- db-wg - mailman.ripe.net

sub-allocation
by denis walker 31 Oct '24

31 Oct '24

Colleagues During the discussion in the DB-WG session this morning there was a question about sub-allocations. It was asked if it could be possible to identify when resources have been sub-allocated. Hans Petter said it would be possible to give some indication of this. Well, sorry, but NO. Thanks to 2023-04 it is no longer possible to identify sub-allocations. I believe most people were so focused on making assignments optional, no one gave any thought to the consequences of making the simple technical change of adding the status value 'aggregated-by-lir'. As I pointed out in an email some months ago, this has broken the database in many ways. An LIR with an allocation can now simply split that allocation in half and create two objects with status 'aggregated-by-lir'. The boundary between the two aggregations does not even need to match the boundaries of any more specific ranges. There are NO rules about using this status. Absolutely nothing else more specific to these aggregations needs to be documented in the RIPE Database, in any public domain or notified to the RIPE NCC. The LIR may make a sub-allocation of, say, a /24 below one of these aggregations. Or maybe below both of them, crossing the boundary. You will never know what they have done. That sub-allocation holder may sub-allocate again. They can even sub-allocate the whole sub-allocation. Because you do not need to create objects in the database, there is no reason why the whole range cannot be sub-allocated. There are no rules!!! The same block can be sub-allocated 100 times in a long chain of downstream customers. There are no rules!!! Even if there were rules, they would not be enforceable as no one can 'see' what is being done with these addresses. Finally the whole block could be assigned to an End User. This has serious consequences to rights enforcers and law enforcement trying to find that End User. They will never be found. As things stand, because none of the details of this chain of downstream customers is public information, court orders will be needed to identify each layer. In practice this means 100 sequential court orders, each one identifying the next link in the chain. This could zig zag across multiple countries, multiple legal jurisdictions, in multiple languages.The LIR does not know who the End User is. They only know who they sub-allocated to. Only the last link in the sub-allocation chain knows who the End User is. This situation was created by 2023-04 and a lack of attention to detail. We cannot allow this situation to continue. I would suggest we create/amend a policy so that when an LIR is served a court order to identify the (End) User of an IP address, the obligation is on the LIR to internally follow any such chain of sub-allocations, whether it is 1 or 100, to identify the End User. cheers denis ======================================================== DISCLAIMER Everything I said above is my personal, professional opinion. It is what I believe to be honest and true to the best of my knowledge. No one in this industry pays me anything. I have nothing to gain or lose by any decision. I push for what I believe is for the good of the Internet, in some small way. Nothing I say is ever intended to be offensive or a personal attack. Even if I strongly disagree with you or question your motives. Politicians question each other's motives all the time. RIPE discussion is often as much about politics and self interest as it is technical. I have a style of writing that some may not be familiar with, others sometimes use it against me. I also have OCD. It makes me see the world slightly differently to others. It drives my mind's obsessive need for detail. I can not change the way I express my detailed opinions. People may choose how to interpret them. ========================================================

3 8

API Key Expiry and Shared Credentials in the RIPE Database
by Felipe Silveira 26 Oct '24

26 Oct '24

Dear all, Thank you for your feedback during the recent DB-WG discussion on API key authentication for updates in the RIPE Database. After discussions and careful consideration of the points raised, we have come to the following decisions. Firstly, we will only support the use of API keys created and used by an individual RIPE NCC Access account. When multiple people share the same login credentials, it creates security risks, leaving the system open to potential abuse. For instance, a former employee with access to shared credentials could still access sensitive data after leaving the company. Additionally, it becomes impossible to track who made specific changes in the system, leading to a lack of accountability and an incomplete audit trail, making it difficult to investigate incidents or ensure compliance. Based on these risks, we have chosen not to offer a design that allows API key sharing for better security and traceability. We will help an LIR manage how API keys are used. The LIR Portal will list who has used API keys with the default maintainer in the LIR Portal. We will also display a warning in the LIR Portal when removing or changing a user’s role when they have API keys. Secondly, we will implement mandatory API key expiration dates. We will allow the user to choose the expiry date when creating a new key, but expiry cannot be more than one year. We will notify the RIPE NCC Access user in advance by email and on our web interface(s), if any of their API keys are due to expire soon. Our top priority is the security of everyone’s data. While I understand these decisions will require members to make changes to their scripts, it's essential that we remain compliant and follow best practices here. Kind regards, Felipe Victolla Silveira Chief Technology Officer RIPE NCC

