About RIPE | Contact  | Search | Sitemap    
Homepage RIPE  
RIPE Community Mail Archives
search  
     
Next Sectionyou are here: RIPE -> RIPE Maillists > Archives
RIPE Navigation Ends
About RIPE Maillists
Maillists Archive
Global Lists
Non Active Lists
RIPE NCC Navigation Ends
Next Section
<<< Chronological >>> Author Index    Subject Index <<< Threads >>>

RE: Can anyone shed some light on this?

  • To: "Stephen Burley" < >
    < >
  • From: "Boyan Krosnov" < >
  • Date: Wed, 5 Dec 2001 12:36:37 +0200
http://www.ripe.net/ripe/docs/databaseref-manual.html
3.6.5  Protection of route object space
The route object creation must satisfy several authentication criteria.
It must match the authentication specified in the aut-num and the
authentication specified in either a route object or, if no applicable
route object is found, then an inetnum. Finally the creation must be
authorised by the maintainer of the route object itself referenced by
the "mnt-by:" attribute of the object.

When checking for prefix authorisation, an exact route object prefix
match is checked for first.  If there is no exact match, then a longest
prefix match that is less specific than the prefix is searched for.  If
the route prefix search fails, then a search is performed for an inetnum
object that exactly matches the prefix or for the most specific inetnum
object that is less specific than the route object submission. The
aut-num object used for authentication checks is referenced by the
"origin:" attribute of the route object.

A route object must pass authorisation from both the referenced aut-num
object and the route or inetnum object.  Authorisation shall be tested
using the maintainer(s) referenced in the "mnt-routes:" attribute(s)
first.  If that check fails, the "mnt-lower:" attributes are checked.
If that check fails, the "mnt-by:" attributes are used for the
authorisation check.
----------
aut-num:      AS702
as-name:      AS702
descr:        UUNET - Commercial IP service provider in Europe
....
mnt-routes:   UUNETDK-MNT
mnt-routes:   AS1270-MNT
mnt-routes:   AS1849-MNT
mnt-routes:   AS1890-MNT
mnt-routes:   IWAY-NOC
mnt-by:       UUNET-MNT
---------
I bet you didn't pass this authorization check.

does this shed a light? :)

BR,
CCNP Boyan Krosnov
Network Administrator
Lirex Net
phone: +359-2-91815
 

> -----Original Message-----
> From: Stephen Burley [
	    
	    

]
> Sent: Wednesday, December 05, 2001 12:30 PM
> Cc: db-wg@localhost
> Subject: Can anyone shed some light on this?
> 
> 
> route:       212.249.0.0/16
> descr:       UUNET CH
> origin:      AS702
> mnt-by:      AS702-MNT
> password:  *********
> changed:     jsc@localhost 20011204
> source:      RIPE
> 
> I send the above object to the DB and get the following error:
> 
> New FAILED: [route] 212.249.0.0/16
> route:       212.249.0.0/16
> descr:       UUNET CH
> origin:      AS702
> mnt-by:      AS702-MNT
> changed:     stephenb@localhost 20011204
> source:      RIPE
> ***Error: Hierarchical authorisation failed, request forwarded to
> maintainer.
> 
> Objects in RIPE-181 format are no longer accepted.
> Please see http://www.ripe.net/rpsl for more information.
> 
> RIPE Database Maintenance Department
> 
> Which is strange as the mainainer is us AS702-mnt. Any help 
> on this matter
> whould be appreciated as this is not the only one.
> 
> Regards
> Stephen Burley
> UUNET EMEA Hostmaster
> SB855-RIPE
> 
> 
> 
>
  • Post To The List:
<<< Chronological >>> Author    Subject <<< Threads >>>
 

Next Section
     About RIPE | Site Map | LIR Portal | About the RIPE NCC | Contact | Copyright Statement
RIPE.NET Homepage LIR Portal RIPE Community