Back in March 2002 we started to deprecate auth=MAIL-FROM. In August we finished it: http://www.ripe.net/ripencc/pub-services/db/mailfrom.html We did not do the same for auth=NONE and the RIPE announcement stated: "Though NONE "auth" scheme is even weaker it is not supposed to be consciously used for object protection, but rather as notification facility. Therefore NONE "auth" scheme is outside the scope of this proposal." It has come lately to the attention in the Internet security realm that spammers as well as crackers are hijacking IP address space. One easy way to "steal" IP address space is via those that have auth=NONE on their objects. Go to: http://www.ripe.net/db/whois-free.html select ALL and type in the search bar "auth: none". The results of those that can have their IPs easily hijacked is, how shall I say this, enormous. Luckily the RIPE search form is limited to 100 hits. Just as an example and not to pick on C&W but: aut-num: AS13186 as-name: UNSPECIFIED descr: C&W SA Autonomous System descr: Alcalde Barnils 64-68 descr: Parque Empresarial Sant Joan descr: 08190 Sant Cugat del Valles descr: BARCELONA import: from AS3352 action pref=100; accept ANY import: from AS12541 action pref=100; accept ANY import: from AS3561 action pref=100; accept ANY import: from AS16091 action pref=100; accept AS16091 export: to AS3352 announce AS13186 AS16091 export: to AS12541 announce AS13186 AS16091 export: to AS3561 announce AS13186 AS16091 export: to AS16091 announce ANY default: to AS12541 action pref=100; networks ANY admin-c: RV4415-RIPE tech-c: XL5-RIPE remarks: AS3352 -> anvazque@obscured-domain remarks: AS12541 ->graham.cole@obscured-domain mnt-by: AS13186-MNT mntner: AS13186-MNT descr: Cable and Wireless SA admin-c: RV4415-RIPE tech-c: XL5-RIPE upd-to: d12@obscured-domain auth: NONE mnt-by: AS13186-MNT referral-by: RIPE-DBM-MNT route: 212.66.160.0/19 descr: Intercom Servicios Telematicos Avanzados, S.A. origin: AS13186 notify: xlario@obscured-domain mnt-by: AS13186-MNT I could right now remove the route entry for 212.66.160.0/19 or change it to some other origin and thereby hijack the entry. All those that use auto-build tools based on the info in RIPE would allow me to announce the /19 and not C&W in Spain. Just an example. There are thousands. RIPE NCC won't deprecate auth=NONE without us telling them to do it. Why would we not want this? -Hank
participants (1)
-
Hank Nussbacher