- db-wg - mailman.ripe.net

Geolocation beta functionality now in the RIPE DB
by Alex Band 18 Apr '12

18 Apr '12

Dear colleagues, We are happy to announce that geolocation functionality now is available as a beta in the RIPE Database. It can be optionally included in the INETNUM and INET6NUM objects. With the operational experience we gain with this beta, we will continue to develop it to a production service. Two attributes have been added: - "geoloc:" - "language:" The first attribute stores the geolocation data as longitude and latitude, specifying the area where the address space is used. The second attribute sets the preferred language that users of the address space wish to see content in. In addition, we are launching the Geolocation Finder: https://apps.db.ripe.net/search/geolocation-finder.html This tool helps you find geolocation data in the RIPE Database, by simply entering an IP address in the form. If the address is covered by either location or language data, the results are shown as text and on a Google map. Kind regards, Alex Band Product Manager RIPE NCC

1 0

Draft Minutes RIPE 63
by Nigel Titley 20 Mar '12

20 Mar '12

Folks, It looks to me as though I didn't send out the minutes for the DB-WG last November. Apologies for this. Please find them attached. Nigel

1 0

RIPE Database Access Control
by Denis Walker 09 Mar '12

09 Mar '12

Dear Colleagues As part of the redevelopment project for the RIPE Database, we re-implemented the Access Control List (ACL) mechanism. We simplified the process and have some questions to ask the community. 1/ Should we change the default query behaviour so personal data must be explicitly requested? 2/ Should we block access to personal data only and still allow access to operational data? 3/ Should there be more transparency of limits with some user options? More details about the new ACL and these three questions are provided below. As the RIPE NCC continues to progress with the redevelopment project, we will have more of these questions. The wider the community feedback on these questions, the easier it will be for us to build a RIPE Database service that satisfies your needs. Regards, Denis Walker Business Analyst RIPE NCC Database Group Overview of new ACL To make it very easy to understand what is happening, we have redefined the algorithm for blocking and unblocking. Now, when you hit a set limit for accessing personal data sets within a day, you will be temporarily blocked from accessing the RIPE Database. This temporary block will be removed at midnight (UTC). If you are temporarily blocked 10 times in a rolling 30 day period, you will be permanently blocked. A permanent block can only be removed by contacting Customer Services at <ripe-dbm(a)ripe.net> and discussing the situation. This is, in principle, the same as the current behaviour but with simplified time periods and reset points. Background to questions 1/ The current default behaviour on any query is to always return personal data referenced in any other data that is returned by the query. This is one of the main causes for temporary blocking of access to the RIPE Database. Personal data is often returned when it was not needed. To prevent the personal data being accounted, a query must include the '-r' option. Many users think an option like '-T INETNUM' will only return the INETNUM objects and no personal data will be involved. Unfortunately, '-T' is not a true query option. It is a filter. So the personal data is still queried and then filtered out of the results set. This causes the personal data to still be accounted for as if you had received it. We would like to suggest reversing the default query behaviour. This way no personal data will be returned unless you include a new query flag explicitly requesting it. 2/ The current blocking mechanism works on the basis of all or nothing. If you are not blocked, you can successfully query for any data in the RIPE Database. If you are blocked (either temporarily or permanently), any query from you is rejected with a "Denied access" error message. We would like to propose a middle road. Blocking can be set to only apply to personal data. So, after being blocked, you can still query for any operational data in the RIPE Database. But all personal data will be filtered out of the results set, even if you explicitly request it. If the community likes this idea, a further choice is possible. One option is to apply this middle road to both temporary and permanent blocks. Another is to only apply this to temporary blocks and keep a permanent block as a complete "Denied access" error. 3/ A final question regards information about the limits. In the past, details of limits and when they were reset were not clearly published in any document. But it is not difficult to determine them with a little trial and error. Perhaps the community would prefer complete transparency on this. We can publish all the limits in a revised Acceptable Use Policy (AUP) document and even provide a query option to let a user know how much of their daily limit they have already used.

