Authentication Methods Used in the RIPE Database

By Mirjam Kuehne

Objects in the RIPE Database can only be modified by those authorised to do so. For instance, an object representing a certain range of IP addresses assigned to an organisation by the RIPE NCC or a Local Internet Registry (LIR) can be modified by the organisation holding that address space. Each database object contains one or more attributes referencing the maintainer(s) of that object. In a maintainer (MNTNER) object, credentials are listed for those who are authorised to modify any object referencing that MNTNER object. A credential can be any of the following:

After a discussion at the recent RIPE 62 meeting in Amsterdam, we were asked to find out how many MNTNER objects registered in the RIPE Database are actively maintaining other database objects and which type of authentication methods are used.

We found a total of 36,768 MNTNER objects in the RIPE Database. Of those, 32,397 were referenced by other objects. This means that they are used to secure other objects, which is the basic function of a MNTNER. For the remaining 4,371, we saw that 3,692 of them only referenced themselves. This means that they were used to secure the MNTNER object itself but not any other object in the database. And 672 were not referenced at all. This means that these MNTNER objects were not actually used to secure objects in the RIPE Database, not even the MNTNER object itself. (The remaining seven were deleted between collecting the list of MNTNER objects and doing the analysis.)

In the chart, you can see the distribution of the types of MNTNER objects described above.

Number of MNTNER objects referenced by other objects in the RIPE Database

Next, we looked at how many of the referenced MNTNER objects used each type of authentication method. Multiple authentication methods and credentials are allowed in one MNTNER object. Encrypted passwords are currently the most commonly used method. We found 27,796 MNTNER objects that contained only password credentials and used no other authentication method. That is 86% of the referenced MNTNER objects.

Interestingly, only 50 of all the MNTNER objects in the RIPE Database do not use passwords as an authentication mechanism. Instead, they use PGP and/or X.509. The number of MNTNER objects is not the critical figure here; more relevant is how much address space these 50 MNTNER objects maintain in the RIPE Database.

We found that 0.85% (or 4,722,688) of the assigned IPv4 addresses in the RIPE Database are authorised by these 50 MNTNER objects. The other 99.15% is authorised by MNTNER objects that include one or more password credentials for authentication. The RIPE Database Working Group is currently discussing whether it is necessary to change this behaviour.
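The two classifications used above (how a MNTNER is referenced, and which authentication methods it lists) can be reproduced over any set of objects in RPSL text form, for example to audit your own maintainers for password-only credentials. The Python below is an added example, not the RIPE NCC's analysis code; the object names, key ID and hash are constructed, and the `MD5-PW`/`CRYPT-PW`, `PGPKEY-` and `X509-` prefixes are assumed from the RIPE Database `auth:` syntax, which this article does not spell out.

```python
import re
# Constructed sample objects in RPSL text form; names, key IDs and the hash are placeholders.
SAMPLE = """\
mntner:  EXAMPLE-A-MNT
auth:    MD5-PW $1$constructed$placeholder
mnt-by:  EXAMPLE-A-MNT

mntner:  EXAMPLE-B-MNT
auth:    X509-1
mnt-by:  EXAMPLE-B-MNT

mntner:  EXAMPLE-C-MNT
auth:    MD5-PW $1$constructed$placeholder
auth:    PGPKEY-00000000

inetnum: 192.0.2.0 - 192.0.2.255
mnt-by:  EXAMPLE-A-MNT
"""

def parse_objects(text):
    """Yield objects as lists of (attribute, value); comment/continuation lines are skipped."""
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l for l in block.splitlines() if ":" in l and l[0] not in " \t+%#"]
        pairs = [(a.strip().lower(), v.strip()) for a, _, v in (l.partition(":") for l in lines)]
        if pairs:
            yield pairs

def auth_class(pairs):
    """Classify auth: values; the *-PW, PGPKEY- and X509- prefixes are assumed syntax."""
    schemes = [v.split()[0].upper() for a, v in pairs if a == "auth" and v]
    has_pw = any(s.endswith("-PW") for s in schemes)
    has_key = any(s.startswith(("PGPKEY-", "X509-")) for s in schemes)
    return ("mixed" if has_key else "password-only") if has_pw else ("no-password" if has_key else "no-auth")

def audit(text):
    """Map each MNTNER name to (reference state, authentication class)."""
    refs, mntners = {}, {}  # refs: maintainer name -> keys of objects naming it in mnt-* attributes
    for pairs in parse_objects(text):
        key = (pairs[0][0], pairs[0][1].upper())  # (object type, primary key), names case-folded
        if key[0] == "mntner":
            mntners[key[1]] = auth_class(pairs)
        for attr, value in pairs[1:]:
            if attr.startswith("mnt-"):
                for name in filter(None, re.split(r"[,\s]+", value.upper())):
                    refs.setdefault(name, set()).add(key)
    def state(name):
        others = refs.get(name, set()) - {("mntner", name)}  # ignore the self-reference
        return "referenced" if others else "self-only" if name in refs else "unreferenced"
    return {name: (state(name), auth) for name, auth in mntners.items()}
```

`audit(SAMPLE)` puts each maintainer in one of the three reference groups counted in this article; a maintainer reported as `referenced` with `password-only` belongs to the 86% group.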

For more information, please refer to the background article on RIPE Labs: Authentication Methods Used in the RIPE Database