6 9

Re: Agenda @ RIPE89 - Database Working Group
by William Sylvester 25 Oct '24

25 Oct '24

All, We are to start RIPE89 in Prague, Czechia. Our session will be after the morning coffee break @ 11:00 in the Main room on 31 October (Thursday). Please take a look at the NWIs to foster good discussion at the meeting. The NWIs are viewable at: https://www.ripe.net/manage-ips-and-asns/db/numbered-work-items/ Below is the agenda, please feel free to offer feedback as appropriate. If you have an interest in presenting to the working group please contact the Database Working Group Chairs at db-wg-chairs(a)ripe.net<mailto:db-wg-chairs@ripe.net>. Best regards, William, Peter, & David DB-WG Chairs A. Introduction - 15 min * Welcome * Scribe * Agenda B. Operational Update– 20 mins Edward Shryane, RIPE NCC C. dead-ends and car parks – 25 mins, Lee Kent, beIN D. MD5 and UTF-8– 15 mins Edward Shryane, RIPE E. NWI Review – 10 mins, WG Chairs Z. AOB (open discussion)

1 0

RIPE88 Database Working Group Minutes
by Peter Hessler 21 Oct '24

21 Oct '24

Hello Database Working Group, The draft minutes from our session at RIPE88 has been published on the RIPE website, available at https://www.ripe.net/community/wg/active-wg/db/minutes/ripe-database-workin… We'd like to thank Alun from the RIPE NCC for preparing the draft. Please review the minutes, and send any necessary corrections to the working group mailing list. Peter Hessler, On behalf of the DB WG Co-Chairs

