Hi Rodolfo,
On 19 Sep 2024, at 11:30, Rodolfo García Peñas (kix) <kix@kix.es> wrote:
> Hello,
> I agree that the use of clear passwords and the use of MD5 is not a secure option. I think it is important to be able to look for alternatives. Thank you very much for this post.
Thanks for your feedback!
> If we look at the statistics shown, while there are 18,000 LIRs with MD5 and 3,000 of them only with MD5, the other 15,000 may have users for personal modification, but also (in relation to what Tore indicates), they may have IPAM tools or their own management systems for updating the data. I think it is important to set dates for manufacturers/developers to migrate from MD5/clear passwords to other options. In addition, it could be interesting to provide documentation to help this migration. The error messages that are answered should have as little impact as possible on the LIR systems/IPAM tools, mainly indicating that the modification could not be made.
I agree that we need to allow enough time in the migration plan for everyone to move to other options. The existing alternatives for automated updates are PGP signed messages and client certificate authentication, these are both in the DB documentation. Once we introduce the planned alternative of API keys we will document that also. We will also update related training courses and support individual users directly. We have a clear goal of making this transition as straightforward as possible.
> On the other hand, it might be interesting to apply other securitisation methods, such as the LIRs being able to specify source IP ranges for the update of the DB information, use of specific email addresses for each password/PGP/.... These methods could be implemented right now, regardless of the elimination of MD5/passwords.
We plan to add features when generating API keys to restrict the scope in different ways, e.g. specific maintainers, source IP ranges etc. although the priority is to deprecate MD5 as soon as possible.
> Regarding Tore's point about the use of passwords at LIR level, I think it is better for LIRs to have an identification of which user is doing the modification. In fact, there has been an effort to eliminate generic users in the LIR portal. However, the alternative of creating API keys at LIR level offers an easy migration alternative and leaves it up to the LIR to use them.
I agree it's important to identify which user was responsible for making changes. Hopefully API keys provide this and are usable by LIRs. We will review any use cases not supported by the switch to (per-user) API keys.

Regards,
Ed Shryane
RIPE NCC
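The thread quotes a count of maintainers that still list MD5-PW, and a smaller count that list nothing else. An LIR preparing for the migration would want the same inventory for its own objects. The script below is an added example and is not part of the thread, nor RIPE NCC's own tooling; it assumes a dump of mntner objects in RPSL text form (here a constructed sample with placeholder hash values), parses the `auth:` attributes, and reports which maintainers use MD5-PW at all and which would be locked out of updates once MD5-PW is removed because it is their only auth method. Auth lines shown as `MD5-PW # Filtered` in public query output still carry the scheme token, so the classification works on filtered output too.

```python
"""Inventory of auth schemes on RIPE Database mntner objects.

Added example, not from the mailing-list thread or RIPE NCC. Reads mntner
objects in RPSL text form and classifies each maintainer by the auth schemes
it lists, so the ones that would stop working after MD5-PW removal (only
MD5-PW, no PGPKEY-/X509-/SSO alternative) can be found before the deadline.
"""
import re

# Constructed sample dump: four mntner objects separated by blank lines.
# The MD5 hash values are placeholders, not real credentials.
SAMPLE_DUMP = """\
mntner:         EXAMPLE-ONLY-MD5-MNT
descr:          Maintainer that still relies only on a password
auth:           MD5-PW $1$placeholder$xxxxxxxxxxxxxxxxxxxxxx
mnt-by:         EXAMPLE-ONLY-MD5-MNT
source:         RIPE

mntner:         EXAMPLE-MIXED-MNT
descr:          Password plus PGP, keeps working after
                MD5-PW is removed
auth:           MD5-PW # Filtered
auth:           PGPKEY-00000000
mnt-by:         EXAMPLE-MIXED-MNT
source:         RIPE

mntner:         EXAMPLE-SSO-MNT
auth:           SSO user@example.net
mnt-by:         EXAMPLE-SSO-MNT
source:         RIPE

mntner:         EXAMPLE-CERT-MNT
auth:           X509-1
auth:           MD5-PW $1$placeholder$zzzzzzzzzzzzzzzzzzzzzz
mnt-by:         EXAMPLE-CERT-MNT
source:         RIPE
"""

ATTR_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")


def parse_rpsl(text):
    """Return a list of objects; each object is an ordered list of (key, value).

    Objects are separated by blank lines. Continuation lines start with
    whitespace or '+' and are folded into the previous attribute's value.
    Repeated attributes (several auth: lines) are kept as separate entries.
    """
    objects, attrs = [], []
    for raw in text.splitlines() + [""]:
        if not raw.strip():
            if attrs:
                objects.append(attrs)
                attrs = []
            continue
        if raw[0] in " \t+" and attrs:
            key, val = attrs[-1]
            attrs[-1] = (key, (val + " " + raw[1:].strip()).strip())
            continue
        m = ATTR_RE.match(raw)
        if m:
            attrs.append((m.group(1).lower(), m.group(2).strip()))
    return objects


def auth_schemes(attrs):
    """Set of scheme names on one mntner, e.g. {'MD5-PW', 'PGPKEY'}."""
    schemes = set()
    for key, val in attrs:
        if key != "auth":
            continue
        token = val.split()[0].upper() if val.split() else ""
        if token.startswith("PGPKEY-"):
            schemes.add("PGPKEY")
        elif token.startswith("X509-"):
            schemes.add("X509")
        elif token in ("MD5-PW", "SSO"):
            schemes.add(token)
        else:
            schemes.add("UNKNOWN")
    return schemes


def inventory(text):
    """Map mntner name -> set of auth schemes for every mntner in the dump."""
    result = {}
    for attrs in parse_rpsl(text):
        # The class attribute is always the first line of an RPSL object.
        if attrs and attrs[0][0] == "mntner":
            result[attrs[0][1]] = auth_schemes(attrs)
    return result


def uses_md5(inv):
    """Maintainers that list MD5-PW at all (affected by the deprecation)."""
    return sorted(name for name, s in inv.items() if "MD5-PW" in s)


def md5_only(inv):
    """Maintainers with no alternative: these lose update access when MD5-PW goes."""
    return sorted(name for name, s in inv.items() if s == {"MD5-PW"})


if __name__ == "__main__":
    inv = inventory(SAMPLE_DUMP)
    for name, schemes in inv.items():
        print(f"{name:28s} {', '.join(sorted(schemes))}")
    print("uses MD5-PW:", uses_md5(inv))
    print("MD5-PW only (needs migration before removal):", md5_only(inv))
```

Run against a real export of your own mntner objects, the `md5_only` list is the set that needs a PGP key, client certificate, SSO or (once available) API key added before the cut-off; the `uses_md5` list is the broader set whose automation scripts or IPAM integrations should be checked for password-based updates.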