Re: [db-wg] out of region routing in the RIPE Database
On Tue, 2017-07-18 at 15:26 +0200, Nick Hilliard via db-wg wrote:
I am not in favour of having the RIPE database as an open-access database on the basis that this mixes up two sets of data, authoritative and non-authoritative, and it it is impossible for someone casually querying the database to determine which is which.
Some people are inserting random route: objects into the database, and those route: objects are being picked up by provisioning systems and ending up configured on routers and IXP route servers. This enables prefix hijacking, which is a pressing operational issue.
I agree with Nick's position. It legitimates what seems to be rogue announcements, like for example 196.16.0.0/14, as mentionned recently on the NANOG mailing list (*). We should, IMHO not be able to insert out of region route(6) object without having a prior authentication mechanism, or making it be specially flagged, so the auto ACL system from upstreams wouldnt match it. (*) https://mailman.nanog.org/pipermail/nanog/2017-August/091954.html -- Clément Cavadore
participants (1)
-
Clement Cavadore