1 0

RDAP Transparency Report
by Edward Shryane 17 Oct '24

17 Oct '24

Dear colleagues, At RIPE 88, Leo Vegoda asked in the DB-WG session for a transparency report on RDAP, and in particular any functionality gaps between RDAP and Whois in the RIPE database. The Registration Data Access Protocol (RDAP) is an alternative protocol to Whois that specifies how to access Internet resource registration data. It is specifically designed to address various shortcomings in Whois. Because of these improvements in RDAP, we want to encourage its adoption. However, at least for the RIPE Database, over 90% of Whois queries are still on port 43. In 2015, the Whois output from both Regional Internet Registries (RIRs) and Domain Name Registries (DNSs) were collected and analysed, and created an object registry in RFC 7485, "Inventory and Analysis of WHOIS Registration Objects". https://www.rfc-editor.org/rfc/rfc7485 This formed the basis of the various object types supported in RDAP. There are gaps where Whois object types or attribute types are not supported by RDAP. One difficulty is that the Whois object model is different for each RIR. This makes supporting specific attributes in RDAP more difficult. For this analysis we will focus on the RIPE Database. Also specifically for the RIPE NCC service region, known differences between RDAP and the RIPE Database are listed in the Whois GitHub repository: https://github.com/RIPE-NCC/whois/blob/master/README.RDAP.md Once it is clear where the gaps are, we will work with the community to prioritise work to close the gaps between RDAP and Whois. We also plan to cooperate with the other RIRs to help standardise any changes. Let's now analyse the gaps by functional area between the RIPE Database and RDAP. The following sections document how RPSL attributes for different object types are mapped to RDAP. Attributes common to most or all object types follow at the end of the document. Internet Number Registry (INR) ------------------------------ The Internet Number Registry (INR) is a subset of the RIPE Database containing information about resources, including IPv4 and IPv6 prefixes and AS numbers. AS-BLOCK As-block objects are *not* returned by RDAP. If an in-region AS number is not found, even if the parent as-block exists, then HTTP status 404 “Not Found” is returned for that AS number. AUT-NUM +---------------------------------------+---------------------------------------+ | WHOIS | RDAP | +---------------------------------------+---------------------------------------+ | aut-num | /handle | | | /startAutnum | | | /endAutnum | +---------------------------------------+---------------------------------------+ | as-name | /name | +---------------------------------------+---------------------------------------+ | member-of | N/A (not returned) | +---------------------------------------+---------------------------------------+ | import-via | N/A | +---------------------------------------+---------------------------------------+ | import | N/A | +---------------------------------------+---------------------------------------+ | mp-import | N/A | +---------------------------------------+---------------------------------------+ | export-via | N/A | +---------------------------------------+---------------------------------------+ | export | N/A | +---------------------------------------+---------------------------------------+ | mp-export | N/A | +---------------------------------------+---------------------------------------+ | default | N/A | +---------------------------------------+---------------------------------------+ | mp-default | N/A | +---------------------------------------+---------------------------------------+ | sponsoring-org | N/A | +---------------------------------------+---------------------------------------+ | status | N/A | +---------------------------------------+---------------------------------------+ INETNUM +---------------------------------------+---------------------------------------+ | WHOIS | RDAP | +---------------------------------------+---------------------------------------+ | inetnum | /handle | | | /startAddress | | | /endAddress | | | /ipVersion ("v4") | +---------------------------------------+---------------------------------------+ | netname | /name | +---------------------------------------+---------------------------------------+ | country | /country | | | (Whois "country" is multiple but | | | single in RDAP. Only the first value | | | is returned). | +---------------------------------------+---------------------------------------+ | geofeed | /links/ | | | "rel": "geo" | | | "type": "application/geofeed+csv" | | | See draft-ietf-regext-rdap-geofeed | +---------------------------------------+---------------------------------------+ | geoloc | /vcardArray "geo" (N.B. this attribute| | | is not related to Geofeed) | +---------------------------------------+---------------------------------------+ | language | /lang | | | (Whois "language" is multiple but | | | single in RDAP). | +---------------------------------------+---------------------------------------+ | sponsoring-org | N/A (not returned) | +---------------------------------------+---------------------------------------+ | status | /type | +---------------------------------------+---------------------------------------+ | assignment-size | N/A (not returned) | +---------------------------------------+---------------------------------------+ INET6NUM +---------------------------------------+---------------------------------------+ | WHOIS | RDAP | +---------------------------------------+---------------------------------------+ | inet6num | /handle | | | /startAddress | | | /endAddress | | | /ipVersion ("v6") | +---------------------------------------+---------------------------------------+ | netname | /name | +---------------------------------------+---------------------------------------+ | country | /country | | | ("country" is multiple in Whois but | | | single in RDAP. Only the first value | | | is returned). | +---------------------------------------+---------------------------------------+ | geofeed | /links/ | | | "rel": "geo" | | | "type": "application/geofeed+csv" | | | See draft-ietf-regext-rdap-geofeed | +---------------------------------------+---------------------------------------+ | geoloc | /vcardArray "geo" (N.B. this attribute| | | is not related to Geofeed) | +---------------------------------------+---------------------------------------+ | language | /lang | | | ("language" is multiple in Whois but | | | single in RDAP. Only the first value | | | is returned). | +---------------------------------------+---------------------------------------+ | sponsoring-org | N/A (not returned) | +---------------------------------------+---------------------------------------+ | status | /type | +---------------------------------------+---------------------------------------+ | assignment-size | N/A (not returned) | +---------------------------------------+---------------------------------------+ Entity Object Types ------------------- Entities in RDAP include organisation, maintainer, person and role contact types. MNTNER +---------------------------------------+---------------------------------------+ | WHOIS | RDAP | +---------------------------------------+---------------------------------------+ | mntner | /handle | +---------------------------------------+---------------------------------------+ | upd-to | N/A (not intended as a contact | | | email address) | +---------------------------------------+---------------------------------------+ | mnt-nfy | N/A (not intended as a contact | | | email address) | +---------------------------------------+---------------------------------------+ | auth | N/A (mot returned) | +---------------------------------------+---------------------------------------+ ORGANISATION +---------------------------------------+---------------------------------------+ | WHOIS | RDAP | +---------------------------------------+---------------------------------------+ | organisation | /handle | +---------------------------------------+---------------------------------------+ | org-name | /vcardArray | | | "text": "org" | +---------------------------------------+---------------------------------------+ | org-type | N/A (not returned) | +---------------------------------------+---------------------------------------+ | address | /vcardArray | | | "adr" | +---------------------------------------+---------------------------------------+ | country | /country | | | ("country" is single in Whois and | | | single in RDAP. Only the first value | | | is returned). | +---------------------------------------+---------------------------------------+ | phone | /vcardArray | | | "tel" | | | "type": "voice" | +---------------------------------------+---------------------------------------+ | fax-no | /vcardArray | | | "tel" | | | "type": "fax" | +---------------------------------------+---------------------------------------+ | e-mail | /vcardArray | | | "email" | | | The "e-mail" value is filtered in | | | Whois but not in RDAP. | +---------------------------------------+---------------------------------------+ | geoloc | /vcardArray "geo" (N.B. this attribute| | | is not related to Geofeed) | +---------------------------------------+---------------------------------------+ | language | /lang ("language" is multiple in Whois| | | but single in RDAP. Only the first | | | value is returned). | +---------------------------------------+---------------------------------------+ | ref-nfy | N/A (not intended as a contact email | | | address) | +---------------------------------------+---------------------------------------+ ROLE +---------------------------------------+---------------------------------------+ | WHOIS | RDAP | +---------------------------------------+---------------------------------------+ | role | /vcardArray | | | "fn" | +---------------------------------------+---------------------------------------+ | address | /vcardArray | | | "adr" | +---------------------------------------+---------------------------------------+ | phone | /vcardArray | | | "tel" | | | "type": "voice" | +---------------------------------------+---------------------------------------+ | fax-no | /vcardArray | | | "tel" | | | "type": "fax" | +---------------------------------------+---------------------------------------+ | e-mail | /vcardArray | | | "email" | +---------------------------------------+---------------------------------------+ | nic-hdl | /handle | +---------------------------------------+---------------------------------------+ PERSON +---------------------------------------+---------------------------------------+ | WHOIS | RDAP | +---------------------------------------+---------------------------------------+ | person | /vcardArray | | | "fn" | +---------------------------------------+---------------------------------------+ | address | /vcardArray | | | "adr" | +---------------------------------------+---------------------------------------+ | phone | /vcardArray | | | "tel" | | | type": "voice" | +---------------------------------------+---------------------------------------+ | fax-no | /vcardArray | | | "tel" | | | "type": "fax" | +---------------------------------------+---------------------------------------+ | e-mail | /vcardArray | | | "email" | +---------------------------------------+---------------------------------------+ | nic-hdl | /handle | +---------------------------------------+---------------------------------------+ Internet Routing Registry (IRR) ------------------------------- The Internet Routing Registry (IRR) is a database of Routing policy information, including route objects and related sets. None of the IRR object types are currently returned by RDAP, including: ROUTE: IPv4 route ROUTE6: IPv6 route RTR-SET: Set of routers ROUTE-SET: Set of routes AS-SET: Set of aut-num objects FILTER-SET: Set of routes matched by its filter PEERING-SET: Set of peerings INET-RTR: Internet router Reverse Delegation ------------------ The RIPE Database contains information about the provisioning of Reverse Domain Name System (DNS) delegations, contained in the domain object type. DOMAIN +---------------------------------------+---------------------------------------+ | WHOIS | RDAP | +---------------------------------------+---------------------------------------+ | domain | /handle | | | /ldhName | +---------------------------------------+---------------------------------------+ | zone-c | /entities | | | "roles": "zone" | | | ("zone" is a non-standard entity type)| +---------------------------------------+---------------------------------------+ | nserver | /nameServers | +---------------------------------------+---------------------------------------+ | ds-rdata | secureDNS/dsData | +---------------------------------------+---------------------------------------+ Other Object Types ------------------ The RIPE Database also contains some other object types. IRT: referenced IRT objects are returned, but not directly. KEY-CERT : not returned by RDAP. Common Attributes ----------------- Some attributes appear on some or all object types in the RIPE Database and are mapped to RDAP as follows. +---------------------------------------+---------------------------------------+ | WHOIS | RDAP | +---------------------------------------+---------------------------------------+ | abuse-c | /entities/ | | | role: "technical" | | | email type "abuse" | +---------------------------------------+---------------------------------------+ | admin-c | /entities/ | | | role: "administrative" | +---------------------------------------+---------------------------------------+ | tech-c | /entities/ | | | role: "technical" | +---------------------------------------+---------------------------------------+ | descr | /remarks/description/ | +---------------------------------------+---------------------------------------+ | mnt-by | /entities/ | | mnt-lower | In RDAP the role "registrant" is used | | mnt-routes | to identify both organisations and | | mnt-domains | maintainer entities. | | mnt-irt | In RDAP only the "mnt-by" value is | | mnt-ref | returned and not the other mnt types. | +---------------------------------------+---------------------------------------+ | org | /entities/ | | | In RDAP the role "registrant" is used | | | to identify both organisations and | | | maintainer entities. | +---------------------------------------+---------------------------------------+ | notify | N/A (not returned in RDAP response) | +---------------------------------------+---------------------------------------+ | remarks | /remarks/description/ | +---------------------------------------+---------------------------------------+ | created | /eventeventAction "registration" | +---------------------------------------+---------------------------------------+ | last-modified | /events/ | | | eventAction: "last changed" | +---------------------------------------+---------------------------------------+ | source | /notices/ | | | title: "source" | | | description: ["Objects returned came | | | from source", "RIPE"] | +---------------------------------------+---------------------------------------+ RDAP Object Classes ------------------- The RIPE database RDAP implementation supports the following object classes: * entity - returns Whois person, role, organisation, mntner types * ip - returns Whois inetnum and inet6num types * autnum - returns Whois aut-num type * domain - returns Whois domain type It does not support the nameserver class, used for forward DNS names. RDAP Query Flags ---------------- Supported query flags in the RIPE Database can be found in the Database documentation: https://docs.db.ripe.net/Types-of-Queries/ RDAP supports the following query flags: * For entity queries there is “fn” which is used as a search term for person, role and organisation name. Also “handle” which is used as a search term just for organisation and nic-hdl. Both cannot be used at the same time. * For ip queries there is “name” or “handle” both are used as a search term for netname (which maps to “name” in RDAP). * For autnum queries, “name” which is used to specify the search term for as-name, and “handle” for aut-num. * For domain queries, “name” which is used as a search term for domain. Conclusion ---------- The RDAP protocol addresses various shortcomings in Whois. Support for resource types and contact types is reasonably good, but there is no support for Internet Routing Registry (IRR) object types in particular. We must work to close the remaining gaps between RDAP and Whois if we want to increase the adoption of RDAP. --- Regards Ed Shryane RIPE NCC

