This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/db-wg@ripe.net/
[db-wg] Proposal to limit the use of the RIPE-NCC-RPSL-MNT on mnt-by
- Previous message (by thread): [db-wg] Proposal to limit the use of the RIPE-NCC-RPSL-MNT on mnt-by
- Next message (by thread): [db-wg] Proposal to limit the use of the RIPE-NCC-RPSL-MNT on mnt-by
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Job Snijders
job at ntt.net
Thu Oct 22 12:55:07 CEST 2015
Dear Tim, Working Group, [ exec summary: I'd like to see a round of +1's if you agree with the proposal and my small addition at the end. ] On Wed, Oct 21, 2015 at 04:32:26PM +0200, Tim Bruijnzeels wrote: > There is an open action point on us regarding the use of the > RIPE-NCC-RPSL-MNT maintainer: > https://www.ripe.net/ripe/mail/archives/db-wg/2015-May/004626.html > > > I'd like to ask RIPE NCC to provide the group with an implementation > > plan and a timeline on how to prevent the RIPE-NCC-RPSL-MNT mntner from > > being used to authenticate updates to an object after the object has > > been created. We also ask that the RIPE NCC look into cleaning up > > existing references to RIPE-NCC-RPSL-MNT and tell us their plan. > > Note that there is an ongoing an important parallel discussion about > the authorisation of out-of-region IRR objects in general. But this is > specifically about the use of 'RIPE-NCC-RPSL-MNT' on "mnt-by:". As > long as we do have RIPE-NCC-RPSL-MNT, there are things we can improve > and we want to propose the following to working group: > > 1) implement a business rule to prevent that this maintainer is used as 'mnt-by' > > Submitting an object that includes 'mnt-by: RIPE-NCC-RPSL-MNT' would > result in a hard error, with a message like: "The RIPE-NCC-RPSL-MNT is > used to authorise the creation of out-of-region aut-num and route(6) > objects, but may not be used as 'mnt-by'" > > This is fairly trivial to implement, provided of course that the > working group agrees to this. > > 2) remove the maintainer from existing objects > > There are roughly 2000 objects that are maintained by > 'RIPE-NCC-RPSL-MNT' only, and about 10000 objects that are maintained > by 'RIPE-NCC-RPSL-MNT' and at least one other maintainer. > > In the first case we propose to lock the object, i.e. set 'mnt-by: > RIPE-NCC-LOCKED-MNT', and send out a custom notification to any > contacts on the object explaining that the object has been locked to > prevent a hijack of the object, and that ripe-dbm at ripe.net can be > contacted to unlock the object. > > In the second case we propose to leave the remaining maintainer and > send out a custom notification informing contacts on the object that > the "RIPE-NCC-RPSL-MNT" has been removed to prevent a hijack of the > object, and listing which maintainer(s) remain. > > Technically this is not difficult either, but it can result in a lot > of questions. Therefore we prefer to do this in batches to make sure > that we can process possible follow up requests to ripe-dbm at ripe.net > properly. For reference we used a similar approach when dealing with > locking the old MD5 passwords earlier this year. Provided that the > working group agrees with this, we expect this can be done in the > space of a few weeks after the business rule is implemented. When the two steps above have been completed, it seems to me that the RIPE-NCC-RPSL-MNT maintainer can be deleted all together from the database, and we rely on the business rule as implemented in #1. I am happy to hear none of the two steps are "technically difficult". +1 from me Kind regards, Job
- Previous message (by thread): [db-wg] Proposal to limit the use of the RIPE-NCC-RPSL-MNT on mnt-by
- Next message (by thread): [db-wg] Proposal to limit the use of the RIPE-NCC-RPSL-MNT on mnt-by
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ db-wg Archives ]