Hi Hank

Cynthia is right, you would do well to contact RIPE NCC support. However, I will also add some details to your questions.

You said the sub organisation is planning to buy some address space. The RIPE Transfer Policy says resources can only be transferred to another RIPE NCC member. So any purchase will become part of the parent organisation's LIR resources.

It is possible to achieve your goal by 'playing around' with the data in the RIPE Database, but it does present some risk to the parent organisation. [I'm sure the RIPE NCC will correct me if I am wrong here.]

If you want the address space, which will always be considered to be part of the parent organisation's resources, to be totally under the control of the sub organisation then the parent organisation can change the "mnt-by:" and "mnt-lower:" to be the MNTNER of the sub organisation and remove their own MNTNER. The resources are now still owned by the parent organisation but totally under the control of the sub organisation. I don't know why you would want this arrangement. If you do this the parent organisation will lose all management control over the resources, but still retains any liability for their use. They also cut themselves off from using the reclaim functionality as that relies on the "mnt-lower:" in the resource object.

cheers
denis
co-chair DB-WG

On Fri, 20 Nov 2020 at 06:27, Hank Nussbacher via db-wg <db-wg@ripe.net> wrote:
On 19/11/2020 21:41, denis walker via db-wg wrote:
Good questions.
I'll try to clarify.
The parent organization has attained their ASN and ip-nets from RIPE NCC over the past 10 years. The sub-organization is planning on buying IP nets via the IP bourse/exchange and purchase multihoming at IXPs and thereby qualify for their own ASN from RIPE NCC. The question is whether to establish their own LIR or use the existing parent LIR.

You state "...LIR-PARTITIONED or ALLOCATED-BY-LIR. The suborganisations can separately manage their resources." When I examined user privs in the LIR portal I saw there is admin or regular - each of which gives total control to any resource listed under the LIR. Your suggestion of using a different MNTNER is intriguing, but wouldn't at some point the parent LIR have to know the password?
Thanks, Hank
Hi Hank
Your scenario is not clear. When you say "each has their own resources", how did they get those resources? Were they separate LIRs that have received allocations, have there been mergers, were they all allocated to the parent organisation's LIR and distributed to sub organisations? Or do you mean they each want to have their own resources?
As far as the database is concerned, address space resources allocated to the parent organisation's LIR can be distributed to sub organisations as LIR-PARTITIONED or ALLOCATED-BY-LIR. The sub organisations can separately manage their resources. If you want exclusive management control by the sub organisations you can set the MNTNER attributes accordingly. But ultimately they are still the parent organisation's resources. They could be reclaimed by the parent organisation. The organisation reference in the allocations will always be the parent organisation that was allocated the resources by the RIPE NCC. That cannot be changed.

cheers
denis
co-chair DB-WG
On Thu, 19 Nov 2020 at 16:28, Hank Nussbacher via db-wg <db-wg@ripe.net> wrote:
Can a LIR account handle multi-tenancy?
What if you had a parent organization and a few sub-organizations and each has their own resources (ASN + inetnum) that they wish to manage independently (objects, RPKI, etc) without the other sub-organizations of the parent organization being able to affect the resources?
Is that at all possible or is the only solution to create a new LIR account?
Thanks, Hank

Caveat: The views expressed above are solely my own and do not express the views or opinions of my employer
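
An added example, not part of the original thread and not RIPE NCC code: a small audit over RPSL object text that reports resources where the parent organisation's MNTNER no longer appears in "mnt-by:" or "mnt-lower:", the situation described in the thread as losing management control and the reclaim functionality. The maintainer names PARENT-MNT and SUBORG-MNT and the address ranges are constructed placeholders.

```python
import re

# Constructed sample objects (documentation address range, hypothetical
# maintainer names); not taken from the RIPE Database.
SAMPLE = """\
inetnum:        192.0.2.0 - 192.0.2.127
status:         LIR-PARTITIONED PA
mnt-by:         PARENT-MNT, SUBORG-MNT
mnt-lower:      PARENT-MNT
mnt-lower:      SUBORG-MNT

inetnum:        192.0.2.128 - 192.0.2.255
status:         LIR-PARTITIONED PA
mnt-by:         SUBORG-MNT
mnt-lower:      SUBORG-MNT
"""

def parse_objects(text):
    """Split RPSL text into objects, each a list of (attribute, value) pairs."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = []
        for line in block.splitlines():
            if line[:1] in "%#+ \t" or ":" not in line:
                continue  # skip server comments and continuation lines
            key, value = line.split(":", 1)
            attrs.append((key.strip().lower(), value.split("#")[0].strip()))
        if attrs:
            objects.append(attrs)
    return objects

def maintainers(attrs, attribute):
    """Collect maintainer names from repeated or comma-separated attributes."""
    return {m.strip().upper() for k, v in attrs if k == attribute
            for m in v.split(",") if m.strip()}

def audit(text, parent_mnt):
    """Map each object's primary key to the attributes lacking parent_mnt."""
    report = {}
    for attrs in parse_objects(text):
        missing = [a for a in ("mnt-by", "mnt-lower")
                   if parent_mnt not in maintainers(attrs, a)]
        if missing:
            report[attrs[0][1]] = missing
    return report

if __name__ == "__main__":
    for key, missing in audit(SAMPLE, "PARENT-MNT").items():
        print(key, "-> parent MNTNER absent from:", ", ".join(missing))
```
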