6 8

Forward DOMAIN Object Cleanup and Syntax Changes
by Denis Walker 08 Mar '12

08 Mar '12

[Apologies for duplicate emails] Dear colleagues, At RIPE 57, the RIPE NCC was asked to remove all forward domain data from the RIPE Database. The last two ccTLD operators' data was removed today, 31 January 2011. The RIPE NCC can now confirm the completion of action point AP57.2 from the RIPE Database Working Group. At RIPE 62, the RIPE NCC was asked to look at the attributes in DOMAIN objects. With the removal of any hierarchy in reverse delegations and the removal of forward domain data, we no longer see any use case for the "mnt-lower:" attribute. Other attributes that it has been suggested were used only for forward domains are: - "refer:" - "sub-dom:" - "dom-net:" The statistics listed at the bottom of this email show how many of these attributes have been added to ENUM and reverse delegation DOMAIN objects. It has also been suggested that the "nserver:" optional attribute could be made a "required" attribute in reverse delegation DOMAIN objects. It could remain optional in ENUM DOMAIN objects or it could be disallowed. The RIPE NCC asked the community in July 2011 if anyone saw any justification for the use of these attributes in ENUM or reverse delegation DOMAIN objects. We did not receive any feedback on this. If there is no justification, the syntax of the DOMAIN object can be adjusted to deprecate these attributes. Then all current DOMAIN objects in the RIPE Database can be "cleaned" to remove this data. Business rules can be added to make the "nserver:" attribute required or disallowed in different types of DOMAIN objects, if this is considered useful. To keep the discussion focused, please send any comments or feedback to the DNS Working Group mailing list. Regards, Denis Walker Business Analyst RIPE NCC Database Group Statistics (as at July 2011) ---------- Number of each attribute used in reverse delegations or ENUMs and the number of unique maintainers who manage these objects. "refer:" = 6 unique maintainers = 1 "sub-dom:" = 271 unique maintainers = 23 "dom-net:" = 2,219 unique maintainers = 140 "mnt-lower:" = 46,485 unique maintainers = 4,208

9 11

Plain text passwords in email updates
by Denis Walker 22 Feb '12

22 Feb '12

Dear Colleagues, The RIPE NCC recently announced completion of an action point from the RIPE Database Working Group to hide the password hashes in MNTNER objects from public view. As a follow up to that, we agreed to contact all maintainers and advise them to update their passwords. This was also completed last week. At RIPE 64 we will provide some statistics on the outcome of that advice. The next issue that was raised in the Database Working group session at RIPE 63 was the use of plain text passwords in emails to update data in the RIPE Database. The RIPE NCC would like to invite members of the community to put forward and discuss ideas on resolving this matter. Note that there are now many ways to update objects in the RIPE Database. As well as the traditional email service, there is also Webupdates for single or small numbers of objects to be updated. For scripting of automated updates, there are Syncupdates and the RESTful API. Some ideas that have been suggested during discussions in the past are to disallow the use of passwords in email updates and also the option to drop email updates completely. There may also be other options. As usual, the RIPE NCC will follow any discussions and provide technical input where necessary. Regards, Denis Walker Business Analyst RIPE NCC Database Group

