On Sun, Jan 9, 2011 at 11:00 PM, Charles N Wyble <charles@knownelement.com> wrote:
> So why hasn't this happened already? If it's so easy, then all the normal actors that like to cause us late nights would have struck already.
As most of us in the net ops community know, there are many vulnerabilities that are very much non-obvious to a black hat guy used to DDoSing with botnets or exploiting the latest common daemon vulnerability. That is no assurance that this vulnerability will never be exploited. The very fact that we are talking about it on this mailing list (unfortunately) raises the chances that it will happen. If there was an article on Slashdot, I bet significant corruption pranks or deliberate, malicious erasure would happen inside of a week. If I spent 15 minutes making a "HOWTO anonymously delete an ISP from the ARIN IRR with a telnet client and an open proxy" and spread it around to some IRC bad-guys, you can be assured we would be talking about damage control, not prevention, by tomorrow. Finally, anyone who has ever 1) learned how email works; and 2) learned how to update their own IRR objects via email; can do it without reading anything, and has probably realized this vulnerability on their own years ago.
> So I don't think ARIN should spend its limited resources on anything to do with its copy of the IRR. In fact I'm not sure why they even operate one. It seems to be the realm of service providers to do so.
It is desirable to publish your IRR records in a neutral database, as opposed to a service provider database. Let's say I am a Level3 customer and I use their IRR. A year goes by, and I don't renew my contract with Level3, I instead start buying transit from AT&T. Well, AT&T does not operate an IRR database. Now I have to find a new place to publish my IRR data, *and* my new transit provider doesn't offer it as a service. If I have a need for IRR, I had better hope one of my other transit providers offers me a database, or use RADB, ALTDB, or another third-party database. This is why MERIT has a bunch of customers paying annual fees for RADB, a valuable service; and why some great folks volunteer their time to maintain the ALTDB. It is also no doubt the reason ARIN has an IRR database, but unfortunately, the ARIN IRR is a liability, not an asset, to the net ops community.

--
Jeff S Wheeler <jsw@inconcepts.biz>
Sr Network Operator / Innovative Network Concepts