RIPE NCC 25/09/2013 IPv6 for LIRs course

compress IPv6 addresses with a double colon (::) from left to right

also don’t compress a single quad (one group) of 4 zeroes

(read RFCs if wanted)
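The two rules above are RFC 5952’s text representation rules. Added example (not part of the course material): a compressor that applies them, with a cross-check against the standard library’s canonical form.

```python
# Added example (not from the RIPE NCC course): RFC 5952 address compression.
import ipaddress


def compress_ipv6(addr: str) -> str:
    """Return the RFC 5952 canonical text form of an uncompressed IPv6 address.

    Rules applied:
      - each 16-bit group loses its leading zeros and is written in lower case
      - '::' replaces the LONGEST run of all-zero groups; on a tie the
        leftmost run wins (the "left to right" rule in the notes)
      - a run of a single zero group is never compressed (it stays '0')
    """
    groups = addr.lower().split(":")
    if len(groups) != 8 or any(len(g) not in range(1, 5) for g in groups):
        raise ValueError(f"expected 8 hextets, got {addr!r}")
    hextets = [format(int(g, 16), "x") for g in groups]

    # find the longest run of "0" groups; strict '>' keeps the leftmost on ties
    best_start, best_len = -1, 0
    run_start = None
    for i, h in enumerate(hextets + ["sentinel"]):
        if h == "0":
            if run_start is None:
                run_start = i
        elif run_start is not None:
            run_len = i - run_start
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_start = None

    if best_len < 2:  # a single zero group must not become '::'
        return ":".join(hextets)
    head = ":".join(hextets[:best_start])
    tail = ":".join(hextets[best_start + best_len:])
    return f"{head}::{tail}"


def matches_stdlib(addr: str) -> bool:
    """Cross-check against the standard library's canonical (compressed) form."""
    return compress_ipv6(addr) == ipaddress.IPv6Address(addr).compressed
```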

Status “ASSIGNED PA” becomes “ASSIGNED”

AGGREGATED-BY-LIR is new: put all your /56’s that you assign to customers there
use “assignment-size” switch to show how big the assignments are

sub-allocated-pa becomes “allocated-by-lir”


getting PI IPv6 space:

minimum /48

example Fridge6:
4000 fridges – each with internet, security, alerting and wifi router

transition mechanisms
6to4 uses anycast!
6RD > relay operations!
464xlat > fixes the problems NAT64/DNS64 causes
DS-lite – tunnel ipv4 over ipv6

conclusion: DUAL-STACK while you can
it is still possible!

use /64’s for Loopbacks!

network design: Take the router with the most interfaces and prepare for a /64 per interface
don’t assign different sizes for routers
imagine: Nexus 7000 – maximum port density?
256 interfaces per router is assumed so /56 per router
or /52 per router, 4096 x /64 per port
/40 per router/switch that can handle customers > 256 x /48 possible

the number of hosts in a /64 is irrelevant!


flip the bit and use EUI-64
listen to RA’s
a router’s response will contain:
– address of router
– prefixes allowed on link
– SLAAC allowed?

problem: Privacy! – same MAC address
solution: Privacy extensions (random ID)
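Added example (not from the course): how the EUI-64 interface identifier is built from a MAC (flip the u/l bit, insert ff:fe), why the MAC is recoverable from the resulting address, and what a privacy-extension style random identifier looks like. The MAC and prefix are constructed values.

```python
# Added example (not from the RIPE NCC course): modified EUI-64 IIDs, the MAC
# leak behind the privacy problem, and RFC 4941 style random IIDs.
import ipaddress
import secrets
from typing import Optional


def mac_to_eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 IID (RFC 4291 appendix A): split the MAC in two,
    insert ff:fe in the middle and flip the universal/local bit (0x02)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui[0] ^ 0x02]) + eui[1:]


def slaac_address(prefix: str, mac: str) -> str:
    """SLAAC address: the /64 learned from the RA plus the EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(mac_to_eui64_iid(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 address (None if the IID is not EUI-64).
    This is the privacy problem: the hardware address, and with it the device,
    is visible in every address it autoconfigures, on every network."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def privacy_iid() -> bytes:
    """Privacy-extension style temporary IID: 64 random bits with the u/l bit
    cleared, so it can never be mistaken for a globally unique EUI-64."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD  # clear bit 0x02
    return bytes(iid)
```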

“managed” flag forces DHCPv6

use RA guard
disable RA’s (cisco)
human error!!!

colo checklist:

set ACLs
set SNMP (and protect)
have DNS working

SLAAC can assign you a subnet “unexpectedly”
not all firewalls support ipv6
be careful with “ipv6 ready”

DSL provider:
/48 per pop
/56 per router
/64 per interface

don’t use EUI-64!
no autoconfig
port number for services > IPv6 addresses!
set gateway manually

in the CORE: Use /64 per link – ::1 and ::2 stuff
easy to remember

RIPE tools:
download RIPE 554 and “what to do with IPv6”

> stars get t-shirt

RIPE NCC 24/09/2013 Routing Security Training


IRR / Internet Routing Registry
RIPE db is actually a subset of the IRR
some objects are part of both (ROUTE/AS-Numbers)
why all that? Question: “Is this ASN authorized to announce this IP range?”
Problem: Legacy space
Bigger Problems: ISP’s might not ask for ROUTE object and just announce IP address space – who holds them back?
> one way is to use ROUTE objects

the IRR is composed of 43 databases, RIPE is one of them, RPSL and Level3 are others..

the more south/east you go the less requirements you will have to announce a prefix (probably only a bag of money)

Issue/Challenge: Routing and the database are related / not the same
announce? accept? >> RPSL!
~85% match between RIPE and BGP


primary lookup key for persons:
– handle
– email
primary lookup key for inetnum:
– netname
– ip range

what is a primary lookup?
query: “-v inetnum”

The inetnum class:

An inetnum object contains information on allocations and
assignments of IPv4 address space.

inetnum: [mandatory] [single] [primary/lookup key]
netname: [mandatory] [single] [lookup key]
descr: [mandatory] [multiple] [ ]
country: [mandatory] [multiple] [ ]
geoloc: [optional] [single] [ ]
language: [optional] [multiple] [ ]
org: [optional] [single] [inverse key]

now you have an assignment, which looks like this:
inetnum: -
descr: TelecityGroup customer Services/IS
country: NL
remarks: In case of abuse please email:
admin-c: TA515-RIPE
tech-c: TT556-RIPE
source: RIPE #Filtered

which is an assignment – but what is the allocation?

either: Do -L --no-personal x.x.x.x

or do inverse search!
-i org ORG-TP3-RIPE

shows all assignments for Telecity’s ORG ID

useful: -i person and your company handle!
example: -i person AR10441-RIPE
shows where you are allocated
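Added example (not from the course): a minimal parser for the attribute/value object format shown above, plus the two lookups just described, less specific (-L, find the allocation that contains an assignment) and inverse lookup on the org attribute (-i org). The three inetnum objects and the ORG-EXAMPLE-RIPE / ORG-OTHER-RIPE handles are constructed for the example; the -L ordering here (largest range first) is this example's choice, not a claim about the server's output order.

```python
# Constructed whois-style objects for the example (not real registry data).
import ipaddress

CONSTRUCTED_DB = """\
inetnum:      192.0.2.0 - 192.0.2.255
netname:      EXAMPLE-ALLOC
status:       ALLOCATED PA
org:          ORG-EXAMPLE-RIPE

inetnum:      192.0.2.64 - 192.0.2.127
netname:      EXAMPLE-CUSTOMER
status:       ASSIGNED PA
org:          ORG-EXAMPLE-RIPE

inetnum:      198.51.100.0 - 198.51.100.255
netname:      OTHER-ALLOC
status:       ALLOCATED PA
org:          ORG-OTHER-RIPE
"""

def parse_rpsl(text):
    """Split whois output into objects: one dict (attribute -> values) per block."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends an object
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects

def _range(obj):
    start, _, end = obj["inetnum"][0].partition("-")
    return int(ipaddress.ip_address(start.strip())), int(ipaddress.ip_address(end.strip()))

def less_specific(objects, address):
    """'-L': every inetnum whose range contains the address, largest range first."""
    addr = int(ipaddress.ip_address(address))
    hits = [o for o in objects if "inetnum" in o and _range(o)[0] <= addr <= _range(o)[1]]
    return [o["netname"][0] for o in sorted(hits, key=lambda o: _range(o)[0] - _range(o)[1])]

def inverse_org(objects, org_handle):
    """'-i org HANDLE': objects that reference the handle in their org attribute."""
    return [o["netname"][0] for o in objects if org_handle in o.get("org", [])]
```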

remember to PROTECT objects and create ROLE OBJECTS
do not assign people to admin-c/tech-c

RIPE will never allow you to be MNT-BY in an inetnum or ASN
only mnt-lower, mnt-routes, mnt-domains (for PTRs)

so if you want to edit a ROUTE(6) object:
you need up to THREE passwords!
AS number

problem: Customer doesn’t want you to have his maintainer passwords
Solution: Create a mnt-routes in the INET(6)num and add the customer’s maintainer object there!
Alternative: customer has to add our maintainer in his AS number as “mnt-routes”
both will work


Chapter 2: BGP/routing

AS-path prevents loops!
protect ASN
protect ROUTE
protect INETNUMs


filtering ideas:
RegExp – exclude individual ASN’s from the path?

blah.. complicated .. do not want


use them!
> IRRToolset can create configs
IRR powertool
level3 filtergen

and so on


RPKI does the same thing as the routing registry – but differently
(route object on steroids)
ideal: use both!
is that ASN authorized to announce the IP range
so what makes RPKI easier / better?
– usable toolset
– integrated in routers

Use the certificate from RIPE to create ROAs (Route Origin Authorisations)
it states what AS the address range is announced from
and the max. length

multiples possible, overlap possible

“invalid” only when a different ASN announces it (or the prefix doesn’t match / is longer than the max. length)
invalid ROA != invalid BGP announcement
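Added example (not from the course): the origin validation logic the notes describe (RFC 6811), run over a constructed ROA set with overlapping ROAs for two ASNs. It assumes the ROAs have already passed the validator’s certificate checks, which is the separate step the "invalid ROA != invalid BGP announcement" line refers to.

```python
# Added example (not from the RIPE NCC course): RFC 6811 route origin
# validation over an already-validated, constructed ROA set.
import ipaddress


class ROA:
    """One Route Origin Authorisation: prefix, origin AS and maxLength."""

    def __init__(self, prefix, asn, max_length):
        self.prefix = ipaddress.ip_network(prefix)
        self.asn = asn
        self.max_length = max_length
        if max_length < self.prefix.prefixlen:
            raise ValueError("maxLength may not be shorter than the ROA prefix")


def validate_origin(roas, announced, origin_asn):
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement.

    not-found: no ROA covers the prefix, so RPKI says nothing about it.
    valid:     at least one covering ROA names this origin AS and the
               announced prefix is not longer than that ROA's maxLength.
    invalid:   covering ROAs exist but none matches (wrong origin AS, or a
               more specific prefix than any ROA allows).
    """
    route = ipaddress.ip_network(announced)
    covering = [r for r in roas
                if r.prefix.version == route.version and route.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    if any(r.asn == origin_asn and route.prefixlen <= r.max_length for r in covering):
        return "valid"  # one matching ROA is enough, overlaps are fine
    return "invalid"


# constructed ROAs: an LIR's allocation plus an overlapping customer ROA
EXAMPLE_ROAS = [
    ROA("2001:db8::/32", 64500, 48),    # LIR may announce the /32 down to /48s
    ROA("2001:db8:1::/48", 64501, 48),  # customer AS also authorised for its /48
]
```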

Validator runs locally at your company
fetches data from RIPE via rsync
router runs the validation software in 7600, ASR9K is in early field trials

more RPKI

RIPE NCC 23/09/2013 LIR training notes

RIPE NCC database lookups TIPS

– use -r (blocks recursive lookups)
or better
– use --no-personal to block searching person objects

failure to do so will get you blocked quickly!

– an ASN without an AUT-NUM can not be announced without a ROUTE object
– an AUT-NUM is for an AS number
– a ROUTE object combines inetnum and aut-num

(more stuff goes here)


want to use PGP key instead? (or x.509 object)
> create key-cert object
> associate the public PGP key with it
> add extra line to MNT object: PGPKEY-id (in single text area edit)
> once PGP is in there you’ll have to update the object and sign it using your private key

adding multiple AUTH objects works (password and PGP and cert)
BUT: adding multiple maintainers to a person object will _not_ make it more secure – just adds more gates to the castle

large companies: need ROLE object!
imagine someone who is in charge of a lot of objects dies…
tech-c / admin-c
associate the handles with the role > done!

DATABASE updates

use webupdates (easiest)
if you want to play > use the sandbox (RIPE test database)

first time registration: Use the “new object” wizard if your organization does not have a maintainer/org object
it will create a person and a maintainer

ROLE objects need to be two words

When asked for a NIC handle while creating the role do NOT use your person’s nic handle
use auto-1 to create one
under “admin-c” add your maintainer

Example Telecity:
Persons (engineers) have objects
they are added to tech-c and (if authorized) to the admin-c role object
the telecity maintainer has members, too
your person NIC should _not_ have the same maintainer
you might leave your organization one day

LIR portal – what to do there?
edit registry data queries and updates
also: ASN resources, ip analyser
lots of API’s available!

LIR portal and RIPE database are protected by different models / mechanisms
the one is public, the other is confidential

Exercise: first day as a LIR: “request resources” should go LAST

a mnt-routes object guards creation of a route/route6 object
a mnt-domains object guards the reverse delegation (see PTR’s / mail servers)
— it should contain your nameservers (slide 54)

transfer allocations: allowed between RIPE members – 80% rule applies
> inter-RIR transfers in discussion (proposal 2012-03)

request PI space:
no ipv4 without ipv6!
request org, person and mntner objects!
send request form, end user agreement and registration KvK/company house to RIPE
sponsoring LIR is needed

no LIR? find a new one or become one!
if not? > return space!
see slide 59!!! there is now a fee for P.I. space > include into contract

RPKI digital certificate:
issue certificates with registration
a ROA is a ROUTE object signed by a certificate (by the LIR)
one cert for all allocations
“chain of trust”
AS32 can announce this address range – incorporate into routers
>> BGP origin validation!
important: this is not obligatory

you can group customer assignments (4096 x /48) into one large assignment (like, a /36)
IPv6 status: Aggregated by LIR
assignment-size: 48
mnt-by: MNT-LIR

infrastructure assignments:
P2P links, access points, etc…
grey area: colo locations, hosting, housing