Authorization for route objects

To: "'db-help@localhost'" <db-help@localhost>
From: "Koepp, Karsten" <Karsten.Koepp@localhost>
Date: Wed, 25 Sep 2002 10:58:00 +0200

Hi all,
maybe I have a misunderstanding concerning the protection of
route objects.

ripe-252 says in chapter 3.6.5:

    When checking for prefix authorisation, an exact route object
    prefix match is checked for first. If there is no exact match,
    then a longest prefix match that is less specific than the
    prefix is searched for. If the route prefix search fails,
    then a search is performed for an inetnum object that exactly
    matches the prefix or for the most specific inetnum object that
    is less specific than the route object submission. The aut-num
    object used for authentication checks is referenced by the
    "origin:" attribute of the route object.

My Question: If a less specific route exists which fails the
authorization, will the database check for authorization in the
matching inetnum or return an authorization failure?

Real Example:

1. LIR assigns addresses with mnt-routes...

    inetnum: 80.86.178.0 - 80.86.180.255
    netname: ARGONNET
    descr: Argonsoft GmbH
    country: DE
    admin-c: ES817-RIPE
    tech-c: ES817-RIPE
    tech-c: LNCD-RIPE
    status: ASSIGNED PA
    mnt-by: LNCD-MNT
    mnt-routes: ARGONSOFT-MNT
    notify: as@localhost
    notify: hostmaster@localhost
    changed: carsten.strahler@localhost 20020924
    source: RIPE

    route: 80.86.160.0/20
    descr: Lambdanet Operations - German region
    origin: AS13237
    mnt-by: LNC-MNT
    changed: karsten.koepp@localhost 20010821
    source: RIPE

2. Customer wanted to create ...

    route: 80.86.180.0/24
    descr: ArgonSoft GmbH
    descr: Emmy-Noether-Str. 9
    descr: D-76131 Karlsruhe
    origin: AS25263
    notify: as@localhost
    mnt-by: ARGONSOFT-MNT
    changed: specht@localhost 20020925
    source: RIPE

which failed in the first attempt.

3. LIR created an exact match route object for the sake
of authorization....

    route: 80.86.180.0/24
    descr: Argonsoft - Lambdanet PA
    origin: AS13237
    mnt-by: LNC-MNT
    mnt-routes: ARGONSOFT-MNT
    notify: hostmaster@localhost
    changed: michael.strunz-kroll@localhost 20020925
    source: RIPE

after which (2) succeeded.

This is not desired because the object (3) does not reflect
an announced Internet route.

Was the problem that the route object is not an exact match
of the inetnum?

Regards Karsten
-------------------------------------------------------------
Karsten Koepp
IP Network Planning
Lambdanet Communications GmbH (AS13237)
Guenther-Wagner-Allee 13
D-30177 Hannover (Germany)
Phone +49 (0)511 / 84 88 - 12 55
Fax +49 (0)511 / 84 88 - 12 59
Mobile +49 (0)178 / 3 62 - 12 55
News & Facts on our Website: www.lambdanet.net
-------------------------------------------------------------
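
The lookup order in the quoted ripe-252 paragraph, as an added Python example (not part of the original message and not the RIPE database's own code), run over the objects from the message. It assumes the literal reading in which the inetnum is consulted only when no covering route object exists, assumes the maintainer attributes are tried in the order mnt-routes, mnt-lower, mnt-by, leaves out the origin aut-num check, and uses a constructed route 80.86.176.0/20 with the hypothetical maintainer EXAMPLE-MNT.

```python
import ipaddress

# Objects from the message, reduced to the attributes this check reads.
ROUTES = [{"route": "80.86.160.0/20", "mnt-by": ["LNC-MNT"]}]
INETNUMS = [{"inetnum": ("80.86.178.0", "80.86.180.255"),
             "mnt-by": ["LNCD-MNT"], "mnt-routes": ["ARGONSOFT-MNT"]}]
# Constructed for illustration only: a route that does cover 80.86.180.0/24.
CONSTRUCTED_COVERING = {"route": "80.86.176.0/20", "mnt-by": ["EXAMPLE-MNT"]}

def maintainers(obj):
    # Assumption: the first attribute present, in this order, decides.
    for attr in ("mnt-routes", "mnt-lower", "mnt-by"):
        if obj.get(attr):
            return attr, obj[attr]
    return None, []

def prefix_authority(prefix, routes, inetnums):
    """Return (class, key, attribute, maintainers) of the object that must
    authorise a new route for `prefix`, or None if nothing covers it."""
    net = ipaddress.ip_network(prefix)
    # Exact route match first, else the longest less specific route.
    covering = [r for r in routes
                if net.subnet_of(ipaddress.ip_network(r["route"]))]
    if covering:
        best = max(covering,
                   key=lambda r: ipaddress.ip_network(r["route"]).prefixlen)
        return ("route", best["route"]) + maintainers(best)
    # Reached only when no route object was found at all (literal reading).
    first, last = int(net.network_address), int(net.broadcast_address)
    holding = []
    for obj in inetnums:
        lo, hi = (int(ipaddress.ip_address(a)) for a in obj["inetnum"])
        if lo <= first and last <= hi:
            holding.append((hi - lo, obj))
    if not holding:
        return None
    best = min(holding, key=lambda t: t[0])[1]  # smallest enclosing range
    return ("inetnum", "%s - %s" % best["inetnum"]) + maintainers(best)

def authorised(prefix, presented, routes, inetnums):
    """True if any presented maintainer is listed on the selected object."""
    found = prefix_authority(prefix, routes, inetnums)
    return found is not None and bool(set(presented) & set(found[3]))
```

With only the objects quoted in the message the search reaches the inetnum, because 80.86.160.0/20 ends at 80.86.175.255 and does not cover 80.86.180.0/24. Adding the constructed 80.86.176.0/20 selects that route instead, and the inetnum's mnt-routes is never read.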