Dear Colleagues As part of the redevelopment project for the RIPE Database, we re-implemented the Access Control List (ACL) mechanism. We simplified the process and have some questions to ask the community. 1/ Should we change the default query behaviour so personal data must be explicitly requested? 2/ Should we block access to personal data only and still allow access to operational data? 3/ Should there be more transparency of limits with some user options? More details about the new ACL and these three questions are provided below. As the RIPE NCC continues to progress with the redevelopment project, we will have more of these questions. The wider the community feedback on these questions, the easier it will be for us to build a RIPE Database service that satisfies your needs. Regards, Denis Walker Business Analyst RIPE NCC Database Group Overview of new ACL To make it very easy to understand what is happening, we have redefined the algorithm for blocking and unblocking. Now, when you hit a set limit for accessing personal data sets within a day, you will be temporarily blocked from accessing the RIPE Database. This temporary block will be removed at midnight (UTC). If you are temporarily blocked 10 times in a rolling 30 day period, you will be permanently blocked. A permanent block can only be removed by contacting Customer Services at <ripe-dbm@ripe.net> and discussing the situation. This is, in principle, the same as the current behaviour but with simplified time periods and reset points. Background to questions 1/ The current default behaviour on any query is to always return personal data referenced in any other data that is returned by the query. This is one of the main causes for temporary blocking of access to the RIPE Database. Personal data is often returned when it was not needed. To prevent the personal data being accounted, a query must include the '-r' option. Many users think an option like '-T INETNUM' will only return the INETNUM objects and no personal data will be involved. Unfortunately, '-T' is not a true query option. It is a filter. So the personal data is still queried and then filtered out of the results set. This causes the personal data to still be accounted for as if you had received it. We would like to suggest reversing the default query behaviour. This way no personal data will be returned unless you include a new query flag explicitly requesting it. 2/ The current blocking mechanism works on the basis of all or nothing. If you are not blocked, you can successfully query for any data in the RIPE Database. If you are blocked (either temporarily or permanently), any query from you is rejected with a "Denied access" error message. We would like to propose a middle road. Blocking can be set to only apply to personal data. So, after being blocked, you can still query for any operational data in the RIPE Database. But all personal data will be filtered out of the results set, even if you explicitly request it. If the community likes this idea, a further choice is possible. One option is to apply this middle road to both temporary and permanent blocks. Another is to only apply this to temporary blocks and keep a permanent block as a complete "Denied access" error. 3/ A final question regards information about the limits. In the past, details of limits and when they were reset were not clearly published in any document. But it is not difficult to determine them with a little trial and error. Perhaps the community would prefer complete transparency on this. We can publish all the limits in a revised Acceptable Use Policy (AUP) document and even provide a query option to let a user know how much of their daily limit they have already used.
hi! On 03/06/2012 04:32 PM, Denis Walker wrote:
1/ Should we change the default query behaviour so personal data must be explicitly requested?
no.
2/ Should we block access to personal data only and still allow access to operational data?
no. there shouldn't be any personal i.e. non-public data in the whois-db.
3/ Should there be more transparency of limits with some user options?
yes. what limits are there? there shouldn't be any non-technically-motivated limits. regards, Chris
Hi Denis & all,
Dear Colleagues
As part of the redevelopment project for the RIPE Database, we re-implemented the Access Control List (ACL) mechanism. We simplified the process and have some questions to ask the community.
1/ Should we change the default query behaviour so personal data must be explicitly requested?
Actually changing default behavior should only be done if there is a real good reason for that (think of all the poor scripts and the old guys out there who never will be able to learn yet another new switch for the whois client etc.!). I do see your argument why you would want to change it. And i do see that there is seldom the need to return additional data like person objects when querying other types. -> I have no problem with the current situation and i perhaps would say it should NOT be changed, but in the end i wouldn't object if it solves more serious operational problems like the ACL issues for some. I've never really encountered the problem myself though and don't know how serious the impact is for others at all.
2/ Should we block access to personal data only and still allow access to operational data? [...] 2/ The current blocking mechanism works on the basis of all or nothing. If you are not blocked, you can successfully query for any data in the RIPE Database. If you are blocked (either temporarily or permanently), any query from you is rejected with a "Denied access" error message.
We would like to propose a middle road. Blocking can be set to only apply to personal data. So, after being blocked, you can still query for any operational data in the RIPE Database. But all personal data will be filtered out of the results set, even if you explicitly request it.
If the community likes this idea, a further choice is possible. One option is to apply this middle road to both temporary and permanent blocks. Another is to only apply this to temporary blocks and keep a permanent block as a complete "Denied access" error.
The question alone is misleading, but your comments below explain your intentions so i'm quoting both here :-) That idea is a more focused solution if you ask me. I guess i would support it. I haven't made up my mind about temp vs. perm block though since i never ran into this issue.
3/ Should there be more transparency of limits with some user options?
