MD5 Hashes in the RIPE Database
Dear colleagues,

It was clear from the discussions at RIPE 64 that we need to change the initial implementation of hiding the hashes for MD5 passwords in MNTNER objects. A suggestion was made to keep the "auth:" attributes in place. If the authentication token is an MD5 password we will remove the hash value. All PGP and X.509 values will remain unchanged.

We have already worked on this and a sample MNTNER object would look like the object below. We can deploy this change within the next two weeks.

Regards,
Denis Walker
Business Analyst
RIPE NCC Database Group

$whois -B DEV-ROOT-MNT
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Information related to 'DEV-ROOT-MNT'

mntner:         DEV-ROOT-MNT
descr:          Mntner for DEV-DBM-MNT
admin-c:        AA1-DEV
tech-c:         AA2-DEV
upd-to:         bitbucket@ripe.net
mnt-nfy:        bitbucket@ripe.net
auth:           MD5-PW # Filtered
auth:           PGPKEY-1290F9D2
notify:         bitbucket@ripe.net
mnt-by:         DEV-ROOT-MNT
referral-by:    DEV-ROOT-MNT
remarks:        This is an automatically created object.
changed:        bitbucket@ripe.net 20051031
source:         DEV # Filtered

role:           DEV ROLE
nic-hdl:        AA2-DEV
address:        Somewhere in nowhere
phone:          +12 34 567 8900
fax-no:         +12 34 567 8900
e-mail:         bitbucket@ripe.net
abuse-mailbox:  bitbucket@ripe.net
admin-c:        AA1-DEV
tech-c:         AA2-DEV
mnt-by:         DEV-ROOT-MNT
remarks:        This is an automatically created object.
changed:        bitbucket@ripe.net 20051031
source:         DEV

person:         Test Person
mnt-by:         DEV-ROOT-MNT
address:        Somewhere in nowhere
phone:          +12 34 5678900
fax-no:         +12 34 5678900
e-mail:         bitbucket@ripe.net
nic-hdl:        AA1-DEV
remarks:        This is an automatically created object.
changed:        bitbucket@ripe.net 20051031
source:         DEV

% This query was served by the RIPE Database Query Service version 1.9-SNAPSHOT (UNDEFINED)
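The filtering rule described in the message above, sketched in Python as an added example (this is not RIPE NCC's code and not part of the original thread). The function names, the sample object and its placeholder hash are constructed; marking the "source:" line with "# Filtered" only when a hash was removed mirrors the sample output but is an assumption.

```python
import re

# "auth:" line using the MD5-PW scheme with a hash value still attached.
# A value starting with "#" is a comment, i.e. the line is already filtered.
_AUTH_MD5 = re.compile(r"^(auth:\s+)MD5-PW\s+(?!#)\S+.*$", re.IGNORECASE)
_SOURCE = re.compile(r"^(source:\s+\S+)\s*$", re.IGNORECASE)

# Constructed sample object; the hash value is a made-up placeholder.
SAMPLE = "\n".join([
    "mntner:         EXAMPLE-MNT",
    "auth:           MD5-PW $1$abcdefgh$ConstructedPlaceholder000",
    "auth:           PGPKEY-1290F9D2",
    "auth:           X509-1",
    "mnt-by:         EXAMPLE-MNT",
    "source:         DEV",
])


def exposed_md5(rpsl: str) -> list[str]:
    """Return the auth: lines that still carry an MD5-PW hash value."""
    return [l for l in rpsl.splitlines() if _AUTH_MD5.match(l)]


def filter_mntner(rpsl: str) -> str:
    """Drop MD5-PW hash values, keep every auth: attribute in place."""
    if not exposed_md5(rpsl):
        return rpsl  # nothing to hide: PGP-only objects pass through as-is
    out = []
    for line in rpsl.splitlines():
        m = _AUTH_MD5.match(line)
        if m:
            # Keep the attribute and its column padding, remove the hash.
            line = f"{m.group(1)}MD5-PW # Filtered"
        else:
            # Mark the object as filtered, as in the sample output above.
            line = _SOURCE.sub(r"\1 # Filtered", line)
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print(filter_mntner(SAMPLE))
```

Running exposed_md5() over the filtered output is a quick check that no hash value slipped through, and a PGP-only object comes back byte-for-byte identical, which is what lets the "whois, save to file, edit, send back" cycle work for such maintainers.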
[...] All PGP and X.509 values will remain unchanged.
We have already worked on this and a sample MNTNER object would look like the object below. We can deploy this change within the next two weeks.
Excellent!

Thanks,

- Håvard

Hi,

On Thu, Apr 26, 2012 at 11:25:32AM +0200, Denis Walker wrote:
It was clear from the discussions at RIPE 64 that we need to change the initial implementation of hiding the hashes for MD5 passwords in MNTNER objects. A suggestion was made to keep the "auth:" attributes in place. If the authentication token is an MD5 password we will remove the hash value. All PGP and X.509 values will remain unchanged.
I like this - for mntners with PGP-only, it means the "classic" edit cycle ("whois, save to file, edit, send back") will work again.

For mntners with MD5, the MD5 hash *is* protected - and security is always a trade-off against convenience, so I see this as acceptable compromise.

Gert Doering
        -- no hats
--
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
Hi,
Dear colleagues,
It was clear from the discussions at RIPE 64 that we need to change the initial implementation of hiding the hashes for MD5 passwords in MNTNER objects. A suggestion was made to keep the "auth:" attributes in place. If the authentication token is an MD5 password we will remove the hash value. All PGP and X.509 values will remain unchanged.
We have already worked on this and a sample MNTNER object would look like the object below. We can deploy this change within the next two weeks.
i would very much like to see this implemented :-)

Although i made myself comfortable with the current "new" way of doing updates by mail, it's annoying and certainly saves time to be able to do that again in one step like we used to.

Thanks for this!

-- Mit freundlichen Grüßen / Kind Regards
Sascha Lenz [SLZ-RIPE] Senior System- & Network Architect

+1

Dave

On 27 Apr 2012, at 15:47, "Sascha Lenz" <slz@baycix.de> wrote:
Hi,
Dear colleagues,
It was clear from the discussions at RIPE 64 that we need to change the initial implementation of hiding the hashes for MD5 passwords in MNTNER objects. A suggestion was made to keep the "auth:" attributes in place. If the authentication token is an MD5 password we will remove the hash value. All PGP and X.509 values will remain unchanged.
We have already worked on this and a sample MNTNER object would look like the object below. We can deploy this change within the next two weeks.
i would very much like to see this implemented :-)
Although i made myself comfortable with the current "new" way of doing updates by mail, it's annoying and certainly saves time to be able to do that again in one step like we used to.
Thanks for this!
-- Mit freundlichen Grüßen / Kind Regards
Sascha Lenz [SLZ-RIPE] Senior System- & Network Architect
+1

On Fri, 27 Apr 2012, David Freedman wrote:
+1
Dave
On 27 Apr 2012, at 15:47, "Sascha Lenz" <slz@baycix.de> wrote:
Hi,
Dear colleagues,
It was clear from the discussions at RIPE 64 that we need to change the initial implementation of hiding the hashes for MD5 passwords in MNTNER objects. A suggestion was made to keep the "auth:" attributes in place. If the authentication token is an MD5 password we will remove the hash value. All PGP and X.509 values will remain unchanged.
We have already worked on this and a sample MNTNER object would look like the object below. We can deploy this change within the next two weeks.
i would very much like to see this implemented :-)
Although i made myself comfortable with the current "new" way of doing updates by mail, it's annoying and certainly saves time to be able to do that again in one step like we used to.
Thanks for this!
-- Mit freundlichen Grüßen / Kind Regards
Sascha Lenz [SLZ-RIPE] Senior System- & Network Architect
Regards

Daniel Stolpe

_________________________________________________________________________________
Daniel Stolpe           Tel:  08 - 688 11 81                   stolpe@resilans.se
Resilans AB             Fax:  08 - 55 00 21 63            http://www.resilans.se/
Box 13 054                                                            556741-1193
103 02 Stockholm

+1

Kind regards
Andreas Larsen
IP-Only Telecommunication AB | Postal address: 753 81 UPPSALA | Visiting address: S:t Persgatan 6, Uppsala | Phone: +46 (0)18 843 10 00 | Direct: +46 (0)18 843 10 56
www.ip-only.se

On 27 Apr 2012 at 16:46, Sascha Lenz wrote:

Hi,

Dear colleagues,

It was clear from the discussions at RIPE 64 that we need to change the initial implementation of hiding the hashes for MD5 passwords in MNTNER objects. A suggestion was made to keep the "auth:" attributes in place. If the authentication token is an MD5 password we will remove the hash value. All PGP and X.509 values will remain unchanged.

We have already worked on this and a sample MNTNER object would look like the object below. We can deploy this change within the next two weeks.

i would very much like to see this implemented :-)

Although i made myself comfortable with the current "new" way of doing updates by mail, it's annoying and certainly saves time to be able to do that again in one step like we used to.

Thanks for this!

-- Mit freundlichen Grüßen / Kind Regards
Sascha Lenz [SLZ-RIPE] Senior System- & Network Architect
On 26/04/2012 10:25, Denis Walker wrote:
Dear colleagues,
It was clear from the discussions at RIPE 64 that we need to change the initial implementation of hiding the hashes for MD5 passwords in MNTNER objects. A suggestion was made to keep the "auth:" attributes in place. If the authentication token is an MD5 password we will remove the hash value. All PGP and X.509 values will remain unchanged.
We have already worked on this and a sample MNTNER object would look like the object below. We can deploy this change within the next two weeks.
I've noted 6 replies in favour of this and none against and so I'd ask the DB team to roll this change out as soon as conveniently possible.

Nigel

Dear Colleagues,

This revised implementation has now been deployed. If you have any specific issues with it, please contact our Customer Services with details on <ripe-dbm@ripe.net>, or for more general comments you can reply back to this mailing list.

Regards,
Denis Walker
Business Analyst
RIPE NCC Database Group

On 16/05/12:21 12:35 PM, Nigel Titley wrote:
On 26/04/2012 10:25, Denis Walker wrote:
Dear colleagues,
It was clear from the discussions at RIPE 64 that we need to change the initial implementation of hiding the hashes for MD5 passwords in MNTNER objects. A suggestion was made to keep the "auth:" attributes in place. If the authentication token is an MD5 password we will remove the hash value. All PGP and X.509 values will remain unchanged.
We have already worked on this and a sample MNTNER object would look like the object below. We can deploy this change within the next two weeks.
I've noted 6 replies in favour of this and none against and so I'd ask the DB team to roll this change out as soon as conveniently possible.
Nigel
participants (8)
- Andreas Larsen
- Daniel Stolpe
- David Freedman
- Denis Walker
- Gert Doering
- Havard Eidnes
- Nigel Titley
- Sascha Lenz