This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
Hierarchical authorisation failed, request forwarded to maintaine r ???
- Previous message (by thread): Hierarchical authorisation failed, request forwarded to maintaine r ???
- Next message (by thread): Hierarchical authorisation failed, request forwarded to maintaine r ???
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Gert Doering
gert at space.net
Mon Oct 14 11:50:47 CEST 2002
Hi, On Mon, Oct 14, 2002 at 10:50:00AM +0200, Shane Kerr wrote: > > Shane, your explanation is confusing me. There are other examples > > with "same route, different origin AS" in the RIPE-DB (check > > 194.97.0.0/16), which is sometimes necessary while migrating a > > network to a new origin AS. > > > > So the database should permit entry of this *new* object, instead of > > checking for modification permission on the *existing* object. > > We currently implement RPSS, as best we understand it. I won't claim that I understand RPSS, but I claim to have observed actual practice :-) > I think the idea is that if there is a route object in the database, > then it's creation has been authorised, and that it represents an > actual route announcement. If somebody else starts advertising either > the same IP space with a different origin, or a more specific route > then it will affect traffic to the existing origin, so they should > approve the creation. > > Given this explanation, do you still think that the database should > permit the creation of the new object? Yes. I think that the creation of the new route: should NOT check the authorization on any existing route: objects, but should check mnt-routes: on the corresponding/encompassing inetnum: and on the AS-Object. "Unauthorized routes" should be sufficiently prevented by the inetnum: check. Yes, I am aware that this doesn't work for inetnum:s registered in a different database, unless distributed rps-auth is implemented. I do not have a proposal how to solve this in the mean time. [..] > The reality is that route checking is not 100% clear in the RPSS > document, RFC 2725. For instance, when creating a route it is > possible to have multiple parent routes with the same prefix, and it > is not specified what the behaviour is. I believe it was decided not > to look at this too carefully because some people in the IETF have > decided that advertising the same prefix from multiple origin AS > numbers is bad, and the authors of the document wanted to avoid a > flame-war or even having the document rejected over this issue. I agree with them - I think multiple different origin ASes *are* bad. Nevertheless migration of routes happen (think of "address space already allocated, AS number still in queue" or "address space already being used, but BGP not yet fully working at customer's site"). Sometimes, there might be other good reasons for multiple route: objects. Gert Doering -- NetMaster -- Total number of prefixes smaller than registry allocations: 48282 (47686) SpaceNet AG Mail: netmaster at Space.Net Joseph-Dollinger-Bogen 14 Tel : +49-89-32356-0 80807 Muenchen Fax : +49-89-32356-299
- Previous message (by thread): Hierarchical authorisation failed, request forwarded to maintaine r ???
- Next message (by thread): Hierarchical authorisation failed, request forwarded to maintaine r ???
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ db-wg Archives ]