RIPE NCC 23/09/2013 LIR training notes

RIPE NCC database lookups TIPS

– use -r (blocks recursive lookups)
or better
– use --no-personal to block searching person objects

failure to do so will get you blocked quickly!

– an ASN without an AUT-NUM cannot be announced without a ROUTE object
– an AUT-NUM is for an AS number
– a ROUTE object combines inetnum and aut-num

(more stuff goes here)

MAINTAINER

want to use PGP key instead? (or x.509 object)
> create key-cert object
> associate the public PGP key with it
> add extra line to MNT object: PGPKEY-id (in single text area edit)
> once PGP is in there you’ll have to update the object and sign it using your private key

adding multiple AUTH objects works (password and PGP and cert)
BUT: adding multiple maintainers to a person object will _not_ make it more secure – just adds more gates to the castle

large companies: need ROLE object!
imagine someone who is in charge of a lot of objects dies…
tech-c / admin-c
associate the handles with the role > done!

DATABASE updates

use webupdates (easiest)
if you want to play > use the sandbox (RIPE test database)

first time registration: Use the “new object” wizard if your organization does not have a maintainer/org object
it will create a person and a maintainer

ROLE objects need to be two words

When asked for a NIC handle while creating the role do NOT use your person’s nic handle
use auto-1 to create one
under “admin-c” add your maintainer

Example Telecity:
Persons (engineers) have objects
they are added to tech-c and (if authorized) to the admin-c role object
the telecity maintainer has members, too
your person NIC should _not_ have the same maintainer
you might leave your organization one day

LIR portal – what to do there?
edit registry data queries and updates
also: ASN resources, ip analyser
lots of APIs available!

LIR portal and RIPE database are protected by different models / mechanisms
the one is public, the other is confidential

Exercise: first day as a LIR: “request resources” should go LAST

a mnt-routes object guards creation of a route/route6 object
a mnt-domains object guards the reverse delegation (see PTRs / mail servers)
— it should contain your nameservers (slide 54)

transfer allocations: allowed between RIPE members – 80% rule applies
> inter-RIR transfers in discussion (proposal 2012-03)

request PI space:
no IPv4 without IPv6!
request org, person and mntner objects!
send request form, end user agreement and registration KvK/company house to RIPE
sponsoring LIR is needed

no LIR? find a new one or become one!
if not? > return space!
see slide 59!!! there is now a fee for P.I. space > include into contract

RPKI digital certificate:
issue certificates with registration
a ROA is a ROUTE object signed by a certificate (by the LIR)
one cert for all allocations
“chain of trust”
AS32 can announce this address range – incorporate into routers
>> BGP origin validation!
important: this is not obligatory

you can group customer assignments (4096 x /48) into one large assignment (like, a /36)
IPv6 status: Aggregated by LIR
assignment-size: 48
mnt-by: MNT-LIR

infrastructure assignments:
P2P links, access points, etc…
grey area: colo locations, hosting, housing