[anti-abuse-wg] Solving the issue of rogue ROUTE objects in the RIPE Database

Den 2015-11-05 kl. 20:40, skrev ripedenis at yahoo.co.uk:
> HI all
>
> I am going to have one last go at solving this problem. I challenge 
> anyone/everyone to tell me why this is such a stupid idea, technically 
> impossible to do, won't solve any of the issues partially or fully. 
> Then I can shut up about it and go away. If you can't condemn the idea 
> then support it. Lets fix this issue once and for all, stop this 
> endless discussion about rogue ROUTE objects and get on with life.
>
> So here is my 4 step proposal that I believe could be implemented 
> within a month. If we implemented this you can be sure that all ROUTE 
> objects in the RIPE Database were created with the knowledge and 
> approval of the related resource holders. I believe that is the 
> desired goal.

Hi Denis,

I don't see any immediate pitfalls in your 4-step. The only small, very 
small, thing is step 3 and it can be abused. But only for <24h.

So I think your proposal makes sense. +1 for it.

rgrds,


/bengan


>
> STEP 1
>
> Any ROUTE object submitted for creation in the RIPE Database involving 
> an out of region resource (address space and/or ASN) where that out of 
> region resource does not exist in the authoritative RIR database (has 
> not been allocated or assigned), reject the creation.
>
> The RIPE NCC mirrors the operational data from all the other 4 RIRs. 
> These mirrors are updated daily as well as the RIRs daily stats. It is 
> easy to determine if a resource is registered in the authoritative 
> database.
>
> STEP 2
>
> For those ROUTE objects from STEP 1 where the out of region resource 
> does exist, hold the object creation as pending. The mechanism for 
> doing this already exists in the RIPE Database software as it is used 
> for multiple authentications.
>
> Lookup the out of region resource(s) in the authoritative database(s) 
> and find the contacts for that resource. Send a notification to those 
> contacts informing them of the pending ROUTE object creation in the 
> RIPE Database. The notification mechanism already exists in the RIPE 
> Database software. If they don't approve, do nothing and the creation 
> request will time out after a week and the object will not be created. 
> If they do approve, respond in some way (many technical options for 
> doing this that the RIPE NCC can choose from). If appropriate 
> approval(s) are received within a week, create the ROUTE object.
>
> STEP 3
>
> On a daily basis, for each ROUTE object in the RIPE Database that 
> relates to an out of region resource, check for the continued 
> existence of that resource in the appropriate RIR database. If it no 
> longer exists, delete the ROUTE object from the RIPE Database.
>
> STEP 4
>
> This is a one off cleanup of existing ROUTE objects. For all ROUTE 
> objects currently in the RIPE Database that relate to an out of 
> region, existing resource, send the appropriate notifications. For any 
> that no response is received within a week, delete the ROUTE object 
> from the RIPE Database.
>
> cheers
> denis


-- 

Bengt Gördén
Resilans AB

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/anti-abuse-wg/attachments/20151105/a44ba070/attachment.html>