Colleagues
The RIPE Database Requirements Task Force recently published notes on their last meeting showing some of their current thinking and progress so far. This can be read here:
https://www.ripe.net/ripe/mail/archives/ripe-db-requirements-tf/2020-March/000045.html
I am going to play devil's advocate and make a few comments and raise a few questions on this and throw in some issues that may not have been discussed. Some of you may wish to make other comments or discuss some of the points...
cheers
denis
co-chair DB-WG
public - should all/some/none of the RIPE Database data content be public? As a public registry, what data is needed by which stakeholders for this to be a useful registry? It is clear from the recent survey that the RIPE Database is used for other purposes, like IPAM. It was suggested in the notes that this could be offered as a separate service. The RIPE Database involves a considerable amount of infrastructure to provide a very reliable and resilient service. Why duplicate that for another service or provide a lesser service if it can be incorporated into the RIPE Database as non public data? So a requirement could be that the RIPE Database will provide a range of IPAM (and maybe other) services to resource holders using non public data. Or perhaps a mix of (non)public data.
RPSL - whether or not the RIPE Database stores data internally in RPSL format is a design/technical issue, not a requirement concern. The requirement could be that the RIPE Database uses a common, simple format for managing the data content. This format will be reflected in the user interfaces. Where RPSL is required, a conversion of data content into/from RPSL option will be provided.
geolocation - This and the "language:" option were originally added as an experimental service without any concrete requirement. Although it has been discussed several times since, no decision was ever made about it. There were always a few people who liked it, a few who didn't, most had no opinion. Some questions that perhaps need to be answered are:
-Once you have a definition of what geolocation means (in the context of the RIPE Database), can the RIPE Database provide a viable and accurate service within that definition?
-Can it provide a service with additional/complementary benefits to existing 3rd party services, or will it simply replicate or conflict with existing services?
-Is such a service of sufficient benefit to the community/public to justify the effort to maintain it (as an optional/mandatory service)?
Postal and Legal address - The RIPE Database T&C says in Article 3 one of the purposes is:
"Providing information about the Registrant and Maintainer of Internet number resources when the resources are suspected of being used for unlawful activities, to parties who are authorised under the law to receive such information."
Article 10 says the governing law is that of the Netherlands.
-Does Dutch law permit such information to be given directly on request to any relevant party or only to/via the Dutch police or Dutch court? In particular other (pan)national LEAs?
-The purpose in the T&C does not define the process. Does the Dutch law require this to be with a subpoena or will a formal letter be sufficient?
person/role - I don't see the bigger questions being asked:
-Is there a need for ANY personal data in the RIPE Database?
-If so what, how much, for what purpose, which stakeholders need access to which parts of it?
-Should personal data be public?
irt - Perhaps we shouldn't get too hung up on numbers of objects or queries. They have a clearly defined role in a specialist area. The numbers are never going to be high. The main question seems to be:
-is it a useful service to the (security) community?
UTF8 - Something that may not have been discussed yet, but perhaps it is crying out to be considered at a requirement level. The technical aspect has been looked at several times by the RIPE NCC, but it never moves forward because of the social/political/registry/legal issues which cannot be resolved at the technical level:
-Should we allow all/some/none of the data content to be in non Latin characters?
-Is there some data content that must be in Latin characters (for the correct functioning of the registry?), some that can be duplicated in Latin and local characters, some that can be in any format chosen by the resource holder?
-Who can make these decisions (this is the bit that has been missing ever since the subject was first raised)?
RIPE Database Purposes - The DBTF preliminary list of purposes does not cover all the currently defined purposes in the RIPE Database T&C. Were the ommisions intentional?