<html><head></head><body><div class="ydpe8e4c7dyahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:16px;"><div></div>
<div>Hi Havard</div><div><br></div><div>(Sorry for not posting inline but yahoo doesn't allow for that option.)</div><div><br></div><div>It is not quite a 'normal' delete. You are deleting an object using the authorisation from another, related, object. But not from any MNTNER on the object you are deleting. This is not possible in any other situation.</div><div><br></div><div>Often when someone is given a sub-allocation the "mnt-by:" will be set to the LIRs MNTNER but the "mnt-lower:" may be set to the receiving organisation's MNTNER so they can make assignments. The sub-allocation could be split into two 'LIR PARTITIONED' objects, from which assignments can still be made. Then without this route creation flow, ROUTE objects could be created for the 'LIR PARTITIONED' objects. The first test would be for an exact matching INETNUM object. This would over ride any "mnt-routes:" set on the sub allocation object.</div><div><br></div><div>cheers</div><div>denis</div><div><br></div><div>co-chair DB-WG</div><div><br></div>
</div><div id="ydpf5c1c5d8yahoo_quoted_5746281095" class="ydpf5c1c5d8yahoo_quoted">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
<div>
On Tuesday, 16 April 2019, 09:48:58 CEST, Havard Eidnes <he@uninett.no> wrote:
</div>
<div><br></div>
<div><br></div>
<div><div dir="ltr">Hi, Denis,<br clear="none"><br clear="none">thanks for your follow-up.<br clear="none"><br clear="none">> Firstly the 'forced delete' has nothing to do with the LIR<br clear="none">> portal. It is also indifferent to the authentication option you<br clear="none">> use (signed email, password, SSO). If you are the holder of an<br clear="none">> allocation or PI assignment then you can delete a ROUTE object<br clear="none">> for your resource or any more specific range using the MNTNER<br clear="none">> authentication on the resource object.<br clear="none"><br clear="none">OK, so a "forced delete" is just a normal "delete" operation?<br clear="none">Not sure then why it deserves the "forced" tag...<br clear="none"><br clear="none">> Why is authorisation still needed from a ROUTE object? I don't<br clear="none">> know much about how you guys structure your routing, but purely<br clear="none">> from the Database rules I can suggest this possible scenario<br clear="none">> (although it may not apply in practise). Suppose an LIR makes a<br clear="none">> sub-allocation to another organisation, but the LIR routes the<br clear="none">> whole of their allocation including the sub-allocation. The<br clear="none">> organisation holding the sub-allocation cannot choose to route<br clear="none">> their sub-allocation without the consent of the LIR as to<br clear="none">> create such a ROUTE object would need to be authorised by the<br clear="none">> LIR's ROUTE object covering the whole allocation.<br clear="none"><br clear="none">That's normally what happens with PA address blocks.<br clear="none"><br clear="none">However, I still don't understand why authorization via an<br clear="none">existing route object would be needed in that case -- all that<br clear="none">would be needed to express the stated restriction is either<br clear="none">mnt-lower or mnt-routes attributes in the enclosing address space<br clear="none">object (inet{,6}num), which is typically held and maintained by<div class="ydpf5c1c5d8yqt0342226051" id="ydpf5c1c5d8yqtfd96497"><br clear="none">the LIR.<br clear="none"><br clear="none">Best regards,<br clear="none"><br clear="none">- HÃ¥vard</div></div></div>
</div>
</div></body></html>