1 1

Re: API Key Expiry and Shared Credentials in the RIPE Database
by Cynthia Revström 10 Oct '24

10 Oct '24

I don't speak for the NCC but as I understand it they wanted a drop in replacement for MD5-PW. -Cynthia On Thu, 10 Oct 2024, 23:13 Laurent Pellegrino, < laurent.pellegrino(a)ipregistry.co> wrote: > Hi there, > > Given the focus on security and token management, was OAuth2 considered? > It’s a widely adopted standard that includes built-in mechanisms for secure > authentication and token expiration, and it supports various flows that > might align with your requirements. If it was evaluated, could you please > share any insights on why it wasn’t chosen? > > Regards, > Laurent > > On Thu, Oct 10, 2024 at 12:58 PM Cynthia Revström via db-wg < > db-wg(a)ripe.net> wrote: > >> I have to agree with Gert here. I think the intentions are good but it >> won't give the wanted result. >> >> Making it so API keys are tied to a user will cause people to create >> shared users to hold those keys. >> >> -Cynthia >> >> On Wed, 9 Oct 2024, 19:21 Gert Doering, <gert(a)space.net> wrote: >> >>> Hi, >>> >>> On Wed, Oct 09, 2024 at 02:28:26PM +0200, Felipe Silveira wrote: >>> > Our top priority is the security of everyone???s data. While I >>> understand >>> > these decisions will require members to make changes to their scripts, >>> it's >>> > essential that we remain compliant and follow best practices here. >>> >>> I think you've been reading the wrong books on security here... this >>> design is actively discouraging use of API keys, because it breaks >>> doing proper automatization on the LIR size. >>> >>> Gert Doering >>> -- NetMaster >>> -- >>> have you enabled IPv6 on something today...? >>> >>> SpaceNet AG Vorstand: Sebastian v. Bomhard, Ingo >>> Lalla, >>> Karin Schuler, Sebastian Cler >>> Joseph-Dollinger-Bogen 14 >>> <https://www.google.com/maps/search/Joseph-Dollinger-Bogen+14?entry=gmail&so…> >>> Aufsichtsratsvors.: A. Grundner-Culemann >>> D-80807 Muenchen HRB: 136055 (AG Muenchen) >>> Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279 >>> ----- >>> To unsubscribe from this mailing list or change your subscription >>> options, please visit: >>> https://mailman.ripe.net/mailman3/lists/db-wg.ripe.net/ >>> As we have migrated to Mailman 3, you will need to create an account >>> with the email matching your subscription before you can change your >>> settings. >>> More details at: >>> https://www.ripe.net/membership/mail/mailman-3-migration/ >> >> ----- >> To unsubscribe from this mailing list or change your subscription >> options, please visit: >> https://mailman.ripe.net/mailman3/lists/db-wg.ripe.net/ >> As we have migrated to Mailman 3, you will need to create an account with >> the email matching your subscription before you can change your settings. >> More details at: >> https://www.ripe.net/membership/mail/mailman-3-migration/ > >

