
Database Working Group


[db-wg] Multi tenancy in a LIR?


Hank Nussbacher

2020-11-19 16:28:31 CET

  

    
  
  
    

Can a LIR account handle multi-tenancy?

What if you had a parent organization and a few sub-organizations and each has their own resources (ASN + inetnum) that they wish to manage independently (objects, RPKI, etc) without the other sub-organizations of parent organization able to affect the resources. 

Is that at all possible or is the only solution to create a new LIR account?

Thanks,
Hank
Caveat: The views expressed above are solely my own and do not express the views or opinions of my employer


Randy Bush

2020-11-19 19:12:59 CET

> What if you had a parent organization and a few sub-organizations and
> each has their own resources (ASN + inetnum) that they wish to manage
> independently (objects, RPKI, etc) without the other sub-organizations
> of parent organization able to affect the resources.

the rpki part is trivial, parent CA with multiple child CAs.  IRR,
whois, accounting, ... are beyond my meager talents.

randy

denis walker

2020-11-19 20:41:49 CET

Hi Hank

Your scenario is not clear. When you say "each has their own
resources", how did they get those resources? Were they separate LIRs
that have received allocations, have there been mergers, were they all
allocated to the parent organisation's LIR and distributed to sub
organisations? Or do you mean they each want to have their own
resources?

As far as the database is concerned, address space resources allocated
to the parent organisation's LIR can be distributed to sub
organisations as LIR-PARTITIONED or ALLOCATED-BY-LIR. The sub
organisations can separately manage their resources. If you want
exclusive management control by the sub organisations you can set the
MNTNER attributes accordingly. But ultimately they are still the
parent organisation's resources. They could be reclaimed by the parent
organisation. The organisation reference in the allocations will
always be the parent organisation that was allocated the resources by
the RIPE NCC. That cannot be changed.

cheers
denis
co-chair DB-WG

On Thu, 19 Nov 2020 at 16:28, Hank Nussbacher via db-wg <db-wg _at_ ripe _dot_ net> wrote:
>
> Can a LIR account handle multi-tenancy?
>
>
> What if you had a parent organization and a few sub-organizations and each has their own resources (ASN + inetnum) that they wish to manage independently (objects, RPKI, etc) without the other sub-organizations of parent organization able to affect the resources.
>
> Is that at all possible or is the only solution to create a new LIR account?
>
>
> Thanks,
> Hank
> Caveat: The views expressed above are solely my own and do not express the views or opinions of my employer


Hank Nussbacher

2020-11-20 06:27:15 CET

  
    
  
  
On 19/11/2020 21:41, denis walker via db-wg wrote:

Good questions.

I'll try to clarify.

The parent organization has attained their ASN and ip-nets from RIPE NCC over the past 10 years.
The sub-organization is planning on buying IP nets via the IP bourse/exchange and purchase multihoming at IXPs and thereby qualify for their own ASN from RIPE NCC.
The question is whether to establish their own LIR or use the existing parent LIR.
You state "...LIR-PARTITIONED or ALLOCATED-BY-LIR. The suborganisations can separately manage their resources."
When I examined user privs in the LIR portal I saw there is admin or regular - each of which give total control to any resource listed under the LIR.
Your suggestion of using a different MNTNER is intriguing, but wouldn't at some point the parent LIR have to know the password?

Thanks,
Hank
    
    
    
    
    
    
    
> Hi Hank
>
> Your scenario is not clear. When you say "each has their own
> resources", how did they get those resources? Were they separate LIRs
> that have received allocations, have there been mergers, were they all
> allocated to the parent organisation's LIR and distributed to sub
> organisations? Or do you mean they each want to have their own
> resources?
>
> As far as the database is concerned, address space resources allocated
> to the parent organisation's LIR can be distributed to sub
> organisations as LIR-PARTITIONED or ALLOCATED-BY-LIR. The sub
> organisations can separately manage their resources. If you want
> exclusive management control by the sub organisations you can set the
> MNTNER attributes accordingly. But ultimately they are still the
> parent organisations resources. They could be reclaimed by the parent
> organisation. The organisation reference in the allocations will
> always be the parent organisation that was allocated the resources by
> the RIPE NCC. That cannot be changed.
>
> cheers
> denis
> co-chair DB-WG
>
> On Thu, 19 Nov 2020 at 16:28, Hank Nussbacher via db-wg <db-wg _at_ ripe _dot_ net> wrote:
> >
> > Can a LIR account handle multi-tenancy?
> >
> > What if you had a parent organization and a few sub-organizations and each has their own resources (ASN + inetnum) that they wish to manage independently (objects, RPKI, etc) without the other sub-organizations of parent organization able to affect the resources.
> >
> > Is that at all possible or is the only solution to create a new LIR account?
> >
> > Thanks,
> > Hank
> > Caveat: The views expressed above are solely my own and do not express the views or opinions of my employer

      
      


    
    


Cynthia Revström

2020-11-20 14:24:51 CET

Hi Hank,

I think you are better off asking the RIPE NCC support, (ncc _at_ ripe _dot_ net or
lir-help _at_ ripe _dot_ net if you are already a member).
The DB-WG is not the support mailing list, but I have answered some of your
questions below.

> The question is whether to establish their own LIR or use the existing
> parent LIR.

The parent org can of course sponsor an ASN and/or PI (Provider
Independent) resources for the subsidiary, just like any other LIR.
However if the subsidiary wants to hold PA resources, they need to be an
LIR.
But there is nothing preventing the parent org from holding the
resources and then just delegating them to the subsidiary.

> Your suggestion of using a different MNTNER is intriguing, but wouldn't
> at some point the parent LIR have to know the password?

No, I think I should clarify that unless you have the default maintainer
sync option enabled in the LIR portal, the DB and LIR portal are completely
separate.

- Cynthia


On Fri, Nov 20, 2020 at 6:27 AM Hank Nussbacher via db-wg <db-wg _at_ ripe _dot_ net>
wrote:

> On 19/11/2020 21:41, denis walker via db-wg wrote:
>
> Good questions.
>
> I'll try to clarify.
>
> The parent organization has attained their ASN and ip-nets from RIPE NCC
> over the past 10 years.
> The sub-organization is planning on buying IP nets via the IP
> bourse/exchange and purchase multihoming at IXPs and thereby qualify for
> their own ASN from RIPE NCC.
> The question is whether to establish their own LIR or use the existing
> parent LIR.
> You state "...LIR-PARTITIONED or ALLOCATED-BY-LIR. The suborganisations
> can separately manage their resources."
> When I examined user privs in the LIR portal I saw there is admin or
> regular - each of which give total control to any resource listed under the
> LIR.
> Your suggestion of using a different MNTNER is intriguing, but wouldn't at
> some point the parent LIR have to know the password?
>
> Thanks,
> Hank
>
>
>
> Hi Hank
>
> Your scenario is not clear. When you say "each has their own
> resources", how did they get those resources? Were they separate LIRs
> that have received allocations, have there been mergers, were they all
> allocated to the parent organisation's LIR and distributed to sub
> organisations? Or do you mean they each want to have their own
> resources?
>
> As far as the database is concerned, address space resources allocated
> to the parent organisation's LIR can be distributed to sub
> organisations as LIR-PARTITIONED or ALLOCATED-BY-LIR. The sub
> organisations can separately manage their resources. If you want
> exclusive management control by the sub organisations you can set the
> MNTNER attributes accordingly. But ultimately they are still the
> parent organisations resources. They could be reclaimed by the parent
> organisation. The organisation reference in the allocations will
> always be the parent organisation that was allocated the resources by
> the RIPE NCC. That cannot be changed.
>
> cheers
> denis
> co-chair DB-WG
>
> On Thu, 19 Nov 2020 at 16:28, Hank Nussbacher via db-wg <db-wg _at_ ripe _dot_ net> wrote:
>
> Can a LIR account handle multi-tenancy?
>
>
> What if you had a parent organization and a few sub-organizations and each has their own resources (ASN + inetnum) that they wish to manage independently (objects, RPKI, etc) without the other sub-organizations of parent organization able to affect the resources.
>
> Is that at all possible or is the only solution to create a new LIR account?
>
>
> Thanks,
> Hank
> Caveat: The views expressed above are solely my own and do not express the views or opinions of my employer
>
>
>

denis walker

2020-11-20 15:06:46 CET

Hi Hank

Cynthia is right, you would do well to contact RIPE NCC support.

However I will also add some details to your questions.

You said the sub organisation is planning to buy some address space.
The RIPE Transfer Policy says resources can only be transferred to
another RIPE NCC member. So any purchase will become part of the
parent organisation's LIR resources.

It is possible to achieve your goal by 'playing around' with the data
in the RIPE Database, but it does present some risk to the parent
organisation. [I'm sure the RIPE NCC will correct me if I am wrong
here.] If you want the address space, which will always be considered
to be part of the parent organisation's resources, to be totally under
the control of the sub organisation then the parent organisation can
change the "mnt-by:" and "mnt-lower:" to be the MNTNER of the sub
organisation and remove their own MNTNER. The resources are now still
owned by the parent organisation but totally under the control of the
sub organisation.

I don't know why you would want this arrangement. If you do this the
parent organisation will lose all management control over the
resources, but still retains any liability for their use. They also
cut themselves off from using the reclaim functionality as that relies
on the "mnt-lower:" in the resource object.

cheers
denis
co-chair DB-WG

On Fri, 20 Nov 2020 at 06:27, Hank Nussbacher via db-wg <db-wg _at_ ripe _dot_ net> wrote:
>
> On 19/11/2020 21:41, denis walker via db-wg wrote:
>
> Good questions.
>
> I'll try to clarify.
>
> The parent organization has attained their ASN and ip-nets from RIPE NCC over the past 10 years.
> The sub-organization is planning on buying IP nets via the IP bourse/exchange and purchase multihoming at IXPs and thereby qualify for their own ASN from RIPE NCC.
> The question is whether to establish their own LIR or use the existing parent LIR.
> You state "...LIR-PARTITIONED or ALLOCATED-BY-LIR. The suborganisations can separately manage their resources."
> When I examined user privs in the LIR portal I saw there is admin or regular - each of which give total control to any resource listed under the LIR.
> Your suggestion of using a different MNTNER is intriguing, but wouldn't at some point the parent LIR have to know the password?
>
> Thanks,
> Hank
>
>
>
> Hi Hank
>
> Your scenario is not clear. When you say "each has their own
> resources", how did they get those resources? Were they separate LIRs
> that have received allocations, have there been mergers, were they all
> allocated to the parent organisation's LIR and distributed to sub
> organisations? Or do you mean they each want to have their own
> resources?
>
> As far as the database is concerned, address space resources allocated
> to the parent organisation's LIR can be distributed to sub
> organisations as LIR-PARTITIONED or ALLOCATED-BY-LIR. The sub
> organisations can separately manage their resources. If you want
> exclusive management control by the sub organisations you can set the
> MNTNER attributes accordingly. But ultimately they are still the
> parent organisations resources. They could be reclaimed by the parent
> organisation. The organisation reference in the allocations will
> always be the parent organisation that was allocated the resources by
> the RIPE NCC. That cannot be changed.
>
> cheers
> denis
> co-chair DB-WG
>
> On Thu, 19 Nov 2020 at 16:28, Hank Nussbacher via db-wg <db-wg _at_ ripe _dot_ net> wrote:
>
> Can a LIR account handle multi-tenancy?
>
>
> What if you had a parent organization and a few sub-organizations and each has their own resources (ASN + inetnum) that they wish to manage independently (objects, RPKI, etc) without the other sub-organizations of parent organization able to affect the resources.
>
> Is that at all possible or is the only solution to create a new LIR account?
>
>
> Thanks,
> Hank
> Caveat: The views expressed above are solely my own and do not express the views or opinions of my employer
>
>

denis walker

2020-11-20 15:20:15 CET

Hi Hank

Maybe you were not clear in your scenario. Perhaps what you really
want is that the sub organisation is 'able' to manage the resource
independently of any other sub organisation, but accepting that the
parent organisation could still overrule them. In that case the
parent organisation can simply add a "mnt-lower:" (perhaps also a
"mnt-routes:") to the resource object with the sub organisation's
MNTNER. The sub organisation can then manage that address space. This
still allows the parent organisation to use the reclaim functionality
to remove any assignments and routes should they need to do so.

cheers
denis
co-chair DB-WG

On Fri, 20 Nov 2020 at 15:06, denis walker <ripedenis _at_ gmail _dot_ com> wrote:
>
> Hi Hank
>
> Cynthia is right, you would do well to contact RIPE NCC support.
>
> However I will also add some details to your questions.
>
> You said the sub organisation is planning to buy some address space.
> The RIPE Transfer Policy says resources can only be transferred to
> another RIPE NCC member. So any purchase will become part of the
> parent organisations LIR resources.
>
> It is possible to achieve your goal by 'playing around' with the data
> in the RIPE Database, but it does present some risk to the parent
> organisation. [I'm sure the RIPE NCC will correct me if I am wrong
> here.] If you want the address space, which will always be considered
> to be part of the parent organisations resources, to be totally under
> the control of the sub organisation then the parent organisation can
> change the "mnt-by:" and "mnt-lower:" to be the MNTNER of the sub
> organisation and remove their own MNTNER. The resources are now still
> owned by the parent organisation but totally under the control of the
> sub organisation.
>
> I don't know why you would want this arrangement. If you do this the
> parent organisation will lose all management control over the
> resources, but still retains any liability for their use. They also
> cut themselves off from using the reclaim functionality as that relies
> on the "mnt-lower:" in the resource object.
>
> cheers
> denis
> co-chair DB-WG
>
> On Fri, 20 Nov 2020 at 06:27, Hank Nussbacher via db-wg <db-wg _at_ ripe _dot_ net> wrote:
> >
> > On 19/11/2020 21:41, denis walker via db-wg wrote:
> >
> > Good questions.
> >
> > I'll try to clarify.
> >
> > The parent organization has attained their ASN and ip-nets from RIPE NCC over the past 10 years.
> > The sub-organization is planning on buying IP nets via the IP bourse/exchange and purchase multihoming at IXPs and thereby qualify for their own ASN from RIPE NCC.
> > The question is whether to establish their own LIR or use the existing parent LIR.
> > You state "...LIR-PARTITIONED or ALLOCATED-BY-LIR. The suborganisations can separately manage their resources."
> > When I examined user privs in the LIR portal I saw there is admin or regular - each of which give total control to any resource listed under the LIR.
> > Your suggestion of using a different MNTNER is intriguing, but wouldn't at some point the parent LIR have to know the password?
> >
> > Thanks,
> > Hank
> >
> >
> >
> > Hi Hank
> >
> > Your scenario is not clear. When you say "each has their own
> > resources", how did they get those resources? Were they separate LIRs
> > that have received allocations, have there been mergers, were they all
> > allocated to the parent organisation's LIR and distributed to sub
> > organisations? Or do you mean they each want to have their own
> > resources?
> >
> > As far as the database is concerned, address space resources allocated
> > to the parent organisation's LIR can be distributed to sub
> > organisations as LIR-PARTITIONED or ALLOCATED-BY-LIR. The sub
> > organisations can separately manage their resources. If you want
> > exclusive management control by the sub organisations you can set the
> > MNTNER attributes accordingly. But ultimately they are still the
> > parent organisations resources. They could be reclaimed by the parent
> > organisation. The organisation reference in the allocations will
> > always be the parent organisation that was allocated the resources by
> > the RIPE NCC. That cannot be changed.
> >
> > cheers
> > denis
> > co-chair DB-WG
> >
> > On Thu, 19 Nov 2020 at 16:28, Hank Nussbacher via db-wg <db-wg _at_ ripe _dot_ net> wrote:
> >
> > Can a LIR account handle multi-tenancy?
> >
> >
> > What if you had a parent organization and a few sub-organizations and each has their own resources (ASN + inetnum) that they wish to manage independently (objects, RPKI, etc) without the other sub-organizations of parent organization able to affect the resources.
> >
> > Is that at all possible or is the only solution to create a new LIR account?
> >
> >
> > Thanks,
> > Hank
> > Caveat: The views expressed above are solely my own and do not express the views or opinions of my employer
> >
> >

denis walker

2020-11-20 16:31:54 CET

Hi Hank

A couple of corrections to what I said. Even if you do play around
with the MNTNERs in the database, the parent organisation who holds
the resource can always add a default MNTNER to the resource object
via the LIR portal. So, if it is RIPE allocated address space, they
will never lose control. You cannot have a total disconnect between
the parent organisation holder of the resource and the sub
organisation manager of the resource.

If you buy legacy address space you do not need to be an LIR/member.
But if you want to use RPKI I believe you do need to have a contract
with the RIPE NCC.

I suggest you discuss your detailed requirements with the RIPE NCC support,

cheers
denis
co-chair DB-WG

On Fri, 20 Nov 2020 at 15:20, denis walker <ripedenis _at_ gmail _dot_ com> wrote:
>
> Hi Hank
>
> Maybe you were not clear in your scenario. Perhaps what you really
> want is that the sub organisation is 'able' to manage the resource
> independently of any other sub organisation, but accepting that the
> parent organisation could still over rule them. In that case the
> parent organisation can simply add a "mnt-lower:" (perhaps also a
> "mnt-routes:") to the resource object with the sub organisations
> MNTNER. The sub organisation can then manage that address space. This
> still allows the parent organisation to use the reclaim functionality
> to remove any assignments and routes should they need to do so.
>
> cheers
> denis
> co-chair DB-WG
>
> On Fri, 20 Nov 2020 at 15:06, denis walker <ripedenis _at_ gmail _dot_ com> wrote:
> >
> > Hi Hank
> >
> > Cynthia is right, you would do well to contact RIPE NCC support.
> >
> > However I will also add some details to your questions.
> >
> > You said the sub organisation is planning to buy some address space.
> > The RIPE Transfer Policy says resources can only be transferred to
> > another RIPE NCC member. So any purchase will become part of the
> > parent organisations LIR resources.
> >
> > It is possible to achieve your goal by 'playing around' with the data
> > in the RIPE Database, but it does present some risk to the parent
> > organisation. [I'm sure the RIPE NCC will correct me if I am wrong
> > here.] If you want the address space, which will always be considered
> > to be part of the parent organisations resources, to be totally under
> > the control of the sub organisation then the parent organisation can
> > change the "mnt-by:" and "mnt-lower:" to be the MNTNER of the sub
> > organisation and remove their own MNTNER. The resources are now still
> > owned by the parent organisation but totally under the control of the
> > sub organisation.
> >
> > I don't know why you would want this arrangement. If you do this the
> > parent organisation will lose all management control over the
> > resources, but still retains any liability for their use. They also
> > cut themselves off from using the reclaim functionality as that relies
> > on the "mnt-lower:" in the resource object.
> >
> > cheers
> > denis
> > co-chair DB-WG
> >
> > On Fri, 20 Nov 2020 at 06:27, Hank Nussbacher via db-wg <db-wg _at_ ripe _dot_ net> wrote:
> > >
> > > On 19/11/2020 21:41, denis walker via db-wg wrote:
> > >
> > > Good questions.
> > >
> > > I'll try to clarify.
> > >
> > > The parent organization has attained their ASN and ip-nets from RIPE NCC over the past 10 years.
> > > The sub-organization is planning on buying IP nets via the IP bourse/exchange and purchase multihoming at IXPs and thereby qualify for their own ASN from RIPE NCC.
> > > The question is whether to establish their own LIR or use the existing parent LIR.
> > > You state "...LIR-PARTITIONED or ALLOCATED-BY-LIR. The suborganisations can separately manage their resources."
> > > When I examined user privs in the LIR portal I saw there is admin or regular - each of which give total control to any resource listed under the LIR.
> > > Your suggestion of using a different MNTNER is intriguing, but wouldn't at some point the parent LIR have to know the password?
> > >
> > > Thanks,
> > > Hank
> > >
> > >
> > >
> > > Hi Hank
> > >
> > > Your scenario is not clear. When you say "each has their own
> > > resources", how did they get those resources? Were they separate LIRs
> > > that have received allocations, have there been mergers, were they all
> > > allocated to the parent organisation's LIR and distributed to sub
> > > organisations? Or do you mean they each want to have their own
> > > resources?
> > >
> > > As far as the database is concerned, address space resources allocated
> > > to the parent organisation's LIR can be distributed to sub
> > > organisations as LIR-PARTITIONED or ALLOCATED-BY-LIR. The sub
> > > organisations can separately manage their resources. If you want
> > > exclusive management control by the sub organisations you can set the
> > > MNTNER attributes accordingly. But ultimately they are still the
> > > parent organisations resources. They could be reclaimed by the parent
> > > organisation. The organisation reference in the allocations will
> > > always be the parent organisation that was allocated the resources by
> > > the RIPE NCC. That cannot be changed.
> > >
> > > cheers
> > > denis
> > > co-chair DB-WG
> > >
> > > On Thu, 19 Nov 2020 at 16:28, Hank Nussbacher via db-wg <db-wg _at_ ripe _dot_ net> wrote:
> > >
> > > Can a LIR account handle multi-tenancy?
> > >
> > >
> > > What if you had a parent organization and a few sub-organizations and each has their own resources (ASN + inetnum) that they wish to manage independently (objects, RPKI, etc) without the other sub-organizations of parent organization able to affect the resources.
> > >
> > > Is that at all possible or is the only solution to create a new LIR account?
> > >
> > >
> > > Thanks,
> > > Hank
> > > Caveat: The views expressed above are solely my own and do not express the views or opinions of my employer
> > >
> > >
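
The two maintainer arrangements described in the replies above (the sub organisation's MNTNER added in "mnt-lower:"/"mnt-routes:" while the parent stays in "mnt-by:", versus the parent removing its own MNTNER) can be told apart mechanically from the object text. The following is an added example, not part of any post in this thread and not RIPE NCC code: the sample objects are constructed, the maintainer names PARENT-MNT, SUBORG-A-MNT and SUBORG-B-MNT are hypothetical, and the verdict labels are this example's own.

```python
"""Audit which maintainers control RPSL resource objects (added example)."""

MNT_ATTRS = ("mnt-by", "mnt-lower", "mnt-routes")

# Constructed sample: documentation address ranges, hypothetical maintainer
# names, objects trimmed to the attributes this check reads.
SAMPLE = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-SHARED
mnt-by:         PARENT-MNT
mnt-lower:      PARENT-MNT, suborg-a-mnt   # sub organisation A delegated
mnt-routes:     SUBORG-A-MNT

inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-HANDED-OVER
mnt-by:         SUBORG-B-MNT
mnt-lower:      SUBORG-B-MNT

inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-PARENT-ONLY
mnt-by:         PARENT-MNT
"""


def parse_objects(text):
    """Split RPSL text into objects; each is a list of (attribute, value)."""
    objects, current = [], []
    for raw in text.splitlines():
        if not raw.strip():                        # blank line ends an object
            if current:
                objects.append(current)
                current = []
            continue
        line = raw.split("#", 1)[0].rstrip()       # drop end-of-line comments
        if not line:                               # comment-only line
            continue
        if line[0] in " \t+" and current:          # continuation of last value
            key, value = current[-1]
            current[-1] = (key, value + " " + line[1:].strip())
            continue
        key, _, value = line.partition(":")
        current.append((key.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects


def maintainers(obj, attr):
    """Names listed in every `attr` line, upper-cased for comparison.

    Assumes plain comma-separated maintainer names in each value.
    """
    names = set()
    for key, value in obj:
        if key == attr:
            names.update(n.strip().upper() for n in value.split(",") if n.strip())
    return names


def audit(text, parent_mnt, ignore=()):
    """Map each object's primary key to (verdict, other maintainers found)."""
    parent = parent_mnt.upper()
    skip = {parent} | {name.upper() for name in ignore}
    report = {}
    for obj in parse_objects(text):
        by, lower, routes = (maintainers(obj, attr) for attr in MNT_ATTRS)
        others = sorted((by | lower | routes) - skip)
        if parent not in by:
            verdict = "handed-over"   # parent's MNTNER no longer in mnt-by
        elif others:
            verdict = "shared"        # parent in mnt-by, others delegated
        else:
            verdict = "parent-only"   # nothing delegated
        report[obj[0][1]] = (verdict, others)
    return report


if __name__ == "__main__":
    for key, (verdict, others) in audit(SAMPLE, "PARENT-MNT").items():
        print(f"{key:32} {verdict:12} {', '.join(others) or '-'}")
```

The `ignore` parameter is for maintainers that should not be reported as delegates, such as a registry's own maintainer on allocation objects.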