[anti-abuse-wg] Solving the issue of rogue ROUTE objects in the RIPE Database
- Previous message (by thread): [anti-abuse-wg] Solving the issue of rogue ROUTE objects in the RIPE Database
- Next message (by thread): [anti-abuse-wg] Solving the issue of rogue ROUTE objects in the RIPE Database
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Bengt Gördén
bengan at resilans.se
Thu Nov 5 20:59:35 CET 2015
Den 2015-11-05 kl. 20:40, skrev ripedenis at yahoo.co.uk: > HI all > > I am going to have one last go at solving this problem. I challenge > anyone/everyone to tell me why this is such a stupid idea, technically > impossible to do, won't solve any of the issues partially or fully. > Then I can shut up about it and go away. If you can't condemn the idea > then support it. Lets fix this issue once and for all, stop this > endless discussion about rogue ROUTE objects and get on with life. > > So here is my 4 step proposal that I believe could be implemented > within a month. If we implemented this you can be sure that all ROUTE > objects in the RIPE Database were created with the knowledge and > approval of the related resource holders. I believe that is the > desired goal. Hi Denis, I don't see any immediate pitfalls in your 4-step. The only small, very small, thing is step 3 and it can be abused. But only for <24h. So I think your proposal makes sense. +1 for it. rgrds, /bengan > > STEP 1 > > Any ROUTE object submitted for creation in the RIPE Database involving > an out of region resource (address space and/or ASN) where that out of > region resource does not exist in the authoritative RIR database (has > not been allocated or assigned), reject the creation. > > The RIPE NCC mirrors the operational data from all the other 4 RIRs. > These mirrors are updated daily as well as the RIRs daily stats. It is > easy to determine if a resource is registered in the authoritative > database. > > STEP 2 > > For those ROUTE objects from STEP 1 where the out of region resource > does exist, hold the object creation as pending. The mechanism for > doing this already exists in the RIPE Database software as it is used > for multiple authentications. > > Lookup the out of region resource(s) in the authoritative database(s) > and find the contacts for that resource. Send a notification to those > contacts informing them of the pending ROUTE object creation in the > RIPE Database. The notification mechanism already exists in the RIPE > Database software. If they don't approve, do nothing and the creation > request will time out after a week and the object will not be created. > If they do approve, respond in some way (many technical options for > doing this that the RIPE NCC can choose from). If appropriate > approval(s) are received within a week, create the ROUTE object. > > STEP 3 > > On a daily basis, for each ROUTE object in the RIPE Database that > relates to an out of region resource, check for the continued > existence of that resource in the appropriate RIR database. If it no > longer exists, delete the ROUTE object from the RIPE Database. > > STEP 4 > > This is a one off cleanup of existing ROUTE objects. For all ROUTE > objects currently in the RIPE Database that relate to an out of > region, existing resource, send the appropriate notifications. For any > that no response is received within a week, delete the ROUTE object > from the RIPE Database. > > cheers > denis -- Bengt Gördén Resilans AB -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://lists.ripe.net/ripe/mail/archives/anti-abuse-wg/attachments/20151105/a44ba070/attachment.html>
- Previous message (by thread): [anti-abuse-wg] Solving the issue of rogue ROUTE objects in the RIPE Database
- Next message (by thread): [anti-abuse-wg] Solving the issue of rogue ROUTE objects in the RIPE Database
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]