1 0

Impact Analysis of Removing MD5 Hashed Passwords from the RIPE Database
by Edward Shryane 29 Sep '24

29 Sep '24

Dear colleagues, At RIPE 88 during the DB-WG session, I mentioned the need to replace MD5 hashed passwords that are used for authenticating updates in the RIPE Database. Now I’d like to present an impact analysis of doing this, what the alternatives are, and a draft migration plan. Please let me know your feedback. I plan to finalise the contents and present at RIPE 89 next month. Regards Ed Shryane RIPE NCC --- Introduction ------------ In the RIPE Database, some maintainers contain passwords which are protected using the MD5 hash algorithm. However MD5 has been found to have vulnerabilities which make it unsuitable for continued use. Accordingly the RIPE NCC plans to soon phase out the use of MD5 hashed passwords. We describe some alternatives, and a migration plan to deprecate passwords. Why Not Switch to a Stronger Hash Algorithm? -------------------------------------------- Stronger cryptographic hash algorithms exist, but we do not want to simply replace MD5 with a different hash algorithm. If a hash is compromised it would still need to be replaced, so the risks of exposure remain, regardless of the hash algorithm used. It is better to completely remove all password hashes from maintainer objects, so they are no longer part of the RIPE Database. Alternatives to Passwords ------------------------- In order to successfully migrate away from MD5 hashed passwords, we must also ensure that there are viable alternatives, in particular for non-interactive updates. What Alternatives Already Exist? -------------------------------- A number of alternative authentication methods are already available in the RIPE Database: * SSO (Single Sign-On). A user registers a RIPE NCC Access account and associates it with their maintainer. * Over 80% of maintainers already contain an SSO account for authentication. * SSO is an adequate replacement for passwords for interactive updates. * However SSO can only be used interactively (through the RIPE Database website), and not for batch (non-interactive) updates. * PGP can be used to authenticate updates using a signature. * There is no shared secret between the client and server, unlike with passwords. * However PGP can only be used in Syncupdates or Mailupdates, not with the REST API. * PGP signatures were used to authenticate 33% of all successful updates in the past year, but only 6% of all maintainers reference a PGP key, so it is not a widely used solution. * X-509 Certificates can also be used to authenticate updates * Use S/MIME to create a signed mailupdate message * Use Client Certificate authentication with the REST API. * X.509 signed updates were only used in a handful of updates in the past year. Only 29 maintainers reference an X.509 certificate. This means that alternatives to passwords for non-interactive (batch) updates are not widely used. In order to completely replace passwords there must be a usable alternative. Introducing API Keys -------------------- In addition to the existing alternatives, we also propose to introduce API keys linked to an SSO account to replace passwords, that is convenient and secure. An API key is an auto-generated string associated with a user account that can be used to authenticate updates on behalf of that user. They are already widely used across the Internet, although by different names (e.g. GitHub Tokens, Google Application Passwords, AWS does use API keys, etc.). Other RIPE NCC services already make use of API keys, for example the LIR Portal and RIPE Atlas. We are investigating how to create a new service to allow RIPE NCC Access accounts to generate API keys that can be used to authenticate updates to the RIPE Database. The advantages include: * RIPE NCC Access accounts are associated with a maintainer in the RIPE database and not any API keys, so there are no credentials that can be leaked. * API keys can be associated with a SSO account, so there is accountability to identify who authenticated an update. * We can automatically expire API keys after a certain time limit for increased security, in case they are leaked. * Users can more easily migrate away from passwords as API keys can be used in the same way. Deprecating Insecure Transport of Credentials --------------------------------------------- In addition to deprecating MD5 hashed passwords, we also plan to deprecate any insecure ways of transporting credentials, so that updates are kept secure. Using Mailupdates with password authentication can be insecure, as the mail message may be sent unencrypted, or the message may be spooled to disk during transport, so could be leaked. We found that 16% of successful Mailupdates contained a password. We will no longer allow Mailupdates using a password and only allow an X.509 or PGP signature for authentication. Using Syncupdates over plaintext HTTP with a password can be insecure. We found that 3% of total successful Syncupdates requests over HTTP used a password. Currently a warning is returned if this happens. We will no longer allow HTTP and only allow Syncupdates over HTTPS using an API key or a PGP signature for authentication. Password authentication of Whois REST API queries and updates already require HTTPS, and in the future it will be possible to authenticate using API keys, in addition to client certificate authentication. How Are Updates Performed? -------------------------- In the past 12 months (July 2023 to June 2024 inclusive), there were 4.3 million successful updates to the RIPE Database in total. +-------------+-------------------+-----------------------+ | | Number of Updates | Percentage of Updates | +-------------+-------------------+-----------------------+ | REST API | 2.4M | 56% | | Syncupdates | 1.0M | 24% | | Mailupdates | 0.88M | 20% | | TOTAL | 4.3M | (100%) | +-------------+-------------------+-----------------------+ Looking at the authentication method used for each protocol: +-------------+----------+-----+-----+ | | Password | SSO | PGP | +-------------+----------+-----+-----+ | REST API | 76% | 24% | N/A | | Syncupdates | 16% | 16% | 68% | | Mailupdates | 16% | N/A | 84% | | TOTAL | 50% | 17% | 33% | +-------------+----------+-----+-----+ Passwords were used in half of all successful