Hi Denis,

> On 15 May 2024, at 02:40, denis walker <ripede...@gmail.com> wrote:
> 
> Hi Ed
> 
> This sounds like a good move. I have 2 questions about the rules.
> 
> If I query 1000 personal data sets on an IP address, then I log in to
> my access account, can I query 1000 more? I know this to some extent
> bypasses the strict rules. But in that office situation you referred
> to, suppose someone else has queried 1001 objects and got the IP
> address temporarily blocked. Now I log in to my access account I would
> expect to have access to 1000 objects.

You are correct, a user can still query by SSO account if the IP address is 
temporarily blocked.

However, we make a distinction between temporarily blocked (for the rest of the 
day) and permanently blocked (after repeatedly being blocked on multiple days).

(1) If the IP is permanently blocked, we don't allow any queries, either 
accounting by IP address or by SSO account.
(2) If the IP is temporarily blocked, we do still allow queries by SSO account.
(3) If the SSO account is temporarily blocked, we allow queries by IP address 
(if you log out of SSO).

But of course you could also switch IP address and continue to query; it's 
difficult to prevent this if the queries are anonymous. We account by /32 
prefix for an IPv4 address and by /64 prefix for an IPv6 address.

We added the ability to account by SSO account to support offices behind a NAT 
address: previously, if one individual got blocked, the whole office was 
blocked.

> I'll ask you the other question when I see you in Krakow. If I am
> right I don't want to give people another way to bypass your new
> rules. Of course nothing changes if you have a block of IPv6 addresses
> you can still query 1000 personal objects per IP address.  Do you
> still include (non abuse-c) ROLE objects in the count as well as
> PERSON objects?

Yes, we count non abuse-c ROLE objects and PERSON objects as "personal data 
sets" according to the Acceptable Use Policy.

Thanks for your feedback, I hope this clarifies the rules, and we are open to 
improving them if necessary.

Looking forward to seeing you in Krakow and the DB-WG session.

Regards
Ed Shryane
RIPE NCC


> cheers
> denis
> co-chair DB-WG
> 
> 
> 
> On Tue, 14 May 2024 at 19:48, Edward Shryane via db-wg <db-wg@ripe.net> wrote:
>> 
>> Dear colleagues,
>> 
>> We would like to share some changes to the RIPE Database Acceptable Use 
>> Policy and how we implement the daily limit. The Database team will enable 
>> these changes from this Thursday, 16 May 2024 onwards.
>> 
>> The RIPE NCC Executive Board approved amendments to the "RIPE Database 
>> Acceptable Use Policy" (AUP) in March this year, allowing for an additional 
>> method of accounting for RIPE Database queries containing personal data. 
>> With this method, the count will be based per user, rather than per IP 
>> address, for logged-in users. This allows multiple users to share the same 
>> public IP address but be accounted for separately. Previously, an office 
>> behind a NAT, for example, would get blocked as all users shared the same 
>> query limit. This will no longer be the case, as we will count the number of 
>> queries per user based on their RIPE NCC Access (single sign-on) accounts, 
>> if they are logged in. For users who are not logged in to RIPE NCC Access 
>> accounts, the queries will be counted based on IP addresses.
>> 
>> Additionally, we found that the daily limit configured in Whois was 
>> inconsistent with the AUP.  Along with the other changes described above, we 
>> will enforce the daily query limit in Whois in line with the Acceptable Use 
>> Policy:
>> * Number of personal data sets returned in queries from an IP address – 
>> 1,000 per 24 hours
>> * Number of personal data sets returned in queries from a RIPE NCC Access 
>> (SSO) account – 1,000 per 24 hours
>> 
>> Users who query for personal data above the daily limit will receive the 
>> message below explaining what has happened and what to do next:
>> 
>> Access from your host has been temporarily denied. For more information, see:
>> https://apps.db.ripe.net/docs/FAQ/#why-did-i-receive-an-error-201-access-denied
>> 
>> The minutes from the March meeting of the RIPE NCC Executive Board are 
>> available at:
>> https://www.ripe.net/about-us/executive-board/minutes/2024/174th-executive-board-meeting-minutes/
>> 
>> The resolution amending the RIPE Database Acceptable Use Policy is under 
>> section 4.6.
>> 
>> The updated RIPE Database Acceptable Use Policy is available on our website:
>> https://www.ripe.net/manage-ips-and-asns/db/support/documentation/ripe-database-acceptable-use-policy/
>> 
>> Regards,
>> Ed Shryane
>> RIPE NCC
>> 
>> 
>> --
>> 
>> To unsubscribe from this mailing list, get a password reminder, or change 
>> your subscription options, please visit: 
>> https://lists.ripe.net/mailman/listinfo/db-wg
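
The accounting rules discussed in this thread, as an added Python sketch that is not part of either message and is not RIPE NCC's Whois code. The class and function names are hypothetical, the addresses and accounts are constructed, and it assumes a counter is blocked for the rest of the day once it goes above the limit; the threshold for a permanent block is not stated in the thread and is not modelled.

```python
import ipaddress

DAILY_LIMIT = 1000  # personal data sets per 24 hours (figure from the announcement)

def accounting_key(addr):
    """Collapse an address to the prefix it is counted under: /32 for IPv4, /64 for IPv6."""
    ip = ipaddress.ip_address(addr)
    prefix = 32 if ip.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

class QueryAccounting:
    """Hypothetical in-memory model of one day's counters."""

    def __init__(self, limit=DAILY_LIMIT):
        self.limit = limit
        self.counts = {}            # ("ip", prefix) or ("sso", account) -> objects returned today
        self.permanent_ips = set()  # permanently blocked prefixes (threshold not given in the thread)

    def _temp_blocked(self, key):
        # Assumption: blocked for the rest of the day once the count is above the limit.
        return self.counts.get(key, 0) > self.limit

    def bucket_for(self, addr, sso=None):
        """Return the counter a query is charged to, or None if the query is denied."""
        ip_key = ("ip", accounting_key(addr))
        if ip_key[1] in self.permanent_ips:    # rule (1): denied, logged in or not
            return None
        key = ("sso", sso) if sso else ip_key  # logged-in users are counted per account
        return None if self._temp_blocked(key) else key  # rules (2) and (3)

    def record(self, key, personal_objects):
        self.counts[key] = self.counts.get(key, 0) + personal_objects

def demo():
    acct = QueryAccounting()
    nat = "192.0.2.10"                        # constructed: shared office NAT address
    acct.record(acct.bucket_for(nat), 1001)   # an anonymous colleague goes over the limit
    out = {"anon_after_ip_block": acct.bucket_for(nat),
           "sso_after_ip_block": acct.bucket_for(nat, sso="alice@example.net")}
    acct.record(("sso", "alice@example.net"), 1001)  # the account exceeds its own limit
    out["sso_blocked"] = acct.bucket_for(nat, sso="alice@example.net")
    out["anon_other_ip"] = acct.bucket_for("198.51.100.7")  # logged out, unblocked address
    acct.permanent_ips.add(accounting_key(nat))
    out["sso_after_permanent"] = acct.bucket_for(nat, sso="bob@example.net")
    return out
```
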

