> Limiting database updates to only accounts associated with LIR sounds
> reasonable.

I cannot support this unless it is limited to AS-SET and similar; I, for example,
hand out IPv6 prefixes to end users, and that would be impossible if they are
unable to create MNT/Person/ORGs.

I support this in general for AS-SET, which makes no sense to have access to
unless you have an ASN, but the startup maintainer process should stay the same.
Same for ORGs - to request ASNs the end user needs an ORG, and I as LIR should
not have to create that or even have MNT-BY on it.


—
William


> On 16.11.2022, at 12:00, db-wg-requ...@ripe.net wrote:
> 
> 
> Today's Topics:
> 
>   1. Re: proposal: disallow creation of new non-hierarchically
>      named AS-SET objects (Pierfrancesco Caci)
>   2. Re: proposal: disallow creation of new non-hierarchically
>      named AS-SET objects (Yang Yu)
>   3. Re: proposal: disallow creation of new non-hierarchically
>      named AS-SET objects (Teun Vink)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Wed, 16 Nov 2022 10:48:18 +0100
> From: Pierfrancesco Caci <pc...@pccwglobal.com>
> To: Job Snijders via db-wg <db-wg@ripe.net>
> Subject: Re: [db-wg] proposal: disallow creation of new
>    non-hierarchically named AS-SET objects
> Message-ID: <20221116104818.25bba...@lavoro.tippete.net>
> Content-Type: text/plain; charset=US-ASCII
> 
> Hi 
> Speaking as be.ccafrique and uk.pccwg-uk I support Job's proposal. 
> 
> Pf
> 
>> On Mon, 14 Nov 2022 17:41:16 +0000
>> Job Snijders via db-wg <db-wg@ripe.net> wrote:
>> 
>> Dear DB-WG,
>> 
>> Speaking in individual capacity.
>> 
>> RFC 2622 section 5 specifies the naming convention for AS-SET
>> objects. https://www.rfc-editor.org/rfc/rfc2622#section-5.1
>> There basically are two styles:
>> 
>>    * "short" (example: AS-SNIJDERS)
>>    * "hierarchical" (example: AS15562:AS-SNIJDERS)
>> 
>> Problem statement
>> =================
>> In recent weeks a number of hypergiant cloud providers have faced the
>> thorny effects of adversarial AS-SET object naming collisions between
>> IRR databases.
>> 
>> An example of this phenomenon is the existence of AS-AMAZON in both RADB
>> and RIPE. According to https://www.peeringdb.com/net/1418 the RADB copy
>> of the object is the correct one and populated with a number of
>> members entries. The RIPE one is empty, and not under control of Amazon.
>> 
>> The existence of the AS-AMAZON object in the RIPE database might cause
>> some operators to inadvertently apply empty prefix-filters to EBGP
>> sessions which in turn causes various problems.
>> 
>> It seems Amazon has no recourse to get the AS-AMAZON object removed from
>> the RIPE database; because the existence of that object in the RIPE
>> database does not violate any policies (as far as I know). But perhaps,
>> going forward, this community can do a little bit more to help prevent
>> similar situations from happening to others.
>> 
>> Solution proposal
>> =================
>> I think the solution is to - GOING FORWARD - disallow creation of new
>> AS-SET objects which follow the 'short' naming style.
>> 
>> The advantage of hierarchical naming is that the existing authorization
>> rules as applied by the RIPE Whois Server database engine do a decent
>> job of protecting/separating namespaces. 'Grandfathering' existing
>> short-named objects ensures that implementation of this solution
>> proposal causes minimal (if any) disruption to existing workflows.
>> 
>> The RIPE database engine blocking creation of short-named AS-SETs might
>> help nudge the industry towards making hierarchical naming the norm.
>> 
>> Related work
>> ============
>> Related work throughout the registry industry: IRRd version 4 forces new
>> AS-SET objects to be structured hierarchically:
>> https://github.com/irrdnet/irrd/issues/408
>> 
>> Kind regards,
>> 
>> Job
>> 
>> -- 
>> 
>> To unsubscribe from this mailing list, get a password reminder, or change 
>> your subscription options, please visit: 
>> https://lists.ripe.net/mailman/listinfo/db-wg
>> 
> 
> 
> -- 
> Pierfrancesco Caci <pc...@pccwglobal.com> 
> VP Network & Security Architecture - AS3491 Peering Coordinator
> Tel.: +39 0287 049 871
> www.pccwglobal.com
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Wed, 16 Nov 2022 04:06:57 -0600
> From: Yang Yu <yang.yu.l...@gmail.com>
> To: denis walker <ripede...@gmail.com>
> Cc: Job Snijders <j...@sobornost.net>, db-wg@ripe.net
> Subject: Re: [db-wg] proposal: disallow creation of new
>    non-hierarchically named AS-SET objects
> Message-ID:
>    <CAFwKRnR1U7X99nXsE_pqk982Hf4BXOZ9RoV+Aa7Y4C-Zyu=4...@mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
> 
> I support this proposal.
> 
>> It seems Amazon has no recourse to get the AS-AMAZON object removed from
>> the RIPE database; because the existence of that object in the RIPE
>> database does not violate any policies (as far as I know).
> 
> Also ran into this issue and would like to see policy support to
> handle this kind of abuse.
> 
>> On Mon, Nov 14, 2022 at 3:08 PM denis walker via db-wg <db-wg@ripe.net> wrote:
>> Interesting timing. I was about to make the same suggestion but for a
>> different reason...accountability. Currently ANYONE can create a set
>> object in the RIPE Database. You can be completely anonymous, not a
>> member or LIR, hold no resources. All you need to do is create a ROLE,
>> MNTNER and set object.
> 
> Anyone with an email can make a RIPE account and start creating
> objects in RIPE database. In other registries there are usually some
> safeguards on user / mntner object creation. Limiting database updates
> to only accounts associated with LIR sounds reasonable.
> 
> 
> Yang
> 
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Wed, 16 Nov 2022 11:19:17 +0100
> From: "Teun Vink" <t...@bit.nl>
> To: "Job Snijders" <j...@sobornost.net>
> Cc: db-wg@ripe.net
> Subject: Re: [db-wg] proposal: disallow creation of new
>    non-hierarchically named AS-SET objects
> Message-ID: <a2df4e9c-3ba7-415c-8c0a-fdbe11bf9...@bit.nl>
> Content-Type: text/plain
> 
> Hi all,
> 
> On 14 Nov 2022, at 18:41, Job Snijders via db-wg wrote:
> [...]
>> Solution proposal
>> =================
>> I think the solution is to - GOING FORWARD - disallow creation of new
>> AS-SET objects which follow the 'short' naming style.
>> 
> 
> I support this proposal.
> 
> Kind regards,
> -- 
> Teun Vink
> BIT           | t...@bit.nl     | +31 318 648 688
> KvK: 09090351 | GPG: 0xFC8B25D6 | RIPE: TEUN-RIPE
> 
> 
> 
> ------------------------------
> 
> 
> End of db-wg Digest, Vol 135, Issue 8
> *************************************
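
The naming styles and the cross-registry collision described in the quoted proposal can be checked mechanically. The following is an added example, not part of the thread or of any registry's software: it classifies as-set names as short or hierarchical and reports names that exist in more than one IRR source. The object contents (AS-EXAMPLE, AS64500 to AS64502, the maintainer names) are constructed, and the name patterns are a simplified reading of RFC 2622 section 5.

```python
import re
from collections import defaultdict

# Constructed sample: the same short name registered in two IRR sources,
# plus one hierarchical name. Members and maintainers are invented.
SAMPLE = """\
as-set:   AS-EXAMPLE
members:  AS64500, AS64501
mnt-by:   MAINT-EXAMPLE
source:   RADB

as-set:   AS-EXAMPLE
mnt-by:   UNRELATED-MNT
source:   RIPE

as-set:   AS64500:AS-CUSTOMERS
members:  AS64502
mnt-by:   MAINT-EXAMPLE
source:   RIPE
"""

ASN = re.compile(r"AS\d+$", re.I)                    # simplified: plain AS numbers only
SET = re.compile(r"AS-[A-Z0-9_-]*[A-Z0-9]$", re.I)   # simplified set-name pattern

def name_style(name):
    """Classify an as-set name as 'short', 'hierarchical' or 'invalid'."""
    parts = name.split(":")
    if not all(ASN.match(p) or SET.match(p) for p in parts):
        return "invalid"
    if not any(SET.match(p) for p in parts):
        return "invalid"          # at least one component must be a set name
    return "short" if len(parts) == 1 else "hierarchical"

def parse_objects(text):
    """Yield one dict per RPSL object; attribute values are split on commas."""
    for block in re.split(r"\n\s*\n", text.strip()):
        obj = defaultdict(list)
        for line in block.splitlines():
            key, _, value = line.partition(":")   # first colon only
            obj[key.strip().lower()] += [v.strip() for v in value.split(",") if v.strip()]
        yield obj

def find_collisions(text):
    """Return {name: {source: members}} for names present in more than one source."""
    seen = defaultdict(dict)
    for obj in parse_objects(text):
        name = obj["as-set"][0].upper()
        seen[name][obj["source"][0].upper()] = obj["members"]
    return {n: s for n, s in seen.items() if len(s) > 1}
```

A collision in which one source's copy has an empty member list is the case that yields an empty prefix filter, so a filter generator should pin the source explicitly instead of taking the first match.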
