Home / Blogs

Authentication Methods Used in the RIPE Database

Objects in the RIPE Database can only be modified by those authorised to do so. For instance, an object representing a certain range of IP addresses assigned to an organisation by the RIPE NCC or a Local Internet Registry (LIR) can be modified by the organisation holding that address space. Each database object contains one or more attributes referencing the maintainer(s) of that object. In a maintainer (MNTNER) object, credentials are listed for those who are authorised to modify any object referencing that MNTNER object. A credential can be any of the following:

  • An MD5 encrypted password string
  • A PGP key
  • An X.509 certificate ID

After a discussion at the recent RIPE 62 meeting in Amsterdam, we were asked to find out how many MNTNER objects registered in the RIPE Database are actively maintaining other database objects and which type of authentication methods are used.

We found a total of 36,768 MNTNER objects in the RIPE Database. Of those, 32,397 were referenced by other objects. This means that they are used to secure other objects, which is the basic function of a MNTNER. For the remaining 4,371, we saw that 3,692 of them only referenced themselves. This means that they were used to secure the MNTNER object itself but not any other object in the database. And 672 were not referenced at all. This means that these MNTNER objects were not actually used to secure objects in the RIPE Database, not even the MNTNER object itself. (The remaining seven were deleted between collecting the list of MNTNER objects and doing the analysis.)

In the chart, you can see the distribution of the types of MNTNER objects described above.

Number of MNTNER objects referenced by other objects in the RIPE Database

Next, we looked at how many of the referenced MNTNER objects used each type of authentication method. Multiple authentication methods and credentials are allowed in one MNTNER object. Encrypted passwords are currently the most commonly used method. We found 27,796 MNTNER objects that contained only password credentials and used no other authentication method. That is 86% of the referenced MNTNER objects.

It is interesting that only 50 of all the MNTNER objects in the RIPE Database do not use passwords as an authentication mechanism. Instead, they use a combination of PGP and/or X.509. The number of MNTNER objects is not the critical figure here. How much address space is maintained by these 50 MNTNER objects in the RIPE Database is more relevant.

We found that 0.85% (or 4,722,688) of the assigned IPv4 addresses in the RIPE Database are authorised by these 50 MNTNER objects. The other 99.15% is authorised by MNTNER objects that include one or more password credentials for authentication. The RIPE Database Working Group is currently discussing if it is necessary to change this behaviour.

For more information, please refer to the background article on RIPE Labs: Authentication Methods Used in the RIPE Database

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byVerisign

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC