[db-wg] Foreign ROUTE objects in RIPE Database - final decision?
Job Snijders job at instituut.net
Tue Oct 17 09:52:58 CEST 2017
Dear WG, chairs, On Mon, Oct 16, 2017 at 11:24:14PM +0000, William Sylvester via db-wg wrote: > Now that there has been substantial discussion on this topic, I wanted > to try to bring the conversation back to a more practical and > actionable path forward. Clearly this is a topic where there are a lot > of opinions. From seeing the discussion and receiving additional > feedback, I wanted to point out some re-occurring themes and request a > revised proposal for working group consideration. > > 1) Remove the "origin:" authorization requirement. RIPE is currently > the only RIR that requires this, the current implementation creates > data concurrency issues across Internet databases by requiring the > creation of duplicate autnums. > > 2) Flag "route:" objects for non-RIPE-managed space with "source: > RIPE-NONAUTH" to identify non-authoritative data. > > I’d like to seek input from the group; > > - Do you feel these options are straight forward and easy to understand? > - Does this provide a reasonable security posture? > - Will this make a positive impact for RIPE DB and the greater Internet? > - Do you support these concepts? I fully support executing both action items. Removal of the "origin:" authorisation step will bring the RIPE IRR in line with other databases such as APNIC, RADB and as such make use of the database easier for global organisations. It also aligns with the practises observed in RPKI. Flagging "route:/route6:" objects with "RIPE-NONAUTH" when they cover non-RIPE managed space has many benefits. Setting the "source:" to represent what the data actually means, we can programmatically analyse the contents of the RIPE DB and facilitate creation of higher quality route filters, but also for instance use it as a reputation factor in spam scoring. These two options represent what currently is the lowest hanging fruit to improve in this problem space. Funny enough, neither of these items makes things more difficult for anyone involved, on the contrary - by making route: authorisation easier, _and_ showing what is authoritative data and what is not, we improve the security posture of the RIPE community. Kind regards, Job
[ db-wg Archives ]