question on requirement for mnt-by fields:

Dale,

You're touching history here - let me try to explain what happened:

In the past, when the current authorisation mechanism wasn't in place yet,
aut-num objects were always protected - you had to send them to another
address, and they were authorized by hand (basically, we checked the sender
and the headers and then did a privileged update).
The reason for this was that people felt that it should not be possible
to have the routing policy changed by anyone - this data should be
protected.

Later the authorisation mechanism was added, and it works as a
logical or:
- You pass one of the mnt-by authorisation mechanisms, OR
- The update is done using the special privileged update mechanism.

... which means that if an object doesn't have a mnt-by, then
it can only be updated by a privileged person.

You can remove the authentication using a maintainer like this:
aut-num:	AS4711
mnt-by:  	AS4711-MNT

mntner:		AS4711-MNT
auth:		NONE

Hope this helps,

Geert Jan

On Fri, 5 May 1995 10:05:19 -0400  "Dale S. Johnson" wrote:
> 
> Anyone?
> 
> > > JH> > Without the self referencing mnt-by field, the auto-dbm barfed on y
our
> > > JH> > submission.
> > > JH> Eh? Without??
> > >  
> > >  
> > > By your own admission, originally, your mntner did NOT have a mnt-by fiel
d
> > > thus you weren't allowed to modify it.
> > 
> > Why does the lack of a mnt-by field suggest that I would be unable to modif
y
> > the mntner object? I had been just recently modified it; it was only
> > attempting to add the self-referential mnt-by that fail authorization.
> > 
> > RIPE-120 says:
> > 
> > 	If there is no mnt-by attribute, the update always  proceeds
> > 	causing  any notifications specified in notify attributes of
> > 	the object.  This ensures  backward  compatibility.   It  is
> > 
> > Is the existance of an mnt-by a prerequisite for adding one?
> > 
> > The next paragraph reads:
> > 
> > 	If a new object with a mnt-by  attribute  is  added  to  the
> > 	database  or  a  mnt-by attribute is added to an object that
> > 	previously had no such attribute, the authorisation step  is
> > 	performed on the maintainer to be added.
> > 
> > I must admit, I'm perplexed -- what do they mean by the last
> > phrase ``the authorization step...''? Are they implying that such
> > an action will always fail?
> > 
> > --jhawk
> > 



-------- Logged at  Fri May 5 16:56:29 MET DST 1995  ---------