign the message as explained in the previous question. For each subsequent signature, sign the .asc file produced by the previous signing. Send the final resulting file to email@example.com; it will carry all the authentications.
- Can I create a maintainer with only PGP authentication?
When you have created a person and maintainer pair, your maintainer will be protected with your RIPE NCC Access account. After this, you can create the key-cert object for PGP authentication and refer to it from your maintainer.
Once this is done, you can use both the PGP key and your RIPE NCC Access account to authenticate. We recommend leaving at least one RIPE NCC Access account (optionally with two-step verification) on a maintainer as a safety net in case something happens to your PGP key. This way you can always recover lost access yourself.
- What is the size of PGP key that can be used in a key-cert object in the RIPE Database?
The size of a PGP key is user defined. The RIPE Database key-cert object will accept any size that is generated by the software that generates the PGP key.