
Routing Registry Training Course

February 2011

Schedule

09:00 - 09:30  Coffee, tea & network setup
11:00 - 11:15  Break
13:00 - 14:00  Lunch
15:00 - 15:15  Break
17:30          End

Ask questions at any time! All the material is on ripe.net/training/

Introductions

- Number on the list
- Name
- Experience with the RIPE DB & BGP
- Goals

Goals

- Learn the benefits of using the Routing Registry (RR)
- Practice using the RIPE Database
  - create, modify & protect your objects
- Practice describing your routing policy in RPSL
- Practice creating router configuration from the RR

Today's topics: theory and practice

1. Benefits of using the Routing Registry (RR)
   - Exercise: Creating a route6 object
2. Configuring routers based on the RR
   - Exercise: Generating a prefix list filter
3. Advanced RIPE DB usage
   - Exercise: Creating a maintainer for a PI End User
4. Routing Policy Specification Language (RPSL)
   - Exercise: Creating a multihoming policy in aut-num
   - Exercise: Generating router configuration
5. Advanced RPSL policy options
6. Resource Certification & other services

1. Benefits of using Routing Registry

What is the Internet Routing Registry?

- Distributed databases with public routing policy information, mirroring each other: irr.net
  - APNIC, RADB, Level3, SAVVIS...
- RIPE NCC operates the RIPE Routing Registry
- Big operators make use of it
  - AS286 (KPN), AS5400 (BT), AS1299 (Telia), AS8918 (Carrier1), AS2764 (Connect), AS3561 (Savvis), AS3356 (Level 3)...

What is your routing policy?

- What prefixes do you announce?
- Who are your neighbours?
  - upstreams, customers, peers
- What prefixes do you accept? Who from?
- What are your preferences?

Why publish your policy in the IRR?

- Required by some transit providers & IXPs
  - they use it for prefix-based filtering and router configuration commands
  - prefix-based filtering based on the RR prevents accidental leaks and route hijacking
- Allows for automated generation of prefix filters
- Contributes to routing security
  - consistent information between neighbours
  - good housekeeping

85% match between BGP/RIS & RR

According to the RIPE Labs article

RIPE Database

- Public Internet resources database
- All your objects are already there:
  - Address space: inetnum & inet6num
  - AS Number: aut-num
  - Contact details: person, role, organisation
  - Strong protection: maintainer (key-cert, irt)

Connection between objects

  aut-num:    AS12345
  tech-c:     LA789-RIPE
  mnt-by:     LIR-MNT
  mnt-routes: USER-MNT
  org:        ORG-Bb2-RIPE

  inetnum:    85.118.184.0/21
  status:     ALLOCATED PA
  tech-c:     LA789-RIPE
  mnt-lower:  LIR-MNT
  org:        ORG-Bb2-RIPE

  org:        ORG-Bb2-RIPE
  mnt-by:     RIPE-NCC-HM-MNT
  mnt-ref:    RIPE-NCC-HM-MNT
  mnt-ref:    LIR-MNT
  admin-c:    LA789-RIPE

  route:      85.118.184.0/21
  origin:     AS12345
  mnt-by:     LIR-MNT

  role:       LIR ADMIN
  nic-hdl:    LA789-RIPE
  mnt-by:     LIR-MNT
  tech-c:     JD1-RIPE
  tech-c:     JM1-RIPE
  e-mail:     noc@provider

  mntner:     LIR-MNT
  admin-c:    LA789-RIPE
  tech-c:     LA789-RIPE
  auth:       MD5-PW $nje^6G

  person:     Jane Doe
  nic-hdl:    JD1-RIPE
  mnt-by:     LIR-MNT
  address:    somewhere
  phone:      +31122345678

  person:     John Malkovich
  nic-hdl:    JM1-RIPE
  mnt-by:     LIR-MNT
  address:    under the bridge
  phone:      +312458765432

RIPE RR is part of the RIPE Database

- route[6] object creation is the responsibility of the LIR
  - every time you receive a new allocation, create a route or route6 object
- route and route6 objects represent a routed prefix
  - address space being announced by an AS number
  - those are the two primary keys
- Only the holder of both the address space and the AS number can authorise creation of a route[6] object

Exercise 1: Creating a route6 object for your LIR

Authenticating a route6 object for an LIR

  inet6num:   2001:db8::/32
  status:     ALLOCATED-BY-RIR
  mnt-by:     RIPE-NCC-HM-MNT
  mnt-routes: LIR-MNT

  aut-num:    AS2
  mnt-by:     LIR-MNT

  route6:     2001:db8::/32
  origin:     AS2
  mnt-by:     LIR-MNT

Exercise: Creating a route6 object

Task: Create a route6 object
- for your allocation prefix
- originating from your AS number
  - hint: use a password of your LIR's maintainer

Time: 15 minutes

2. Configuring routers based on RR

Benefit of RR: automation of router config

- By creating route objects in the RR, ISPs enable automated generation of prefix lists
- BGP configuration made easier
  - with the help of tools

Tools for integration of RR & routers

Input:
- DB objects (route[6] & routing policy)
- Commands in the template/input file

Tool (e.g. RtConfig)

Output: (partial) router configuration

RtConfig

- RtConfig reads information from the IRR
- Generates parts of the router configuration file
  - Creates prefix list, route-map and AS path filters
- One of the tools in the IRRToolSet
  - http://irrtoolset.isc.org/wiki/CruftCleanout

More router configuration tools

- rpsltool
  - a BGP filters generator based on Template::Toolkit
  - http://www.linux.it/~md/software/
- IRR Power Tool
  - a collection of tools for the purpose of maintaining customer and peer BGP prefix-lists
  - PHP based
  - http://sourceforge.net/projects/irrpt/
- filtergen.level3.net
  - whois -h filtergen.level3.net RIPE::AS-DEMON

Exercise 2: Generate prefix list filter

Exercise: generating prefix list filter

Task: Use a tool that creates a filter, based on the registered route objects, which allows the prefixes of your neighbour

Time: 15 minutes

3. Advanced RIPE DB usage

Finding and changing your objects

Querying the RIPE Database
- Command-line client
- Web interface
- Free text search (Glimpse)
  - http://lab.db.ripe.net/portal/free-text/search.htm

Updating = creating, modifying, deleting
- Web, sync, email

Protection

  mntner:   LIR-MNT
  auth:     MD5-PW $1$o93Ux

  person:   John Smith
  nic-hdl:  JS1-RIPE
  mnt-by:   LIR-MNT

  password: Clear_Text

Strong authentication

- Password (MD5-PW)
- Private key / public key
  - PGPKEY-<id> and key-cert object
  - X.509-<id> and key-cert object

Protection

  inetnum: 85.118.184.0/24
  status:  ASSIGNED PA
  mnt-by:  LIR-MNT

  mntner:  LIR-MNT
  auth:    MD5-PW $1$o93Ux

  person:  John Smith
  nic-hdl: JS1-RIPE
  mnt-by:  LIR-MNT

  aut-num: AS2
  mnt-by:  LIR-MNT

Multiple protection

  mntner:  ONE-MNT
  auth:    MD5-PW $1$3SG9WP

  mntner:  TWO-MNT
  auth:    MD5-PW $1$o93UxR
  auth:    PGPKEY-AE6FBBF7

  person:  John Smith
  nic-hdl: JS1-RIPE
  mnt-by:  ONE-MNT
  mnt-by:  TWO-MNT

  key-cert: PGPKEY-AE6FBBF7

Hierarchical authorisation

Allocation (/21):

  inetnum:    85.118.184.0/21
  status:     ALLOCATED PA
  mnt-routes: LIR-MNT
  mnt-lower:  LIR-MNT
  mnt-by:     RIPE-NCC-HM-MNT

Routed prefix (/21):

  route:      85.118.184.0/21
  origin:     AS2
  mnt-by:     LIR-MNT

  aut-num:    AS1

Route object creation authentication

  aut-num: AS12345
  mnt-by:  LIR1-MNT
  mnt-by:  RIPE-NCC-HM-MNT

  inetnum: 85.118.184.0/23
  status:  ASSIGNED PI
  mnt-by:  ISP-MNT

  route:   85.118.184.0/23
  origin:  AS12345
  mnt-by:  USER-MNT

In the worst case, 3 passwords or signatures are needed: one for the aut-num, one for the inetnum and one for the route object's own maintainer

Exercise 3: Creating maintainer for PI End User

Route object for a PI End User

  aut-num:    AS12345
  mnt-by:     LIR-MNT
  mnt-by:     RIPE-NCC-HM-MNT
  mnt-routes: USER-MNT

  inetnum:    85.118.184.0/25
  status:     ASSIGNED PI
  mnt-by:     LIR-MNT
  mnt-by:     USER-MNT

  route:      85.118.184.0/25
  origin:     AS12345
  mnt-by:     USER-MNT
  mnt-by:     LIR-MNT

Exercise: Hierarchical DB protection

You have an End User that uses PI space
- They want to announce it with your (LIR's) AS number

Task 1: Create a mntner object for the End User
Task 2: Add the End User maintainer to the PI object
Task 3: Create a route object for the PI End User

Time: 30 minutes
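The three-party authorisation shown on the last two slides, as an added Python example (this is not RIPE NCC code). The two object sets are constructed from the slide diagrams. The precedence used for the address-space side (mnt-routes, else mnt-lower, else mnt-by) and for the aut-num side (mnt-routes, else mnt-by) is an assumption modelled on the RIPE Database's route creation rules; the route object's own mnt-by is always required. minimum_credentials brute-forces the smallest set of maintainers that satisfies all three sides: 3 in the worst case, and 1 for the PI End User once USER-MNT is in the aut-num's mnt-routes and on the inetnum.

```python
"""Added example (not RIPE NCC code): which maintainers must authorise the
creation of a route object, following the slides' three-party rule."""
from itertools import combinations

# Constructed objects modelled on the two slide diagrams. The maintainer names
# are the slides'; the precedence rules below are an assumption based on the
# RIPE Database authorisation model.
WORST_CASE = """\
aut-num: AS12345
mnt-by: LIR1-MNT
mnt-by: RIPE-NCC-HM-MNT

inetnum: 85.118.184.0/23
status: ASSIGNED PI
mnt-by: ISP-MNT

route: 85.118.184.0/23
origin: AS12345
mnt-by: USER-MNT
"""

PI_END_USER = """\
aut-num: AS12345
mnt-by: LIR-MNT
mnt-by: RIPE-NCC-HM-MNT
mnt-routes: USER-MNT

inetnum: 85.118.184.0/25
status: ASSIGNED PI
mnt-by: LIR-MNT
mnt-by: USER-MNT

route: 85.118.184.0/25
origin: AS12345
mnt-by: USER-MNT
mnt-by: LIR-MNT
"""


def parse_objects(text):
    """Split RPSL text into objects; each object maps attribute -> list of values."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def first_present(obj, *keys):
    """Values of the first attribute in `keys` that the object carries (precedence rule)."""
    for key in keys:
        if key in obj:
            return obj[key]
    return []


def required_maintainers(text):
    """The maintainers that can authorise each side of a route creation."""
    objs = {next(iter(o)): o for o in parse_objects(text)}  # keyed by object class
    return {
        "address space": first_present(objs["inetnum"], "mnt-routes", "mnt-lower", "mnt-by"),
        "aut-num": first_present(objs["aut-num"], "mnt-routes", "mnt-by"),
        "route": objs["route"]["mnt-by"],
    }


def authorised(required, credentials):
    """True when every side is covered by at least one maintainer the submitter holds a credential for."""
    return all(set(mnts) & set(credentials) for mnts in required.values())


def minimum_credentials(required):
    """Smallest number of distinct maintainer credentials that satisfy all sides."""
    pool = sorted({m for mnts in required.values() for m in mnts})
    for size in range(1, len(pool) + 1):
        for subset in combinations(pool, size):
            if authorised(required, subset):
                return size
    return 0


if __name__ == "__main__":
    for label, text in (("worst case", WORST_CASE), ("PI End User", PI_END_USER)):
        req = required_maintainers(text)
        print(label, req, "->", minimum_credentials(req), "credential(s) needed")
```

With the constructed objects, required_maintainers(WORST_CASE) needs three distinct credentials, while for PI_END_USER the End User's USER-MNT alone is enough, which is exactly what Exercise 3 sets up.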

4. Routing Policy Specification Language

RPSL

- Abstract
  - Not vendor specific
- Global view, not router specific
- Well known: described in RFCs
  - RFC2622, RFC2725, RFC4012, RFC5943
  - Using RPSL in Practice (RFC2650)
- Tools available
  - for translating from RPSL into router configuration
  - for automated generation of router configuration files

Policy expressions

- Aut-num
  - Lists neighbours (in import / export lines)
  - Defines filter rules for each neighbour
  - Defines route parameter modifications per prefix
- Route object
  - Represents an address range originated by an ASN
- Set objects
  - Grouping objects with similar policy / usage

Controlling outbound traffic

- import line determines outbound traffic
  - you decide which routes to accept (filter)
- RPSL pref is different from local pref
  - lower pref = more preferred
  - higher local pref = more preferred

  import: from AS3 action pref=20; accept ANY
  import: from AS4 action pref=30; accept ANY

Controlling inbound traffic

- export line determines inbound traffic
  - you have less control
  - you can make certain paths less interesting
  - choose, then put filters in
- AS path prepending:

  aut-num: AS1
  export:  to AS3 announce AS1
  export:  to AS4 action aspath.prepend(AS1, AS1, AS1); announce AS1

Building an aut-num object - one example

Topology: AS2 - AS1 - AS3 - Internet

  aut-num: AS2
  import:  from AS1 accept AS1
  export:  to AS1 announce AS2

  aut-num: AS1
  export:  to AS2 announce AS1
  import:  from AS3 accept ANY
  import:  from AS2 accept AS2
  export:  to AS3 announce AS1

  aut-num: AS3
  export:  to AS1 announce ANY
  import:  from AS1 accept AS1

An aut-num object - second example

Topology: AS4 - AS1 - AS3 - Internet

  aut-num: AS4
  import:  from AS1 accept AS1
  export:  to AS1 announce ANY

  aut-num: AS1
  export:  to AS4 action aspath.prepend(AS1, AS1); announce AS1
  import:  from AS3 action pref=80; accept ANY
  export:  to AS3 announce AS1
  import:  from AS4 action pref=90; accept ANY

  aut-num: AS3
  export:  to AS1 announce ANY
  import:  from AS1 accept AS1

Filtering rules (AS1)

Direct peering, without route objects:
  import: from AS2 accept {10.2.3.0/24}
  export: to AS2 announce {172.0.0.0/24}

Accepting prefixes that originate from a customer:
  import: from AS5 accept AS5

No filtering - from upstream - full routing table:
  import: from AS3 accept ANY

Symmetrical policy of your peer, AS2:
  aut-num: AS2
  import:  from AS1 accept {172.0.0.0/24}
  export:  to AS1 announce {10.2.3.0/24}

RPSLng: IPv6 in the Routing Registry

Prefix:
  route6: 2001:db8::/32
  origin: AS65550

Aut-num object:
  aut-num:   AS65550
  mp-import: afi ipv6.unicast from AS64496 accept ANY
  mp-export: afi ipv6.unicast to AS64496 announce AS65550

Exercise 4: Creating multihomed policy in aut-num

Exercise: Adding policy to aut-num object

Topology: your ASnn connected to ASx0x and ASy0y

Task:
- Create an RPSL policy reflecting one scenario
- Put this policy in your aut-num object

Time: 30 mins

Multihoming scenarios

- Scenario A (IPv4)
  - AS101 is your upstream provider
  - AS202 is a private peer
- Scenario B (IPv6)
  - AS505 is your upstream provider
  - AS606 is your PI customer
- Scenario C (IPv4)
  - AS303 is your preferred upstream provider
  - AS404 is your backup upstream provider
- Scenario D (IPv6)
  - AS707 is your upstream provider
  - AS808 is your PI customer

Exercise 5: Generating router configuration

Automation of router config

- Describing routing policy in aut-num enables generation of route-maps for policy routing
- Tools can read your policy towards peers
  - translation from RPSL to router configuration commands
- Tools collect the data your peers have in the RR
  - if their data changes, you only have to periodically run your scripts to collect updates

Example of dynamic automated updates

RR objects:

  aut-num: AS2
  import:  from AS1 accept AS1

  route:   10.0.0.0/23
  origin:  AS1

  route:   10.0.20.0/20
  origin:  AS1

RtConfig command:

  @RtConfig import AS1 10.0.0.1 AS2 10.0.0.2

RtConfig output:

  pl100: accept 10.0.0.0/23
         accept 10.0.20.0/20
         deny 0.0.0.0/0
  routeMap: import pl100 in
Example RtConfig commands template file

Syntax: @RtConfig export MyAS MyRouterIP PeerAS PeerRouterIP
The first %d is replaced by the peer's ASN, the second %d is incremented

  !
  ! Peering with OTHERCOMPANY
  @RtConfig set cisco_map_name = "AS%d-IMPORT-%d"
  @RtConfig import AS100 10.0.0.1 AS909 10.0.0.9
  !
  @RtConfig set cisco_map_name = "AS%d-EXPORT-%d"
  @RtConfig export AS100 10.0.0.1 AS909 10.0.0.9

Example Route Map (output)

  no ip prefix-list pl100
  ip prefix-list pl100 permit 193.99.0.0/16
  ip prefix-list pl100 deny 0.0.0.0/0 le 32
  !
  no route-map AS909-IMPORT-1
  !
  route-map AS909-IMPORT-1 permit 1
   match ip address prefix-list pl100
  exit
  !
  router bgp 100
  !
  neighbor 10.0.0.9 remote-as 909
  neighbor 10.0.0.9 route-map AS909-IMPORT-1 in
  !
  exit
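What RtConfig does between the RR objects and the route map above, as an added Python example (this is not RtConfig or IRRToolSet code). RR_TEXT is constructed from the dynamic-updates slide plus an extra route object for AS3, to show that only AS1's route objects end up in the prefix list; the argument order of rtconfig_import follows the template-file syntax on the slide above (MyAS MyRouterIP PeerAS PeerRouterIP); the prefix-list name pl100 and the AS%d-IMPORT-%d map name are the slides' own defaults.

```python
"""Added example (not RtConfig or IRRToolSet code): a minimal RtConfig-style
generator that expands an aut-num import line against route objects and
emits the Cisco prefix-list and route-map shown on the slides."""
import re

# Constructed RR data: AS2's aut-num plus route objects, following the slides.
RR_TEXT = """\
aut-num: AS2
import: from AS1 accept AS1
import: from AS3 accept ANY

route: 10.0.0.0/23
origin: AS1

route: 10.0.20.0/20
origin: AS1

route: 192.0.2.0/24
origin: AS3
"""


def routes_for_origin(rr_text, asn):
    """Prefixes of all route objects in the RR text whose origin is `asn`."""
    pairs = re.findall(r"^route:\s*(\S+)\s*\norigin:\s*(AS\d+)", rr_text, re.M)
    return [prefix for prefix, origin in pairs if origin == asn]


def import_filter(rr_text, peer_as):
    """The filter part of 'import: from <peer_as> [action ...;] accept <filter>'."""
    m = re.search(rf"^import:\s*from {peer_as}\b.*?accept\s+(.+?)\s*$", rr_text, re.M)
    if not m:
        raise LookupError(f"no import line from {peer_as}")
    return m.group(1)


def expand_filter(rr_text, flt):
    """Expand an RPSL filter into prefix-list entries: ANY, a {..} set literal or an AS number."""
    flt = flt.strip()
    if flt == "ANY":
        return ["0.0.0.0/0 le 32"]
    if flt.startswith("{"):
        return [p.strip() for p in flt.strip("{}").split(",")]
    if re.fullmatch(r"AS\d+", flt):
        return routes_for_origin(rr_text, flt)  # an AS number expands via its route objects
    raise ValueError(f"unsupported filter: {flt}")


def rtconfig_import(rr_text, my_as, my_ip, peer_as, peer_ip,
                    map_name="AS%d-IMPORT-%d", seq=1, pl_name="pl100"):
    """Equivalent of '@RtConfig import MyAS MyRouterIP PeerAS PeerRouterIP'.

    my_ip is accepted to mirror the RtConfig calling convention; the Cisco
    output only needs the peer's address."""
    prefixes = expand_filter(rr_text, import_filter(rr_text, peer_as))
    name = map_name % (int(peer_as[2:]), seq)  # first %d = peer ASN, second %d = sequence
    lines = [f"no ip prefix-list {pl_name}"]
    lines += [f"ip prefix-list {pl_name} permit {p}" for p in prefixes]
    lines += [
        f"ip prefix-list {pl_name} deny 0.0.0.0/0 le 32", "!",
        f"no route-map {name}", "!",
        f"route-map {name} permit {seq}",
        f" match ip address prefix-list {pl_name}",
        "exit", "!",
        f"router bgp {my_as[2:]}", "!",
        f"neighbor {peer_ip} remote-as {peer_as[2:]}",
        f"neighbor {peer_ip} route-map {name} in",
        "!", "exit",
    ]
    return lines


if __name__ == "__main__":
    print("\n".join(rtconfig_import(RR_TEXT, "AS2", "10.0.0.2", "AS1", "10.0.0.1")))
```

Re-running the script after AS1 adds or removes a route object in the RR changes the prefix list without any manual editing, which is the "dynamic automated updates" point of the slide.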

Exercise: Generating router configuration

Tasks:
- Create an RtConfig template file
- Run RtConfig with this template file

Time: 15 minutes

5. Advanced RPSL policy options

- AS-path filters
- AS-sets
- MEDs
- Route-sets
- Communities

Using AS-path filters

To create AS-path filters, use regular expressions in the filter rules in aut-num. Examples:
- paths starting with AS4
    import: from AS4 accept <^AS4>
- prefixes that are originated in AS4, and have paths composed of only AS4s
    import: from AS4 accept <^AS4+$>

Using an AS-set to group your customers

  as-set:  AS4:AS-CUSTOMERS
  members: AS7, AS5, AS8

  aut-num: AS4
  export:  to AS3 announce AS4 AS4:AS-customers
  export:  to AS4:AS-CUSTOMERS announce ANY
  import:  from AS4:AS-CUSTOMERS accept PeerAS

PeerAS means:
- from AS5 accept AS5
- from AS7 accept AS7
- from AS8 accept AS8

Using others' as-set (& with AS-path filters)

  as-set:  AS4:AS-CUSTOMERS
  members: AS7, AS5, AS8

  aut-num: AS3
  import:  from AS4 accept AS4
  import:  from AS4 accept <^AS4+ AS4:AS-CUSTOMERS*$>
  export:  to AS4 announce AS3

Topology: AS3 - AS4 - {AS5, AS7, AS8}
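An added Python example (not from the slides or any tool) that expands AS4:AS-CUSTOMERS and evaluates the AS-path filters from this slide and the previous two against observed AS paths. AS_SETS is constructed from the slide; only AS numbers, hierarchical as-set names, the ^ and $ anchors and the + * ? operators are supported, and a path is checked neighbour-first with the origin last, as a router sees it.

```python
"""Added example (not from the slides or IRRToolSet): expanding an as-set and
evaluating RPSL AS-path filters such as <^AS4+ AS4:AS-CUSTOMERS*$> against
AS paths observed in BGP."""
import re

# Constructed as-set data, following the slide.
AS_SETS = {"AS4:AS-CUSTOMERS": ["AS7", "AS5", "AS8"]}

# One RPSL filter token: an AS number or hierarchical as-set name, an operator, or whitespace.
TOKEN = re.compile(r"AS\d+(?::[\w-]+)*|[\^$+*?]|\s+")


def expand_as_set(name, as_sets=AS_SETS, seen=None):
    """Resolve an as-set (recursively, cycle-safe) to the AS numbers it contains."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    members = set()
    for member in as_sets.get(name, []):
        if member in as_sets:
            members |= expand_as_set(member, as_sets, seen)
        else:
            members.add(member)
    return members


def peeras_imports(as_set_name, as_sets=AS_SETS):
    """What 'import: from <as-set> accept PeerAS' means: one line per member."""
    return [f"from {asn} accept {asn}" for asn in sorted(expand_as_set(as_set_name, as_sets))]


def aspath_filter_to_regex(flt, as_sets=AS_SETS):
    """Translate an RPSL <...> filter into a regex over a path written as ' AS4 AS5 ...'.

    Each AS atom becomes a space followed by the AS number and a guard that
    rejects a following digit, so AS4 cannot match AS45; an as-set name expands
    to an alternation of its members; ^ $ + * ? carry over unchanged."""
    parts = []
    for tok in TOKEN.findall(flt.strip()[1:-1]):  # drop the surrounding < >
        if tok.isspace():
            continue
        if tok in "^$+*?":
            parts.append(tok)
            continue
        members = expand_as_set(tok, as_sets) if tok in as_sets else {tok}
        alternatives = "|".join(sorted(members))
        parts.append(rf"(?: (?:{alternatives})(?!\d))")
    return re.compile("".join(parts))


def path_matches(flt, path, as_sets=AS_SETS):
    """True if an AS path (neighbour first, origin last) passes the filter."""
    return aspath_filter_to_regex(flt, as_sets).search(" " + " ".join(path)) is not None


if __name__ == "__main__":
    print(peeras_imports("AS4:AS-CUSTOMERS"))
    for path in (["AS4", "AS5"], ["AS4", "AS5", "AS9"]):
        print(path, path_matches("<^AS4+ AS4:AS-CUSTOMERS*$>", path))
```

The filter from the AS3 slide admits a path only when AS4 is the neighbour and every AS behind it is one of AS4's registered customers, so a path that ends in an unregistered AS9 is rejected even though it arrived from AS4.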

Example of MED & route-sets

  export: to AS4 10.0.0.4 at 10.0.0.1 action med=1000; announce AS1:rs-france
  export: to AS4 10.0.0.5 at 10.0.0.2 action med=2000; announce AS1:rs-spain

Communities

- Communities let you influence the traffic engineering of ISPs two hops away from you
- Example: information communities:
  - Europe - 3356:2
  - Dublin - 3356:2080
  - Customer - 3356:123
- Action communities:
  - Prepend 5400 to Google - 5400:2054
  - Set the local pref to 50 - 1299:50
  - Do not announce to KPN - 1299:2869
  - Don't announce outside local POP - 2764:2
  - Prepend 3 times to Ams-IX peers - 8918:3068

Applied communities

Diagram: AS3, AS4, AS5, AS6, AS7 and AS9 behind BT (AS5400) and Telia (AS1299), reaching KPN, Ams-IX and Google

Actions: Communities

To set/append a community:
  import: from AS6 action community = { 1:111 }; accept AS6
  import: from AS2 action community.append(1:75); accept AS2

Filtering:
  import: from AS2 accept AS2 AND community.contains (2:1)
  export: to AS3 announce AS3:AS-CUST AND community == {1:111};

Remote-triggered black-hole

- If your network is under DDoS attack
- Advertise the host or prefix with a special community value
  - (CW: 3561:666, MCI: 701:999, 3356:9999, etc.)
- All the traffic for that prefix will be NULL routed

  export: to AS3561 action community = {3561:666}; announce {10.10.10.10/32} # host prefix
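How a policy evaluator applies the community actions and filters from the "Actions: Communities" slide, and the black-hole community set on this slide, as an added Python example (not from the slides or any tool). Route, the sample routes and the prefixes used are constructed; only community =, community.append, community.contains, community == and AS-number origin terms joined with AND are handled.

```python
"""Added example (not from the slides): applying RPSL community actions and
community filters to route records, as an aut-num policy evaluator would."""
import re
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Route:
    """A constructed route record: prefix, origin AS and its community set."""
    prefix: str
    origin: str
    communities: frozenset = frozenset()


def parse_communities(text):
    """All 'n:m' community values in a fragment such as '{ 1:111, 2:2 }' or '(1:75)'."""
    return frozenset(re.findall(r"\d+:\d+", text))


def apply_action(route, action):
    """Apply 'community = {...}' (replace the set) or 'community.append(...)' (add) to a route."""
    action = action.strip().rstrip(";").strip()
    values = parse_communities(action)
    if action.startswith("community.append"):
        return replace(route, communities=route.communities | values)
    if re.match(r"community\s*=(?!=)", action):
        return replace(route, communities=values)
    raise ValueError(f"unsupported action: {action}")


def filter_matches(route, expr):
    """Evaluate a filter of AS numbers, community.contains(..) and community == {..} joined by AND."""
    for term in re.split(r"\s+AND\s+", expr.strip()):
        term = term.strip()
        if re.fullmatch(r"AS\d+", term):
            ok = route.origin == term
        elif term.startswith("community.contains"):
            ok = parse_communities(term) <= route.communities
        elif re.match(r"community\s*==", term):
            ok = parse_communities(term) == route.communities
        else:
            raise ValueError(f"unsupported filter term: {term}")
        if not ok:
            return False
    return True


def evaluate_import(route, peer_as, line):
    """'from ASn [action ...;] accept <filter>': the accepted (possibly modified) route, or None."""
    m = re.fullmatch(r"from (AS\d+)(?: action (.+?);)? accept (.+?);?", line.strip())
    if not m or m.group(1) != peer_as:
        return None
    if not filter_matches(route, m.group(3)):
        return None
    return apply_action(route, m.group(2)) if m.group(2) else route


if __name__ == "__main__":
    tagged = evaluate_import(Route("192.0.2.0/24", "AS6"), "AS6",
                             "from AS6 action community = { 1:111 }; accept AS6")
    print(tagged)
    # The black-hole export on the slide sets one community on a host prefix.
    print(apply_action(Route("10.10.10.10/32", "AS1"), "community = {3561:666}"))
```

Note the difference between the two actions: community = replaces whatever the route carried, while community.append keeps the existing values, which matters when a filter further along tests community == against an exact set.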

6. Resource Certification

Digital Resource Certificates

- Based on open IETF standards (sidr)
- Issued by the RIRs
- The certificate states that an Internet number resource has been registered by the RIPE NCC
- The certificate does not give any indication of the identity of the holder
- All further information on the resource can be found in the registry

What Certification offers

- Proof of holdership
- Secure Inter-Domain Routing
  - Route Origin Authorisation
- Resource transfers

Validation is the added value!

The system

- Accessible through the LIR Portal
- Administrator grants access to users

http://www.ripe.net/certification/enable.html

Proof of holdership

Certificate: Public Key + Resources + Signature

Route Origin Authorisation (ROA)

ROA: IP Prefixes + AS Number + Signature

ROA creation demo

Software Validation of certificates and ROAs

- Validators access the publicly accessible repository
- Three software tools available
  1. RIPE NCC Validator
     - easy to set up and use, limited feature set
  2. rcynic
  3. BBN Relying Party Software
     - complex set-up, but more options and flexibility

http://ripe.net/certification/validation

Hardware Validation: RPKI-RTR protocol

validated cache --(RPKI-RTR protocol)--> BGP decision process

  route-map validity-0
   match rpki-invalid
   drop
  route-map validity-1
   match rpki-not-found
   set localpref 50    // valid defaults to 100
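Route origin validation as the validated cache performs it, with the slide's route-map applied to the result, as an added Python example (not RIPE NCC validator or router code). ROAS is constructed: the 85.118.184.0/21 entry reuses the prefix and origin AS from the RPKI-IRR slide later in this deck with a max length of 24 taken from its 85.118.184.0/21-24 remark; the other entries use documentation ranges and private AS numbers.

```python
"""Added example (not RIPE NCC validator or router code): route origin
validation of announcements against ROAs, with the valid / invalid /
not-found outcome mapped to the route-map actions on the slide."""
import ipaddress

# Constructed ROAs as (prefix, max length, authorised origin AS).
ROAS = [
    ("85.118.184.0/21", 24, "AS33764"),  # prefix/origin from the RPKI-IRR slide, max length assumed 24
    ("2001:db8::/32", 32, "AS65550"),    # documentation prefix, private AS
    ("192.0.2.0/24", 24, "AS64496"),     # documentation prefix, private AS
]


def covering_roas(prefix, roas=ROAS):
    """ROAs whose prefix equals or contains the announced prefix (same address family only)."""
    net = ipaddress.ip_network(prefix)
    covering = []
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((roa_net, max_len, asn))
    return covering


def validate(prefix, origin, roas=ROAS):
    """RFC 6483 outcome: 'not-found' without a covering ROA; 'valid' when a covering
    ROA names this origin and the announcement is not longer than its max length;
    'invalid' otherwise (wrong origin, or too specific)."""
    net = ipaddress.ip_network(prefix)
    covering = covering_roas(prefix, roas)
    if not covering:
        return "not-found"
    if any(asn == origin and net.prefixlen <= max_len for _, max_len, asn in covering):
        return "valid"
    return "invalid"


def apply_policy(prefix, origin, roas=ROAS):
    """The slide's route-map: invalid is dropped (None), not-found gets local-pref 50,
    valid keeps the default 100. Returns (validity state, local preference)."""
    state = validate(prefix, origin, roas)
    if state == "invalid":
        return state, None
    return state, 50 if state == "not-found" else 100


if __name__ == "__main__":
    for announcement in (("85.118.184.0/21", "AS33764"), ("85.118.184.0/25", "AS33764"),
                         ("85.118.184.0/22", "AS64496"), ("203.0.113.0/24", "AS64496")):
        print(announcement, "->", apply_policy(*announcement))
```

The two invalid cases are the ones operators most often trip over: a more specific than the ROA's max length is invalid even from the right origin, and a different origin under a covering ROA is invalid rather than not-found.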

Who Controls Routing?

- Certificates do not create additional powers for the Regional Internet Registries
- Certificates reflect the resource registration status
  - no registration, no certificate
  - the reverse is not true!
- Routing decisions are made by network operators!

The road ahead

- Web-based validator
- Up / Down protocol
  - Run your own Certificate Authority
- Allow PI holders to manage ROAs
- Transfers between RIRs: ERX space
- ROA import tool
  - Use combination of IRR + BGP + Human

More information: http://ripe.net/certification
Mailing list: certtest@ripe.net

Serving ROAs as route[6] objects

RPKI-IRR

  whois -h whois-rpki-irr.db.ripe.net -T route 85.118.184.0/21

  route:    85.118.184.0/21
  descr:    rsync://certrepo.ripe.net/[..]bNak.roa
  origin:   AS33764
  remarks:  85.118.184.0/21-24
  mnt-by:   RPKI-MNT
  source:   RPKI # ripe

http://labs.ripe.net/Members/Paul_P_/content-serving-roasrpsl-route-objects

7. Other routing-related services

Getting an AS number

- Multihoming criteria
  - checked after 3 months
- Optional: transfer from one LIR to another
- Contractual agreement
  - payment for independent resource

RIS: Looking-glass with History

- Database with information about prefixes
- With history
  - 3 months online
  - more is available
- Route Collectors at several IXPs
  - more than 600 peers
- Similar to routeviews.org
- http://www.ripe.net/ris/

RIS Tools

- Visualization of routing updates seen by RIS
- RIS Alarms
  - includes the MyASN alarm type for notifications on rogue announcements of your address space
- ASInUse / PrefixInUse
  - last appearance of an ASN / prefix in the global routing table
- Looking Glass (also for IPv6)
  - whois -h riswhois.ripe.net <prefix>
- NetSense.ripe.net (beta)

Routing Registry Consistency Check

http://www.ripe.net/rrcc/

- Compares RR & RIS
- Gives you the lists of
  - missing prefixes in RR
  - missing prefixes in RIS
  - missing peers in RR
  - missing peers in RIS
- Allows you to correct your policy
  - or BGP routing
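The comparison the RRCC performs, as an added Python example (this is not the RRCC's own code). RR_TEXT and RIS_PATHS are constructed: the RR side is parsed from route objects and the aut-num's import/export lines, the RIS side from observed AS paths, where a peer is any AS adjacent to your own in a path, and the result is the four lists the slide names.

```python
"""Added example (not the RRCC tool's code): comparing what the RR says about
an AS with what is observed in BGP (as a RIS looking glass would show it) to
produce the four 'missing' lists the slide describes."""
import re

MY_AS = "AS1"

# Constructed RR content: AS1's aut-num plus its route objects.
RR_TEXT = """\
aut-num: AS1
import: from AS3 accept ANY
export: to AS3 announce AS1
import: from AS4 accept AS4
export: to AS4 announce AS1

route: 10.0.0.0/23
origin: AS1

route: 10.0.1.0/24
origin: AS1
"""

# Constructed observations as (prefix, AS path with the origin last).
RIS_PATHS = [
    ("10.0.0.0/23", ["AS3", "AS1"]),
    ("10.0.20.0/20", ["AS3", "AS1"]),   # announced but never registered in the RR
    ("10.0.0.0/23", ["AS5", "AS1"]),    # seen via a neighbour the aut-num does not mention
]


def rr_view(rr_text, my_as):
    """(prefixes registered with origin my_as, peers named in my_as's import/export lines)."""
    pairs = re.findall(r"^route:\s*(\S+)\s*\norigin:\s*(AS\d+)", rr_text, re.M)
    prefixes = {p for p, o in pairs if o == my_as}
    peers = set(re.findall(r"^(?:import|export):\s*(?:from|to)\s+(AS\d+)", rr_text, re.M))
    return prefixes, peers


def ris_view(paths, my_as):
    """(prefixes seen originated by my_as, ASes adjacent to my_as in any observed path)."""
    prefixes = {p for p, path in paths if path[-1] == my_as}
    peers = set()
    for _, path in paths:
        for left, right in zip(path, path[1:]):
            if right == my_as:
                peers.add(left)   # the AS that carries my route onwards
            elif left == my_as:
                peers.add(right)  # an AS I carry routes for
    return prefixes, peers


def consistency_check(rr_text=RR_TEXT, paths=RIS_PATHS, my_as=MY_AS):
    """The four lists the RRCC reports, each sorted for stable output."""
    rr_prefixes, rr_peers = rr_view(rr_text, my_as)
    ris_prefixes, ris_peers = ris_view(paths, my_as)
    return {
        "missing prefixes in RR": sorted(ris_prefixes - rr_prefixes),
        "missing prefixes in RIS": sorted(rr_prefixes - ris_prefixes),
        "missing peers in RR": sorted(ris_peers - rr_peers),
        "missing peers in RIS": sorted(rr_peers - ris_peers),
    }


if __name__ == "__main__":
    for label, items in consistency_check().items():
        print(f"{label}: {items or '-'}")
```

Each list points at a different fix: a prefix missing in the RR needs a route object, a prefix missing in RIS is registered but not announced (or is aggregated), and a peer missing on either side means the aut-num policy and the actual BGP sessions have drifted apart.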

RIPE Global Resource Service (GRS)

- New method of mirroring other RRs
- Fully synchronised with the authoritative sources
- Translated and adjusted:
  - Adding missing mandatory attributes
  - Wrapping unrecognised attributes with "remarks"
  - Creating dummy objects for missing data to keep referential integrity
  - Converting attribute values
  - All these transformations are marked by "End Of Line" comments in the objects
- RADb, APNIC and ARIN available in the new format
  - whois -h whois.ripe.net -q sources
- Now with new API: http://lab.db.ripe.net/portal/search.htm

Project REX

Has your new address space ever been:
- used
- announced by another AS
- put in a blacklist
- delegated for reverse DNS

Have your current resources been used by others? We'll tell you with REX, the Resource Explainer.

http://rex.ripe.net

IPv6 Ripeness - rating of ISPs (LIRs)

- Address space
- Routing security (route6 object in RIPE Database)
- Reverse DNS
- Routed on the Internet (visible in RIS)

http://ipv6ripeness.ripe.net

Homework

- Create route & route6 objects for your allocations
  - if you have all 4 ripeness stars you get a T-shirt :)
- Subscribe to the RIPE routing-wg mailing list
- Subscribe to the irrtools@isc.org list
- Try out REX & RIS
- Practice all this at home in the Test Database
  - all RRTEST objects are also in there!! (source TEST)
- Download, install, use RtConfig
- Check your RR Consistency
- Create certificates & ROAs for your prefixes

The End!