Hi
On Sat, Jun 16, 2018 at 00:11 Daniel Suchy via db-wg wrote:
> On 06/15/2018 04:52 PM, Lu Heng via db-wg wrote:
> > Ripe and Afrinic, are not “someone else”, they are part of an unified RIR
> > system that adminiatrating the numbers.
>
> The system is *not* unified. Each RIR has it's own
On 06/15/2018 04:52 PM, Lu Heng via db-wg wrote:
> Ripe and Afrinic, are not “someone else”, they are part of an unified RIR
> system that adminiatrating the numbers.
The system is *not* unified. Each RIR has it's own policies, own rules,
own implementation of the database...
> As Job suggested,
I don’t see and I don’t think it’s relevant.
As Job suggested, let’s wait RIPE their plan and future discuss the
timeline—If Afrinic haven’t fix things by then.
In the meanwhile, I would hope globene community put joint effect to have
Afrinic fix their IRRs.
On Fri, Jun 15, 2018 at 23:54 Sandra
> On Jun 15, 2018, at 9:12 AM, Sascha Luck [ml] via db-wg
> wrote:
>
> There is nothing stupid or unreasonable about asking to delay an
> action that *will* cause operational issues even if their root
> cause lies elsewhere.
“Our operation relies on insecurity in the IRR database, so we want
On Fri, Jun 15, 2018 at 23:50 Sandra Murphy wrote:
>
> > On Jun 15, 2018, at 8:55 AM, Lu Heng via db-wg wrote:
> >
> > It’s internet, one internet, and it belong to everyone. just don’t tell
> someone else what must to be doing.
>
> Considering that you are asking RIPE to change RIPE's plans
On Fri, Jun 15, 2018 at 22:40 Job Snijders wrote:
> Hi all,
>
> On Fri, Jun 15, 2018 at 3:37 PM, Lu Heng via db-wg wrote:
> > On Fri, Jun 15, 2018 at 22:16 denis walker via db-wg
> wrote:
> >>
> >> Lu, the point being made is that RIPE (community, working groups,
> chairs,
> >> NCC) have no
Hi all,
On Fri, Jun 15, 2018 at 3:37 PM, Lu Heng via db-wg wrote:
> On Fri, Jun 15, 2018 at 22:16 denis walker via db-wg wrote:
>>
>> Lu, the point being made is that RIPE (community, working groups, chairs,
>> NCC) have no authority to change policies or procedures in the AFRINIC
>> region. If
Hi,
On Fri, Jun 15, 2018 at 02:12:54PM +0100, Sascha Luck [ml] via db-wg wrote:
> There is nothing stupid or unreasonable about asking to delay an
> action that *will* cause operational issues even if their root
> cause lies elsewhere.
Since no existing objects will be removed, it will not break
On Fri, Jun 15, 2018 at 02:57:17PM +0200, Gert Doering via db-wg wrote:
Please learn to read.
"Address management, delegation and authority are very clearly regionalized",
which means you cannot just go to some place you find convenient and complain
about problems elsewhere.
I would sort out
Hi,
On Fri, Jun 15, 2018 at 09:55:14PM +0900, Lu Heng wrote:
> > Internet doesn't distingish *traffic*, but that is not the relevant
> > question here anyway. Address management, delegation and authority
> > are very clearly regionalized, so any beef you have with Afrinic-delegated
> > space
Hi
On Fri, Jun 15, 2018 at 21:53 Gert Doering wrote:
> Hi,
>
> On Fri, Jun 15, 2018 at 09:48:12PM +0900, Lu Heng via db-wg wrote:
> > RIR IRR should not work separately, as internet doesn???t distinguish
> from
> > ripe traffic to Afrinic traffic, we shouldn???t solve one problem here
> and
> >
---
> *From:* Job Snijders
> *To:* denis walker
> *Cc:* Lu Heng ; Database WG
> *Sent:* Friday, 15 June 2018, 14:03
> *Subject:* Re: [db-wg] A test on AFRINIC range announcing without RIPE
> route object
>
> Dear Denis,
>
> On Fri, Jun 15, 2018 at 1:58 PM
: Friday, 15 June 2018, 14:03
Subject: Re: [db-wg] A test on AFRINIC range announcing without RIPE route
object
Dear Denis,
On Fri, Jun 15, 2018 at 1:58 PM, denis walker via db-wg wrote:
> My current understanding is that AFRINIC does not refuse to create a ROUTE
> simply because you do n
Dear Denis,
On Fri, Jun 15, 2018 at 1:58 PM, denis walker via db-wg wrote:
> My current understanding is that AFRINIC does not refuse to create a ROUTE
> simply because you do not own the foreign ASN. They may do some additional
> checks, but if everything is in order they will permit the ROUTE
Hi Lu
My current understanding is that AFRINIC does not refuse to create a ROUTE
simply because you do not own the foreign ASN. They may do some additional
checks, but if everything is in order they will permit the ROUTE creation. So
this is not a show stopper.