updates (2.15M out of 4.3M) in the past year. How Many Maintainers Use Password Authentication? ------------------------------------------------- There are approximately 62,000 maintainers in the RIPE database. About 18,000 maintainers have MD5 hashed passwords. About 3,000 of those maintainers only have MD5 hashed passwords and no alternative authentication method. So most maintainers don’t use passwords, and most of those that do have at least one alternative. Any maintainers using passwords will soon need to migrate to an alternative. As mentioned already, 18,000 maintainers contain at least one MD5 hashed password. About half of all updates in the past year were authenticated with a password, but these were submitted by only 1,362 maintainers. There are about 3,000 maintainers that only have an MD5-PW auth: attribute. Only 872 of those maintainers made a successful update in the past year. It may seem that deprecating passwords will be a tall order. However, we found that only a minority of maintainers use them regularly. How Many Maintainers Use an Alternative Authentication Method? -------------------------------------------------------------- There are 51,000 maintainers containing at least one RIPE NCC Access account (SSO). In the past year, we found that 23,000 maintainers authenticated using SSO, by far the most of any authentication method. There are about 4,000 maintainers which reference a PGP key-cert that is not expired. One third of all updates are authenticated with a PGP signed message, but these were submitted by only 477 maintainers. There are only 29 maintainers which reference an X.509 key-cert that is not expired. There are only a handful of updates authenticated using an X.509 certificate each year. Migration Plan To Deprecate Passwords ------------------------------------- Firstly, existing maintainers do not need to wait for any migration away from MD5 hashed passwords as they can be replaced already. If you only perform updates interactively through the RIPE database website, then you can rely on SSO authentication. If you perform batch updates, you can switch to PGP signed updates or client certificate authentication. Following is an outline of how we can migrate away from passwords. We ask the DB-WG community for their feedback and suggestions, and will update the migration plan accordingly. In the coming months, we plan to first phase out any insecure ways of transporting credentials in Mailupdates and Syncupdates, namely: * Stop allowing passwords in Mailupdates. Any mailupdates requests containing only password authentication will fail with an error. Users must switch to PGP signed mailupdates or use the REST API or Syncupdates. * Stop allowing HTTP for Syncupdates. Any Syncupdates requests over HTTP will fail with a 403 Forbidden response. Users must switch to HTTPS. We will notify the DB-WG and affected maintainers in advance of any changes. Once the design is ready and approved, we will introduce API keys alongside password authentication as an alternative for non-interactive updates. Finally we will begin to deprecate passwords as follows: * Encourage maintainers using passwords to switch to an alternative * Stop allowing new passwords to be added to a maintainer * Set an expiration date for existing passwords * Remove passwords automatically from maintainers once they have expired We will plan together with the DB-WG and notify affected maintainers in advance of any changes. The details and timing are to be agreed with the DB-WG. Impact Analysis --------------- What is the impact on RIPE NCC services of removing MD5 hashed passwords in the RIPE Database? RIPE Database Queries Deprecating MD5 hashed passwords will have little impact on queries to the RIPE Database, except for authenticated queries for a MNTNER object. In that case, a password will no longer be allowed for authentication when querying for an unfiltered MNTNER object, and unfiltered MNTNER objects will no longer contain any password hashes. An existing alternative to using password authentication for authenticated queries is client certificate authentication, and in the future API keys will be provided as an additional alternative. RIPE Database Updates Passwords will no longer be allowed when using any RIPE Database update interface. For the Whois REST API, passwords will be replaced by client certificate authentication and API keys. Affected maintainers will need to migrate to an alternative. HTTPS is already required for updates. For Mailupdates, password authentication will no longer be allowed. Affected maintainers will need to migrate to signed updates or use an alternative transport. For Syncupdates, HTTP will no longer be allowed and passwords will be replaced by signed updates or API keys. Affected maintainers will also need to migrate. New Member Signup No impact to New Member Signup, as new LIRs are not asked for a password during the process. All LIR contacts are added as SSO accounts to the newly created maintainer during LIR activation. However, users can still add a password themselves to authenticate updates. LIR Portal There is no impact to interactive users of the LIR Portal, as authentication of changes in the RIPE Database (e.g. Set Default Maintainer) is done using their SSO account credentials. There is no impact to the API Keys feature in the LIR Portal, as these requests are not authenticated with a password. TEST Environment Currently in the TEST environment we depend on a “well-known” maintainer password to authenticate changes normally performed by the RIPE NCC. This will be changed to allow a user to make changes (e.g. setup test data) without a password. However we need to consider how to allow this while also keeping the authentication model consistent with the RIPE Database. RIPE Database Associate Certification When a user signs up to the RIPE Database Associate certification course, we provide them with resources and a user maintainer with a password. In future, a user will use their SSO account credentials to create and update their objects in the database. Training Courses The training materials used in RIPE NCC courses will have to change to account for API keys. Also we will encourage use of other alternatives such as signed updates and client certificate authentication. (END)

