This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[db-wg] proposal: disallow creation of new non-hierarchically named AS-SET objects
William Weber
william at inbox.li
Wed Nov 16 12:24:22 CET 2022
> Limiting database updates to only accounts associated with LIR sounds reasonable.

I cannot support this unless it is limited to AS-SET and similar; I for example hand out IPv6 prefixes to end users and that would be impossible if they are unable to create MNT/Person/ORGs. I support this in general for AS-SET which makes no sense to have access to unless you have an ASN, but the startup maintainer process should stay the same. Same for ORGs - to request ASNs the end user needs an ORG and I as LIR should not have to create that or even have MNT-BY on it.

— William

Sent from my iPhone

> On 16.11.2022, at 12:00, db-wg-request at ripe.net wrote:
>
> Today's Topics:
>
> 1. Re: proposal: disallow creation of new non-hierarchically
>    named AS-SET objects (Pierfrancesco Caci)
> 2. Re: proposal: disallow creation of new non-hierarchically
>    named AS-SET objects (Yang Yu)
> 3. Re: proposal: disallow creation of new non-hierarchically
>    named AS-SET objects (Teun Vink)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 16 Nov 2022 10:48:18 +0100
> From: Pierfrancesco Caci <pcaci at pccwglobal.com>
> To: Job Snijders via db-wg <db-wg at ripe.net>
> Subject: Re: [db-wg] proposal: disallow creation of new
>    non-hierarchically named AS-SET objects
>
> Hi
> Speaking as be.ccafrique and uk.pccwg-uk I support Job's proposal.
>
> Pf
>
>> On Mon, 14 Nov 2022 17:41:16 +0000
>> Job Snijders via db-wg <db-wg at ripe.net> wrote:
>>
>> Dear DB-WG,
>>
>> Speaking in individual capacity.
>>
>> RFC 2622 section 5 specifies the naming convention for AS-SET
>> objects. https://www.rfc-editor.org/rfc/rfc2622#section-5.1
>> There basically are two styles:
>>
>> * "short" (example: AS-SNIJDERS)
>> * "hierarchical" (example: AS15562:AS-SNIJDERS)
>>
>> Problem statement
>> =================
>> In recent weeks a number of hypergiant cloud providers have faced the
>> thorny effects of adversarial AS-SET object naming collisions between
>> IRR databases.
>>
>> An example of this phenomenon is the existence of AS-AMAZON in both RADB
>> and RIPE. According to https://www.peeringdb.com/net/1418 the RADB copy
>> of the object is the correct one and populated with a number of
>> members entries. The RIPE one is empty, and not under control of Amazon.
>>
>> The existence of the AS-AMAZON object in the RIPE database might cause
>> some operators to inadvertently apply empty prefix-filters to EBGP
>> sessions which in turn causes various problems.
>>
>> It seems Amazon has no recourse to get the AS-AMAZON object removed from
>> the RIPE database; because the existence of that object in the RIPE
>> database does not violate any policies (as far as I know). But perhaps,
>> going forward, this community can do a little bit more to help prevent
>> similar situations from happening to others.
>>
>> Solution proposal
>> =================
>> I think the solution is to - GOING FORWARD - disallow creation of new
>> AS-SET objects which follow the 'short' naming style.
>>
>> The advantage of hierarchical naming is that the existing authorization
>> rules as applied by the RIPE Whois Server database engine do a decent
>> job of protecting/separating namespaces. 'Grandfathering' existing
>> short-named objects ensures that implementation of this solution
>> proposal causes minimal (if any) disruption to existing workflows.
>>
>> The RIPE database engine blocking creation of short-named AS-SETs might
>> help nudge the industry towards making hierarchical naming the norm.
>>
>> Related work
>> ============
>> Related work throughout the registry industry: IRRd version 4 forces new
>> AS-SET objects to be structured hierarchically:
>> https://github.com/irrdnet/irrd/issues/408
>>
>> Kind regards,
>>
>> Job
>
> --
> Pierfrancesco Caci <pcaci at pccwglobal.com>
> VP Network & Security Architecture - AS3491 Peering Coordinator
> Tel.: +39 0287 049 871
> www.pccwglobal.com
>
> ------------------------------
>
> Message: 2
> Date: Wed, 16 Nov 2022 04:06:57 -0600
> From: Yang Yu <yang.yu.list at gmail.com>
> To: denis walker <ripedenis at gmail.com>
> Cc: Job Snijders <job at sobornost.net>, db-wg at ripe.net
> Subject: Re: [db-wg] proposal: disallow creation of new
>    non-hierarchically named AS-SET objects
>
> I support this proposal.
>
>> It seems Amazon has no recourse to get the AS-AMAZON object removed from
>> the RIPE database; because the existence of that object in the RIPE
>> database does not violate any policies (as far as I know).
>
> Also ran into this issue and would like to see policy support to
> handle this kind of abuse.
>
>> On Mon, Nov 14, 2022 at 3:08 PM denis walker via db-wg <db-wg at ripe.net> wrote:
>> Interesting timing. I was about to make the same suggestion but for a
>> different reason...accountability. Currently ANYONE can create a set
>> object in the RIPE Database. You can be completely anonymous, not a
>> member or LIR, hold no resources. All you need to do is create a ROLE,
>> MNTNER and set object.
>
> Anyone with an email can make a RIPE account and start creating
> objects in RIPE database. In other registries there are usually some
> safeguards on user / mntner object creation. Limiting database updates
> to only accounts associated with LIR sounds reasonable.
>
> Yang
>
> ------------------------------
>
> Message: 3
> Date: Wed, 16 Nov 2022 11:19:17 +0100
> From: "Teun Vink" <teun at bit.nl>
> To: "Job Snijders" <job at sobornost.net>
> Cc: db-wg at ripe.net
> Subject: Re: [db-wg] proposal: disallow creation of new
>    non-hierarchically named AS-SET objects
>
> Hi all,
>
> On 14 Nov 2022, at 18:41, Job Snijders via db-wg wrote:
> [...]
>> Solution proposal
>> =================
>> I think the solution is to - GOING FORWARD - disallow creation of new
>> AS-SET objects which follow the 'short' naming style.
>
> I support this proposal.
>
> Kind regards,
> --
> Teun Vink
> BIT | teun at bit.nl | +31 318 648 688
> KvK: 09090351 | GPG: 0xFC8B25D6 | RIPE: TEUN-RIPE
>
> ------------------------------
>
> End of db-wg Digest, Vol 135, Issue 8
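
The two naming styles and the cross-registry collision discussed in the quoted thread, as an added Python example that is not part of any message in the thread and is not RIPE or IRRd code. The function names and the `SAMPLE` records (including `AS-EXAMPLE` and the documentation-range ASNs) are constructed for illustration; only `AS-SNIJDERS` and `AS15562:AS-SNIJDERS` come from the thread.

```python
import re
from collections import defaultdict

# Component shapes from RFC 2622 section 5: an AS number, or a set name starting "AS-".
ASN = re.compile(r"^AS[1-9][0-9]*$", re.I)
SET = re.compile(r"^AS-[A-Z0-9_-]*[A-Z0-9]$", re.I)

def classify(name):
    """Return 'short', 'hierarchical' or 'invalid' for an AS-SET name."""
    parts = name.split(":")
    if not all(ASN.match(p) or SET.match(p) for p in parts):
        return "invalid"
    if not any(SET.match(p) for p in parts):
        return "invalid"  # at least one component must be an actual set name
    return "short" if len(parts) == 1 else "hierarchical"

def may_create(name):
    """The thread's proposal: only hierarchical names for NEW objects."""
    return classify(name) == "hierarchical"

def collisions(objects):
    """Map each name found in more than one source to {source: member count}."""
    seen = defaultdict(dict)
    for source, name, members in objects:
        seen[name.upper()][source] = len(members)
    return {n: s for n, s in seen.items() if len(s) > 1}

def empty_shadow(objects):
    """Colliding names with one populated copy and one empty copy: a resolver
    that picks the empty copy would build an empty prefix filter."""
    return sorted(n for n, s in collisions(objects).items()
                  if min(s.values()) == 0 < max(s.values()))

# Constructed sample records (source, name, members); ASNs are documentation-range.
SAMPLE = [
    ("RADB", "AS-EXAMPLE", ["AS64496", "AS64497"]),
    ("RIPE", "AS-EXAMPLE", []),
    ("RIPE", "AS64496:AS-CUSTOMERS", ["AS64498"]),
    ("RADB", "AS-OTHER", ["AS64499"]),
]

if __name__ == "__main__":
    for n in ("AS-SNIJDERS", "AS15562:AS-SNIJDERS", "AS15562"):
        print(n, classify(n), "new object allowed:", may_create(n))
    print("same name in several sources:", collisions(SAMPLE))
    print("empty copy shadows a populated one:", empty_shadow(SAMPLE))
```

Operators can run the same comparison over their own IRR mirror data before generating prefix filters, so that a same-named empty object in another source is noticed rather than silently used.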