On Mon, Jan 10, 2011 at 12:37 PM, Jon Lewis <jlewis@lewis.org> wrote:
On Sun, 9 Jan 2011, Charles N Wyble wrote:
I am simply suggesting it is dangerous and irresponsible to run an IRR with only MAIL-FROM authentication, and quite easy to also support CRYPT-PW. ARIN should either support passwords or immediately make
The trouble is, since the DES crypt passwords are publicly accessible, even CRYPT-PW is not much security. I suspect with a copy of the db, a password cracking program, and some modest computing capacity, you could crack all
DES crypt() is not completely trivial yet, but I agree, it is far from state-of-the-art. It is substantially superior to MAIL-FROM. In addition, MERIT reduced this problem by simply filtering out the hashes from the RADB.db file and whois output (and presumably also, the www.radb.net tools.)

--
Jeff S Wheeler <jsw@inconcepts.biz>
Sr Network Operator / Innovative Network Concepts
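The hash filtering described in the message above, combined with a check for maintainers that rely only on MAIL-FROM, as an added example that is not part of the original thread and not MERIT's code. The sample objects, the `HIDDEN` placeholder and the function names are constructed for illustration.

```python
import re

# Constructed sample of RPSL objects (not real registry data).
SAMPLE_DB = """
mntner:  MAINT-EXAMPLE-A
descr:   Example maintainer A
auth:    MAIL-FROM noc@example.net
source:  EXAMPLE

mntner:  MAINT-EXAMPLE-B
auth:    CRYPT-PW abCONSTRUCTED
source:  EXAMPLE

route:   192.0.2.0/24
origin:  AS64500
mnt-by:  MAINT-EXAMPLE-B
source:  EXAMPLE
"""

AUTH_RE = re.compile(r"^(auth:\s*)(\S+)", re.IGNORECASE)
HASHED_SCHEMES = {"CRYPT-PW"}   # schemes whose value is a password hash
PLACEHOLDER = "HIDDEN"          # assumed placeholder text for published copies


def audit_and_redact(db_text):
    """Return (publishable_text, mntners_using_only_mail_from)."""
    published, mail_from_only = [], []
    # RPSL objects are separated by blank lines.
    for obj in re.split(r"\n\s*\n", db_text.strip()):
        lines = obj.splitlines()
        schemes = []
        for i, line in enumerate(lines):
            m = AUTH_RE.match(line)
            if not m:
                continue
            scheme = m.group(2).upper()
            schemes.append(scheme)
            if scheme in HASHED_SCHEMES:
                # Drop the hash so it never reaches the dump or whois output.
                lines[i] = f"{m.group(1)}{scheme} {PLACEHOLDER}"
        is_mntner = lines[0].lower().startswith("mntner:")
        if is_mntner and schemes and set(schemes) == {"MAIL-FROM"}:
            mail_from_only.append(lines[0].split(":", 1)[1].strip())
        published.append("\n".join(lines))
    return "\n\n".join(published) + "\n", mail_from_only


if __name__ == "__main__":
    text, weak = audit_and_redact(SAMPLE_DB)
    print(text)
    print("MAIL-FROM only:", weak)
```
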