Search RPD Archives
Limit search to: Subject & Body Subject Author
Sort by:

[AFRINIC-rpd] leaks passwords

Viv Padayatchy viv.padayatchy at
Thu Nov 22 14:00:58 UTC 2012

I agree with Sunday.

Let's fix the anomaly first. For the rest, we have more time to
discuss...and debate!

Thanks to Guy for pointing this out btw.



-----Original Message-----
From: rpd-bounces at [mailto:rpd-bounces at] On Behalf Of
Sunday Folayan
Sent: 22 November 2012 10:19
To: rpd at
Subject: Re: [AFRINIC-rpd] leaks passwords

Hi Adiel,

Filter the display of the MD5 password immediately per BCP. Whether to use
other passwords can be discussed in Khartoum, but let the filter be done

In complex statement notation: With Whois do b, then a and/or c in any



On 22/11/2012 06:50, Adiel Akplogan wrote:
> Hello Guy-Antony,
> Thanks for pointing this out.
> We are aware of the issue and actually looking into options that can 
> be implemented to properly address it. A presentation will be deliver 
> on it during AFRINIC-17 in Karthoum.
> Our thinking is around a) Encouraging people to use PGP or X.509 
> instead of MD-5 b) Doing what you are suggesting and filter out the 
> MD-5 encrypted password while displaying mntner queries output, and/or 
> c) gradually phase out MD-5 completely to only allow PGP and X.509. In 
> my sense a combination of (b) and (c) could be the appropriate way to 
> handle this for the long term.
> While we consider this as an operational issue to some extend, I'm 
> interested to know what is the community take on phasing out MD-5 
> completely.
> In any case people currently have the choice to use PGP or X.509 
> instead of MD-5 as authentication method for their mntner objects.
> Thanks.
> - a.
> On 2012-11-21, at 11:53 AM, Guy Antony Halse <G.halse at> wrote:
>> Hi
>> I'm not sure whether this needs to be a formal policy suggestion, or 
>> whether this is just common sense.
>> As things currently stand, leaks authentication 
>> information in mntner objects.  Given that MD5 is now considered 
>> compromised[1], this is a bad thing(tm).
>> Consider this example from
>>   guy at walrus:~% whois -h -- '-r rhodes-mnt'
>>   % This is the AfriNIC Whois server.
>>   % Note: this output has been filtered.
>>   % Information related to 'RHODES-MNT'
>>   mntner:         RHODES-MNT
>>   descr:          Rhodes University
>>   admin-c:        RUAC1-AFRINIC
>>   tech-c:         RUTC1-AFRINIC
>>   auth:           MD5-PW $1$YNIwaJCr$o6HscaF6FNVCRsYjIFn1v0
>>   remarks:        Rhodes University Information Technology Division
>>   remarks:
>>   mnt-by:         RHODES-MNT
>>   source:         AFRINIC # Filtered
>> which leaks an MD5 password in the auth: attribute.
>> Then consider RIPE's output for the equivelent object:
>>   guy at walrus:~% whois -h -- '-r rhodes-mnt'
>>   % This is the RIPE Database query service.
>>   % The objects are in RPSL format.
>>   %
>>   % The RIPE Database is subject to Terms and Conditions.
>>   % See
>>   % Note: this output has been filtered.
>>   %       To receive output for a database update, use the "-B" flag.
>>   % Information related to 'RHODES-MNT'
>>   mntner:         RHODES-MNT
>>   descr:          Rhodes University
>>   remarks:        see also RHODES-MNT in AfriNIC's database
>>   admin-c:        RUZA1-RIPE
>>   admin-c:        RUZA1-RIPE
>>   auth:           MD5-PW # Filtered
>>   mnt-by:         RHODES-MNT
>>   referral-by:    RHODES-MNT
>>   remarks:        Accepted the RIPE Database Terms and Conditions
>>   source:         RIPE # Filtered
>>   % This query was served by the RIPE Database Query Service version 
>> 1.42 (WHOIS2)
>> which filters the auth: attribute to remove the MD5 password string, 
>> while still maintaining sufficient information to let me know that 
>> the object is password protected and indeed has an MD5 password.
>> I would strongly suggest that AfriNIC should be following RIPE's 
>> example, and filtering the auth: attribute of the mntner object in WHOIS
>> Can someone from AfriNIC comment.  If this needs to be a formal 
>> policy proposal, I'm happy to put one together.
>> - Guy
>> --
>> Manager: Systems, IT Division, Rhodes University, Grahamstown, South
>> Email: G.Halse at   Web:   IRC:
rm-rf at
>> *** ANSI Standard Disclaimer ***
>> [1]
>> _______________________________________________
>> rpd mailing list
>> rpd at
> _______________________________________________
> rpd mailing list
> rpd at

Sunday Adekunle Folayan
    email: sfolayan at, sfolayan at
    phone: +234-802-291-2202
    skype: sfolayan
    tweet: sfolayan
linkedin: sfolayan

rpd mailing list
rpd at

More information about the RPD mailing list