Re: [db-wg] NWI-5 Out of region ROUTE(6)/AUT-NUM objects implementation request

2018-02-14 Thread Randy Bush via db-wg
>>> This can be a separate effort. However, what I did not mention
>>> earlier is that we probably should disallow the creation of new
>>> out-of-region AUT-NUM objects if they are no longer required to
>>> authorise ROUTE(6) objects.
>> 
>> how long do you think it will be before there are no inter-region
>> barriers to AS transfers?  add a year or so to that to give people
>> time to clean up the mess caused by this policy hole.
> 
> It is not entirely clear to me what the issue of inter-RIR ASN transfers
> has to do with the topic at hand. However, there is a lively discussion
> on ARIN PPML about Inter-RIR ASN transfers, you too can participate:
> http://lists.arin.net/pipermail/arin-ppml/2018-February/thread.html

there is a lively bunch of animals in that pile of chicken manure over
in the barnyard; you too can participate.

i'll count my chickens when they hatch.  in the meantime, i have ARIN
ASs announcing RIPE prefixes, as do many others.

randy



Re: [db-wg] NWI-5 Out of region ROUTE(6)/AUT-NUM objects implementation request

2018-02-14 Thread Randy Bush via db-wg
> My personal (and I stress personal) opinion moving forward, is that
> the use of an IRR really does not sit well with the management side of
> delegation of authority in a distributed model that we have right now.
> 
> If we move to a model where the IRR/RPSL "maintainer" is understood to
> be documentation and not the actual authority over change, we can
> discuss more rational mechanisms to certify (and I use that word
> deliberately) that a given person has shown their intent, and consent,
> to have a given IRR/RPSL statement made over their resources.
> 
> If we did that, then any delegated authority over some INR should be
> able to make statements which validate the insertion into any IRR.
> 
> The problem of course (wilfred: hello) is referential integrity. Which
> I cannot fix because this is a fundamental problem in distributed
> systems which have hierarchy of independent elements capable of
> withdrawing consent. I suspect the fix is to put maximum lifetime on
> things being retained without reference to an explicit permission
> granted from outside and then remove them.
> 
> I don't configure routers. I therefore can't meaningfully comment on
> the costs on the configuration side, of this.

not positive i get your intent here.  but seems a lot as if you are
hoping to apply an external formally defined authorisation structure to
add artistic verisimilitude to an otherwise bald and unconvincing
narrative, the irr.

it is amusing to watch, after decades of failure on intra-irr
authentication and authorisation, we are now going to a new fantasy
where we restrict a registry to 'our' data; when the quality of the
various rirs' data are mediocre at best.

mr trump, the problem isn't nasty 'foreign' irr data raping our route6:
objects.  the problem is all irr data.  folk are trying to whitewash
quality and security decades ex post facto; a well known joke.

what we need is a formally verifiable hierarchy which matches the actual
delegations, iana on down.  oh, wait...

randy



Re: [db-wg] NWI-5 Out of region ROUTE(6)/AUT-NUM objects implementation request

2018-02-14 Thread Job Snijders via db-wg
On Wed, Feb 14, 2018 at 12:59:22PM +0900, Randy Bush via db-wg wrote:
> >> This can be a separate effort. However, what I did not mention
> >> earlier is that we probably should disallow the creation of new
> >> out-of-region AUT-NUM objects if they are no longer required to
> >> authorise ROUTE(6) objects.
> 
> how long do you think it will be before there are no inter-region
> barriers to AS transfers?  add a year or so to that to give people
> time to clean up the mess caused by this policy hole.

It is not entirely clear to me what the issue of inter-RIR ASN transfers
has to do with the topic at hand. However, there is a lively discussion
on ARIN PPML about Inter-RIR ASN transfers, you too can participate:
http://lists.arin.net/pipermail/arin-ppml/2018-February/thread.html

> > Yes, I support disallowing the creation of NEW out-of-region AUT-NUM
> > and ROUTE objects.
> 
> not exactly what tim was suggesting, see above.
> 
> > I keep seeing route objects covering non-RIPE IP space popping up in
> > the RIPE IRR for nefarious purposes.
> 
> that may be the wrong question.  are some appearing for legitimate and
> useful purposes?  if so, how will those needs be addressed going
> forward?

I'm happy to discuss "legitimate use cases", provided they exist, and
aren't the result of an incorrect use of the RIPE IRR. Can you share
some?

To me it is quite significant that I'm not aware of operational issues
related to the policies of the APNIC IRR, and RIPE is moving towards
that same model.

Kind regards,

Job



Re: [db-wg] NWI-5 Out of region ROUTE(6)/AUT-NUM objects implementation request

2018-02-14 Thread George Michaelson via db-wg
My personal (and I stress personal) opinion moving forward, is that
the use of an IRR really does not sit well with the management side of
delegation of authority in a distributed model that we have right now.

If we move to a model where the IRR/RPSL "maintainer" is understood to
be documentation and not the actual authority over change, we can
discuss more rational mechanisms to certify (and I use that word
deliberately) that a given person has shown their intent, and consent,
to have a given IRR/RPSL statement made over their resources.

If we did that, then any delegated authority over some INR should be
able to make statements which validate the insertion into any IRR.

The problem of course (wilfred: hello) is referential integrity. Which
I cannot fix because this is a fundamental problem in distributed
systems which have hierarchy of independent elements capable of
withdrawing consent. I suspect the fix is to put maximum lifetime on
things being retained without reference to an explicit permission
granted from outside and then remove them.

I don't configure routers. I therefore can't meaningfully comment on
the costs on the configuration side, of this.

-George

On Wed, Feb 14, 2018 at 1:59 PM, Randy Bush via db-wg wrote:
>>> This can be a separate effort. However, what I did not mention
>>> earlier is that we probably should disallow the creation of new
>>> out-of-region AUT-NUM objects if they are no longer required to
>>> authorise ROUTE(6) objects.
>
> how long do you think it will be before there are no inter-region
> barriers to AS transfers?  add a year or so to that to give people
> time to clean up the mess caused by this policy hole.
>
>> Yes, I support disallowing the creation of NEW out-of-region AUT-NUM
>> and ROUTE objects.
>
> not exactly what tim was suggesting, see above.
>
>> I keep seeing route objects covering non-RIPE IP space popping up in
>> the RIPE IRR for nefarious purposes.
>
> that may be the wrong question.  are some appearing for legitimate and
> useful purposes?  if so, how will those needs be addressed going
> forward?
>
> randy
>