RIPE NCC 24/09/2013 Routing Security Training

Intro

IRR / Internet routing registry (irr.net)
RIPE db is actually a subset of the IRR
some objects are part of both (ROUTE/AS-Numbers)
why all that? Question: “Is this ASN authorized to announce this IP range?”
Problem: Legacy space
Bigger Problems: ISPs might not ask for a ROUTE object and just announce IP address space – who holds them back?
> one way is to use ROUTE objects

the IRR is composed of 43 databases; RIPE is one of them, RPSL and Level3 are others.

the further south/east you go, the fewer requirements there are to announce a prefix (probably only a bag of money)

Issue/Challenge: routing and the database are related but not the same
what do you announce? what do you accept? >> RPSL!
~85% match between RIPE and BGP

database

primary lookup key for persons:
– handle
– email
primary lookup key for inetnum:
– netname
– ip range

what is a primary lookup?
query: “-v inetnum”

The inetnum class:

An inetnum object contains information on allocations and
assignments of IPv4 address space.

inetnum: [mandatory] [single] [primary/lookup key]
netname: [mandatory] [single] [lookup key]
descr: [mandatory] [multiple] [ ]
country: [mandatory] [multiple] [ ]
geoloc: [optional] [single] [ ]
language: [optional] [multiple] [ ]
org: [optional] [single] [inverse key]

now look up an assignment, e.g. 80.252.80.0, which returns:
inetnum: 80.252.80.0 - 80.252.81.255
netname: TC-IS_SERVICES
descr: TelecityGroup customer Services/IS
country: NL
remarks: In case of abuse please email: abuse@telecity.com
admin-c: TA515-RIPE
tech-c: TT556-RIPE
status: ASSIGNED PA
mnt-by: TELECITY-MNT
mnt-by: TELECITY-NL-MNT
source: RIPE #Filtered

which is an assignment – but what is the allocation?

either: do -L --no-personal x.x.x.x (-L returns the less specific objects, i.e. the covering allocation)

or do inverse search!
-i org ORG-TP3-RIPE

shows all assignments for Telecity’s ORG ID

useful: -i person and your company handle!
example: -i person AR10441-RIPE
shows where you are allocated
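Added example (not code from the training or from RIPE NCC): a small parser for whois/RPSL output such as the inetnum object above, turning each object into a dict of attribute to list of values so that multi-valued attributes like the two mnt-by lines are kept. The response text is constructed inline from that object plus a made-up person object with a continuation line.

```python
# Constructed whois response: the inetnum object from the notes above plus a
# server comment line and a second (made-up) object with a continuation line.
SAMPLE_RESPONSE = """\
% This is the RIPE Database query service (constructed sample)

inetnum:        80.252.80.0 - 80.252.81.255
netname:        TC-IS_SERVICES
descr:          TelecityGroup customer Services/IS
country:        NL
remarks:        In case of abuse please email: abuse@telecity.com
admin-c:        TA515-RIPE
tech-c:         TT556-RIPE
status:         ASSIGNED PA
mnt-by:         TELECITY-MNT
mnt-by:         TELECITY-NL-MNT
source:         RIPE # Filtered

person:         Example Person
address:        Example Street 1
                Amsterdam
nic-hdl:        AR10441-RIPE
source:         RIPE
"""

def parse_rpsl(text):
    """Return a list of objects, each a dict mapping attribute -> list of values.
    Objects are separated by blank lines, '%' lines are server comments, a line
    starting with whitespace continues the previous attribute, and an
    end-of-line '# ...' comment (the 'Filtered' marker on source:) is dropped."""
    objects, current, last_key = [], {}, None
    for line in text.splitlines():
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                objects.append(current)
            current, last_key = {}, None
            continue
        if line[0] in " \t" and last_key:              # continuation line
            current[last_key][-1] += " " + line.strip()
            continue
        key, _, value = line.partition(":")
        value = value.split("#", 1)[0].strip()          # drop RPSL comment
        current.setdefault(key.strip(), []).append(value)
        last_key = key.strip()
    if current:
        objects.append(current)
    return objects
```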

remember to PROTECT objects and create ROLE OBJECTS
do not assign people to admin-c/tech-c

RIPE will never allow you to be MNT-BY in an inetnum or ASN
only mnt-lower, mnt-routes, mnt-domains (for PTRs)

so if you want to edit a ROUTE(6) object:
you need up to THREE passwords!
AS number
INET(6)NUM
ROUTE(6)

problem: the customer doesn’t want you to have their maintainer passwords
Solution: create a mnt-routes in the INET(6)NUM and add the customer’s maintainer object there!
Alternative: the customer adds our maintainer to their AS number as “mnt-routes”
both will work
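Added example (not from the training or RIPE NCC) that models the “up to three passwords” rule and both delegation options above. The precedence it assumes is simplified: address space uses mnt-routes if present, else mnt-lower, else mnt-by; the aut-num uses mnt-routes, else mnt-by; the route object needs its own mnt-by. Maintainer names other than RIPE-NCC-HM-MNT (the RIPE NCC hostmaster maintainer) and the AS number are made up.

```python
import copy

# Constructed objects (maintainer names are made up, except RIPE-NCC-HM-MNT,
# the RIPE NCC hostmaster maintainer that holds mnt-by on allocations).
INETNUM = {"inetnum": "80.252.80.0 - 80.252.81.255",
           "mnt-by": ["RIPE-NCC-HM-MNT"], "mnt-lower": ["TELECITY-MNT"],
           "mnt-routes": []}
AUT_NUM = {"aut-num": "AS64496", "mnt-by": ["CUSTOMER-MNT"], "mnt-routes": []}
NEW_ROUTE = {"route": "80.252.80.0/23", "origin": "AS64496",
             "mnt-by": ["TELECITY-MNT"]}

def required_maintainers(inetnum, aut_num, route):
    """The three maintainer lists a route creation must satisfy (one maintainer
    from each). Assumed, simplified precedence: address space uses mnt-routes,
    else mnt-lower, else mnt-by; aut-num uses mnt-routes, else mnt-by; the
    route object itself needs its own mnt-by."""
    address = inetnum["mnt-routes"] or inetnum["mnt-lower"] or inetnum["mnt-by"]
    asn = aut_num["mnt-routes"] or aut_num["mnt-by"]
    return {"address space": address, "aut-num": asn, "route": route["mnt-by"]}

def can_create_route(inetnum, aut_num, route, credentials):
    """credentials: set of maintainer names the submitter can authenticate as
    (passwords, PGP, ...). Returns (ok, names of objects still blocking)."""
    required = required_maintainers(inetnum, aut_num, route)
    missing = [name for name, mnts in required.items()
               if not credentials & set(mnts)]
    return (not missing, missing)

def with_mnt_routes(obj, mntner):
    """Copy of obj with mntner added to mnt-routes: the delegation the notes
    recommend instead of handing over maintainer passwords."""
    new = copy.deepcopy(obj)
    new["mnt-routes"] = new["mnt-routes"] + [mntner]
    return new

if __name__ == "__main__":
    # The LIR alone is blocked by the customer's aut-num ...
    print(can_create_route(INETNUM, AUT_NUM, NEW_ROUTE, {"TELECITY-MNT"}))
    # ... until the customer lists the LIR's maintainer as mnt-routes on AS64496.
    print(can_create_route(INETNUM, with_mnt_routes(AUT_NUM, "TELECITY-MNT"),
                           NEW_ROUTE, {"TELECITY-MNT"}))
```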

**EXERCISES**

Chapter 2: BGP/routing

AS-path prevents loops!
protect ASN
protect ROUTE
protect INETNUMs
protect ALL THE THINGS

RPSL

filtering ideas:
RegExp – exclude individual ASNs from the path?

blah.. complicated .. do not want

Tools

use them!
> IRRToolset can create configs
RPSLtool
IRR powertool
level3 filtergen

and so on

RPKI

does the same thing as the routing registry, but differently
(a route object on steroids)
ideal: use both!
is that ASN authorized to announce the IP range
so what makes RPKI easier / better?
– usable toolset
– integrated in routers

use the certificate from RIPE to create ROAs (Route Origin Authorisations)
a ROA states which AS the address range is announced from
and the max. prefix length

multiples possible, overlap possible

“invalid” is the result only when a different ASN announces it (or the announced prefix does not match the ROA)
an invalid ROA != an invalid BGP announcement
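To make the Valid / Invalid / NotFound rules above concrete, an added example (not RIPE NCC's code and not the validator's): RFC 6811 origin validation over a constructed ROA set. The prefixes and AS numbers are made up; two ROAs deliberately overlap so the ASN and max-length checks can be seen separately.

```python
import ipaddress

# Constructed ROA set (not from any real repository). Several ROAs may cover
# the same space with different ASNs or max lengths; overlap is allowed.
ROAS = [
    ("80.252.80.0/23", 23, "AS64496"),   # exactly this /23, nothing longer
    ("80.252.0.0/16",  20, "AS64497"),   # the covering block, down to /20
    ("2001:db8::/32",  48, "AS64496"),
]

def validate_origin(prefix, origin_as, roas=ROAS):
    """RFC 6811 route origin validation of one BGP announcement.
    NotFound: no ROA covers the prefix. Valid: a covering ROA names the same
    ASN and the announced length is <= its maxLength. Invalid: ROAs cover the
    prefix but every one has a different ASN or a shorter maxLength."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # subnet_of() rejects mixed address families, so compare versions first
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((max_len, roa_as))
    if not covering:
        return "NotFound"
    if any(roa_as == origin_as and net.prefixlen <= max_len
           for max_len, roa_as in covering):
        return "Valid"
    return "Invalid"

if __name__ == "__main__":
    # Constructed announcements: the /24 is too specific for the /23 ROA and
    # comes from the wrong AS for the /16 ROA, so it is Invalid.
    for prefix, asn in [("80.252.80.0/23", "AS64496"), ("80.252.80.0/24", "AS64496"),
                        ("198.51.100.0/24", "AS64496")]:
        print(prefix, asn, validate_origin(prefix, asn))
```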

Validator runs locally at your company
fetches data from RIPE via rsync
router runs the validation software in 7600, ASR9K is in early field trials

more RPKI

RIPE NCC 23/09/2013 LIR training notes

RIPE NCC database lookups TIPS

– use -r (blocks recursive lookups)
or better
– use --no-personal to block searching person objects

failure to do so will get you blocked quickly!

– an ASN without an AUT-NUM cannot be announced without a ROUTE object
– an AUT-NUM is for an AS number
– a ROUTE object combines inetnum and aut-num

(more stuff goes here)

MAINTAINER

want to use a PGP key instead? (or an X.509 object)
> create a key-cert object
> associate the public PGP key with it
> add an extra auth line to the MNT object: PGPKEY-id (in the single text area edit)
> once PGP is in there you’ll have to update the object and sign it using your private key

adding multiple AUTH objects works (password and PGP and cert)
BUT: adding multiple maintainers to a person object will _not_ make it more secure – just adds more gates to the castle

large companies: need ROLE object!
imagine someone who is in charge of a lot of objects dies…
tech-c / admin-c
associate the handles with the role > done!

DATABASE updates

use webupdates (easiest)
if you want to play > use the sandbox (RIPE test database)

first time registration: Use the “new object” wizard if your organization does not have a maintainer/org object
it will create a person and a maintainer

ROLE objects need to be two words

When asked for a NIC handle while creating the role do NOT use your person’s nic handle
use auto-1 to create one
under “admin-c” add your maintainer

Example Telecity:
Persons (engineers) have objects
they are added to tech-c and (if authorized) to the admin-c role object
the telecity maintainer has members, too
your person NIC should _not_ have the same maintainer
you might leave your organization one day

LIR portal – what to do there?
edit registry data, queries and updates
also: ASN resources, IP analyser
lots of APIs available!

LIR portal and RIPE database are protected by different models / mechanisms
the one is public, the other is confidential

Exercise: first day as a LIR: “request resources” should go LAST

a mnt-routes object guards creation of a route/route6 object
a mnt-domains object guards the reverse delegation (see PTRs / mail servers)
— it should contain your nameservers (slide 54)

transfer allocations: allowed between RIPE members – 80% rule applies
> inter-RIR transfers in discussion (proposal 2012-03)

request PI space:
no ipv4 without ipv6!
request org, person and mntner objects!
send the request form, end user agreement and company registration (KvK / Companies House) to RIPE
sponsoring LIR is needed

no LIR? find a new one or become one!
if not? > return space!
see slide 59!!! there is now a fee for P.I. space > include it in the contract

RPKI digital certificate:
issue certificates with registration
a ROA is a ROUTE object signed by a certificate (by the LIR)
one cert for all allocations
“chain of trust”
AS32 can announce this address range – incorporate into routers
>> BGP origin validation!
important: this is not obligatory

you can group customer assignments (4096 x /48) into one large assignment (like, a /36)
IPv6 status: Aggregated by LIR
assignment-size: 48
mnt-by: MNT-LIR

infrastructure assignments:
P2P links, access points, etc…
grey area: colo locations, hosting, housing