[ppml] LDAP? Why not?

Leslie Daigle leslie at thinkingcat.com
Fri Jul 25 10:34:04 EDT 2003


FYI, for documentation of a project that put considerable
effort into attempting to do just that for domain whois, see

http://www.ietf.org/internet-drafts/draft-newton-ldap-whois-03.txt

In particular, Section 6 ("Lessons Learned") describes pretty
plainly the disappointments that LDAP could not be used "out
of the box".  E.g., in spite of having created a data model
using only standard LDAP objects, etc, the expected benefit of
client reuse simply wasn't there.

Having made that effort, note that the author of the document
(and main proponent of the project) is now behind the *non* LDAP
proposal for domain whois replacement in the IETF CRISP working
group.

Leslie.


Michael.Dillon at radianz.com wrote:
>>>Oh, and while you're at it, why not put all of this stuff into an LDAP
>>>server as well so that nobody gets the idea of using BGP peering sessions
>>>to distribute up to date abuse contact info.
> 
> 
>>I'm losing you here...
>>Please explain?
> 
> 
> It's my pet theory. I believe that if everyone published their directory 
> type information using LDAP the world would be a better place. Examples 
> include the whois directory, the various BGP and DNS based spammer 
> blacklists like ORBS and the DUL. 
> 
> Instead of hacking BGP and/or DNS to do something they weren't intended to 
> we would just write an LDAP schema (kind of like a data description) and 
> then use an LDAP server. The DNS would only be used as a locator mechanism 
> to find the right LDAP server
> 
>      _lwhois._tcp.example.com SRV lwhois.example.com
>      lwhois.example.com       A   192.0.0.7
> 
> You could publish a directory of ASes originating abuse which you have 
> detected and you could put all the reporting details into the directory 
> instead of spewing out emails to abuse.example.com. Then, once a week, you 
> could send a single email to a known good contact at example.com reporting 
> the number of incidents in your directory and giving them the password 
> needed to access the full details of their incidents. LDAP makes it easy 
> to protect parts of the directory with passwords. The public would only be 
> able to browse the high level stats on incidents and the origin ASes 
> could get at the details.
> 
> But, since LDAP is a protocol, the origin ASes could plug their own 
> applications into your directory and do things like poll for new incidents 
> every 15 minutes. It is a lot harder to do stuff like this if you have to 
> parse the text of email messages or web pages. Basically, I think the 
> world should stop writing new text parsers and start using the existing 
> standard data encapsulation protocols like LDAP, etc.
> 
> If you decide to seriously do something like this, you might want to 
> discuss it with Rob Thomas from Team Cymru because he has expressed some 
> level of interest in publishing his directories using LDAP. You can find 
> out more at the Bogon project http://www.cymru.com/BGP/bogon-rs.html
> 
> --Michael Dillon
> 
> 
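As an added example that is not part of the thread: one way to express the split Michael describes, public high-level stats plus per-origin-AS details reachable only with that AS's password, is with OpenLDAP access-control directives. The tree layout, the dc=example,dc=com suffix, AS64496 and the cn=as64496 reporter account are assumed for illustration.

```ldif
# Added example, not from the thread. Assumed tree:
#   ou=incidents,dc=example,dc=com
#     ou=stats        per-AS incident counts, browseable by anyone
#     ou=AS64496      one subtree per origin AS
#       ou=details    full reports, visible only to that AS's account
#   ou=reporters,dc=example,dc=com
#     cn=as64496      account whose password is mailed to the AS contact
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Password hashes: owners may change their own, anonymous may only bind
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# Detailed reports for AS64496: only that AS's account (first match wins,
# so this must come before the catch-all rules below)
olcAccess: {1}to dn.subtree="ou=details,ou=AS64496,ou=incidents,dc=example,dc=com"
  by dn.exact="cn=as64496,ou=reporters,dc=example,dc=com" read
  by * none
# High-level statistics: readable by anyone, including anonymous binds
olcAccess: {2}to dn.subtree="ou=stats,ou=incidents,dc=example,dc=com"
  by * read
# Everything else (e.g. the ou=AS64496 entry an account navigates through)
# is readable only by authenticated users
olcAccess: {3}to *
  by users read
  by * none
-
# The mailed password is only as safe as the bind that carries it: refuse
# simple binds unless the connection already has 128-bit TLS protection
replace: olcSecurity
olcSecurity: simple_bind=128
```

Each additional origin AS gets its own {1}-style clause naming its subtree and account; the `to *` catch-all must stay last, since OpenLDAP stops at the first `to` clause that matches the entry.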