RIPE 51

RIPE Meeting: 51
Working Group: Database
Status: Final
Revision Number: 1

RIPE51 Database WG draft Minutes
14th October 2005

A. Administrative Matters

* scribe (Nigel Titley, FLAG Telecom)
* list of participants
* agenda
* minutes (please all review and return comments (2 weeks))
[AP51.1 NT13] To watch list, fold in updates to RIPE-50 minutes and release
after 2 weeks.
* "remote participation" coordination (if needed)


46.5 WW Coordinate with RIPE NCC to prepare a document summarizing
basic assumptions about the use of the database.

[Various documents have been produces, and others need
updating, but overtaken by events, Closed]

47.3 RIPE NCC Write a document properly documenting the use of the
IRT object for reporting abuse.
[Part of general documentation issue, ongoing]

48.6 RIPE NCC To change DB behaviour to return IRT object
[Misunderstanding of requirement, superceded by
AP51.8, complete]

49.2 RIPE NCC Give updates about the number of abuse records
in the database to the Working Group.
[Sent to list, Complete]

50.1 WW Take proposal to make the country attribute optional
and multiple for inetnum and inet6num objects to
the mailing list
[Take to policy development process, Ongoing]


B. DB Update (N.N., RIPE NCC)
See presentation

Things are really stable, query rates, update rates, query mix
etc. Statistics are all online. Database documentation is
being gradually reworked, and is being broken up into various
reference manuals. Document formats will be PDF and HTML. New
whois software is much easier to install (autoconf friendly)
Signed updates will now expire a week after signature, to
prevent replay attacks. WW noted problems with gnupg and
dates of signature. This will be checked.
[AP51.2 RIPE NCC]
Check gnupgp compatibility before release of functionality.



C Review of security mechanisms in the DB (Peter K., denic.de)
. quality of CRYPT-PW, CRYPT-MD5, X.509

This is a proposal to deprecate CRYPT-PW. See presentation.

CRYPT-PW is relatively easy to break. 25% of all maintainer
objects still contain CRYPT-PW and hence are easy to crack
(weakest scheme wins). Why bother? RIPE community responsible
for the strength of its tools. MD5-PW is much stronger and
may be kept, at least for the moment.

It was noted ??-PW cannot prevent replay attacks as there is
not embedded timestamp, although if you have the update
message you actually have the password.

It was noted that John the Ripper now supports MD5-PW,
although at about 100 times slower than CRYPT-PW.

It was agreed that the DB-WG should go with the proposal and
should have a practice with the Policy Development
Process.
[AP51.3 Peter Koch] Start by formulating the
proposal on the mailing list.

D. State of whois services, developments? (WW144, N.N., RIPE NCC)

There are concerns with the privacy of registry data. WW has
tried to get different parts of the EU to talk to each other
and formulate a unified view of requirements, ie is privacy
important? AT the moment this is more of a problem in the
domain name area, but it is possible that it may become an
issue for IP addresses too. See the next presentation.

E. IRIS pilot frontend to whois (Shane Kerr, RIPE NCC)
See presentation

Please have a look and see if it satisfies user requirements.

It was confirmed that IPv6 is also supported. There is no
support for routing policy at the moment in the protocol,
although this is being looked at, and a set of requirements
being formulated. There are some doubts as to the exact
benefits that IRIS gives to routing registries.
[AP51.4 RIPE NCC] Check that the mapping of contacts is indeed
not properly supported in IRIS (admin-c and tech-c).
[AP51.5 RIPE NCC] Check and see if there are any other missing
attributes that are needed for RIPE community.

F. Fact finding: RoutingReg facilities at RIRs (Gert D, SpaceNet)
No presentation

Do any of the other RiRs have facilities to store RPSL-ng
objects? There appear to be no objects in any of the other
RiRs.
[AP51.6 Matt ?? (ARIN)] To find out if any of the other
routing registries have the ability to store RPSL-ng.

X. Impact of "PDP" on how the DB-WG operates (WW144) [~15 min] . ref:
https://www.ripe.net/ripe/docs/ripe-350.html
From this WG meeting onwards, any sizeable changes should go
through the PDP. Note that this WG is not intended to invent
things, but to fill in the gaps left by other WGs and make
sure that they get the appropriate attention.

Y. Input from other WGs

* DNS: secureDNS requirements for the DB This has already been
covered by the DB Update presentation.
[AP51.7 RIPE NCC] Make sure that the proposed DNS Security
changes are implemented

Z. AOB Show irt: objects by default on address queries There has been
some misunderstanding of this requirement. It is still
necessary to use the -c flag to get the irt: object, whereas
the requirement was that if the irt: object existed then it
should be returned. It was noted that this would result in a
object being returned which was not actually referred to in
any of the queried objects. This is a change in behaviour, but
there was no objection to this.
[AP51.8 RIPE NCC] To properly implement behaviour as
requested.
[AP51.9 RIPE NCC] To contact a subset of the spam tool writers
and make sure that they are aware of the change in behaviour.