[ARIN-Suggestions] New ACSP Suggestion and Responses
ARIN
info at arin.net
Wed Feb 23 14:21:53 EST 2022
One new suggestion was recently submitted to ARIN’s Consultation and Suggestion Process (ACSP). It is in review and pending response. Two previous suggestions have been reviewed and are pending implementation, with our responses below.
----------
ACSP Suggestion 2022.7: IRR Transaction Log for RESTful API
https://www.arin.net/participate/community/acsp/suggestions/2022/2022-07/
Description: Although IRR email changes are slow, a validation and confirmation email was sent after the change was committed - so there was a record of the change. When using the API to make RPSL changes, the change is silent except for the updated record itself.
A transaction log is required of a user’s org RPSL and RPKI object changes made via the REST API or from within the associated account’s web interface.
If this feature exists currently within the REST API it is not documented in https://www.arin.net/resources/manage/irr/irr-restful/ and it’s not available in the web UI in the Downloads & Services section.
Value to Community: Logging of changes is good practice.
Timeframe: Not specified
Response Pending
----------
ACSP Suggestion 2022.6: Increase API Token Length
https://www.arin.net/participate/community/acsp/suggestions/2022/2022-06/
Description: After stripping the “API” and “-” characters the token has only 16 characters, each character having 36 unique values. Double the current length to 32 variable characters.
Value to Community: A longer token, aligned with other API implementations, will make the tokens more difficult to brute force.
Timeframe: Not specified
Response from ARIN: Thank you for your suggestion, numbered 2022.6 on confirmed receipt, requesting that we extend the length of API tokens to 36 characters to make them less susceptible to brute force attacks. We agree this would be a helpful change and increase the security of the API tokens. We will place this suggestion on the list for prioritization for the 2023 Engineering Roadmap.
Thank you for participating in the ARIN Consultation and Suggestion Process. Your suggestion will remain open until implemented.
----------
ACSP Suggestion 2022.5: Alternative to API Token in REST calls
https://www.arin.net/participate/community/acsp/suggestions/2022/2022-05/
Description: Alternative to sending API Token as URL parameter in REST calls. Either sending as POST form data or as an HTTP header field would be preferable as those should not tend to be logged in production systems. Some other implementations of REST interfaces are using X-CSRFToken in the HTTP header field. e.g. curl -H "X-CSRFToken: $myToken" -X GET http://my.fqdn/noun
Value to Community: Logging systems often log the entire URL and hence unnecessarily expose the API token to anyone with access to and reading the logs. This could accidentally lead to a security incident caused by unauthorized access to ARIN resources from a valid hijacked token.
Timeframe: Not specified
Response from ARIN: Thank you for your suggestion, numbered 2022.5 on confirmed receipt, requesting that we consider alternatives to sending the API token as a URL parameter in REST calls to improve security. We agree that a change of this type would improve security. In evaluating this suggestion, we have determined that making the change to send the API token as part of the HTTP header field would be the best solution as it will also allow ARIN to support this new feature as well as the current query parameter. We will place this suggestion on the list for prioritization for the 2023 Engineering Roadmap.
Thank you for participating in the ARIN Consultation and Suggestion Process. Your suggestion will remain open until implemented.
Regards,
American Registry for Internet Numbers (ARIN)
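As an added illustration, not part of ARIN's message and not ARIN's own tooling: the Python below builds a REST call both ways discussed in suggestion 2022.5 (token as a URL parameter versus token in an HTTP header), shows what a reader of an ordinary web-server access log can recover from each, scans and redacts constructed log lines for anything shaped like an ARIN API token, and computes the keyspace sizes behind suggestion 2022.6 (16 versus 32 variable characters over 36 symbols). The query parameter name apikey, the header name X-API-Key, the XXXX-XXXX-XXXX-XXXX grouping of the token, the sample token and the sample log lines are all assumptions or constructed data, not taken from the message.

```python
import math
import re
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Token shape per suggestion 2022.6: "API-" plus 16 variable characters, each
# drawn from 36 symbols. The alphabet [0-9A-Z] and the grouping in fours
# (API-XXXX-XXXX-XXXX-XXXX) are assumptions, not stated in the message.
TOKEN_RE = re.compile(r"API-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{4}")

# Assumed parameter and header names; the ARIN message names neither.
QUERY_PARAM = "apikey"
HEADER_NAME = "X-API-Key"


def token_bits(variable_chars: int, alphabet: int = 36) -> float:
    """Keyspace of a token in bits: log2(alphabet ** variable_chars)."""
    return variable_chars * math.log2(alphabet)


def request_with_query_token(base_url: str, token: str) -> dict:
    """Current style: the token rides in the URL, so anything that records
    request lines (access logs, proxies, browser history) now holds it."""
    return {"url": f"{base_url}?{urlencode({QUERY_PARAM: token})}", "headers": {}}


def request_with_header_token(base_url: str, token: str) -> dict:
    """Suggested style (2022.5): the token travels in a header, so the
    logged request line contains only the path."""
    return {"url": base_url, "headers": {HEADER_NAME: token}}


def token_from_url(url: str) -> Optional[str]:
    """What a log reader can recover from a logged URL alone."""
    return parse_qs(urlsplit(url).query).get(QUERY_PARAM, [None])[0]


def find_leaked_tokens(log_lines):
    """Scan access-log lines for anything shaped like an ARIN API token."""
    return [(n, m.group()) for n, line in enumerate(log_lines)
            for m in TOKEN_RE.finditer(line)]


def redact(line: str) -> str:
    """Mask tokens before log lines are shipped to a SIEM or shared."""
    return TOKEN_RE.sub("API-[REDACTED]", line)


# Constructed sample data: a token in the assumed format (not a real
# credential) and two access-log lines, one request made each way.
SAMPLE_TOKEN = "API-1234-5678-9ABC-DEF0"
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Feb/2022:14:21:53 -0500] '
    '"GET /rest/org/EXAMPLE-ORG?apikey=API-1234-5678-9ABC-DEF0 HTTP/1.1" 200 512',
    '10.0.0.5 - - [23/Feb/2022:14:22:10 -0500] '
    '"GET /rest/org/EXAMPLE-ORG HTTP/1.1" 200 512',
]


if __name__ == "__main__":
    base = "https://example.invalid/rest/org/EXAMPLE-ORG"
    q = request_with_query_token(base, SAMPLE_TOKEN)
    h = request_with_header_token(base, SAMPLE_TOKEN)
    print("query-param style, token recoverable from URL:", token_from_url(q["url"]))
    print("header style, token recoverable from URL:", token_from_url(h["url"]))
    print("leaked tokens in sample log:", find_leaked_tokens(SAMPLE_LOG))
    for line in SAMPLE_LOG:
        print(redact(line))
    print(f"16 variable chars: {token_bits(16):.1f} bits; "
          f"32 variable chars: {token_bits(32):.1f} bits")
```

The redaction regex is a stop-gap for log pipelines; it does nothing for logs already written or copied elsewhere, which is why moving the token out of the URL, as 2022.5 asks, is the real fix.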