[ncc-services-wg] Enforce 2FA for RIPE NCC Access account

Colleagues

I almost get tired of saying it, but the RIPE Database is based on a
25+ year old design and technology. Nothing related to the security of
your data in the database should be public. Some time ago we filtered
the password encrypted string and SSO name. I don't need to know ANY
details of your security. Do you use passwords or SSO or PGP or X.509.
How many passwords you have. How many SSO accounts are linked. The
MNTNER object should not be public!!! The whole security module of the
RIPE Database should be redesigned, even if we do nothing else.

We currently have an LIR portal, only for people/organisations who are
resource holders. But the RIPE Database is a combined number and
routing registry. There are people who manage routing data who may not
be resource holders. The LIR portal should become an RIR portal.
Anyone who maintains data in the RIPE Database should have an account.
ALL security arrangements should be managed through the portal
account. This needs a completely redesigned security model.
Notifications are a form of audit trail. This should be built into a
new security model and taken out of the public database, or at least
hidden from public view. I don't need to know anything about how you
audit changes to your data. It can also be managed through your portal
account.

EVERY time I raise the subject of the RIPE Database design or
technology, EVERY one of you completely blanks the subject. When a
service at the core of internet operations is built on a 25+ year old
design and technology, why are you surprised it has vulnerabilities
The RIPE community's complete refusal to even engage in any
conversation about the RIPE Database design and technology and how it
secures data is so unprofessional. I know I will be heavily criticised
for saying that, but you need to be hit with a dose of reality. It is
time for some of you to wake up and smell the coffee. Of course it
will cost the RIPE NCC membership money to redesign (part of) the RIPE
Database. But how much will it cost you not to do it? Drop this
community wide obsession with ignoring this topic and at least discuss
the basic question, "Is it time to discuss redesigning (parts of) the
RIPE Database?".

cheers
denis
co-chair DB-WG

On Thu, 4 Jan 2024 at 17:44, Daniel Suchy via ncc-services-wg
<ncc-services-wg at ripe.net> wrote:
>
> Hi,
>
> On 1/4/24 16:58, Gert Doering wrote:
> > Provide visibility, and enforce 2FA for all accounts hat have "interesting"
> > permissions (modify RPKI objects, transfer resources), at least.
>
> from this perspective, even maintainers (linked not only to SSO
> accounts; [1]) accounts are interesting asset. At least those linked to
> route/route6 and as-set objects. Deleting them can also cause a lot of
> operational damage, as filters are processed automatically according to
> IRR data at many places.
>
> And the maintainers are tied directly to all objects, there's no link
> back to the LIR portal.
>
> It's not only about RPKI-related objects. The problem is more complex
> from this point of view. Only the unwanted ROA modification pointed to
> it, but the same issue can occur with other kind of objects id DB.
>
> Transfers are better protected I think, as there's always some manual
> intervention (and legal authorization).
>
> - Daniel
>
> [1]
> https://apps.db.ripe.net/docs/Authorisation/Using-the-Authorisation-Methods/
>
> --
>
> To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://mailman.ripe.net/