
Hierarchical Authorisation in the RR

  • From: Carol Orange
  • Date: Thu, 15 May 1997 14:50:20 +0200

Hi again,

Here is another brief proposal for your perusal. This time for an 
implementation of hierarchical authorization in the Routing Registry. 
The mechanism described below will implement a hierarchy in the RR 
for which I believe there is consensus. 

The ideas in the proposal below were sifted from discussions which
took place on the routing-wg@localhost mailing list and in the
Routing WG meetings at RIPE-25 and RIPE-26.

Please review this if you have time. We are hoping to have a go-ahead 
on this from the Routing and Database WGs at or shortly after RIPE-27. 

Greetings,

Carol Orange
RIPE NCC

--------------------------------------------------------------------
Hierarchical Authorisation in the RR
Proposal for an Implementation 

Carol Orange, May 1997

At the January meeting of the Routing WG in Amsterdam, various
possible hierarchies for authorization in the Routing Registry (RR)
were considered. Whereas extensive discussion took place on the 
extent to which authority can be established in the RR, there 
was clear agreement that the maintainer of an AS should have 
authority over what routes are announced with a given aut-num 
in the "origin:" attribute. 

In the following, we specify an implementation to support the 
authority of "aut-num:" maintainers to determine who can announce 
routes under their AS. The mechanism can be extended as the need 
arises and consensus on other forms of authorization is achieved.

For more information on the discussions leading up to this proposal,
see: http://www.ripe.net/wg/routing/haro-d.html.

Implementation
--------------
If you (or your organization) manages an AS, then you should have
authority over the routes announced in your AS.

This can be implemented if we:

a) add a "mnt-lower:" attribute to the aut-num object

b) allow routes to be announced with a given "origin:" by those given
authority as defined in the mntner object specified in the "mnt-lower:"
attribute of the aut-num object.


Example
-------

If we add a "mnt-lower:" attribute to the aut-num object of the RIPE
NCC, then only those who know what peEw8Gb4xBNqI encrypts can add 
and remove routes originating in AS3333.

----
aut-num:     AS3333
...
mnt-lower:     AS3333-MNT
...

----
mntner:      AS3333-MNT
descr:       RIPE-NCC Maintainer
...
auth:        CRYPT-PW peEw8Gb4xBNqI
...

----
route:       193.0.0.0/23
descr:       RIPE-NCC
origin:      AS3333
...


Summary
-------
Other forms of hierarchical authorization and notification can be
implemented in the future if a well defined hierarchy can achieve
consensus. To provide some initial functionality which may meet the
needs of many RR users, we propose to implement the above in the short
term.
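
The lookup chain the proposal describes (route "origin:" to aut-num "mnt-lower:" to mntner "auth:"), as an added Python example that is not part of the original message or of any RIPE database code. The registry text, AS numbers, password, result strings and the SHA256-PW scheme (a stand-in for CRYPT-PW) are assumptions of the example, as is accepting a match on any one "auth:" line.

```python
import hashlib
import hmac

# Assumption: SHA256-PW is a made-up stand-in for CRYPT-PW (crypt(3) is not portable).
def _digest(salt, password):
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed sample registry (documentation AS numbers, made-up password).
REGISTRY = f"""\
aut-num:     AS64496
mnt-lower:   AS64496-MNT

mntner:      AS64496-MNT
auth:        SHA256-PW s4lt${_digest('s4lt', 'example-password')}

aut-num:     AS64497
"""

def parse_objects(text):
    """Index blank-line separated objects by (class, primary key)."""
    objects = {}
    for block in text.strip().split("\n\n"):
        attrs, key = {}, None
        for line in block.splitlines():
            name, _, value = (part.strip() for part in line.partition(":"))
            key = key or (name, value.upper())  # first attribute names the object
            attrs.setdefault(name, []).append(value)
        objects[key] = attrs
    return objects

def password_matches(auth_value, password):
    scheme, _, rest = auth_value.partition(" ")
    salt, _, digest = rest.strip().partition("$")
    return scheme == "SHA256-PW" and hmac.compare_digest(_digest(salt, password), digest)

def check_route_update(objects, origin, password):
    """Decide whether a route with this "origin:" may be added or removed."""
    aut_num = objects.get(("aut-num", origin.upper()))
    if aut_num is None:
        return "unknown-origin"
    names = aut_num.get("mnt-lower", [])
    if not names:
        return "no-mnt-lower"  # case the proposal leaves open; caller decides
    for name in names:
        mntner = objects.get(("mntner", name.upper()), {})  # missing mntner fails closed
        if any(password_matches(a, password) for a in mntner.get("auth", [])):
            return "authorised"
    return "denied"

OBJECTS = parse_objects(REGISTRY)
```
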