As a side note, if you have
Hi Lu,
Are you disagreeing with the proposal, or disagreeing with the implementation
details? I have seen several requests to delay implementation, but none with a
valid technical reason to not close a security flaw. As I brought up at the
microphone, I would love to see a solution built that
Hi Denis:
Consensus is neither unanimity nor majority.
Below is a quotation from RFC:
"quite often we are letting the majority win the day without consideration
of minority concerns. "
"Lack of disagreement is more important than agreement"
"Rough consensus is achieved when all issues are
Hi All
The co-chairs of the DB-WG are talking in the background to the RIRs about how
this change will impact the holders of their address space. We are following
the points raised here and checking some issues with the appropriate RIRs. The
RIPE NCC Database team is also in the loop of these
I personally think the highest priority for RIPE should be to clean up the
security of the RIPE database to reduce the ability to use it for undesired
purposes. Once the database is locked down to ensure that only authenticated
RIPE members can register space that is registered to them, then
i think the bottom line here is that the IRR, and by that i mean the
total collection of IRR instances, is poorly secured by design. we
can spend a lot of time with patches and workarounds, or we can take
it for what it is and live with it.
if you want security and authenticity by design, use
> Why can't small ISPs use the IRR provided by the RIR?
this may come as a shock, but not all isps are close to their regional
rir.
> You only end up in a third party IRR database (such as RADB) if you
> have a prefix from AfriNIC and an ASN from RIPE.
and hundreds of dollars per year
> But if
BUSH, RANDY, DBWGOPS would like to recall the message, "A test on
AFRINIC range announcing without RIPE route object".
?
> [ off list ]
well, it wasn't. thanks to header modification by broken do-gooder
email software. do not modify email headers!!!
On Wed, Jun 13, 2018 at 09:39:52AM -0700, Randy Bush via db-wg wrote:
> [ off list ]
this was not offlist.
> isps need the irr-based filtering 'telcoms' to use all the irr
> instances, as small emerging economy isps can not afford radb and will
> soon not be able to use ripe. so the attackers
[ off list ]
isps need the irr-based filtering 'telcoms' to use all the irr
instances, as small emerging economy isps can not afford radb
and will soon not be able to use ripe. so the attackers will
use the irr instance with lowest security to spoof.
randy
> On Jun 13, 2018, at 9:23 AM, Lu Heng via db-wg wrote:
>
> I do not mean in the very least sense to delay an implementation unless the
> risk shown by it is far too serious. So if it is just because no one notices
> the problem in the very beginning (which I am trying to address now)
Not
> On Jun 13, 2018, at 8:03 AM, Lu Heng via db-wg wrote:
>
> The ultimate discussion should be, and will be, is it RIPE net or internet?
>
> I am saying the current situation will break network by forbidding change it,
> and it is network we break, really doesn’t matter where it is which
Lu Heng via db-wg wrote on 13/06/2018 14:23:
All I am asking here is to delay implementation and give Afrinic
sometime to fix their IRR.
