Re: [db-wg] Analysis of MNTNER Authentication
Hi Peter

We looked a little deeper into this. We noticed there are only 50 MNTNER objects in the database that do NOT have a password. They use a combination of PGP and/or X.509 only.

So we looked at where these MNTNERs are used. There are probably many ways to look at this. The one we chose is how allocated address space is managed by LIRs. So we looked at the "mnt-lower:" on the allocation INETNUM objects. Some of these 50 MNTNERs are used in this way. The "mnt-lower:" allows assignments to be created. So this can be seen as a measure of control over the assigned address space.

We calculated the cumulative size of the allocation blocks where one of these 50 MNTNERs is used as the "mnt-lower:" as a percentage of the total allocated address space.

Cumulative total of allocations using one of these 50 MNTNERS: 4722688
Total allocated address space: 555648000
Percentage of address space controlled by PGP/X.509 only (without any passwords): 0.85%

For the other 99.15% of address space, there may be a PGP or X.509 credential in the MNTNER object, but in addition to a password.

Regards
Denis Walker
Business Analyst
RIPE NCC Database Group

On 21/06/11:26 7:14 PM, Peter Koch wrote:
Denis,
thanks a lot for producing the numbers and information.
The next step was to look into the referenced MNTNER objects to see how many used password, PGP or X.509, and in what combination and numbers.
MNTNER with one auth containing a password = 27,434 85%
MNTNER with only password = 27,796 86%
MNTNER with one auth containing a PGP = 952 3%
MNTNER with only PGP = 1,507 5%
MNTNER with one auth containing an X.509 = 16 <1%
MNTNER with only X.509 = 21 <1%
MNTNER with password plus either PGP or X.509 = 3,023 9%
MNTNER with PGP plus X.509 (no password) = 50 <1%
MNTNER with one password plus multiple PGP = 357 1%
MNTNER with one PGP plus multiple password = 59 <1%
in addition to what Shane suggested (which methods are actually _used_), I'd be interested to learn how large of a percentage of the address space (as opposed to the number of objects) is covered by "password" authentication. This is to avoid artefacts by passwords being used for small chunks and PGP/X.509 for the larger ones - or vice versa.
Thanks, Peter
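
The measurement described in this message, sketched as an added example (not code from the thread or from the RIPE NCC): it classifies MNTNER objects by their "auth:" schemes and sums the size of allocation INETNUM objects whose "mnt-lower:" names a password-free MNTNER. The object names, address ranges and hash string are constructed, and treating any "auth:" scheme ending in "-PW" as a password is an assumption.

```python
import ipaddress

# Constructed sample objects in RPSL style; names, ranges and the hash are made up.
SAMPLE_DB = """\
mntner: EXAMPLE-KEY-MNT
auth: PGPKEY-0A1B2C3D
auth: X509-1

mntner: EXAMPLE-MIXED-MNT
auth: PGPKEY-0A1B2C3D
auth: MD5-PW $1$constructed$hash

inetnum: 192.0.2.0 - 192.0.2.255
status: ALLOCATED PA
mnt-lower: EXAMPLE-KEY-MNT

inetnum: 10.0.0.0 - 10.0.2.255
status: ALLOCATED PA
mnt-lower: EXAMPLE-MIXED-MNT

inetnum: 192.0.2.0 - 192.0.2.127
status: ASSIGNED PA
mnt-lower: EXAMPLE-KEY-MNT
"""

def parse_objects(text):
    """Split RPSL text into objects, each a list of (attribute, value) pairs."""
    return [[tuple(s.strip() for s in line.split(":", 1)) for line in block.splitlines()]
            for block in text.strip().split("\n\n")]

def values(obj, key):
    return [v for k, v in obj if k == key]

def no_password_share(text):
    """Return (covered, total) address counts over ALLOCATED inetnum objects."""
    objs = parse_objects(text)
    # Assumption: a maintainer is password-free when no auth: value uses a *-PW scheme.
    no_pw = {o[0][1] for o in objs if o[0][0] == "mntner"
             and not any(a.split()[0].upper().endswith("-PW") for a in values(o, "auth"))}
    covered = total = 0
    for o in objs:
        if o[0][0] == "inetnum" and values(o, "status")[0].startswith("ALLOCATED"):
            first, last = (int(ipaddress.IPv4Address(p.strip())) for p in o[0][1].split("-"))
            size = last - first + 1
            total += size
            if no_pw & set(values(o, "mnt-lower")):
                covered += size
    return covered, total
```

On the constructed sample, 256 of 1024 allocated addresses fall under a password-free "mnt-lower:"; the assignment object is ignored because only allocations are counted.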