Hi guys

Maybe you are asking the wrong questions. What is the purpose of the AUP and is it effective? All it does is catch those who accidentally exceed the 1000 limit on PERSON objects. Those who want to intentionally data mine the RIPE Database will never get blocked.

If you include the '-r' flag in your queries you will never get blocked as no personal objects are returned. That allows you to query the entire database without the personal data objects. This can be spread over a 'period of time' to not stand out as making excessive queries. From that data you can extract a list of all nic handles currently active in the database.

There are currently about 2m PERSON objects in the database. With a 1000 limit per IP address, you only need 2000 IP addresses to query the whole set of PERSON objects in one day. As long as each IP address only queries 999 PERSON objects they will never trigger the AUP blocking mechanism. So the /64 will never get blocked.

There is an anti-avoidance clause in the AUP. For that to be triggered the RIPE NCC has to notice the coordinated action, consider it and take some action. You can query 2m objects long before that will happen. You can even spread it over several days to avoid any anti-avoidance detection. PERSON objects don't change that quickly. There are millions of queries made every day. Would an extra 2m stand out?

Unfortunately this type of rate limiting never has and never will work. As I said in my policy proposal on privacy (2022-01) 90% of the personal data contained in the RIPE Database does not need to be there. The answer to this problem is not having so much personal data in the database. Not trying to limit access to what is there unnecessarily.

cheers
denis

On Mon, 5 Aug 2024 at 15:32, Edward Shryane <eshryane@ripe.net> wrote:
Hi Daniel, Gert,
On 5 Aug 2024, at 14:51, Daniel Suchy <danny@danysek.cz> wrote:
Hi,
the whole problem arises from the fact that you replace the term IP address with end user site. These are two different terms with different meanings.
The current system is a compromise between allowing queries containing personal data, and complying with the Acceptable Use Policy: https://www.ripe.net/manage-ips-and-asns/db/support/documentation/ripe-datab...
The limit is 1,000 objects that could contain personal data, which is not normally reached by most users (< 0.02%), and it is clear what can be done if this is exceeded.
Rather than re-write the accounting code, can the community review why objects containing personal data are returned by default? Can we make "-r" the default?
Regards
Ed Shryane
RIPE NCC