This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[db-wg] Deprecating auth=NONE
- Next message (by thread): [db-wg] Deprecating auth=NONE
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hank Nussbacher
hank at att.net.il
Tue Apr 15 19:15:59 CEST 2003
Back in March 2002 we started to deprecate auth=MAIL-FROM. In August we finished it: http://www.ripe.net/ripencc/pub-services/db/mailfrom.html We did not do the same for auth=NONE and the RIPE announcement stated: "Though NONE "auth" scheme is even weaker it is not supposed to be consciously used for object protection, but rather as notification facility. Therefore NONE "auth" scheme is outside the scope of this proposal." It has come lately to the attention in the Internet security realm that spammers as well as crackers are hijacking IP address space. One easy way to "steal" IP address space is via those that have auth=NONE on their objects. Go to: http://www.ripe.net/db/whois-free.html select ALL and type in the search bar "auth: none". The results of those that can have their IPs easily hijacked is, how shall I say this, enormous. Luckily the RIPE search form is limited to 100 hits. Just as an example and not to pick on C&W but: aut-num: AS13186 as-name: UNSPECIFIED descr: C&W SA Autonomous System descr: Alcalde Barnils 64-68 descr: Parque Empresarial Sant Joan descr: 08190 Sant Cugat del Valles descr: BARCELONA import: from AS3352 action pref=100; accept ANY import: from AS12541 action pref=100; accept ANY import: from AS3561 action pref=100; accept ANY import: from AS16091 action pref=100; accept AS16091 export: to AS3352 announce AS13186 AS16091 export: to AS12541 announce AS13186 AS16091 export: to AS3561 announce AS13186 AS16091 export: to AS16091 announce ANY default: to AS12541 action pref=100; networks ANY admin-c: RV4415-RIPE tech-c: XL5-RIPE remarks: AS3352 -> anvazque at obscured-domain remarks: AS12541 ->graham.cole at obscured-domain mnt-by: AS13186-MNT mntner: AS13186-MNT descr: Cable and Wireless SA admin-c: RV4415-RIPE tech-c: XL5-RIPE upd-to: d12 at obscured-domain auth: NONE mnt-by: AS13186-MNT referral-by: RIPE-DBM-MNT route: 212.66.160.0/19 descr: Intercom Servicios Telematicos Avanzados, S.A. origin: AS13186 notify: xlario at obscured-domain mnt-by: AS13186-MNT I could right now remove the route entry for 212.66.160.0/19 or change it to some other origin and thereby hijack the entry. All those that use auto-build tools based on the info in RIPE would allow me to announce the /19 and not C&W in Spain. Just an example. There are thousands. RIPE NCC won't deprecate auth=NONE without us telling them to do it. Why would we not want this? -Hank
- Next message (by thread): [db-wg] Deprecating auth=NONE
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ db-wg Archives ]