RIPE NCC 24/09/2013 Routing Security Training

Intro

IRR / Internet routing registry (irr.net)
RIPE db is actually a subset of the IRR
some objects are part of both (ROUTE/AS-Numbers)
why all that? Question: “Is this ASN authorized to announce this IP range?”
Problem: Legacy space
Bigger Problem: ISPs might not ask for a ROUTE object and just announce the IP address space – who holds them back?
> one way is to use ROUTE objects

the IRR is composed of 43 databases; RIPE is one of them, RPSL and Level3 are others.

the more south/east you go the less requirements you will have to announce a prefix (probably only a bag of money)

Issue/Challenge: Routing and the database are related / not the same
announce? accept? >> RPSL!
~85% match between RIPE and BGP

database

primary lookup key for persons:
– handle
– email
primary lookup key for inetnum:
– netname
– ip range

what is a primary lookup?
query: “-v inetnum”

The inetnum class:

An inetnum object contains information on allocations and
assignments of IPv4 address space.

inetnum: [mandatory] [single] [primary/lookup key]
netname: [mandatory] [single] [lookup key]
descr: [mandatory] [multiple] [ ]
country: [mandatory] [multiple] [ ]
geoloc: [optional] [single] [ ]
language: [optional] [multiple] [ ]
org: [optional] [single] [inverse key]

now you look up an assignment, 80.252.80.0, which returns:
inetnum: 80.252.80.0 - 80.252.81.255
netname: TC-IS_SERVICES
descr: TelecityGroup customer Services/IS
country: NL
remarks: In case of abuse please email: abuse@telecity.com
admin-c: TA515-RIPE
tech-c: TT556-RIPE
status: ASSIGNED PA
mnt-by: TELECITY-MNT
mnt-by: TELECITY-NL-MNT
source: RIPE #Filtered

which is an assignment – but what is the allocation?

either: Do -L --no-personal x.x.x.x

or do inverse search!
-i org ORG-TP3-RIPE

shows all assignments for Telecity’s ORG ID

useful: -i person and your company handle!
example: -i person AR10441-RIPE
shows where you are allocated

remember to PROTECT objects and create ROLE OBJECTS
do not assign people to admin-c/tech-c

RIPE will never allow you to be MNT-BY in an inetnum or ASN
only mnt-lower, mnt-routes, mnt-domains (for PTRs)

so if you want to edit a ROUTE(6) object:
you need up to THREE passwords!
AS number
INET(6)NUM
ROUTE(6)

problem: Customer doesn’t want you to have his maintainer passwords
Solution: Create a mnt-routes in the INET(6)num and add the customer’s maintainer object there!
Alternative: customer has to add our maintainer in his AS number as “mnt-routes”
both will work
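To make the database lookups and the "three passwords" problem concrete, here is an added toy model (my own example, not RIPE NCC code): it parses RPSL text like the inetnum above, mimics an inverse lookup (the "-i org ORG-TP3-RIPE" query), and checks which maintainers can authorise a ROUTE object for a prefix/origin pair. The inetnum values are the ones from the notes; the aut-num AS64496, the maintainer CUSTOMER-MNT, the mnt-routes line and the org handle ORG-CUST1-RIPE are constructed. The authorisation hierarchy (aut-num: mnt-routes, else mnt-by; covering inetnum: mnt-routes, else mnt-lower, else mnt-by) is a simplified model of the RIPE rule, stated here as an assumption rather than the exact database algorithm.

```python
import ipaddress

# Constructed sample database text in RPSL style. The inetnum mirrors the
# object in the notes; the aut-num, CUSTOMER-MNT and mnt-routes are made up
# to show the "add the customer's maintainer as mnt-routes" solution.
SAMPLE_DB = """\
inetnum:        80.252.80.0 - 80.252.81.255
netname:        TC-IS_SERVICES
descr:          TelecityGroup customer
                Services/IS
country:        NL
org:            ORG-TP3-RIPE
admin-c:        TA515-RIPE
tech-c:         TT556-RIPE
status:         ASSIGNED PA
mnt-by:         TELECITY-MNT
mnt-by:         TELECITY-NL-MNT
mnt-routes:     CUSTOMER-MNT
source:         RIPE # Filtered

aut-num:        AS64496
as-name:        CUSTOMER-AS
org:            ORG-CUST1-RIPE
mnt-by:         CUSTOMER-MNT
source:         RIPE
"""


def parse_rpsl(text):
    """Split RPSL text into objects (dict attr -> list of values).
    Objects are separated by blank lines, continuation lines start with
    whitespace or '+', and '#' starts a comment. The first attribute is the
    object class and its value the primary key."""
    objects, current, last_key = [], None, None
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            if current:
                objects.append(current)
            current, last_key = None, None
            continue
        if line[0] in " \t+":                     # continuation line
            current[last_key][-1] += " " + line.lstrip(" \t+")
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if current is None:
            current = {"_class": [key], "_pkey": [value]}
        current.setdefault(key, []).append(value)
        last_key = key
    if current:
        objects.append(current)
    return objects


def build_inverse_index(objects, attrs=("org", "admin-c", "tech-c", "mnt-by", "mnt-routes")):
    """Mimic the database's inverse keys, i.e. what '-i attr value' searches."""
    index = {}
    for obj in objects:
        for attr in attrs:
            for value in obj.get(attr, []):
                index.setdefault((attr, value), []).append(obj)
    return index


def inverse_lookup(index, attr, value):
    """Primary keys of all objects that reference `value` in `attr`."""
    return [o["_pkey"][0] for o in index.get((attr, value), [])]


def inetnum_range(obj):
    start, _, end = obj["inetnum"][0].partition("-")
    return ipaddress.ip_address(start.strip()), ipaddress.ip_address(end.strip())


def inetnum_covers(obj, net):
    if net.version != 4:                          # inetnum is IPv4 only
        return False
    start, end = inetnum_range(obj)
    return start <= net.network_address and net.broadcast_address <= end


def route_auth_requirements(objects, prefix, origin_as):
    """Maintainer sets that may authorise 'route: prefix / origin: origin_as'.
    Assumed, simplified hierarchy: aut-num side = mnt-routes else mnt-by;
    address side = most specific covering inetnum's mnt-routes, else
    mnt-lower, else mnt-by. An empty set means no object could authorise."""
    req = {"aut-num": set(), "inetnum": set()}
    for obj in objects:
        if obj["_class"][0] == "aut-num" and obj["_pkey"][0] == origin_as:
            req["aut-num"] = set(obj.get("mnt-routes") or obj.get("mnt-by", []))
    net = ipaddress.ip_network(prefix)
    covering = [o for o in objects if o["_class"][0] == "inetnum" and inetnum_covers(o, net)]
    if covering:
        obj = min(covering, key=lambda o: int(inetnum_range(o)[1]) - int(inetnum_range(o)[0]))
        req["inetnum"] = set(obj.get("mnt-routes") or obj.get("mnt-lower") or obj.get("mnt-by", []))
    return req


def can_create_route(objects, prefix, origin_as, held_maintainers):
    """True if the holder of `held_maintainers` satisfies every side of the check."""
    held = set(held_maintainers)
    return all(bool(side & held) for side in route_auth_requirements(objects, prefix, origin_as).values())


if __name__ == "__main__":
    db = parse_rpsl(SAMPLE_DB)
    idx = build_inverse_index(db)
    print(inverse_lookup(idx, "org", "ORG-TP3-RIPE"))
    print(route_auth_requirements(db, "80.252.80.0/23", "AS64496"))
    print(can_create_route(db, "80.252.80.0/23", "AS64496", ["CUSTOMER-MNT"]))
    print(can_create_route(db, "80.252.80.0/23", "AS64496", ["TELECITY-MNT"]))
```

With the mnt-routes line on the inetnum, the customer (holding only CUSTOMER-MNT) can create the ROUTE object on their own, and Telecity's own mnt-by password is no longer needed for it; drop that line and the inetnum side falls back to Telecity's maintainers, which is the "customer doesn't want you to have his passwords" problem in the notes.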

**EXERCISES**

Chapter 2: BGP/routing

AS-path prevents loops!
protect ASN
protect ROUTE
protect INETNUMs
protect ALL THE THINGS

RPSL

filtering ideas:
RegExp – exclude individual ASNs from the path?

blah.. complicated .. do not want
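The two filtering points above (the AS-path loop check and "exclude individual ASNs from the path" with a regular expression) as an added Python example, written for these notes rather than taken from the training; MY_AS = 64500 and the denied ASN 64666 are constructed values from the private-use range, and the patterns are plain Python regexes over the AS path rendered as a string.

```python
import re

MY_AS = 64500   # constructed: the ASN of the router applying this policy


def has_loop(as_path, my_as=MY_AS):
    """AS-path loop prevention: a BGP speaker drops any UPDATE whose AS_PATH
    already contains its own ASN. This is what stops routing loops between
    ASes; it is not an authorisation check."""
    return my_as in as_path


def path_string(as_path):
    """Render the path (neighbour first, origin last) for regex matching."""
    return " ".join(str(asn) for asn in as_path)


def as_path_matches(as_path, pattern):
    """Apply a regex to the rendered path. Use \\b so that 64500 does not
    match inside 164500; '^' anchors on the first hop, '$' on the origin."""
    return re.search(pattern, path_string(as_path)) is not None


def accept_update(as_path, deny_patterns=(r"\b64666\b",), my_as=MY_AS):
    """Return (accepted, reason) for an incoming AS path."""
    if has_loop(as_path, my_as):
        return False, "loop: own AS %d already in path" % my_as
    for pat in deny_patterns:
        if as_path_matches(as_path, pat):
            return False, "path matches deny pattern %s" % pat
    return True, "ok"


if __name__ == "__main__":
    for path in ([64496, 64497], [64496, 64666, 64497], [64496, 64500, 64497]):
        print(path, accept_update(path))
```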

Tools

use them!
> IRRToolset can create configs
RPSLtool
IRR powertool
level3 filtergen

and so on

RPKI

does the same thing as the routing registry – but differently
(route object on steroids)
ideal: use both!
is that ASN authorized to announce the IP range
so what makes RPKI easier / better?
– usable toolset
– integrated in routers

Use the certificate from RIPE to create ROAs (Route Origin Authorisations)
it states what AS the address range is announced from
and the max. length

multiples possible, overlap possible

“invalid” only when a different ASN announces it (or the prefix/length does not match)
invalid ROA != invalid BGP announcement
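Route origin validation as an added Python example (mine, not the RIPE NCC validator's code): it classifies a BGP announcement against a ROA set as valid / invalid / not-found in the RFC 6811 sense, including the overlapping-ROA case from the notes. The ROAs use documentation prefixes and private-use ASNs and are constructed; note that the function judges announcements, not ROAs.

```python
import ipaddress
from collections import namedtuple

# A ROA: prefix, maximum allowed prefix length, authorised origin ASN.
ROA = namedtuple("ROA", "prefix max_length asn")

# Constructed ROA set (documentation prefixes, private-use ASNs).
# Two ROAs overlap on 192.0.2.0/24: AS64496 may announce only the /24,
# AS64497 may announce the /24 and its /25s.
ROAS = [
    ROA(ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    ROA(ipaddress.ip_network("192.0.2.0/24"), 25, 64497),
    ROA(ipaddress.ip_network("2001:db8::/32"), 48, 64496),
]


def validate_origin(roas, prefix, origin_as):
    """RFC 6811 route origin validation of one announcement.
    'valid'     - some covering ROA names this origin and allows this length
    'invalid'   - covering ROAs exist but none matches (wrong ASN or too long)
    'not-found' - no ROA covers the prefix at all (RPKI says nothing)"""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        if roa.prefix.version != net.version or not net.subnet_of(roa.prefix):
            continue                        # this ROA does not cover the prefix
        covered = True
        if roa.asn == origin_as and net.prefixlen <= roa.max_length:
            return "valid"                  # one matching ROA is enough
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    for prefix, asn in (("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                        ("192.0.2.0/25", 64497), ("198.51.100.0/24", 64496)):
        print(prefix, "AS%d" % asn, validate_origin(ROAS, prefix, asn))
```

The 192.0.2.0/25 case shows why a more-specific announcement turns "invalid" even though the covering /24 is authorised: the ROA for AS64496 stops at max length 24, and the overlapping ROA that does allow a /25 belongs to a different ASN.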

Validator runs locally at your company
fetches data from RIPE via rsync
router runs the validation software on the 7600; ASR9K is in early field trials

more RPKI