About RIPE | Contact  | Search | Sitemap    
Homepage RIPE  
RIPE Community Mail Archives
search  
     
Next Sectionyou are here: RIPE -> RIPE Maillists > Archives
RIPE Navigation Ends
About RIPE Maillists
Maillists Archive
Global Lists
Non Active Lists
RIPE NCC Navigation Ends
Next Section
<<< Chronological >>> Author Index    Subject Index <<< Threads >>>

Re: How Change route object origin entry

  • To:
  • From: Andrei Robachevsky < >
  • Date: Fri, 28 Sep 2001 11:43:56 +0200
  • Organization: RIPE NCC
Dear Kevin,

kevin.bates@localhost wrote:
> 
> Hi
> 
> A question
> 
> I need to change the "Origin" entry on a /20 route object. This route is to
> be advertised via a different upstream provider, from a different AS number.
> 
> The upstream provider will not advertise the route "until RIPE have been
> informed".
> 
> I cannot change the route object entry. I get the following "Error:
> Hierarchical authorisation failed, request forwarded to maintainer" and I
> get the request forwarded to me.
> The mnt-by on the route object is not the problem - I can update other
> objects with that mnt-by object and I can change the "notify" entry on my
> route object.

The problem here is that "origin:" is part of the primary key for the
route object. So in fact you are creating a new route object, not
updating the existing one.

In this case the authorisation procedure is more complex and is defined
in the RFC2725 (Routing Policy System Security). To be able to create a
route object the request should pass authorisation from 
- the aut-num which is referenced from the "origin:" attribute
- the exact match route object (or one level less specific one if the
exact match does not exist),
  or
  the inetnum object (exact or one level less specific) if route objects
don't exist.

When checking authorisation from aut-num and route (inetnum)
"mnt-routes:" attribute is considered (or mnt-lower, mnt-by if
mnt-routes doesn't exist).

I may be more specific if you could send us the actual object you would
like to create.


> 
> Therefore the error must be because of the mnt-by entry within the
> "receiving" AS number. (which I am not authorised to update) but I don't
> understand how.
> 
> Is this the correct diagnosis? and is there something else I should be
> doing?
> 
> I could ask RIPE hostmaster to make the changes but the ticketing system
> could take a couple of weeks.
> 
> I could ask the new upstream AS owner  to add me to their mnt-by entry but I
> am nothing to do with them.
> 
> All suggestions gratefully received.
> 
> kevin


Regards,

Andrei Robachevsky
RIPE NCC
  • Post To The List:
<<< Chronological >>> Author    Subject <<< Threads >>>
 

Next Section
     About RIPE | Site Map | LIR Portal | About the RIPE NCC | Contact | Copyright Statement
RIPE.NET Homepage LIR Portal RIPE Community