Re: hierarchical auth with route objects

[Daniel Karrenberg <]

Joachim,

thank you for starting the discussion.  Here are my 2 cents worth.

I firmly believe that authorisation in the database should
follow authority in the real world. In practise the administrator
of an AS has the exclusive autority which routes to originate.
Therefore the authorisation to create route objects should be
linkt to the aut-num object referred to in the origin attribute 
of the route object to be created and nothing else.
This can be implemented by defining the mnt-lower attribute
of the aut-num object to control all such route creations.

It has been noted that it would be useful to involve the user
of the address space covered by the route somehow as well.
I believe that a notification scheme would be sufficient here.
Authorisation is not necessary. 

I have not thought out a hierarchical notification scheme.
Here are a few things to consider:

- Notification should only occur if requested by an attribute in
the object which is hierarchically higher.

- one might consider to make notification of overlapping *routes*
without request, but the conditions should be well specified.

- route creation notification should be possible for both other routes
covering the same address space and inetnums covering that address space.

- the creator of the route should be notified of the notifications
as well, so that he can also take the initiative to coordinate

So far my 0.02s worth. I would be interested to hear what people
with complex ASes think about this.

Daniel