<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div><br>I support the idea of BCP</div><div><br>On Nov 21, 2012, at 3:52 AM, Douglas Onyango <<a href="mailto:ondouglas@gmail.com">ondouglas@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div><p>I agree with Frank here: a policy shouldn't be required as this is an implementation detail.</p>
<p>AfriNIC should take this issue up and resolve it in line with whatever incident and/or change mgt process they have in place.</p>
<p>Regards,<br>
On Nov 21, 2012 12:34 PM, "Frank Habicht" <<a href="mailto:geier@geier.ne.tz">geier@geier.ne.tz</a>> wrote:<br>
><br>
> I support this.<br>
><br>
> Personally I hope it won't need a policy.<br>
> After all we also don't have a policy to tell AfriNIC to run the whois<br>
> service on port 43.<br>
> Some technical operations things are just BCP.<br>
><br>
> Frank<br>
><br>
><br>
> On 11/21/2012 10:53 AM, Guy Antony Halse wrote:<br>
> > Hi<br>
> ><br>
> > I'm not sure whether this needs to be a formal policy suggestion, or whether<br>
> > this is just common sense.<br>
> ><br>
> > As things currently stand, <a href="http://whois.afrinic.net">whois.afrinic.net</a> leaks authentication<br>
> > information in mntner objects. Given that MD5 is now considered<br>
> > compromised[1], this is a bad thing(tm).<br>
> ><br>
> > Consider this example from <a href="http://whois.afrinic.net">whois.afrinic.net</a>:<br>
> ><br>
> > guy@walrus:~% whois -h <a href="http://whois.afrinic.net">whois.afrinic.net</a> -- '-r rhodes-mnt'<br>
> > % This is the AfriNIC Whois server.<br>
> ><br>
> > % Note: this output has been filtered.<br>
> ><br>
> > % Information related to 'RHODES-MNT'<br>
> ><br>
> > mntner: RHODES-MNT<br>
> > descr: Rhodes University<br>
> > admin-c: RUAC1-AFRINIC<br>
> > tech-c: RUTC1-AFRINIC<br>
> > auth: MD5-PW $1$YNIwaJCr$o6HscaF6FNVCRsYjIFn1v0<br>
> > remarks: Rhodes University Information Technology Division<br>
> > remarks: <a href="http://www.ru.ac.za/">http://www.ru.ac.za/</a><br>
> > mnt-by: RHODES-MNT<br>
> > source: AFRINIC # Filtered<br>
> ><br>
> > which leaks an MD5 password in the auth: attribute.<br>
> ><br>
> > Then consider RIPE's output for the equivalent object:<br>
> ><br>
> > guy@walrus:~% whois -h <a href="http://whois.ripe.net">whois.ripe.net</a> -- '-r rhodes-mnt'<br>
> > % This is the RIPE Database query service.<br>
> > % The objects are in RPSL format.<br>
> > %<br>
> > % The RIPE Database is subject to Terms and Conditions.<br>
> > % See <a href="http://www.ripe.net/db/support/db-terms-conditions.pdf">http://www.ripe.net/db/support/db-terms-conditions.pdf</a><br>
> ><br>
> > % Note: this output has been filtered.<br>
> > % To receive output for a database update, use the "-B" flag.<br>
> ><br>
> > % Information related to 'RHODES-MNT'<br>
> ><br>
> > mntner: RHODES-MNT<br>
> > descr: Rhodes University<br>
> > remarks: see also RHODES-MNT in AfriNIC's database (<a href="http://whois.afrinic.net">whois.afrinic.net</a>)<br>
> > admin-c: RUZA1-RIPE<br>
> > admin-c: RUZA1-RIPE<br>
> > auth: MD5-PW # Filtered<br>
> > mnt-by: RHODES-MNT<br>
> > referral-by: RHODES-MNT<br>
> > remarks: Accepted the RIPE Database Terms and Conditions<br>
> > source: RIPE # Filtered<br>
> ><br>
> > % This query was served by the RIPE Database Query Service version 1.42 (WHOIS2)<br>
> ><br>
> > which filters the auth: attribute to remove the MD5 password string, while<br>
> > still maintaining sufficient information to let me know that the object is<br>
> > password protected and indeed has an MD5 password.<br>
> ><br>
> > I would strongly suggest that AfriNIC should be following RIPE's example,<br>
> > and filtering the auth: attribute of the mntner object in WHOIS output.<br>
> ><br>
> > Can someone from AfriNIC comment? If this needs to be a formal policy<br>
> > proposal, I'm happy to put one together.<br>
> ><br>
> > - Guy<br>
> ><br>
><br>
> _______________________________________________<br>
> rpd mailing list<br>
> <a href="mailto:rpd@afrinic.net">rpd@afrinic.net</a><br>
> <a href="https://lists.afrinic.net/mailman/listinfo.cgi/rpd">https://lists.afrinic.net/mailman/listinfo.cgi/rpd</a><br>
</p>
</div></blockquote></body></html>
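The filtering described in the thread for RIPE's output, as an added example that is not part of the original messages or of either registry's software: it withholds the hash on `auth:` lines while keeping the scheme name, and includes an audit check for server output that still carries a hash. The sample object, its hash value and the rule that any `<SCHEME>-PW` value is a password hash are constructed assumptions.

```python
import re

# Assumption: any "<SCHEME>-PW <hash>" auth value is a password hash to withhold;
# other auth values (for example a PGPKEY-... reference) are not secrets and pass through.
AUTH_PW = re.compile(r"^(auth:\s*)([A-Za-z0-9]+-PW)\s+(\S+)(.*)$", re.IGNORECASE)
SOURCE = re.compile(r"^(source:\s*)(\S+)(.*)$", re.IGNORECASE)

# Constructed sample object; the hash below is not a real credential.
SAMPLE = """\
mntner:   EXAMPLE-MNT
descr:    Example Org
auth:     MD5-PW $1$abcdefgh$CONSTRUCTEDHASHVALUE00
auth:     PGPKEY-0BADC0DE
mnt-by:   EXAMPLE-MNT
source:   EXAMPLE"""


def filter_mntner(obj: str) -> str:
    """Return the object with password hashes removed from auth: lines."""
    out, redacted = [], False
    for line in obj.splitlines():
        m = AUTH_PW.match(line)
        if m:
            # Keep the scheme so readers still see the object is password protected.
            out.append(f"{m.group(1)}{m.group(2)} # Filtered")
            redacted = True
        else:
            out.append(line)
    if redacted:
        # Mark the object as filtered on its source: line, once.
        for i, line in enumerate(out):
            s = SOURCE.match(line)
            if s and "# Filtered" not in line:
                out[i] = f"{s.group(1)}{s.group(2)} # Filtered"
    return "\n".join(out)


def leaked_auth_lines(whois_output: str) -> list[str]:
    """Audit check: auth: lines in server output that still carry a hash."""
    hits = []
    for line in whois_output.splitlines():
        m = AUTH_PW.match(line)
        if m and m.group(3) != "#":  # "#" means the value is already "# Filtered"
            hits.append(line)
    return hits


if __name__ == "__main__":
    print(filter_mntner(SAMPLE))
```

Running `leaked_auth_lines` over saved query responses gives a quick regression check that a server-side filter is still in effect.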