[ARIN-Suggestions] New ACSP Suggestions
ARIN
info at arin.net
Fri Feb 11 10:54:40 EST 2022
Two new suggestions were recently submitted to ARIN’s Consultation and Suggestion Process (ACSP). One has been reviewed and is pending implementation, and the other is in review and pending response.
----------
ACSP Suggestion 2022.4: ARIN Online - Display RSA/LRSA Status
https://www.arin.net/participate/community/acsp/suggestions/2022/2022-04/
Description: Give ARIN Orgs the ability to see if their IP resources are covered by an L/RSA via the user dashboard.
Value to Community: ARIN requires IP resources to be covered an L/RSA to use RPKI services and the ARIN authenticated IRR. Giving resource holders the ability to identify which, if any, need an L/RSA before signing up for RPKI and IRR services, and should limit the calls to the ARIN help desk requesting this information.
Timeframe: Not specified
Response from ARIN: Thank you for your suggestion, numbered 2022.4 on confirmed receipt, requesting that we display RSA/LRSA status on resources in ARIN Online so customers can check their resources to see if they are eligible to use ARIN’s authenticated Internet Routing Registry (IRR) and Resource Public Key Infrastructure (RPKI) services. We agree this is a beneficial improvement for both customers and staff and will prioritize it for implementation this year.
Thank you for participating in the ARIN Consultation and Suggestion Process. Your suggestion will remain open until implemented.
----------
ACSP Suggestion 2022.5: Alternative to API Token in REST calls
https://www.arin.net/participate/community/acsp/suggestions/2022/2022-05/
Description: Alternative to sending API Token as URL parameter in REST calls. Either sending as POST form data or as an HTTP header field would be preferable as those should not tend to be logged in production systems. Some other implementations of REST interfaces are using X-CSRFToken in the HTTP header field. e.g. curl -H “X-CSRFToken: $myToken” -X GET http:/my.fqdn/noun
Value to Community: Logging systems often log the entire URL and hence unnecessarily expose the API token to anyone with access to and reading the logs. This could accidentally lead to a security incident caused by unauthorized access to ARIN resources from a valid hijacked token.
Timeframe: Not specified
Response Pending
Regards,
American Registry for Internet Numbers (ARIN)
More information about the arin-suggestions
mailing list