Well that's a no-brainer (i think) - full transparency it is. -- Mit freundlichen Grüßen / Kind Regards Sascha Lenz [SLZ-RIPE] Senior System- & Network Architect
On 06/03/2012 15:32, Denis Walker wrote:
1/ Should we change the default query behaviour so personal data must be explicitly requested?
No.
2/ Should we block access to personal data only and still allow access to operational data?
What is the scale of the problem here? I.e. how many blocks per day are instituted?
3/ Should there be more transparency of limits with some user options?
would be useful, yes.
To prevent the personal data being accounted, a query must include the '-r' option. Many users think an option like '-T INETNUM' will only return the INETNUM objects and no personal data will be involved. Unfortunately, '-T' is not a true query option. It is a filter. So the personal data is still queried and then filtered out of the results set. This causes the personal data to still be accounted for as if you had received it.
Uhhh, I think POLA[*] applies here, in bucketloads. The query results that are returned are what should be accounted for, not other objects which are filtered out in-between. Nick [*] http://en.wikipedia.org/wiki/Principle_of_least_astonishment
Uhhh, I think POLA[*] applies here, in bucketloads. The query results that are returned are what should be accounted for, not other objects which are filtered out in-between.
+1 Sander
Hi, On Wed, Mar 07, 2012 at 09:52:48PM +0000, Nick Hilliard wrote:
Uhhh, I think POLA[*] applies here, in bucketloads. The query results that are returned are what should be accounted for, not other objects which are filtered out in-between.
+1 (actually, +473, but you can't do that :) ) Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279
Dear Colleagues, On 8/03/12:11 8:52 AM, Gert Doering wrote:
Hi,
On Wed, Mar 07, 2012 at 09:52:48PM +0000, Nick Hilliard wrote:
Uhhh, I think POLA[*] applies here, in bucketloads. The query results that are returned are what should be accounted for, not other objects which are filtered out in-between.
+1
This issue is already addressed in the latest production release. As mentioned at RIPE 63 we are re-developing the whole query service to the RIPE Database step by step. We changed the work flow so that accounting is done as the last step before returning the data to the user. So the new ACL only accounts for the data that is returned to the user. In terms of the question we asked about changing the default behaviour, this is not the main issue. The majority of queries for address space do not apply filtering using the '-T' flag. Currently, if users do not know and remember to use the '-r' flag when they do NOT want to return personal data, they will be blocked after receiving 5000 personal data objects. With the current ACL a blocked user cannot access any data in the RIPE Database until they are unblocked the next day. We are proposing two changes: 1) We think it is more intuitive to have to ask to receive the personal data, rather than be given it by default. 2) Regardless of default behaviour, we think when they hit the limit, they should not get completely blocked. Instead, a user should still be able to access the RIPE Database, but without receiving any personal data in their query results. We typically block about 50 IP addresses per day for excessive querying of personal data. Most people who contact ripe-dbm with questions about blocking did not realise they should use '-r' if they do not want personal data. Regards, Denis Walker Business Analyst RIPE NCC Database Group
Hi! On 03/08/2012 12:29 PM, Denis Walker wrote:
1) We think it is more intuitive to have to ask to receive the personal data, rather than be given it by default. 2) Regardless of default behaviour, we think when they hit the limit, they should not get completely blocked. Instead, a user should still be able to access the RIPE Database, but without receiving any personal data in their query results.
We typically block about 50 IP addresses per day for excessive querying of personal data. Most people who contact ripe-dbm with questions about blocking did not realise they should use '-r' if they do not want personal data.
IMHO not doing recursion/reference resolving on the server side is most straightforward, implementing recursion or resolving of references client side seems to me like the 'natural' approach. Providing a switch to ask for server side recursion/reference resolving in this sense sounds like a comfortable solution. But again - what's the rationale for blocking, what makes querying excessive in your eyes? (I.e. what's the problem to the solution?) Regards, Chris
On 08/03/2012 11:29, Denis Walker wrote:
1) We think it is more intuitive to have to ask to receive the personal data, rather than be given it by default.
I disagree. This will break lots of scripts out there except for the very small number of people/organisations who are hitting the database very hard.
2) Regardless of default behaviour, we think when they hit the limit, they should not get completely blocked. Instead, a user should still be able to access the RIPE Database, but without receiving any personal data in their query results.
Ok, that is a sensible compromise yes. I.e. stuff like irrtoolset and rpsl queries will still work, but user information trawling won't.
We typically block about 50 IP addresses per day for excessive querying of personal data. Most people who contact ripe-dbm with questions about blocking did not realise they should use '-r' if they do not want personal data.
Seems a relatively constrained problem them. Again, I don't think that changing the default behaviour in order to reduce this 50 to something smaller is worthwhile, given the amount of trouble it will cause for everyone else who stays within the limits. Nick
participants (6)
-
chrish@consol.net -
Denis Walker -
Gert Doering -
Nick Hilliard -
Sander Steffann -
Sascha Lenz