3 4

help
by Caraliu.Samuel 16 Feb '12

16 Feb '12

2012/2/15 <db-wg-request(a)ripe.net> > Send db-wg mailing list submissions to > db-wg(a)ripe.net > > To subscribe or unsubscribe via the World Wide Web, visit > https://www.ripe.net/mailman/listinfo/db-wg > or, via email, send a message with subject or body 'help' to > db-wg-request(a)ripe.net > > You can reach the person managing the list at > db-wg-owner(a)ripe.net > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of db-wg digest..." > > > Today's Topics: > > 1. Suggestion for a way to retrieve filtered objects > (Anders Mundt Due) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Tue, 14 Feb 2012 18:10:33 +0100 > From: "Anders Mundt Due" <anders.mundt.due(a)uni-c.dk> > Subject: [db-wg] Suggestion for a way to retrieve filtered objects > To: "Database WG" <db-wg(a)ripe.net> > Message-ID: > <80D52320F10F9143AF3670B571348EEA01F497BB(a)LGBEXCHANGE01.unic.local> > Content-Type: text/plain; charset="UTF-8" > > Hi there, > > We just had a problem with the RFC3068-MNT object, from what I can see, if > you have an object with at least one > auth: MD5 ... > > Only people that have one of the passwords can see the object in the > webupdater and get the full object to manipulate the object. > > So now, instead of having a chance to get rid of shared > passwords/passphrases, everybody needs to have one, because of the way > objects are filtered. > > Only idea I've had so far, would be that there should be a way to request > an object in a way where I can authenticate with my PGPKEY, for instance > using email and not a webbrowser, so I'd sign a mail requesting an object, > with a key that would be listed as authentication in the object I request, > and that would return the unfiltered object to me. > > Of course, the other solution is to just get hold of all the people with > an auth: MD5 line and make them take it out, that way you can get the full > object without authenticating on the webupdater. > > I'm not sure if my thought here is useable, good or practical. But it > someone can come up with a brilliant way to make shared objects of this > kind smoothly, I suspect the people implementing the database will be eager > to hear about it, and at the very least the people behind RFC3068-MNT will > be gratefull. > > /Anders > Forskningsnettet dk.denet > > End of db-wg Digest, Vol 6, Issue 2 > *********************************** >

1 0

cmd line asused and webasused
by Nina Hjorth Bargisen 18 Jan '12

18 Jan '12

Hi all Last year I learned - by asking around - that the asused tool commandline script was no longer supported by RIPE - that was after not being able to find it on the usual ftp site. We have since managed to get by with an old copy but now it seems that this is no longer able to get output from the RIPE db and hence all our adress usage and other homemade scripts are now broken. I assume that this step has been taken after some discussion that I myself have been too lazy to follow in this working group, but as I cant manage to find any reference of it in a brief search in the archives and my mailbox that holds mails from a few years, I hope someone in the group can enlighten me about why this step was taken. I have tried to use the webtool, but as it spams *every* person in the LIR contact list with several mails and all the output is jammed together in one long list, I am not really too happy about rewriting all my scripts to some how use the webtool to give me the nessercary output. So - Is there *ANY* chance of somehow get support of a similar tool to the old asused used, that one can install and run from our own box and with the support of the same options as before or does all tools now focus on small LIRs with very and hence very easily manually managed addressspace? /Nina TDC dk.teledanmark

7 11

Re: [db-wg] cmd line asused and webasused
by Alex Band 18 Jan '12

18 Jan '12

Hi Nigel, I can assure you that the action the board gave, what Axel understood and what we are developing is perfectly aligned. "Merely provisioning an API into the webasused tool" is not what I said and definitely not what we're creating. Our goal is to cater to all needs that the membership has with regards to address space information and management. Some just want a simple web based interface that they can check without needing to download and run a local tool. Some have a need to integrate address space information into their local (IPAM) toolsets and workflows. But what all users have in common is the desire to have a more comprehensive information set than is currently available, such as an overview of the invalid assignments, as Nina pointed out. This is why we're taking an approach of using Registry data instead of the RIPE Database. To summarise, again, we will provide functionality for both web-based and stand-alone use. In the mean time, we will do everything we can to make sure the current asused functionality is not disrupted. Kind regards, Alex On 17 Jan 2012, at 17:53, Nigel Titley wrote: > Nick, Alex et al > > At the Board meeting on the 8th December the board gave Axel an action "to reinstate/redevelop the stand-alone version of the RIPE NCC ASused tool" > > I doubt that this action would be satisfied merely by the provision of an API into the webasused tool. > > Alex, you may like to check this with Axel. It is possible that it was misunderstood by him, but it is very clearly minuted. > > And I'd agree with Nick that lack of platform portability is one of the few brickbats that cannot be aimed at perl. > > Nigel > > -----Original Message----- > From: db-wg-bounces(a)ripe.net [mailto:db-wg-bounces@ripe.net] On Behalf Of Nick Hilliard > Sent: 17 January 2012 16:22 > To: Alex Band > Cc: db-wg(a)ripe.net > Subject: Re: [db-wg] cmd line asused and webasused > > Hi Alex, > > On 17/01/2012 14:25, Alex Band wrote: >> Thanks for bringing up asused. It is a tool that was written and >> maintained by the RIPE NCC many years ago and later handed to the open >> source community, where it can be found in packages such as Debian: >> http://packages.qa.debian.org/a/asused.html >> >> This, along with the fact that is was written in a very platform >> specific manner, is the reason why the tool is no longer actively >> developed and supported by the RIPE NCC. On the other hand, we have >> always kept the existence of asused in mind, which means that we would >> never intentionally change anything to our (whois) configuration that >> would break asused. I want to assure you that we'll try to fix any >> issue that you may have on a best effort basis. > > Problem is, we don't yet have a replacement command-line tool for dealing with quick-n-easy LIR resource usage summarisation. This has meant that the people who depended on this tool were left hanging for the last 8 years, because the code slowly rotted as interfaces subtly changed over time. This is not a criticism of changing the DB interface or anything, btw - progress needs to happen. > > In terms of being platform specific, it was limited to any platform which could run perl - perhaps with minor modifications. There are lots of complaints that people make about perl, (some legitimate) but platform portability is not one of them. > > OTOH, webasused can be very slow. E.g. I submitted a request for a LIR at > 15:28 GMT today, and got a reply at 15:39. This makes it unusable for a typical workflow process (e.g. run asused, check output against internal records, submit a couple of updates, run asused again, check again, repeat until satisfied). > > The web version is also unauthenticated which means that it's open to third parties submitting requests for arbitrary LIRs. And it doesn't support ipv6, which means that it's still difficult to do resource reconciliation for v6 assignments. > > I'll admit that not everyone likes command line tools, but for those of us who continue to us asused, it's a real pity that it wasn't maintained and further developed to support ipv6. > > Nick > >

2 1

MD5 Password Security Update Deployed
by Denis Walker 12 Jan '12

12 Jan '12

Dear colleagues, [Apologies for duplicate emails.] The RIPE NCC is pleased to announce that the implementation of the MD5 password security change has now been fully deployed. This was discussed recently on the RIPE Database Working Group mailing list. The RIPE NCC was asked to implement the technical change as outlined in this RIPE Labs article: https://labs.ripe.net/Members/denis/securing-md5-hashes-in-the-ripe-database This deployment has an impact only when you modify a MNTNER object that contains an MD5 password. This can only be done using Webupdates. You must be one of the password holders to make changes. Operations on all other object types are unchanged. The RIPE NCC will now: - Send emails to contact addresses in all MNTNER objects containing MD5 passwords recommending a password change and suggesting that a strong password be used - Perform a small MNTNER clean-up by preparing a list of unreferenced MNTNER objects and deleting those that are still unreferenced one month later. If you have not followed this discussion, we recommend that you read the RIPE Labs article to ensure that you understand the new process for maintaining MNTNER objects in the RIPE Database. Regards, Denis Walker Business Analyst RIPE NCC Database Group

1 0

Security of MD5 hashes in the RIPE Database
by Denis Walker 10 Jan '12

10 Jan '12

Dear Colleagues, The RIPE NCC Database Group is pleased to announce that the implementation of the MD5 password security change is now ready for deployment. This was discussed recently on the DB WG mailing list. The Database Group was asked to implement the technical change as outlined in this RIPE Labs article: https://labs.ripe.net/Members/denis/securing-md5-hashes-in-the-ripe-database The Database Group will now: - Fully deploy these changes on Thursday 12 January 2012 - Send emails to contact addresses in all MNTNER objects containing MD5 passwords recommending a password change and suggesting that a strong password be used - Perform a small MNTNER clean-up by preparing a list of unreferenced MNTNER objects and deleting those that are still unreferenced one month later. If you have not followed this discussion, we recommend that you read the RIPE Labs article to ensure that you understand the new process for maintaining MNTNER objects in the RIPE Database. A new version of Webupdates has already been deployed that asks for a password before allowing a MNTNER object with a password to be updated. But querying MNTNER objects from the RIPE Database will not change until Thursday. The full new software has been deployed on the TEST Database. So it is no longer possible to query a full MNTNER object that contains a password authentication token from the TEST Database, except by entering the password in Webupdates. Regards, Denis Walker Business Analyst RIPE NCC Database Group

1 0