Re: mnt-routes attribute in aut-num objects
Dear Frank,

As RFC2725 says on page 18:

    Having found the AS and either a route object or inetnum, the authorization is taken from these two objects. The applicable maintainer object is any referenced by the mnt-routes attributes. If one or more mnt-routes attributes are present in an object, the mnt-by attributes are not considered. In the absence of a mnt-routes attribute in a given object, the mnt-by attributes are used for that object. The authentication must match one of the authorizations in each of the two objects.

I.e. if the "mnt-routes" attribute is present, then at least one of the maintainers from "mnt-routes" should pass the authorisation. If none of them passes, the creation is refused - no further check is done with the "mnt-by" attribute in case of "mnt-routes" failure. The "mnt-by" attribute is used only if "mnt-routes" is not present.

This applies only to route object creation. For route object modification only the "mnt-by" of the object itself is used to check the authorisation.

If you have any more questions, please contact <ripe-dbm@ripe.net>.

Regards,
Katie Petrusha
____________________________
RIPE Database Administration.

Original message follows:
------------------------

Dear Colleagues,

how exactly is this meaning of MNT-ROUTES in AUT-NUM objects in case of route object creation/modification? RFC2725 is not really detailed here.

Means the existence of an MNT-ROUTES attribute in an AUT-NUM object that ONLY this/these referenced maintainer(s) will be able to authorize route creation/modification and the referenced MNT-BY maintainer(s) will not be used? Or should not the MNT-BY maintainer(s) be checked if all MNT-ROUTES maintainer(s) authorisation fails?

The current RIPE software checks MNT-ROUTES maintainers only.

Thanks
Frank

From: "Frank Bohnsack" <Frank.Bohnsack@deu.mci.com>
Subject: LONGACK
Date: Mon, 4 Aug 2003 23:42:06 +0200
Reply-To: Frank.Bohnsack@deu.mci.com
Message-ID: <FAEKJBKGENGFILMMECELOEHICAAA.Frank.Bohnsack@deu.mci.com>
...
DETAILED EXPLANATION:
***Warning: Invalid keyword(s) found: LONGACK
***Warning: All keywords were ignored

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following object(s) were found to have ERRORS:

---
Create FAILED: [route] 139.8.32.0/24AS702
***Error: Authorisation failed
***Info: Syntax check passed

route:        139.8.32.0/24
descr:        DE PI route
origin:       AS702
member-of:    AS702:RS-DE, AS702:RS-DE-PI, AS702:RS-DE-PULLUP
mnt-by:       WCOM-EMEA-RICE-MNT
changed:      rice@lists.mci.com 20030804
source:       RIPE

***Info: Authorisation for parent [route] 139.8.0.0/16AS702
         using mnt-by:
         authenticated by: WCOM-EMEA-RICE-MNT

***Info: Authorisation for origin [aut-num] AS702
         using mnt-routes:
         not authenticated by: UUNETDK-MNT, AS1270-MNT, AS1849-MNT, AS1890-MNT, IWAY-NOC, AS702-MNT, SE-UUNET-MNT, UUNETDE-I

***Info: Authorisation for [route] 139.8.32.0/24AS702
         using mnt-by:
         authenticated by: WCOM-EMEA-RICE-MNT

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For assistance or clarification please contact: RIPE Database Administration <ripe-dbm@ripe.net>
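
The following is an added example, not part of the original messages and not the RIPE Database software: a minimal Python model of the route-creation check described above, replayed against the failed submission. Objects are reduced to their maintainer attributes, the function names are hypothetical, the AS702 mnt-routes list is a subset of the one in the report, and the AS702 mnt-by value is constructed because the page does not show it.

```python
# Added illustration of the precedence rule; not RIPE's implementation.

def applicable_maintainers(obj):
    """For route creation, mnt-routes (if present) replaces mnt-by entirely."""
    attr = "mnt-routes" if obj.get("mnt-routes") else "mnt-by"
    return attr, obj.get(attr, [])

def authorise_route_creation(new_route, parent, origin_as, authenticated):
    """Return (ok, report); `authenticated` is the set of maintainers whose
    credentials the submission satisfied."""
    report = []
    ok = True
    for label, obj in (("parent", parent), ("origin", origin_as)):
        attr, mntners = applicable_maintainers(obj)
        passed = sorted(set(mntners) & authenticated)
        report.append((label, attr, passed))
        ok = ok and bool(passed)  # one match is needed in EACH object
    # The new object is checked against its own mnt-by, as in the report.
    passed = sorted(set(new_route.get("mnt-by", [])) & authenticated)
    report.append(("route", "mnt-by", passed))
    return ok and bool(passed), report

def authorise_route_modification(route, authenticated):
    """Modification consults only the mnt-by of the route object itself."""
    return bool(set(route.get("mnt-by", [])) & authenticated)

# Sample data built from the report above.
NEW_ROUTE = {"mnt-by": ["WCOM-EMEA-RICE-MNT"]}   # 139.8.32.0/24AS702
PARENT = {"mnt-by": ["WCOM-EMEA-RICE-MNT"]}      # 139.8.0.0/16AS702
AS702 = {
    "mnt-routes": ["UUNETDK-MNT", "AS1270-MNT", "AS702-MNT"],  # subset
    "mnt-by": ["WCOM-EMEA-RICE-MNT"],  # constructed: not shown on the page
}
AUTHENTICATED = {"WCOM-EMEA-RICE-MNT"}

if __name__ == "__main__":
    ok, report = authorise_route_creation(NEW_ROUTE, PARENT, AS702, AUTHENTICATED)
    print("Create", "OK" if ok else "FAILED")
    for label, attr, passed in report:
        print(f"  {label}: using {attr}: authenticated by {passed or 'nobody'}")
```

Even with the authenticated maintainer placed in the aut-num's mnt-by, creation fails because mnt-routes is present and is the only attribute consulted for that object.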