11 23

Whois Release 1.114
by Edward Shryane 19 Sep '24

19 Sep '24

Dear colleagues, RIPE Database release 1.114 has been deployed to the Release Candidate environment for testing. We plan to deploy to production on Thursday 19th September. This release has the following main changes: * NRTMv4 Key Rotation (#1484) * HTTP DoS Filter for Update Requests (#1495) * HTTP block IP Filter (#1498) * Add Warning When Password Authentication is used in Mailupdates (#1511) The release notes are on the website: https://docs.db.ripe.net/Release-Notes/#ripe-database-release-1-114 More information on the Release Candidate environment can be found on our website: https://docs.db.ripe.net/Release-Notes/#release-candidate-environment The data in the RC environment is a dummified copy of production from 2nd September. Please let us know if you find any issues with this release in the RC environment. Regards Ed Shryane RIPE NCC

6 12

Draft Agenda & Call for Presentations @ RIPE89 - Database Working Group
by William Sylvester 18 Sep '24

18 Sep '24

All, We are about six weeks out from the start of RIPE89 in Prague, Czechia. Our session will be after the morning coffee break @ 11:00 in the Main room on 31 October (Thursday). Please take a look at the NWIs to foster good discussion at the meeting. The NWIs are viewable at: https://www.ripe.net/manage-ips-and-asns/db/numbered-work-items/ Below is the current draft agenda, please feel free to offer feedback as appropriate. We still have space on the agenda for presentations. If you have an interest in presenting to the working group please contact the Database Working Group Chairs at db-wg-chairs(a)ripe.net<mailto:db-wg-chairs@ripe.net>. Best regards, William, Peter, & David DB-WG Chairs A. Introduction - 15 min * Welcome * Scribe * Agenda B. Operational Update– 30 mins Edward Shryane, RIPE NCC D. NWI Review – 30 mins, WG Chairs D. [ YOUR PRESENTATION COULD BE HERE ] – 10 mins, WG Chairs Z. AOB (open discussion)

1 0

Force-delete of route object not possible as aut-num resource holder
by Wessel Sandkuijl 04 Sep '24

04 Sep '24

Hi all, RIPE NCC has assigned me an ASN a couple of years ago. During some routine checks I noticed a few route objects with my ASN in it which were created long before the ASN got assigned to me. When trying to force-delete these objects I was unable to. After contacting RIPE NCC this is apparently by design, and RIPE NCC was unable to delete them either because the route objects were protected by a valid maintainer. They suggested I contact the original creator of the objects (which I couldn't, the email bounced), or contact the inetnum resource holder and ask them to (force) delete the route objects. I find it odd that as ASN resource holder I am unable to force-delete objects referencing the ASN that is assigned to me. I'm apparently not the only one. From what I've been told requests from ASN resource holders to delete route objects referencing their ASN pop up regularly in RIPE NCC support. I think this is something that can be improved. I suggest implementing the option to force-delete a route(6) object as ASN resource holder. This saves both the resource holder and RIPE NCC valuable time. Regards, Wessel

11 13