I don't see a good reason to do this. Afrinic have a process in place
to create route objects and there are other IRRDBs which can be used as
an
Hi colleagues:
I do not mean in the very least sense to delay an implementation unless the
risk shown by it is far too serious. So if it is just because no one
notices the problem in the very beginning (which I am trying to address
now), does that mean we have to ignore it? A dangerous bridge
Hi,
On Wed, Jun 13, 2018 at 08:11:34PM +0800, Lu Heng wrote:
> On Wed, Jun 13, 2018 at 20:10 Gert Doering wrote:
>
> > On Wed, Jun 13, 2018 at 08:03:20PM +0800, Lu Heng via db-wg wrote:
> > > And until then, I think there is not enough consensus from the community
> > to
> > > implement this
Lu Heng via db-wg wrote on 13/06/2018 13:11:
On Wed, Jun 13, 2018 at 20:10 Gert Doering wrote:
This has been discussed extensively and there has been consensus to go
ahead with this.
That’s a bullying answer.
What Gert said was simply a statement of fact:
On Wed, Jun 13, 2018 at 20:10 Gert Doering wrote:
> Hi,
>
> On Wed, Jun 13, 2018 at 08:03:20PM +0800, Lu Heng via db-wg wrote:
> > And until then, I think there is not enough consensus from the community
> to
> > implement this change in the future.
>
> This has been discussed extensively and
Hi,
On Wed, Jun 13, 2018 at 08:03:20PM +0800, Lu Heng via db-wg wrote:
> And until then, I think there is not enough consensus from the community to
> implement this change in the future.
This has been discussed extensively and there has been consensus to go
ahead with this.
Gert Doering
The ultimate discussion should be, and will be, is it RIPE net or internet?
I am saying the current situation will break network by forbidding change
it, and it is network we break, really doesn’t matter where it is which
registry it from.
We are victims of massive hijacking, many of my space
Dear Denis,
On Wed, Jun 13, 2018 at 11:45:24AM +, denis walker wrote:
> >> In conclusion, If you employ a non-Afrinic asn for announcements
> >> (which means a foreign asn), using RIPE’s route object will be the
> >> only choice for you unless you are one of those big telecoms which
> >> has
Sascha Luck [ml] via db-wg wrote on 13/06/2018 12:39:
Secondly, there is an unintended consequence to this, namely
that, if you make it impossible for a segment of resource holders
to register their routes properly, some transit providers and
IXPs will have no choice but to accept their
Hi Job
From: Job Snijders via db-wg
To: Lu Heng
Cc: Database WG
Sent: Wednesday, 13 June 2018, 12:52
Subject: Re: [db-wg] A test on AFRINIC range announcing without RIPE route
object
>>
>> In conclusion, If you employ a non-Afrinic asn for announcements
>
On Wed, Jun 13, 2018 at 11:11:09AM +, Job Snijders via db-wg wrote:
I am sympathetic, but RIPE has no obligation to keep a glaring
security hole open to accommodate another RIR's lack of expedience.
There was a time when it would have been seen as the obligation
of any RIR to keep the
+1 ... in CAPITAL LETTERS too.
Regards,
Peter Thimmesch
--
hic sunt dracones
On Jun 13, 2018, at 7:12 PM, Job Snijders via db-wg
mailto:db-wg@ripe.net>> wrote:
On Wed, Jun 13, 2018 at 10:56 AM, Lu Heng
mailto:h...@anytimechinese.com>> wrote:
Internet is one, and
On Wed, Jun 13, 2018 at 10:56 AM, Lu Heng wrote:
> Internet is one, and this is a general problem of all Afrinic space, just
> don’t make it personal please.
I didn't intend to make anything personal, so phrased differently:
What you highlight is ultimately a problem between AfriNIC members and
Hi Job:
Internet is one, and this is a general problem of all Afrinic space, just
don’t make it personal please.
I hope Afrinic fix it rather soon that way every thing works, until then,
prevent network change is one way of breaking it.
On Wed, Jun 13, 2018 at 18:52 Job Snijders wrote:
> Dear
Dear Lu,
On Wed, Jun 13, 2018 at 06:19:10PM +0800, Lu Heng via db-wg wrote:
> In the past three weeks, we have done some tests on 3 AFRINIC /24
> which have been announced in the US, Europe, and Asia, by an ARIN ASN,
> APNIC ASN, and an RIPE ASN.
>
> Test results:
>
> If it is a direct announce
42 matches
Mail list logo