On Mon, Jun 09, 2014 at 04:11:35PM +0200, João Damas wrote:
On 09 Jun 2014, at 15:53, Hank Nussbacher <hank@efes.iucc.ac.il> wrote:
On a related matter, is it possible currently to set up my aut-num so that if anyone adds my aut-num to their import/export/as-set objects I would receive a notification about it? Currently the "notify" field only informs me of changes to the specific aut-num, not people who reference my aut-num w/o my permission?
If this is not feasible with the system today, would it be possible to add this feature? I'll explain the rationale: we have recently discovered that hostile aut-nums that intend to perform a BGP hijack will add the victim's aut-num to their routing policy or to their unsuspecting upstream. This policy is then picked up as legitimate and propagated. By having a "notify-on-policy" email address field, I would be able to quickly see who is planning on hijacking my IP ranges.
This sounds like a reasonable thing to do to me. In fact, now that this has been mentioned it does sound like an obvious thing and I wonder what took the hostile aut-nums so long to subvert the intent of those fields.
I think some notification feature would be nice to have, but we need to figure out what and when we expect notifications.

I propose we dub the attribute for nice alignment with existing attributes:

    notify-on-ref: <email-address> optional, multi-valued

Questions:

- do you want a notification each time an object is updated and has a reference to your object?
- or do you only want notifications when a reference initially is added to an object? (spares you a daily mailbomb for daily updated objects)
- do you want a notification when the reference is removed from an object?
- In what classes do you want to set a notify-on-ref attribute? (I think initially aut-num, as-set, rs-set)
- do we want the notify-on-ref email addresses to be set to unread@ripe.net upon NRTM/ftp export?

Regarding authorisation, for me requiring authorisation to reference a given object is a bridge too far at this point in time. Quite some operators automatically generate an autnum, route-sets & as-sets on a daily basis to reject their policy, and I don't see an easy way to make this a painless adventure.

Let's first do notifications and based on those experiences look further. ok?

Kind regards,

Job
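
The "notify only when a reference is first added, and again when it is removed" behaviour asked about in the questions above can be approximated by an operator today by diffing two snapshots of registry objects. The following is an added example, not part of this thread and not RIPE database code; the object data is constructed (documentation AS numbers) and the function names are hypothetical.

```python
import re

# Constructed snapshots of RPSL objects; AS64496-AS64511 are documentation ASNs.
YESTERDAY = """\
as-set:   AS-EXAMPLE-CUST
members:  AS64500, AS64501

aut-num:  AS64510
import:   from AS64500 accept AS64500
"""
TODAY = YESTERDAY.replace("AS64501", "AS64501, AS64496") + """
aut-num:  AS64511
import:   from AS64510 accept AS64496
"""

# Attributes in which another operator can name your AS.
REF_ATTRS = {"members", "import", "export", "mp-import", "mp-export"}

def parse_objects(text):
    """Split an RPSL dump into {(class, key): [(attribute, value), ...]}."""
    objects = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = []
        for line in block.splitlines():
            if line[:1] in (" ", "\t", "+") and attrs:  # continuation line
                name, val = attrs[-1]
                attrs[-1] = (name, val + " " + line[1:].strip())
            elif ":" in line:
                name, val = line.split(":", 1)
                attrs.append((name.strip().lower(), val.strip()))
        if attrs:
            objects[(attrs[0][0], attrs[0][1].upper())] = attrs
    return objects

def references(objects, asn):
    """Objects, other than the aut-num itself, that name asn in a policy attribute."""
    asn = asn.upper()
    # Whole-token match: AS64496 must not match AS644960 or a set name like AS64496:AS-X.
    pat = re.compile(r"(?<![A-Z0-9:-])" + re.escape(asn) + r"(?![A-Z0-9:-])")
    return {ident for ident, attrs in objects.items()
            if ident != ("aut-num", asn)
            and any(n in REF_ATTRS and pat.search(v.upper()) for n, v in attrs)}

def notify_on_ref(old_text, new_text, asn):
    """Report only first-time additions and removals, not every update."""
    before = references(parse_objects(old_text), asn)
    after = references(parse_objects(new_text), asn)
    return {"added": sorted(after - before), "removed": sorted(before - after)}
```

Because only the set difference between snapshots is reported, an object that is regenerated daily with an unchanged reference produces no repeat notification.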