Hi Hank,

I think you are better off asking the RIPE NCC support, (ncc@ripe.net or lir-help@ripe.net if you are already a member).

The DB-WG is not the support mailing list, but I have answered some of your questions below.

> The question is whether to establish their own LIR or use the existing parent LIR.

The parent org can of course sponsor an ASN and/or PI (Provider Independent) resources for the subsidiary, just like any other LIR.

However if the subsidiary wants to hold PA resources, they need to be an LIR.

But there is nothing preventing the parent org from holding the resources and then just delegating them to the subsidiary.

> Your suggestion of using a different MNTNER is intriguing, but wouldn't at some point the parent LIR have to know the password?

No, I think I should clarify that unless you have the default maintainer sync option enabled in the LIR portal, the DB and LIR portal are completely separate.

- Cynthia

On Fri, Nov 20, 2020 at 6:27 AM Hank Nussbacher via db-wg <db-wg@ripe.net> wrote:

On 19/11/2020 21:41, denis walker via db-wg wrote:

Good questions.

I'll try to clarify.

The parent organization has attained their ASN and ip-nets from RIPE NCC over the past 10 years.

The sub-organization is planning on buying IP nets via the IP bourse/exchange and purchase multihoming at IXPs and thereby qualify for their own ASN from RIPE NCC.

The question is whether to establish their own LIR or use the existing parent LIR.

You state "...LIR-PARTITIONED or ALLOCATED-BY-LIR. The suborganisations can separately manage their resources."

When I examined user privs in the LIR portal I saw there is admin or regular - each of which give total control to any resource listed under the LIR.

Your suggestion of using a different MNTNER is intriguing, but wouldn't at some point the parent LIR have to know the password?

Thanks,

Hank
Hi Hank

Your scenario is not clear. When you say "each has their own
resources", how did they get those resources? Were they separate LIRs
that have received allocations, have there been mergers, were they all
allocated to the parent organisation's LIR and distributed to sub
organisations? Or do you mean they each want to have their own
resources?

As far as the database is concerned, address space resources allocated
to the parent organisation's LIR can be distributed to sub
organisations as LIR-PARTITIONED or ALLOCATED-BY-LIR. The sub
organisations can separately manage their resources. If you want
exclusive management control by the sub organisations you can set the
MNTNER attributes accordingly. But ultimately they are still the
parent organisations resources. They could be reclaimed by the parent
organisation. The organisation reference in the allocations will
always be the parent organisation that was allocated the resources by
the RIPE NCC. That cannot be changed.

cheers
denis
co-chair DB-WG

On Thu, 19 Nov 2020 at 16:28, Hank Nussbacher via db-wg <db-wg@ripe.net> wrote:
Can a LIR account handle multi-tenancy?


What if you had a parent organization and a few sub-organizations and each has their own resources (ASN + inetnum) that they wish to manage independently (objects, RPKI, etc) without the other sub-organizations of parent organization able to affect the resources.

Is that at all possible or is the only solution to create a new LIR account?


Thanks,
Hank
Caveat: The views expressed above are solely my own and do not express the views or opinions of my employer