Hi Martin,

well, not only as-set and route. Assuming only the legitimate owners of the inetnum and aut-num have the passwords for the mntner of those objects, they can modify their RIPE DB objects and can create routes. So to create a route object, you have to have access to the inetnum and aut-num objects (these can have different passwords and owners in general). Then, you state in your aut-num the import and export to some upstream. To do that, you have to use your password, of course. Then your upstream modifies its aut-num, stating import of your ASN from you and export of your ASN to its upstream... and so on. So it is possible to provide a full chain of trust inside the RIPE region that way.

As-sets are only a way to manage a lot of downstreams' ASNs more easily. Many ISPs use them; there is some software, like the one RETN made, to build prefix lists for your downstreams automatically. And it works.

There are three problems. First, it is RIPE region specific only. You can't do that with ARIN nets, for example. Second, it is RIPE-dependent, so we depend on the RIPE DB when we do routing. In some cases it can do some harm. Third, if someone steals or "recovers" the RIPE DB password for some inetnum, he can easily do a hijack through a system that uses RIPE DB filtering.

On 04.02.16 13:14, Martin T wrote:
Hi,
am I correct that ISPs (in the RIPE region) who update their BGP prefix filters automatically ask their IP transit customer or peering partner to provide their "route"/"route6" object(s) or "as-set" object in order to find all the prefixes which they should accept? If the IP transit customer or peering partner provides an "as-set", then the ISP needs to ensure that this "as-set" belongs to this IP transit customer or peering partner because there is no automatic authentication for this, i.e. anybody can create an "as-set" object in the database with random "members" attributes? This is the opposite of "route"/"route6" objects, which follow a strict authentication scheme. In addition, in the case of an "as-set", an ISP needs to recursively find all the AS numbers from the "members" attributes because an "as-set" can include other "as-sets"? Quite a lot of questions, but I would simply like to be sure that I understand this correctly.
thanks, Martin
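
The recursive as-set expansion and ownership check discussed in this thread, as an added example that is not part of the original messages or of any tool mentioned in them. The objects in `SAMPLE_DB` are constructed, the function names are hypothetical, and the customer's maintainer (`expected_mntner`) is assumed to be known to the ISP out of band.

```python
import re
# Constructed sample objects in RPSL style (documentation ASNs and prefixes only).
SAMPLE_DB = """\
as-set: AS-EXAMPLE-CUST
members: AS64500, AS-EXAMPLE-DOWN
mnt-by: EXAMPLE-MNT

as-set: AS-EXAMPLE-DOWN
members: AS64501, AS-EXAMPLE-CUST

route: 192.0.2.0/24
origin: AS64500

route6: 2001:db8::/32
origin: AS64501

route: 203.0.113.0/24
origin: AS64511
"""

def parse_rpsl(text):
    """Blank-line separated objects -> lists of (attribute, value) pairs."""
    return [[tuple(p.strip() for p in ln.split(":", 1)) for ln in blk.splitlines() if ":" in ln]
            for blk in re.split(r"\n\s*\n", text.strip())]

def expand_as_set(name, as_sets):
    """Resolve nested as-sets to AS numbers; 'seen' stops membership loops."""
    asns, seen, todo = set(), set(), [name]
    while todo:
        member = todo.pop()
        if re.fullmatch(r"AS\d+", member):
            asns.add(member)
        elif member not in seen:
            seen.add(member)
            todo.extend(as_sets.get(member, []))
    return asns

def build_prefix_filter(text, as_set_name, expected_mntner):
    """Prefixes originated inside the as-set. Assumes expected_mntner is known out of band."""
    as_sets, owners, routes = {}, {}, []
    for (cls, key), *rest in parse_rpsl(text):
        if cls == "as-set":
            as_sets[key] = re.findall(r"[^,\s]+", ",".join(v for a, v in rest if a == "members"))
            owners[key] = {v for a, v in rest if a == "mnt-by"}
        elif cls in ("route", "route6"):
            routes.append((key, dict(rest).get("origin")))
    if expected_mntner not in owners.get(as_set_name, set()):
        raise ValueError(f"{as_set_name} is not maintained by {expected_mntner}")
    asns = expand_as_set(as_set_name, as_sets)
    return sorted(prefix for prefix, origin in routes if origin in asns)
```

Only the top-level as-set's `mnt-by` is checked here; nested sets are expanded as found, and the two sample sets reference each other to exercise the loop guard.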