10.7 Protection of Route(6) Object Space

Creating a route object must satisfy several authorisation criteria. As with all objects, it must be authorised by its own mntner object, as referenced in its “mnt-by:” attributes. It must also satisfy two separate hierarchical authorisations. All three authorisations must be passed for the object to be created. To modify or delete a route object, only its own mntner object, as referenced in its “mnt-by:” attributes, needs to authorise the operation.

Address space: the creation of a route object needs to be authorised either by existing, related route objects or related address space objects. The route objects are checked first. If a route object with an exact matching address prefix exists, it will be used for authorisation. If this does not exist, one with a less specific prefix is used. If no such route object exists, an address space object (inetnum or inet6num) with an exact matching prefix will be used, otherwise a less specific prefix is used. One of these objects will always be found in the database. Following this order, the first valid object found is the one used to authorise the new object creation. If the supplied credentials do not satisfy the authorisation required by this first valid object found, then authorisation fails. The software does not look for the next possible valid object in the sequence.

In all of the cases above, the route object can also be a route6 object.
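
The address space lookup order described above, sketched as an added example that is not code from the RIPE Database software. The sample registry, maintainer names and function names are constructed for illustration. It assumes one maintainer per object, address space written as CIDR prefixes, credentials modelled as a set of maintainer names the submitter can satisfy, and that "less specific" means the closest covering prefix.

```python
import ipaddress

# Constructed sample registry (documentation prefixes, made-up maintainer names).
# Each entry: (object type, prefix, maintainer named in "mnt-by:").
SAMPLE_DB = [
    ("inetnum", "192.0.2.0/24", "LIR-MNT"),
    ("route", "192.0.2.0/24", "TRANSIT-MNT"),
    ("inetnum", "198.51.100.0/24", "CUSTOMER-MNT"),
    ("inet6num", "2001:db8::/32", "LIR6-MNT"),
]

# Lookup order from the text: route objects first, then address space objects.
LOOKUP_ORDER = (("route", "route6"), ("inetnum", "inet6num"))


def find_authorising_object(db, new_prefix):
    """Return (type, prefix, maintainer) of the first valid object, or None."""
    new = ipaddress.ip_network(new_prefix)
    for types in LOOKUP_ORDER:
        covering = []
        for obj_type, prefix, mntner in db:
            net = ipaddress.ip_network(prefix)
            if (obj_type in types and net.version == new.version
                    and new.subnet_of(net)):
                covering.append((net.prefixlen, obj_type, prefix, mntner))
        if covering:
            # Longest covering prefix: the exact match if present, otherwise
            # (assumption) the closest less specific one.
            return max(covering, key=lambda c: c[0])[1:]
    return None


def address_space_authorised(db, new_prefix, credentials):
    """Check credentials against the first valid object only, with no fallback."""
    found = find_authorising_object(db, new_prefix)
    return found is not None and found[2] in credentials


if __name__ == "__main__":
    # The route object is found first, so the inetnum maintainer alone fails.
    print(address_space_authorised(SAMPLE_DB, "192.0.2.0/25", {"LIR-MNT"}))
    print(address_space_authorised(SAMPLE_DB, "192.0.2.0/25", {"TRANSIT-MNT"}))
    print(find_authorising_object(SAMPLE_DB, "2001:db8:1::/48"))
```

In the first call the holder of the covering inetnum is refused because an existing route object takes precedence and the check does not move on to the next candidate.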

Autonomous System (AS) Number: the creation of a route object also needs authorisation from the AS Number that originates the route. This AS Number must exist in the RIPE Database. If the originating AS Number is not a RIPE resource, then a copy of the AS Number must be created in the RIPE Database.

As the RIPE Database is used as a global routing registry, there is a need to create route objects that may refer to resources that are not allocated by the RIPE NCC.

This documentation is in draft status.
Please send any feedback or feature requests to ripe-dbm@ripe.net.