Dear Frank,
As RFC2725 says on page 18:
Having found the AS and either a route object or inetnum, the
authorization is taken from these two objects. The applicable
maintainer object is any referenced by the mnt-routes attributes. If
one or more mnt-routes attributes are present in an object, the mnt-by
attributes are not considered. In the absence of a mnt-routes
attribute in a given object, the mnt-by attributes are used for that
object. The authentication must match one of the authorizations in
each of the two objects.
I.e. if the "mnt-routes" attribute is present, then at least one of the maintainers
from "mnt-routes" should pass the authorisation. If none of them passes,
the creation is refused - no further check is done with "mnt-by"
attribute in case of "mnt-routes" failure.
"mnt-by" attribute is used only if "mnt-routes" is not present.
This applies only to route object creation. For route object modification
only "mnt-by" of the object itself is used to check the authorisation.
If you have any more questions, please contact <ripe-dbm(a)ripe.net>.
Regards,
Katie Petrusha
____________________________
RIPE Database Administration.
Original message follows:
------------------------
Dear Colleagues,
how exactly is this meaning of MNT-ROUTES in AUT-NUM objects in case
of routes object creation/modification ?
RFC2725 is not really detailed here. Means the existence of an MNT-ROUTES
attribute in an AUT-NUM object that ONLY this/these referenced maintainer(s)
will be able to authorize route creation/modification and the referenced
MNT-BY maintainer(s) will not be used? Or should not the MNT-BY maintainer(s)
checked if all MNT-ROUTES maintainer(s) authorisation fails?
The current RIPE software checks MNT-ROUTES maintainers only.
Thanks
Frank
> > From: "Frank Bohnsack" <Frank.Bohnsack(a)deu.mci.com>
> > Subject: LONGACK
> > Date: Mon, 4 Aug 2003 23:42:06 +0200
> > Reply-To: Frank.Bohnsack(a)deu.mci.com
> > Message-ID: <FAEKJBKGENGFILMMECELOEHICAAA.Frank.Bohnsack(a)deu.mci.com>
>
> ...
>
> DETAILED EXPLANATION:
>
>
> ***Warning: Invalid keyword(s) found: LONGACK
> ***Warning: All keywords were ignored
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> The following object(s) were found to have ERRORS:
>
>
> ---
> Create FAILED: [route] 139.8.32.0/24AS702
> ***Error: Authorisation failed
> ***Info: Syntax check passed
>
> route: 139.8.32.0/24
> descr: DE PI route
> origin: AS702
> member-of: AS702:RS-DE,
> AS702:RS-DE-PI,
> AS702:RS-DE-PULLUP
> mnt-by: WCOM-EMEA-RICE-MNT
> changed: rice(a)lists.mci.com 20030804
> source: RIPE
>
> ***Info: Authorisation for parent [route] 139.8.0.0/16AS702
> using mnt-by:
> authenticated by: WCOM-EMEA-RICE-MNT
>
> ***Info: Authorisation for origin [aut-num] AS702
> using mnt-routes:
> not authenticated by: UUNETDK-MNT, AS1270-MNT, AS1849-MNT,
> AS1890-MNT, IWAY-NOC, AS702-MNT, SE-UUNET-MNT, UUNETDE-I
>
> ***Info: Authorisation for [route] 139.8.32.0/24AS702
> using mnt-by:
> authenticated by: WCOM-EMEA-RICE-MNT
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>
> For assistance or clarification please contact:
> RIPE Database Administration <ripe-dbm(a)ripe.net>
>
>
>
>
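
The rule discussed in this thread, as an added example that is not part of the original messages and not the RIPE Database software's own code: a small model of which maintainers are consulted when a route object is created or modified. The objects use a documentation prefix and AS number with made-up maintainer names (all constructed), and `authenticated` is assumed to be the set of maintainers whose credentials the submission satisfied.

```python
def applicable_maintainers(obj):
    """mnt-routes, when present, is used and mnt-by is not considered."""
    if obj.get("mnt-routes"):
        return "mnt-routes", obj["mnt-routes"]
    return "mnt-by", obj.get("mnt-by", [])


def check(obj, authenticated, own_object=False):
    """Evaluate one object; returns (passed, attribute_used, maintainers)."""
    if own_object:
        # The route being submitted is checked against its own mnt-by,
        # as in the acknowledgement quoted in the thread.
        attr, mnts = "mnt-by", obj.get("mnt-by", [])
    else:
        attr, mnts = applicable_maintainers(obj)
    passed = any(m in authenticated for m in mnts)
    return passed, attr, mnts


def authorise_route_creation(route, parent, origin, authenticated):
    """Every check must pass; a failed mnt-routes check never falls back to mnt-by."""
    report = {
        "parent": check(parent, authenticated),
        "origin": check(origin, authenticated),
        "route": check(route, authenticated, own_object=True),
    }
    return all(r[0] for r in report.values()), report


def authorise_route_modification(route, authenticated):
    """Modification uses only the mnt-by of the route object itself."""
    return any(m in authenticated for m in route.get("mnt-by", []))


# Constructed objects: the aut-num lists CUSTOMER-MNT in mnt-by but not in mnt-routes.
ROUTE = {"route": "192.0.2.0/25", "origin": "AS64500", "mnt-by": ["CUSTOMER-MNT"]}
PARENT = {"route": "192.0.2.0/24", "origin": "AS64500", "mnt-by": ["CUSTOMER-MNT"]}
ORIGIN = {"aut-num": "AS64500", "mnt-by": ["CUSTOMER-MNT", "AS-OPS-MNT"],
          "mnt-routes": ["AS-OPS-MNT"]}
ORIGIN_NO_MNT_ROUTES = {"aut-num": "AS64500", "mnt-by": ["CUSTOMER-MNT"]}

if __name__ == "__main__":
    ok, report = authorise_route_creation(ROUTE, PARENT, ORIGIN, {"CUSTOMER-MNT"})
    print("Create", "OK" if ok else "FAILED")
    for name, (passed, attr, mnts) in report.items():
        verdict = "authenticated by" if passed else "not authenticated by"
        print(f"  {name}: using {attr}: {verdict}: {', '.join(mnts)}")
```
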