On Jun 13, 2018, at 8:03 AM, Lu Heng via db-wg <db-wg@ripe.net> wrote:
The ultimate discussion should be, and will be, is it RIPE net or internet?
I am saying the current situation will break network by forbidding change it, and it is network we break, really doesn’t matter where it is which registry it from.
We are victims of massive hijacking, many of my space get registered without our knowledge as well, we spend time and money monitoring ripe dB for none authorised registration as well, I wish I don’t have to do it, I wish Afrinic IRR can function properly tomorrow, but until then, now ripe dB is our most visiable solution.
I do not understand your argument. You want to register your route object, good. Afrinic makes that difficult to do securely, so sorry. Your route object is “foreign” to RIPE. You recognize that the ability to register “foreign” route objects in RIPE is a security hole in RIPE. So your registered route objects are insecure in the RIPE db. You have experienced that insecurity first hand. You have not answered why any of the other IRRs would not suit your purposes just as well. Your registered route objects would be insecure in other IRRs, but no more insecure than in the RIPE db. “most visible solution” is not the same as “only solution”. If you can’t say why only RIPE provides your needs, there is no “break” in the network, and your argument is not persuasive. —Sandy
I hope we can make effect together to get Afrinic fix their IRR, it is internet, it’s not just “Afrinic people business”, it is all of us’s business, internet is one.
And until then, I think there is not enough consensus from the community to implement this change in the future. I would like to ask the chair, how can we ask RIPE to pause this implementation?
On Wed, Jun 13, 2018 at 19:11 Job Snijders <job@instituut.net> wrote: On Wed, Jun 13, 2018 at 10:56 AM, Lu Heng <h.lu@anytimechinese.com> wrote:
Internet is one, and this is a general problem of all Afrinic space, just don’t make it personal please.
I didn't intend to make anything personal, so phrased differently: What you highlight is ultimately a problem between AfriNIC members and the AfriNIC organisation.
I hope Afrinic fix it rather soon that way every thing works, until then, prevent network change is one way of breaking it.
I am sympathetic, but RIPE has no obligation to keep a glaring security hole open to accommodate another RIR's lack of expedience.
As I mentioned at the microphone at the last DB-WG session, right now I can simply register ALL not-yet-registered IP space in the RIPE NCC database and in doing so lock out anyone else from making any registrations for non-RIPE-managed space. There is nothing in place to stop anyone from doing so, this would immediately fix the security problem. I hope this both illustrates the size of the security hole and the problem of any business process relying on the existence of the hole.
Kind regards,
Job -- -- Kind regards. Lu